Bug 1069885 - [GSS] (6.3.0) SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the JAAS cache
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
6.1.1
Unspecified Unspecified
unspecified Severity unspecified
: ER4
: EAP 6.3.0
Assigned To: Derek Horton
Josef Cacek
Russell Dickenson
Blocks: 1069886
Reported: 2014-02-25 15:55 EST by Derek Horton
Modified: 2016-06-27 05:58 EDT
Doc Type: Bug Fix
Doc Text:
In previous versions of JBoss EAP 6, performance issues were encountered when using the `SecureIdentityLoginModule`, because encrypted datasource passwords were not cached. This was caused by the JAAS cache not allowing the cache key to be null when the application using the datasource was not secured. In this release of the product, the vault is used for encrypting database passwords, bypassing the JAAS login module and resolving the performance issues.
: 1069886 (view as bug list)
Last Closed: 2014-06-28 11:27:53 EDT
Type: Bug




External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker SECURITY-803 Major Resolved SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the JAAS cache 2016-06-27 05:54 EDT

Description Derek Horton 2014-02-25 15:55:59 EST
Description of problem:

In EAP 6, when using the SecureIdentityLoginModule to encrypt datasource passwords, the results are not cached by the JAAS cache. In EAP 5, the results are cached. This can lead to a performance issue.

The root cause appears to be that the EAP 6 JAAS cache does not allow for a JAAS cache key to be null.

The issue only occurs when the application that uses the datasource is not secured. In this situation, the principal is null when isValid() and updateCache() are called. When the application is secured, the results are cached. I think it is working because the results of the SecureIdentityLoginModule are cached using the authenticated user's principal as the cache key.

Workaround:
Use vault for encrypting the database password. This does not use a JAAS login module so the JAAS cache and login module are completely avoided.
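
The workaround above expressed as EAP 6 configuration, as an added example that is not part of the original report: the first fragment resolves the datasource password through the JAAS login module, the second replaces it with a vault expression. The names `ExampleDS` and `ds-encrypted`, the user `sa`, the connection URL, the encrypted value and the vault block and attribute names are constructed placeholders; the `${VAULT::...}` expression to paste is the one the vault tool prints for your keystore.

```xml
<!-- Before (constructed example): the datasource delegates its credentials
     to a security domain backed by the SecureIdentity login module. Per the
     report, an unsecured application has no principal to act as JAAS cache
     key, so the login module result is not cached. -->
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS">
  <connection-url>jdbc:h2:mem:test</connection-url>
  <driver>h2</driver>
  <security>
    <security-domain>ds-encrypted</security-domain>
  </security>
</datasource>

<security-domain name="ds-encrypted" cache-type="default">
  <authentication>
    <login-module code="SecureIdentity" flag="required">
      <module-option name="username" value="sa"/>
      <!-- placeholder for the encrypted password string -->
      <module-option name="password" value="ENCRYPTED_PASSWORD_PLACEHOLDER"/>
      <module-option name="managedConnectionFactoryName"
                     value="jboss.jca:name=ExampleDS,service=LocalTxCM"/>
    </login-module>
  </authentication>
</security-domain>

<!-- After (constructed example): the password is a vault expression, so no
     security domain or JAAS login module is involved for this datasource
     and the ds-encrypted domain above can be removed. -->
<datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS">
  <connection-url>jdbc:h2:mem:test</connection-url>
  <driver>h2</driver>
  <security>
    <user-name>sa</user-name>
    <!-- placeholder vault block "ds_ExampleDS", attribute "password" -->
    <password>${VAULT::ds_ExampleDS::password::1}</password>
  </security>
</datasource>
```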
Comment 1 JBoss JIRA Server 2014-03-06 17:44:59 EST
Derek Horton <dhorton@redhat.com> updated the status of jira SECURITY-803 to Resolved
Comment 5 Hynek Mlnarik 2014-05-14 11:54:35 EDT
Verified in 6.3.0.ER4
