[jboss-jira] [JBoss JIRA] Created: (JBPORTAL-1779) SynchronizingLoginModule prevents access to Dashboard

Guy M. Spillman, Jr. (JIRA) jira-events at lists.jboss.org
Fri Nov 2 10:29:44 EDT 2007


SynchronizingLoginModule prevents access to Dashboard
-----------------------------------------------------

                 Key: JBPORTAL-1779
                 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1779
             Project: JBoss Portal
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Portal Security
    Affects Versions: 2.6.2 Final
         Environment: Pentium 3 - 2GB memory - 20 GB of Free Space
Windows XP Professional Service Pack 2
JBoss Portal 2.6.2 + JBoss AS 4.2.1 Bundle
            Reporter: Guy M. Spillman, Jr.
         Assigned To: Julien Viet


Users who authenticate using an additional login module after the IdentityLoginModule get the following HTTP error when clicking on their Dashboard link:

HTTP Status 403 -
--------------------------------------------------------------------------------
type Status report
message
description Access to the specified resource () has been forbidden.
--------------------------------------------------------------------------------
JBossWeb/2.0.0.GA 

Users who login with the IdentityLoginModule (such as the default user & admin usernames) will see their Dashboard content without problems.

Problem was discovered using JaasLounge (http://jaaslounge.sourceforge.net/) NTLMLoginModule, but can be duplicated using JBoss' UsersRolesLoginModule.

This problem was originally discussed in the following thread, but seems to be a different problem since it can be duplicated using JBoss code only.
http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119733 

Configuration:

${jboss.server.home.dir}\deploy\jboss-portal.sar\conf\login-config.xml:
Code:

<login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
  <module-option name="unauthenticatedIdentity">guest</module-option>
  <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
  <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
  <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
  <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
  <module-option name="additionalRole">Authenticated</module-option>
  <module-option name="password-stacking">useFirstPass</module-option>
</login-module>

<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />

<login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
  <module-option name="synchronizeIdentity">true</module-option>
  <module-option name="synchronizeRoles">false</module-option>
  <module-option name="additionalRole">Authenticated</module-option>
  <module-option name="defaultAssignedRole">User</module-option>
  <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
  <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
  <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
  <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
</login-module>


${jboss.server.home.dir}\conf\defaultRoles.properties:
Code:

testuser=test
testuser2=test2


${jboss.server.home.dir}\conf\defaultUsers.properties:
Code:

testuser=testrole1,testrole2
testuser2=testrole3,testrole4 

Procedure:

1.  Log in as testuser/test.
2.  Click Dashboard link.

The HTTP Status 403 error described above will be displayed. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
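
The two cases in the report differ in which modules of the posted stack take part in the JAAS login phase. The sketch below is an added example, not part of the original report and not JBoss code: it models the standard JAAS control-flag rules (login phase only) for that stack. The per-module outcomes are assumptions: a portal user known to IdentityLoginModule, and a user known only to UsersRolesLoginModule.

```python
# Model of the JAAS login-phase control flags for the stack in the report.
# Per-module outcomes are constructed assumptions, not observed JBoss behaviour.

STACK = [  # order and flags as posted in login-config.xml
    ("IdentityLoginModule", "sufficient"),
    ("UsersRolesLoginModule", "required"),
    ("SynchronizingLoginModule", "optional"),
]

SCENARIOS = {  # constructed: True means that module's login() would succeed
    "portal user": {"IdentityLoginModule": True,
                    "UsersRolesLoginModule": False,
                    "SynchronizingLoginModule": True},
    "external user": {"IdentityLoginModule": False,
                      "UsersRolesLoginModule": True,
                      "SynchronizingLoginModule": True},
    "unknown user": {"IdentityLoginModule": False,
                     "UsersRolesLoginModule": False,
                     "SynchronizingLoginModule": False},
}


def run_login_phase(stack, outcomes):
    """Return (authenticated, names of modules whose login() was invoked)."""
    invoked = []
    required_failed = False
    any_success = False
    for name, flag in stack:
        invoked.append(name)
        if outcomes[name]:
            any_success = True
            # A successful "sufficient" module ends the login phase at once,
            # unless an earlier required module has already failed.
            if flag == "sufficient" and not required_failed:
                return True, invoked
        elif flag == "requisite":
            return False, invoked      # requisite failure aborts immediately
        elif flag == "required":
            required_failed = True     # remembered; later modules still run
    return (any_success and not required_failed), invoked


if __name__ == "__main__":
    for label, outcomes in SCENARIOS.items():
        ok, invoked = run_login_phase(STACK, outcomes)
        print(f"{label}: authenticated={ok}, login() invoked on {invoked}")
```

Under these assumptions the SynchronizingLoginModule login step is reached only for users that IdentityLoginModule rejects, which is the path the reporter's testuser takes.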

        


