authentication order has changed from 1.4.x to 1.5.x
----------------------------------------------------

                 Key: JCR-1977
                 URL: https://issues.apache.org/jira/browse/JCR-1977
             Project: Jackrabbit Content Repository
          Issue Type: Bug
          Components: jackrabbit-core
    Affects Versions: 1.5.2, 1.5.0
         Environment: JBoss 4.0.5 + deployed Liferay 4.2.2 on any Platform
            Reporter: Thomas Fromm
            Priority: Critical

In 1.4.x, inside RepositoryImpl.login(...), the local configuration is checked first for configured LoginModules, and only after that was unsuccessful is the JAAS component asked:

    AuthContext authCtx;
    LoginModuleConfig lmc = repConfig.getLoginModuleConfig();
    if (lmc == null) {
        authCtx = new AuthContext.JAAS(repConfig.getAppName(), credentials);
    } else {
    ...

With 1.5.x this behaviour has moved to SimpleSecurityManager.init(..) and is changed:

    LoginModuleConfig loginModConf = config.getLoginModuleConfig();
    authCtxProvider = new AuthContextProvider(config.getAppName(), loginModConf);
    if (authCtxProvider.isJAAS()) {
        log.info("init: using JAAS LoginModule configuration for " + config.getAppName());
    } else if (authCtxProvider.isLocal()) {
    ...

The problem is with the JBoss JAAS implementation, that authCtxProvider.isJAAS() is always true. Because for any reason, the result of Configuration.getAppConfigurationEntry(appName) is never empty when a jaas.config is specified for Liferay. Using a different appName has no effect; the configuration inside the jaas.config is always used.

I think the local configuration should still be considered first, before using JAAS.
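The two lookup orders described in the report can be compared side by side. The following is an added example, not Jackrabbit or JBoss code: `CatchAllConfiguration` is a constructed stand-in for a JAAS `Configuration` that returns entries for every application name, and both login module class names are hypothetical.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import java.util.Collections;

public class AuthOrderDemo {
    /** Constructed stand-in: a JAAS Configuration that never returns an empty result. */
    static class CatchAllConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry("example.ContainerLoginModule", // hypothetical
                        LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap())
            };
        }
    }

    static boolean jaasHasEntries(Configuration jaas, String appName) {
        AppConfigurationEntry[] entries = jaas.getAppConfigurationEntry(appName);
        return entries != null && entries.length > 0;
    }

    /** Order reported for 1.4.x: a locally configured LoginModule wins, JAAS is the fallback. */
    static String localFirst(String localModule, Configuration jaas, String appName) {
        if (localModule != null) return "LOCAL:" + localModule;
        return jaasHasEntries(jaas, appName) ? "JAAS:" + appName : "NONE";
    }

    /** Order reported for 1.5.x: JAAS wins whenever it yields entries for appName. */
    static String jaasFirst(String localModule, Configuration jaas, String appName) {
        if (jaasHasEntries(jaas, appName)) return "JAAS:" + appName;
        return localModule != null ? "LOCAL:" + localModule : "NONE";
    }

    public static void main(String[] args) {
        Configuration jaas = new CatchAllConfiguration();
        String local = "example.RepositoryLoginModule"; // hypothetical local LoginModule
        // Changing appName makes no difference under the JAAS-first order.
        for (String appName : new String[] {"Jackrabbit", "SomeOtherName"}) {
            System.out.println(appName + " local-first -> " + localFirst(local, jaas, appName));
            System.out.println(appName + " jaas-first  -> " + jaasFirst(local, jaas, appName));
        }
    }
}
```

With a catch-all JAAS configuration, the JAAS-first order never reaches the locally configured module, so repository logins are decided by the container's login module instead of the one the repository administrator configured.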