[jboss-jira] [JBoss JIRA] Updated: (SECURITY-371) Using SecurityDomain causing problems with DB access
William Newman (JIRA)
jira-events at lists.jboss.org
Tue Feb 24 15:47:44 EST 2009
[ https://jira.jboss.org/jira/browse/SECURITY-371?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
William Newman updated SECURITY-371:
------------------------------------
Description:
When using @SecurityDomain in EJB I try and get a connection to a database using a datasource other than the DefaultDS and it is somehow going to the driver defined for the DefaultDS.
Create a security domain, I used the BaseCertLoginModule. Then have two datasources set up, one that is named 'DefaultDS' and one that is named something else 'AnotherDS'. Configure each data source with a different driver. When you get inside a bean get the 'AnotherDS' and call getConnection, then call something like prepareStatement. Sit back and watch the driver for the 'DefaultDS' get called.
Something seems to be getting corrupted in JBoss when you use @SecurityDomain or when you set up the context specific stuff for use with the security domain i.e. Context.SECURITY_PRINCIPAL.
Here is some of my code:

oracle-ds.xml (DefaultDS)

<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <connection-url>jdbc:oracle:thin:@host:1721:example</connection-url>
    <driver-class>com.example.driver.ProxiedOracleDriver</driver-class>
    <user-name>defaultds</user-name>
    <password>defaultds</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <metadata>
      <type-mapping>Oracle10g</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>

A different DS with a different driver

<datasources>
  <local-tx-datasource>
    <jndi-name>AnotherDS</jndi-name>
    <connection-url>jdbc:oracle:thin:@host:1721:example</connection-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <user-name>anotherds</user-name>
    <password>anotherds</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <metadata>
      <type-mapping>Oracle10g</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>

login-config.xml

<policy>
  <application-policy name="client-cert">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
        <module-option name="securityDomain">java:/jaas/client-cert</module-option>
        <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="ASecurityDomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="securityDomain">java:/jaas/client-cert</module-option>
        <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
        <module-option name="unathenticatedIdentity">guest</module-option>
      </login-module>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        <module-option name="restore-login-identity">true</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>

Code in an EJB to get db stuff:

@Clustered
@Stateless
@Local(SecurityService.class)
@LocalBinding(jndiBinding="/ejb/SecurityRef")
@SecurityDomain("ASecurityDomain")
public class SecurityBean {
    // Injected datasource that is NOT the DefaultDS
    @Resource(mappedName="java:/AnotherDS")
    private DataSource ds;

    public Integer testDB() throws SQLException {
        Connection dbConn = ds.getConnection();
        PreparedStatement pStmt = dbConn.prepareStatement("select count(*) from some_table");
        ResultSet rs = pStmt.executeQuery();
        rs.next();
        return new Integer(rs.getInt(1));
    }
}

Code in servlet to call EJB:

X509Certificate cert = null; /* get cert here */
Properties env = new Properties();
env.put(InitialContext.PROVIDER_URL, "jnp://server:1100");
// The client certificate is passed as both principal and credential
env.put(InitialContext.SECURITY_PRINCIPAL, cert.getSubjectX500Principal());
env.put(InitialContext.SECURITY_CREDENTIALS, cert);
env.put(InitialContext.INITIAL_CONTEXT_FACTORY, "org.jboss.security.jndi.JndiLoginInitialContextFactory");
InitialContext cxt = new InitialContext(env);
SecurityService security = (SecurityService) cxt.lookup("/ejb/SecurityRef");
Integer result = security.testDB();

was:
When using @SecurityDomain in EJB I try and get a connection to a database using a datasource other than the DefaultDS and it is somehow going to the driver defined for the DefaultDS.
Create a security domain, I used the BaseCertLoginModule. Then have two datasources set up, one that is named 'DefaultDS' and one that is named something else 'AnotherDS'. Configure each data source with a different driver. When you get inside a bean get the 'AnotherDS' and call getConnection, then call something like prepareStatement. Sit back and watch the driver for the 'DefaultDS' get called.
Something seems to be getting corrupted in JBoss when you use @SecurityDomain or when you set up the context specific stuff for use with the security domain i.e. Context.SECURITY_PRINCIPAL.
Here is some of my code:

oracle-ds.xml (DefaultDS)

<datasources>
  <local-tx-datasource>
    <jndi-name>DefaultDS</jndi-name>
    <connection-url>jdbc:oracle:thin:@host:1721:example</connection-url>
    <driver-class>com.example.driver.ProxiedOracleDriver</driver-class>
    <user-name>defaultds</user-name>
    <password>defaultds</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <metadata>
      <type-mapping>Oracle10g</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>

A different DS with a different driver

<datasources>
  <local-tx-datasource>
    <jndi-name>AnotherDS</jndi-name>
    <connection-url>jdbc:oracle:thin:@host:1721:example</connection-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <user-name>anotherds</user-name>
    <password>anotherds</password>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <metadata>
      <type-mapping>Oracle10g</type-mapping>
    </metadata>
  </local-tx-datasource>
</datasources>

login-config.xml

<policy>
  <application-policy name="client-cert">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
        <module-option name="securityDomain">java:/jaas/client-cert</module-option>
        <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="ASecurityDomain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.BaseCertLoginModule" flag="required">
        <module-option name="password-stacking">useFirstPass</module-option>
        <module-option name="securityDomain">java:/jaas/client-cert</module-option>
        <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
        <module-option name="unathenticatedIdentity">guest</module-option>
      </login-module>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        <module-option name="restore-login-identity">true</module-option>
        <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>

Code in an EJB to get db stuff:

    @Resource(mappedName="java:/AnotherDS")
    private DataSource ds;
    .
    .
    .
    Connection dbConn = ds.getConnection();
    dbConn.prepareStatement("select * from Foo");

> Using SecurityDomain causing problems with DB access
> ----------------------------------------------------
>
> Key: SECURITY-371
> URL: https://jira.jboss.org/jira/browse/SECURITY-371
> Project: JBoss Security and Identity Management
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Environment: Using oracle db, running linux red hat
> Reporter: William Newman
> Assignee: Anil Saldhana
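
An added diagnostic, not the reporter's code or JBoss code: both datasources in the report share one connection-url, and JDBC's DriverManager.getDriver(url) returns the first registered driver whose acceptsURL(url) is true, so listing those drivers shows which one a URL-based lookup would select. StubDriver and its labels are constructed stand-ins for the two driver-class values so the check runs without an Oracle driver; whether the datasource layer resolves its driver this way is not stated in the report.

```java
import java.sql.Connection;
import java.sql.Driver;
import java.sql.DriverManager;
import java.sql.DriverPropertyInfo;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import java.util.Properties;
import java.util.logging.Logger;

public class DriverUrlCheck {

    /** Registered drivers, in registration order, whose acceptsURL(url) is true. */
    static List<String> driversAccepting(String url) throws SQLException {
        List<String> names = new ArrayList<String>();
        for (Enumeration<Driver> e = DriverManager.getDrivers(); e.hasMoreElements();) {
            Driver d = e.nextElement();
            if (d.acceptsURL(url)) names.add(d.toString());
        }
        return names;
    }

    /** Constructed stub: claims every jdbc:oracle: URL and never connects. */
    static class StubDriver implements Driver {
        private final String label;
        StubDriver(String label) { this.label = label; }
        public boolean acceptsURL(String url) { return url.startsWith("jdbc:oracle:"); }
        public Connection connect(String url, Properties p) { return null; }
        public DriverPropertyInfo[] getPropertyInfo(String u, Properties p) { return new DriverPropertyInfo[0]; }
        public int getMajorVersion() { return 1; }
        public int getMinorVersion() { return 0; }
        public boolean jdbcCompliant() { return false; }
        public Logger getParentLogger() { return Logger.getLogger("stub"); }
        public String toString() { return label; }
    }

    public static void main(String[] args) throws SQLException {
        // connection-url shared by DefaultDS and AnotherDS in the report
        String url = "jdbc:oracle:thin:@host:1721:example";
        // Registration order is constructed here; in a server it depends on load order.
        DriverManager.registerDriver(new StubDriver("com.example.driver.ProxiedOracleDriver (stub)"));
        DriverManager.registerDriver(new StubDriver("oracle.jdbc.driver.OracleDriver (stub)"));
        System.out.println("accept " + url + ": " + driversAccepting(url));
        System.out.println("getDriver(url) selects: " + DriverManager.getDriver(url));
    }
}
```

Inside the application server, call only driversAccepting(url) with the real connection-url from the bean; DriverManager lists only drivers visible to the caller's class loader, so run it from the same deployment as the EJB.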