Marcus Moyses closed JBAS-5236.
-------------------------------
Resolution: Won't Fix
The security domain used to secure the jmx-invoker cannot use DIGEST encryption. This can
only be used in the web container as the realm name is used in the encryption process.
Encrypting passwords with DIGEST prevents shutting down JBoss from command line
-------------------------------------------------------------------------------
Key: JBAS-5236
URL: https://jira.jboss.org/jira/browse/JBAS-5236
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Security
Affects Versions: JBossAS-4.0.5.GA
Reporter: Marcus Moyses
Assignee: Marcus Moyses
Priority: Minor
Fix For: JBossAS-5.0.0.CR2
Following the instructions to encrypt the login module passwords as indicated in
http://jira.jboss.com/jira/browse/JBAS-2338 and then securing the jmx-invoker with the
same login module causes an error when trying to shut down JBoss from the command line.
[mmoyses@mmoyses bin]$ ./shutdown.sh -s localhost -u admin
Enter password for admin: xxx
Exception in thread "main" java.lang.SecurityException: Failed to authenticate principal=admin, securityDomain=jmx-console
    at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:97)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
    at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:179)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
    at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
    at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
    at sun.rmi.transport.Transport$1.run(Transport.java:153)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
    at java.lang.Thread.run(Thread.java:595)
    at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
    at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
    at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:126)
    at org.jboss.invocation.jrmp.server.JRMPInvoker_Stub.invoke(Unknown Source)
    at org.jboss.invocation.jrmp.interfaces.JRMPInvokerProxy.invoke(JRMPInvokerProxy.java:133)
    at org.jboss.invocation.InvokerInterceptor.invokeInvoker(InvokerInterceptor.java:365)
    at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:197)
    at org.jboss.jmx.connector.invoker.client.InvokerAdaptorClientInterceptor.invoke(InvokerAdaptorClientInterceptor.java:66)
    at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:70)
    at org.jboss.proxy.ClientMethodInterceptor.invoke(ClientMethodInterceptor.java:74)
    at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:100)
    at $Proxy0.invoke(Unknown Source)
    at org.jboss.Shutdown$ServerProxyHandler.invoke(Shutdown.java:266)
    at $Proxy1.shutdown(Unknown Source)
    at org.jboss.Shutdown.main(Shutdown.java:237)
Here is the server.log snippet:
2008-02-15 11:30:54,898 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Begin isValid, principal:admin, cache info: null
2008-02-15 11:30:54,898 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] defaultLogin, principal=admin
2008-02-15 11:30:54,898 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(jmx-console), size=8
2008-02-15 11:30:54,898 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(jmx-console), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=hashEncoding, value=rfc2617
name=rolesProperties, value=props/jmx-console-roles.properties
name=usersProperties, value=props/jmx-console-users.properties
name=hashUserPassword, value=false
name=passwordIsA1Hash, value=true
name=hashAlgorithm, value=MD5
name=hashStorePassword, value=true
name=storeDigestCallback, value=org.jboss.security.auth.spi.RFC2617Digest
2008-02-15 11:30:54,903 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@8295471
2008-02-15 11:30:54,903 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: jmx-console
2008-02-15 11:30:54,903 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Password hashing activated: algorithm = MD5, encoding = rfc2617, charset = {default}, callback = null, storeCallback = org.jboss.security.auth.spi.RFC2617Digest
2008-02-15 11:30:54,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
2008-02-15 11:30:54,909 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/opt/jboss-4.0.5.GA/server/default/conf/props/jmx-console-users.properties, defaults=null
2008-02-15 11:30:54,909 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin]
2008-02-15 11:30:54,909 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
2008-02-15 11:30:54,911 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/opt/jboss-4.0.5.GA/server/default/conf/props/jmx-console-roles.properties, defaults=null
2008-02-15 11:30:54,911 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin]
2008-02-15 11:30:54,911 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
2008-02-15 11:30:54,915 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Created DigestCallback: org.jboss.security.auth.spi.RFC2617Digest@c8d62f
2008-02-15 11:30:54,922 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
2008-02-15 11:30:54,922 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Login failure
javax.security.auth.login.LoginException: storeDigestCallback callback failed
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:409)
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:209)
    at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
    at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:89)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
    at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:179)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
    at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
    at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
    at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
    at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
    at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
    at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
    at sun.rmi.transport.Transport$1.run(Transport.java:153)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
    at java.lang.Thread.run(Thread.java:595)
Caused by: javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
    at org.jboss.security.auth.callback.SecurityAssociationHandler.handle(SecurityAssociationHandler.java:128)
    at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:399)
    ... 42 more
2008-02-15 11:30:54,924 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] End isValid, false