5 Replies Latest reply on Mar 15, 2004 11:45 AM by Scott Stark

    configuring UsersPassword login module

    Tomasz Gil Newbie

      I am interested in using the UsersPassword login module for many servlets and EJBs. I don't want the users/roles.properties data deployed together with the .ear files. It seems that under 3.2.0 and 3.2.1 it was possible to place these .properties files under server/default/conf. It does not work under 3.2.2 any more. Should I specify the files under a policy in login-config.xml with absolute paths? Or relative to installation root?

      Thanks

      -Tgil

        • 1. Re: configuring UsersPassword login module
          Scott Stark Master

          Works fine for me. I have moved the files to the conf directory, renamed them jmx-users.properties, jmx-roles.properties to make sure only these would be used, and secured the jmx-console using the following login-config.xml entry:

           <application-policy name = "jmx-console">
             <authentication>
               <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                             flag = "required">
                 <module-option name = "usersProperties">jmx-users.properties</module-option>
                 <module-option name = "rolesProperties">jmx-roles.properties</module-option>
               </login-module>
             </authentication>
           </application-policy>
          


          Enable trace level logging of the org.jboss.security layer to see which properties files the UsersRolesLoginModule is using:
           <!-- conf/log4j.xml fragment -->
           <category name="org.jboss.security">
             <priority value="TRACE" class="org.jboss.logging.XLevel"/>
           </category>
          


          When I access the jmx-console the log shows the files in conf are used:
          2004-03-14 07:32:51,896 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
          2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/cvs/Releases/jboss-3.2.2/server/jmxconsole/conf/jmx-users.properties
          2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/C:/cvs/Releases/jboss-3.2.2/server/jmxconsole/conf/jmx-roles.properties
          2004-03-14 07:32:51,906 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
          



          • 2. Re: configuring UsersPassword login module
            Tomasz Gil Newbie

            Thanks for testing instructions. However, the results are not good. I hid away the users/roles.properties under jmx-console.war and configured the entry in login-config.xml like so:

            <application-policy name = "jmx-console">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
             <module-option name="usersProperties">g-users.properties</module-option>
             <module-option name="rolesProperties">g-roles.properties</module-option>
             </authentication>
             </application-policy>

            The files g-* are under conf and my other servlets, which do not contain their own users/roles, find them and work right. The jmx-console does this:
            2004-03-14 21:02:10,375 INFO [org.jboss.security.plugins.JaasSecurityManagerService] Added jmx-console, org.jboss.security.plugins.SecurityDomainContext@428527 to map
            2004-03-14 21:02:10,376 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] getAppConfigurationEntry, authInfo=AppConfigurationEntry[]:
            [0]
            LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
            ControlFlag: LoginModuleControlFlag: required
            Options:
            2004-03-14 21:02:10,445 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize
            2004-03-14 21:02:10,451 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/space/d/home/jboss/jboss-3.2.2/server/default/tmp/deploy/tmp9308web-console.war/WEB-INF/classes/users.properties
            2004-03-14 21:02:10,456 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/space/d/home/jboss/jboss-3.2.2/server/default/tmp/deploy/tmp9308web-console.war/WEB-INF/classes/roles.properties
            2004-03-14 21:02:10,456 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] login
            2004-03-14 21:02:10,457 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=admin
            2004-03-14 21:02:10,457 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
            2004-03-14 21:02:10,458 DEBUG [org.jboss.security.plugins.JaasSecurityManager.jmx-console] Login failure


            The files under tmp are dated June 2003, belong to web-console and contain a trivial admin password.
            So the jmx-console login config does not find the authentication resource under "deploy" and so it goes out for some file I don't know where it came from. I think JBoss is following here some unspecified chain of defaults quite against the stated configuration policy and it is introducing a security hole.

            Thanks for your attention

            • 3. Re: configuring UsersPassword login module
              Scott Stark Master

              Your login-config.xml is invalid. The module-option elements need to be child elements of login-module. Just indenting them does not make this so.
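
The misplacement described in reply 3 can be caught before deployment. The following is an added example, not code from the thread or from JBoss: a small lint for login-config.xml that flags module-option elements sitting outside login-module and a UsersRolesLoginModule left without usersProperties/rolesProperties. The enclosing `<policy>` root and both sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample reproducing the mistake from reply 2: login-module is
# self-closed, so the module-option elements are its siblings, not children.
BROKEN = """
<policy>
  <application-policy name="jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                    flag="required" />
      <module-option name="usersProperties">g-users.properties</module-option>
      <module-option name="rolesProperties">g-roles.properties</module-option>
    </authentication>
  </application-policy>
</policy>
"""

# Same policy with the options nested where the module will read them.
FIXED = BROKEN.replace('flag="required" />', 'flag="required">').replace(
    "</module-option>\n    </authentication>",
    "</module-option>\n      </login-module>\n    </authentication>")

def lint_login_config(xml_text):
    """Return a list of (policy_name, problem) for misplaced or missing options."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("application-policy"):
        name = policy.get("name", "?")
        for auth in policy.iter("authentication"):
            # A module-option directly under authentication is never read.
            for stray in auth.findall("module-option"):
                findings.append((name, "stray module-option '%s' outside login-module"
                                 % stray.get("name")))
            for module in auth.findall("login-module"):
                opts = {o.get("name") for o in module.findall("module-option")}
                if module.get("code", "").endswith("UsersRolesLoginModule"):
                    for required in ("usersProperties", "rolesProperties"):
                        if required not in opts:
                            findings.append((name, "%s not set; module falls back "
                                             "to its default file name" % required))
    return findings

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, lint_login_config(text))
```

The empty `Options:` line in the trace output of reply 2 is the runtime symptom of the same condition this lint reports statically.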

              • 4. Re: configuring UsersPassword login module
                Tomasz Gil Newbie

                Sorry. Making an invalid XML element in login-config.xml was not intentional.
                Still - it bothers me that when the authentication resource is not found JBoss goes out and authenticates against some extraneous data.

                • 5. Re: configuring UsersPassword login module
                  Scott Stark Master

                  Then read about configuration of the class loader architecture to see the options for deployment visibility. There is an excerpt from the 3.0.7 admin/devl guide here:
                  http://sourceforge.net/docman/display_doc.php?docid=14516&group_id=22866