5 Replies Latest reply on Mar 15, 2004 11:45 AM by starksm64

    configuring UsersPassword login module

    tgil

I am interested in using the UsersPassword login module for many servlets and EJBs. I don't want the users/roles.properties data deployed together with the .ear files. It seems that under 3.2.0 and 3.2.1 it was possible to place these .properties files under server/default/conf. It does not work under 3.2.2 any more. Should I specify the files under a policy in login-config.xml with absolute paths? Or relative to the installation root?

      Thanks

      -Tgil

        • 1. Re: configuring UsersPassword login module
          starksm64

          Works fine for me. I have moved the files to the conf directory, renamed them jmx-users.properties, jmx-roles.properties to make sure only these would be used, and secured the jmx-console using the following login-config.xml entry:

           <application-policy name = "jmx-console">
           <authentication>
           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
           flag = "required">
           <module-option name = "usersProperties">jmx-users.properties</module-option>
           <module-option name = "rolesProperties">jmx-roles.properties</module-option>
           </login-module>
           </authentication>
           </application-policy>
          


          Enable trace level logging of the org.jboss.security layer to see which properties files the UsersRolesLoginModule is using:
           <!-- conf/log4j.xml fragment -->
           <category name="org.jboss.security">
           <priority value="TRACE" class="org.jboss.logging.XLevel"/>
           </category>
          


          When I access the jmx-console the log shows the files in conf are used:
          2004-03-14 07:32:51,896 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
          2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/cvs/Releases/jboss-3.2.2/server/jmxconsole/conf/jmx-users.properties
          2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/cvs/Releases/jboss-3.2.2/server/jmxconsole/conf/jmx-roles.properties
          2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
          



          • 2. Re: configuring UsersPassword login module
            tgil

Thanks for the testing instructions. However, the results are not good. I hid away the users/roles.properties under jmx-console.war and configured the entry in login-config.xml like so:

            <application-policy name = "jmx-console">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
             <module-option name="usersProperties">g-users.properties</module-option>
             <module-option name="rolesProperties">g-roles.properties</module-option>
             </authentication>
             </application-policy>

            The files g-* are under conf and my other servlets, which do not contain their own users/roles, find them and work right. The jmx-console does this:
            2004-03-14 21:02:10,375 INFO [org.jboss.security.plugins.JaasSecurityManagerService] Added jmx-console, org.jboss.security.plugins.SecurityDomainContext@428527 to map
            2004-03-14 21:02:10,376 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry, authInfo=AppConfigurationEntry[]:
            [0]
            LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
            ControlFlag: LoginModuleControlFlag: required
            Options:
            2004-03-14 21:02:10,445 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
            2004-03-14 21:02:10,451 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/space/d/home/jboss/jboss-3.2.2/server/default/tmp/deploy/tmp9308web-console.war/WEB-INF/classes/users.properties
            2004-03-14 21:02:10,456 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/space/d/home/jboss/jboss-3.2.2/server/default/tmp/deploy/tmp9308web-console.war/WEB-INF/classes/roles.properties
            2004-03-14 21:02:10,456 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
            2004-03-14 21:02:10,457 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=admin
            2004-03-14 21:02:10,457 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
            2004-03-14 21:02:10,458 DEBUG [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Login failure


            The files under tmp are dated June 2003, belong to web-console and contain a trivial admin password.
So the jmx-console login config does not find the authentication resource under "deploy" and so it goes out for some file I don't know where it came from. I think JBoss is following here some unspecified chain of defaults quite against the stated configuration policy and it is introducing a security hole.

            Thanks for your attention

            • 3. Re: configuring UsersPassword login module
              starksm64

              Your login-config.xml is invalid. The module-option elements need to be child elements of login-module. Just indenting them does not make this so.
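The mistake in post #2 is well-formed XML, so nothing rejects it; the login module simply runs with an empty Options map and falls back to its classpath defaults. The following check is an added example, not code from the thread or from JBoss: it parses a login-config.xml fragment, reports module-option elements that are siblings of login-module rather than children, and confirms that the named properties files actually exist under the conf directory. The jmx-console policy, the g-*.properties names and the temporary conf directory are constructed for the demonstration; the default file names are those UsersRolesLoginModule uses when the options are absent.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# File names UsersRolesLoginModule falls back to when the options are absent;
# they are then searched on the classpath, as the trace log in post #2 shows.
DEFAULTS = {"usersProperties": "users.properties", "rolesProperties": "roles.properties"}


def policy_xml(nested):
    """Constructed jmx-console policy; nested=False reproduces the mistake in post #2."""
    opts = ('<module-option name="usersProperties">g-users.properties</module-option>'
            '<module-option name="rolesProperties">g-roles.properties</module-option>')
    lm = '<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"'
    body = lm + ">" + opts + "</login-module>" if nested else lm + "/>" + opts
    return ('<policy><application-policy name="jmx-console"><authentication>'
            + body + "</authentication></application-policy></policy>")


def check_policy(xml_text, conf_dir):
    """Return (policy name, problem) tuples; an empty list means the config is sound."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        name = policy.get("name")
        auth = policy.find("authentication")
        if auth is None:
            findings.append((name, "missing <authentication> element"))
            continue
        # A module-option beside <login-module> instead of inside it is still
        # well-formed XML, so JBoss accepts the file but the module sees no options.
        for stray in auth.findall("module-option"):
            findings.append((name, "module-option %r is not a child of <login-module>" % stray.get("name")))
        for lm in auth.findall("login-module"):
            opts = {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}
            for key, default in DEFAULTS.items():
                if key not in opts:
                    findings.append((name, "%s unset; module will search the classpath for %s" % (key, default)))
                elif not os.path.isfile(os.path.join(conf_dir, opts[key])):
                    findings.append((name, "%s not found under %s" % (opts[key], conf_dir)))
    return findings


def run_demo():
    """Stand-in for server/default/conf holding the g-* files; checks both variants."""
    with tempfile.TemporaryDirectory() as conf:
        for fname in ("g-users.properties", "g-roles.properties"):
            with open(os.path.join(conf, fname), "w") as fh:
                fh.write("# constructed placeholder\n")
        return check_policy(policy_xml(False), conf), check_policy(policy_xml(True), conf)
```

Running check_policy against the real server/default/conf/login-config.xml with conf_dir set to that conf directory gives the same findings for a live installation.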

              • 4. Re: configuring UsersPassword login module
                tgil

                Sorry. Making an invalid XML element in login-config.xml was not intentional.
                Still - it bothers me that when the authentication resource is not found JBoss goes out and authenticates against some extraneous data.

                • 5. Re: configuring UsersPassword login module
                  starksm64

Read about the configuration of the class loader architecture to see the options for deployment visibility. There is an excerpt from the 3.0.7
admin/devel guide here:
                  http://sourceforge.net/docman/display_doc.php?docid=14516&group_id=22866