We're trying to determine if we have a cross site scripting issue with the
database login module. We're using JBoss 3.2.6. Here's what we've been
seeing: A user authenticates by form based authentication with the
DatabaseServerLoginModule. During the login process we display the
username/roles. This particular user shows a username of 'Roles' and the
correct role to access the site. However, there is no username of 'Roles' in
the database. When we try to create our user object we get a null pointer
exception. Almost immediately after this we'll see the following error in the
logs:

2005-08-29 10:53:17,408 ERROR [org.apache.struts.action.RequestProcessor] 
Invalid path /secure/j_security_check was requested

I'm sure that we can catch the null pointer and send the user to the logout 
page so that they can't access pages within the site.  However, I'm wondering 
how the user is authenticating with the container without a valid username and 
password.

Here is the configuration in login-config.xml:

    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="dsJndiName">java:/MySqlDS</module-option>
        <module-option name="principalsQuery">select password from employer_info where FEIN=?</module-option>
        <module-option name="rolesQuery">select role, 'Roles' from employer_info where FEIN=?</module-option>
    </login-module>

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3892140#3892140

_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user