[jboss-jira] [JBoss JIRA] (SECURITY-848) AbstractServerLoginModule.commit() always adds CallerPrincipal group, even if none is defined
Juergen H (JIRA)
issues at jboss.org
Wed Jun 25 08:15:29 EDT 2014
Juergen H created SECURITY-848:
----------------------------------
Summary: AbstractServerLoginModule.commit() always adds CallerPrincipal group, even if none is defined
Key: SECURITY-848
URL: https://issues.jboss.org/browse/SECURITY-848
Project: PicketBox
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: PicketBox
Affects Versions: PicketBox_4_0_21.Beta1
Environment: wildfly-8.1
Reporter: Juergen H
Assignee: Stefan Guilhen
This is not a duplicate of SECURITY-680.
org.jboss.security.auth.spi.AbstractServerLoginModule.commit() ends with the following piece of code to always add the identity as CallerPrincipal group if such does not already exist:
{code:title=AbstractServerLoginModule.commit()}
// add the CallerPrincipal group if none has been added in getRoleSets
Group callerGroup = getCallerPrincipalGroup(principals);
if (callerGroup == null)
{
    callerGroup = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
    callerGroup.addMember(identity);
    principals.add(callerGroup);
}
{code}
Now in my case, I do not only have a single login module defined but multiple.
The very first login module to succeed does NOT define any CallerPrincipal group. But due to the above code, the identity (e.g. "John") is added as 1st entry to an auto-created new CallerPrincipal group.
Now one of my subsequent login modules does define a specific CallerPrincipal group with a mapped username (e.g. "Mary"). The mapped username gets added to the already existing auto-created CallerPrincipal group { 1: "John", 2: "Mary" }.
CallerPrincipal mapping is considered at the end of login, and it only takes the very first (auto-added) principal "John" of CallerPrincipal group into account. Any other specifically added principals ("Mary") are ignored.
In my opinion this behaviour is not correct.
I can only define a specific CallerPrincipal in the very first login module to succeed. Any specific CallerPrincipal in a subsequent module is ignored.
My opinion of possible fixes:
Do not auto-create CallerPrincipal group with identity as principal. Rather, when it's time to look for CallerPrincipal group and none is found, use identity as default.
Or if a login module defines a CallerPrincipal group, it replaces any existing one, but does not aggregate (no point in adding principals to this group as they get ignored anyway).
As a workaround, I overrode commit() in my login module that defines CallerPrincipals and removed any existing CallerPrincipal group:
{code:title=commit()}
import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.login.LoginException;

// Member of a login module class that extends AbstractServerLoginModule
// (getRoleSets(), getCallerPrincipalGroup() and the subject field are inherited from it).
@Override
public boolean commit() throws LoginException {
    Group[] groups = getRoleSets();
    Set<Principal> principals = new HashSet<Principal>(Arrays.asList(groups));
    Group cpg = getCallerPrincipalGroup(principals);
    if (cpg != null) {
        // 2014-06-11 juergen: remove an existing "CallerPrincipal" named group, to be replaced
        // with this login module's defined CallerPrincipal group when super.commit() merges the role sets.
        // Removal matches on principal name equality, org.jboss.security.SimplePrincipal.equals(Object).
        subject.getPrincipals().remove(cpg);
        //subject.getPrincipals().add(cpg);
    }
    return super.commit();
}
{code}
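As an added illustration (not code from this report or from PicketBox), the following stand-alone program replays the two-module sequence described above with PicketBox's own SimpleGroup and SimplePrincipal: first with the stock merge behaviour of commit(), then with the reporter's workaround applied before the merge. It assumes PicketBox 4 on the classpath and a JDK that still ships java.security.acl.Group (8 or 11); the class and method names are made up for the demo.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Set;
import javax.security.auth.Subject;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;

public class CallerPrincipalMergeDemo {

    // The lookup commit() performs: the subject's group named "CallerPrincipal", or null.
    static Group findCallerPrincipalGroup(Set<Principal> principals) {
        for (Principal p : principals) {
            if (p instanceof Group && SecurityConstants.CALLER_PRINCIPAL_GROUP.equals(p.getName())) return (Group) p;
        }
        return null;
    }

    public static void main(String[] args) {
        for (boolean workaround : new boolean[] { false, true }) {
            Subject subject = new Subject();
            Set<Principal> principals = subject.getPrincipals();
            // Module 1 succeeds as "John" with no CallerPrincipal group in its role sets, so commit() auto-creates one.
            Principal john = new SimplePrincipal("John");
            principals.add(john);
            if (findCallerPrincipalGroup(principals) == null) {
                Group auto = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
                auto.addMember(john);
                principals.add(auto);
            }
            // Module 2 maps the caller to "Mary" and returns its own CallerPrincipal group from getRoleSets().
            Group mapped = new SimpleGroup(SecurityConstants.CALLER_PRINCIPAL_GROUP);
            mapped.addMember(new SimplePrincipal("Mary"));
            // Reporter's workaround: drop the existing group first. SimplePrincipal.equals()
            // compares names only, so the module's own group matches the auto-created one.
            if (workaround) principals.remove(mapped);
            // Merge step of commit(): a role-set group whose name is already present is not replaced,
            // its members are copied into the existing group of that name.
            Group existing = findCallerPrincipalGroup(principals);
            if (existing == null) {
                principals.add(mapped);
            } else {
                for (Enumeration<? extends Principal> e = mapped.members(); e.hasMoreElements();) existing.addMember(e.nextElement());
            }
            System.out.println("workaround=" + workaround + " -> CallerPrincipal members: "
                    + Collections.list(findCallerPrincipalGroup(principals).members()));
        }
    }
}
```

Without the workaround the group ends up holding both John and Mary; with it, only Mary remains, which is the state the mapping code needs to see.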
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)