Hi All,

JBoss has a great feature to specify a custom login module for Data Sources via Security-Domains (Application-Policy). So the configured modules will be used by ds.CreateConnection(...) calls. It's excellent.

There are three possibilities to configure each datasource: <application-managed-security/>, <security-domain/> and the "mixed" <security-domain-and-application>.

The first two both work excellently, but <security-domain-and-application> makes application login impossible when some domain is specified.

These are my configuration files:

1. Domain Configuration:

    <application-policy name = "DummyDomain">
      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
        <module-option name="principal">dummyuser</module-option>
        <module-option name="user">dummy</module-option>
        <module-option name="pass">user</module-option>
        <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=JBDB</module-option>
      </login-module>
    </application-policy>

So you can see it's just a dummy domain, which has some username/password configuration (not existing in the database) in this example, but it makes no sense which LoginModule is used.

2. DataSource Configuration:

    <local-tx-datasource>
      <jndi-name>JBDB</jndi-name>
      <connection-url>jdbc:oracle:thin:@[...]:[...]</connection-url>
      <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
      <security-domain-and-application>DummyDomain</security-domain-and-application>
      <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
      <type-mapping>Oracle9i</type-mapping>
    </local-tx-datasource>

As it is described in the documentation and as I saw in the source code, it should work the following way:

1. It will use the "Domain Configuration" (the user configured in the Login-Module) on a ds.GetConnection() call (without params).
2. It will use the "Application" Configuration on ds.GetConnection(userName, password) (by application I mean that the username/password parameters will be used instead of those configured in the LoginModule).

Bug Description:

Also on a ds.GetConnection(userName, password) call, JBoss tries to make the connection with the credentials specified for the Security-Domain. So if we change <security-domain-and-application> to just <security-domain>, it will make no difference. Only the <application-managed-security/> setting makes "Application" work.

In other words, <security-domain-and-application> disables Application Login and does the same job as <security-domain>.

I debugged the source and probably found the place where it happens:

BasedWrapperConnectionManagedConnectionFactory:

    ...
    Properties props = new Properties();
    props.putAll(connectionProps);
    if (subject != null)
    {
       if (SubjectActions.addMatchingProperties(subject, props, this) == true)
          return props;
       throw new JBossResourceException("No matching credentials in Subject!");
    }
    ...

But the subject is always created (it can have null principals) if the DataSource has a security domain associated:

BaseConnectionManager2:

    ...
    private Subject getSubject()
    {
       Subject subject = null;
       if (securityDomain != null)
       {
          /* Authenticate using the caller info and obtain a copy of the Subject
             state for use in establishing a secure connection. A copy must be
             obtained to avoid problems with multiple threads associated with
             the same principal changing the state of the resulting Subject.
          */
          Principal principal = GetPrincipalAction.getPrincipal();
          Object credential = GetCredentialAction.getCredential();
          subject = new Subject();
          if (securityDomain.isValid(principal, credential, subject) == false)
          {
             throw new SecurityException("Invalid authentication attempt, principal=" + principal);
          } // end of if
       } // end of if ()
    ...

Or am I wrong, and it's not a bug but a feature?
:-)

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3891740#3891740
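
A simplified model of the credential-selection order described in the post above, added here as an example; it is not JBoss source and not the poster's code. The DomainCredential record, the method names and the app_user/app_pass values are assumptions made for illustration.

```java
import java.util.Properties;
import javax.security.auth.Subject;

// Simplified model (not JBoss source) of the selection order quoted in the post.
public class CredentialPrecedenceDemo {
    // Hypothetical stand-in for the credential a login module places in the Subject.
    record DomainCredential(String user, String pass) {}

    // Mirrors the quoted getSubject(): a Subject exists whenever a domain is configured.
    static Subject subjectFor(String securityDomain) {
        if (securityDomain == null) return null;
        Subject s = new Subject();
        // Constructed values matching the DummyDomain module options in the post.
        s.getPrivateCredentials().add(new DomainCredential("dummy", "user"));
        return s;
    }

    // Order as quoted: the Subject branch returns or throws before the
    // caller-supplied user/password is ever consulted.
    static Properties resolve(Subject subject, String appUser, String appPass) {
        Properties props = new Properties();
        if (subject != null) {
            for (DomainCredential c : subject.getPrivateCredentials(DomainCredential.class)) {
                props.setProperty("user", c.user());
                props.setProperty("password", c.pass());
                return props;
            }
            throw new IllegalStateException("No matching credentials in Subject!");
        }
        if (appUser != null) {
            props.setProperty("user", appUser);
            props.setProperty("password", appPass);
        }
        return props;
    }

    public static void main(String[] args) {
        Subject domain = subjectFor("DummyDomain");
        // With a domain set, the no-argument call and the (user, password) call
        // resolve to the same domain identity.
        System.out.println(resolve(domain, null, null).getProperty("user"));
        System.out.println(resolve(domain, "app_user", "app_pass").getProperty("user"));
        // Without a domain (application-managed-security), the arguments are used.
        System.out.println(resolve(null, "app_user", "app_pass").getProperty("user"));
    }
}
```

Against a real datasource, the effective identity of a connection can be confirmed with conn.getMetaData().getUserName() and compared with the user the application passed in.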