[ https://issues.jboss.org/browse/SECURITY-808?page=com.atlassian.jira.plug... ]
Lorenz Froihofer commented on SECURITY-808:
-------------------------------------------
Tracked down the issue a little bit further (picketbox-4.9.2.Final in Wildfly
9.0.1.Final):
JBossCallbackHandler.getPassword() falls back to try the dynamic invocation of a method
named "toCharArray":
{code:java}
// JBossCallbackHandler.getPassword(): reflective fallback for credential objects.
// `types` is assumed here to be the empty parameter-type array used for the lookup.
Class<?>[] types = {};
Method m = credential.getClass().getMethod("toCharArray", types); // throws NoSuchMethodException if absent
Object[] args = {};
password = (char[]) m.invoke(credential, args);
{code}
This fails with a NoSuchMethodException for a RemotingConnectionCredential object as this
class does not offer such a method. The exception handling just tries to create a
credential by using the "toString" method on the credential object (the
RemotingConnectionCredential) - leading to a String such as
org.jboss.as.security.remoting.RemotingConnectionCredential@22341334 instead of the real
password.
From what the code looks like, the RemotingConnectionCredential should allow for a
callback to get the password, but looking at it or the wrapped Connection class, one can
only get the username through org.jboss.remoting3.Connection.getUserInfo(), but no
password.
This seems to be a more general issue not only related to the DatabaseServerLoginModule
but to custom login modules as well:
https://developer.jboss.org/message/866429
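To make the fallback described in the comment concrete, here is an added, self-contained re-implementation of the same reflective lookup with a constructed stand-in credential class (OpaqueCredential); it is not PicketBox's code and the names extractPassword and looksLikeIdentityString are hypothetical. It shows why a credential type without toCharArray() yields the object's identity string, and a check a login module can apply to detect that case instead of comparing it against the stored password.

```java
import java.lang.reflect.Method;

// Constructed stand-in: like RemotingConnectionCredential in the report, it has no
// toCharArray() method and inherits Object.toString() ("fqcn@hexhash").
class OpaqueCredential {}

public class PasswordFallbackDemo {

    // Hypothetical mirror of the fallback chain described in the comment:
    // char[] / String directly, else reflective toCharArray(), else toString().
    static char[] extractPassword(Object credential) {
        if (credential instanceof char[]) return (char[]) credential;
        if (credential instanceof String) return ((String) credential).toCharArray();
        try {
            Method m = credential.getClass().getMethod("toCharArray");
            return (char[]) m.invoke(credential);
        } catch (Exception e) {
            // NoSuchMethodException lands here for OpaqueCredential
            return credential.toString().toCharArray();
        }
    }

    // Defensive check: Object.toString() produces getClass().getName() + "@" + hex(hashCode());
    // a "password" equal to that identity string is a mishandled credential, never a secret.
    static boolean looksLikeIdentityString(Object credential, char[] password) {
        String identity = credential.getClass().getName() + "@"
                + Integer.toHexString(credential.hashCode());
        return new String(password).equals(identity);
    }

    public static void main(String[] args) {
        Object stringCredential = "s3cret";           // constructed sample value
        Object opaqueCredential = new OpaqueCredential();

        char[] p1 = extractPassword(stringCredential);
        char[] p2 = extractPassword(opaqueCredential);

        System.out.println("String credential -> " + new String(p1)
                + " (identity string? " + looksLikeIdentityString(stringCredential, p1) + ")");
        System.out.println("Opaque credential -> " + new String(p2)
                + " (identity string? " + looksLikeIdentityString(opaqueCredential, p2) + ")");
    }
}
```

The second line printed shows the identity string that the bug report observed reaching the login module, and the check returns true for it, so a module can reject the attempt outright rather than hashing and comparing a non-password.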
Password not passed into DatabaseServerLoginModule
--------------------------------------------------
Key: SECURITY-808
URL: https://issues.jboss.org/browse/SECURITY-808
Project: PicketBox
Issue Type: Bug
Environment: WildFly8 on Windows 7 64-bit
Reporter: Stefan Eder
Assignee: Stefan Guilhen
Priority: Critical
Trying to migrate an application to WildFly (from AS6.1), the migration went pretty smoothly
except for using the security domain.
The application uses the ClientLoginModule on the client side and the
DatabaseServerLoginModule on the server side.
Though the DatabaseServerLoginModule is called, the validation of the password fails. I
debugged it and the reason seems to be that in
{{org.jboss.security.auth.callback.JBossCallbackHandler.getPassword()}} a
{{org.jboss.as.security.remoting.RemotingConnectionCredential@22341334}} is not handled
and hence instead of a password the String
{{org.jboss.as.security.remoting.RemotingConnectionCredential@22341334}} is passed through
to the DatabaseLoginModule.
See also [DatabaseServerLoginModule broken?|https://community.jboss.org/message/863295]
and the related posts.
--
This message was sent by Atlassian JIRA (v6.4.11#64026)