Wierd seucrity login module questions!!
My goal is to encrypt datasouce passwords in our current production system.
I followed the wiki and wrote a class (module) of my own. I've created (almost copied) the SecurityIdentityLoginModule to have properties such as pbePass, algo, salt and iterationCount configured.
I did the following:
- I've added the reference to the policy name in my *-ds.xml(see below)
- I've added the relevant bits in login-config.xml (see below)
- when I deploy I can see that the login module invoked is mine
However, I find these things intriguing:
- Although I have different applicaition-policy definitions for different daatasources, I can only see that my LoginModule being invoked just once! I am not sure why though - can any one explain to me if this is expected?
- Secondly if I have two datasouce definitions, one with XA and other non-XA, I can only see that the LoginModule is invoked just for Non-XA all the times. The XA version, looks like, doesn't do any authentication. I've tried to deploy just a single XA datasource and found that my LoginModule being not invoked. I am not sure why though. Is this expected, if yes, could you give me an explanation, if not, is this a bug?
- third, even if I change the password string to incorrect one deliberately, the second DS deployment doesn't complain!
Can someone throw few pointers, please?
Help/input much appreciated.
Thanks
/M
<<my datasouces>>
--------------------
<local-tx-datasource> <jndi-name>JMSDS</jndi-name> <connection-url>jdbc:sybase:Tds:myhost:4100/MyDbMS</connection-url> <driver-class>com.sybase.jdbc3.jdbc.SybDataSource</driver-class> <use-java-context>true</use-java-context> <security-domain>JMSDSEncryptionPolicy</security-domain> <check-valid-connection-sql>SELECT @@VERSION</check-valid-connection-sql> <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.SybaseExceptionSorter</exception-sorter-class-name> <metadata> <type-mapping>Sybase</type-mapping> </metadata> </local-tx-datasource> <xa-datasource> <jndi-name>JMSXADS</jndi-name> <use-java-context>false</use-java-context> <security-domain>JMSDSEncryptionPolicy</security-domain> <xa-datasource-class>com.sybase.jdbc3.jdbc.SybXADataSource</xa-datasource-class> <xa-datasource-property name="DatabaseName">mydb</xa-datasource-property> <xa-datasource-property name="ServerName">myserver</xa-datasource-property> <xa-datasource-property name="PortNumber">4100</xa-datasource-property> <check-valid-connection-sql>SELECT @@VERSION</check-valid-connection-sql> <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.SybaseExceptionSorter</exception-sorter-class-name> <metadata> <type-mapping>Sybase</type-mapping> </metadata> </xa-datasource>
<<my login-config.xml >>
-----------------------
<application-policy name = "JMSDSEncryptionPolicy"> <authentication> <login-module code = "com.cmi2.framework.security.SecureLoginModule" flag = "required"> <module-option name = "username">cmi2Trade01</module-option> <module-option name = "password">4d85a83e922ac8bed6cfd1f9898f3b42</module-option> <module-option name = "pbeAlgo">Blowfish</module-option> <module-option name = "pbePass">CMI2 is evolving</module-option> <module-option name = "securePropertiesFile">secure.properties.file</module-option> <module-option name = "policyName">JMSDSEncryptionPolicy</module-option> <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=JMSDS</module-option> </login-module> </authentication> </application-policy> <application-policy name = "EAIDSEncryptionPolicy"> <authentication> <login-module code = "com.cmi2.framework.security.SecureLoginModule" flag = "required"> <module-option name = "username">cmi2Trade01</module-option> <module-option name = "password">4d85a83e922ac8bed6cfd1f9898f3b42</module-option> <module-option name = "pbeAlgo">Blowfish</module-option> <module-option name = "pbePass">CMI2 is evolving</module-option> <module-option name = "securePropertiesFile">secure.properties.file</module-option> <module-option name = "policyName">CMITrade01EAIDSEncryptionPolicy</module-option> <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=CMITrade01EAIDS</module-option> </login-module> </authentication> </application-policy>