SEC-2017: ActiveDirectoryLdapAuthenticationProvider.doAuthentication() does not catch IncorrectResultSizeException #2242

Closed
spring-issuemaster opened this Issue Jul 23, 2012 · 7 comments


Frank Scheffler (Migrated from SEC-2017) said:

The mentioned method uses Spring LDAP Template to search for the given user in AD. However, if the given user does not exist at all in the directory, the template throws IncorrectResultSizeException rather than the NamingException one would expect.

Sample stack-trace in Tomcat:
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 0
    org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:239)
    org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.searchForUser(ActiveDirectoryLdapAuthenticationProvider.java:258)
    org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:114)
    org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)

Frank Scheffler said:

Not yet tested whether this also affects pure LDAP authentication, i.e. not AD.

Rob Winch said:

This should not impact anything else because it is caught by FilterBasedLdapUserSearch#searchForUser and rethrown as UsernameNotFoundException, which would be expected.

Rob Winch said:

The IncorrectResultSizeDataAccessException is now wrapped in the same manner it would be with the default setup for LdapAuthenticationProvider. Specifically, the exception ends up looking like

new BadCredentialsException(new UsernameNotFoundException(incorrectResultSizeException));
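
The wrapping described in the comment above, as an added example that is not code from the Spring Security project. It contrasts a search that lets IncorrectResultSizeDataAccessException escape (the behaviour reported in this issue, which surfaces as an HTTP 500) with one that converts an empty result into a BadCredentialsException whose cause is a UsernameNotFoundException, so that an unknown user fails authentication the same way a wrong password does. The SingleEntrySearch interface is a hypothetical stand-in for SpringSecurityLdapTemplate's single-entry search; the exception messages are constructed for the example.

```java
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class UserSearchWrappingExample {

    // Hypothetical stand-in for the template call that must return exactly one entry.
    interface SingleEntrySearch {
        DirContextOperations search(String username);
    }

    // 'Before': the data-access exception propagates out of the provider untouched,
    // so the servlet container answers with a generic server error (HTTP 500).
    static DirContextOperations searchForUserUnhandled(SingleEntrySearch template, String username) {
        return template.search(username);
    }

    // 'After': an empty result is translated into the same exception chain the
    // default LDAP setup produces, and the AuthenticationManager reports a normal
    // authentication failure instead of an unhandled exception.
    static DirContextOperations searchForUserHandled(SingleEntrySearch template, String username) {
        try {
            return template.search(username);
        } catch (IncorrectResultSizeDataAccessException e) {
            if (e.getActualSize() == 0) {
                UsernameNotFoundException notFound =
                        new UsernameNotFoundException("User " + username + " not found in directory.", e);
                // Constructed message; the real provider uses a localized message source.
                throw new BadCredentialsException("Bad credentials", notFound);
            }
            // More than one match is a directory/configuration problem, not a bad login:
            // let it surface so it gets investigated rather than masked.
            throw e;
        }
    }

    public static void main(String[] args) {
        // Constructed template that behaves as if the user does not exist:
        // Spring LDAP reports "expected 1, actual 0" for an empty single-entry search.
        SingleEntrySearch noSuchUser = u -> {
            throw new IncorrectResultSizeDataAccessException(1, 0);
        };

        try {
            searchForUserUnhandled(noSuchUser, "nobody");
        } catch (IncorrectResultSizeDataAccessException e) {
            System.out.println("unhandled: " + e.getClass().getSimpleName());
        }

        try {
            searchForUserHandled(noSuchUser, "nobody");
        } catch (BadCredentialsException e) {
            // Walk the cause chain: BadCredentialsException -> UsernameNotFoundException
            // -> IncorrectResultSizeDataAccessException
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.out.println("handled: " + t.getClass().getSimpleName());
            }
        }
    }
}
```

Only the "actual 0" case is mapped to a credential failure; a result size greater than one is left to propagate, since silently treating an ambiguous directory match as a bad password would hide a misconfiguration that deserves an operator's attention.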

Frank Scheffler said:

In my case it was not caught by anything in between, but rather went through leading to HTTP/500 errors. Nevertheless, thanks for the fix, I will check, as soon as it's released.

Rob Winch said:

Can you clarify the last statement? When you say "it" was not caught by anything in between, are you referring to the ActiveDirectoryLdapAuthenticationProvider (which was broken and is now fixed) or were you referring to LdapAuthenticationProvider, which should be working already? I ask because I want to be sure we got everything fixed and understood the scope of this bug properly.

Frank Scheffler said:

I was referring to the AD-Provider, which did not catch the IncorrectResultSizeException. Did not check with LdapXXXProvider.

Rob Winch said:

Alright. I was concerned that you didn't feel like everything had been addressed but it appears that is not the case. Thank you for your prompt response.

spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016
