Created attachment 36471 [details] catalina log with Unbalanced parenthesis error

The error below is logged when a user attempts to log in. The user appears to be a member of a group whose DN contains a left parenthesis with no matching right parenthesis. With the roleNested attribute set to "TRUE" in the Realm configuration, this seems to indicate that Tomcat is not properly escaping LDAP filter special characters in the group DN before using it in the role search filter.

Group DN: CN=LklApptCoordSched(RX,OU=Groups,DC=mfldclin,DC=org

org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=mfldclin,DC=org'
    at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
    at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
    at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
    at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
    at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
    at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
    at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
    at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
    at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
    at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
    at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
    at com.siemens.cto.security.tomcat.RoleMapperRealm.authenticate(RoleMapperRealm.java:24)
    at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
    at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
Comment on attachment 36471 [details] catalina log with Unbalanced parenthesis error >Feb 07, 2019 4:36:45 PM org.apache.catalina.realm.JNDIRealm authenticate >SEVERE: Exception performing authentication >javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=****,DC=org' > at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143) > at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74) > at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546) > at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985) > at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844) > at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769) > at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) > at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) > at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341) > at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790) > at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203) > at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052) > at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146) > at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180) > at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294) > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449) > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) > at 
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) > at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) > at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440) > at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:745) > >Feb 07, 2019 4:38:33 PM org.apache.catalina.realm.JNDIRealm authenticate >SEVERE: Exception performing authentication >javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=****,DC=org' > at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143) > at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74) > at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546) > at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985) > at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844) > at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769) > at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) > at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) > at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341) > at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790) > at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203) > at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052) > at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146) > at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180) > at 
org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294) > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449) > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) > at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) > at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) > at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440) > at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:745)
Comment on attachment 36471 [details] catalina log with Unbalanced parenthesis error >Feb 07, 2019 4:36:45 PM org.apache.catalina.realm.JNDIRealm authenticate >SEVERE: Exception performing authentication >javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=exampledomain,DC=org' > at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143) > at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74) > at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546) > at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985) > at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844) > at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769) > at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) > at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) > at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341) > at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267) > at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790) > at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203) > at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052) > at com.siemens.cto.security.tomcat.RoleMapperRealm.authenticate(RoleMapperRealm.java:24) > at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146) > at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180) > at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294) > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449) > at com.siemens.soarian.se.slpa.tomcat.SlpaValve.invoke(SlpaValve.java:186) > at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78) > at 
com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78) > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) > at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) > at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) > at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440) > at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429) > at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:745) > >Feb 07, 2019 4:38:33 PM org.apache.catalina.realm.JNDIRealm authenticate >SEVERE: Exception performing authentication >javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=mfldclin,DC=org' > at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143) > at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74) > at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546) > at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985) > at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844) > at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769) > at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392) > at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358) > at 
com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341) > at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267) > at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790) > at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203) > at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052) > at com.siemens.cto.security.tomcat.RoleMapperRealm.authenticate(RoleMapperRealm.java:24) > at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146) > at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180) > at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294) > at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449) > at com.siemens.soarian.se.slpa.tomcat.SlpaValve.invoke(SlpaValve.java:186) > at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78) > at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78) > at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171) > at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) > at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408) > at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070) > at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) > at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440) > at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429) > at 
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:745)
8.0.x is no longer supported. Please test with the latest 8.5.x release and report back.
I've been able to test this with the latest 9.0.x. The bug is still present. I'm working on a fix.
Thanks for the report. Fixed in:
- trunk for 9.0.17 onwards
- 8.5.x for 8.5.39 onwards
- 7.0.x for 7.0.94 onwards