[jboss-jira] [JBoss JIRA] (SECURITY-930) A security-domain can only load login-modules from a single JBoss module
Stefan Guilhen (JIRA)
issues at jboss.org
Tue Oct 4 13:23:00 EDT 2016
[ https://issues.jboss.org/browse/SECURITY-930?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13302526#comment-13302526 ]
Stefan Guilhen commented on SECURITY-930:
-----------------------------------------
[~ppalaga] Yeah, I do have an update. The fix was applied a while ago to PicketBox master, which was not yet used by WildFly until recently. Now that Elytron is being integrated we have upgraded WildFly to use PicketBox 5.0.0 and we can now change the ModuleClassLoaderLocator to make use of the new API that allows for the registration of multiple modules.
So the issue affects two projects. The PicketBox side is covered by this issue and we already have a fix for it. I'll add a reference to the commit that fixes the issue here so we can close this issue. The WildFly side might need a different Jira to fix the ModuleClassLoaderLocator.
I'll try to open the WF Jira and send a PR for it tonight.
> A security-domain can only load login-modules from a single JBoss module
> --------------------------------------------------------------------------
>
> Key: SECURITY-930
> URL: https://issues.jboss.org/browse/SECURITY-930
> Project: PicketBox
> Issue Type: Bug
> Components: JBossSX, Security-SPI
> Reporter: Derek Horton
> Assignee: Stefan Guilhen
>
> A security-domain can only load login-modules from a single JBoss module. Even though the security-domain configuration will allow each login module defined within a single security-domain to have a "module" attribute, the only module that is used to load the login-modules is the last "module" attribute that the parsing system locates.
> For example, with the following configuration, it looks like "org.jboss.example.CustomLoginModule" should be loaded from the "org.jboss.example" jboss-module and "org.jboss.example.CustomBaseCertLoginModule" should be loaded from the "org.jboss.another.example" jboss-module:
> <security-domain name="jmx-console" cache-type="default">
> <authentication>
> <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required">
> <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
> <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
> </login-module>
> <login-module code="org.jboss.example.CustomBaseCertLoginModule" module="org.jboss.another.example" flag="required">
> <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
> <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
> </login-module>
> </authentication>
> </security-domain>
> Unfortunately, it does not work like this. Only the "org.jboss.another.example" jboss-module is used to load the custom login modules.
> There seems to be two issues. 1) The security subsystem code only "remembers" the last module that is defined within a single security domain. 2) I think issue #1 is happening because the JBoss authentication code (org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate()) defers to the JVM's login module handling code. The JVM appears to treat the login modules as one atomic until and so a single classloader is set and then the JVM login module code is invoked to handle the authentication requests.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
More information about the jboss-jira
mailing list