[jboss-jira] [JBoss JIRA] (SECURITY-930) A security-domain can only load login-modules from a single JBoss module
Peter Palaga (JIRA)
issues at jboss.org
Mon Dec 12 11:19:00 EST 2016
[ https://issues.jboss.org/browse/SECURITY-930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13337255#comment-13337255 ]
Peter Palaga commented on SECURITY-930:
---------------------------------------
bq. The fix was applied a while ago to PicketBox master...
[~sguilhen], you mean this commit https://github.com/picketbox/picketbox/commit/66ca69979bd763662773944f54946584036b58ce and perhaps also this followup https://github.com/picketbox/picketbox/commit/548af1fe11909ceccb32909a4088a95160b9fa24 ? I am asking to get an idea if backporting to EAP 6.4 is possible.
> A security-domain can only load login-modules from a single JBoss module
> --------------------------------------------------------------------------
>
> Key: SECURITY-930
> URL: https://issues.jboss.org/browse/SECURITY-930
> Project: PicketBox
> Issue Type: Bug
> Components: JBossSX, Security-SPI
> Reporter: Derek Horton
> Assignee: Stefan Guilhen
> Fix For: PicketBox_5_0_0.Beta1
>
>
> A security-domain can only load login-modules from a single JBoss module. Even though the security-domain configuration will allow each login module defined within a single security-domain to have a "module" attribute, the only module that is used to load the login-modules is the last "module" attribute that the parsing system locates.
> For example, with the following configuration, it looks like "org.jboss.example.CustomLoginModule" should be loaded from the "org.jboss.example" jboss-module and "org.jboss.example.CustomBaseCertLoginModule" should be loaded from the "org.jboss.another.example" jboss-module:
> <security-domain name="jmx-console" cache-type="default">
>     <authentication>
>         <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required">
>             <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
>             <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
>         </login-module>
>         <login-module code="org.jboss.example.CustomBaseCertLoginModule" module="org.jboss.another.example" flag="required">
>             <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
>             <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
>         </login-module>
>     </authentication>
> </security-domain>
> Unfortunately, it does not work like this. Only the "org.jboss.another.example" jboss-module is used to load the custom login modules.
> There seem to be two issues. 1) The security subsystem code only "remembers" the last module that is defined within a single security domain. 2) I think issue #1 is happening because the JBoss authentication code (org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate()) defers to the JVM's login module handling code. The JVM appears to treat the login modules as one atomic unit and so a single classloader is set and then the JVM login module code is invoked to handle the authentication requests.
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)
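
A configuration audit for the behaviour reported in SECURITY-930, as an added example that is not part of the original thread or of PicketBox: it lists each security-domain whose login-modules declare more than one distinct "module" attribute, and which login-module classes would therefore be loaded from the last declared module instead of their own. The `<security-domains>` wrapper, the second domain named "other" and the names `audit` and `local` are assumptions made for the example; the sample input is constructed from the configuration quoted in the issue.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the issue's domain (module-options omitted) plus an
# unaffected domain, wrapped in an assumed <security-domains> root element.
SAMPLE = """<security-domains>
  <security-domain name="jmx-console" cache-type="default">
    <authentication>
      <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required"/>
      <login-module code="org.jboss.example.CustomBaseCertLoginModule" module="org.jboss.another.example" flag="required"/>
    </authentication>
  </security-domain>
  <security-domain name="other" cache-type="default">
    <authentication>
      <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required"/>
    </authentication>
  </security-domain>
</security-domains>"""


def local(tag):
    """Strip an XML namespace so the check also works on namespaced configs."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Return one finding per security-domain that declares several distinct
    'module' attributes; login-modules without the attribute are ignored."""
    findings = []
    for dom in ET.fromstring(xml_text).iter():
        if local(dom.tag) != "security-domain":
            continue
        # (class, module) pairs in document order, i.e. parsing order
        declared = [(lm.get("code"), lm.get("module")) for lm in dom.iter()
                    if local(lm.tag) == "login-module" and lm.get("module")]
        if len({module for _, module in declared}) > 1:
            effective = declared[-1][1]  # per the report, the last one wins
            findings.append({
                "domain": dom.get("name"),
                "effective_module": effective,
                "misloaded": [c for c, m in declared if m != effective],
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a server without the PicketBox fix, any class listed under `misloaded` is resolved against `effective_module`, so the configured module for that login-module is not the code that actually authenticates users.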