Justin Cranford updated SECURITY-591:
-------------------------------------
Attachment: Authentication-RenegotiationOff-Error.txt
Authentication-RenegotiationOn-OK.txt
Security TRACE logs for JBoss AS 6.0 Final when authenticating an X.509 client user. In this
case I was using DatabaseServerLoginModule first, and then password stacking
BaseCertLoginModule & DatabaseServerLoginModule (3 total modules). I later combined
BaseCertLoginModule & DatabaseServerLoginModule into DatabaseCertLoginModule (2 total
modules), but the JBossSX+JBossWebRealm+Resteasy exceptions were the same.
Single security domain with DatabaseServerLoginModule and
DatabaseCertLoginModule only works if allowUnsafeLegacyRenegotiation="true"
-------------------------------------------------------------------------------------------------------------------------------------
Key: SECURITY-591
URL: https://issues.jboss.org/browse/SECURITY-591
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: JBossSX
Affects Versions: PicketBox_v3_0_CR2
Environment: Windows 7 Enterprise x64
Eclipse EE 3.6.2
Oracle JDK 6u24
JBoss 6.0 AS Final (PicketBox 3.0.0CR2)
SQL Server Express 2008 R2 x64
Reporter: Justin Cranford
Assignee: Anil Saldhana
Attachments: Authentication-RenegotiationOff-Error.txt,
Authentication-RenegotiationOn-OK.txt
I am blocked by broken functionality in JBossSX login modules. The functionality is
broken because SSL renegotiation is disabled. Disabling SSL renegotiation is valid, but is
it possible to fix or work around the login module issue without enabling SSL
renegotiation?
- I posed this question on the PicketBox forum, but perhaps it belongs here instead.
http://community.jboss.org/message/604544#604544
- I get similar exceptions in Resteasy as what this person reported in SOAP.
https://issues.jboss.org/browse/JBPAPP-3889
- The original issue to disable SSL renegotiation by default is tracked by this issue,
and it mentions how functionality might break. However, there is no mention of potential
workarounds or fixes.
https://issues.jboss.org/browse/JBPAPP-3845
My requirements are to support Resteasy web access over HTTPS using one of 2
authentication methods. For localhost access, user/pass authentication is sufficient. For
remote access, X.509 client cert authentication is required.
To implement these requirements, I deployed two nearly identical Resteasy web apps. The
only differences are the context path in jboss-web.xml, and <auth-constraint> and
<auth-method> in web.xml.
1) localhost HTTPS web app => username/password (LocalAdmin role only)
<login-config><auth-method>BASIC</auth-method><realm-name>JustinCranfordSecurityDomain</realm-name></login-config>
<security-role><role-name>LocalAdmin</role-name></security-role>
2) remote HTTPS => x.509 client cert (RemoteAdmin role only)
<login-config><auth-method>CLIENT-CERT</auth-method><realm-name>JustinCranfordSecurityDomain</realm-name></login-config>
<security-role><role-name>RemoteAdmin</role-name></security-role>
Both web apps are wrappers for the same EJB3 code, so I am forced to combine
DatabaseServerLoginModule and DatabaseCertLoginModule into the same
<application-policy> in login-config.xml.
<application-policy name="JustinCranfordSecurityDomain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
      <module-option name="dsJndiName">java:/JustinCranfordDataSource</module-option>
      <module-option name="principalsQuery">SELECT password FROM actor WHERE name=?</module-option>
      <module-option name="rolesQuery">SELECT r.name,'Roles' FROM actor a,role r WHERE r.id=a.roleid AND a.name=?</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <module-option name="unauthenticatedIdentity">unauthenticated</module-option>
    </login-module>
    <login-module code="org.jboss.security.auth.spi.DatabaseCertLoginModule" flag="required">
      <module-option name="securityDomain">java:/jaas/JustinCranfordSecurityDomain</module-option>
      <module-option name="dsJndiName">java:/JustinCranfordDataSource</module-option>
      <module-option name="principalsQuery">SELECT password FROM actor WHERE dname=?</module-option>
      <module-option name="rolesQuery">SELECT r.name,'Roles' FROM actor a,role r WHERE r.id=a.roleid AND a.dname=?</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
      <module-option name="unauthenticatedIdentity">unauthenticated</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
  </authentication>
</application-policy>
DatabaseCertLoginModule only works if my web app turns on SSL renegotiation in server.xml
via the allowUnsafeLegacyRenegotiation="true" attribute.
If turned off, I get SSL renegotiation disabled messages in JBossSX login modules.
However, DatabaseCertLoginModule says the user is authenticated, and I see
"Successfully passed all security constraints". Unfortunately JBossWebRealm then
throws an exception "Security Context has not been set", control passes to
Resteasy, and then "jboss.web" container throws an exception "Exception
getting SSL attributes: java.net.SocketException: Socket Closed" and "No
certificates included with this request".
At the very least, JBossSX should handle these problems more gracefully. SSL
renegotiation is disabled by default after all.
Is it possible to fix these issues in JBossSX? Are there any workarounds in the meantime?
--
This message is automatically generated by JIRA.
For more information on JIRA, see:
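The shared <application-policy> in the report above works for both web apps because of the standard JAAS control flags (sufficient/required), not because of anything JBossSX-specific. The following is an added example, not code from the issue or from PicketBox/JBossSX: it walks the posted three-module stack through the javax.security.auth.login.Configuration flag rules for the two deployments described (BASIC on localhost, CLIENT-CERT remotely). The module names and flags are taken from the posted login-config.xml; the per-module success/failure outcomes are constructed inputs, and each module is treated as a black box (module options such as unauthenticatedIdentity, and the renegotiation failure itself, are not modelled).

```python
"""JAAS control-flag walk-through for the login-config.xml stack in SECURITY-591.

Added example (not from the JIRA issue or from PicketBox/JBossSX). Models only
the standard javax.security.auth.login.Configuration flag semantics and treats
each login module as succeeding or failing as a whole.
"""
from typing import Dict, List, Tuple

# The three-module stack as posted in the issue, in evaluation order.
ISSUE_STACK: List[Tuple[str, str]] = [
    ("DatabaseServerLoginModule", "sufficient"),
    ("DatabaseCertLoginModule", "required"),
    ("ClientLoginModule", "required"),
]


def evaluate_stack(stack: List[Tuple[str, str]],
                   outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Return (overall_success, modules_actually_invoked) for one login.

    `outcomes` maps module name -> whether that module's login() would succeed;
    a module missing from the map is treated as failing.

    Flag rules (javax.security.auth.login.Configuration):
      required   : must succeed; evaluation continues down the list either way.
      requisite  : must succeed; on failure control returns immediately.
      sufficient : on success control returns immediately, unless an earlier
                   required/requisite module already failed; on failure continue.
      optional   : result does not matter; continue either way.
    Overall success requires every required/requisite module that was reached
    to succeed; if none are configured, at least one sufficient/optional
    module must succeed.
    """
    invoked: List[str] = []
    mandatory_seen = False      # a required/requisite module was evaluated
    mandatory_failed = False    # ... and at least one of them failed
    any_optional_ok = False     # a sufficient/optional module succeeded

    for name, flag in stack:
        ok = outcomes.get(name, False)
        invoked.append(name)
        flag = flag.lower()
        if flag in ("required", "requisite"):
            mandatory_seen = True
            if not ok:
                mandatory_failed = True
                if flag == "requisite":
                    break           # requisite failure: stop immediately
        elif flag == "sufficient":
            if ok:
                any_optional_ok = True
                if not mandatory_failed:
                    break           # sufficient success: stop, login succeeds
        elif flag == "optional":
            if ok:
                any_optional_ok = True
        else:
            raise ValueError(f"unknown control flag {flag!r} on {name}")

    success = (not mandatory_failed) if mandatory_seen else any_optional_ok
    return success, invoked


def issue_scenarios() -> Dict[str, Tuple[bool, List[str]]]:
    """The two deployments from the issue plus one rejected-certificate case.

    Outcomes are constructed: BASIC supplies a username/password that the
    database module accepts; CLIENT-CERT supplies no password, so the database
    module fails and the certificate module decides the result.
    """
    return {
        # localhost web app, <auth-method>BASIC</auth-method>
        "basic_localhost": evaluate_stack(ISSUE_STACK, {
            "DatabaseServerLoginModule": True,
        }),
        # remote web app, <auth-method>CLIENT-CERT</auth-method>, cert mapped to a DN row
        "client_cert_remote": evaluate_stack(ISSUE_STACK, {
            "DatabaseServerLoginModule": False,
            "DatabaseCertLoginModule": True,
            "ClientLoginModule": True,
        }),
        # remote web app, certificate DN not found in the actor table
        "client_cert_rejected": evaluate_stack(ISSUE_STACK, {
            "DatabaseServerLoginModule": False,
            "DatabaseCertLoginModule": False,
            "ClientLoginModule": True,
        }),
    }


if __name__ == "__main__":
    for label, (ok, invoked) in issue_scenarios().items():
        print(f"{label:22s} success={ok!s:5s} invoked={' -> '.join(invoked)}")
```

Running the module shows that the BASIC deployment never reaches DatabaseCertLoginModule at all (the sufficient module returns control as soon as it succeeds), while the CLIENT-CERT deployment depends entirely on DatabaseCertLoginModule and ClientLoginModule both succeeding; a rejected certificate fails the whole login even though ClientLoginModule still runs.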