1 Reply Latest reply on Oct 26, 2005 10:57 AM by Scott Stark

    security bug in ws4ee

    dpocock Newbie


      Hi,

      I've just discovered this bug.

      I have two applications in JBoss. The first is lm.war, a web app. It contains users.properties and roles.properties files for the UsersRolesLoginModule.

      I also have an application call cm.ear. It contains a working WS4EE EJB Web service, cm.jar. cm.jar also contains users.properties and roles.properties

      When I try to access the secured web service, the UsersRolesLoginModule authenticates me against the users in lm.war, rather than those is cm.jar. Is this some kind of classpath error?

      As a work around, I am defining an individual login module in conf/login-config.xml, and using unique filenames instead of just users.properties and roles.properties. However, this is not ideal.

      Regards,

      Daniel