- Bug
- Resolution: Done
- Major
- 7.0.0.ER6
- None
If a security-domain is defined for a datasource and the password is not a valid encoded SecureIdentity password, the SecureIdentity login module throws a LoginException, which should be set on the current SecurityContext. However, the SecurityContext is missing at the time the subject is created for a data-source deployment; the same applies to resource-adapter deployment.
<datasource jndi-name="java:/DefaultDS2" pool-name="DefaultDS2" enabled="true" use-java-context="true">
    <connection-url>jdbc:oracle:thin:@hostname:1521:ora1</connection-url>
    <driver>oracle</driver>
    <security>
        <security-domain>encryptedPassword2</security-domain>
    </security>
</datasource>

<security-domain name="encryptedPassword2">
    <authentication>
        <login-module code="SecureIdentity" flag="required">
            <module-option name="username" value="${user:none}"/>
            <module-option name="password" value="${password:none}"/>
        </login-module>
    </authentication>
</security-domain>
Expected:
SecurityContext is set when creating the subject for data-source or resource-adapter deployment.
This is part of the fix for the issues described in the linked Bugzilla; it ensures that the SecurityContext is set.
The other part of the fix is in the linked issue JBEAP-4733. Once that is done, the issues described in the linked Bugzilla can be verified by starting EAP with the configuration above and the following command line:
bin/standalone.sh -Duser=sa -Dpassword=9fdd42c2a7390d
then you can see the root exception like:
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:966)
at com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:824)
at com.sun.crypto.provider.BlowfishCipher.engineDoFinal(BlowfishCipher.java:319)
at javax.crypto.Cipher.doFinal(Cipher.java:2165)
at org.picketbox.datasource.security.SecureIdentityLoginModule.decode(SecureIdentityLoginModule.java:197)
at org.picketbox.datasource.security.SecureIdentityLoginModule.commit(SecureIdentityLoginModule.java:116)
... 31 more
printed out to the console
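The failure in the stack trace above and the root-cause check named in the title of JBEAP-4733, as an added Java example (not code from PicketBox or EAP): the class `RootCauseDemo`, its `commit` and `rootCause` methods and the key are constructed for illustration.

```java
import javax.crypto.BadPaddingException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import javax.security.auth.login.LoginException;
import java.nio.charset.StandardCharsets;

public class RootCauseDemo {
    // Constructed key for this demo only; it is not PicketBox's key.
    static final SecretKeySpec KEY =
        new SecretKeySpec("demo-only-key".getBytes(StandardCharsets.US_ASCII), "Blowfish");

    // Hypothetical stand-in for a login module's commit(): decrypt the
    // configured value and wrap any failure in a LoginException.
    static String commit(byte[] encoded) throws LoginException {
        try {
            Cipher c = Cipher.getInstance("Blowfish/ECB/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, KEY);
            return new String(c.doFinal(encoded), StandardCharsets.UTF_8);
        } catch (Exception e) {
            LoginException le = new LoginException("Failed to decode password");
            le.initCause(e);
            throw le;
        }
    }

    // Walk getCause() to the innermost exception, guarding against self-reference.
    static Throwable rootCause(Throwable t) {
        Throwable cur = t;
        while (cur.getCause() != null && cur.getCause() != cur) {
            cur = cur.getCause();
        }
        return cur;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: one Blowfish block whose plaintext does not end in
        // valid PKCS#5 padding, as with almost any value that was never encoded.
        Cipher raw = Cipher.getInstance("Blowfish/ECB/NoPadding");
        raw.init(Cipher.ENCRYPT_MODE, KEY);
        byte[] notEncoded = raw.doFinal("notvalid".getBytes(StandardCharsets.US_ASCII));
        try {
            commit(notEncoded);
        } catch (LoginException le) {
            Throwable root = rootCause(le);
            System.out.println("outer: " + le);
            System.out.println("root is BadPaddingException: "
                + (root instanceof BadPaddingException));
        }
    }
}
```

The outer exception only says the login failed; the root cause is what identifies the password value as not validly encoded.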
- is blocked by
  - WFLY-6372 Flagging of invalid login credential for datasource is inconsistent. (Closed)
- is related to
  - JBEAP-3813 [GSS](7.0.z) Upgrade PicketBox from 4.9.6.Final to 4.9.7.Final (Verified)
- relates to
  - JBEAP-4733 (7.0.z) Flagging of invalid login credential for datasource is inconsistent - JBossSecuritySubjectFactory should check the root cause exception (Verified)