1 Reply Latest reply on Oct 26, 2005 10:57 AM by starksm64

    security bug in ws4ee

    dpocock


      Hi,

      I've just discovered this bug.

      I have two applications in JBoss. The first is lm.war, a web app. It contains users.properties and roles.properties files for the UsersRolesLoginModule.

      I also have an application called cm.ear. It contains a working WS4EE EJB Web service, cm.jar. cm.jar also contains users.properties and roles.properties.

      When I try to access the secured web service, the UsersRolesLoginModule authenticates me against the users in lm.war, rather than those in cm.jar. Is this some kind of classpath error?

      As a workaround, I am defining an individual login module in conf/login-config.xml, and using unique filenames instead of just users.properties and roles.properties. However, this is not ideal.

      Regards,

      Daniel
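
The workaround described in the post, sketched as a conf/login-config.xml fragment. This is an added example, not configuration from the original post: the domain names (lm-domain, cm-domain) and the property file names are assumptions chosen for illustration.

```xml
<!-- conf/login-config.xml (fragment). One application-policy per deployment,
     each pointing UsersRolesLoginModule at its own uniquely named files so
     that a lookup for one application cannot resolve to the other's copy. -->
<policy>

  <!-- Security domain for the web app lm.war (hypothetical name).
       lm.war would reference it from WEB-INF/jboss-web.xml as
       java:/jaas/lm-domain -->
  <application-policy name="lm-domain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- Hypothetical file names, packaged inside lm.war -->
        <module-option name="usersProperties">lm-users.properties</module-option>
        <module-option name="rolesProperties">lm-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- Security domain for the WS4EE EJB in cm.jar (hypothetical name).
       cm.jar would reference it from META-INF/jboss.xml as
       java:/jaas/cm-domain -->
  <application-policy name="cm-domain">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required">
        <!-- Hypothetical file names, packaged inside cm.jar -->
        <module-option name="usersProperties">cm-users.properties</module-option>
        <module-option name="rolesProperties">cm-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>

</policy>
```

With both deployments left on the default users.properties and roles.properties names, neither policy says which copy is meant; the usersProperties and rolesProperties options are what make the choice explicit.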