Bug 59839 - roleSearchAsUser not applied to nested roles when roleNested enabled
Summary: roleSearchAsUser not applied to nested roles when roleNested enabled
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina
Version: 7.0.68
Hardware: All
OS: All
Importance: P2 normal
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2016-07-10 20:13 UTC by Tim Macinta
Modified: 2016-07-31 10:02 UTC (History)

Attachment: Bind user on nested role search, when asked for (3.56 KB, patch)
2016-07-24 11:23 UTC, Felix Schumacher

Description Tim Macinta 2016-07-10 20:13:01 UTC
When using a JNDIRealm to search for a user's roles recursively via the 'roleNested' option while also binding using that user's credentials via the 'roleSearchAsUser' option, only the first role search actually binds using the user's credentials. Subsequent searches of the nested roles revert to the original security environment, which leads to a NamingException reporting that a successful bind must be completed first (see below).

The cause is straightforward, from looking at the code. I will refer to the code for 7.0.68, as that is what I've tested against, but I also see the same issue in the code for 7.0.70 and 8.5.3. In "JNDIRealm.java" and the method getRoles() (starting on line 1938), there are two calls to context.search(). The first call on line 2002 is wrapped in logic which adds the user's credentials beforehand and removes them afterward, if 'roleSearchAsUser' was specified. The second call on line 2056 is not wrapped in the same logic, but I'm guessing it should be. This second call is only reached if 'roleNested' is true, per the if-block starting on line 2039.

The net result is that when anonymous binding is not allowed, the first search succeeds (assuming the user entered the correct credentials) and then the second one fails with a stack trace like the following. I've redacted the company name and info:

javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
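The control flow described in this report, modelled as an added example that is not Tomcat's code: a constructed in-memory directory that rejects anonymous searches, a `get_roles()` that mirrors the two-search structure of `JNDIRealm.getRoles()`, and a hypothetical `bind_nested` switch that either reproduces the failure (only the first search is wrapped) or applies the fix (every nested search also runs as the authenticated user).

```python
class BindRequired(Exception):
    """Stands in for the NamingException 'a successful bind must be completed'."""

class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server that refuses anonymous searches."""

    def __init__(self, user_groups, group_parents):
        self.user_groups = user_groups      # user dn -> direct group dns
        self.group_parents = group_parents  # group dn -> groups it belongs to
        self.bound_as = None
        self.log = []                       # (search key, identity bound at the time)

    def bind(self, dn):
        self.bound_as = dn

    def unbind(self):
        self.bound_as = None

    def search(self, table, key):
        self.log.append((key, self.bound_as))
        if self.bound_as is None:           # anonymous search is rejected
            raise BindRequired("LDAP: error code 1 - bind required")
        return set(table.get(key, ()))

def get_roles(directory, user_dn, role_nested=True, role_search_as_user=True,
              bind_nested=True):
    """Mirror of getRoles(): bind_nested=False reproduces the reported bug,
    where only the first search is wrapped in the bind/unbind logic."""
    def as_user(table, key):                # add credentials, search, remove them
        if role_search_as_user:
            directory.bind(user_dn)
        try:
            return directory.search(table, key)
        finally:
            if role_search_as_user:
                directory.unbind()

    roles = as_user(directory.user_groups, user_dn)    # first search: wrapped
    if not role_nested:
        return roles
    pending = list(roles)
    while pending:                                      # follow group-of-group chain
        group = pending.pop()
        if bind_nested:
            parents = as_user(directory.group_parents, group)
        else:                                           # buggy path: no bind
            parents = directory.search(directory.group_parents, group)
        for parent in parents - roles:
            roles.add(parent)
            pending.append(parent)
    return roles
```

With the fixed path, every entry in `directory.log` records a search performed while bound as the user; with the buggy path the first nested search is attempted anonymously and raises.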
Comment 1 Felix Schumacher 2016-07-24 11:23:33 UTC
Created attachment 34069 [details]
Bind user on nested role search, when asked for

The patch is done on tomcat 9 (trunk), but it should be applicable to tomcat 7 without problems.

Can you test whether it helps your case?
Comment 2 Tim Macinta 2016-07-24 20:18:27 UTC
Yes, it helps my case, thank you.
Comment 3 Felix Schumacher 2016-07-28 20:22:06 UTC
Fixed on tomcat 9 and will be in 9.0.0.M10.

Will backport to tomcat 8.5 and 8.0 when no problem gets reported.
Comment 4 Felix Schumacher 2016-07-31 10:02:00 UTC
Fixed in 7, 8 and 8.5. Will be released with 7.0.71, 8.0.37 and 8.5.5.

Thanks for the report and your analysis.