Bug Report: LDAP Realm Breaks with Java 11.0.15 / FISH-6567
Description
When running Payara Community (2022.2 or older like 2021.10) on Java 11.0.15, I can no longer connect to an LDAP server (Active Directory). Running on Java 11.0.14 works fine.
Expected Outcome
Java 11.0.15 introduced security features that by default make parsing of JNDI URLs more strict.
https://www.oracle.com/java/technologies/javase/11-0-15-relnotes.html#JDK-8278972
But you're supposed to be able to relax these restrictions with the system property
-Dcom.sun.jndi.ldapURLParsing=legacy
My initial forum post with a very helpful response from Ondro Mihályi is here:
https://forum.payara.fish/t/ldap-realm-breaking-with-java-11-0-15/306/3?u=mrr39
Current Outcome
However, even with that setting I cannot connect to LDAP. The following exception is thrown:
ldaprealm.exception
javax.security.auth.login.LoginException: javax.naming.CommunicationException: [Root exception is java.net.SocketException: Unconnected sockets not implemented]
at com.sun.enterprise.security.auth.realm.ldap.LDAPRealm.findAndBind(LDAPRealm.java:497)
at com.sun.enterprise.security.auth.login.LDAPLoginModule.authenticateUser(LDAPLoginModule.java:101)
at com.sun.enterprise.security.BasePasswordLoginModule.login(BasePasswordLoginModule.java:143)
at java.base/javax.security.auth.login.LoginContext.invoke(LoginContext.java:747)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:672)
at java.base/javax.security.auth.login.LoginContext$4.run(LoginContext.java:670)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:670)
at java.base/javax.security.auth.login.LoginContext.login(LoginContext.java:581)
...
Caused by: java.net.SocketException: Unconnected sockets not implemented
at java.base/javax.net.SocketFactory.createSocket(SocketFactory.java:125)
at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:303)
at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:231)
... 68 more
Caused by: java.lang.UnsupportedOperationException
at java.base/javax.net.SocketFactory.createSocket(SocketFactory.java:123)
... 70 more
Steps to reproduce
- Run Payara on a Java version < 11.0.15
- Configure an LDAP Realm for admin-realm
- Successfully log in to admin console via UI
- Switch to Java version 11.0.15
- Add system property -Dcom.sun.jndi.ldapURLParsing=legacy
- Restart Payara
- Try to log in to admin console via UI
- Login fails and throws the exception above
Environment
- Distribution: Server Full Profile 5.2022.2
- JDK Version: OpenJDK 11.0.15
- Operating System: Linux and Mac
I can confirm that we see the same problem when upgrading Java 8 to 1.8.0_332. Additionally, we don't see this problem with GlassFish running on 1.8.0_332.
I can get around this problem for my applications (but not the admin console) by using the LdapIdentityStoreDefinition rather than the RealmIdentityStoreDefinition within an application config class.
The only difference is in the group search filter.
In the LdapIdentityStoreDefinition I have to use (note the "%s"):
groupSearchFilter = "(&(member:1.2.840.113556.1.4.1941:=%s)(objectClass=group))"
instead of:
<property name="group-search-filter" value="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%d))"></property>
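The innermost frames of the trace above (javax.net.SocketFactory.createSocket at lines 123 and 125, called from com.sun.jndi.ldap.Connection.createSocket) show the JNDI LDAP provider asking a SocketFactory for an unconnected socket via the no-argument createSocket() overload. The base class's default for that overload throws a SocketException("Unconnected sockets not implemented") caused by an UnsupportedOperationException, so any SocketFactory subclass that only implements the host/port overloads fails exactly this way once the caller switches to the create-then-connect pattern. The following is an added illustration of that contract, not code from the report or from Payara; the two factory classes and the probe method are hypothetical names, and nothing here claims how Payara's own LDAP realm factory is written.

```java
import javax.net.SocketFactory;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;

/**
 * Hypothetical factory (added example, not Payara code) that implements only the
 * "connected" overloads. It inherits the base class's no-argument createSocket(),
 * which throws SocketException("Unconnected sockets not implemented") with an
 * UnsupportedOperationException as its cause: the innermost two causes in the trace.
 */
class ConnectedOnlySocketFactory extends SocketFactory {
    @Override
    public Socket createSocket(String host, int port) throws IOException {
        return new Socket(host, port);
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException {
        return new Socket(host, port, localHost, localPort);
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return new Socket(host, port);
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
            throws IOException {
        return new Socket(address, port, localAddress, localPort);
    }
    // createSocket() is deliberately NOT overridden: the throwing default applies.
}

/** Same factory, additionally honouring the unconnected-socket overload. */
class UnconnectedAwareSocketFactory extends ConnectedOnlySocketFactory {
    @Override
    public Socket createSocket() {
        // Unconnected socket; the caller connects it itself, typically with a timeout.
        return new Socket();
    }
}

public class SocketFactoryContractDemo {
    /**
     * Mirrors the provider-side pattern of "create an unconnected socket, connect later".
     * Returns a short diagnosis instead of throwing so the two factories can be compared.
     */
    static String probe(SocketFactory factory) {
        try (Socket s = factory.createSocket()) {
            return factory.getClass().getSimpleName()
                    + ": ok, unconnected socket created (connected=" + s.isConnected() + ")";
        } catch (IOException e) {
            // For the base-class default this is a SocketException whose cause is
            // an UnsupportedOperationException, matching the trace in the report.
            String cause = e.getCause() == null ? "none" : e.getCause().getClass().getSimpleName();
            return factory.getClass().getSimpleName()
                    + ": fails with " + e.getClass().getSimpleName()
                    + " \"" + e.getMessage() + "\" caused by " + cause;
        }
    }

    public static void main(String[] args) {
        System.out.println(probe(new ConnectedOnlySocketFactory()));
        System.out.println(probe(new UnconnectedAwareSocketFactory()));
    }
}
```

Running this needs no LDAP server: the first line reports the SocketException with its UnsupportedOperationException cause, the second reports success. When diagnosing a realm or identity store that breaks on the 11.0.15 / 8u332 update, checking whether its SocketFactory implements the no-argument overload is therefore a quick first step, independent of the com.sun.jndi.ldapURLParsing setting, which only governs URL parsing and does not touch socket creation.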
Hi @m1kryn,
I tried reproducing it but I was unable to do so. Would you be kind enough to share with us a sample reproducer application?
Thanks, Shubham
Hi @m1kryn,
This same error has recently been escalated to our development team and is currently being tracked under the internal ID FISH-6567. We hope to have a fix for this available in the next release of Payara Community edition.
Thanks, James
Hi @m1kryn,
The fix for it will be implemented in Payara 5.2022.5.