-
1. Re: configuring UsersPassword login module
starksm64 Mar 14, 2004 10:02 AM (in response to tgil)
Works fine for me. I have moved the files to the conf directory, renamed them jmx-users.properties, jmx-roles.properties to make sure only these would be used, and secured the jmx-console using the following login-config.xml entry:

    <application-policy name = "jmx-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name = "usersProperties">jmx-users.properties</module-option>
             <module-option name = "rolesProperties">jmx-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

Enable trace level logging of the org.jboss.security layer to see which properties files the UsersRolesLoginModule is using:

    <!-- conf/log4j.xml fragment -->
    <category name="org.jboss.security">
       <priority value="TRACE" class="org.jboss.logging.XLevel"/>
    </category>

When I access the jmx-console the log shows the files in conf are used:

    2004-03-14 07:32:51,896 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
    2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/cvs/Releases/jboss-3.2.2/server/jmxconsole/conf/jmx-users.properties
    2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/cvs/Releases/jboss-3.2.2/server/jmxconsole/conf/jmx-roles.properties
    2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
-
2. Re: configuring UsersPassword login module
tgil Mar 14, 2004 11:49 PM (in response to tgil)
Thanks for testing instructions. However, the results are not good. I hid away the users/roles.properties under jmx-console.war and configured the entry in login-config.xml like so:

    <application-policy name = "jmx-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
             <module-option name="usersProperties">g-users.properties</module-option>
             <module-option name="rolesProperties">g-roles.properties</module-option>
       </authentication>
    </application-policy>

The files g-* are under conf and my other servlets, which do not contain their own users/roles, find them and work right. The jmx-console does this:

    2004-03-14 21:02:10,375 INFO [org.jboss.security.plugins.JaasSecurityManagerService] Added jmx-console, org.jboss.security.plugins.SecurityDomainContext@428527 to map
    2004-03-14 21:02:10,376 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry, authInfo=AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
    ControlFlag: LoginModuleControlFlag: required
    Options:
    2004-03-14 21:02:10,445 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
    2004-03-14 21:02:10,451 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/space/d/home/jboss/jboss-3.2.2/server/default/tmp/deploy/tmp9308web-console.war/WEB-INF/classes/users.properties
    2004-03-14 21:02:10,456 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/space/d/home/jboss/jboss-3.2.2/server/default/tmp/deploy/tmp9308web-console.war/WEB-INF/classes/roles.properties
    2004-03-14 21:02:10,456 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
    2004-03-14 21:02:10,457 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=admin
    2004-03-14 21:02:10,457 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
    2004-03-14 21:02:10,458 DEBUG [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Login failure

The files under tmp are dated June 2003, belong to web-console and contain a trivial admin password.
So the jmx-console login config does not find the authentication resource under "deploy" and so it goes out for some file I don't know where it came from. I think jboss is following here some unspecified chain of defaults quite against the stated configuration policy and it is introducing a security hole.
Thanks for your attention
-
3. Re: configuring UsersPassword login module
starksm64 Mar 15, 2004 9:48 AM (in response to tgil)
Your login-config.xml is invalid. The module-option elements need to be child elements of login-module. Just indenting them does not make this so.
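
The nesting mistake diagnosed in reply 3 can be caught before deployment. The following is an added example, not part of the thread and not JBoss code: a small Python check that flags module-option elements placed outside login-module and UsersRolesLoginModule entries left without usersProperties/rolesProperties, which is the state the "Options:" trace line in post 2 shows. The function name lint_login_config and the policy wrapper around the sample are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

USERS_ROLES = "org.jboss.security.auth.spi.UsersRolesLoginModule"
FILE_OPTIONS = ("usersProperties", "rolesProperties")

# Constructed sample: the entry from post 2, wrapped in a <policy> root so it
# parses on its own. <login-module ... /> is self-closed, so the options that
# follow are siblings of it, whatever the indentation suggests.
BROKEN = """<policy>
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
        <module-option name="usersProperties">g-users.properties</module-option>
        <module-option name="rolesProperties">g-roles.properties</module-option>
    </authentication>
  </application-policy>
</policy>"""

# The same entry with the options nested inside login-module, as in post 1.
FIXED = BROKEN.replace(" />", ">").replace(
    "</authentication>", "</login-module></authentication>")


def lint_login_config(xml_text):
    """Return (policy, finding) pairs for misplaced or missing file options."""
    findings = []
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        name = policy.get("name", "?")
        parent_of = {c: p for p in policy.iter() for c in p}
        for opt in policy.iter("module-option"):
            if parent_of[opt].tag != "login-module":
                findings.append((name, "module-option %s is outside login-module"
                                 % opt.get("name")))
        for module in policy.iter("login-module"):
            if module.get("code") != USERS_ROLES:
                continue
            present = {o.get("name") for o in module.findall("module-option")}
            for wanted in FILE_OPTIONS:
                if wanted not in present:
                    findings.append((name, "%s not set, default file will be used"
                                     % wanted))
    return findings


if __name__ == "__main__":
    for policy_name, finding in lint_login_config(BROKEN):
        print(policy_name, "-", finding)
    print("fixed entry findings:", lint_login_config(FIXED))
```
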
-
4. Re: configuring UsersPassword login module
tgil Mar 15, 2004 11:14 AM (in response to tgil)
Sorry. Making an invalid XML element in login-config.xml was not intentional.
Still - it bothers me that when the authentication resource is not found JBoss goes out and authenticates against some extraneous data.
-
5. Re: configuring UsersPassword login module
starksm64 Mar 15, 2004 11:45 AM (in response to tgil)
Then read about configuration of the class loader architecture to see the options for deployment visibility. There is an excerpt from the 3.0.7 admin/devl guide here:
http://sourceforge.net/docman/display_doc.php?docid=14516&group_id=22866