[jboss-user] [Security & JAAS/JBoss] - Credentials - String or char[]

sim-smith do-not-reply at jboss.com
Thu Apr 19 23:21:47 EDT 2007


Hi All,

I think that I have found an issue with the representations of Credentials in JBoss - sometimes they are java.lang.String, and other times char[].  (This is for JBoss 4.0.4.GA).  In particular, org.jboss.web.tomcat.security.SecurityAssociationValve uses Strings (actually the root class is probably FormAuthenticator?), and org.jboss.security.ClientLoginModule uses char[] (because it comes in from the UsernamePasswordHandler).

This causes a problem with the caching, because the credentials are stored initially as a String (because of the SecurityAssociationValve), and when accessing an EJB the ClientLoginModule pushes onto the SecurityContext stack with char[] credentials, and so the cache lookup fails (org.jboss.security.plugins.JaasSecurityManager.validateCache()).

As it turns out this is of little consequence in itself because it just results in another authentication, and hits the login modules again.  It happens to trigger another problem though, but I'll save that for another post.

I would suggest though that this is a minor bug - JBoss should be consistent here to avoid the additional hit on the credential cache.  Probably the best approach would be to modify either the ClientLoginModule to use a String, or SecurityAssociationValve/FormAuthenticator to use a char[].

I am thinking of raising a JIRA issue about this - does anybody have any comments?

Let me know if you want more information.

Many thanks,

Mark

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4039115#4039115

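An added illustration (not JBoss code; the class and method names are invented) of the cache miss described above: a credential cached as a String is later presented as a char[], so an Object.equals() lookup fails, while a lookup that normalises both sides to char[] before comparing succeeds regardless of which tier stored the entry.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical credential cache (not JBoss code) showing the String vs char[]
// mismatch described in the post and a representation-independent lookup.
public class CredentialCacheDemo {

    // Keyed by principal name; the value is whatever credential object the first
    // caller supplied: a String from the web tier or a char[] from the EJB client.
    private final Map<String, Object> cache = new HashMap<>();

    public void put(String principal, Object credential) {
        cache.put(principal, credential);
    }

    // Naive lookup via Object.equals(): "s3cret".equals(char[]) is always false,
    // and char[].equals(char[]) is identity, so a mixed cache always misses.
    public boolean validateNaive(String principal, Object credential) {
        Object cached = cache.get(principal);
        return cached != null && cached.equals(credential);
    }

    // Normalised lookup: both sides become char[] and are compared by content.
    // The loop never exits early so timing does not leak the matching prefix length.
    public boolean validateNormalized(String principal, Object credential) {
        Object cached = cache.get(principal);
        if (cached == null) return false;
        char[] a = toChars(cached);
        char[] b = toChars(credential);
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    private static char[] toChars(Object cred) {
        if (cred instanceof char[]) return (char[]) cred;
        if (cred instanceof String) return ((String) cred).toCharArray();
        throw new IllegalArgumentException("unsupported credential type");
    }

    public static void main(String[] args) {
        CredentialCacheDemo demo = new CredentialCacheDemo();
        demo.put("mark", "s3cret");                 // stored as String by the web tier
        char[] ejbCred = "s3cret".toCharArray();    // presented as char[] by the EJB tier
        System.out.println("naive lookup hits:      " + demo.validateNaive("mark", ejbCred));
        System.out.println("normalized lookup hits: " + demo.validateNormalized("mark", ejbCred));
    }
}
```

Normalising toward char[] rather than String also keeps the option of zeroing the credential after use, which an immutable String does not offer.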
