[jboss-jira] [JBoss JIRA] (SECURITY-803) SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the JAAS cache
From: RH Bugzilla Integration (JIRA) <issues at jboss.org>
Date: Wed May 7 07:54:57 EDT 2014
[ https://issues.jboss.org/browse/SECURITY-803?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12966101#comment-12966101 ]
RH Bugzilla Integration commented on SECURITY-803:
--------------------------------------------------
Ondrej Lukas <olukas at redhat.com> changed the Status of [bug 1069886|https://bugzilla.redhat.com/show_bug.cgi?id=1069886] from ON_QA to VERIFIED
> SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the JAAS cache
> ------------------------------------------------------------------------------------------------------
>
> Key: SECURITY-803
> URL: https://issues.jboss.org/browse/SECURITY-803
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: PicketBox
> Affects Versions: PicketBox_4_0_19.Final
> Reporter: Derek Horton
> Assignee: Stefan Guilhen
> Attachments: SECURITY-803.patch
>
>
> In EAP 6, when using the SecureIdentityLoginModule to encrypt datasource passwords, the results are not cached by the JAAS cache. In EAP 5, the results are cached. This can lead to a performance issue.
> The root cause appears to be that the EAP 6 JAAS cache does not allow for a JAAS cache key to be null.
> The issue only occurs when the application that uses the datasource is not secured. In this situation, the principal is null when isValid() and updateCache() are called. When the application is secured, the results are cached. I think it is working because the results of the SecureIdentityLoginModule are cached using the authenticated user's principal as the cache key.
> Workaround:
> Use vault for encrypting the database password. This does not use a JAAS login module so the JAAS cache and login module are completely avoided.
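The root cause described in the quoted report, a cache that cannot accept a null principal as its key, is easy to reproduce in isolation. The following Java class is an added illustration written for this page; it is not PicketBox or EAP code, and the `PrincipalKeyedCache` class, the `UNAUTHENTICATED` sentinel and the method names are assumptions made for the example. It shows a login-result cache keyed directly by `Principal`, which rejects the unsecured-application case (null principal) exactly as the report describes, beside a guarded variant that maps the null principal to a fixed sentinel key so that case is cached too.

```java
import java.security.Principal;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical illustration, not PicketBox code: a login-result cache keyed by Principal.
public class PrincipalKeyedCache {
    // Sentinel key for lookups made with no authenticated caller (constructed for this example).
    private static final Principal UNAUTHENTICATED = () -> "<<unauthenticated>>";

    private final Map<Principal, Boolean> validity = new ConcurrentHashMap<>();

    // Naive variant: passes the caller's principal straight through as the key.
    // ConcurrentHashMap rejects null keys, so an unsecured caller (principal == null)
    // never gets a cache entry and every call falls through to the login module.
    public Boolean lookupNaive(Principal p) {
        return validity.get(p);   // throws NullPointerException when p == null
    }

    public void updateNaive(Principal p, boolean valid) {
        validity.put(p, valid);   // also throws when p == null
    }

    // Guarded variant: maps the null principal to a fixed sentinel so the
    // unauthenticated case is cached like any other caller.
    private static Principal key(Principal p) {
        return p == null ? UNAUTHENTICATED : p;
    }

    public Boolean lookup(Principal p) {
        return validity.get(key(p));
    }

    public void update(Principal p, boolean valid) {
        validity.put(key(p), valid);
    }

    public static void main(String[] args) {
        PrincipalKeyedCache cache = new PrincipalKeyedCache();

        // Simulate the unsecured-application path from the report: no principal.
        cache.update(null, true);
        System.out.println("guarded cache has entry for unauthenticated caller: " + cache.lookup(null));

        try {
            cache.updateNaive(null, true);
        } catch (NullPointerException e) {
            System.out.println("naive cache cannot store a result under a null principal");
        }
    }
}
```

Collapsing all unauthenticated callers onto one sentinel key is only safe when the login module's answer does not depend on who is calling, which is the situation the report describes for a module that exists to decrypt a fixed datasource credential; a module whose result varies per caller must not be cached this way. The vault-based workaround quoted above sidesteps the question entirely by removing the login module, and therefore the cache, from the datasource path.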
--
This message was sent by Atlassian JIRA (v6.2.3#6260)