Bug 1280512 - [GSS] (6.4.z) A security-domain can only load login-modules from a single JBoss module
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: CR1
Target Release: EAP 6.4.14
Assigned To: Peter Palaga
QA Contact: Josef Cacek
Depends On: 1408458
Blocks: eap6414-payload

Reported: 2015-11-11 19:10 EST by dhorton
Modified: 2017-03-23 04:25 EDT

Doc Type: Bug Fix
Type: Bug
Last Closed: 2017-03-23 04:25:30 EDT


External Trackers
JBoss Issue Tracker JBEAP-6559 (Major, Verified): [GSS] (7.1.z) A security-domain can only load login-modules from a single JBoss module (last updated 2017-09-10 20:41 EDT)
JBoss Issue Tracker JBEAP-7848 (Major, Verified): [GSS] (7.0.z) A security-domain can only load login-modules from a single JBoss module (last updated 2017-09-10 20:41 EDT)
JBoss Issue Tracker SECURITY-930 (Major, Resolved): A security-domain can only load login-modules from a single JBoss module (last updated 2017-09-10 20:41 EDT)
JBoss Issue Tracker WFLY-7412 (Major, Resolved): A security-domain can only load login-modules from a single JBoss module (last updated 2017-09-10 20:41 EDT)
JBoss Issue Tracker WFLY-7834 (Major, Resolved): A test for loading custom login modules from non-default JBoss modules [SECURITY-930][WFLY-7412] (last updated 2017-09-10 20:41 EDT)
Red Hat Knowledge Base (Solution) 2056203 (last updated 2017-03-03 13:27 EST)

Description dhorton 2015-11-11 19:10:36 EST
Description of problem:

A security-domain can only load login-modules from a single JBoss module.  Even though the security-domain configuration will allow each login module defined within a single security-domain to have a "module" attribute, the only module that is used to load the login-modules is the last "module" attribute that the parsing system locates.  

For example, with the following configuration, it looks like "org.jboss.example.CustomLoginModule" should be loaded from the "org.jboss.example" jboss-module and "org.jboss.example.CustomBaseCertLoginModule" should be loaded from the "org.jboss.another.example" jboss-module:

  <security-domain name="jmx-console" cache-type="default">
      <authentication>
          <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required">
              <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
              <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
          </login-module>
          <login-module code="org.jboss.example.CustomBaseCertLoginModule" module="org.jboss.another.example" flag="required">
              <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
              <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
          </login-module>

      </authentication>
  </security-domain>

Unfortunately, it does not work like this.  Only the "org.jboss.another.example" jboss-module is used to load the custom login modules.

There seem to be two issues.  1)  The security subsystem code only "remembers" the last module that is defined within a single security domain.  2)  I think issue #1 is happening because the JBoss authentication code (org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate()) defers to the JVM's login module handling code.  The JVM appears to treat the login modules as one atomic unit, and so a single classloader is set and then the JVM login module code is invoked to handle the authentication requests.
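The following script is an added example, not part of the bug report or of the EAP/WildFly code base. It scans a security subsystem configuration for the situation the report describes: a security-domain whose login-modules carry different "module" attributes. On the affected releases every login-module in such a domain is loaded through the class loader of the last "module" attribute parsed, so the domain is silently misconfigured and the earlier modules may fail to load or load the wrong class. The sample XML is constructed from the configuration in the report; the subsystem namespace and the second domain are assumptions for illustration, and login-modules without an explicit module attribute are not counted, since the report only covers explicit attributes.

```python
"""Find security-domains whose login-modules reference more than one JBoss module.

Added example for the bug report above (not project code). On affected EAP 6.4.x
releases all login-modules of a security-domain are loaded from the LAST "module"
attribute parsed, so any domain mixing modules needs to be fixed or the server
upgraded to a release carrying the fix (EAP 6.4.14 or later).
"""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the configuration in the bug report.
# Namespace and the second security-domain are assumptions for illustration.
SAMPLE_SUBSYSTEM = """
<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="jmx-console" cache-type="default">
      <authentication>
        <login-module code="org.jboss.example.CustomLoginModule"
                      module="org.jboss.example" flag="required"/>
        <login-module code="org.jboss.example.CustomBaseCertLoginModule"
                      module="org.jboss.another.example" flag="required"/>
      </authentication>
    </security-domain>
    <security-domain name="other" cache-type="default">
      <authentication>
        <login-module code="Remoting" flag="optional"/>
        <login-module code="RealmDirect" flag="required"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
"""


def _local(tag):
    """Strip the XML namespace so the check works for any subsystem schema version."""
    return tag.rsplit('}', 1)[-1]


def login_modules_by_domain(xml_text):
    """Return {domain_name: [(code, module_or_None), ...]} in document order."""
    root = ET.fromstring(xml_text)
    result = {}
    for domain in root.iter():
        if _local(domain.tag) != 'security-domain':
            continue
        entries = []
        for elem in domain.iter():
            if _local(elem.tag) == 'login-module':
                entries.append((elem.get('code'), elem.get('module')))
        result[domain.get('name')] = entries
    return result


def find_mixed_module_domains(xml_text):
    """Return one finding per security-domain that names more than one JBoss module.

    Each finding lists the distinct modules referenced, the module the affected
    parser would actually use for every login-module (the last one seen), and the
    login-modules that would therefore be loaded from the wrong module.
    """
    findings = []
    for name, entries in login_modules_by_domain(xml_text).items():
        modules = [m for _, m in entries if m]  # explicit module attributes only
        distinct = sorted(set(modules))
        if len(distinct) > 1:
            effective = modules[-1]
            findings.append({
                'domain': name,
                'modules': distinct,
                'effective_module': effective,
                'misloaded': [code for code, m in entries if m and m != effective],
            })
    return findings


if __name__ == '__main__':
    for f in find_mixed_module_domains(SAMPLE_SUBSYSTEM):
        print(f"security-domain '{f['domain']}' references {f['modules']}; "
              f"affected releases load all of them from '{f['effective_module']}', "
              f"so {f['misloaded']} would be loaded from the wrong module")
```

Run it against the `<subsystem xmlns="urn:jboss:domain:security:...">` element of a standalone.xml or domain.xml; a clean result on a fixed release (6.4.14 or later) is still worth confirming with the reproducer the report describes, since the script only inspects the configuration, not the server's class-loading behaviour.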
Comment 2 Peter Palaga 2016-12-22 10:43:24 EST
The upstream PR https://github.com/wildfly/wildfly/pull/9508 adds a test case and should be backported together with https://github.com/wildfly/wildfly/pull/9323
Comment 6 Ivo Hradek 2017-03-02 06:34:29 EST
Verified for EAP 6.4.14.CP.CR1;
Comment 7 Petr Penicka 2017-03-23 04:25:30 EDT
Released with EAP 6.4.14 on March 14 (ZIPs) and March 22 (RPMs).