JBEAP-3812 (JBoss Enterprise Application Platform)

Flagging of invalid login credential for datasource is inconsistent - No SecurityContext set when creating subject


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 7.0.1.CR1, 7.0.1.GA
    • Affects Version/s: 7.0.0.ER6
    • Component/s: Security
    • Labels: None
    • Target Release: EAP 7.0.1

    Description

      If a security-domain is defined for a datasource and the password is not a valid encoded SecureIdentity password, there will be a LoginException within the SecureIdentity login module, which should be set on the current SecurityContext. But the SecurityContext is missing at the time the subject is created for data-source deployment, and the same holds for resource-adapter deployment.

      <datasource jndi-name="java:/DefaultDS2" pool-name="DefaultDS2" enabled="true" use-java-context="true">
          <connection-url>jdbc:oracle:thin:@hostname:1521:ora1</connection-url>
          <driver>oracle</driver>
          <security>
              <security-domain>encryptedPassword2</security-domain>
          </security>
      </datasource>

      <security-domain name="encryptedPassword2">
          <authentication>
              <login-module code="SecureIdentity" flag="required">
                  <module-option name="username" value="${user:none}"/>
                  <module-option name="password" value="${password:none}"/>
              </login-module>
          </authentication>
      </security-domain>
      

      Expected:

      SecurityContext is set when creating the subject for data-source or resource-adapter deployment.

      This is part of the fix for the issues described in the linked Bugzilla; it ensures that the SecurityContext is set.

      Another part of the fix is in the linked issue JBEAP-4733. Once that is done, the issues described in the linked Bugzilla can be verified by starting EAP with the configuration above using the command line:

      bin/standalone.sh -Duser=sa -Dpassword=9fdd42c2a7390d
      

      then you can see a root exception like the following printed out to the console:

      Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
          at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:966)
          at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824)
          at com.sun.crypto.provider.BlowfishCipher.engineDoFinal(BlowfishCipher.java:319)
          at javax.crypto.Cipher.doFinal(Cipher.java:2165)
          at org.picketbox.datasource.security.SecureIdentityLoginModule.decode(SecureIdentityLoginModule.java:197)
          at org.picketbox.datasource.security.SecureIdentityLoginModule.commit(SecureIdentityLoginModule.java:116)
          ... 31 more
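      To see where the BadPaddingException above comes from, and to check a value before putting it in the "password" module-option, here is an added stand-alone re-implementation of the SecureIdentity encoding scheme (Blowfish under the key hard-coded in PicketBox, ciphertext rendered as hex via BigInteger). It is example code written for this page, not the PicketBox or EAP source; the class and method names are ours, and the clear-text sample "sa" and the malformed value "9fdd42c2a7390d" from the reproducer command line are the constructed inputs.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Re-implementation of the SecureIdentity password scheme for illustration
// (not the PicketBox code). "Blowfish" resolves to Blowfish/ECB/PKCS5Padding
// in the JCE, which is why a malformed value surfaces as BadPaddingException.
public class SecureIdentityCheck {

    private static final String ALGORITHM = "Blowfish";
    // Key used by PicketBox's SecureIdentityLoginModule. It is fixed and public,
    // so "encoding" a password is obfuscation, not protection.
    private static final byte[] KEY = "jaas is the way".getBytes();

    /** Encode a clear-text password into the hex form used in module-option "password". */
    static String encode(String secret) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, ALGORITHM));
        byte[] encoding = cipher.doFinal(secret.getBytes());
        // A first ciphertext byte >= 0x80 gives a negative BigInteger and a
        // "-"-prefixed hex string; that is normal for this scheme.
        return new BigInteger(encoding).toString(16);
    }

    /** Decode the way the login module's commit() does; throws on a malformed value. */
    static String decode(String encoded) throws GeneralSecurityException {
        byte[] encoding = new BigInteger(encoded, 16).toByteArray();
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, ALGORITHM));
        return new String(cipher.doFinal(encoding));
    }

    /** True if the value would get past the login module's decode step. */
    static boolean isValidEncoding(String encoded) {
        try {
            decode(encoded);
            return true;
        } catch (NumberFormatException e) {      // not a hex string at all
            return false;
        } catch (GeneralSecurityException e) {   // BadPadding / IllegalBlockSize
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String clear = args.length > 0 ? args[0] : "sa";   // constructed sample input
        String enc = encode(clear);
        System.out.println("encoded:    " + enc);
        System.out.println("round-trip: " + decode(enc));

        // The value from the reproducer command line in this issue. It is not a
        // valid encoding, so decode() fails the way the stack trace shows.
        String bad = "9fdd42c2a7390d";
        try {
            decode(bad);
        } catch (GeneralSecurityException e) {
            System.out.println(bad + " -> " + e.getClass().getName() + ": " + e.getMessage());
        }
        System.out.println("valid? " + isValidEncoding(bad));   // false
    }
}
```

      Compile and run with javac/java on a stock JDK; no EAP libraries are needed. Two caveats worth knowing when you rely on this scheme: the hex rendering goes through BigInteger, so an encoding whose leading bytes are zero loses them and then fails to decode with IllegalBlockSizeException rather than BadPaddingException; and because the Blowfish key is fixed and public, anyone who can read the configuration can recover the clear-text password, so treat SecureIdentity as obfuscation and keep real secrets in a vault or credential store.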

      People

        rhn-engineering-lgao Lin Gao