0
votes

I am extending a userstore manager, ActiveDirectoryUserStoreManager, for WSO2AM 2.1.0, overriding the protected String[] doGetExternalRoleListOfUser method to add roles from an external authorization service (roles are used for scope authorization).

All looks to be working locally, but in other environments (deployed on Kubernetes), when requesting a token (code grant) I get the following exception: Error occurred while accessing Java Security Manager Privilege Block

(other grant types are working with no issue)

ERROR {org.wso2.carbon.identity.oauth2.OAuth2Service} - Error occurred while issuing the access token for Client ID : ddSiloINsMx5fwp08FqqF62hcaaa, User ID null, Scope : [] and Grant Type : authorization_code
java.util.AbstractCollection.addAll(AbstractCollection.java:343) 
org.wso2.carbon.apimgt.keymgt.ScopesIssuer.setScopes(ScopesIssuer.java:110)
org.wso2.carbon.apimgt.keymgt.handlers.ExtendedAuthorizationCodeGrantHandler.validateScope(ExtendedAuthorizationCodeGrantHandler.java:48)
org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:242) 
...
ERROR {org.wso2.carbon.apimgt.keymgt.issuers.RoleBasedScopesIssuer} - Error when getting the tenant's UserStoreManager or when getting roles of user 
org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:177) 
org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUser(AbstractUserStoreManager.java:2586) 
org.wso2.carbon.apimgt.keymgt.issuers.RoleBasedScopesIssuer.getScopes(RoleBasedScopesIssuer.java:118) 
org.wso2.carbon.apimgt.keymgt.ScopesIssuer.setScopes(ScopesIssuer.java:109) 
...
ERROR {org.wso2.carbon.user.core.common.AbstractUserStoreManager} - Error occurred while accessing Java Security Manager Privilege Block

Checking the source code I see there are secure calls made (callSecure), for which I don't see an immediate reason (though I assume there must be a security reason if someone made so much effort).

The same issue pops up when validating the token (invoking an API requiring a scope).

As it is working locally, atm I am unable to provide a working testable (repeatable) case; as soon as I have one I will update the question.

Using the default AD userstore manager there's no issue whatsoever; we just don't have the external roles available for authorization.


1 Answer

1
votes

There was another log entry in the wso2carbon.log (though not in the console; logs are available through the Carbon console):

Caused by: java.lang.NullPointerException
    at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.getLDAPRoleListOfUser(ReadOnlyLDAPUserStoreManager.java:1928)
    at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.doGetExternalRoleListOfUser(ReadOnlyLDAPUserStoreManager.java:2041)
    at com.rd.poa.auth.roleuserstore.ExtRoleUserstore.doGetExternalRoleListOfUser(ExtRoleUserstore.java:162)
    at org.wso2.carbon.user.core.common.AbstractUserStoreManager.doGetRoleListOfUser(AbstractUserStoreManager.java:3730)
    at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUser(AbstractUserStoreManager.java:2615) 

It seems users were members of groups outside the "GroupSearch" filter. Making the group search base contain all LDAP groups seems to help (so far).

Another needed action was stripping the FEDERATED realm from the username: WSO2AM2.1.0-update12 scope roles for federated users.
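For reference, an added sketch (not the asker's ExtRoleUserstore and not WSO2 code) of how the override from the question can combine the realm stripping from this answer with a null-safe merge of LDAP and external roles. It assumes the doGetExternalRoleListOfUser(String, String) signature of AbstractUserStoreManager, a no-arg constructor on ActiveDirectoryUserStoreManager, and that federated names carry a "FEDERATED/" prefix; the external lookup is left abstract because it is deployment-specific.

```java
import java.util.LinkedHashSet;
import java.util.Set;

import org.wso2.carbon.user.core.UserStoreException;
import org.wso2.carbon.user.core.ldap.ActiveDirectoryUserStoreManager;

// Hypothetical class name: appends roles from an external authorization service
// to the LDAP group roles the AD user store already resolves.
public abstract class ExternalRoleUserStoreManager extends ActiveDirectoryUserStoreManager {

    // Assumed domain prefix WSO2 puts on federated user names ("FEDERATED/alice");
    // the AD lookup needs the bare name, otherwise group resolution fails.
    static final String FEDERATED_PREFIX = "FEDERATED/";

    @Override
    protected String[] doGetExternalRoleListOfUser(String userName, String filter)
            throws UserStoreException {
        String ldapUser = stripFederatedRealm(userName);
        // LDAP group roles. A group outside GroupSearchBase makes this call fail
        // (the NPE in the answer); that is fixed in the user store config, not here.
        String[] ldapRoles = super.doGetExternalRoleListOfUser(ldapUser, filter);
        return mergeRoles(ldapRoles, lookupExternalRoles(ldapUser));
    }

    // Roles from the external authorization service; implementation is deployment-specific.
    protected abstract String[] lookupExternalRoles(String userName) throws UserStoreException;

    // Removes a leading "FEDERATED/" (case-insensitive); other names pass through unchanged.
    static String stripFederatedRealm(String userName) {
        if (userName != null
                && userName.regionMatches(true, 0, FEDERATED_PREFIX, 0, FEDERATED_PREFIX.length())) {
            return userName.substring(FEDERATED_PREFIX.length());
        }
        return userName;
    }

    // Null-safe, order-preserving union so the scope check sees each role exactly once.
    static String[] mergeRoles(String[] ldapRoles, String[] externalRoles) {
        Set<String> merged = new LinkedHashSet<>();
        for (String[] source : new String[][] { ldapRoles, externalRoles }) {
            if (source == null) {
                continue;
            }
            for (String role : source) {
                if (role != null && !role.trim().isEmpty()) {
                    merged.add(role.trim());
                }
            }
        }
        return merged.toArray(new String[0]);
    }
}
```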