[jboss-jira] [JBoss JIRA] (WFLY-5569) Module dependencies don't work correctly when JAAS login is used in deployments
Josef Cacek (JIRA)
issues at jboss.org
Fri Oct 23 07:16:00 EDT 2015
[ https://issues.jboss.org/browse/WFLY-5569?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Josef Cacek updated WFLY-5569:
------------------------------
Description:
When a user wants to use a direct JAAS login call from a deployment (e.g. a servlet), (s)he will experience problems when the LoginModule is placed in a custom AS module.
Login modules work correctly if they come from PicketBox, but new modules don't work.
This issue is based on [this StackOverflow question|http://stackoverflow.com/questions/33203277/wildfly-and-jaas-login-module]
was:
When a user wants to use a direct JAAS login call from a deployment (e.g. a servlet), (s)he will experience problems when the LoginModule is placed in a custom AS module.
Login modules work correctly if they come from PicketBox, but new modules don't work.
Steps to Reproduce:
Install a custom AS module ({{login.mongodb}} in my case) which contains a custom login module ({{org.jboss.test.MongoLoginModule}}).
Create a new security domain which uses the new login module:
{code:xml}
<security-domain name="web-tests" cache-type="default">
    <authentication>
        <login-module code="org.jboss.test.MongoLoginModule" flag="required" module="login.mongodb">
            <module-option name="mongodb.uri" value="mongodb://localhost:21017/test?collection"/>
        </login-module>
    </authentication>
</security-domain>
{code}
Deploy an application with a servlet containing the following code:
{code:java}
//...
LoginContext loginContext = new LoginContext("web-tests", new CallbackHandler() {
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback c : callbacks) {
            if (c instanceof PasswordCallback) {
                ((PasswordCallback) c).setPassword(req.getParameter("password").toCharArray());
            } else if (c instanceof NameCallback) {
                ((NameCallback) c).setName(req.getParameter("user"));
            }
        }
    }
});
loginContext.login();
Subject subject = loginContext.getSubject();
LOGGER.info("Login successful. Subject: " + subject);
//...
{code}
After making a request to the servlet, the user will see the following exception:
{code}
javax.security.auth.login.LoginException: unable to find LoginModule class: org.jboss.test.MongoLoginModule from [Module "deployment.secured-webapp.war:main" from Service Module Loader]
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:794)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.jboss.test.JaasLoginServlet.doGet(JaasLoginServlet.java:61)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:72)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:198)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:784)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
{code}
If a login module from PicketBox (e.g. "UsersRoles") is used in the {{"web-tests"}} security domain, then everything works correctly and the user is authenticated.
If the security domain is referenced from {{jboss-web.xml}} and {{HttpServletRequest.login(String,String)}} is used instead of direct JAAS, then it also works for a login module in the custom AS module.
> Module dependencies don't work correctly when JAAS login is used in deployments
> -------------------------------------------------------------------------------
>
> Key: WFLY-5569
> URL: https://issues.jboss.org/browse/WFLY-5569
> Project: WildFly
> Issue Type: Bug
> Components: Class Loading, Security
> Reporter: Josef Cacek
> Assignee: David Lloyd
>
> When a user wants to use a direct JAAS login call from a deployment (e.g. a servlet), (s)he will experience problems when the LoginModule is placed in a custom AS module.
> Login modules work correctly if they come from PicketBox, but new modules don't work.
> This issue is based on [this StackOverflow question|http://stackoverflow.com/questions/33203277/wildfly-and-jaas-login-module]
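The `LoginException` in the report is raised while the JDK's `LoginContext` resolves the login module class through the thread context class loader, which in the stack trace is the deployment's own module. The following plain-JDK reproduction is an added example, not code from the report or from WildFly: `DemoLoginModule` and `blindLoader()` are constructed stand-ins for `MongoLoginModule` and for a deployment class loader that cannot see it, and the login succeeds with the first loader and fails with the second.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class TcclLoginDemo {
    // Constructed stand-in for a login module that lives outside the deployment.
    public static class DemoLoginModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Class loader that cannot see DemoLoginModule, like a deployment without the dependency.
    static ClassLoader blindLoader() {
        return new ClassLoader(TcclLoginDemo.class.getClassLoader()) {
            @Override
            protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
                if (name.equals(DemoLoginModule.class.getName())) throw new ClassNotFoundException(name);
                return super.loadClass(name, resolve);
            }
        };
    }
    // Runs a JAAS login with the given thread context class loader; true if it succeeds.
    static boolean tryLogin(ClassLoader tccl) {
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Collections.<String, Object>emptyMap()) };
            }
        };
        Thread t = Thread.currentThread();
        ClassLoader saved = t.getContextClassLoader();
        t.setContextClassLoader(tccl);   // LoginContext captures the TCCL when it is constructed
        try {
            new LoginContext("web-tests", null, null, cfg).login();
            return true;
        } catch (LoginException e) {
            System.out.println("login failed: " + e.getMessage());
            return false;
        } finally { t.setContextClassLoader(saved); }
    }
    public static void main(String[] args) {
        System.out.println("module visible to TCCL:  " + tryLogin(TcclLoginDemo.class.getClassLoader()));
        System.out.println("module hidden from TCCL: " + tryLogin(blindLoader()));
    }
}
```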