Bug 1315441 - [GSS] (6.4.z) Flagging of invalid login credential for datasource is inconsistent.
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security
Version: 6.4.6
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Lin Gao
QA Contact: Josef Cacek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-03-07 18:18 UTC by Lami Akagwu
Modified: 2019-10-10 11:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-06 15:19:24 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1315439 0 unspecified CLOSED [GSS] (6.4.z) Difficult to identify datasource with wrong credentials if security-domain is used. 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker JBEAP-3812 0 Major Closed Flagging of invalid login credential for datasource is inconsistent - No SecurityContext set when creating subject 2019-07-25 22:19:30 UTC
Red Hat Issue Tracker SECURITY-938 0 Critical Resolved JBossSecuritySubjectFactory should check the root cause exception when AuthenticationManager.isValid() returns false 2019-07-25 22:19:30 UTC

Internal Links: 1315439

Description Lami Akagwu 2016-03-07 18:18:46 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
Always

There are multiple parts to this

(1) If the security-domain is defined for a datasource and the password is invalid, an error is reported in the console which is expected
        <datasource jndi-name="java:/DefaultDS2" pool-name="DefaultDS2" enabled="true" use-java-context="true">
            <connection-url>jdbc:oracle:thin:@hostname:1521:ora1</connection-url>
            <driver>oracle</driver>
            <security>
                <security-domain>encryptedPassword2</security-domain>
            </security>
        </datasource>

(2) If the 'password' for the datasource is invalid no error is reported in the console log at startup, e.g.
        <datasource jndi-name="java:/DefaultDS2" pool-name="DefaultDS2" enabled="true" use-java-context="true">
            <connection-url>jdbc:oracle:thin:@hostname:1521:ora1</connection-url>
            <driver>oracle</driver>
            <security>
                <user-name>user</user-name>
                <password>passwd</password>
            </security>
        </datasource>


(3) Whether or not you use a security-domain for a datasource, an invalid 'username' doesn't get flagged in the console.

Actual results:

Expected results:
Invalid username and password should be flagged as login errors in the console log.
It shouldn't make a difference whether or not you use security-credentials.


Additional info:
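
The three cases above (bad password via security-domain, bad password inline, bad user-name either way) come down to one missing behaviour: a start-up check that resolves the datasource's credentials from whichever source is configured, attempts a login, and reports every failure in the same format. The following is an added example of such a check, not code from the bug report or from EAP/IronJacamar. The XML is taken from the report (the second definition is renamed DefaultDS3 so both fit in one document); the security-domain lookup table and the connector are assumed stand-ins for PicketBox and the JDBC driver.

```python
"""Uniform start-up credential check for EAP 6 datasource definitions (added example)."""
import logging
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

log = logging.getLogger("datasource-check")

# Constructed sample: the two datasource definitions from the bug report,
# given distinct pool names so they can live in one <datasources> document.
SAMPLE_XML = """<datasources>
  <datasource jndi-name="java:/DefaultDS2" pool-name="DefaultDS2" enabled="true" use-java-context="true">
    <connection-url>jdbc:oracle:thin:@hostname:1521:ora1</connection-url>
    <driver>oracle</driver>
    <security>
      <security-domain>encryptedPassword2</security-domain>
    </security>
  </datasource>
  <datasource jndi-name="java:/DefaultDS3" pool-name="DefaultDS3" enabled="true" use-java-context="true">
    <connection-url>jdbc:oracle:thin:@hostname:1521:ora1</connection-url>
    <driver>oracle</driver>
    <security>
      <user-name>user</user-name>
      <password>passwd</password>
    </security>
  </datasource>
</datasources>"""


@dataclass
class Credential:
    user: Optional[str]
    password: Optional[str]
    source: str  # "inline", "none" or "security-domain:<name>"


# Assumed pluggable pieces: a domain-name -> (user, password) table standing in
# for the PicketBox security-domain lookup, and a connector standing in for the
# JDBC driver that raises PermissionError on an invalid login.
DomainLookup = Dict[str, Tuple[str, str]]
Connector = Callable[[str, str, str], None]


def resolve_credentials(security: Optional[ET.Element], domains: DomainLookup) -> Credential:
    """Return the credentials the datasource would present, whichever way they are configured."""
    if security is None:
        return Credential(None, None, "none")
    domain = security.findtext("security-domain")
    if domain is not None:
        if domain not in domains:
            raise LookupError(f"security-domain '{domain}' is not defined")
        user, password = domains[domain]
        return Credential(user, password, f"security-domain:{domain}")
    return Credential(security.findtext("user-name"), security.findtext("password"), "inline")


def check_datasources(xml_text: str, domains: DomainLookup, connect: Connector) -> Dict[str, str]:
    """Try each enabled datasource once; map pool-name -> "OK" or a LOGIN FAILED message.

    Inline and security-domain credentials produce the same message shape, and a
    missing user-name is reported just like a wrong password.
    """
    results: Dict[str, str] = {}
    for ds in ET.fromstring(xml_text).iter("datasource"):
        name = ds.get("pool-name", ds.get("jndi-name", "?"))
        if ds.get("enabled", "true").lower() != "true":
            continue
        url = ds.findtext("connection-url", "")
        cred: Optional[Credential] = None
        try:
            cred = resolve_credentials(ds.find("security"), domains)
            if cred.user is None:
                raise PermissionError("no user-name configured")
            connect(url, cred.user, cred.password or "")
            results[name] = "OK"
        except (PermissionError, LookupError) as exc:
            source = cred.source if cred is not None else "security-domain lookup"
            msg = f"LOGIN FAILED ({source}): {exc}"
            log.error("datasource %s at %s: %s", name, url, msg)
            results[name] = msg
    return results


def make_connector(valid_accounts: Dict[str, str]) -> Connector:
    """Constructed driver stand-in: accept a login only if (user, password) is in valid_accounts."""
    def connect(url: str, user: str, password: str) -> None:
        if valid_accounts.get(user) != password:
            raise PermissionError(f"invalid username/password for '{user}'")
    return connect


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR, format="%(levelname)s %(message)s")
    domains = {"encryptedPassword2": ("user", "wrong-password")}  # constructed lookup table
    for pool, outcome in check_datasources(SAMPLE_XML, domains, make_connector({"user": "secret"})).items():
        print(pool, "->", outcome)
```

Run as a script it logs one ERROR line per datasource that fails to log in, in the same format for DefaultDS2 (security-domain) and DefaultDS3 (inline password); swap in a real lookup and driver call to use it as a deployment-time smoke test.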

Comment 7 JBoss JIRA Server 2016-03-16 06:41:51 UTC
Lin Gao <lgao> updated the status of jira SECURITY-938 to Coding In Progress

Comment 10 JBoss JIRA Server 2016-05-25 17:01:09 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-3812 to Resolved

Comment 13 Miroslav Sochurek 2016-06-06 11:17:16 UTC
More info from Lin for the Triage call:

Some conflicts I see to merge this commit to EAP 6.4.x are:

1). Some new injected dependencies were added in EAP 7 services (like AbstractDataSourceService, AbstractResourceAdapterDeploymentService, etc.), which are not in EAP 6 yet.
2). The class PicketBoxSubjectFactory is missing in the IronJacamar 1.0 branch, which is used for EAP 6.x.
3). JBoss Module dependency declaration: EAP 7 uses a feature pack to compose the target archive, while EAP 6 specifies the module dependencies in a different location.

And it needs 2 parts to fix the issue by improving the ability to assist customers in finding out the root cause of the exception (NOTE: no functionality fix):

a). Fixes in the connector subsystem, which need the cherry-pick of the EAP 7 commit that has the conflicts above
b). Fixes in PicketBox (https://issues.jboss.org/browse/SECURITY-938), which need an upgrade of PicketBox that has still not happened yet for both EAP 7 and 6 (out of my control...)

Comment 17 JBoss JIRA Server 2016-07-29 02:48:51 UTC
Lin Gao <lgao> updated the status of jira SECURITY-938 to Resolved

Comment 18 JBoss JIRA Server 2016-08-23 11:38:43 UTC
Jiri Pallich <jpallich> updated the status of jira JBEAP-3812 to Closed

