Spring Security

ActiveDirectoryLdapAuthenticationProvider.doAuthentication() does not catch IncorrectResultSizeException

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.1.1
    • Fix Version/s: 3.1.2
    • Component/s: LDAP
    • Labels:
      None

      Description

      The mentioned method uses Spring LDAP Template to search for the given user in AD. However, if the given user does not exist at all in the directory, the template throws IncorrectResultSizeException and not NamingException, as expected.

      Sample stack-trace in Tomcat:
      org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 0
      	org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:239)
      	org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.searchForUser(ActiveDirectoryLdapAuthenticationProvider.java:258)
      	org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:114)
      	org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
      

        Activity

        Frank Scheffler added a comment -

        Not yet tested whether this also affects pure LDAP authentication, i.e. not AD.

        Rob Winch added a comment -

        This should not impact anything else because it is caught by FilterBasedLdapUserSearch#searchForUser and rethrown as UsernameNotFoundException, which would be expected.

        Rob Winch added a comment -

        The IncorrectResultSizeDataAccessException is now wrapped in the same manner it would be with the default setup for LdapUserAuthenticationProvider. Specifically the Exception ends up looking like

        new BadCredentialsException(new UsernameNotFoundException(incorrectresultSizeException));
        
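An added illustration, not code from this issue or from Spring Security itself, of why the unwrapped search exception surfaced as a container error and what the wrapping described in the comment above changes. The UserSearch interface, the lookupUnfixed/lookupFixed methods and the empty-directory stand-in are constructed for the demo; spring-security-ldap and spring-ldap-core are assumed on the classpath.

```java
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class AdLookupWrappingDemo {

    // Constructed stand-in for the directory search that the real provider
    // delegates to SpringSecurityLdapTemplate.searchForSingleEntry.
    interface UserSearch {
        DirContextOperations search(String username);
    }

    // 3.1.1 shape: whatever the template throws leaves the provider unchanged.
    static DirContextOperations lookupUnfixed(UserSearch search, String username) {
        return search.search(username);
    }

    // 3.1.2 shape, per the fix comment: "no such user" becomes a
    // BadCredentialsException whose cause is a UsernameNotFoundException.
    static DirContextOperations lookupFixed(UserSearch search, String username) {
        try {
            return search.search(username);
        } catch (IncorrectResultSizeDataAccessException e) {
            throw new BadCredentialsException("Bad credentials",
                    new UsernameNotFoundException("User " + username + " not found", e));
        }
    }

    // What the authentication filter sees: an AuthenticationException is routed to
    // the failure handler; any other RuntimeException escapes as a container 500.
    static String outcome(Runnable lookup) {
        try {
            lookup.run();
            return "authenticated";
        } catch (AuthenticationException e) {
            return "login failure: " + e.getClass().getSimpleName();
        } catch (RuntimeException e) {
            return "unhandled, HTTP 500: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed directory with no entries: every search yields 0 results.
        UserSearch emptyDirectory = u -> { throw new IncorrectResultSizeDataAccessException(1, 0); };
        System.out.println(outcome(() -> lookupUnfixed(emptyDirectory, "ghost")));
        System.out.println(outcome(() -> lookupFixed(emptyDirectory, "ghost")));
    }
}
```

With the wrapped form, an unknown account reaches the failure handler as a BadCredentialsException just like the default LDAP provider, so the response is produced by Spring Security rather than the servlet container's error page.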
        Frank Scheffler added a comment -

        In my case it was not caught by anything in between, but rather went through, leading to HTTP/500 errors. Nevertheless, thanks for the fix; I will check as soon as it's released.

        Rob Winch added a comment -

        Can you clarify the last statement? When you say "it" was not caught by anything in between, are you referring to the ActiveDirectoryLdapAuthenticationProvider (which was broken and is now fixed), or were you referring to LdapAuthenticationProvider, which should be working already? I ask because I want to be sure we got everything fixed and understood the scope of this bug properly.

        Frank Scheffler added a comment -

        I was referring to the AD-Provider, which did not catch the IncorrectResultSizeException. Did not check with LdapXXXProvider.

        Rob Winch added a comment -

        Alright. I was concerned that you didn't feel like everything had been addressed but it appears that is not the case. Thank you for your prompt response.


          People

          • Assignee: Rob Winch
          • Reporter: Frank Scheffler

          Time Tracking

          • Original Estimate: 0.5d
          • Remaining Estimate: 0.5d
          • Time Spent: Not Specified