1069886 – [GSS] (6.2.x) SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the JAAS cache

Bug 1069886 - [GSS] (6.2.x) SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the JAAS cache

Summary: [GSS] (6.2.x) SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) r...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Enterprise Application Platform 6
Classification:	JBoss
Component:	Security
Sub Component:
Version:	6.1.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	CR2
Target Release:	EAP 6.2.3
Assignee:	Derek Horton
QA Contact:	Josef Cacek
Docs Contact:	Russell Dickenson
URL:
Whiteboard:
Depends On:	1069885
Blocks:	eap62-cp03-blockers 1073646 1088896 1088897
TreeView+	depends on / blocked

Reported:	2014-02-25 20:58 UTC by Derek Horton
Modified:	2018-12-05 17:25 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	In previous versions of JBoss EAP 6, the JAAS cache did not cache the login information when the principal was null. If an application is not secured and uses a datasource that is configured to use the `SecureIdentityLoginModule`, the principal comes into JAAS cache as a null. As a result, nothing was cached. This meant that each time the application used the datasource, a call to the login-module was triggered. This release of the product contains a modification to the JAAS cache logic to cache the login info when the principal is null. Now the login module is not called each time the datasource is used.
Clone Of:	1069885
Clones:	1073646 (view as bug list)
Environment:
Last Closed:	2014-06-09 12:46:43 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	SECURITY-803	0	Major	Resolved	SecureIdentityLoginModule (and ConfiguredIdentityLoginModule) results are not cached by the JAAS cache	2016-05-02 06:32:01 UTC

Description Derek Horton 2014-02-25 20:58:21 UTC

+++ This bug was initially created as a clone of Bug #1069885 +++

Description of problem:

In EAP 6, when using the SecureIdentityLoginModule to encrypt datasource passwords, the results are not cached by the JAAS cache. In EAP 5, the results are cached. This can lead to a performance issue.

The root cause appears to be that the EAP 6 JAAS cache does not allow for a JAAS cache key to be null.

The issue only occurs when the application that uses the datasource is not secured. In this situation, the principal is null when isValid() and updateCache() are called. When the application is secured, the results are cached. I think it is working because the result of the SecureIdentityLoginModule are cached using the authenticated user's principal as the cache key.

Workaround:
Use vault for encrypting the database password. This does not use a JAAS login module so the JAAS cache and login module are completely avoided.

Comment 1 JBoss JIRA Server 2014-03-06 22:44:59 UTC

Derek Horton <dhorton> updated the status of jira SECURITY-803 to Resolved

Comment 2 Derek Horton 2014-04-04 17:19:13 UTC

Fix committed:
https://svn.jboss.org/repos/picketbox/branches/eap62

Comment 3 Derek Horton 2014-04-04 17:19:40 UTC

Reproducer:

- unsecured/unprotected servlet that users a datasource
- configure a datasource that uses a security-domain
- configure the security-domain to use either the SecureIdentityLoginModule or the ConfiguredIdentityLoginModule
- hit the servlet and make sure the security-domain only gets hit once

Comment 6 Ondrej Lukas 2014-05-07 11:53:41 UTC

Verified in EAP 6.2.3.CR2.

Comment 7 Nichola Moore 2014-05-09 00:25:36 UTC

Please add doc text.

Comment 8 Nichola Moore 2014-05-09 00:33:38 UTC

Please add doc text. Thank you.

Note You need to log in before you can comment on or make changes to this bug.