Hi All,

JBoss has a great feature to specify a custom login module for Data Sources via 
Security-Domains (Application-Policy). The configured modules will be used by 
ds.CreateConnection(...) calls. It's excellent. There are three possibilities to 
configure each datasource:
<application-managed-security/>
<security-domain/>
and "mixed" 
<security-domain-and-application> 

The first two work excellently, but <security-domain-and-application> makes 
application login impossible when some domain is specified.

These are my configuration files:

1. Domain Configuration:


    <application-policy name="DummyDomain">
        <authentication>
            <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule"
                          flag="required">
                <module-option name="principal">dummyuser</module-option>
                <module-option name="user">dummy</module-option>
                <module-option name="pass">user</module-option>
                <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=JBDB</module-option>
            </login-module>
        </authentication>
    </application-policy>


So you can see it's just a dummy domain, which has some username/password 
configuration (not existing in the database) in this example, but it makes no 
difference which LoginModule is used.

2. DataSource Configuration:

  <local-tx-datasource>
    <jndi-name>JBDB</jndi-name>
    <connection-url>jdbc:oracle:thin:@[...]:[...]</connection-url>
    <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
    <security-domain-and-application>DummyDomain</security-domain-and-application>
    <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
    <type-mapping>Oracle9i</type-mapping>
  </local-tx-datasource>



As described in the documentation, and as I saw in the source code, it should work 
the following way:

1. It will use the "Domain Configuration" (the user configured in the Login-Module) 
for a ds.GetConnection() call (without params).

2. It will use the "Application" configuration for ds.GetConnection(userName, 
password) (by "application" I mean that the username/password parameters will be 
used instead of those configured in the LoginModule).

Bug Description: 

Also for the ds.GetConnection(userName, password) call, JBoss tries to make the 
connection with the credentials specified for the Security-Domain. So if we change 
<security-domain-and-application> to just <security-domain>, it makes no 
difference. Only the <application-managed-security/> setting makes "Application" 
work. 

In other words, <security-domain-and-application> disables Application Login and 
does the same job as <security-domain>. 

I debugged the source and probably found the place where it happens: 

BasedWrapperConnectionManagedConnectionFactory: 

... 
      Properties props = new Properties(); 
      props.putAll(connectionProps); 
      if (subject != null) 
      { 
         if (SubjectActions.addMatchingProperties(subject, props, this) == true) 
            return props; 
         throw new JBossResourceException("No matching credentials in Subject!"); 
      } 
... 


But the subject is always created (possibly with null principals) if the DataSource 
has a security domain associated:

BaseConnectionManager2:

...
   private Subject getSubject()
   {
      Subject subject = null;
      if (securityDomain != null)
      {
         /* Authenticate using the caller info and obtain a copy of the Subject
            state for use in establishing a secure connection. A copy must be
            obtained to avoid problems with multiple threads associated with
            the same principal changing the state of the resulting Subject.
         */
         Principal principal = GetPrincipalAction.getPrincipal();
         Object credential = GetCredentialAction.getCredential();
         subject = new Subject();
         if (securityDomain.isValid(principal, credential, subject) == false)
         {
            throw new SecurityException("Invalid authentication attempt, principal=" + principal);
         } // end of if
      } // end of if ()
...



Or I'm wrong and it's not a bug and it's a feature? :-)

View the original post : 
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3891740#3891740
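An added diagnostic (not from the original post or from JBoss) for checking which database identity each getConnection form actually produces with the datasource above. It assumes the datasource is bound at java:/JBDB (JBoss's usual local JNDI binding) and that APPUSER/APPPASS is a constructed Oracle account that exists in the database.

```java
import java.sql.Connection;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.naming.InitialContext;
import javax.sql.DataSource;

/** Checks whether application-supplied credentials reach the database. */
public class DataSourceIdentityCheck {

    // Ask Oracle which account the session was actually authenticated as.
    static String sessionUser(Connection c) throws SQLException {
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery("SELECT USER FROM DUAL")) {
            rs.next();
            return rs.getString(1);
        }
    }

    // Returns true when the session user matches the credentials we passed in.
    static boolean appCredentialsHonoured(DataSource ds, String user, String pass)
            throws SQLException {
        try (Connection c = ds.getConnection(user, pass)) {
            return user.equalsIgnoreCase(sessionUser(c));
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed binding; adjust if the datasource is bound elsewhere.
        DataSource ds = (DataSource) new InitialContext().lookup("java:/JBDB");

        // 1. No parameters: the security-domain identity is expected here.
        //    With the dummy domain from the post this call is expected to fail,
        //    because dummy/user does not exist in the database.
        try (Connection c = ds.getConnection()) {
            System.out.println("getConnection()            -> " + sessionUser(c));
        } catch (SQLException e) {
            System.out.println("getConnection() failed: " + e.getMessage());
        }

        // 2. Application credentials (constructed account): with
        //    <security-domain-and-application> these should be used. A failure
        //    with the same error as above, or a session user that is not APPUSER,
        //    means the domain identity was used instead.
        try {
            boolean ok = appCredentialsHonoured(ds, "APPUSER", "APPPASS");
            System.out.println("application credentials used: " + ok);
        } catch (SQLException e) {
            System.out.println("getConnection(user, pass) failed: " + e.getMessage());
        }
    }
}
```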



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
JBoss-user mailing list
JBoss-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/jboss-user

Reply via email to