SEC-2017: ActiveDirectoryLdapAuthenticationProvider.doAuthentication() does not catch IncorrectResultSizeException #2242

Closed
spring-issuemaster opened this Issue Jul 23, 2012 · 7 comments

2 participants

@spring-issuemaster

Frank Scheffler (Migrated from SEC-2017) said:

The mentioned method uses Spring LDAP Template to search for the given user in AD. However, if the given user does not exist at all in the directory, the template throws IncorrectResultSizeException and not NamingException, as expected.

Sample stack-trace in Tomcat:
org.springframework.dao.IncorrectResultSizeDataAccessException: Incorrect result size: expected 1, actual 0
    org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntryInternal(SpringSecurityLdapTemplate.java:239)
    org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.searchForUser(ActiveDirectoryLdapAuthenticationProvider.java:258)
    org.springframework.security.ldap.authentication.ad.ActiveDirectoryLdapAuthenticationProvider.doAuthentication(ActiveDirectoryLdapAuthenticationProvider.java:114)
    org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:61)
@spring-issuemaster

Frank Scheffler said:

Not yet tested whether this also affects pure LDAP authentication, i.e. not AD.

@spring-issuemaster

Rob Winch said:

This should not impact anything else because it is caught by FilterBasedLdapUserSearch#searchForUser and rethrown as UsernameNotFoundException, which would be expected.

@spring-issuemaster

Rob Winch said:

The IncorrectResultSizeDataAccessException is now wrapped in the same manner it would be with the default setup for LdapUserAuthenticationProvider. Specifically, the Exception ends up looking like

new BadCredentialsException(new UsernameNotFoundException(incorrectResultSizeException));
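The wrapping described in the comment above, as an added example that is not Spring Security's own code: `searchForSingleEntry`, the `DIRECTORY` map and the two `searchForUser*` methods are constructed stand-ins, and the block assumes spring-tx and spring-security-core are on the classpath for the three imported exception types.

```java
import java.util.Map;
import org.springframework.dao.IncorrectResultSizeDataAccessException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

public class AdUserLookupExample {

    // Constructed stand-in for the directory: exactly one account exists.
    private static final Map<String, String> DIRECTORY =
            Map.of("jdoe", "CN=John Doe,DC=example,DC=com");

    // Stand-in for the LDAP template's single-entry search: like the real template,
    // it throws IncorrectResultSizeDataAccessException when there is not exactly one match.
    static String searchForSingleEntry(String username) {
        String dn = DIRECTORY.get(username);
        if (dn == null) {
            throw new IncorrectResultSizeDataAccessException(1, 0);
        }
        return dn;
    }

    // Before the fix: the DataAccessException propagates out of the provider untouched,
    // so a login attempt for an unknown account ends as an unhandled error (HTTP 500).
    static String searchForUserBroken(String username) {
        return searchForSingleEntry(username);
    }

    // After the fix: an empty result becomes the same BadCredentialsException a wrong
    // password produces, so the caller takes the normal authentication-failure path and
    // the response does not reveal whether the account exists. More than one match is a
    // directory problem, not a credential problem, so it is rethrown unchanged.
    static String searchForUserFixed(String username) {
        try {
            return searchForSingleEntry(username);
        } catch (IncorrectResultSizeDataAccessException e) {
            if (e.getActualSize() == 0) {
                throw new BadCredentialsException("Bad credentials",
                        new UsernameNotFoundException("User " + username + " not found in directory.", e));
            }
            throw e;
        }
    }

    public static void main(String[] args) {
        System.out.println(searchForUserFixed("jdoe"));
        try {
            searchForUserFixed("nobody");
        } catch (BadCredentialsException e) {
            System.out.println(e.getMessage() + " (cause: " + e.getCause().getClass().getSimpleName() + ")");
        }
    }
}
```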
@spring-issuemaster

Frank Scheffler said:

In my case it was not caught by anything in between, but rather went through, leading to HTTP/500 errors. Nevertheless, thanks for the fix; I will check as soon as it's released.

@spring-issuemaster

Rob Winch said:

Can you clarify the last statement? When you say "it" was not caught by anything in between, are you referring to the ActiveDirectoryLdapAuthenticationProvider (which was broken and is now fixed), or were you referring to LdapAuthenticationProvider, which should be working already? I ask because I want to be sure we got everything fixed and understood the scope of this bug properly.

@spring-issuemaster

Frank Scheffler said:

I was referring to the AD-Provider, which did not catch the IncorrectResultSizeException. Did not check with LdapXXXProvider.

@spring-issuemaster

Rob Winch said:

Alright. I was concerned that you didn't feel like everything had been addressed but it appears that is not the case. Thank you for your prompt response.

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016