Description
Presently Tested With 4.3.0. This login module is for the specific case of needing to pass credentials between instances without re-authenticating (diagram: http://dl.dropbox.com/u/1368565/redhat/patches/diagram_trust.png and http://dl.dropbox.com/u/1368565/redhat/patches/diagram_trust.odg). The valve puts the getRemoteHost from a request object in a thread local value. The login module checks this supplied getRemoteHost (generally an IP) against a list of trusted IPs. This should only be used behind a firewall with spoofing disabled where network security has assured the getRemoteHost call returns a valid value. No testcase is included as it requires a specific network setup and multiple instances.
If there are no objections I'll commit this to the trunk with my LdapExtLoginModule patches.
http://dl.dropbox.com/u/1368565/redhat/patches/HostThreadLocal.java
http://dl.dropbox.com/u/1368565/redhat/patches/RemoteHostTrustLoginModule.java
http://dl.dropbox.com/u/1368565/redhat/patches/RemoteHostValve.java
In order to use it (login-config.xml):
<application-policy name = "jmx-console">
<authentication>
<login-module code="org.jboss.security.auth.spi.RemoteHostTrustLoginModule"
flag = "optional">
<module-option name="password-stacking">useFirstPass</module-option>
<module-option name="trustedHosts">192.168.49.10</module-option>
<module-option name="roles">transportAuthenticated</module-option>
</login-module>
.. some other login module ...
</authentication>
</application-policy>
context.xml:
<Context>
<Valve className="org.jboss.web.tomcat.security.RemoteHostValve"/>
</Context>
Attachments
Issue Links
- is blocked by
-
SECURITY-450 RemoteHostTrustLoginModule third party authentication
- Closed