1. Re: Security issue Using JBoss/JAAS
mervinw Jan 17, 2003 2:32 PM (in response to jox72)
Since you're using JAAS, are you starting JBoss with a Security Manager? If so, what are the permissions that you have granted in your policy files?
I'm trying to get JBoss to launch with a security manager, and have updated my was.profile with the permissions indicated in the Admin & Dev guide as the default, and have included all permissions indicated on the command line during startup. But I eventually run into a NullPointerException.
Any help would be greatly appreciated!
2. Re: Security issue Using JBoss/JAAS
petertje Jan 17, 2003 3:04 PM (in response to jox72)
> My application uses JAAS to allow users to login from
> the Web.
> I'm logged in to the application from one web
> browser, let's say as user AAAA.
> Then I bring up another browser, and when hitting the
> login button on my page that user is automatically
> authenticated as AAAA without having to type in any
> username or password.

It sounds to me like you are using the ClientLoginModule, are you? That is of very little use in the context of web applications... Please give some more info about what you did. If you are using standard web authentication this should not happen...

> A user of my application says he is logging in to the
> application without entering a password. The user he
> is authenticated as is the user of a colleague a few
> rooms away at the same company. I assume these people
> use the same external IP and that's why the problem
> appears.

That is very unlikely: web containers distinguish requests from different users using session IDs; it has nothing to do with IP addresses.
Cheers
Peter.