RH Bugzilla Integration commented on SECURITY-803:
--------------------------------------------------
Carlo de Wolf <cdewolf(a)redhat.com> changed the Status of [bug
SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results
are not cached by the JAAS cache
------------------------------------------------------------------------------------------------------
Key: SECURITY-803
URL: https://issues.jboss.org/browse/SECURITY-803
Project: PicketBox
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: PicketBox
Affects Versions: PicketBox_4_0_19.Final
Reporter: Derek Horton
Assignee: Stefan Guilhen
Attachments: SECURITY-803.patch
In EAP 6, when using the SecureIdentityLoginModule to encrypt datasource passwords, the
results are not cached by the JAAS cache. In EAP 5, the results are cached. This can
lead to a performance issue.
The root cause appears to be that the EAP 6 JAAS cache does not allow for a JAAS cache
key to be null.
The issue only occurs when the application that uses the datasource is not secured. In
this situation, the principal is null when isValid() and updateCache() are called. When
the application is secured, the results are cached. I think it is working because the
results of the SecureIdentityLoginModule are cached using the authenticated user's
principal as the cache key.
Workaround:
Use vault for encrypting the database password. This does not use a JAAS login module so
the JAAS cache and login module are completely avoided.
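The null-key behaviour described in the report, as an added illustration that is not PicketBox or EAP code: a simplified model of a principal-keyed cache backed by a map that rejects null keys, counting how often the login module has to run for an unsecured (null principal) and a secured caller. The class, method and sample names are hypothetical, and skipping the cache when the principal is null is an assumption about how the miss comes about.

```java
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Simplified model (not PicketBox code) of a principal-keyed authentication
// cache whose backing map cannot hold a null key.
public class NullKeyCacheDemo {
    // ConcurrentHashMap throws NullPointerException on null keys, so a
    // null principal can never be stored or looked up.
    private final Map<Principal, String> cache = new ConcurrentHashMap<>();
    private int loginModuleRuns = 0;

    // Stand-in for the login module decrypting the datasource password.
    private String runLoginModule() {
        loginModuleRuns++;
        return "decrypted-password"; // constructed sample value
    }

    // Mirrors the isValid()/updateCache() sequence named in the report.
    String authenticate(Principal caller) {
        if (caller != null) {
            String hit = cache.get(caller);   // isValid(): cache lookup
            if (hit != null) {
                return hit;
            }
        }
        String result = runLoginModule();     // cache miss: full JAAS login
        if (caller != null) {
            cache.put(caller, result);        // updateCache()
        }
        return result;
    }

    public static void main(String[] args) {
        // Unsecured application: the datasource is used with no principal.
        NullKeyCacheDemo unsecured = new NullKeyCacheDemo();
        for (int i = 0; i < 100; i++) {
            unsecured.authenticate(null);
        }
        System.out.println("unsecured, login module runs: " + unsecured.loginModuleRuns);

        // Secured application: the authenticated user's principal is the key.
        NullKeyCacheDemo secured = new NullKeyCacheDemo();
        Principal user = () -> "alice"; // constructed principal; getName() only
        for (int i = 0; i < 100; i++) {
            secured.authenticate(user);
        }
        System.out.println("secured, login module runs: " + secured.loginModuleRuns);
    }
}
```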