1 Reply Latest reply on Aug 28, 2005 12:14 PM by Scott Stark

    Bug: <security-domain-and-application> make impossible to cr

    Vadim Iouchkov Newbie

      Hi All,

JBoss has a great feature to specify a custom login module for Data Sources via Security-Domains (Application-Policy). The modules so configured are used by ds.CreateConnection(...) calls. It's excellent. There are three possibilities to configure each datasource:
      <application-managed-security/>
      <security-domain/>
      and "mixed"
      <security-domain-and-application>

The first two work excellently, but <security-domain-and-application> makes application login impossible when a domain is specified.

These are my configuration files:

      1. Domain Configuration:


      <application-policy name = "DummyDomain">
        <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
          <module-option name="principal">dummyuser</module-option>
          <module-option name="user">dummy</module-option>
          <module-option name="pass">user</module-option>
          <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=JBDB</module-option>
        </login-module>
      </application-policy>


So you can see it's just a dummy domain, which has some username/password configuration (nonexistent in the database) in this example, but it makes no difference which LoginModule is used.

      2. DataSource Configuration:

      <local-tx-datasource>
        <jndi-name>JBDB</jndi-name>
        <connection-url>jdbc:oracle:thin:@[...]:[...]</connection-url>
        <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
        <security-domain-and-application>DummyDomain</security-domain-and-application>
        <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
        <type-mapping>Oracle9i</type-mapping>
      </local-tx-datasource>



As described in the documentation and as I saw in the source code, it should work the following way:

1. It will use the "Domain Configuration" (the user configured in the Login-Module) for the ds.GetConnection() call (without params).

2. It will use the "Application" configuration for ds.GetConnection(userName, password) (by "application" I mean that the username/password parameters will be used instead of the ones configured in the LoginModule).

      Bug Description:

Even for the ds.GetConnection(userName, password) call, JBoss tries to make the connection with the credentials specified for the Security-Domain. So if we change <security-domain-and-application> to just <security-domain>, it makes no difference. Only the <application-managed-security/> setting makes "Application" work.

In other words, <security-domain-and-application> disables Application Login and does the same job as <security-domain>.

I debugged the source and probably found the place where it happens:

BaseWrapperManagedConnectionFactory:

      ...
      // Build the connection properties: the configured properties first,
      // then (when a Subject exists) the credentials carried in the Subject.
      Properties props = new Properties();
      props.putAll(connectionProps);
      if (subject != null)
      {
         // The Subject's credentials are used; the user/password passed
         // by the application is not consulted on this path.
         if (SubjectActions.addMatchingProperties(subject, props, this) == true)
            return props;
         throw new JBossResourceException("No matching credentials in Subject!");
      }
      ...


But a subject is always created (possibly with null principals) if the DataSource has a security domain associated:

      BaseConnectionManager2:

      ...
      private Subject getSubject()
      {
         Subject subject = null;
         // A Subject is built whenever a security domain is configured,
         // regardless of whether the caller supplied its own user/password.
         if (securityDomain != null)
         {
            /* Authenticate using the caller info and obtain a copy of the Subject
               state for use in establishing a secure connection. A copy must be
               obtained to avoid problems with multiple threads associated with
               the same principal changing the state of the resulting Subject.
            */
            Principal principal = GetPrincipalAction.getPrincipal();
            Object credential = GetCredentialAction.getCredential();
            subject = new Subject();
            if (securityDomain.isValid(principal, credential, subject) == false)
            {
               throw new SecurityException("Invalid authentication attempt, principal=" + principal);
            } // end of if
         } // end of if ()
      ...



Or am I wrong, and it's not a bug but a feature? :-)

        • 1. Re: Bug: <security-domain-and-application> make impossible t
          Scott Stark Master

          The security domain login module is always used. The description states that the difference from the security-domain option is that some additional application data affects the pooled subject:

          uses the identified login module configured in conf/login-module.xml AND other connection request information supplied by the application, e.g. queue or topic in JMS


          What you are looking for is a security-domain-or-application which does not exist.
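The following is an added illustration, not JBoss code and not code from either poster: a small stand-alone Java model of the credential resolution the thread describes. The class and method names (DataSourceCredentialResolution, resolve, DomainIdentity, AppCredentials, SecurityMode) are hypothetical; "dummy"/"user" are the values from the DummyDomain policy above, and "appuser"/"apppass" are constructed sample values. It mirrors the two observations in the thread: a Subject is created whenever a security domain is configured, and when a Subject exists its credentials are used, so the user/password passed to getConnection(user, password) only takes effect under application-managed-security.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Hypothetical model (not JBoss source) of how a JCA connection manager picks
 * the database credentials for a new physical connection under the three
 * datasource security settings discussed in the thread.
 */
public class DataSourceCredentialResolution {

    /** The three <...-datasource> security settings from the thread. */
    enum SecurityMode { APPLICATION_MANAGED, SECURITY_DOMAIN, SECURITY_DOMAIN_AND_APPLICATION }

    /** Stand-in for the identity a ConfiguredIdentityLoginModule places into the Subject. */
    static final class DomainIdentity {
        final String user;
        final String password;
        DomainIdentity(String user, String password) { this.user = user; this.password = password; }
    }

    /** Stand-in for the ConnectionRequestInfo built from ds.getConnection(user, password). */
    static final class AppCredentials {
        final String user;
        final String password;
        AppCredentials(String user, String password) { this.user = user; this.password = password; }
    }

    /**
     * Resolve the credentials used to open the physical connection.
     *
     * @param mode   the datasource security setting
     * @param domain identity from the security domain's login module (null if none configured)
     * @param app    credentials supplied by the application call (null for getConnection())
     */
    static Map<String, String> resolve(SecurityMode mode, DomainIdentity domain, AppCredentials app) {
        Map<String, String> props = new HashMap<>();

        // As in BaseConnectionManager2.getSubject(): a Subject exists whenever a
        // security domain is configured, i.e. in both security-domain modes.
        boolean subjectPresent = mode != SecurityMode.APPLICATION_MANAGED;

        if (subjectPresent) {
            // As in the managed connection factory excerpt: with a Subject present,
            // its credentials win and the application's user/password is not consulted.
            if (domain == null) {
                throw new IllegalStateException("No matching credentials in Subject!");
            }
            props.put("user", domain.user);
            props.put("password", domain.password);
            // Under security-domain-and-application, other request information
            // (e.g. a JMS queue or topic, per the reply above) would be merged here;
            // it does not change the identity used for the connection.
            return props;
        }

        // application-managed-security: no Subject, so the caller's credentials are used.
        if (app != null) {
            props.put("user", app.user);
            props.put("password", app.password);
        }
        return props;
    }

    public static void main(String[] args) {
        DomainIdentity dummyDomain = new DomainIdentity("dummy", "user");        // values from DummyDomain above
        AppCredentials caller = new AppCredentials("appuser", "apppass");        // constructed sample values

        for (SecurityMode mode : SecurityMode.values()) {
            DomainIdentity domain = (mode == SecurityMode.APPLICATION_MANAGED) ? null : dummyDomain;
            System.out.println(mode + "  getConnection()           -> " + resolve(mode, domain, null));
            System.out.println(mode + "  getConnection(user, pass) -> " + resolve(mode, domain, caller));
        }
    }
}
```

Running the main method shows the behaviour the thread reports: in both SECURITY_DOMAIN and SECURITY_DOMAIN_AND_APPLICATION the resolved user is the domain's "dummy" for both call forms, while only APPLICATION_MANAGED resolves to the caller-supplied "appuser". From a least-privilege standpoint this matters when the intent is per-user database identities: with a security domain configured, every pooled connection carries the single configured identity, so per-user authorization has to be enforced elsewhere.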