Bug 1069886

Summary: [GSS] (6.2.x) SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the JAAS cache
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: Security
Assignee: Derek Horton <dehort>
Status: CLOSED CURRENTRELEASE
QA Contact: Josef Cacek <jcacek>
Severity: unspecified
Docs Contact: Russell Dickenson <rdickens>
Priority: unspecified
Version: 6.1.0
CC: bbaranow, cdewolf, dehort, olukas, smumford
Target Milestone: CR2
Target Release: EAP 6.2.3
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, the JAAS cache did not cache the login information when the principal was null. If an application was not secured and used a datasource that was configured to use the `SecureIdentityLoginModule`, the principal came into the JAAS cache as null. As a result, nothing was cached. This meant that each time the application used the datasource, a call to the login module was triggered. This release of the product contains a modification to the JAAS cache logic to cache the login information when the principal is null. Now the login module is not called each time the datasource is used.
Story Points: ---
Clone Of: 1069885
Clones: 1073646
Last Closed: 2014-06-09 12:46:43 UTC
Type: Bug
Regression: ---
Documentation: ---
Bug Depends On: 1069885
Bug Blocks: 1067532, 1073646, 1088896, 1088897

Description Derek Horton 2014-02-25 20:58:21 UTC
+++ This bug was initially created as a clone of Bug #1069885 +++

Description of problem:

In EAP 6, when using the SecureIdentityLoginModule to encrypt datasource passwords, the results are not cached by the JAAS cache. In EAP 5, the results are cached. This can lead to a performance issue.

The root cause appears to be that the EAP 6 JAAS cache does not allow for a JAAS cache key to be null.

The issue only occurs when the application that uses the datasource is not secured. In this situation, the principal is null when isValid() and updateCache() are called. When the application is secured, the results are cached. I think it is working because the results of the SecureIdentityLoginModule are cached using the authenticated user's principal as the cache key.

Workaround:
Use vault for encrypting the database password. This does not use a JAAS login module so the JAAS cache and login module are completely avoided.

Comment 1 JBoss JIRA Server 2014-03-06 22:44:59 UTC
Derek Horton <dhorton> updated the status of jira SECURITY-803 to Resolved

Comment 2 Derek Horton 2014-04-04 17:19:13 UTC
Fix committed:
https://svn.jboss.org/repos/picketbox/branches/eap62

Comment 3 Derek Horton 2014-04-04 17:19:40 UTC
Reproducer:

- unsecured/unprotected servlet that uses a datasource
- configure a datasource that uses a security-domain
- configure the security-domain to use either the SecureIdentityLoginModule or the ConfiguredIdentityLoginModule
- hit the servlet and make sure the security-domain only gets hit once
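A concrete EAP 6 standalone configuration for the reproducer steps above, added here as an illustration; it is not taken from the bug report or from the EAP project, and the security-domain name (EncryptedDsPassword), datasource name (MyDS), the H2 driver and the encoded password value are all assumptions. The servlet itself only looks up `java:jboss/datasources/MyDS` via JNDI and calls `getConnection()`, and is deployed with no `<security-constraint>`, so no caller principal exists when the datasource authenticates. Turning on TRACE for `org.jboss.security` and hitting the servlet N times is the check: with the bug, the login module runs N times; with the fix (or with the vault workaround at the end), it runs once or not at all.

```xml
<!-- Added example, not from the bug report: standalone.xml fragments for EAP 6.2.
     Domain/datasource names and the encoded value are assumptions. -->

<!-- 1. Security domain that only carries the datasource credentials.
        cache-type="default" enables the JAAS cache this bug is about; without
        a cache-type there is no cache at all and the login module always runs. -->
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="EncryptedDsPassword" cache-type="default">
            <authentication>
                <!-- Use org.picketbox.datasource.security.ConfiguredIdentityLoginModule
                     (clear-text password option) to reproduce the second variant. -->
                <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
                    <module-option name="username" value="sa"/>
                    <!-- Placeholder: replace with the output of
                         java -cp $JBOSS_HOME/modules/system/layers/base/org/picketbox/main/picketbox-*.jar \
                              org.picketbox.datasource.security.SecureIdentityLoginModule <clear-text password> -->
                    <module-option name="password" value="5dfc52b51bd35553df8592078de921bc"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>

<!-- 2. Datasource that delegates its credentials to the domain above. -->
<subsystem xmlns="urn:jboss:domain:datasources:1.1">
    <datasources>
        <datasource jndi-name="java:jboss/datasources/MyDS" pool-name="MyDS" enabled="true" use-java-context="true">
            <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
            <driver>h2</driver>
            <security>
                <security-domain>EncryptedDsPassword</security-domain>
            </security>
        </datasource>
    </datasources>
</subsystem>

<!-- 3. Logging for the check. The cached authentication manager and the PicketBox
        login modules log at TRACE under org.jboss.security; count the login-module
        entries in server.log while requesting the unsecured servlet repeatedly. -->
<subsystem xmlns="urn:jboss:domain:logging:1.2">
    <logger category="org.jboss.security">
        <level name="TRACE"/>
    </logger>
</subsystem>

<!-- 4. Workaround named in the description: keep the password in the vault, so
        neither a login module nor the JAAS cache is involved. The vault block
        and the VAULT::ds_MyDS::password::1 reference are produced by vault.sh. -->
<datasource jndi-name="java:jboss/datasources/MyDS" pool-name="MyDS" enabled="true">
    <connection-url>jdbc:h2:mem:test;DB_CLOSE_DELAY=-1</connection-url>
    <driver>h2</driver>
    <security>
        <user-name>sa</user-name>
        <password>${VAULT::ds_MyDS::password::1}</password>
    </security>
</datasource>
```

Fragment 4 replaces fragment 2 rather than sitting beside it; the two are shown together only to contrast the login-module path with the vault path.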

Comment 6 Ondrej Lukas 2014-05-07 11:53:41 UTC
Verified in EAP 6.2.3.CR2.

Comment 7 Nichola Moore 2014-05-09 00:25:36 UTC
Please add doc text.

Comment 8 Nichola Moore 2014-05-09 00:33:38 UTC
Please add doc text. Thank you.