[JBoss-user] [Security JAAS/JBoss] - Re: configuring UsersPassword login module

2004-03-15 Thread starksm
Your login-config.xml is invalid. The module-option elements need to be child elements 
of login-module. Just indenting them does not make this so.

---
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id=1470alloc_id=3638op=click
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user


[JBoss-user] [Security JAAS/JBoss] - Re: configuring UsersPassword login module

2004-03-15 Thread tgil
Sorry. Making an invalid XML element in login-config.xml was not intentional. 
Still - it bothers me that when the authentication resource is not found JBoss goes 
out and authenticates against some extraneous data.



[JBoss-user] [Security JAAS/JBoss] - Re: configuring UsersPassword login module

2004-03-15 Thread starksm
Then read about configuration of the class loader architecture to see the options for 
deployment visibility. There is an excerpt from the 3.0.7 admin/devl guide here:
http://sourceforge.net/docman/display_doc.php?docid=14516&group_id=22866



[JBoss-user] [Security JAAS/JBoss] - Re: configuring UsersPassword login module

2004-03-14 Thread starksm
Works fine for me. I have moved the files to the conf directory, renamed them 
jmx-users.properties, jmx-roles.properties to make sure only these would be used, and 
secured the jmx-console using the following login-config.xml entry:


  | <application-policy name = "jmx-console">
  |    <authentication>
  |       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |          flag = "required">
  |          <module-option name = "usersProperties">jmx-users.properties</module-option>
  |          <module-option name = "rolesProperties">jmx-roles.properties</module-option>
  |       </login-module>
  |    </authentication>
  | </application-policy>

Enable trace level logging of the org.jboss.security layer to see which properties 
files the UsersRolesLoginModule is using:

  | <!-- conf/log4j.xml fragment -->
  | <category name="org.jboss.security">
  |    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
  | </category>

When I access the jmx-console the log shows the files in conf are used:

  | 2004-03-14 07:32:51,896 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
  | 2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/cvs/Releases/jboss-3.2.2/server/jmxconsole/conf/jmx-users.properties
  | 2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/cvs/Releases/jboss-3.2.2/server/jmxconsole/conf/jmx-roles.properties
  | 2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login




[JBoss-user] [Security JAAS/JBoss] - Re: configuring UsersPassword login module

2004-03-14 Thread tgil
Thanks for testing instructions. However, the results are not good. I hid away the 
users/roles.properties under jmx-console.war and configured the entry in 
login-config.xml like so:

  | <application-policy name = "jmx-console">
  |    <authentication>
  |       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |          flag = "required" />
  |       <module-option name="usersProperties">g-users.properties</module-option>
  |       <module-option name="rolesProperties">g-roles.properties</module-option>
  |    </authentication>
  | </application-policy>

The files g-* are under conf and my other servlets, which do not contain their own 
users/roles, find them and work right. The jmx-console does this:

  | 2004-03-14 21:02:10,375 INFO  [org.jboss.security.plugins.JaasSecurityManagerService] Added jmx-console, [EMAIL PROTECTED] to map
  | 2004-03-14 21:02:10,376 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry, authInfo=AppConfigurationEntry[]:
  | [0]
  | LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
  | ControlFlag: LoginModuleControlFlag: required
  | Options:
  | 2004-03-14 21:02:10,445 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
  | 2004-03-14 21:02:10,451 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/space/d/home/jboss/jboss-3.2.2/server/default/tmp/deploy/tmp9308web-console.war/WEB-INF/classes/users.properties
  | 2004-03-14 21:02:10,456 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/space/d/home/jboss/jboss-3.2.2/server/default/tmp/deploy/tmp9308web-console.war/WEB-INF/classes/roles.properties
  | 2004-03-14 21:02:10,456 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
  | 2004-03-14 21:02:10,457 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=admin
  | 2004-03-14 21:02:10,457 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
  | 2004-03-14 21:02:10,458 DEBUG [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Login failure

The files under tmp are dated June 2003, belong to web-console and contain a trivial 
admin password.
So the jmx-console login config does not find the authentication resource under 
deploy and so it goes out for some file I don't know where it came from. I think 
JBoss is following here some unspecified chain of defaults quite against the stated 
configuration policy and it is introducing a security hole.

Thanks for your attention

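
Added example, not part of the thread and not JBoss code: a small Python check for the mistake diagnosed above, where module-option elements sit beside login-module instead of inside it, so UsersRolesLoginModule receives no options (the empty "Options:" line in the trace). The sample XML is constructed from the two entries quoted in the thread; the policy root element, the "fixed" policy name and the finding labels are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: first policy repeats the invalid nesting, second the valid one.
SAMPLE = """<policy>
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
      <module-option name="usersProperties">g-users.properties</module-option>
      <module-option name="rolesProperties">g-roles.properties</module-option>
    </authentication>
  </application-policy>
  <application-policy name="fixed">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">jmx-users.properties</module-option>
        <module-option name="rolesProperties">jmx-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>"""

URLM = "org.jboss.security.auth.spi.UsersRolesLoginModule"
EXPECTED = ("usersProperties", "rolesProperties")

def lint_login_config(xml_text):
    """Return (policy name, finding) pairs for options the login module never receives."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        name = policy.get("name")
        # ElementTree has no parent pointer, so build a child -> parent map.
        parent_of = {child: parent for parent in policy.iter() for child in parent}
        # 1. module-option elements that are not children of a login-module.
        for opt in policy.iter("module-option"):
            if parent_of[opt].tag != "login-module":
                findings.append((name, "misplaced:" + opt.get("name", "")))
        # 2. UsersRolesLoginModule entries left without an explicit file option,
        #    which then look up their default properties files instead.
        for mod in policy.iter("login-module"):
            if mod.get("code") != URLM:
                continue
            seen = {o.get("name") for o in mod.findall("module-option")}
            for key in EXPECTED:
                if key not in seen:
                    findings.append((name, "default-file:" + key))
    return findings

if __name__ == "__main__":
    for policy_name, issue in lint_login_config(SAMPLE):
        print(policy_name, issue)
```

Running it against a real conf/login-config.xml before deployment catches the case where the file is well-formed XML yet the module silently runs with no options.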