LoginConfig processing can silently do the wrong thing
------------------------------------------------------
Key: GERONIMO-1203
URL: http://issues.apache.org/jira/browse/GERONIMO-1203
Project: Geronimo
Type: Bug
Components: security, deployment
Versions: 1.0-M5
Reporter: Aaron Mulder
Priority: Critical
Fix For: 1.0
If you deploy a security realm using a LoginConfig block, and you set the login
domain name to be the same for every login module in the realm, only one of the
login modules is actually deployed, and no error is generated.
I'm not clear why you can't have more than one login module with the same login
domain in the same realm. If you have an extra login module that doesn't
produce principals but works in conjunction with the main login module (for
auditing, for example), then why would you need to specify a distinct login
domain for it? It looks like we use the login domain name as the GBean name,
but maybe we should just call them "LoginModule1" through "LoginModuleN" or
something instead.
Nevertheless, if this is an error condition, we should not deploy the realm
with only one login module, we should throw a DeploymentException.
<configuration configId="SecurityRealmAaron"
               parentId="org/apache/geronimo/Server"
               xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
  <gbean name="Aaron"
         class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <attribute name="realmName">Aaron</attribute>
    <reference name="ServerInfo">
      <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=org/apache/geronimo/System,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
    </reference>
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config
          xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
        <log:login-module control-flag="REQUIRED" server-side="true">
          <log:login-domain-name>Aaron</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
          <log:option name="usersURI">var/security/demo_users.properties</log:option>
          <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
        </log:login-module>
        <log:login-module control-flag="OPTIONAL" server-side="true">
          <log:login-domain-name>Aaron</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.GeronimoPasswordCredentialLoginModule</log:login-module-class>
        </log:login-module>
        <log:login-module control-flag="OPTIONAL" server-side="true">
          <log:login-domain-name>Aaron</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
          <log:option name="file">var/log/login.log</log:option>
        </log:login-module>
        <log:login-module control-flag="REQUISITE" server-side="true">
          <log:login-domain-name>Aaron</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
          <log:option name="failureCount">3</log:option>
          <log:option name="failurePeriodSecs">60</log:option>
          <log:option name="lockoutDurationSecs">600</log:option>
        </log:login-module>
      </log:login-config>
    </xml-reference>
  </gbean>
</configuration>
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
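The failure mode in this report, and the check it asks for, as an added example that is not part of the issue or of Geronimo's own code. The script parses a trimmed, constructed copy of the login-config block above, models the reported behaviour (GBean name taken from login-domain-name, so later modules with the same domain silently overwrite earlier ones and the lockout module is the only one left), then shows the two alternatives the reporter raises: fail deployment on a duplicate domain name, or key the GBeans as LoginModule1..N. `DeploymentError`, `deploy_keyed_by_domain` and the other function names are hypothetical and stand in for whatever the deployer actually does.

```python
"""Lint a Geronimo-style <login-config> for duplicate login-domain names.

Illustrative example, not Geronimo code. SAMPLE_LOGIN_CONFIG is a
constructed, trimmed copy of the realm plan from GERONIMO-1203.
"""
import xml.etree.ElementTree as ET

NS = {"log": "http://geronimo.apache.org/xml/ns/loginconfig-1.0"}

# Constructed sample: four login modules, all declaring domain "Aaron".
SAMPLE_LOGIN_CONFIG = """<log:login-config
    xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
  <log:login-module control-flag="REQUIRED" server-side="true">
    <log:login-domain-name>Aaron</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
    <log:option name="usersURI">var/security/demo_users.properties</log:option>
    <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
  </log:login-module>
  <log:login-module control-flag="OPTIONAL" server-side="true">
    <log:login-domain-name>Aaron</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.GeronimoPasswordCredentialLoginModule</log:login-module-class>
  </log:login-module>
  <log:login-module control-flag="OPTIONAL" server-side="true">
    <log:login-domain-name>Aaron</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
    <log:option name="file">var/log/login.log</log:option>
  </log:login-module>
  <log:login-module control-flag="REQUISITE" server-side="true">
    <log:login-domain-name>Aaron</log:login-domain-name>
    <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
    <log:option name="failureCount">3</log:option>
    <log:option name="failurePeriodSecs">60</log:option>
    <log:option name="lockoutDurationSecs">600</log:option>
  </log:login-module>
</log:login-config>"""


class DeploymentError(Exception):
    """Hypothetical stand-in for the DeploymentException the report asks for."""


def parse_login_modules(xml_text):
    """Return the login modules in document order as plain dicts."""
    root = ET.fromstring(xml_text)
    modules = []
    for lm in root.findall("log:login-module", NS):
        modules.append({
            "control_flag": lm.get("control-flag"),
            "domain": lm.findtext("log:login-domain-name", namespaces=NS),
            "class": lm.findtext("log:login-module-class", namespaces=NS),
            "options": {o.get("name"): (o.text or "").strip()
                        for o in lm.findall("log:option", NS)},
        })
    return modules


def deploy_keyed_by_domain(modules):
    """Model of the reported behaviour: GBean name == login-domain-name.
    A later module with the same domain overwrites the earlier one, silently."""
    gbeans = {}
    for m in modules:
        gbeans[m["domain"]] = m
    return gbeans


def duplicate_domains(modules):
    """Map each login-domain-name used more than once to the 1-based
    positions of the modules that use it."""
    positions = {}
    for idx, m in enumerate(modules, 1):
        positions.setdefault(m["domain"], []).append(idx)
    return {d: p for d, p in positions.items() if len(p) > 1}


def check_unique_domains(modules):
    """The check the report wants: refuse to deploy instead of dropping modules."""
    dups = duplicate_domains(modules)
    if dups:
        detail = "; ".join(f"{d!r} used by login-modules {p}" for d, p in dups.items())
        raise DeploymentError(f"duplicate login-domain-name in realm: {detail}")
    return True


def deploy_keyed_by_index(modules):
    """The alternative the report suggests: name GBeans LoginModule1..N,
    so the domain name no longer has to be unique within the realm."""
    return {f"LoginModule{i}": m for i, m in enumerate(modules, 1)}


if __name__ == "__main__":
    mods = parse_login_modules(SAMPLE_LOGIN_CONFIG)
    print(f"{len(mods)} modules declared, "
          f"{len(deploy_keyed_by_domain(mods))} survive when keyed by domain")
    try:
        check_unique_domains(mods)
    except DeploymentError as e:
        print("deployment rejected:", e)
    print("keyed by index:", sorted(deploy_keyed_by_index(mods)))
```

Run against the sample, the domain-keyed model keeps only the last module declared (the lockout module), which is exactly the silent outcome the report describes; the check rejects the plan instead, and the index-keyed variant keeps all four.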