JBEAP-6559 (JBoss Enterprise Application Platform)

[GSS] (7.1.0) A security-domain can only load login-modules from a single JBoss module


    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • 7.1.0.DR8
    • Security
    • Workaround Exists

      Workaround:

      1. Make a "composite" JBoss module that depends on the modules that contain the custom login modules:

         <module xmlns="urn:jboss:module:1.1" name="composite">
             <dependencies>
                 <module name="a" slot="1"/>
                 <module name="b" slot="1"/>
             </dependencies>
         </module>

         Configure the security-domain to load the custom login modules from the composite JBoss module:

         <security-domain name="ima-security-domain" cache-type="default">
             <authentication>
                 <login-module code="a.AuthenticationModule" flag="required" module="composite">
                     <module-option name="password-stacking" value="useFirstPass"/>
                 </login-module>
                 <login-module code="b.AuthorizationModule" flag="required" module="composite">
                     <module-option name="password-stacking" value="useFirstPass"/>
                 </login-module>
             </authentication>
         </security-domain>

      Or

      2. Combine the custom login modules into a single JBoss module.


      A security-domain can only load login-modules from a single JBoss module. Even though the security-domain configuration will allow each login module defined within a single security-domain to have a "module" attribute, the only module that is used to load the login-modules is the last "module" attribute that the parsing system locates.

      For example, with the following configuration, it looks like "org.jboss.example.CustomLoginModule" should be loaded from the "org.jboss.example" jboss-module and "org.jboss.example.CustomBaseCertLoginModule" should be loaded from the "org.jboss.another.example" jboss-module:

      <security-domain name="jmx-console" cache-type="default">
          <authentication>
              <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
              </login-module>
              <login-module code="org.jboss.example.CustomBaseCertLoginModule" module="org.jboss.another.example" flag="required">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
              </login-module>
          </authentication>
      </security-domain>

      Unfortunately, it does not work like this. Only the "org.jboss.another.example" jboss-module is used to load the custom login modules.

      There seem to be two issues:

      1) The security subsystem code only "remembers" the last module that is defined within a single security domain.

      2) I think issue #1 is happening because the JBoss authentication code (org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate()) defers to the JVM's login module handling code. The JVM appears to treat the login modules as one atomic unit, so a single classloader is set and then the JVM login module code is invoked to handle the authentication requests.

      Stefan Guilhen (sguilhen)
      Derek Horton (rhn-support-dehort)