Thanks for testing instructions. However, the results are not good. I hid away the 
users/roles.properties under jmx-console.war and configured the entry in 
login-config.xml like so:
    <application-policy name = "jmx-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
                <module-option name="usersProperties">g-users.properties</module-option>
                <module-option name="rolesProperties">g-roles.properties</module-option>
       </authentication>
    </application-policy>
The files g-* are under conf and my other servlets, which do not contain their own 
users/roles, find them and work right. The jmx-console does this:
    2004-03-14 21:02:10,375 INFO  [org.jboss.security.plugins.JaasSecurityManagerService] Added jmx-console, [EMAIL PROTECTED] to map
    2004-03-14 21:02:10,376 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry, authInfo=AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
    ControlFlag: LoginModuleControlFlag: required
    Options:
    2004-03-14 21:02:10,445 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
    2004-03-14 21:02:10,451 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/space/d/home/jboss/jboss-3.2.2/server/default/tmp/deploy/tmp9308web-console.war/WEB-INF/classes/users.properties
    2004-03-14 21:02:10,456 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/space/d/home/jboss/jboss-3.2.2/server/default/tmp/deploy/tmp9308web-console.war/WEB-INF/classes/roles.properties
    2004-03-14 21:02:10,456 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
    2004-03-14 21:02:10,457 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=admin
    2004-03-14 21:02:10,457 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
    2004-03-14 21:02:10,458 DEBUG [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Login failure

The files under tmp are dated June 2003, belong to web-console and contain a trivial 
admin password.
So the jmx-console login config does not find the authentication resource under 
"deploy" and so it goes out for some file I don't know where it came from. I think 
jboss is following here some unspecified chain of defaults quite against the stated 
configuration policy and it is introducing a security hole.

Thanks for your attention
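
Added example (not part of the original post, and not JBoss code): in the trace above, "Options:" is followed by nothing, and in the config as posted the module-option elements sit next to a self-closed login-module rather than inside it. The check below flags that layout and any UsersRolesLoginModule left on its default users.properties/roles.properties lookup; the function name, the "other-app" policy and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

USERS_ROLES = "org.jboss.security.auth.spi.UsersRolesLoginModule"

# Constructed sample: the first policy mirrors the posted layout (self-closed
# <login-module/>, options as siblings); the second nests the options.
SAMPLE = """<policy>
 <application-policy name="jmx-console">
  <authentication>
   <login-module code="%(m)s" flag="required" />
   <module-option name="usersProperties">g-users.properties</module-option>
   <module-option name="rolesProperties">g-roles.properties</module-option>
  </authentication>
 </application-policy>
 <application-policy name="other-app">
  <authentication>
   <login-module code="%(m)s" flag="required">
    <module-option name="usersProperties">g-users.properties</module-option>
    <module-option name="rolesProperties">g-roles.properties</module-option>
   </login-module>
  </authentication>
 </application-policy>
</policy>""" % {"m": USERS_ROLES}

def audit_login_config(xml_text):
    """Return (policy, finding) tuples for the text of a login-config.xml."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        name = policy.get("name", "?")
        for auth in policy.findall("authentication"):
            # Options directly under <authentication> belong to no module.
            for opt in auth.findall("module-option"):
                findings.append((name, "orphan option: " + opt.get("name", "?")))
            for mod in auth.findall("login-module"):
                if mod.get("code") != USERS_ROLES:
                    continue
                seen = {o.get("name") for o in mod.findall("module-option")}
                # Without these options the module falls back to
                # users.properties / roles.properties from the classpath.
                for needed in ("usersProperties", "rolesProperties"):
                    if needed not in seen:
                        findings.append((name, "default file used: " + needed))
    return findings

if __name__ == "__main__":
    for policy, finding in audit_login_config(SAMPLE):
        print(policy, "->", finding)
```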
