[Security & JAAS/JBoss] - Re: DatabaseServerLoginModule with Cipher and PBEWithMD5AndD
by ragavgomatam
Check out the login-config.xml element in the following :-
<application-policy name = "testPBEIdentityLoginModule">
| <authentication>
| <login-module code = "org.jboss.resource.security.PBEIdentityLoginModule"
| flag = "required">
| <module-option name = "principal">sa</module-option>
| <module-option name = "userName">sa</module-option>
| <!--
| output from:
| org.jboss.resource.security.PBEIdentityLoginModule
| thesecret testPBEIdentityLoginModule abcdefgh 19 PBEWithMD5AndDES
| -->
| <module-option name = "password">3fp7R/7TMjyTTxhmePdJVk</module-option>
| <module-option name = "ignoreMissigingMCF">true</module-option>
| <module-option name = "pbealgo">PBEWithMD5AndDES</module-option>
| <module-option name = "pbepass">testPBEIdentityLoginModule</module-option>
| <module-option name = "salt">abcdefgh</module-option>
| <module-option name = "iterationCount">19</module-option>
| <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
| </login-module>
| </authentication>
| </application-policy>
| <application-policy name = "testPBEIdentityLoginModuleTmpFilePassword">
| <authentication>
| <login-module code = "org.jboss.resource.security.PBEIdentityLoginModule"
| flag = "required">
| <module-option name = "principal">sa</module-option>
| <module-option name = "userName">sa</module-option>
| <!--
| output from:
| org.jboss.resource.security.PBEIdentityLoginModule
| thesecret2 testPBEIdentityLoginModuleTmpFilePassword abcdefgh 19 PBEWithMD5AndDES
| -->
| <module-option name = "password">2zff525DS/OgTuWuJtHYHa</module-option>
| <module-option name = "ignoreMissigingMCF">true</module-option>
| <module-option name = "pbealgo">PBEWithMD5AndDES</module-option>
| <module-option name = "pbepass">{CLASS}org.jboss.security.plugins.TmpFilePassword:${java.io.tmpdir}/tmp.password,5000</module-option>
| <module-option name = "salt">abcdefgh</module-option>
| <module-option name = "iterationCount">19</module-option>
| <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
| </login-module>
| </authentication>
| </application-policy>
|
More information available at
http://wiki.jboss.org/wiki/ConfigJCALoginModule
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4169436#4169436
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4169436
17 years, 11 months
[Security & JAAS/JBoss] - Re: Users bookmarking login.jsp causes problems
by ragavgomatam
Hi
We ran into a similar problem before & if I remember correct, secure the <url-pattern> in your web.xml properly. The url that you put inside this tag is crucial. In our old struts based application our web.xml went like this :-
<welcome-file-list>
| <welcome-file>jsp/welcome.jsp</welcome-file>
| </welcome-file-list>
| <error-page>
| <error-code>500</error-code>
| <location>/jsp/error.jsp</location>
| </error-page>
| <security-constraint>
| <web-resource-collection>
| <web-resource-name>SecurePages</webresource-name>
| <description>
| Security constraint testing using custom Jaas Module
| </description>
| <url-pattern>*.do</url-pattern>
| <http-method>POST</http-method>
| <http-method>GET</http-method>
| </web-resource-collection>
So basically anything that goes to Struts Action Servlet is protected. Plus Users are not exposed to the jsp's directly. Even if they book-mark a page, they are redirected to welcome page
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4169433#4169433
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4169433
17 years, 11 months
[Beginners Corner] - Re: Monitor user sessions in JBoss
by mrgordonz
Hi Peter,
Thanks for that info. I tried browsing to http://localhost:8180/jmx-console/ on the server and I got a huge listing of stuff (I don't even know what the stuff is!). What I do know is the application I host (Saba) has a single ear file which I deploy (D:\SabaWeb\JBoss_Tomcat\server\default\deploy\saba.ear), and in the ear file is a saba.war file and a saba.jar file, which as I understand it is pretty much standard for J2EE applications. What I am interested in is how many people have an active session in that application.
I found what I think is the mbean you mentioned:
name=http-0.0.0.0-8180,type=ThreadPool
And when I follow the link it shows a value for currentThreadsBusy. I did a test by logging in as several different people, and then refreshed the mbean view, but nothing changed.
I find it odd that there is no easy way to find out how many users have an active session in a particular application - I would have thought that was a metric which most system administrators would like to monitor from time to time.
Cheers,
Paul Hobbs
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4169425#4169425
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4169425
17 years, 11 months
[Remoting] - Re: unrecognized invoker locator
by ron.sigal@jboss.com
"ecatum" wrote :
| l'InvokerLocator doesn't support loopback address.
|
| API InvokerLocator :
|
| Quote:
|
| NOTE: the hostname will automatically be resolved to the outside IP address of the local machine if localhost or 127.0.0.1 is used as the hostname in the URI. If it cannot be determined or resolved, it will use what was passed.
|
That's an old and misleading note, which I never noticed. In fact, InvokerLocator doesn't have any special treatment for "localhost" or "127.0.0.1", and I've updated the javadoc accordingly (https://jira.jboss.org/jira/browse/JBREM-1022).
As for the "unrecognized invoker locator", that's a different story. When the rmi proxy comes over from the server, it brings configuration information which is merged with configuration information on the client when the RMIClientInvoker is created. The "unrecognized invoker locator" occurs, as far as I can tell, when the RMI runtime uses the RemotingRMIClientSocketFactory, for its own purposes, before the RMIClientInvoker has been created. I don't believe your application should be affected at all.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4169424#4169424
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4169424
17 years, 11 months