[jboss-jira] [JBoss JIRA] Closed: (JBAS-5236) Encrypting passwords with DIGEST prevents shutting down JBoss from command line
Marcus Moyses (JIRA)
jira-events at lists.jboss.org
Mon Jul 28 13:35:45 EDT 2008
[ https://jira.jboss.org/jira/browse/JBAS-5236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Marcus Moyses closed JBAS-5236.
-------------------------------
Resolution: Won't Fix
The security domain used to secure the jmx-invoker cannot use DIGEST encryption. This can only be used in the web container as the realm name is used in the encryption process.
> Encrypting passwords with DIGEST prevents shutting down JBoss from command line
> -------------------------------------------------------------------------------
>
> Key: JBAS-5236
> URL: https://jira.jboss.org/jira/browse/JBAS-5236
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.0.5.GA
> Reporter: Marcus Moyses
> Assignee: Marcus Moyses
> Priority: Minor
> Fix For: JBossAS-5.0.0.CR2
>
>
> Following the instructions to encrypt the login module passwords as indicated in http://jira.jboss.com/jira/browse/JBAS-2338 and then securing the jmx-invoker with the same login module causes an error when trying to shut down JBoss from the command line.
> [mmoyses@mmoyses bin]$ ./shutdown.sh -s localhost -u admin
> Enter password for admin: xxx
> Exception in thread "main" java.lang.SecurityException: Failed to authenticate principal=admin, securityDomain=jmx-console
> at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:97)
> at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
> at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
> at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
> at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:179)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
> at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
> at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
> at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
> at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
> at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
> at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
> at sun.rmi.transport.Transport$1.run(Transport.java:153)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
> at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
> at java.lang.Thread.run(Thread.java:595)
> at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
> at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
> at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:126)
> at org.jboss.invocation.jrmp.server.JRMPInvoker_Stub.invoke(Unknown Source)
> at org.jboss.invocation.jrmp.interfaces.JRMPInvokerProxy.invoke(JRMPInvokerProxy.java:133)
> at org.jboss.invocation.InvokerInterceptor.invokeInvoker(InvokerInterceptor.java:365)
> at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:197)
> at org.jboss.jmx.connector.invoker.client.InvokerAdaptorClientInterceptor.invoke(InvokerAdaptorClientInterceptor.java:66)
> at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:70)
> at org.jboss.proxy.ClientMethodInterceptor.invoke(ClientMethodInterceptor.java:74)
> at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:100)
> at $Proxy0.invoke(Unknown Source)
> at org.jboss.Shutdown$ServerProxyHandler.invoke(Shutdown.java:266)
> at $Proxy1.shutdown(Unknown Source)
> at org.jboss.Shutdown.main(Shutdown.java:237)
> Here is the server.log snippet:
> 2008-02-15 11:30:54,898 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Begin isValid, principal:admin, cache info: null
> 2008-02-15 11:30:54,898 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] defaultLogin, principal=admin
> 2008-02-15 11:30:54,898 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(jmx-console), size=8
> 2008-02-15 11:30:54,898 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(jmx-console), authInfo=AppConfigurationEntry[]:
> [0]
> LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
> ControlFlag: LoginModuleControlFlag: required
> Options:name=hashEncoding, value=rfc2617
> name=rolesProperties, value=props/jmx-console-roles.properties
> name=usersProperties, value=props/jmx-console-users.properties
> name=hashUserPassword, value=false
> name=passwordIsA1Hash, value=true
> name=hashAlgorithm, value=MD5
> name=hashStorePassword, value=true
> name=storeDigestCallback, value=org.jboss.security.auth.spi.RFC2617Digest
> 2008-02-15 11:30:54,903 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@8295471
> 2008-02-15 11:30:54,903 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: jmx-console
> 2008-02-15 11:30:54,903 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Password hashing activated: algorithm = MD5, encoding = rfc2617, charset = {default}, callback = null, storeCallback = org.jboss.security.auth.spi.RFC2617Digest
> 2008-02-15 11:30:54,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
> 2008-02-15 11:30:54,909 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/opt/jboss-4.0.5.GA/server/default/conf/props/jmx-console-users.properties, defaults=null
> 2008-02-15 11:30:54,909 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin]
> 2008-02-15 11:30:54,909 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: null
> 2008-02-15 11:30:54,911 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/opt/jboss-4.0.5.GA/server/default/conf/props/jmx-console-roles.properties, defaults=null
> 2008-02-15 11:30:54,911 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[admin]
> 2008-02-15 11:30:54,911 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
> 2008-02-15 11:30:54,915 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Created DigestCallback: org.jboss.security.auth.spi.RFC2617Digest@c8d62f
> 2008-02-15 11:30:54,922 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
> 2008-02-15 11:30:54,922 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Login failure
> javax.security.auth.login.LoginException: storeDigestCallback callback failed
> at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:409)
> at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:209)
> at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
> at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
> at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
> at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
> at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:89)
> at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
> at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
> at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
> at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:179)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:155)
> at org.jboss.mx.server.Invocation.dispatch(Invocation.java:94)
> at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
> at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
> at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
> at org.jboss.invocation.jrmp.server.JRMPInvoker$MBeanServerAction.invoke(JRMPInvoker.java:819)
> at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:420)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> at java.lang.reflect.Method.invoke(Method.java:585)
> at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:294)
> at sun.rmi.transport.Transport$1.run(Transport.java:153)
> at java.security.AccessController.doPrivileged(Native Method)
> at sun.rmi.transport.Transport.serviceCall(Transport.java:149)
> at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:466)
> at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:707)
> at java.lang.Thread.run(Thread.java:595)
> Caused by: javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
> at org.jboss.security.auth.callback.SecurityAssociationHandler.handle(SecurityAssociationHandler.java:128)
> at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)
> at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:399)
> ... 42 more
> 2008-02-15 11:30:54,924 TRACE [org.jboss.security.plugins.JaasSecurityManager.jmx-console] End isValid, false