[jboss-user] [Security & JAAS/JBoss] - Wierd seucrity login module questions!!

mskonda do-not-reply at jboss.com
Fri Jul 6 10:42:11 EDT 2007 

My goal is to encrypt datasouce passwords in our current production system.

I followed the wiki and wrote a class (module) of my own. I've created (almost copied) the SecurityIdentityLoginModule to have properties such as pbePass, algo, salt and iterationCount configured. 

I did the following:

- I've added the reference to the policy name in my *-ds.xml(see below)
- I've added the relevant bits in login-config.xml (see below)
- when I deploy I can see that the login module invoked is mine

However, I find these things intriguing:

- Although I have different applicaition-policy definitions for different daatasources, I can only see that my LoginModule being invoked just once! I am not sure why though - can any one explain to me if this is expected? 

- Secondly if I have two datasouce definitions, one with XA and other non-XA, I can only see that the LoginModule is invoked just for Non-XA all the times. The XA version, looks like, doesn't do any authentication. I've tried to deploy just a single XA datasource and found that my LoginModule being not invoked. I am not sure why though. Is this expected, if yes, could you give me an explanation, if not, is this a bug?

- third, even if I change the password string to incorrect one deliberately, the second DS deployment doesn't complain!

Can someone throw few pointers, please?

Help/input much appreciated.

Thanks
/M
<<my datasouces>>
--------------------

  |  <local-tx-datasource>
  |         <jndi-name>JMSDS</jndi-name>
  |         <connection-url>jdbc:sybase:Tds:myhost:4100/MyDbMS</connection-url>
  |         <driver-class>com.sybase.jdbc3.jdbc.SybDataSource</driver-class>
  |         <use-java-context>true</use-java-context>
  |         <security-domain>JMSDSEncryptionPolicy</security-domain>
  |         <check-valid-connection-sql>SELECT @@VERSION</check-valid-connection-sql>
  |         <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.SybaseExceptionSorter</exception-sorter-class-name>
  |         <metadata>
  |             <type-mapping>Sybase</type-mapping>
  |         </metadata>
  |     </local-tx-datasource>
  | 
  |   <xa-datasource>
  |         <jndi-name>JMSXADS</jndi-name>
  |         <use-java-context>false</use-java-context>
  |         <security-domain>JMSDSEncryptionPolicy</security-domain>
  |         <xa-datasource-class>com.sybase.jdbc3.jdbc.SybXADataSource</xa-datasource-class>
  |         <xa-datasource-property name="DatabaseName">mydb</xa-datasource-property>
  |         <xa-datasource-property name="ServerName">myserver</xa-datasource-property>
  |         <xa-datasource-property name="PortNumber">4100</xa-datasource-property>
  |         <check-valid-connection-sql>SELECT @@VERSION</check-valid-connection-sql>
  |         <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.SybaseExceptionSorter</exception-sorter-class-name>
  |         <metadata>
  |             <type-mapping>Sybase</type-mapping>
  |         </metadata>
  |     </xa-datasource>
  | 
<<my login-config.xml >>
-----------------------


  | <application-policy name = "JMSDSEncryptionPolicy">
  |        <authentication>
  |           <login-module code = "com.cmi2.framework.security.SecureLoginModule"
  |              flag = "required">
  |                <module-option name = "username">cmi2Trade01</module-option>
  |                <module-option name = "password">4d85a83e922ac8bed6cfd1f9898f3b42</module-option>
  |                <module-option name = "pbeAlgo">Blowfish</module-option>
  |                <module-option name = "pbePass">CMI2 is evolving</module-option>
  |                <module-option name = "securePropertiesFile">secure.properties.file</module-option>
  |                <module-option name = "policyName">JMSDSEncryptionPolicy</module-option>
  |                <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=JMSDS</module-option>
  |          </login-module>
  |       </authentication>
  |     </application-policy>
  |     
  |     <application-policy name = "EAIDSEncryptionPolicy">
  |        <authentication>
  |          <login-module code = "com.cmi2.framework.security.SecureLoginModule"
  |           
  |              flag = "required">
  |                <module-option name = "username">cmi2Trade01</module-option>
  |                <module-option name = "password">4d85a83e922ac8bed6cfd1f9898f3b42</module-option>
  |                <module-option name = "pbeAlgo">Blowfish</module-option>
  |                <module-option name = "pbePass">CMI2 is evolving</module-option>
  |                <module-option name = "securePropertiesFile">secure.properties.file</module-option>
  |                <module-option name = "policyName">CMITrade01EAIDSEncryptionPolicy</module-option>
  |                <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=CMITrade01EAIDS</module-option>
  |          </login-module>
  |       </authentication>
  |     </application-policy>



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4061336#4061336

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4061336

More information about the jboss-user mailing list