Bug 927064

Summary: Login module cannot detect misconfiguration of its type and fails with "PBOX000016: Access denied" instead
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Hisanobu Okuda <hokuda>
Component: Security
Assignee: Ivo Studensky <istudens>
Status: CLOSED CURRENTRELEASE
QA Contact: Ondrej Kotek <okotek>
Severity: high
Priority: unspecified
Version: 6.0.1
CC: anmiller, bdawidow, dehort, istudens, msimka, myarboro, okotek
Target Milestone: DR5
Target Release: EAP 6.4.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Bug Blocks: 1139561

Description Hisanobu Okuda 2013-03-25 02:17:41 UTC
Description of problem:
When a data source is configured as follows:

    <datasource jndi-name="java:jboss/datasources/testds" pool-name="testpool">
      <connection-url>jdbc:mysql://localhost:3306/</connection-url>
      <driver>mysql</driver>
      <pool>
        <min-pool-size>10</min-pool-size>
        <max-pool-size>20</max-pool-size>
        <prefill>true</prefill>
      </pool>
      <security>
        <security-domain>test</security-domain>
      </security>
    </datasource>

a SecurityException is thrown.

10:39:57,007 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-3) Exception during createSubject()PBOX000016: Access denied: authentication failed: java.lang.SecurityException: PBOX000016: Access denied: authentication failed
	at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84)
	at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1069)
	at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1064)
	at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_37]
	at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1063)
	at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:592)
	at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282)
	at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:283)
	at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:116)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811)
	at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_37]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_37]
	at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_37]


Steps to Reproduce:
1. Deploy the MySQL JDBC driver as a module
2. Add the data source (see description)
3. Start EAP6
  

Comment 2 Derek Horton 2013-11-08 17:01:28 UTC
I think this exception/error will depend on what login module the security-domain is configured to use.

This error occurs during startup.  At that time, the login module that is invoked might not have enough info (username/password) to successfully authenticate the user.  If the login module fails, you will see this exception.

If the security-domain is configured to use the ConfiguredIdentityLoginModule, then authentication will not fail (as long as the login module is configured correctly) and this error will not occur.

I also tested this using the CallerIdentityLoginModule.  As expected, I see the error during startup.  However, the datasource works properly after JBoss starts.

I think this error can be ignored during startup.
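
Added example, not part of the original bug report and not JBoss or PicketBox code: a Python check over a server profile that applies the distinction drawn in comment 2, reporting for each datasource which security-domain it references and whether that domain uses ConfiguredIdentity. The sample XML, the `fixedds`/`typods` datasources, the `ds-fixed`/`tset` domain names, the verdict labels, and the choice to flag an undefined domain are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the bug report): a cut-down EAP 6 profile.
SAMPLE = """<profile>
 <subsystem xmlns="urn:jboss:domain:datasources:1.1"><datasources>
  <datasource jndi-name="java:jboss/datasources/testds" pool-name="testpool"><security>
   <security-domain>test</security-domain></security></datasource>
  <datasource jndi-name="java:jboss/datasources/fixedds" pool-name="fixedpool"><security>
   <security-domain>ds-fixed</security-domain></security></datasource>
  <datasource jndi-name="java:jboss/datasources/typods" pool-name="typopool"><security>
   <security-domain>tset</security-domain></security></datasource>
 </datasources></subsystem>
 <subsystem xmlns="urn:jboss:domain:security:1.2"><security-domains>
  <security-domain name="test"><authentication>
   <login-module code="CallerIdentity" flag="required"/></authentication></security-domain>
  <security-domain name="ds-fixed"><authentication>
   <login-module code="ConfiguredIdentity" flag="required"/></authentication></security-domain>
 </security-domains></subsystem>
</profile>"""

# Short alias and class-name suffix of the module named in comment 2.
FIXED = ("ConfiguredIdentity", "ConfiguredIdentityLoginModule")

def local(el):  # element name without "{namespace}"; schema versions vary
    return el.tag.rsplit("}", 1)[-1]

def verdict(codes):
    # codes: login-module codes of the referenced domain, or None if undefined
    if codes is None:
        return "undefined"            # assumption: report as a misconfiguration
    if any(c.endswith(FIXED) for c in codes):
        return "fixed-identity"       # comment 2: should not fail at startup
    return "may-fail-at-startup"      # comment 2: no username/password yet

def audit(xml_text):
    """Map each datasource JNDI name to (security-domain, verdict)."""
    root = ET.fromstring(xml_text)
    domains = {el.get("name"): [m.get("code", "") for m in el.iter()
                                if local(m) == "login-module"]
               for el in root.iter() if local(el) == "security-domain" and el.get("name")}
    report = {}
    for ds in root.iter():
        if local(ds) != "datasource":
            continue
        for e in ds.iter():
            if local(e) == "security-domain" and e.text:
                ref = e.text.strip()
                report[ds.get("jndi-name")] = (ref, verdict(domains.get(ref)))
    return report
```

Running `audit()` on the real `standalone.xml` before startup shows which datasources are likely to log PBOX000016 for the reason given in comment 2 and which reference a domain name that is not defined in the file.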

Comment 6 Hisanobu Okuda 2013-11-13 01:14:10 UTC
So, the real problem is that the error message "authentication failed" is wrong and should be "your security-domain is mis-configured" instead, right? Should I file another BZ for it?

Comment 7 Tom Fonteyne 2013-11-13 08:43:38 UTC
Certainly looks like it indeed. But I would not open a new BZ, just change the summary.

Comment 9 Martin Simka 2014-08-26 14:38:33 UTC
reassign, summary comment 6

Comment 12 JBoss JIRA Server 2014-11-17 12:20:50 UTC
Stefan Guilhen <sguilhen> updated the status of jira SECURITY-859 to Resolved

Comment 16 Ondrej Kotek 2014-12-09 09:43:45 UTC
Verified for JBoss EAP 6.4.0.DR12.