[jboss-jira] [JBoss JIRA] Created: (SECURITY-591) Single security domain with DatabaseSourceLoginModule and DatabaseCertLoginModule only works if allowUnsafeLegacyRenegotiation="true"

Justin Cranford (JIRA) jira-events at lists.jboss.org
Wed May 11 16:46:18 EDT 2011


Single security domain with DatabaseSourceLoginModule and DatabaseCertLoginModule only works if allowUnsafeLegacyRenegotiation="true"
-------------------------------------------------------------------------------------------------------------------------------------

                 Key: SECURITY-591
                 URL: https://issues.jboss.org/browse/SECURITY-591
             Project: PicketBox (JBoss Security and Identity Management)
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: JBossSX
    Affects Versions: PicketBox_v3_0_CR2
         Environment: Windows 7 Enterprise x64
Eclipse EE 3.6.2
Oracle JDK 6u24
JBoss 6.0 AS Final (PicketBox 3.0.0CR2)
SQL Server Express 2008 R2 x64
            Reporter: Justin Cranford
            Assignee: Anil Saldhana


I am blocked by broken functionality in JBossSX login modules. The functionality is broken because SSL renegotiation is disabled. Disabling SSL renegotiation is valid, but is it possible to fix or workaround the login module issue without enabling SSL renegotiation? 

- I posed this question on the PicketBox forum, but perhaps it belongs here instead.
http://community.jboss.org/message/604544#604544

- I get similar exceptions in Resteasy as what this person reported in SOAP.
https://issues.jboss.org/browse/JBPAPP-3889

- The original issue to disable SSL renegotiation by default is tracked by this issue, and it mentions how functionality might break. However, there is no mention of potential workarounds or fixes.
https://issues.jboss.org/browse/JBPAPP-3845

My requirements are to support Resteasy web access over HTTPS using one of 2 authentication methods. For localhost access, user/pass authentication is sufficient. For remote access, X.509 client cert authentication is required.

To implement these requirements, I deployed two nearly identical Resteasy web apps. The only differences are the context path in jboss-web.xml, and <auth-constraint> and <auth-method> in web.xml.

1) localhost HTTPS web app => username/password (LocalAdmin role only)

	<login-config><auth-method>BASIC</auth-method><realm-name>JustinCranfordSecurityDomain</realm-name></login-config>
	<security-role><role-name>LocalAdmin</role-name></security-role>

2) remote HTTPS => x.509 client cert (RemoteAdmin role only)

	<login-config><auth-method>CLIENT-CERT</auth-method><realm-name>JustinCranfordSecurityDomain</realm-name></login-config>
	<security-role><role-name>RemoteAdmin</role-name></security-role>

Both web apps are wrappers for the same EJB3 code, so I am forced to combine DatabaseServerLoginModule and DatabaseCertLoginModule into the same <application-policy> in login-config.xml.

	<application-policy name="JustinCranfordSecurityDomain">
		<authentication>
			<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
				<module-option name="dsJndiName">java:/JustinCranfordDataSource</module-option>
				<module-option name="principalsQuery">SELECT password FROM actor WHERE name=?</module-option>
				<module-option name="rolesQuery">SELECT r.name,'Roles' FROM actor a,role r WHERE r.id=a.roleid AND a.name=?</module-option>
				<module-option name="hashAlgorithm">MD5</module-option> 
				<module-option name="hashEncoding">base64</module-option>
				<module-option name="unauthenticatedIdentity">unauthenticated</module-option>
			</login-module>
			<login-module code="org.jboss.security.auth.spi.DatabaseCertLoginModule" flag="required">
				<module-option name="securityDomain">java:/jaas/JustinCranfordSecurityDomain</module-option>
				<module-option name="dsJndiName">java:/JustinCranfordDataSource</module-option>
				<module-option name="principalsQuery">SELECT password FROM actor WHERE dname=?</module-option>
				<module-option name="rolesQuery">SELECT r.name,'Roles' FROM actor a,role r WHERE r.id=a.roleid AND a.dname=?</module-option>
				<module-option name="hashAlgorithm">MD5</module-option> 
				<module-option name="hashEncoding">base64</module-option>
				<module-option name="unauthenticatedIdentity">unauthenticated</module-option>
			</login-module>
			<login-module code="org.jboss.security.ClientLoginModule" flag="required"></login-module>
		</authentication>
	</application-policy>

DatabaseCertLoginModule only works if my web app turns on SSL renegotiation in server.xml via the allowUnsafeLegacyRenegotiation="true" attribute.

If turned off, I get SSL renegotiation disabled messages in JBossSX login modules. However, DatabaseCertLoginModule says the user is authenticated, and I see "Successfully passed all security constraints". Unfortunately JBossWebRealm then throws an exception "Security Context has not been set", control passes to Resteasy, and then "jboss.web" container throws an exception "Exception getting SSL attributes: java.net.SocketException: Socket Closed" and "No certificates included with this request".

At the very least, JBossSX should handle these problems more gracefully. SSL renegotiation is disabled by default after all.

Is it possible to fix these issues in JBossSX? Are there any workarounds in the meantime?

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
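The stack in the report combines a `sufficient` password module with two `required` modules, and how a request is accepted or rejected follows from the standard JAAS control-flag rules (required, requisite, sufficient, optional) rather than from anything JBoss-specific. The following Python model is an added example and is not part of the JIRA issue or of PicketBox; it walks the reporter's three-module stack under those rules. The per-module outcomes (whether each module's login() succeeds) are constructed inputs for each scenario, not a simulation of the DatabaseServerLoginModule or DatabaseCertLoginModule queries, and it does not model the SSL renegotiation failure itself.

```python
"""Model of the JAAS login-module control-flag semantics applied to the
three-module stack from the report.

Module outcomes are constructed inputs; no JBoss/PicketBox code is executed.
"""

REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "required", "requisite", "sufficient", "optional"

# The stack from the reporter's <application-policy>, in configuration order.
REPORTED_STACK = [
    ("DatabaseServerLoginModule", SUFFICIENT),
    ("DatabaseCertLoginModule", REQUIRED),
    ("ClientLoginModule", REQUIRED),
]


def evaluate_stack(stack, outcomes):
    """Walk the stack in order and apply the JAAS flag rules.

    stack:    list of (module_name, flag)
    outcomes: dict module_name -> bool, whether that module's login() succeeds
              (constructed per scenario; in a real run this depends on the
              callback data and the module's configured queries)
    Returns (authenticated, consulted), where consulted lists the modules
    whose login() actually ran.
    """
    consulted = []
    required_failed = False   # a required/requisite module failed
    required_seen = False     # at least one required/requisite module ran
    other_succeeded = False   # a sufficient/optional module succeeded
    for name, flag in stack:
        ok = outcomes[name]
        consulted.append(name)
        if flag in (REQUIRED, REQUISITE):
            required_seen = True
            if not ok:
                required_failed = True
                if flag == REQUISITE:
                    break  # requisite failure aborts the walk immediately
        elif flag == SUFFICIENT:
            if ok and not required_failed:
                # Short-circuit: modules after this one never run.
                return True, consulted
            other_succeeded = other_succeeded or ok
        elif flag == OPTIONAL:
            other_succeeded = other_succeeded or ok
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_failed:
        return False, consulted
    if required_seen:
        # Every required/requisite module that ran succeeded.
        return True, consulted
    return other_succeeded, consulted


def basic_login_scenario():
    """Constructed: BASIC auth from localhost, username/password matches."""
    return evaluate_stack(REPORTED_STACK, {
        "DatabaseServerLoginModule": True,
        "DatabaseCertLoginModule": False,  # never reached
        "ClientLoginModule": True,
    })


def client_cert_scenario():
    """Constructed: CLIENT-CERT auth, no password to check, cert DN matches."""
    return evaluate_stack(REPORTED_STACK, {
        "DatabaseServerLoginModule": False,
        "DatabaseCertLoginModule": True,
        "ClientLoginModule": True,
    })


def client_cert_missing_scenario():
    """Constructed: CLIENT-CERT auth where no certificate reached the module."""
    return evaluate_stack(REPORTED_STACK, {
        "DatabaseServerLoginModule": False,
        "DatabaseCertLoginModule": False,
        "ClientLoginModule": True,
    })


if __name__ == "__main__":
    for scenario in (basic_login_scenario, client_cert_scenario, client_cert_missing_scenario):
        ok, consulted = scenario()
        print(f"{scenario.__name__}: authenticated={ok}, consulted={consulted}")
```

Two consequences of the flag choice show up in the model: a password login that satisfies the `sufficient` module returns before the `required` modules run, so neither DatabaseCertLoginModule nor ClientLoginModule can veto or contribute to a BASIC login; and a CLIENT-CERT request in which the certificate module fails (for example because no certificate was delivered to it) is rejected by the stack even though the password module was skipped over, so the stack itself is not what makes the cert path succeed without renegotiation.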

