Encrypting passwords with DIGEST prevents shutting down JBoss from command line
-------------------------------------------------------------------------------
Key: JBAS-5236
URL: http://jira.jboss.com/jira/browse/JBAS-5236
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: JBossAS-4.0.5.GA
Reporter: Marcus Moyses
Assigned To: Anil Saldhana
Fix For: JBossAS-5.0.0.GA

Following the instructions to encrypt the login module passwords as indicated in
http://jira.jboss.com/jira/browse/JBAS-2338 and then securing the jmx-invoker with the
same login module causes an error when trying to shut down JBoss from the command line:

[mmoyses@mmoyses bin]$ ./shutdown.sh -s localhost -u admin
Enter password for admin: xxx
Exception in thread "main" java.lang.SecurityException: Failed to authenticate principal=admin, securityDomain=jmx-console
    at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:97)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
    at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:179)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
    at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
    at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
    at sun.rmi.transport.Transport$1.run(Transport.java:153)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
    at java.lang.Thread.run(Thread.java:595)
    at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
    at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:126)
    at org.jboss.invocation.jrmp.server.JRMPInvoker_Stub.invoke(Unknown Source)
    at org.jboss.invocation.jrmp.interfaces.JRMPInvokerProxy.invoke(JRMPInvokerProxy.java:133)
    at org.jboss.invocation.InvokerInterceptor.invokeInvoker(InvokerInterceptor.java:365)
    at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:197)
    at org.jboss.jmx.connector.invoker.client.InvokerAdaptorClientInterceptor.invoke(InvokerAdaptorClientInterceptor.java:66)
    at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:70)
    at org.jboss.proxy.ClientMethodInterceptor.invoke(ClientMethodInterceptor.java:74)
    at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:100)
    at $Proxy0.invoke(Unknown Source)
    at org.jboss.Shutdown$ServerProxyHandler.invoke(Shutdown.java:266)
    at $Proxy1.shutdown(Unknown Source)
    at org.jboss.Shutdown.main(Shutdown.java:237)

Here is the server.log snippet:
2008-02-15 11:30:54,898 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Begin isValid, principal:admin, cache info: null
2008-02-15 11:30:54,898 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] defaultLogin, principal=admin
2008-02-15 11:30:54,898 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(jmx-console), size=8
2008-02-15 11:30:54,898 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(jmx-console), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=hashEncoding, value=rfc2617
name=rolesProperties, value=props/jmx-console-roles.properties
name=usersProperties, value=props/jmx-console-users.properties
name=hashUserPassword, value=false
name=passwordIsA1Hash, value=true
name=hashAlgorithm, value=MD5
name=hashStorePassword, value=true
name=storeDigestCallback, value=org.jboss.security.auth.spi.RFC2617Digest
2008-02-15 11:30:54,903 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@8295471
2008-02-15 11:30:54,903 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: jmx-console
2008-02-15 11:30:54,903 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Password hashing activated: algorithm = MD5, encoding = rfc2617, charset = {default}, callback = null, storeCallback = org.jboss.security.auth.spi.RFC2617Digest
2008-02-15 11:30:54,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
2008-02-15 11:30:54,909 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/opt/jboss-4.0.5.GA/server/default/conf/props/jmx-console-users.properties, defaults=null
2008-02-15 11:30:54,909 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin]
2008-02-15 11:30:54,909 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
2008-02-15 11:30:54,911 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/opt/jboss-4.0.5.GA/server/default/conf/props/jmx-console-roles.properties, defaults=null
2008-02-15 11:30:54,911 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin]
2008-02-15 11:30:54,911 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
2008-02-15 11:30:54,915 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Created DigestCallback: org.jboss.security.auth.spi.RFC2617Digest@c8d62f
2008-02-15 11:30:54,922 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
2008-02-15 11:30:54,922 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Login failure
javax.security.auth.login.LoginException: storeDigestCallback callback failed
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:409)
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:209)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
    at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:89)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
    at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:179)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
    at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
    at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
    at sun.rmi.transport.Transport$1.run(Transport.java:153)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
    at java.lang.Thread.run(Thread.java:595)
Caused by: javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
    at org.jboss.security.auth.callback.SecurityAssociationHandler.handle(SecurityAssociationHandler.java:128)
    at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:399)
    ... 42 more
2008-02-15 11:30:54,924 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] End isValid, false
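
Added example (not part of the original report or of JBoss code): a Python triage pass over TRACE output in the format shown above. It separates a login that failed because the callback handler rejected the storeDigestCallback's callbacks from any other failed login. The sample log is constructed, and the function names and cause labels are hypothetical.

```python
import re

# Constructed sample shaped like the server.log excerpt above (wrapped lines
# joined, stack trimmed); the second attempt is invented for contrast.
SAMPLE_LOG = """\
2008-02-15 11:30:54,898 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Begin isValid, principal:admin, cache info: null
Options:name=passwordIsA1Hash, value=true
name=storeDigestCallback, value=org.jboss.security.auth.spi.RFC2617Digest
javax.security.auth.login.LoginException: storeDigestCallback callback failed
Caused by: javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
    at org.jboss.security.auth.callback.SecurityAssociationHandler.handle(SecurityAssociationHandler.java:128)
2008-02-15 11:30:54,924 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] End isValid, false
2008-02-15 11:31:02,110 TRACE [org.jboss.security.plugins.JaasSecurityManager.other] Begin isValid, principal:bob, cache info: null
2008-02-15 11:31:02,115 TRACE [org.jboss.security.plugins.JaasSecurityManager.other] End isValid, false
"""
BEGIN = re.compile(r"JaasSecurityManager\.([\w-]+)\] Begin isValid, principal:([^,]+),")
END = re.compile(r"JaasSecurityManager\.([\w-]+)\] End isValid, (true|false)")
OPTION = re.compile(r"name=(\w+), value=(\S+)")
HANDLER = re.compile(r"at (\S+)\.handle\(")

def classify(a):
    if a["ok"]:
        return None
    unsupported = any(e.endswith("UnsupportedCallbackException") for e in a["errors"])
    if "storeDigestCallback" in a["options"] and unsupported:
        return "callback-handler-mismatch"  # configuration problem, not a bad password
    return "other-failure"

def triage(log_text):
    """Return one record per isValid attempt found in the TRACE log."""
    attempts, cur = [], None
    for line in map(str.strip, log_text.splitlines()):
        if m := BEGIN.search(line):
            cur = dict(domain=m[1], principal=m[2], options={}, errors=[], handler=None)
        elif cur is None:
            continue
        elif m := END.search(line):
            cur["ok"] = m[2] == "true"
            cur["cause"] = classify(cur)
            attempts.append(cur)
            cur = None
        elif m := OPTION.search(line):
            cur["options"][m[1]] = m[2]
        elif "Exception: " in line and not line.startswith("at "):
            cur["errors"].append(line.split("Caused by: ")[-1].split(":")[0])
        elif cur["handler"] is None and (m := HANDLER.match(line)):
            cur["handler"] = m[1]  # first CallbackHandler frame in the trace
    return attempts
```

Each record's "handler" field names the first CallbackHandler frame in the trace, which for the report above is the class that raised "Unrecognized Callback".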