SynchronizingLoginModule prevents access to Dashboard ----------------------------------------------------- Key: JBPORTAL-1779 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1779 Project: JBoss Portal Issue Type: Bug Security Level: Public (Everyone can see) Components: Portal Security Affects Versions: 2.6.2 Final Environment: Pentium 3 - 2GB memroy - 20 GB of Free Space Windows XP Professional Service Pack 2 JBoss Portal 2.6.2 + JBoss AS 4.2.1 Bundle Reporter: Guy M. Spillman, Jr. Assigned To: Julien Viet Users who athenticate using an additional login module after the IdentityLoginModule get the following HTTP error when clicking on their Dashboard link: HTTP Status 403 - -------------------------------------------------------------------------------- type Status report message description Access to the specified resource () has been forbidden. -------------------------------------------------------------------------------- JBossWeb/2.0.0.GA Users who login with the IdentityLoginModule (such as the default user & admin usernames) will see their Dashboard content without problems. Problem was discovered using JaasLounge(http://jaaslounge.sourceforge.net/ ) NTLMLoginModule, but can be duplicated using JBoss' UsersRolesLoginModule. This problem was originally discussed in the following thread, but seams to be a different problem since it can be duplicated using JBoss code only. http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119733 Configuration: ${jboss.server.home.dir}\deploy\jboss-portal.sar\conf\login-config.xml: Code: <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient"> <module-option name="unauthenticatedIdentity">guest</module-option> <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option> <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option> <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option> <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option> <module-option name="additionalRole">Authenticated</module-option> <module-option name="password-stacking">useFirstPass</module-option> </login-module> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" /> <login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional"> <module-option name="synchronizeIdentity">true</module-option> <module-option name="synchronizeRoles">false</module-option> <module-option name="additionalRole">Authenticated</module-option> <module-option name="defaultAssignedRole">User</module-option> <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option> <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option> <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option> <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option> </login-module> ${jboss.server.home.dir}\conf\defaultRoles.properties: Code: testuser=test testuser2=test2 ${jboss.server.home.dir}\conf\defaultUsers.properties: Code: testuser=testrole1,testrole2 testuser2=testrole3,testrole4 Procedure: 1. Login a testuser/test. 2. Click Dashboard link. The HTTP Status 403 error described above will be displayed. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira