[ https://issues.apache.org/jira/browse/QPID-7549?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15696153#comment-15696153 ]
Keith Wall edited comment on QPID-7549 at 11/25/16 3:48 PM: ------------------------------------------------------------ I think there are a couple of parts: # We should ensure that HTTP threads always carry a Subject. If the user is not yet authenticated, this will simple be a Subject containing a {{ManagementConnectionPrincipal}}. If think this is best done once in a filter, towards the front of the filter chain. # Is there a reason why AuthenticationResultCacher should not consider all {{SocketConnectionPrincipal}} rather than just {{ConnectionPrincipal}}. I realise that if Qpid were to be behind a web proxy, then there would be not uniqueness added (as the end point would be same), but the same argument could be made about AMQP if it were using a AMQP proxy. # I think the responsibilities for preemptive authentication and sasl authentication should be refactored into filters. I think the current code is hard to follow (separate JIRA). For qpid-java-6.1.x, I would simply guard the AuthenticationResultCacher.java:117 was (Author: k-wall): I think there are a couple of parts: # We should ensure that HTTP threads always carry a Subject. If the user is not yet authenticated, this will simple be a Subject containing a {{ManagementConnectionPrincipal}}. If think this is best done once in a filter, towards the front of the filter chain. # Is there a reason why AuthenticationResultCacher should not consider all {{SocketConnectionPrincipal}} rather than just {{ConnectionPrincipal}}. I realise that if Qpid were to be behind a web proxy, then there would be not uniqueness added (as the end point would be same), but the same argument could be made about AMQP if it were using a AMQP proxy. # I think the responsibilities for preemptive authentication and sasl authentication should be refactored into filters. I think the current code is hard to follow (separate JIRA). For quid-java-6.1.x, I would simply guard the AuthenticationResultCacher.java:117 > [Java Broker] Authentication using SimpleLDAP authentication provider fails > with NPE when caching of authentication results is enabled(by default) > -------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: QPID-7549 > URL: https://issues.apache.org/jira/browse/QPID-7549 > Project: Qpid > Issue Type: Bug > Components: Java Broker > Affects Versions: qpid-java-6.1 > Reporter: Alex Rudyy > Fix For: qpid-java-6.1.1 > > > Authentication with SimpleLDAP authentication provider fails due to the > following exception: > {noformat} > 2016-11-24 12:59:12,878 WARN [HttpManagement-testHTTP-158] > (o.e.j.s.ServletHandler) - /service/sasl > java.lang.NullPointerException: null > at > org.apache.qpid.server.security.auth.manager.AuthenticationResultCacher.digestCredentials(AuthenticationResultCacher.java:116) > ~[qpid-broker-core-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.security.auth.manager.AuthenticationResultCacher.getOrLoad(AuthenticationResultCacher.java:80) > ~[qpid-broker-core-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.getOrLoadAuthenticationResult(SimpleLDAPAuthenticationManagerImpl.java:410) > ~[qpid-broker-core-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.access$200(SimpleLDAPAuthenticationManagerImpl.java:83) > ~[qpid-broker-core-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl$SimpleLDAPPlainCallbackHandler.handle(SimpleLDAPAuthenticationManagerImpl.java:669) > ~[qpid-broker-core-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.security.auth.sasl.plain.PlainSaslServer.evaluateResponse(PlainSaslServer.java:87) > ~[qpid-broker-core-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManagerImpl.authenticate(SimpleLDAPAuthenticationManagerImpl.java:312) > ~[qpid-broker-core-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.security.SubjectCreator.authenticate(SubjectCreator.java:115) > ~[qpid-broker-core-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.evaluateSaslResponse(SaslServlet.java:213) > ~[qpid-broker-plugins-management-http-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.management.plugin.servlet.rest.SaslServlet.doPostWithSubjectAndActor(SaslServlet.java:135) > ~[qpid-broker-plugins-management-http-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:121) > ~[qpid-broker-plugins-management-http-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet$2.run(AbstractServlet.java:117) > ~[qpid-broker-plugins-management-http-6.1.0.jar:6.1.0] > at java.security.AccessController.doPrivileged(Native Method) > ~[na:1.8.0_74] > at javax.security.auth.Subject.doAs(Subject.java:422) ~[na:1.8.0_74] > at > org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doWithSubjectAndActor(AbstractServlet.java:218) > ~[qpid-broker-plugins-management-http-6.1.0.jar:6.1.0] > at > org.apache.qpid.server.management.plugin.servlet.rest.AbstractServlet.doPost(AbstractServlet.java:115) > ~[qpid-broker-plugins-management-http-6.1.0.jar:6.1.0] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:595) > ~[geronimo-servlet_3.0_spec-1.0.jar:1.0] > at javax.servlet.http.HttpServlet.service(HttpServlet.java:668) > ~[geronimo-servlet_3.0_spec-1.0.jar:1.0] > at > org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684) > ~[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1496) > ~[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.apache.qpid.server.management.plugin.filter.ForbiddingAuthorisationFilter.doFilter(ForbiddingAuthorisationFilter.java:94) > ~[qpid-broker-plugins-management-http-6.1.0.jar:6.1.0] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) > ~[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.apache.qpid.server.management.plugin.filter.ForbiddingTraceFilter.doFilter(ForbiddingTraceFilter.java:65) > ~[qpid-broker-plugins-management-http-6.1.0.jar:6.1.0] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) > ~[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.apache.qpid.server.management.plugin.filter.LoggingFilter.doFilter(LoggingFilter.java:65) > ~[qpid-broker-plugins-management-http-6.1.0.jar:6.1.0] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) > ~[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlets.CrossOriginFilter.handle(CrossOriginFilter.java:247) > ~[jetty-servlets-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlets.CrossOriginFilter.doFilter(CrossOriginFilter.java:210) > ~[jetty-servlets-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) > ~[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.apache.qpid.server.management.plugin.filter.ExceptionHandlingFilter.doFilter(ExceptionHandlingFilter.java:56) > ~[qpid-broker-plugins-management-http-6.1.0.jar:6.1.0] > at > org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1467) > ~[jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:501) > [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:229) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1086) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:429) > [jetty-servlet-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:193) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1020) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at org.eclipse.jetty.server.Server.handle(Server.java:370) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > at > org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494) > [jetty-server-8.1.17.v20150415.jar:8.1.17.v20150415] > {noformat} > This issue only impacts authentication via Web Management Console (when > SimpleLDAp authentication provider is configured for HTTP port). Due to NPE > the authentication fails and user is not able to login to Web Management > Console. Authentication over AMQP or preemptive authentication is not > impacted by the issue. > Disabling of the caching allows to work around the issue. The caching can be > turned off by setting to 'null' or '0' or negative value any/all of the > following context variables: > * qpid.auth.cache.size > * qpid.auth.cache.expiration_time > * qpid.auth.cache.iteration_count -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org