Bugs item #1067726, was opened at 2004-11-17 00:02
Message generated for change (Comment added) made by ejort
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=1067726&group_id=22866

Category: JBossCX
Group: v3.2
Status: Closed
Resolution: Invalid
Priority: 5
Submitted By: Ryan Rhodes (rrhodes)
Assigned to: Nobody/Anonymous (nobody)
Summary: SecurityException in CallerIdentityLoginModule

Initial Comment:
The CallerIdentityLoginModule throws a 
SecurityException when it tries to get the login 
information from a web application.  I have verified that 
it throws an Exception when SimpleServerLoginModule, 
DatabaseServerLoginModule, or my own custom login 
module are used for authentication of the web 
application.  I'm using jboss v3.2.6

The real exception is a ClassCastException, but the 
caller login module is catching it and rethrowing 
SecurityException.

On line 122 of CallerIdentityLoginModule, it has: 
password = (char[]) o; 

This needs to be changed to: 
String pass = (String) o; 
password = pass.toCharArray();

I'm uploading my file with the change.

thanks,
Ryan Rhodes

----------------------------------------------------------------------

>Comment By: Adrian Brock (ejort)
Date: 2004-11-17 17:30

Message:
Logged In: YES 
user_id=9459

The only way the login modules can affect the password is to
update the shared state when useFirstPass password stacking 
is enabled and this is coupled with the ClientLoginModule.

Login modules are used to validate the password not to set it
(with the notable exception of the ClientLoginModule).

From UsernamePasswordLoginModule:

private char[] credential;    
...
sharedState.put("javax.security.auth.login.password", credential);

I would suggest you post your config details here:
http://www.jboss.org/index.html?module=bb&op=viewforum&f=49
and enabling TRACE logging for org.jboss.security may be
enlightening?

----------------------------------------------------------------------

Comment By: Ryan Rhodes (rrhodes)
Date: 2004-11-17 17:02

Message:
Logged In: YES 
user_id=1160600

Yes, my understanding was that your PasswordCallback 
should be storing a char[], but the login is being performed by 
DatabaseServerLoginModule, and I have tested it with 
others... so, either this is a bug, or there is a bug in all login 
modules that extend UsernamePasswordLoginModule.

This Exception happens before it ever gets to the JCA 
adapters login.  This is between the original login and the 
caller identity login module.

thanks,
Ryan Rhodes


----------------------------------------------------------------------

Comment By: Adrian Brock (ejort)
Date: 2004-11-17 16:03

Message:
Logged In: YES 
user_id=9459

The credential should be a char[] not a String.
cf javax.security.auth.callback.PasswordCallback

You need to look at whatever is performing the login (not
the login module),
i.e. the javax.security.auth.callback.CallbackHandler
implementation


----------------------------------------------------------------------
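
Added example (not part of the thread and not JBoss code): a CallbackHandler that hands the credential to PasswordCallback as a char[], plus a reader for the "javax.security.auth.login.password" shared-state entry that names the offending type instead of hiding a ClassCastException. The class, method and user names and the sample password are constructed for illustration.

```java
import java.util.*;
import javax.security.auth.callback.*;

// Illustration only: CredentialTypeDemo, SimpleHandler and readSharedPassword are hypothetical names.
public class CredentialTypeDemo {
    // Supplies the credential as char[], the type PasswordCallback works with.
    static class SimpleHandler implements CallbackHandler {
        private final String name;
        private final char[] password;
        SimpleHandler(String name, char[] password) {
            this.name = name;
            this.password = password.clone();
        }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(name);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password); // callback keeps its own copy
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    // Reads the shared-state credential; a non-char[] value is reported with its actual type.
    static char[] readSharedPassword(Map<String, Object> sharedState) {
        Object o = sharedState.get("javax.security.auth.login.password");
        if (o instanceof char[]) return ((char[]) o).clone();
        throw new SecurityException("Expected char[] credential, found "
                + (o == null ? "null" : o.getClass().getName()));
    }

    public static void main(String[] args) throws Exception {
        Callback[] cbs = { new NameCallback("user: "), new PasswordCallback("password: ", false) };
        new SimpleHandler("sampleuser", "constructed-sample".toCharArray()).handle(cbs);
        Map<String, Object> sharedState = new HashMap<>();
        sharedState.put("javax.security.auth.login.password", ((PasswordCallback) cbs[1]).getPassword());
        char[] pw = readSharedPassword(sharedState);
        System.out.println("char[] credential of length " + pw.length);
        Arrays.fill(pw, '\0'); // wipe the copy once it is no longer needed
        // A String stored under the same key is the situation described in the initial comment.
        sharedState.put("javax.security.auth.login.password", "constructed-sample");
        try { readSharedPassword(sharedState); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```
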
