Boleslaw Dawidowicz resolved JBPORTAL-1779.
-------------------------------------------
Resolution: Done
Solved
There was a bug with permission check related to dashboards and it was not working properly
with any generic LoginModule implementation other than portal one.
Fixed in SVN - you can try it with JBoss_Portal_Branch_2_6 or wait for the 2.6.3 release.
SynchronizingLoginModule prevents access to Dashboard
-----------------------------------------------------
Key: JBPORTAL-1779
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1779
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal Security
Affects Versions: 2.6.2 Final
Environment: Pentium 3 - 2GB memory - 20 GB of Free Space
Windows XP Professional Service Pack 2
JBoss Portal 2.6.2 + JBoss AS 4.2.1 Bundle
Reporter: Guy M. Spillman, Jr.
Assigned To: Boleslaw Dawidowicz
Fix For: 2.6.3 Final
Users who authenticate using an additional login module after the IdentityLoginModule get
the following HTTP error when clicking on their Dashboard link:
HTTP Status 403 -
--------------------------------------------------------------------------------
type Status report
message
description Access to the specified resource () has been forbidden.
--------------------------------------------------------------------------------
JBossWeb/2.0.0.GA
Users who login with the IdentityLoginModule (such as the default user & admin
usernames) will see their Dashboard content without problems.
Problem was discovered using JaasLounge (http://jaaslounge.sourceforge.net/)
NTLMLoginModule, but can be duplicated using JBoss' UsersRolesLoginModule.
This problem was originally discussed in the following thread, but seems to be a
different problem since it can be duplicated using JBoss code only.
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119733
Configuration:
${jboss.server.home.dir}\deploy\jboss-portal.sar\conf\login-config.xml:
Code:
<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
  <module-option name="unauthenticatedIdentity">guest</module-option>
  <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
  <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
  <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
  <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
  <module-option name="additionalRole">Authenticated</module-option>
  <module-option name="password-stacking">useFirstPass</module-option>
</login-module>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
<login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
  <module-option name="synchronizeIdentity">true</module-option>
  <module-option name="synchronizeRoles">false</module-option>
  <module-option name="additionalRole">Authenticated</module-option>
  <module-option name="defaultAssignedRole">User</module-option>
  <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
  <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
  <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
  <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
</login-module>
${jboss.server.home.dir}\conf\defaultRoles.properties:
Code:
testuser=test
testuser2=test2
${jboss.server.home.dir}\conf\defaultUsers.properties:
Code:
testuser=testrole1,testrole2
testuser2=testrole3,testrole4
Procedure:
1. Log in as testuser/test.
2. Click Dashboard link.
The HTTP Status 403 error described above will be displayed.
--
This message is automatically generated by JIRA.
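Added example, not part of the JIRA issue or of JBoss Portal's code: Python that parses the reported login-module stack and applies the standard JAAS control-flag rules, showing that a user accepted by IdentityLoginModule never reaches the later modules, while testuser authenticates through UsersRolesLoginModule and SynchronizingLoginModule. The <authentication> wrapper element and the per-module login outcomes are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the reported stack. The <authentication> wrapper is an
# assumption added so the fragment parses; module options are left out.
STACK_XML = """
<authentication>
  <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient"/>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
  <login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional"/>
</authentication>
"""

def load_stack(xml_text):
    """Return [(simple class name, control flag)] in configuration order."""
    root = ET.fromstring(xml_text)
    return [(m.get("code").rsplit(".", 1)[-1], m.get("flag").lower())
            for m in root.iter("login-module")]

def evaluate(stack, outcomes):
    """Apply the JAAS control-flag rules to a module stack.

    outcomes maps module name -> whether its login() would succeed (assumed
    inputs; a missing name counts as failure).
    Returns (authenticated, names of modules whose login() was invoked).
    """
    invoked = []
    mandatory_failed = mandatory_ok = other_ok = False
    for name, flag in stack:
        ok = outcomes.get(name, False)
        invoked.append(name)
        if flag in ("required", "requisite"):
            mandatory_ok = mandatory_ok or ok
            mandatory_failed = mandatory_failed or not ok
            if flag == "requisite" and not ok:
                break          # requisite failure stops the stack
        elif ok:
            other_ok = True
            if flag == "sufficient" and not mandatory_failed:
                break          # sufficient success short-circuits the rest
    return (not mandatory_failed and (mandatory_ok or other_ok)), invoked

if __name__ == "__main__":
    stack = load_stack(STACK_XML)
    # Assumed outcomes: admin exists in the portal identity store, testuser
    # only in the UsersRolesLoginModule properties files.
    cases = {"admin": {"IdentityLoginModule": True},
             "testuser": {"UsersRolesLoginModule": True, "SynchronizingLoginModule": True}}
    for user, outcomes in cases.items():
        print(user, evaluate(stack, outcomes))
```

Both users come out authenticated, but only testuser's login passes through the modules after IdentityLoginModule, which is the path on which the report sees the 403.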