[jboss-jira] [JBoss JIRA] Assigned: (JBPORTAL-1779) SynchronizingLoginModule prevents access to Dashboard

Boleslaw Dawidowicz (JIRA) jira-events at lists.jboss.org
Fri Nov 2 11:24:45 EDT 2007


     [ http://jira.jboss.com/jira/browse/JBPORTAL-1779?page=all ]

Boleslaw Dawidowicz reassigned JBPORTAL-1779:
---------------------------------------------

    Assignee: Boleslaw Dawidowicz  (was: Julien Viet)

> SynchronizingLoginModule prevents access to Dashboard
> -----------------------------------------------------
>
>                 Key: JBPORTAL-1779
>                 URL: http://jira.jboss.com/jira/browse/JBPORTAL-1779
>             Project: JBoss Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Portal Security
>    Affects Versions: 2.6.2 Final
>         Environment: Pentium 3 - 2GB memory - 20 GB of Free Space
> Windows XP Professional Service Pack 2
> JBoss Portal 2.6.2 + JBoss AS 4.2.1 Bundle
>            Reporter: Guy M. Spillman, Jr.
>         Assigned To: Boleslaw Dawidowicz
>             Fix For: 2.6.3 Final
>
>
> Users who authenticate using an additional login module after the IdentityLoginModule get the following HTTP error when clicking on their Dashboard link:
> HTTP Status 403 -
> --------------------------------------------------------------------------------
> type Status report
> message
> description Access to the specified resource () has been forbidden.
> --------------------------------------------------------------------------------
> JBossWeb/2.0.0.GA 
> Users who login with the IdentityLoginModule (such as the default user & admin usernames) will see their Dashboard content without problems.
> Problem was discovered using JaasLounge (http://jaaslounge.sourceforge.net/) NTLMLoginModule, but can be duplicated using JBoss' UsersRolesLoginModule.
> This problem was originally discussed in the following thread, but seems to be a different problem since it can be duplicated using JBoss code only.
> http://www.jboss.com/index.html?module=bb&op=viewtopic&t=119733 
> Configuration:
> ${jboss.server.home.dir}\deploy\jboss-portal.sar\conf\login-config.xml:
> Code:
> <login-module code="org.jboss.portal.identity.auth.IdentityLoginModule" flag="sufficient">
>   <module-option name="unauthenticatedIdentity">guest</module-option>
>   <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
>   <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
>   <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
>   <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
>   <module-option name="additionalRole">Authenticated</module-option>
>   <module-option name="password-stacking">useFirstPass</module-option>
> </login-module>
> <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
> <login-module code="org.jboss.portal.identity.auth.SynchronizingLoginModule" flag="optional">
>   <module-option name="synchronizeIdentity">true</module-option>
>   <module-option name="synchronizeRoles">false</module-option>
>   <module-option name="additionalRole">Authenticated</module-option>
>   <module-option name="defaultAssignedRole">User</module-option>
>   <module-option name="userModuleJNDIName">java:/portal/UserModule</module-option>
>   <module-option name="roleModuleJNDIName">java:/portal/RoleModule</module-option>
>   <module-option name="membershipModuleJNDIName">java:/portal/MembershipModule</module-option>
>   <module-option name="userProfileModuleJNDIName">java:/portal/UserProfileModule</module-option>
> </login-module>
> ${jboss.server.home.dir}\conf\defaultRoles.properties:
> Code:
> testuser=test
> testuser2=test2
> ${jboss.server.home.dir}\conf\defaultUsers.properties:
> Code:
> testuser=testrole1,testrole2
> testuser2=testrole3,testrole4 
> Procedure:
> 1.  Login as testuser/test.
> 2.  Click Dashboard link.
> The HTTP Status 403 error described above will be displayed. 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        


