Application Server 7 / AS7-3888

Deployment provided login modules for security domains are not accessible to remote invocation

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Rejected
    • Affects Version/s: 7.1.0.Final
    • Fix Version/s: No Release
    • Component/s: Security
    • Labels:
      None
    • Environment:
      Reproduced on Ubuntu 10.04.3 LTS, CentOS release 5.7, Windows 7

      Description

      When using a remote JNDI connection to AS and a custom security-realm for it that is tied to a custom login module, the authentication only works when packaging the class in a jar and installing it in jboss_install_dir/modules/org/jboss/as/remoting/main. It should be loadable from the ear also.
      More details here: https://community.jboss.org/thread/195501

          Activity

          Anil Saldhana
          added a comment -

          Please attach the ear file to this jira issue, for future reference.

          Darran Lofthouse
          added a comment -

          Need to review how these custom modules are accessed - within the ear may not make too much sense, as this is central server configuration then depending on a single deployment - however the additional module approach may also be more than is desirable.

          Anil Saldhana
          added a comment -

          When the user has a custom login module in a separate module and, in the login module configuration, specifies the module attribute to indicate the JBoss Module where it is located, then we install https://github.com/anilsaldhana/jboss-as/blob/master/security/src/main/java/org/jboss/as/security/plugins/ModuleClassLoaderLocator.java to deal with the tccl/modulecl issue when JDK JAAS kicks off. In the case of a custom login module sitting in the application class path (war, ejb jar, etc.), it is available on the tccl for the JDK. I am unsure why in this particular ear case, the tccl does not have it.

          Jason Greene
          added a comment -

          This issue is being relocated to 7.1.2 so that 7.1.1 only contains criticals, blockers, and EAP LA issues (which are probably not yet at the right status, or need an extra triage pass).

          If these issues are completed in a 7.1.1 timeframe please change the fix version. Although if you forget I will bulk correct.

          Jason Greene
          added a comment -

          This is by design (explanation to follow). Although instead of modifying the security module, the best approach is to define a new static module with its own jar (placing it in the modules dir) and reference it using the module="" tag in the security domain login module stack.

          The reason it is not possible to use application classes is that remoting connections perform authentication once during the negotiation phase of the connection, and all subsequent ejb (or jndi etc) invocations share the same connection. So an authenticated connection can potentially span an arbitrary number of applications, and that information can not be known at the time of authentication.

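The static-module setup recommended in the comment above, as an added configuration example that is not part of the original issue or the project's own files. The module name `com.example.loginmodule`, the jar name, the class `com.example.security.CustomLoginModule`, the domain and realm names, and the module directory path are all hypothetical; the `<jaas>` realm element is assumed to be how the realm is tied to the security domain.

```xml
<!-- File 1 (assumed path): JBOSS_HOME/modules/com/example/loginmodule/main/module.xml
     The jar holding the custom login module sits in the same directory. -->
<module xmlns="urn:jboss:module:1.1" name="com.example.loginmodule">
    <resources>
        <resource-root path="custom-login-module.jar"/>
    </resources>
    <dependencies>
        <!-- javax.security.auth.* (JAAS SPI) -->
        <module name="javax.api"/>
        <!-- Only needed if the login module extends PicketBox base classes (assumption) -->
        <module name="org.picketbox"/>
    </dependencies>
</module>

<!-- File 2: fragment of standalone.xml, inside the security subsystem's <security-domains>.
     The module attribute points the login-module stack at the static module above,
     so the class is resolved without depending on any deployment's class loader. -->
<security-domain name="custom-remoting-domain" cache-type="default">
    <authentication>
        <login-module code="com.example.security.CustomLoginModule"
                      flag="required"
                      module="com.example.loginmodule"/>
    </authentication>
</security-domain>

<!-- File 2, continued: inside <management><security-realms>.
     The realm used by the remoting connector delegates to the security domain. -->
<security-realm name="CustomRealm">
    <authentication>
        <jaas name="custom-remoting-domain"/>
    </authentication>
</security-realm>
```

Because the login module lives in a static module, it is available when the remoting connection authenticates during negotiation, before any particular application is known.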
          Jason Greene
          added a comment -

          To help usability in this area we are going to attempt to include AS7-3905 soon


            People

            • Assignee: Darran Lofthouse
            • Reporter: Daniel Jipa
            • Votes: 1
            • Watchers: 7
