[JBoss JIRA] (SECURITY-930) A security-domain can only load login-modules from a single JBoss module

Tuesday, 4 October 2016

    [
https://issues.jboss.org/browse/SECURITY-930?page=com.atlassian.jira.plug...
] 

Stefan Guilhen commented on SECURITY-930:
-----------------------------------------

[~ppalaga] Yeah, I do have an update. The fix was applied a while ago to PicketBox master,
which was not yet used by WildFly until recently. Now that Elytron is being integrated we
have upgraded WildFly to use PicketBox 5.0.0 and we can now change the
ModuleClassLoaderLocator to make use of the new API that allows for the registration of
multiple modules.

So the issue affects two projects. The PicketBox side is covered by this issue and we
already have a fix for it. I'll add a reference to the commit that fixes the issue
here so we can close this issue. The WildFly side might need a different Jira to fix the
ModuleClassLoaderLocator.

I'll try to open the WF Jira and send a PR for it tonight.

...
  A security-domain can only load login-modules from a single JBoss
module 
 --------------------------------------------------------------------------

                 Key: SECURITY-930
                 URL: https://issues.jboss.org/browse/SECURITY-930
             Project: PicketBox 
          Issue Type: Bug
          Components: JBossSX, Security-SPI
            Reporter: Derek Horton
            Assignee: Stefan Guilhen

 A security-domain can only load login-modules from a single JBoss module.  Even though
the security-domain configuration will allow each login module defined within a single
security-domain to have a "module" attribute, the only module that is used to
load the login-modules is the last "module" attribute that the parsing system
locates.  
 For example, with the following configuration, it looks like
"org.jboss.example.CustomLoginModule" should be loaded from the
"org.jboss.example" jboss-module and
"org.jboss.example.CustomBaseCertLoginModule" should be loaded from the
"org.jboss.another.example" jboss-module:
   <security-domain name="jmx-console" cache-type="default">
       <authentication>
           <login-module code="org.jboss.example.CustomLoginModule"
module="org.jboss.example" flag="required">
               <module-option name="usersProperties"
value="${jboss.server.config.dir}/users.properties"/>
               <module-option name="rolesProperties"
value="${jboss.server.config.dir}/roles.properties"/>
           </login-module>
           <login-module code="org.jboss.example.CustomBaseCertLoginModule"
module="org.jboss.another.example" flag="required">
               <module-option name="usersProperties"
value="${jboss.server.config.dir}/users.properties"/>
               <module-option name="rolesProperties"
value="${jboss.server.config.dir}/roles.properties"/>
           </login-module>
       </authentication>
   </security-domain>
 Unfortunately, it does not work like this.  Only the
"org.jboss.another.example" jboss-module is used to load the custom login
modules.
 There seems to be two issues.  1)  The security subsystem code only "remembers"
the last module that is defined within a single security domain.  2)  I think issue #1 is
happening because the JBoss authentication code
(org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate()) defers
to the JVM's login module handling code.  The JVM appears to treat the login modules
as one atomic until and so a single classloader is set and then the JVM login module code
is invoked to handle the authentication requests. 

--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006