[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-1778) SynchronizingLoginModule synchronizeRoles still syncs existing roles when set to false

Guy M. Spillman, Jr. (JIRA) jira-events at lists.jboss.org
Fri Nov 2 09:44:45 EDT 2007


SynchronizingLoginModule synchronizeRoles still syncs existing roles when set to false
--------------------------------------------------------------------------------------

                 Key: JBPORTAL-1778
                 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1778
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Portal Security
    Affects Versions: 2.6.2 Final
         Environment: Pentium 3 - 2GB memory - 20 GB of Free Space
Windows XP Professional Service Pack 2
JBoss Portal 2.6.2 + JBoss AS 4.2.1 Bundle
            Reporter: Guy M. Spillman, Jr.
         Assigned To: Julien Viet


Problem was discovered using JaasLounge (http://jaaslounge.sourceforge.net/) NTLMLoginModule, but can be duplicated using JBoss' UsersRolesLoginModule.

Configuration:

${jboss.server.home.dir}\deploy\jboss-portal.sar\conf\login-config.xml:
Code:

<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
  <module-option name="unauthenticatedIdentity">guest</module-option>
  <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
  <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
  <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
  <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
  <module-option name="additionalRole">Authenticated</module-option>
  <module-option name="password-stacking">useFirstPass</module-option>
</login-module>

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />

<login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
  <module-option name="synchronizeIdentity">true</module-option>
  <module-option name="synchronizeRoles">false</module-option>
  <module-option name="additionalRole">Authenticated</module-option>
  <module-option name="defaultAssignedRole">User</module-option>
  <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
  <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
  <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
  <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
</login-module>		


${jboss.server.home.dir}\conf\defaultRoles.properties:
Code:

testuser=test
testuser2=test2


${jboss.server.home.dir}\conf\defaultUsers.properties:
Code:

testuser=testrole1,testrole2
testuser2=testrole3,testrole4
	
Procedure:

1. Apply above configuration, run JBoss, and navigate to portal using browser.
2. Login using testuser/test.
3. Logout
4. Login using admin/admin
5. Click on the "Admin" link
6. Click on the "Members" tab
7. Click on "User Management" sub tab
8. Click on "Search Users" link
9. Find the "testuser" that should have been auto created in step #2
10. Click on "Role Management" sub tab
11. Click on "Create New Role" link
12. Enter "portalrole" for both "Role" and "Display Name" edit boxes (Role must not exist in defaultRoles.properties)
13. Click "Submit" button
14. Click on "User Management" sub tab
15. Click on "Search Users" link
16. Click on the "Roles" link to the right of "testuser"
17. Click the "portalrole" checkbox.
18. Click the "Submit" button.
19. Logout
20. Login using testuser/test
21. Navigate around the portal at your leisure (Sometimes this step can be skipped)
22. Logout
23. Login using admin/admin
24. Click on the "Admin" link
25. Click on the "Members" tab
26. Click on "User Management" sub tab
27. Click on "Search Users" link
28. Click on the "Roles" link to the right of "testuser"

The "portalrole" is no longer checked.  Expected it to remain checked.
