[jboss-jira] [JBoss JIRA] Commented: (JBAS-7542) RemoteHostTrustLoginModule / Valve for allowing third party authentication

Dimitris Andreadis (JIRA) jira-events at lists.jboss.org
Wed Dec 23 07:02:30 EST 2009


    [ https://jira.jboss.org/jira/browse/JBAS-7542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12501498#action_12501498 ] 

Dimitris Andreadis commented on JBAS-7542:
------------------------------------------

Shouldn't the solution be to update to use the correct library (or wait for that), rather than reverting to reflection?

> RemoteHostTrustLoginModule / Valve for allowing third party authentication 
> ---------------------------------------------------------------------------
>
>                 Key: JBAS-7542
>                 URL: https://jira.jboss.org/jira/browse/JBAS-7542
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-4.2.3.GA
>            Reporter: Andrew Oliver
>            Assignee: Andrew Oliver
>             Fix For: JBossAS-6.0.0.M2
>
>
> Presently Tested With 4.3.0.  This login module is for the specific case of needing to pass credentials between instances without re-authenticating (diagram: http://dl.dropbox.com/u/1368565/redhat/patches/diagram_trust.png and http://dl.dropbox.com/u/1368565/redhat/patches/diagram_trust.odg).  The valve puts the getRemoteHost from a request object in a thread local value.  The login module checks this supplied getRemoteHost (generally an IP) against a list of trusted IPs.  This should only be used behind a firewall with spoofing disabled where network security has assured the getRemoteHost call returns a valid value.  No testcase is included as it requires a specific network setup and multiple instances.
> If there are no objections I'll commit this to the trunk with my LdapExtLoginModule patches.
> http://dl.dropbox.com/u/1368565/redhat/patches/HostThreadLocal.java
> http://dl.dropbox.com/u/1368565/redhat/patches/RemoteHostTrustLoginModule.java
> http://dl.dropbox.com/u/1368565/redhat/patches/RemoteHostValve.java
> In order to use it (login-config.xml):
> <application-policy name="jmx-console">
>    <authentication>
>       <login-module code="org.jboss.security.auth.spi.RemoteHostTrustLoginModule"
>          flag="optional">
>          <module-option name="password-stacking">useFirstPass</module-option>
>          <module-option name="trustedHosts">192.168.49.10</module-option>
>          <module-option name="roles">transportAuthenticated</module-option>
>       </login-module>
>       .. some other login module ...
>    </authentication>
> </application-policy>
> context.xml:
> <Context>
>    <Valve className="org.jboss.web.tomcat.security.RemoteHostValve"/>
> </Context>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
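
The check described in the quoted issue, as an added sketch in plain Java. It is not the attached HostThreadLocal, RemoteHostTrustLoginModule or RemoteHostValve code; the class and method names are hypothetical, the comma-separated option format is an assumption, and the sample requests are constructed. It shows exact-match comparison against the trusted list and clearing the thread-local after each request, so a pooled worker thread cannot carry a trusted value into a later request.

```java
import java.util.Arrays;
import java.util.Set;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.stream.Collectors;

public class RemoteHostTrustSketch {
    // Hypothetical stand-in for the thread-local holder the valve fills.
    static final ThreadLocal<String> REMOTE_HOST = new ThreadLocal<>();

    // Parse a trustedHosts option; the comma separator is an assumption.
    static Set<String> parseTrusted(String option) {
        return Arrays.stream(option.split(","))
                .map(String::trim).filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Login-module side: exact match only, and a missing value is never trusted.
    static boolean isTrusted(Set<String> trusted) {
        String host = REMOTE_HOST.get();
        return host != null && trusted.contains(host);
    }

    // Valve side: set the value for this request and always clear it afterwards,
    // because container worker threads are pooled and reused.
    static boolean handleRequest(String remoteHost, Set<String> trusted) {
        REMOTE_HOST.set(remoteHost);
        try {
            return isTrusted(trusted);
        } finally {
            REMOTE_HOST.remove();
        }
    }

    public static void main(String[] args) throws Exception {
        Set<String> trusted = parseTrusted("192.168.49.10"); // value from the quoted config
        ExecutorService worker = Executors.newSingleThreadExecutor(); // one reused thread
        try {
            // Constructed sample requests, all served by the same pooled thread.
            System.out.println(worker.submit(() -> handleRequest("192.168.49.10", trusted)).get());  // listed host
            System.out.println(worker.submit(() -> handleRequest("192.168.49.100", trusted)).get()); // similar prefix, not listed
            // A code path that skipped the valve must not inherit the earlier value.
            System.out.println(worker.submit(() -> isTrusted(trusted)).get());
        } finally {
            worker.shutdown();
        }
    }
}
```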

        


