[ http://issues.apache.org/jira/browse/GERONIMO-1203?page=all ]
Aaron Mulder updated GERONIMO-1203:
-----------------------------------
Fix Version: 1.0
(was: 1.1)
Assign To: Aaron Mulder
This should be an easy fix -- I'll look at it for 1.0
> LoginConfig processing can silently do the wrong thing
> ------------------------------------------------------
>
> Key: GERONIMO-1203
> URL: http://issues.apache.org/jira/browse/GERONIMO-1203
> Project: Geronimo
> Type: Bug
> Components: deployment, security
> Versions: 1.0-M5
> Reporter: Aaron Mulder
> Assignee: Aaron Mulder
> Priority: Critical
> Fix For: 1.0
>
> If you deploy a security realm using a LoginConfig block, and you set the
> login domain name to be the same for every login module in the realm, only
> one of the login modules is actually deployed, and no error is generated.
> I'm not clear why you can't have more than one login module with the same
> login domain in the same realm. If you have an extra login module that
> doesn't produce principals but works in conjunction with the main login
> module (for auditing, for example), then why would you need to specify a
> distinct login domain for it? It looks like we use the login domain name as
> the GBean name, but maybe we should just call them "LoginModule1" through
> "LoginModuleN" or something instead.
> Nevertheless, if this is an error condition, we should not deploy the realm
> with only one login module, we should throw a DeploymentException.
>
> <configuration configId="SecurityRealmAaron"
>     parentId="org/apache/geronimo/Server"
>     xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
>   <gbean name="Aaron"
>       class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>     <attribute name="realmName">Aaron</attribute>
>     <reference name="ServerInfo">
>       <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=org/apache/geronimo/System,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
>     </reference>
>     <xml-reference name="LoginModuleConfiguration">
>       <log:login-config
>           xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
>         <log:login-module control-flag="REQUIRED" server-side="true">
>           <log:login-domain-name>Aaron</log:login-domain-name>
>           <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>           <log:option name="usersURI">var/security/demo_users.properties</log:option>
>           <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
>         </log:login-module>
>         <log:login-module control-flag="OPTIONAL" server-side="true">
>           <log:login-domain-name>Aaron</log:login-domain-name>
>           <log:login-module-class>org.apache.geronimo.security.realm.providers.GeronimoPasswordCredentialLoginModule</log:login-module-class>
>         </log:login-module>
>         <log:login-module control-flag="OPTIONAL" server-side="true">
>           <log:login-domain-name>Aaron</log:login-domain-name>
>           <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>           <log:option name="file">var/log/login.log</log:option>
>         </log:login-module>
>         <log:login-module control-flag="REQUISITE" server-side="true">
>           <log:login-domain-name>Aaron</log:login-domain-name>
>           <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
>           <log:option name="failureCount">3</log:option>
>           <log:option name="failurePeriodSecs">60</log:option>
>           <log:option name="lockoutDurationSecs">600</log:option>
>         </log:login-module>
>       </log:login-config>
>     </xml-reference>
>   </gbean>
> </configuration>
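
A pre-deployment check for the condition the report describes, as an added example that is not part of the original message or of Geronimo's code: it parses a deployment plan and lists every login domain name used by more than one login-module in the same login-config block. The function name and the trimmed sample plan (including its "Lockout" domain) are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace taken from the plan quoted in the report.
NS = {"log": "http://geronimo.apache.org/xml/ns/loginconfig-1.0"}
# Constructed sample: the reported plan cut down to three modules, two sharing
# a domain; the "Lockout" domain name is made up for this example.
SAMPLE_PLAN = """\
<configuration configId="SecurityRealmAaron" xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
  <gbean name="Aaron" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <xml-reference name="LoginModuleConfiguration">
      <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
        <log:login-module control-flag="REQUIRED" server-side="true">
          <log:login-domain-name>Aaron</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
        </log:login-module>
        <log:login-module control-flag="OPTIONAL" server-side="true">
          <log:login-domain-name>Aaron</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
        </log:login-module>
        <log:login-module control-flag="REQUISITE" server-side="true">
          <log:login-domain-name>Lockout</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
        </log:login-module>
      </log:login-config>
    </xml-reference>
  </gbean>
</configuration>
"""

def duplicate_login_domains(plan_xml):
    """Return [(domain, [module classes])] for each login domain name that
    more than one login-module in the same login-config block uses."""
    findings = []
    for config in ET.fromstring(plan_xml).iter("{%s}login-config" % NS["log"]):
        by_domain = defaultdict(list)
        for module in config.findall("log:login-module", NS):
            domain = module.findtext("log:login-domain-name", "", NS).strip()
            cls = module.findtext("log:login-module-class", "", NS).strip()
            by_domain[domain].append(cls)
        findings += [(d, c) for d, c in by_domain.items() if len(c) > 1]
    return findings

if __name__ == "__main__":
    plan = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN
    found = duplicate_login_domains(plan)
    for domain, classes in found:
        print("login domain %r shared by %d modules: %s" % (domain, len(classes), ", ".join(classes)))
    sys.exit(1 if found else 0)
```

Run against a plan file before deployment, a non-zero exit status marks a realm whose login modules share a login domain name.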