Bugs item #1067726, was opened at 2004-11-17 00:02
Message generated for change (Comment added) made by ejort
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=376685&aid=1067726&group_id=22866

Category: JBossCX
Group: v3.2
Status: Closed
Resolution: Invalid
Priority: 5
Submitted By: Ryan Rhodes (rrhodes)
Assigned to: Nobody/Anonymous (nobody)
Summary: SecurityException in CallerIdentityLoginModule

Initial Comment:
The CallerIdentityLoginModule throws a SecurityException when it tries to get the login information from a web application. I have verified that it throws an Exception when SimpleServerLoginModule, DatabaseServerLoginModule, or my own custom login module are used for authentication of the web application.

I'm using jboss v3.2.6.

The real exception is a ClassCastException, but the caller login module is catching it and rethrowing SecurityException.

On line 122 of CallerIdentityLoginModule, it has:

    password = (char[]) o;

This needs to be changed to:

    String pass = (String) o;
    password = pass.toCharArray();

I'm uploading my file with the change.

thanks,
Ryan Rhodes

----------------------------------------------------------------------

>Comment By: Adrian Brock (ejort)
Date: 2004-11-17 17:30

Message:
Logged In: YES
user_id=9459

The only way the login modules can affect the password is to update the shared state when useFirstPass password stacking is enabled and this is coupled with the ClientLoginModule.

Login modules are used to validate the password not to set it (with the notable exception of the ClientLoginModule).

From UsernamePasswordLoginModule:

    private char[] credential;
    ...
    sharedState.put("javax.security.auth.login.password", credential);

I would suggest you post your config details here:
http://www.jboss.org/index.html?module=bb&op=viewforum&f=49
and enabling TRACE logging for org.jboss.security may be enlightening?

----------------------------------------------------------------------

Comment By: Ryan Rhodes (rrhodes)
Date: 2004-11-17 17:02

Message:
Logged In: YES
user_id=1160600

Yes, my understanding was that your PasswordCallback should be storing a char[], but the login is being performed by DatabaseServerLoginModule, and I have tested it with others... so, either this is a bug, or there is a bug in all login modules that extend UsernamePasswordLoginModule.

This Exception happens before it ever gets to the JCA adapters login. This is between the original login and the caller identity login module.

thanks,
Ryan Rhodes

----------------------------------------------------------------------

Comment By: Adrian Brock (ejort)
Date: 2004-11-17 16:03

Message:
Logged In: YES
user_id=9459

The credential should be a char[] not a String.
cf javax.security.auth.callback.PasswordCallback

You need to look at whatever is performing the login (not the login module), i.e. the javax.security.auth.callback.CallbackHandler implementation

----------------------------------------------------------------------

_______________________________________________
JBoss-Development mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-development
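
Added example, not part of the original thread and not JBoss code: a standalone sketch of the credential type contract discussed above, using only the standard javax.security.auth.callback API. The class and method names (CredentialTypeDemo, DemoHandler, readPassword) and the sample credentials are hypothetical; the shared-state key is the one quoted in the thread. Instead of a bare cast, the reader reports the actual type it found, which helps locate the component that stored a String.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public class CredentialTypeDemo {
    static final String PW_KEY = "javax.security.auth.login.password";

    // Hypothetical handler: hands the password over as char[], the only type
    // PasswordCallback.setPassword accepts.
    static class DemoHandler implements CallbackHandler {
        private final String user;
        private final char[] secret;
        DemoHandler(String user, char[] secret) { this.user = user; this.secret = secret; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(secret);
                else throw new UnsupportedCallbackException(cb);
            }
        }
    }

    // Reads the stacked password; a non-char[] value is reported by type name
    // rather than surfacing as an opaque ClassCastException.
    static char[] readPassword(Map<String, Object> sharedState) {
        Object o = sharedState.get(PW_KEY);
        if (o instanceof char[]) return (char[]) o;
        String found = (o == null) ? "null" : o.getClass().getName();
        throw new SecurityException("shared-state credential is " + found + ", expected char[]");
    }

    public static void main(String[] args) throws Exception {
        PasswordCallback pc = new PasswordCallback("Password: ", false);
        CallbackHandler h = new DemoHandler("demo", "constructed-secret".toCharArray());
        h.handle(new Callback[] { new NameCallback("User: "), pc });

        Map<String, Object> shared = new HashMap<>();
        char[] copy = pc.getPassword();          // getPassword returns a copy
        shared.put(PW_KEY, copy);
        System.out.println("char[] accepted, length " + readPassword(shared).length);
        pc.clearPassword();                      // wipe the callback's internal copy
        Arrays.fill(copy, '\0');                 // wipe our copy once it is no longer needed

        shared.put(PW_KEY, "constructed-secret"); // constructed wrong-type value
        try { readPassword(shared); }
        catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```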