Bug 1254194 - (6.4.z) Differently implemented password-stacking option in ClientLoginModule
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: CR1
: EAP 6.4.12
Assignee: Ryan Emerson
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On:
Blocks: 1274287 eap6412-payload
 
Reported: 2015-08-17 12:05 UTC by Ondrej Lukas
Modified: 2017-01-17 13:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-17 13:11:33 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SECURITY-903 0 Major Resolved Differently implemented password-stacking option in ClientLoginModule 2020-07-07 14:43:04 UTC

Description Ondrej Lukas 2015-08-17 12:05:23 UTC
When a login module should use password stacking, the value of the password-stacking option should be set to useFirstPass. All login modules should respect it. However, the implementation of org.jboss.security.ClientLoginModule uses password-stacking differently: it uses password stacking every time some value is set for the password-stacking option (even the value false). It should work the same as other login modules. The current behavior can be confusing and can lead to an incorrectly set server configuration.
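
A configuration check for the mismatch described above, added here as an illustration (it is not code from the bug report or from the project). It flags ClientLoginModule entries whose password-stacking value would enable stacking only under the "any value set" behaviour. Assumptions: the XML sample is constructed, `Client` is treated as a short code for the module, and the useFirstPass comparison is case-insensitive.

```python
import xml.etree.ElementTree as ET

# Constructed sample in an EAP 6 style security-subsystem layout (not from the bug report).
SAMPLE = """
<security-domains>
  <security-domain name="stacked-ok"><authentication>
    <login-module code="Client" flag="required">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
  </authentication></security-domain>
  <security-domain name="stacked-by-accident"><authentication>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      <module-option name="password-stacking" value="false"/>
    </login-module>
  </authentication></security-domain>
  <security-domain name="no-stacking"><authentication>
    <login-module code="Client" flag="required"/>
  </authentication></security-domain>
</security-domains>
"""

# Assumption: "Client" is accepted as a short code for the full class name.
CLIENT_CODES = {"Client", "org.jboss.security.ClientLoginModule"}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def audit(xml_text):
    """Return (domain, value) for each ClientLoginModule whose password-stacking
    value enables stacking only under the 'any value set' behaviour."""
    findings = []
    for domain in ET.fromstring(xml_text).iter():
        if local(domain.tag) != "security-domain":
            continue
        for lm in domain.iter():
            if local(lm.tag) != "login-module" or lm.get("code") not in CLIENT_CODES:
                continue
            for opt in lm:
                if local(opt.tag) == "module-option" and opt.get("name") == "password-stacking":
                    value = opt.get("value")
                    reported = value is not None  # behaviour described in the report
                    # Expected behaviour; case-insensitive match is an assumption.
                    expected = (value or "").lower() == "usefirstpass"
                    if reported != expected:
                        findings.append((domain.get("name"), value))
    return findings

if __name__ == "__main__":
    for name, value in audit(SAMPLE):
        print(f"{name}: password-stacking={value!r} enables stacking on affected versions")
```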

Comment 5 JBoss JIRA Server 2015-09-16 09:03:05 UTC
Ryan Emerson <remerson> updated the status of jira SECURITY-903 to Resolved

Comment 6 Mike McCune 2016-03-28 23:25:37 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation; please see mmccune with any questions.

Comment 7 Ivo Hradek 2016-11-25 10:17:31 UTC
Verified with EAP 6.4.12.CP.CR1;

Comment 8 Petr Penicka 2017-01-17 13:11:33 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

