Bug: <security-domain-and-application> make impossible to cr
iouchkov Aug 26, 2005 2:02 AM
Hi All,
JBoss has a great feature to specify a custom login module for Data Sources via Security-Domains (Application-Policy). The modules so configured will be used by ds.createConnection(...) calls. It's excellent. There are three possibilities to configure each datasource:
<application-managed-security/>
<security-domain/>
and "mixed"
<security-domain-and-application>
The first two work excellently, but <security-domain-and-application> makes application login impossible when some domain is specified.
Here are my configuration files:
1. Domain Configuration:
<application-policy name = "DummyDomain">
<login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
<module-option name="principal">dummyuser</module-option>
<module-option name="user">dummy</module-option>
<module-option name="pass">user</module-option>
<module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=JBDB</module-option>
</login-module>
</application-policy>
So you can see it's just a dummy domain, which has some username/password configuration (not existing in the database) in this example, but it makes no difference which LoginModule is used.
2. DataSource Configuration:
<local-tx-datasource>
<jndi-name>JBDB</jndi-name>
<connection-url>jdbc:oracle:thin:@[...]:[...]</connection-url>
<driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
<security-domain-and-application>DummyDomain</security-domain-and-application>
<exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
<type-mapping>Oracle9i</type-mapping>
</local-tx-datasource>
As described in the documentation, and as I saw in the source code, it should work the following way:
1. It will use the "Domain Configuration" (the user configured in the Login-Module) for a ds.getConnection() call (w/o params)
2. It will use the "Application" configuration for ds.getConnection(userName, password) (by "application" I mean that the username/password parameters will be used instead of those configured in the LoginModule).
Bug Description:
Also on a ds.getConnection(userName, password) call, JBoss tries to make the connection with the credentials specified for the Security-Domain. So if we change <security-domain-and-application> to just <security-domain>, it makes no difference. Only the <application-managed-security/> setting makes "Application" work.
In other words, <security-domain-and-application> disables Application Login and does the same job as <security-domain>.
I debugged the source and probably found the place where it happens:
BaseWrapperManagedConnectionFactory:
    ...
    // Copy the configured connection properties; when a Subject is present, its
    // credentials decide and the method returns (or throws) here, before any
    // application-supplied user/password is looked at.
    Properties props = new Properties();
    props.putAll(connectionProps);
    if (subject != null)
    {
        if (SubjectActions.addMatchingProperties(subject, props, this) == true)
            return props;
        throw new JBossResourceException("No matching credentials in Subject!");
    }
    ...
But the subject is always created (possibly with null principals) if the DataSource has a security domain associated:
BaseConnectionManager2:
    ...
    private Subject getSubject()
    {
        Subject subject = null;
        // A Subject is created whenever a security domain is configured,
        // regardless of whether application credentials were passed in.
        if (securityDomain != null)
        {
            /* Authenticate using the caller info and obtain a copy of the Subject
               state for use in establishing a secure connection. A copy must be
               obtained to avoid problems with multiple threads associated with
               the same principal changing the state of the resulting Subject.
            */
            Principal principal = GetPrincipalAction.getPrincipal();
            Object credential = GetCredentialAction.getCredential();
            subject = new Subject();
            if (securityDomain.isValid(principal, credential, subject) == false)
            {
                throw new SecurityException("Invalid authentication attempt, principal=" + principal);
            } // end of if
        } // end of if ()
    ...
Or am I wrong, and it's not a bug but a feature? :-)
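The following is an added illustration, not JBoss code and not part of the post above: a small Java model of the two credential-selection orders the report contrasts. The class, method and field names (CredentialSelector, AppCredentials, selectAsReported, selectAsDocumented) are constructed for this example, and the Properties stand in for what SubjectActions.addMatchingProperties would pull from the Subject.

```java
import java.security.Principal;
import java.util.Properties;
import javax.security.auth.Subject;

/* Constructed model of the credential-selection path described in the bug report.
   Nothing here is a JBoss API; it only reproduces the ordering the post discusses. */
public class CredentialSelector {

    /** Stand-in for the user/password passed to ds.getConnection(user, pass). */
    public static final class AppCredentials {
        final String user, password;
        AppCredentials(String user, String password) { this.user = user; this.password = password; }
    }

    /** Mirrors BaseConnectionManager2.getSubject(): a Subject exists whenever a
        security domain is configured, even with no caller principal at all. */
    static Subject getSubject(boolean securityDomainConfigured, Principal caller) {
        if (!securityDomainConfigured) return null;
        Subject subject = new Subject();
        if (caller != null) subject.getPrincipals().add(caller);
        return subject;
    }

    /** Reported behaviour: a non-null Subject wins, so the application's
        credentials are never consulted once a domain is configured. */
    static Properties selectAsReported(Subject subject, AppCredentials app, Properties domainProps) {
        Properties props = new Properties();
        if (subject != null) { props.putAll(domainProps); return props; }   // Subject decides
        if (app != null) { props.put("user", app.user); props.put("password", app.password); }
        return props;
    }

    /** Behaviour the post expects from <security-domain-and-application>: explicit
        application credentials take precedence; the domain covers the no-arg call. */
    static Properties selectAsDocumented(Subject subject, AppCredentials app, Properties domainProps) {
        Properties props = new Properties();
        if (app != null) { props.put("user", app.user); props.put("password", app.password); return props; }
        if (subject != null) props.putAll(domainProps);
        return props;
    }

    public static void main(String[] args) {
        Properties domainProps = new Properties();           // DummyDomain's configured identity
        domainProps.put("user", "dummy");
        domainProps.put("password", "user");
        Subject subject = getSubject(true, null);            // domain configured, no caller principal
        AppCredentials app = new AppCredentials("appuser", "apppass"); // constructed sample values
        System.out.println("reported:   " + selectAsReported(subject, app, domainProps));
        System.out.println("documented: " + selectAsDocumented(subject, app, domainProps));
    }
}
```

Running main shows the first line still carrying the domain's dummy/user pair while the second carries the application's values, which is the difference the report describes.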