1 Reply Latest reply on Nov 18, 2015 12:10 PM by cweiler

    LdapExtended Authentication on ldaps without SSLHandshakeException

    cweiler

      Hi,

      I've set up a security-domain with authentication being done by the LdapExtended login-module.

      First of all: configuration WORKS! dot.

      My problem is that we use the ldaps protocol, and I never receive an SSLHandshakeException when the certificate is missing or invalid. I set up logging to DEBUG on "org.jboss.security" and the error message that I get in the log files is:

      DEBUG [org.jboss.security] (default task-19) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:497)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:406)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:345)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:333)
        at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:146)
        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verifyCredential(JAASIdentityManagerImpl.java:111)
        at org.wildfly.extension.undertow.security.JAASIdentityManagerImpl.verify(JAASIdentityManagerImpl.java:82)
        at io.undertow.security.impl.SecurityContextImpl.login(SecurityContextImpl.java:236)
        at io.undertow.servlet.spec.HttpServletRequestImpl.login(HttpServletRequestImpl.java:433)

      Password is not invalid!!!!! If the certificate is correctly configured, authentication works, but when the certificate is misconfigured I should receive the correct error message, something closer to SSLHandshakeException.

      Any clues on how to get a better error message?

      ---

      WildFly 9.0.2

      Windows 7 64

      Java SE 8 64

      ---

      Thanks!

        • 1. Re: LdapExtended Authentication on ldaps without SSLHandshakeException
          cweiler

          Ok, this is not as simple:

          Configure the Ldap login module with the option:

          <module-option name="throwValidateError" value="true"/>

          With this option, the security mechanism will place the original exception in the security context. But the exception thrown will always be a simple login exception without a cause, so you need to get this message with:

          Object contextInfo = SecurityContextAssociation.getContextInfo("org.jboss.security.exception");

          The returned object should be an instance of FailedLoginException with the cause stack; just log it or build better error messages...
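As an added example (not code from this thread, nor from WildFly or PicketBox), here is a servlet that puts the two steps from the reply together: it relies on the login module being configured with `throwValidateError="true"`, calls `HttpServletRequest.login`, and on failure reads the original exception back out of the security context under the `org.jboss.security.exception` key so that a trust-store or certificate problem on the ldaps connection is logged and reported differently from a bad password. The servlet path, parameter names, logger and the `findCause` helper are assumptions for illustration; the context-info key and `SecurityContextAssociation.getContextInfo` are the ones named in the thread.

```java
// Added example, not from the thread or the PicketBox project.
// Assumes a WildFly 9 security domain using LdapExtLoginModule with
// <module-option name="throwValidateError" value="true"/> (as in the reply).
import java.io.IOException;
import javax.net.ssl.SSLHandshakeException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.logging.Logger;
import org.jboss.security.SecurityContextAssociation;

@WebServlet("/login")   // illustrative path
public class LdapLoginServlet extends HttpServlet {

    private static final Logger LOG = Logger.getLogger(LdapLoginServlet.class);

    // Key under which PicketBox places the original login exception (from the thread).
    private static final String EXCEPTION_KEY = "org.jboss.security.exception";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("username");   // illustrative parameter names
        String password = req.getParameter("password");
        try {
            // Runs the JAAS login through the security domain (LdapExtLoginModule).
            req.login(user, password);
            resp.setStatus(HttpServletResponse.SC_OK);
        } catch (ServletException e) {
            // The exception thrown here carries no cause (see the thread);
            // the original one has been stored in the security context.
            Throwable original = lookupOriginalException();
            if (original != null && findCause(original, SSLHandshakeException.class) != null) {
                // Certificate or trust-store problem on the ldaps connection, not a bad password.
                // Log the full chain server-side; tell the client only that the directory is unavailable.
                LOG.error("LDAPS handshake failed while authenticating user " + user, original);
                resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE, "Directory connection failed");
            } else {
                // Genuine credential failure (or no context info available): keep the generic 401.
                LOG.debug("Login failed for user " + user, original != null ? original : e);
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            }
        }
    }

    // Reads the exception PicketBox placed in the security context, if any.
    static Throwable lookupOriginalException() {
        Object info = SecurityContextAssociation.getContextInfo(EXCEPTION_KEY);
        return (info instanceof Throwable) ? (Throwable) info : null;
    }

    // Walks the cause chain looking for an exception of the given type.
    // JNDI usually wraps the SSL failure in a javax.naming.CommunicationException,
    // so the handshake exception is rarely the outermost cause.
    static <T extends Throwable> T findCause(Throwable t, Class<T> type) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (type.isInstance(c)) {
                return type.cast(c);
            }
        }
        return null;
    }
}
```

The point of walking the cause chain rather than checking only the top-level exception is that, as the reply says, the login exception itself is generic; the interesting type is buried inside the context-info object. Keeping the detailed chain in the server log while returning a generic status to the client avoids leaking trust-store or directory details to an unauthenticated caller.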