[jboss-jira] [JBoss JIRA] (SECURITY-808) Password not passed into DatabaseServerLoginModule
Lorenz Froihofer (JIRA)
issues at jboss.org
Thu Oct 1 18:35:00 EDT 2015
[ https://issues.jboss.org/browse/SECURITY-808?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13114347#comment-13114347 ]
Lorenz Froihofer commented on SECURITY-808:
-------------------------------------------
Tracked down the issue a little bit further (picketbox-4.9.2.Final in Wildfly 9.0.1.Final):
JBossCallbackHandler.getPassword() falls back to try the dynamic invocation of a method named "toCharArray":
{code:java}
Method m = credential.getClass().getMethod("toCharArray", types);
Object[] args = {};
password = (char[]) m.invoke(credential, args);
{code}
This fails with a NoSuchMethodException for a RemotingConnectionCredential object, as this class does not offer such a method. The exception handling then just tries to create a credential by using the "toString" method on the credential object (the RemotingConnectionCredential), leading to a String such as org.jboss.as.security.remoting.RemotingConnectionCredential@22341334 instead of the real password.
From the look of the code, the RemotingConnectionCredential should allow for a callback to get the password, but looking at it or the wrapped Connection class, one can only get the username through org.jboss.remoting3.Connection.getUserInfo(), not the password.
This seems to be a more general issue not only related to the DatabaseServerLoginModule but to custom login modules as well: https://developer.jboss.org/message/866429
> Password not passed into DatabaseServerLoginModule
> --------------------------------------------------
>
> Key: SECURITY-808
> URL: https://issues.jboss.org/browse/SECURITY-808
> Project: PicketBox
> Issue Type: Bug
> Environment: WildFly8 on Windows 7 64-bit
> Reporter: Stefan Eder
> Assignee: Stefan Guilhen
> Priority: Critical
>
> Trying to migrate an application to WildFly (from AS 6.1), the migration went pretty smoothly except for using the security domain.
> The application uses the ClientLoginModule on the client side and the DatabaseServerLoginModule on the server side.
>
> Though the DatabaseServerLoginModule is called, the validation of the password fails. I debugged it and the reason seems to be that in {{org.jboss.security.auth.callback.JBossCallbackHandler.getPassword()}} a {{org.jboss.as.security.remoting.RemotingConnectionCredential@22341334}} is not handled and hence instead of a password the String {{org.jboss.as.security.remoting.RemotingConnectionCredential@22341334}} is passed through to the DatabaseServerLoginModule.
> See also [DatabaseServerLoginModule broken?|https://community.jboss.org/message/863295] and the related posts
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
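The following is an added illustration, not PicketBox or WildFly code, of the failure mode discussed in this thread: a credential-to-char[] conversion that tries a reflective toCharArray() and, when the credential class lacks that method, silently falls back to toString(), so the login module receives the object's identity string instead of a password. The class and method names (CredentialConversionDemo, OpaqueCredential, lenientToPassword, strictToPassword) are hypothetical; OpaqueCredential stands in for a credential type such as RemotingConnectionCredential that exposes no password at all. The strict variant shows the check a practitioner would want: an unsupported credential type is rejected rather than turned into a garbage password.

```java
import java.lang.reflect.Method;
import java.util.Arrays;

/**
 * Added demo (not PicketBox code). Mimics the credential conversion described
 * in SECURITY-808 and contrasts it with a variant that refuses the toString()
 * fallback. All names here are hypothetical stand-ins.
 */
public class CredentialConversionDemo {

    /** Stand-in for a credential without toCharArray(); only a user name is reachable. */
    static final class OpaqueCredential {
        private final String userName;
        OpaqueCredential(String userName) { this.userName = userName; }
        String getUserName() { return userName; }
        // Deliberately no toCharArray(): Object.toString() gives "Class@hash".
    }

    /** Stand-in for a credential type that does expose toCharArray(). */
    static final class CharArrayCredential {
        private final char[] secret;
        CharArrayCredential(char[] secret) { this.secret = secret.clone(); }
        public char[] toCharArray() { return secret.clone(); }
    }

    /**
     * Lenient conversion modelled on the behaviour reported in the thread:
     * char[] and String are handled directly, anything else gets a reflective
     * toCharArray() call, and on NoSuchMethodException the code falls back to
     * toString(). That last branch is the bug: an identity string such as
     * "OpaqueCredential@1b6d3586" is handed on as the password.
     */
    static char[] lenientToPassword(Object credential) {
        if (credential == null) return null;
        if (credential instanceof char[]) return ((char[]) credential).clone();
        if (credential instanceof String) return ((String) credential).toCharArray();
        try {
            Method m = credential.getClass().getMethod("toCharArray");
            return (char[]) m.invoke(credential);
        } catch (ReflectiveOperationException e) {
            // Problematic fallback: not a password, just the object's identity.
            return credential.toString().toCharArray();
        }
    }

    /**
     * Strict conversion: same happy paths, but a credential type that cannot
     * yield a char[] password is an error instead of a bogus password.
     */
    static char[] strictToPassword(Object credential) {
        if (credential == null) throw new IllegalArgumentException("null credential");
        if (credential instanceof char[]) return ((char[]) credential).clone();
        if (credential instanceof String) return ((String) credential).toCharArray();
        try {
            Method m = credential.getClass().getMethod("toCharArray");
            if (m.getReturnType() == char[].class) return (char[]) m.invoke(credential);
        } catch (NoSuchMethodException e) {
            // Fall through to the rejection below.
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("toCharArray() failed on "
                    + credential.getClass().getName(), e);
        }
        throw new IllegalArgumentException("Unsupported credential type "
                + credential.getClass().getName()
                + "; refusing to use toString() as a password");
    }

    public static void main(String[] args) {
        Object opaque = new OpaqueCredential("alice");

        // Lenient path: yields something like
        // "CredentialConversionDemo$OpaqueCredential@1b6d3586", never a password.
        char[] bogus = lenientToPassword(opaque);
        System.out.println("lenient result: " + new String(bogus));
        System.out.println("contains identity hash marker '@': "
                + new String(bogus).contains("@"));

        // Strict path on a credential that really has toCharArray().
        char[] ok = strictToPassword(new CharArrayCredential("s3cret".toCharArray()));
        System.out.println("strict on char[]-capable credential: " + new String(ok));
        Arrays.fill(ok, '\0');

        // Strict path on the opaque credential fails loudly instead of silently.
        try {
            strictToPassword(opaque);
        } catch (IllegalArgumentException e) {
            System.out.println("strict rejected: " + e.getMessage());
        }
    }
}
```

The point of the strict variant is that a failed password lookup should surface as an authentication configuration error, not as a comparison of the database hash against a string like "...RemotingConnectionCredential@22341334"; the lenient behaviour only shows up as a puzzling "wrong password" in the login module.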