2 Replies Latest reply on Jan 17, 2003 3:04 PM by Peter Doornbosch

    Security issue Using JBoss/JAAS

    Joacim Larsson Newbie

      I'm using JBoss 3.0.4 + Jetty.

      My application uses JAAS to allow users to login from the Web.
      While developing the application I found something that I didn't think of as a problem by then:

      I'm logged in to the application from one web browser, let's say as user AAAA.
      Then I bring up another browser, and when hitting the login button on my page that user is automatically authenticated as AAAA without having to type in any username or password.

      I thought this had something to do with my way of running everything in one box, so I didn't bother until now, when the application is in production.

      A user of my application says he is logging in to the application without entering a password. The user he is authenticated as is the user of a colleague a few rooms away at the same company. I assume these people use the same external IP and that's why the problem appears.

      Now, how can I prevent JBoss/Jetty from caching this information? Or is it a bug?

      Thanks a thousand times for any help.

        • 1. Re: Security issue Using JBoss/JAAS
          Mervin Williams Newbie

          Since you're using JAAS, are you starting JBoss with a Security Manager? If so, what are the permissions that you have granted in your policy files?

          I'm trying to get JBoss to launch with a security manager, and have updated my was.profile with the permissions indicated in the Admin & Dev guide as the default, and have included all permissions indicated on the command line during startup. But I eventually run into a NullPointerException.

          Any help would be greatly appreciated!

          • 2. Re: Security issue Using JBoss/JAAS
            Peter Doornbosch Apprentice

            > My application uses JAAS to allow users to login from
            > the Web.
            > I'm logged in to the application from one web
            > browser, let's say as user AAAA.
            > Then I bring up another browser, and when hitting the
            > login button on my page that user is automatically
            > authenticated as AAAA without having to type in any
            > username or password.

            It sounds to me like you are using the ClientLoginModule, are you? That is of very little use in the context of web applications... Please give some more info on what you did. If you are using standard web authentication this should not happen...


            > A user of my application says he is logging in to the
            > application without entering a password. The user he
            > is authenticated as is the user of a colleague a few
            > rooms away at the same company. I assume these people
            > use the same external IP and that's why the problem
            > appears.

            That is very unlikely: web containers distinguish requests from different users using session IDs; it has nothing to do with IP addresses.

            Cheers
            Peter.
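As an added illustration of the container-managed ("standard web") authentication Peter recommends, and not configuration from the original thread: the deployment descriptors that let the web container perform the login and bind the authenticated principal to the browser's own session, instead of a servlet calling a LoginContext with ClientLoginModule. The role name, URL patterns, login pages and the security domain name `my-web-app` are assumptions.

```xml
<!-- WEB-INF/web.xml (fragment): the container performs the login and ties the
     result to the caller's HTTP session. No servlet code calls LoginContext or
     ClientLoginModule, so nothing is left behind in server-side state for the
     next request to inherit. Role, URL and page names are assumptions. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Application</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Application</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-failed.jsp</form-error-page>
  </form-login-config>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>

<!-- WEB-INF/jboss-web.xml: bind the web application to a JAAS security domain
     (the name is an assumption) configured in conf/login-config.xml. -->
<jboss-web>
  <security-domain>java:/jaas/my-web-app</security-domain>
</jboss-web>

<!-- conf/login-config.xml (fragment): a server-side login module for that
     domain. UsersRolesLoginModule reads users.properties and roles.properties
     from the deployment classpath; any server-side module fits here, but not
     ClientLoginModule, which only records the caller identity that outbound
     EJB calls should carry and does not authenticate web users. -->
<application-policy name="my-web-app">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required" />
  </authentication>
</application-policy>
```

With this in place each browser gets its own session cookie after a successful form login, so a second browser on the same machine (or the same external IP) is challenged for credentials rather than inheriting another user's identity.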