1 Reply Latest reply on Oct 16, 2002 12:25 PM by davidnash

    Unexpected behavior - chaining login modules

    davidnash
    davidnash Oct 15, 2002 12:14 PM

      I've seen several posts to this question in the security forum but no answers so far - wondering if anyone can explain this?

      Scenario: multiple login modules defined in auth.conf, with control flag of "sufficient". Each works fine on its own, but when combined in series only the first one works. The last will authenticate, but fails to authorize on a missing required role error:

      User: john is NOT authorized, requiredRoles=[webadmin]

      This error is demonstrated by trying to log in to a userid that is in one source (e.g., an LDAP) but not another (e.g., a properties file).

      But...if you go ahead and define the userid in both sources (but with different passwords), it seems to work OK.

      Another strange behavior: if john has roles A and B in module1 but only B in module2, if module2 is last in the series, he is authorized for both roles A and B (!)

      Can anyone suggest what is happening here, and how to get around it?

      Thanks,

      David

      • 3072 Views
      • Tags:
        • 1. Re: Unexpected behavior - chaining login modules
          davidnash
          davidnash Oct 16, 2002 12:25 PM (in response to davidnash)

          OK - I've spent an entire day working on this problem. I think I know what's going on. We're on an older version of jBoss (2.2.2), so it may have been corrected in more recent versions.

          Custom login modules need to provide two main methodes - login and getRoleSets. What is happening is that getRoleSets gets called even if login fails(!), and the roles that are returned are cached. For the next login module in series, the login may succeed, but the roles for this successful login are not retrieved becuase jBoss already has cached roles from the previous login attempt.

          The workaround that I am using is that whenever getRoleSets is called I do a callback on the userid and password and re-authenticate. If the authentication fails, I throw a LoginException rather than pass back a list of roles which will be cached and may conflict with a future successful login.

          The sample login module (UsersRolesLoginModule) exhibits this problem. I haven't tested the others that come with jBoss.

          -David Nash

            • Actions