Bug 1069885 - [GSS] (6.3.0) SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the JAAS cache
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.1.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ER4
Target Release: EAP 6.3.0
Assignee: Derek Horton
QA Contact: Josef Cacek
Docs Contact: Russell Dickenson
Blocks: 1069886
Reported: 2014-02-25 20:55 UTC by Derek Horton
Modified: 2019-11-14 06:25 UTC (History)

Clones: 1069886
Last Closed: 2014-06-28 15:27:53 UTC
Type: Bug
Links:
Red Hat Issue Tracker SECURITY-803 (Major, Resolved): SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the JAAS cache. Last updated 2016-06-27 09:54:59 UTC.

Description Derek Horton 2014-02-25 20:55:59 UTC
Description of problem:

In EAP 6, when using the SecureIdentityLoginModule to encrypt datasource passwords, the results are not cached by the JAAS cache. In EAP 5, the results are cached. This can lead to a performance issue.

The root cause appears to be that the EAP 6 JAAS cache does not allow for a JAAS cache key to be null.

The issue only occurs when the application that uses the datasource is not secured. In this situation, the principal is null when isValid() and updateCache() are called. When the application is secured, the results are cached. I think it is working because the results of the SecureIdentityLoginModule are cached using the authenticated user's principal as the cache key.

Workaround:
Use vault for encrypting the database password. This does not use a JAAS login module so the JAAS cache and login module are completely avoided.
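As an added illustration (not JBoss code) of the behaviour the description reports, the model below keys a cache on the caller's principal, as the EAP 6 JAAS cache does, and counts how often the login module runs when the caller is unsecured (principal null). The fallback-key variant is an assumed fix for the illustration only, not the change shipped in 6.3.

```python
"""Model of the caching behaviour described in the bug report (added illustration, not JBoss code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class LoginModuleStandIn:
    """Stand-in for the password-decrypting login module; counts invocations."""
    calls: int = 0

    def login(self, username: str) -> Tuple[str, str]:
        self.calls += 1                            # the work a cache hit should save
        return (username, "decrypted-password")    # constructed placeholder result


@dataclass
class PrincipalKeyedCache:
    """EAP 6 style: the cache key is the caller's principal; a null key is never stored."""
    module: LoginModuleStandIn
    entries: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def cache_key(self, principal: Optional[str], username: str) -> Optional[str]:
        return principal                           # null principal -> null key -> nothing cached

    def is_valid(self, principal: Optional[str], username: str) -> Tuple[str, str]:
        key = self.cache_key(principal, username)
        if key is not None and key in self.entries:
            return self.entries[key]               # cache hit: login module not run
        result = self.module.login(username)       # cache miss: run the login module
        if key is not None:                        # updateCache() refuses a null key
            self.entries[key] = result
        return result


class FallbackKeyedCache(PrincipalKeyedCache):
    """Assumed fix (hypothetical): derive a key from the configured identity when no principal exists."""

    def cache_key(self, principal: Optional[str], username: str) -> Optional[str]:
        return principal if principal is not None else f"configured-identity:{username}"


def login_module_calls(cache_cls, principal: Optional[str], lookups: int) -> int:
    """Run `lookups` datasource lookups through a fresh cache; return how often the module ran."""
    module = LoginModuleStandIn()
    cache = cache_cls(module)
    for _ in range(lookups):
        cache.is_valid(principal, "dsuser")        # "dsuser" is a constructed datasource user
    return module.calls
```

With a secured caller the module runs once for five lookups; with a null principal it runs on every lookup, which is the performance issue the report describes.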

Comment 1 JBoss JIRA Server 2014-03-06 22:44:59 UTC
Derek Horton <dhorton> updated the status of jira SECURITY-803 to Resolved

Comment 5 Hynek Mlnarik 2014-05-14 15:54:35 UTC
Verified in 6.3.0.ER4


Note You need to log in before you can comment on or make changes to this bug.