[SECURITY-76] Creating a user with an @ in the username means the user cannot log in Created: 19/Dec/23  Updated: 19/Jan/24  Resolved: 16/Jan/24

Status: Closed
Project: Security
Component/s: None
Affects Version/s: 6.2.19
Fix Version/s: 6.2.20

Type: Bug Priority: Critical
Reporter: Tom Wespi Assignee: Khayal Musayev
Resolution: Fixed Votes: 0
Labels: SSO_and_Security_Initiative, dx-core-6.3
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MAGNOLIA-9233 Users whose name contains dots can't ... Closed
relation
Template:
Acceptance criteria:
Empty
Release notes required:
Yes
Team: AdminX
Work Started:
Approved:
Yes

 Description   

M 6 security app only

Steps to reproduce

  1. Go to demo author
  2. Create a user test@test with role superuser
  3. Try to log in with the user > login fails
  4. Rename the user to test > login fails again

.. Logs, screenshots, gifs...

Expected results

.. You can create a username with an @ in it, and the renamed user can log in
Justify non-trivial expectations with a link to a doc or a relevant discussion.

Actual results

User cannot login

Workaround

When existing usernames contain an @, you must use the previous security app.



 Comments   
Comment by Tom Wespi [ 19/Dec/23 ]

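Stacktrace (the NullPointerException is thrown from JCRAuthorizationModule.setACLForUser, reached via AbstractLoginModule.commit, and is reported as the LoginException that makes the login fail):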
2023-12-19 10:05:51,401 ERROR info.magnolia.cms.security.SecuritySupportBase    : Can't login due to: 
javax.security.auth.login.LoginException: java.lang.NullPointerException
at info.magnolia.jaas.sp.jcr.JCRAuthorizationModule.setACLForUser(JCRAuthorizationModule.java:126)
at info.magnolia.jaas.sp.jcr.JCRAuthorizationModule.setACL(JCRAuthorizationModule.java:111)
at info.magnolia.jaas.sp.AbstractLoginModule.commit(AbstractLoginModule.java:228)
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:729)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663)
at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663)
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:575)
at info.magnolia.cms.security.SecuritySupportBase.authenticate(SecuritySupportBase.java:61)
at info.magnolia.cms.security.SecuritySupport$ByteBuddy$IPUtLBmA$auxiliary$S6xtMnTF.apply(Unknown Source)
at info.magnolia.objectfactory.ObservedComponentFactory$Invoker.delegate(ObservedComponentFactory.java:173)
at info.magnolia.cms.security.SecuritySupport$ByteBuddy$IPUtLBmA.authenticate(Unknown Source)
at info.magnolia.cms.security.auth.login.LoginHandlerBase.authenticate(LoginHandlerBase.java:46)
at info.magnolia.cms.security.auth.login.FormLogin.handle(FormLogin.java:94)
at info.magnolia.cms.security.auth.login.LoginFilter.doFilter(LoginFilter.java:78)
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81)
at ch.esense.framework.filter.DeviceSupportFilter.doFilter(DeviceSupportFilter.java:59)
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
at info.magnolia.cms.filters.ContentTypeFilter.doFilter(ContentTypeFilter.java:155)
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
at info.magnolia.cms.filters.ContextFilter.doFilter(ContextFilter.java:128)
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79)
at info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:75)
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85)
at info.magnolia.cms.filters.SafeDestroyMgnlFilterWrapper.doFilter(SafeDestroyMgnlFilterWrapper.java:107)
at info.magnolia.cms.filters.MgnlFilterDispatcher.doDispatch(MgnlFilterDispatcher.java:67)
at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:110)
at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:830)
 
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:821) ~[?:?]
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:665) ~[?:?]
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:663) ~[?:?]
at java.base/java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:663) ~[?:?]
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:575) ~[?:?]
at info.magnolia.cms.security.SecuritySupportBase.authenticate(SecuritySupportBase.java:61) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.security.SecuritySupport$ByteBuddy$IPUtLBmA$auxiliary$S6xtMnTF.apply(Unknown Source) [magnolia-core-6.2.41.jar:?]
at info.magnolia.objectfactory.ObservedComponentFactory$Invoker.delegate(ObservedComponentFactory.java:173) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.security.SecuritySupport$ByteBuddy$IPUtLBmA.authenticate(Unknown Source) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.security.auth.login.LoginHandlerBase.authenticate(LoginHandlerBase.java:46) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.security.auth.login.FormLogin.handle(FormLogin.java:94) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.security.auth.login.LoginFilter.doFilter(LoginFilter.java:78) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:81) [magnolia-core-6.2.41.jar:?]
at ch.esense.framework.filter.DeviceSupportFilter.doFilter(DeviceSupportFilter.java:59) [framework-module-main-3.79.jar:?]
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.ContentTypeFilter.doFilter(ContentTypeFilter.java:155) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.ContextFilter.doFilter(ContextFilter.java:128) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.MgnlFilterChain.doFilter(MgnlFilterChain.java:79) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.CompositeFilter.doFilter(CompositeFilter.java:75) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.AbstractMgnlFilter.doFilter(AbstractMgnlFilter.java:85) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.SafeDestroyMgnlFilterWrapper.doFilter(SafeDestroyMgnlFilterWrapper.java:107) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.MgnlFilterDispatcher.doDispatch(MgnlFilterDispatcher.java:67) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:110) [magnolia-core-6.2.41.jar:?]
at info.magnolia.cms.filters.MgnlMainFilter.doFilter(MgnlMainFilter.java:96) [magnolia-core-6.2.41.jar:?]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:9.0.34]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:9.0.34]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202) [catalina.jar:9.0.34]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:9.0.34]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541) [catalina.jar:9.0.34]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [catalina.jar:9.0.34]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [catalina.jar:9.0.34]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690) [catalina.jar:9.0.34]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [catalina.jar:9.0.34]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343) [catalina.jar:9.0.34]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373) [tomcat-coyote.jar:9.0.34]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65) [tomcat-coyote.jar:9.0.34]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868) [tomcat-coyote.jar:9.0.34]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590) [tomcat-coyote.jar:9.0.34]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:9.0.34]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:9.0.34]
at java.base/java.lang.Thread.run(Thread.java:830) [?:?]
