Summary: | Logging Unbalanced parenthesis error in catalina log during user login | ||
---|---|---|---|
Product: | Tomcat 8 | Reporter: | Hemanth Kumar <hemanth.kumar2> |
Component: | Catalina | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED FIXED | ||
Severity: | minor | ||
Priority: | P2 | ||
Version: | 8.0.53 | ||
Target Milestone: | ---- | ||
Hardware: | PC | ||
OS: | All | ||
Attachments: | catalina log with Unbalanced parenthesis error |
Comment on attachment 36471
catalina log with Unbalanced parenthesis error

> Feb 07, 2019 4:36:45 PM org.apache.catalina.realm.JNDIRealm authenticate
> SEVERE: Exception performing authentication
> javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=****,DC=org'
>     at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
>     at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
>     at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
>     at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>     at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
>     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
>     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
>     at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
>     at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
>     at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>     at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
>     at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
>     at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
>
> Feb 07, 2019 4:38:33 PM org.apache.catalina.realm.JNDIRealm authenticate
> SEVERE: Exception performing authentication
> javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=****,DC=org'
>     at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
>     at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
>     at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
>     at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>     at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
>     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
>     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
>     at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
>     at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
>     at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>     at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
>     at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
>     at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)

Comment on attachment 36471
catalina log with Unbalanced parenthesis error

> Feb 07, 2019 4:36:45 PM org.apache.catalina.realm.JNDIRealm authenticate
> SEVERE: Exception performing authentication
> javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=exampledomain,DC=org'
>     at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
>     at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
>     at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
>     at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>     at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
>     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
>     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
>     at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
>     at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
>     at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
>     at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>     at com.siemens.cto.security.tomcat.RoleMapperRealm.authenticate(RoleMapperRealm.java:24)
>     at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
>     at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
>     at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
>     at com.siemens.soarian.se.slpa.tomcat.SlpaValve.invoke(SlpaValve.java:186)
>     at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78)
>     at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
>
> Feb 07, 2019 4:38:33 PM org.apache.catalina.realm.JNDIRealm authenticate
> SEVERE: Exception performing authentication
> javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=mfldclin,DC=org'
>     at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
>     at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
>     at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
>     at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>     at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
>     at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
>     at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
>     at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
>     at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
>     at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
>     at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
>     at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>     at com.siemens.cto.security.tomcat.RoleMapperRealm.authenticate(RoleMapperRealm.java:24)
>     at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
>     at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
>     at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
>     at com.siemens.soarian.se.slpa.tomcat.SlpaValve.invoke(SlpaValve.java:186)
>     at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78)
>     at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)

8.0.x is no longer supported. Please test with the latest 8.5.x release and report back.

I've been able to test this with the latest 9.0.x. The bug is still present. I'm working on a fix.

Thanks for the report.

Fixed in:
- trunk for 9.0.17 onwards
- 8.5.x for 8.5.39 onwards
- 7.0.x for 7.0.94 onwards
Created attachment 36471
catalina log with Unbalanced parenthesis error

The error below is logged when a user is attempting to log in. It appears that the user is a member of a group with DN that contains a left paren but no matching right paren. With roleNested attribute set to "TRUE" in Realm className, this seems to indicate that tomcat is not properly escaping characters.

CN=LklApptCoordSched(RX,OU=Groups,DC=mfldclin,DC=org

org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=mfldclin,DC=org'
    at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
    at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
    at com.siemens.cto.security.tomcat.RoleMapperRealm.authenticate(RoleMapperRealm.java:24)
    at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
    at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
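
The escaping gap the report describes, shown as an added example that is not Tomcat's own code: a group DN is substituted into an LDAP search filter, first as-is and then with RFC 4515 value escaping applied. The `roleSearch` pattern `(member={0})` and the class and method names are assumptions made for illustration; the DN is the one quoted in the report.

```java
import java.text.MessageFormat;

public class LdapFilterEscapeDemo {

    // RFC 4515 section 3: inside an assertion value, NUL, '(', ')', '*' and '\'
    // are written as a backslash followed by the two hex digits of the byte.
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Structural check on literal parentheses: depth never goes negative and
    // ends at zero. Escaped values (\28, \29) contain no literal parentheses.
    static boolean parenthesesBalanced(String filter) {
        int depth = 0;
        for (char c : filter.toCharArray()) {
            if (c == '(') depth++;
            else if (c == ')' && --depth < 0) return false;
        }
        return depth == 0;
    }

    public static void main(String[] args) {
        // DN from the report; roleSearch is an assumed, typical pattern.
        String groupDn = "CN=LklApptCoordSched(RX,OU=Groups,DC=mfldclin,DC=org";
        String roleSearch = "(member={0})";

        // Unescaped substitution: the '(' inside the DN becomes filter syntax.
        String raw = MessageFormat.format(roleSearch, groupDn);
        // Escaped substitution: the DN stays a plain assertion value.
        String escaped = MessageFormat.format(roleSearch, escapeFilterValue(groupDn));

        System.out.println(raw + "  balanced=" + parenthesesBalanced(raw));
        System.out.println(escaped + "  balanced=" + parenthesesBalanced(escaped));
    }
}
```

Filter-value escaping (RFC 4515) is separate from DN escaping (RFC 4514): a DN that is valid as a name still needs the filter escaping above before it is placed inside a search filter.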