Bug 1280512 - [GSS] (6.4.z) A security-domain can only load login-modules from a single JBoss module
Summary: [GSS] (6.4.z) A security-domain can only load login-modules from a single JBo...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.4
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: CR1
: EAP 6.4.14
Assignee: Peter Palaga
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On: 1408458
Blocks: eap6414-payload
Reported: 2015-11-12 00:10 UTC by dhorton
Modified: 2019-09-12 09:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1408458
Environment:
Last Closed: 2017-03-23 08:25:30 UTC
Type: Bug
Embargoed:
Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-6559 0 Major Verified [GSS] (7.1.0) A security-domain can only load login-modules from a single JBoss module 2019-10-07 19:19:41 UTC
Red Hat Issue Tracker JBEAP-7848 0 Major Verified [GSS] (7.0.z) A security-domain can only load login-modules from a single JBoss module 2019-10-07 19:19:41 UTC
Red Hat Issue Tracker SECURITY-930 0 Major Resolved A security-domain can only load login-modules from a single JBoss module 2019-10-07 19:19:41 UTC
Red Hat Issue Tracker WFLY-7412 0 Major Closed A security-domain can only load login-modules from a single JBoss module 2019-10-07 19:19:41 UTC
Red Hat Issue Tracker WFLY-7834 0 Major Closed A test for loading custom login modules from non-default JBoss modules [SECURITY-930][WFLY-7412] 2019-10-07 19:19:41 UTC
Red Hat Knowledge Base (Solution) 2056203 0 None None None 2017-03-03 18:27:39 UTC

Description dhorton 2015-11-12 00:10:36 UTC
Description of problem:

A security-domain can only load login-modules from a single JBoss module.  Even though the security-domain configuration will allow each login module defined within a single security-domain to have a "module" attribute, the only module that is used to load the login-modules is the last "module" attribute that the parsing system locates.  

For example, with the following configuration, it looks like "org.jboss.example.CustomLoginModule" should be loaded from the "org.jboss.example" jboss-module and "org.jboss.example.CustomBaseCertLoginModule" should be loaded from the "org.jboss.another.example" jboss-module:

  <security-domain name="jmx-console" cache-type="default">
      <authentication>
          <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required">
              <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
              <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
          </login-module>
          <login-module code="org.jboss.example.CustomBaseCertLoginModule" module="org.jboss.another.example" flag="required">
              <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
              <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
          </login-module>

      </authentication>
  </security-domain>

Unfortunately, it does not work like this.  Only the "org.jboss.another.example" jboss-module is used to load the custom login modules.

There seem to be two issues.  1)  The security subsystem code only "remembers" the last module that is defined within a single security domain.  2)  I think issue #1 is happening because the JBoss authentication code (org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate()) defers to the JVM's login module handling code.  The JVM appears to treat the login modules as one atomic unit, and so a single classloader is set and then the JVM login module code is invoked to handle the authentication requests.
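
The following audit script is an added example, not code from the bug report, the JBoss EAP/WildFly project, or its fix. It scans a security subsystem configuration for security-domains whose login-modules declare more than one "module" attribute, which is exactly the shape the report says is mishandled on affected versions: only the last "module" attribute wins, so the earlier login-modules are resolved against the wrong JBoss module and fail to load (or the domain fails to authenticate). The sample configuration embedded below is constructed for the example; the namespace URI it uses and the function names are assumptions, and the "effective" module is computed according to the report's description (last "module" attribute found in the domain).

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration in the shape shown in the report: one domain
# that mixes two JBoss modules and one that uses a single module. The namespace
# is an assumption; the local-name matching below works with or without one.
SAMPLE_CONFIG = """<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="jmx-console" cache-type="default">
      <authentication>
        <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required">
          <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
        </login-module>
        <login-module code="org.jboss.example.CustomBaseCertLoginModule" module="org.jboss.another.example" flag="required">
          <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
        </login-module>
      </authentication>
    </security-domain>
    <security-domain name="single-module" cache-type="default">
      <authentication>
        <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required"/>
        <login-module code="UsersRoles" flag="optional"/>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>"""


def _local_name(tag):
    """Strip an XML namespace prefix like '{urn:...}' from an element tag."""
    return tag.rsplit("}", 1)[-1]


def login_modules(domain_elem):
    """Return (code, module) pairs for every login-module in a security-domain, in document order."""
    return [
        (el.get("code"), el.get("module"))
        for el in domain_elem.iter()
        if _local_name(el.tag) == "login-module"
    ]


def find_mixed_module_domains(xml_text):
    """Map each security-domain name that declares more than one distinct
    'module' attribute to a finding dict:
      declared  - distinct module names in document order
      effective - the module the affected versions actually use (last one found)
      misloaded - login-module codes that declare a different module than 'effective'
    Domains with zero or one distinct module are not reported."""
    root = ET.fromstring(xml_text)
    findings = {}
    for domain in root.iter():
        if _local_name(domain.tag) != "security-domain":
            continue
        pairs = login_modules(domain)
        declared = [m for m in dict.fromkeys(mod for _, mod in pairs) if m is not None]
        if len(declared) < 2:
            continue
        effective = declared[-1] if pairs[-1][1] is None else pairs[-1][1]
        # Per the report: the last "module" attribute the parser sees is the one used.
        effective = [m for _, m in pairs if m is not None][-1]
        misloaded = [code for code, mod in pairs if mod is not None and mod != effective]
        findings[domain.get("name")] = {
            "declared": declared,
            "effective": effective,
            "misloaded": misloaded,
        }
    return findings


if __name__ == "__main__":
    for name, f in find_mixed_module_domains(SAMPLE_CONFIG).items():
        print(f"security-domain '{name}' declares modules {f['declared']}; "
              f"only '{f['effective']}' would be used, so these login-modules "
              f"resolve against the wrong module: {f['misloaded']}")
```

Run it against the `<subsystem xmlns="urn:jboss:domain:security...">` element of a standalone or domain profile; a non-empty result on a version before the fix means the domain needs to be split into one security-domain per JBoss module, or the login-modules consolidated into a single module, until the server is updated.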

Comment 2 Peter Palaga 2016-12-22 15:43:24 UTC
The upstream PR https://github.com/wildfly/wildfly/pull/9508 adds a test case and should be backported together with https://github.com/wildfly/wildfly/pull/9323

Comment 6 Ivo Hradek 2017-03-02 11:34:29 UTC
Verified for EAP 6.4.14.CP.CR1;

Comment 7 Petr Penicka 2017-03-23 08:25:30 UTC
Released with EAP 6.4.14 on March 14 (ZIPs) and March 22 (RPMs).
