Bug 1288670
Summary: | [GSS] (6.4.z) Improve error message for EJBs with restricted access permission but no security-domain | |
---|---|---|---
Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | dhorton
Component: | EJB | Assignee: | Radovan STANCEL <rstancel>
Status: | CLOSED EOL | QA Contact: | Jan Martiska <jmartisk>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 6.4.4 | CC: | bbaranow, bmaxwell, david.lloyd, dhorton, egonzale, istudens, msochure, rstancel
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-08-19 12:46:20 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
dhorton
2015-12-04 23:19:05 UTC
Not really sure if changing the message would make sense, as the logic of the security manager is to say if the user is valid or not. Regarding "other" as the default security-domain, this is the current behaviour of the app server. Not sure if this change is a good idea.

PS: Maybe adding some debug info about which security domain is being used could help in this sort of use case :?

To reproduce:

- build an application with a secured web application, and assign the web application to a valid security-domain
- make the servlet invoke a secured EJB
- the EJB should use the @RolesAllowed annotation
- the EJB should _not_ be assigned to a security-domain; it will fall back to using "other" by default

There isn't a good warning in the logs about this behavior. You will see the servlet get authenticated using the security-domain that is assigned to it, but when the servlet invokes the secured EJB you will see that it "falls back" to the "other" security-domain, which cannot authenticate the user... leading to an error.
```
10:17:34,664 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: admin, cache entry: null
10:17:34,664 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: admin
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(other), size: 4
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
    ControlFlag: LoginModuleControlFlag: optional
    Options: name=password-stacking, value=useFirstPass
    [1]
    LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
    ControlFlag: LoginModuleControlFlag: required
    Options: name=password-stacking, value=useFirstPass
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000236: Begin initialize method
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000240: Begin login method
10:17:34,666 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000236: Begin initialize method
10:17:34,666 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000240: Begin login method
10:17:34,676 DEBUG [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000283: Bad password for username admin
10:17:34,677 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000244: Begin abort method
10:17:34,677 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000244: Begin abort method
10:17:34,677 DEBUG [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.1.3.Final-redhat-1.jar:4.1.3.Final-redhat-1]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_111]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_111]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_111]
    at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_111]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_111]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_111]
```
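The reproducer described in the report, written out as an added example (this is not code from the bug report or from JBoss EAP itself): a servlet secured by the web application's security-domain invokes a @RolesAllowed stateless bean, and the bean is pinned to the same domain so that it does not fall back to "other". The domain name "app-domain", the role "Manager" and the servlet path "/report" are assumptions; the domain must exist in the security subsystem of standalone.xml and its login modules must be the ones that know the user. The `@SecurityDomain` annotation is `org.jboss.ejb3.annotation.SecurityDomain` from the EAP 6 EJB extension API.

```java
// Added example, not code from the bug report or from JBoss EAP.
// Assumed names: security domain "app-domain", role "Manager", path "/report".
// Two source files are shown, separated by the file comments.

// --- file: ReportBean.java ---
package example;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// Restricted access plus an explicit security domain. Without the
// @SecurityDomain line this bean has restricted access but no domain of its
// own, so EAP 6 authorizes it against the ejb3 subsystem's
// default-security-domain ("other"). The servlet's principal is then
// re-checked by "other"'s login modules (RemotingLoginModule and
// RealmDirectLoginModule in the trace above), which do not know the user,
// and the invocation is rejected even though the web login succeeded.
@Stateless
@SecurityDomain("app-domain")   // same domain the web app uses (assumed name)
@RolesAllowed("Manager")        // assumed role
public class ReportBean {
    public String run(String caller) {
        return "report for " + caller;
    }
}

// --- file: ReportServlet.java ---
package example;

import java.io.IOException;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The web side: the container authenticates the request against the domain
// named in WEB-INF/jboss-web.xml (<security-domain>app-domain</security-domain>,
// auth method from <login-config> in web.xml) before this servlet runs, so
// getUserPrincipal() is already populated here.
@WebServlet("/report")
@ServletSecurity(@HttpConstraint(rolesAllowed = "Manager"))
public class ReportServlet extends HttpServlet {

    @EJB
    private ReportBean reportBean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getUserPrincipal().getName();
        try {
            // The web principal is propagated to the bean. If the bean's
            // domain cannot resolve that principal, the container refuses
            // the call (surfacing as EJBAccessException); say so explicitly
            // rather than letting it become a bare 500 with no hint about
            // which domain rejected the call.
            resp.getWriter().println(reportBean.run(user));
        } catch (EJBAccessException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                "EJB call rejected for " + user
                + " (check the bean's security-domain): " + e.getMessage());
        }
    }
}
```

To confirm which domain a bean is actually using, the TRACE line `PBOX000221: Begin getAppConfigurationEntry(<domain>)` in the trace above names it; seeing `(other)` there for a bean you believe is secured by your own domain is the symptom the report describes. Instead of the annotation, the domain can also be assigned in META-INF/jboss-ejb3.xml (a `security-domain` element under `assembly-descriptor`, namespace `urn:security:1.0`), or the fallback itself can be changed for the whole server with `/subsystem=ejb3:write-attribute(name=default-security-domain,value=app-domain)` in the CLI; the last option is convenient but means every unannotated bean silently inherits that domain, so prefer the per-bean assignment.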