authentication order has changed from 1.4.x to 1.5.x
----------------------------------------------------
Key: JCR-1977
URL: https://issues.apache.org/jira/browse/JCR-1977
Project: Jackrabbit Content Repository
Issue Type: Bug
Components: jackrabbit-core
Affects Versions: 1.5.2, 1.5.0
Environment: JBoss 4.0.5 + deployed Liferay 4.2.2 on any Platform
Reporter: Thomas Fromm
Priority: Critical

In 1.4.x, inside RepositoryImpl.login(...), the local configuration is first
checked for configured LoginModules, and after that was unsuccessful, the JAAS
component is asked:

    AuthContext authCtx;
    LoginModuleConfig lmc = repConfig.getLoginModuleConfig();
    if (lmc == null) {
        authCtx = new AuthContext.JAAS(repConfig.getAppName(),
                credentials);
    } else {
    ...

With 1.5.x this behaviour has moved to SimpleSecurityManager.init(..) and has
changed:

    LoginModuleConfig loginModConf = config.getLoginModuleConfig();
    authCtxProvider = new AuthContextProvider(config.getAppName(),
            loginModConf);
    if (authCtxProvider.isJAAS()) {
        log.info("init: using JAAS LoginModule configuration for " +
                config.getAppName());
    } else if (authCtxProvider.isLocal()) {
    ...

The problem is that with the JBoss JAAS implementation, authCtxProvider.isJAAS()
is always true, because for some reason the result of
Configuration.getAppConfigurationEntry(appName) is never empty
when a jaas.config is specified for Liferay. Using a different appName has no
effect; the configuration inside the jaas.config is always used.

I still think the local configuration should be considered first, before using
JAAS.