Bug 1280512 - [GSS] (6.4.z) A security-domain can only load login-modules from a single JBoss module
Summary: [GSS] (6.4.z) A security-domain can only load login-modules from a single JBo...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.4
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: CR1
: EAP 6.4.14
Assignee: Peter Palaga
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On: 1408458
Blocks: eap6414-payload
TreeView+ depends on / blocked
 
Reported: 2015-11-12 00:10 UTC by dhorton
Modified: 2019-09-12 09:16 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1408458 (view as bug list)
Environment:
Last Closed: 2017-03-23 08:25:30 UTC
Type: Bug


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-6559 0 Major Verified [GSS] (7.1.0) A security-domain can only load login-modules from a single JBoss module 2019-10-07 19:19:41 UTC
Red Hat Issue Tracker JBEAP-7848 0 Major Verified [GSS] (7.0.z) A security-domain can only load login-modules from a single JBoss module 2019-10-07 19:19:41 UTC
Red Hat Issue Tracker SECURITY-930 0 Major Resolved A security-domain can only load login-modules from a single JBoss module 2019-10-07 19:19:41 UTC
Red Hat Issue Tracker WFLY-7412 0 Major Closed A security-domain can only load login-modules from a single JBoss module 2019-10-07 19:19:41 UTC
Red Hat Issue Tracker WFLY-7834 0 Major Closed A test for loading custom login modules from non-default JBoss modules [SECURITY-930][WFLY-7412] 2019-10-07 19:19:41 UTC
Red Hat Knowledge Base (Solution) 2056203 0 None None None 2017-03-03 18:27:39 UTC

Description dhorton 2015-11-12 00:10:36 UTC
Description of problem:

A security-domain can only load login-modules from a single JBoss module.  Even though the security-domain configuration will allow each login module defined within a single security-domain to have a "module" attribute, the only module that is used to load the login-modules is the last "module" attribute that the parsing system locates.  

For example, with the following configuration, it looks like "org.jboss.example.CustomLoginModule" should be loaded from the "org.jboss.example" jboss-module and "org.jboss.example.CustomBaseCertLoginModule" should be loaded from the "org.jboss.another.example" jboss-module:

  <security-domain name="jmx-console" cache-type="default">
      <authentication>
          <login-module code="org.jboss.example.CustomLoginModule" module="org.jboss.example" flag="required">
              <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
              <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
          </login-module>
          <login-module code="org.jboss.example.CustomBaseCertLoginModule" module="org.jboss.another.example" flag="required">
              <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
              <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
          </login-module>

      </authentication>
  </security-domain>

Unfortunately, it does not work like this.  Only the "org.jboss.another.example" jboss-module is used to load the custom login modules.

There seems to be two issues.  1)  The security subsystem code only "remembers" the last module that is defined within a single security domain.  2)  I think issue #1 is happening because the JBoss authentication code (org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate()) defers to the JVM's login module handling code.  The JVM appears to treat the login modules as one atomic until and so a single classloader is set and then the JVM login module code is invoked to handle the authentication requests.

Comment 2 Peter Palaga 2016-12-22 15:43:24 UTC
The upstream PR https://github.com/wildfly/wildfly/pull/9508 adds a test case and should be backported together with https://github.com/wildfly/wildfly/pull/9323

Comment 6 Ivo Hradek 2017-03-02 11:34:29 UTC
Verified for EAP 6.4.14.CP.CR1;

Comment 7 Petr Penicka 2017-03-23 08:25:30 UTC
Released with EAP 6.4.14 on March 14 (ZIPs) and March 22 (RPMs).


Note You need to log in before you can comment on or make changes to this bug.