Bug 1054556 - AuditProvider mentions "[Success]" even if username/password is invalid
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.2.0,6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: DR1
Target Release: EAP 6.4.0
Assignee: jboss-set
QA Contact: Pavel Slavicek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-17 02:52 UTC by Hisanobu Okuda
Modified: 2019-08-19 12:40 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:38:39 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker WFLY-3691 0 Major Closed AuditProvider mentions "[Success]" even if username/password is invalid 2018-07-30 15:51:54 UTC

Description Hisanobu Okuda 2014-01-17 02:52:40 UTC
Description of problem:
AuditProvider in security-domain mentions "[Success]" as follows:-

11:37:26,835 TRACE [org.jboss.security.audit] (HttpManagementService-threads - 3) [Success]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=admin;

even if a username/password is wrong.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Change ManagementRealm:-

            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local"/>
                    <jaas name="jaasSecurityDomain"/>
                </authentication>

2. add the log category:-

            <logger category="org.jboss.security.audit">
                <level name="TRACE"/>
            </logger>

3. add the security-domain:-

                <security-domain name="jaasSecurityDomain" cache-type="default">
                    <authentication>
                        <login-module code="Simple" flag="required"/>
                    </authentication>
                    <audit/>
                </security-domain>

Then the web console requires authentication against the security-domain instead of the mgmt-users.properties file.

4. Start EAP, then access the web console with a wrong username/password, for example admin/wrongpass.

Actual results:


Expected results:


Additional info:
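The audit line quoted in the description follows a fixed shape ("[Level]" followed by key=value pairs separated by ";"), and the bug means every authentication attempt, failed or not, arrives as [Success], so any failure count derived from the audit log on an affected build is zero. The following parser and per-principal failure count is an added example, not code from the bug report or from EAP; the sample lines are constructed, the first copied from the report and the second showing the same failed login once the audit level is no longer hard-coded.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Matches the org.jboss.security.audit TRACE line format quoted in the bug report:
#   <time> TRACE [org.jboss.security.audit] (<thread>) [<Level>]key=value;key=value;...
AUDIT_LINE = re.compile(
    r"^(?P<time>\S+)\s+TRACE\s+\[org\.jboss\.security\.audit\]\s+\((?P<thread>[^)]*)\)\s+"
    r"\[(?P<level>[A-Za-z]+)\](?P<ctx>.*)$"
)


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return the audit level plus the key=value context map, or None for non-audit lines."""
    m = AUDIT_LINE.match(line.strip())
    if m is None:
        return None
    event = {"time": m.group("time"), "thread": m.group("thread"), "level": m.group("level")}
    for pair in m.group("ctx").split(";"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            event[key.strip()] = value.strip()
    return event


def failures_per_principal(lines: List[str]) -> Counter:
    """Count authentication events whose audit level is anything other than Success.

    On a build with this bug the result is always empty, because failed logins are
    also logged as [Success]; that is exactly the blind spot the report describes.
    """
    counts: Counter = Counter()
    for line in lines:
        ev = parse_audit_line(line)
        if ev and ev.get("Action") == "authentication" and ev["level"] != "Success":
            counts[ev.get("principal", "null")] += 1
    return counts


# Constructed sample input (assumption: the second line is what a failed login produces
# once AuditEvent is built from the passed-in level; the third is unrelated server output).
SAMPLE_LINES = [
    "11:37:26,835 TRACE [org.jboss.security.audit] (HttpManagementService-threads - 3) "
    "[Success]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=admin;",
    "11:37:31,102 TRACE [org.jboss.security.audit] (HttpManagementService-threads - 3) "
    "[Failure]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=admin;",
    "11:37:31,103 INFO  [org.jboss.as] (MSC service thread 1-1) JBoss EAP started",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_audit_line(line))
    print(failures_per_principal(SAMPLE_LINES))
```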

Comment 1 Hisanobu Okuda 2014-01-17 03:08:20 UTC
The following code change would work:-

[hokuda@localhost SRC]$ git diff
diff --git a/jboss-as-security-7.3.0.Final-redhat-14-sources/org/jboss/as/security/service/SimpleSecurityManager.java b/jboss-as-se
index e00a70c..eae0abc 100644
--- a/jboss-as-security-7.3.0.Final-redhat-14-sources/org/jboss/as/security/service/SimpleSecurityManager.java
+++ b/jboss-as-security-7.3.0.Final-redhat-14-sources/org/jboss/as/security/service/SimpleSecurityManager.java
@@ -507,7 +507,7 @@ public class SimpleSecurityManager implements ServerSecurityManager {
      * @param userPrincipal
      */
     private void audit(String level, AuditManager auditManager, Principal userPrincipal) {
-        AuditEvent auditEvent = new AuditEvent(AuditLevel.SUCCESS);
+        AuditEvent auditEvent = new AuditEvent(level);
         Map<String, Object> ctxMap = new HashMap<String, Object>();
         ctxMap.put("principal", userPrincipal != null ? userPrincipal : "null");
         ctxMap.put("Source", getClass().getCanonicalName());
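Review bot: the root cause is that the `level` parameter of `audit(String level, AuditManager auditManager, Principal userPrincipal)` was ignored in favour of the hard-coded `AuditLevel.SUCCESS`, and replacing it with `new AuditEvent(level)` is the right fix, but it only changes the logged line if the failed-authentication call site actually passes a failure level rather than `AuditLevel.SUCCESS`; the callers are not in this hunk, so they should be checked before this is considered complete. The Javadoc just above lists only `@param userPrincipal`; add `@param level` stating the expected `AuditLevel` constants so the parameter is not silently dropped again.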

Comment 3 Darran Lofthouse 2014-09-04 17:54:22 UTC
Adding a dev ack on the basis this is already at the MODIFIED state.

Comment 4 Ondrej Lukas 2014-09-19 08:41:40 UTC
Verified in EAP 6.4.0.DR1.1.

