JBoss Enterprise Application Platform / JBEAP-7848

[GSS] (7.0.z) A security-domain can only load login-modules from a single JBoss module


Details

    • Workaround Exists

      1. Make a "composite" JBoss module that depends on the modules that contain the custom login modules:

      <module xmlns="urn:jboss:module:1.1" name="composite">
          <dependencies>
              <module name="a" slot="1"/>
              <module name="b" slot="1"/>
          </dependencies>
      </module>

      Configure the security-domain to load the custom login modules from the composite JBoss module:

      <security-domain name="ima-security-domain" cache-type="default">
          <authentication>
              <login-module code="a.AuthenticationModule" flag="required" module="composite">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="b.AuthorizationModule" flag="required" module="composite">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>

      Or

      2. Combine the custom login modules into a single JBoss module.

    • EAP 7.0.6

    Description

      A security-domain can only load login-modules from a single JBoss module. Even though the security-domain configuration allows each login-module within a single security-domain to carry its own "module" attribute, the only module actually used to load the login-modules is the one named by the last "module" attribute the parser encounters.

      For example, with the following configuration, it looks like "org.jboss.example.CustomLoginModule" should be loaded from the "org.jboss.example" jboss-module and "org.jboss.example.CustomBaseCertLoginModule" should be loaded from the "org.jboss.another.example" jboss-module:

      <security-domain name="jmx-console" cache-type="default">
          <authentication>
              <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
              </login-module>
              <login-module code="org.jboss.example.CustomBaseCertLoginModule" module="org.jboss.another.example" flag="required">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
              </login-module>
          </authentication>
      </security-domain>

      Unfortunately, it does not work like this. Only the "org.jboss.another.example" jboss-module is used to load the custom login modules.

      There seem to be two issues. 1) The security subsystem code only "remembers" the last module that is defined within a single security domain. 2) I think issue #1 is happening because the JBoss authentication code (org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate()) defers to the JVM's login module handling code. The JVM appears to treat the login modules as one atomic unit, so a single classloader is set and then the JVM login module code is invoked to handle the authentication requests.
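      As an added check (not part of this issue or of EAP itself), the following Python script scans a security subsystem fragment for security-domains whose login-modules name more than one JBoss module, the misconfiguration this issue describes, and reports which module would actually be used on affected 7.0.z releases. The sample configuration is constructed here and contains both the broken case from the description and the "composite" module workaround.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not an attachment of the issue): a security subsystem
# fragment with two domains. "jmx-console" reproduces the issue's broken case
# (two login-modules naming different JBoss modules); "ima-security-domain"
# applies the "composite" module workaround.
SAMPLE_CONFIG = """\
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="jmx-console" cache-type="default">
      <authentication>
        <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required"/>
        <login-module code="org.jboss.example.CustomBaseCertLoginModule" module="org.jboss.another.example" flag="required"/>
      </authentication>
    </security-domain>
    <security-domain name="ima-security-domain" cache-type="default">
      <authentication>
        <login-module code="a.AuthenticationModule" flag="required" module="composite"/>
        <login-module code="b.AuthorizationModule" flag="required" module="composite"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
"""


def _local(tag):
    """Strip the XML namespace: the subsystem namespace URI varies by schema
    version, so elements are matched on their local name only."""
    return tag.rsplit('}', 1)[-1]


def find_mixed_module_domains(xml_text):
    """Return {domain_name: (modules_in_document_order, effective_module)} for
    every security-domain whose login-modules name more than one distinct
    JBoss module. On affected EAP 7.0.z only the last "module" attribute the
    parser sees is used, so all login-modules of such a domain are loaded
    from that one module, whether or not their classes live there."""
    findings = {}
    for domain in ET.fromstring(xml_text).iter():
        if _local(domain.tag) != 'security-domain':
            continue
        # login-modules without a "module" attribute use the subsystem default
        modules = [lm.get('module') for lm in domain.iter()
                   if _local(lm.tag) == 'login-module' and lm.get('module')]
        if len(set(modules)) > 1:
            findings[domain.get('name')] = (modules, modules[-1])
    return findings
```

      Running it against the sample flags only "jmx-console"; the workaround domain passes because every login-module resolves to the same "composite" module.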

      People

        Peter Palaga (ppalaga)
        Ivo Hradek (Inactive)