Bug 1254194 - (6.4.z) Differently implemented password-stacking option in ClientLoginModule
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Unspecified Unspecified
unspecified Severity medium
: CR1
: EAP 6.4.12
Assigned To: Ryan Emerson
Josef Cacek
Depends On:
Blocks: 1274287 eap6412-payload
Reported: 2015-08-17 08:05 EDT by Ondrej Lukas
Modified: 2017-01-17 08:11 EST
Doc Type: Bug Fix
Last Closed: 2017-01-17 08:11:33 EST
Type: Bug

External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker SECURITY-903 Major Resolved Differently implemented password-stacking option in ClientLoginModule 2017-08-04 07:50 EDT

Description Ondrej Lukas 2015-08-17 08:05:23 EDT
In case when some login module should use password stacking then value of password-stacking option should be set to useFirstPass. All login modules should respect it. However implementation of org.jboss.security.ClientLoginModule uses password-stacking differently - it uses password stacking every time when some value is set for password-stacking option (even value false). It should work same as other login modules. Current behavior can be confusing and can lead to incorrectly set server configuration.
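
The difference described in the report above, as an added example that is not part of the original bug and not PicketBox source code: it models the two interpretations of the password-stacking option and flags the option values on which they disagree. The class and method names are hypothetical, and the case-insensitive comparison with useFirstPass is an assumption.

```java
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration: models the two behaviours from the report, not PicketBox source.
public class PasswordStackingAudit {

    // What the report expects of every login module: stack only for useFirstPass.
    // Case-insensitive matching is an assumption of this sketch.
    static boolean stacksAsExpected(Map<String, String> options) {
        return "useFirstPass".equalsIgnoreCase(options.get("password-stacking"));
    }

    // What the report describes for ClientLoginModule: any set value enables stacking.
    static boolean stacksAsReported(Map<String, String> options) {
        return options.get("password-stacking") != null;
    }

    // The option needs review when the two interpretations disagree.
    static boolean needsReview(Map<String, String> options) {
        return stacksAsExpected(options) != stacksAsReported(options);
    }

    // Builds a module-option map; null means the option is not configured at all.
    static Map<String, String> options(String passwordStacking) {
        Map<String, String> m = new LinkedHashMap<String, String>();
        if (passwordStacking != null) {
            m.put("password-stacking", passwordStacking);
        }
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample values for the password-stacking module option.
        for (String value : Arrays.asList(null, "useFirstPass", "false", "true", "")) {
            Map<String, String> o = options(value);
            System.out.printf("%-14s expected=%-5b reported=%-5b %s%n",
                    value == null ? "(unset)" : "\"" + value + "\"",
                    stacksAsExpected(o), stacksAsReported(o),
                    needsReview(o) ? "REVIEW" : "ok");
        }
    }
}
```

Values marked REVIEW are the ones an administrator could set believing stacking is off while the behaviour described in the report would still enable it.
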
Comment 5 JBoss JIRA Server 2015-09-16 05:03:05 EDT
Ryan Emerson <remerson@redhat.com> updated the status of jira SECURITY-903 to Resolved
Comment 6 Mike McCune 2016-03-28 19:25:37 EDT
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune@redhat.com with any questions
Comment 7 Ivo Hradek 2016-11-25 05:17:31 EST
Verified with EAP 6.4.12.CP.CR1;
Comment 8 Petr Penicka 2017-01-17 08:11:33 EST
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.