Bug 1054556 - AuditProvider mentions "[Success]" even if username/password is invalid
Status: VERIFIED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.2.0, 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: DR1
Target Release: EAP 6.4.0
Assigned To: jboss-set
QA Contact: Pavel Slavicek
Reported: 2014-01-16 21:52 EST by Hisanobu Okuda
Modified: 2018-06-07 17:30 EDT
Doc Type: Bug Fix
Type: Bug


External Trackers:
  JBoss Issue Tracker WFLY-3691 (Priority: Major, Status: Closed) - AuditProvider mentions "[Success]" even if username/password is invalid (last updated 2018-07-30 11:51 EDT)
Description Hisanobu Okuda 2014-01-16 21:52:40 EST
Description of problem:
AuditProvider in security-domain mentions "[Success]" as follows:-

11:37:26,835 TRACE [org.jboss.security.audit] (HttpManagementService-threads - 3) [Success]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=admin;

even if a username/password is wrong.

Steps to Reproduce:
1. Change ManagementRealm:-

            <security-realm name="ManagementRealm">
                <authentication>
                    <local default-user="$local"/>
                    <jaas name="jaasSecurityDomain"/>
                </authentication>
            </security-realm>

2. Add the log category:-

            <logger category="org.jboss.security.audit">
                <level name="TRACE"/>
            </logger>

3. Add the security-domain:-

                <security-domain name="jaasSecurityDomain" cache-type="default">
                    <authentication>
                        <login-module code="Simple" flag="required"/>
                    </authentication>
                    <audit/>
                </security-domain>

Then the web console requires authentication against the security-domain instead of the mgmt-users.properties file.

4. Start EAP, then access the web console with a wrong username/password, for example admin/wrongpass.

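The following is an added, self-contained Java illustration of the defect described in this report; it is not EAP or PicketBox code and not part of the original bug. The classes AuditLevelDemo, AuditEvent, RecordingAuditManager and the methods auditBeforeFix/auditAfterFix/attemptLogin are stand-ins assumed for the example, shaped like the audit helper in the one-line change posted in Comment 1, so that the effect of ignoring versus forwarding the level argument can be observed without a running server. The credential check is constructed for the example.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example, not EAP/PicketBox code. Every class below is a stand-in
// (assumption) mimicking the shape of the audit path in the report, so the
// difference between ignoring and forwarding the level is visible in isolation.
public class AuditLevelDemo {

    // Stand-ins for the AuditLevel string constants.
    static final String SUCCESS = "Success";
    static final String FAILURE = "Failure";

    // Stand-in for AuditEvent: a level plus a context map of key/value pairs.
    static final class AuditEvent {
        final String level;
        final Map<String, Object> ctxMap = new LinkedHashMap<String, Object>();

        AuditEvent(String level) {
            this.level = level;
        }

        // Render in the same "[Level]key=value;..." shape as the TRACE line in the report.
        String render() {
            StringBuilder sb = new StringBuilder("[").append(level).append("]");
            for (Map.Entry<String, Object> e : ctxMap.entrySet()) {
                sb.append(e.getKey()).append('=').append(e.getValue()).append(';');
            }
            return sb.toString();
        }
    }

    // Stand-in for AuditManager that keeps events in memory instead of logging them.
    static final class RecordingAuditManager {
        final List<AuditEvent> events = new ArrayList<AuditEvent>();

        void audit(AuditEvent event) {
            events.add(event);
        }

        AuditEvent last() {
            return events.get(events.size() - 1);
        }
    }

    // Shape of the helper before the fix: the level argument is accepted but never used.
    static void auditBeforeFix(String level, RecordingAuditManager am, Principal user) {
        AuditEvent event = new AuditEvent(SUCCESS); // hard-coded, regardless of 'level'
        fill(event, user);
        am.audit(event);
    }

    // Shape of the helper after the one-line change: the caller's level is forwarded.
    static void auditAfterFix(String level, RecordingAuditManager am, Principal user) {
        AuditEvent event = new AuditEvent(level);
        fill(event, user);
        am.audit(event);
    }

    private static void fill(AuditEvent event, Principal user) {
        event.ctxMap.put("Source", AuditLevelDemo.class.getName());
        event.ctxMap.put("Action", "authentication");
        event.ctxMap.put("principal", user != null ? user.getName() : "null");
    }

    // Constructed credential check standing in for the login module; its outcome chooses the level.
    static String attemptLogin(final String user, String password, boolean fixed, RecordingAuditManager am) {
        boolean ok = "admin".equals(user) && "correct-password".equals(password);
        String level = ok ? SUCCESS : FAILURE;
        Principal p = new Principal() {
            public String getName() {
                return user;
            }
        };
        if (fixed) {
            auditAfterFix(level, am, p);
        } else {
            auditBeforeFix(level, am, p);
        }
        return am.last().level;
    }

    public static void main(String[] args) {
        RecordingAuditManager before = new RecordingAuditManager();
        RecordingAuditManager after = new RecordingAuditManager();
        attemptLogin("admin", "wrongpass", false, before);
        attemptLogin("admin", "wrongpass", true, after);
        System.out.println("before fix: " + before.last().render());
        System.out.println("after fix:  " + after.last().render());
    }
}
```

Run as-is: both calls use the wrong password, yet the pre-fix helper records the attempt at the Success level while the post-fix helper records it at the Failure level. For a defender this is the practical consequence of the bug: on affected versions, an audit line beginning with "[Success]" for Action=authentication cannot be used on its own to distinguish a successful login from a rejected one, so alerting on failed management-console logins has to rely on another source until the fix is in place.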
Comment 1 Hisanobu Okuda 2014-01-16 22:08:20 EST
The following code change would work:-

[hokuda@localhost SRC]$ git diff
diff --git a/jboss-as-security-7.3.0.Final-redhat-14-sources/org/jboss/as/security/service/SimpleSecurityManager.java b/jboss-as-se
index e00a70c..eae0abc 100644
--- a/jboss-as-security-7.3.0.Final-redhat-14-sources/org/jboss/as/security/service/SimpleSecurityManager.java
+++ b/jboss-as-security-7.3.0.Final-redhat-14-sources/org/jboss/as/security/service/SimpleSecurityManager.java
@@ -507,7 +507,7 @@ public class SimpleSecurityManager implements ServerSecurityManager {
      * @param userPrincipal
      */
     private void audit(String level, AuditManager auditManager, Principal userPrincipal) {
-        AuditEvent auditEvent = new AuditEvent(AuditLevel.SUCCESS);
+        AuditEvent auditEvent = new AuditEvent(level);
         Map<String, Object> ctxMap = new HashMap<String, Object>();
         ctxMap.put("principal", userPrincipal != null ? userPrincipal : "null");
         ctxMap.put("Source", getClass().getCanonicalName());
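Review bot: The `level` parameter of `audit(String level, AuditManager auditManager, Principal userPrincipal)` was previously discarded in favour of the hard-coded `AuditLevel.SUCCESS`, so forwarding it with `new AuditEvent(level)` is the right change, but it only fixes the reported log line if the call site on the failed-authentication path actually passes the failure level; those callers are outside this hunk and should be checked in the same review. Two smaller points on the visible lines: the Javadoc context shows `@param userPrincipal` but no `@param level`, so the accepted values (the `AuditLevel` constants) should be documented now that the argument matters; and `ctxMap.put("principal", userPrincipal != null ? userPrincipal : "null")` emits the literal string "null" for anonymous attempts, which anything parsing the audit line cannot tell apart from a real principal named null.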
Comment 3 Darran Lofthouse 2014-09-04 13:54:22 EDT
Adding a dev ack on the basis this is already at the MODIFIED state.
Comment 4 Ondrej Lukas 2014-09-19 04:41:40 EDT
Verified in EAP 6.4.0.DR1.1.
