Bug 63213 - Logging Unbalanced parenthesis error in catalina log during user login
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina
Version: 8.0.53
Hardware: PC All
Importance: P2 minor
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Reported: 2019-02-27 15:49 UTC by Hemanth Kumar
Modified: 2019-03-05 19:25 UTC



Attachments
catalina log with Unbalanced parenthesis error (5.89 KB, text/plain)
2019-02-27 15:49 UTC, Hemanth Kumar

Description Hemanth Kumar 2019-02-27 15:49:58 UTC
Created attachment 36471 [details]
catalina log with Unbalanced parenthesis error

The error below is logged when a user is attempting to log in.
It appears that the user is a member of a group with a DN that contains a left paren but no matching right paren. With roleNested attribute set to "TRUE" in Realm className, this seems to indicate that Tomcat is not properly escaping characters.

CN=LklApptCoordSched(RX,OU=Groups,DC=mfldclin,DC=org

org.apache.catalina.realm.JNDIRealm authenticate
SEVERE: Exception performing authentication
javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=mfldclin,DC=org'
at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
at com.siemens.cto.security.tomcat.RoleMapperRealm.authenticate(RoleMapperRealm.java:24)
at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
Comment 1 Hemanth Kumar 2019-02-28 05:19:33 UTC
Comment on attachment 36471 [details]
catalina log with Unbalanced parenthesis error

>Feb 07, 2019 4:36:45 PM org.apache.catalina.realm.JNDIRealm authenticate
>SEVERE: Exception performing authentication
>javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=****,DC=org'
>	at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
>	at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
>	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
>	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
>	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
>	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
>	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
>	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
>	at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
>	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
>	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
>	at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
>	at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294)
>	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
>	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440)
>	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429)
>	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>	at java.lang.Thread.run(Thread.java:745)
>
>Feb 07, 2019 4:38:33 PM org.apache.catalina.realm.JNDIRealm authenticate
>SEVERE: Exception performing authentication
>javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=****,DC=org'
>	at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
>	at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
>	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
>	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
>	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
>	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
>	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
>	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
>	at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
>	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
>	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
>	at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
>	at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294)
>	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
>	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440)
>	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429)
>	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>	at java.lang.Thread.run(Thread.java:745)
Comment 2 Hemanth Kumar 2019-02-28 05:31:41 UTC
Comment on attachment 36471 [details]
catalina log with Unbalanced parenthesis error

>Feb 07, 2019 4:36:45 PM org.apache.catalina.realm.JNDIRealm authenticate
>SEVERE: Exception performing authentication
>javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=exampledomain,DC=org'
>	at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
>	at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
>	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
>	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
>	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
>	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
>	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
>	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
>	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
>	at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
>	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
>	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>	at com.siemens.cto.security.tomcat.RoleMapperRealm.authenticate(RoleMapperRealm.java:24)
>	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
>	at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
>	at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294)
>	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
>	at com.siemens.soarian.se.slpa.tomcat.SlpaValve.invoke(SlpaValve.java:186)
>	at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78)
>	at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78)
>	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440)
>	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429)
>	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>	at java.lang.Thread.run(Thread.java:745)
>
>Feb 07, 2019 4:38:33 PM org.apache.catalina.realm.JNDIRealm authenticate
>SEVERE: Exception performing authentication
>javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name 'DC=mfldclin,DC=org'
>	at com.sun.jndi.ldap.Filter.encodeFilter(Filter.java:143)
>	at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:74)
>	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:546)
>	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1985)
>	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1844)
>	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1769)
>	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:392)
>	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:358)
>	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:341)
>	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:267)
>	at org.apache.catalina.realm.JNDIRealm.getRoles(JNDIRealm.java:1790)
>	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1203)
>	at org.apache.catalina.realm.JNDIRealm.authenticate(JNDIRealm.java:1052)
>	at com.siemens.cto.security.tomcat.RoleMapperRealm.authenticate(RoleMapperRealm.java:24)
>	at org.apache.catalina.realm.CombinedRealm.authenticate(CombinedRealm.java:146)
>	at org.apache.catalina.realm.LockOutRealm.authenticate(LockOutRealm.java:180)
>	at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:294)
>	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
>	at com.siemens.soarian.se.slpa.tomcat.SlpaValve.invoke(SlpaValve.java:186)
>	at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78)
>	at com.siemens.cto.security.tomcat.AbstractAuthenticationValve.invoke(AbstractAuthenticationValve.java:78)
>	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
>	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2440)
>	at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2429)
>	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>	at java.lang.Thread.run(Thread.java:745)
Comment 3 Mark Thomas 2019-02-28 16:54:20 UTC
8.0.x is no longer supported. Please test with the latest 8.5.x release and report back.
Comment 4 Mark Thomas 2019-03-05 15:09:54 UTC
I've been able to test this with the latest 9.0.x. The bug is still present. I'm working on a fix.
Comment 5 Mark Thomas 2019-03-05 19:25:54 UTC
Thanks for the report.

Fixed in:
- trunk for 9.0.17 onwards
- 8.5.x for 8.5.39 onwards
- 7.0.x for 7.0.94 onwards
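
The failure mode discussed in this report, as an added example (not Tomcat's code and not part of the bug thread): a group DN substituted unescaped into a role search filter leaves the filter unbalanced, while RFC 4515 escaping of the value keeps it well-formed. The pattern `(member={0})`, the class and method names, and the second DN are assumptions made for illustration.

```java
public class NestedRoleFilterDemo {

    // Assumed role search pattern; {0} stands for the group DN used in the nested lookup.
    static final String ROLE_SEARCH = "(member={0})";

    /** Escape a value for use inside an LDAP search filter (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Structural check only: every '(' is closed and the depth never goes negative. */
    static boolean parenthesesBalanced(String filter) {
        int depth = 0;
        for (int i = 0; i < filter.length(); i++) {
            char c = filter.charAt(i);
            if (c == '(') depth++;
            else if (c == ')' && --depth < 0) return false;
        }
        return depth == 0;
    }

    public static void main(String[] args) {
        String[] groupDns = {
            "CN=LklApptCoordSched(RX,OU=Groups,DC=mfldclin,DC=org", // DN from the report
            "CN=Ops (EU)*,OU=Groups,DC=example,DC=org"              // constructed sample
        };
        for (String dn : groupDns) {
            String raw = ROLE_SEARCH.replace("{0}", dn);
            String safe = ROLE_SEARCH.replace("{0}", escapeFilterValue(dn));
            System.out.println("raw:     " + raw + "  balanced=" + parenthesesBalanced(raw));
            System.out.println("escaped: " + safe + "  balanced=" + parenthesesBalanced(safe));
        }
    }
}
```

The constructed second DN stays balanced even unescaped, but its `*` would be read as a wildcard, which is why the value is escaped rather than merely checked for matching parentheses.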