Federated SAF registries can incorrectly claim a SAF user or group is not in the realm when calling UserRegistry.isValidGroup #19785

Closed
jvanhill opened this issue Jan 12, 2022 · 0 comments · Fixed by #19786
Labels: release bug (This bug is present in a released version of Open Liberty), release:22002, team:Wendigo East

jvanhill commented Jan 12, 2022

Describe the bug
Calling UserRegistry.isValidGroup when using federatedRegistry-1.0 can result in a CWIML0515E error message that claims the <GROUP> is not in the scope of the <REALM>, when in fact it is.

com.ibm.ws.security.registry.RegistryException: CWIML0515E: The user registry operation could not be completed. The <GROUP> entity is not in the scope of the <REALM> realm. Specify an entity that is in the scope of the configured realm in the server.xml file.
        at com.ibm.ws.security.wim.registry.util.ValidBridge.isValidGroup(ValidBridge.java:215)
        at com.ibm.ws.security.wim.registry.WIMUserRegistry.isValidGroup(WIMUserRegistry.java:455)
        at com.ibm.ws.security.registry.internal.UserRegistryWrapper.isValidGroup(UserRegistryWrapper.java:231)
        ...

Steps to Reproduce
Federate a SAF registry and call the UserRegistry.isValidGroup method with a group that is in the SAF registry.

Expected behavior
The UserRegistry.isValidGroup call should return true instead of an exception.

Diagnostic information:

  • OpenLiberty Version: Any
  • Affected feature(s): federatedRegistry-1.0, zosSecurity-1.0 (WebSphere Liberty only)
  • Java Version: Any

Additional context
None.

jvanhill added the team:Wendigo East and release bug (This bug is present in a released version of Open Liberty) labels Jan 12, 2022
jvanhill self-assigned this Jan 12, 2022
jvanhill pushed a commit to jvanhill/open-liberty that referenced this issue Jan 24, 2022
… registry with a valid group, a RegistryException with a CWIML0515E error message is thrown, incorrectly indicating the valid group is not a member of the realm.
jvanhill pushed a commit that referenced this issue Jan 28, 2022
…lure

Issue #19785: When calling isValidGroup on a federated SAF registry w…