Project

General

Profile

Actions

Bug #16093

open

When LDAP auth time out, we get an exception in place of a nice explanation message

Added by François ARMAND over 2 years ago. Updated over 2 years ago.

Status:
New
Priority:
N/A
Assignee:
-
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0

Description

When the authentication to LDAP directory (or AD) time out on auth, we get that kind of exception:

2019-10-31 09:43:49] ERROR
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter
- An internal error occurred while trying to authenticate the user.
org.springframework.security.authentication.InternalAuthenticationServiceException:
some.auth.server:9876; nested exception is javax.naming.CommunicationException:
some.auth.server:9876 [Root exception is java.net.ConnectException: Connection
timed out (Connection timed out)
        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:191)
        at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:80)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:177)
        at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:92)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:211)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1288)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:443)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:532)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:227)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1044)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:372)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:189)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:978)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:154)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.server.Server.handle(Server.java:369)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:464)
        at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:924)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:985)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:861)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:236)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.springframework.ldap.CommunicationException:
some.auth.server:9876; nested exception is javax.naming.CommunicationException:
some.auth.server:9876 [Root exception is java.net.ConnectException: Connection
timed out (Connection timed out)]
        at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:100)
        at org.springframework.ldap.core.support.AbstractContextSource.createContext(AbstractContextSource.java:285)
        at org.springframework.ldap.core.support.AbstractContextSource.doGetContext(AbstractContextSource.java:119)
        at org.springframework.ldap.core.support.AbstractContextSource.getReadOnlyContext(AbstractContextSource.java:138)
        at org.springframework.ldap.core.LdapTemplate.executeReadOnly(LdapTemplate.java:791)
        at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleEntry(SpringSecurityLdapTemplate.java:194)
        at org.springframework.security.ldap.search.FilterBasedLdapUserSearch.searchForUser(FilterBasedLdapUserSearch.java:116)
        at org.springframework.security.ldap.authentication.BindAuthenticator.authenticate(BindAuthenticator.java:90)
        at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.doAuthentication(LdapAuthenticationProvider.java:178)
        ... 37 common frames omitted
Caused by: javax.naming.CommunicationException: some.auth.server:9876
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:238)
        at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
        at com.sun.jndi.ldap.LdapClientFactory.createPooledConnection(LdapClientFactory.java:64)
        at com.sun.jndi.ldap.pool.Connections.<init>(Connections.java:114)
        at com.sun.jndi.ldap.pool.Pool.getPooledConnection(Pool.java:136)
        at com.sun.jndi.ldap.LdapPoolManager.getLdapClient(LdapPoolManager.java:340)
        at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1601)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)

[2019-10-31 09:43:49] WARN  application - Login authentication failed for user 'unknown' from IP '127.0.0.1|X-Forwarded-For:123.123.123.123':some.auth.server:9876;
nested exception is javax.naming.CommunicationException: some.auth.server:9876 [Root exception is java.net.Co ...

This is not nice and we could try to make it more understandable for the UI user (and ops who try to understand what's happening).

We chose to let these exception because it's hard to know where the relevant part will be, and if we hide it behind a "trace" log level or something, it's hard to study after the fact what the problem was.

People, what do you thing would be best?

Actions #1

Updated by Vincent MEMBRÉ over 2 years ago

  • Target version changed from 5.0-1.3 to 5.0-1.4
Actions

Also available in: Atom PDF