The security layer in the pre-2.1 CVS code just changed significantly. The current
JaasSecurityManager no longer has a char[]-only view of the credential. It
tries the following, in this order, when attempting to validate the cached
credential:

        // subjectCredential is the credential cached for the authenticated Subject;
        // credential is the one presented on the current call. Each branch assumes
        // the presented credential has the same type as the cached one: a mismatch
        // (e.g. a String against a cached char[]) fails the cast rather than
        // returning false.
        boolean isValid = false;
        if( subjectCredential instanceof Comparable )
        {
            // Covers String (and any other Comparable): equal iff compareTo() == 0
            Comparable c = (Comparable) subjectCredential;
            isValid = c.compareTo(credential) == 0;
        }
        else if( subjectCredential instanceof char[] )
        {
            // Password as a char[]: element-wise comparison (java.util.Arrays)
            char[] a1 = (char[]) subjectCredential;
            char[] a2 = (char[]) credential;
            isValid = Arrays.equals(a1, a2);
        }
        else if( subjectCredential instanceof byte[] )
        {
            // Binary credential (e.g. a hash or token) as a byte[]
            byte[] a1 = (byte[]) subjectCredential;
            byte[] a2 = (byte[]) credential;
            isValid = Arrays.equals(a1, a2);
        }
        else
        {
            // Anything else: fall back to the credential's own equals()
            isValid = subjectCredential.equals(credential);
        }

The true value of the credential is something that is between the client-side
and server-side LoginModules. In order for the credential to be cacheable
at the JaasSecurityManager, it needs to be viewable as one of the above types.

Note that the security code has also mostly moved to the jbosssx CVS module,
so look there for the source code. In the current jboss module the security classes
are integrated as three precompiled jars: jbosssx.jar, jboss-jaas.jar and
jbosssx-client.jar.

----- Original Message ----- 
From: "Anatoly Akkerman" <[EMAIL PROTECTED]>
To: "JBoss-Dev" <[EMAIL PROTECTED]>
Sent: Tuesday, March 06, 2001 1:06 PM
Subject: [jBoss-Dev] Bug in tomcat-service JbossRealm


> 
> Hello, everybody.
> 
> Here is what I ran across. JaasSecurityManager expects the Credential
> object from the SecurityAssociation to be assignable to a char[], while
> the JbossRealm Tomcat interceptor sets the Credential object to be a String,
> which is the password from the Tomcat session. This causes problems when
> EJB requests are coming from the web tier into a JAAS-secured container.
> 
> I checked my mods and they fix the problem that I was experiencing. I was
> not sure if I should go ahead and fix it myself in the CVS, so I am
> posting this. Instead of JbossRealm.java:35
> 
> SecurityAssociation.setCredential(passwd);
> 
> it should be something like:
> 
> SecurityAssociation.setCredential((passwd == null)? null: passwd.toCharArray());
> 
> Anatoly Akkerman.
> 
> 
> 


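The following stand-alone program is an added example, not code from either message or from JBoss: it reimplements the four-branch comparison quoted from JaasSecurityManager above as a method named isValid (a name chosen here, not the project's), then runs it against constructed sample credentials to show which combinations validate, which are rejected, and how the String-versus-char[] mismatch from the bug report surfaces. It also applies the toCharArray() conversion proposed in the original message to show that the converted credential validates against a cached char[].

```java
import java.util.Arrays;

/**
 * Added example (not JBoss code). Reproduces the cached-credential check quoted
 * in the reply above and exercises the String/char[] mismatch from the bug report.
 */
public class CredentialCheckDemo {

    /** Same branch order as the JaasSecurityManager snippet in the reply. */
    static boolean isValid(Object subjectCredential, Object credential) {
        if (subjectCredential instanceof Comparable) {
            Comparable c = (Comparable) subjectCredential;
            return c.compareTo(credential) == 0;
        } else if (subjectCredential instanceof char[]) {
            return Arrays.equals((char[]) subjectCredential, (char[]) credential);
        } else if (subjectCredential instanceof byte[]) {
            return Arrays.equals((byte[]) subjectCredential, (byte[]) credential);
        } else {
            return subjectCredential.equals(credential);
        }
    }

    /** Runs one comparison and reports the outcome, including a type mismatch. */
    static String check(String label, Object cached, Object presented) {
        try {
            return label + " -> " + isValid(cached, presented);
        } catch (ClassCastException e) {
            return label + " -> ClassCastException (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample password; not a real credential.
        char[] cachedChars = "secret".toCharArray();
        String cachedString = "secret";

        // Both sides use the same type: the cached credential validates.
        System.out.println(check("char[] vs char[]", cachedChars, "secret".toCharArray()));
        System.out.println(check("String vs String", cachedString, "secret"));
        System.out.println(check("byte[] vs byte[]", "secret".getBytes(), "secret".getBytes()));

        // Wrong password of the matching type: rejected.
        System.out.println(check("char[] vs wrong char[]", cachedChars, "guess".toCharArray()));

        // The situation from the bug report: the web tier stored a String in the
        // SecurityAssociation while the cached credential is a char[]. The char[]
        // branch casts the presented credential without checking it, so this
        // throws instead of returning false.
        System.out.println(check("char[] vs String", cachedChars, "secret"));

        // The reverse mismatch goes through String.compareTo, which also throws.
        System.out.println(check("String vs char[]", cachedString, "secret".toCharArray()));

        // The fix proposed in the original message: convert before storing.
        String passwd = "secret";
        Object credential = (passwd == null) ? null : passwd.toCharArray();
        System.out.println(check("char[] vs converted String", cachedChars, credential));
    }
}
```

Compile and run with javac/java; the raw use of Comparable mirrors the quoted code and only produces an unchecked warning on modern JDKs. The point the output makes is that a type mismatch between the cached and presented credential is not a validation failure but an exception, so whatever sets the credential on the web tier has to store the same view the LoginModule caches. One caveat for anyone reusing this pattern today: Arrays.equals stops at the first differing element, so comparing a secret this way leaks timing; java.security.MessageDigest.isEqual is the constant-time alternative for byte arrays.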