[jboss-jira] [JBoss JIRA] Commented: (JBAS-7542) RemoteHostTrustLoginModule / Valve for allowing third party authentication
Andrew Oliver (JIRA)
jira-events at lists.jboss.org
Wed Dec 23 08:01:30 EST 2009
[ https://jira.jboss.org/jira/browse/JBAS-7542?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12501500#action_12501500 ]
Andrew Oliver commented on JBAS-7542:
-------------------------------------
Thank you Anil.
Dimitris,
To fix things properly there are some rather clear issues:
1. There is no obvious public contributor documentation since 2006 (read: I have no idea what either you or Brian are talking about)
2. There is no public central communication forum to discuss this type of cross-appserver issue
3. The modules system you've created is somewhat arbitrary, and security is a crosscutting concern.
4. You do not actually list all of the modules anywhere publicly
5. Most of the jboss.org site is inoperative most of the time.
> RemoteHostTrustLoginModule / Valve for allowing third party authentication
> ---------------------------------------------------------------------------
>
> Key: JBAS-7542
> URL: https://jira.jboss.org/jira/browse/JBAS-7542
> Project: JBoss Application Server
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.2.3.GA
> Reporter: Andrew Oliver
> Assignee: Andrew Oliver
> Fix For: JBossAS-6.0.0.M2
>
>
> Presently Tested With 4.3.0. This login module is for the specific case of needing to pass credentials between instances without re-authenticating (diagram: http://dl.dropbox.com/u/1368565/redhat/patches/diagram_trust.png and http://dl.dropbox.com/u/1368565/redhat/patches/diagram_trust.odg). The valve puts the getRemoteHost from a request object in a thread local value. The login module checks this supplied getRemoteHost (generally an IP) against a list of trusted IPs. This should only be used behind a firewall with spoofing disabled where network security has assured the getRemoteHost call returns a valid value. No testcase is included as it requires a specific network setup and multiple instances.
> If there are no objections I'll commit this to the trunk with my LdapExtLoginModule patches.
> http://dl.dropbox.com/u/1368565/redhat/patches/HostThreadLocal.java
> http://dl.dropbox.com/u/1368565/redhat/patches/RemoteHostTrustLoginModule.java
> http://dl.dropbox.com/u/1368565/redhat/patches/RemoteHostValve.java
> In order to use it (login-config.xml):
> <application-policy name = "jmx-console">
> <authentication>
> <login-module code="org.jboss.security.auth.spi.RemoteHostTrustLoginModule"
> flag = "optional">
> <module-option name="password-stacking">useFirstPass</module-option>
> <module-option name="trustedHosts">192.168.49.10</module-option>
> <module-option name="roles">transportAuthenticated</module-option>
> </login-module>
> .. some other login module ...
> </authentication>
> </application-policy>
> context.xml:
> <Context>
> <Valve className="org.jboss.web.tomcat.security.RemoteHostValve"/>
> </Context>
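Added illustration of the mechanism the issue text describes (a valve stores getRemoteHost in a thread-local, a login module compares it with trustedHosts and grants the configured roles). This is not the patch's own HostThreadLocal / RemoteHostTrustLoginModule / RemoteHostValve code from the links above; it is a JDK-only JAAS sketch. The names RemoteHostHolder, RemoteHostTrustExample, RolePrincipal, parseList and isTrusted are hypothetical; the Tomcat Valve is replaced by a direct set/clear call in main because the Valve class is not in the JDK, and roles are attached as plain principals rather than through JBoss's role-group convention. Two points a reviewer would want visible in the code: the thread-local is cleared in a finally block, since pooled container threads would otherwise carry a trusted peer address into a later request, and the host comparison is an exact string match that fails closed (no wildcards, no header-derived addresses).

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical stand-in for HostThreadLocal: the valve (or a filter) sets it per request. */
final class RemoteHostHolder {
    private static final ThreadLocal<String> HOST = new ThreadLocal<>();
    static void set(String host) { HOST.set(host); }
    static String get() { return HOST.get(); }
    /** Must run after every request: container threads are pooled, and a value left
     *  behind would let an unrelated later request on the same thread look trusted. */
    static void clear() { HOST.remove(); }
}

/** Minimal role principal (JBoss's own "Roles" group convention is not reproduced). */
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    public String toString() { return name; }
}

/** Hypothetical JAAS module using the same trustedHosts/roles options as the issue text. */
public class RemoteHostTrustExample implements LoginModule {
    private Subject subject;
    private Set<String> trustedHosts = Collections.emptySet();
    private List<String> roles = Collections.emptyList();
    private final List<Principal> added = new ArrayList<>();
    private boolean succeeded;

    /** Parse a comma-separated module option into exact host strings (blanks dropped). */
    static Set<String> parseList(String option) {
        Set<String> out = new LinkedHashSet<>();
        if (option == null) return out;
        for (String s : option.split(",")) {
            if (!s.trim().isEmpty()) out.add(s.trim());
        }
        return out;
    }

    /** Exact match only: "::ffff:192.168.49.10" or a header-supplied address never matches. */
    static boolean isTrusted(String remoteHost, Set<String> trusted) {
        return remoteHost != null && trusted.contains(remoteHost);
    }

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        trustedHosts = parseList((String) options.get("trustedHosts"));
        roles = new ArrayList<>(parseList((String) options.get("roles")));
    }

    @Override
    public boolean login() {
        // false = "ignore this module"; with flag="optional" the chain simply continues
        // to the next configured login module instead of granting anything.
        succeeded = isTrusted(RemoteHostHolder.get(), trustedHosts);
        return succeeded;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        for (String role : roles) {
            Principal p = new RolePrincipal(role);
            added.add(p);
            subject.getPrincipals().add(p);
        }
        return true;
    }

    @Override
    public boolean abort() { succeeded = false; added.clear(); return true; }

    @Override
    public boolean logout() { subject.getPrincipals().removeAll(added); added.clear(); return true; }

    public static void main(String[] args) throws LoginException {
        Map<String, String> opts = new HashMap<>();
        opts.put("trustedHosts", "192.168.49.10");       // value taken from the sample config
        opts.put("roles", "transportAuthenticated");
        // Simulated valve: record the peer address the container reported for this request.
        RemoteHostHolder.set("192.168.49.10");
        try {
            RemoteHostTrustExample lm = new RemoteHostTrustExample();
            Subject s = new Subject();
            lm.initialize(s, null, new HashMap<String, Object>(), opts);
            if (lm.login()) lm.commit();
            System.out.println("principals after login: " + s.getPrincipals());
        } finally {
            RemoteHostHolder.clear();
        }
    }
}
```

Run with javac/java on any JDK 8+; change the host passed to RemoteHostHolder.set to see login() return false and the subject stay empty.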