1 Reply Latest reply on Aug 28, 2005 12:14 PM by Scott Stark

    Bug: <security-domain-and-application> make impossible to cr

    Vadim Iouchkov Newbie

      Hi All,

      JBoss has a great feature for specifying a custom login module for data sources via security domains (application-policy). Modules configured this way will be used by ds.CreateConnection(...) calls. It's excellent. There are three possibilities for configuring each datasource:
      and "mixed"

      The first two work excellently, but <security-domain-and-application> makes application login impossible when some domain is specified.

      These are my configuration files:

      1. Domain Configuration:

      <application-policy name="DummyDomain">
        <authentication>
          <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
            <module-option name="principal">dummyuser</module-option>
            <module-option name="user">dummy</module-option>
            <module-option name="pass">user</module-option>
            <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=JBDB</module-option>
          </login-module>
        </authentication>
      </application-policy>


      So you can see it's just a dummy domain, which has some username/password configuration (nonexistent in the database) in this example, but it makes no sense which LoginModule is used.

      2. DataSource Configuration:




      As described in the documentation, and as I saw in the source code, it should work the following way:

      1. It will use the "Domain Configuration" (the user configured in the login module) for a ds.GetConnection() call (without parameters).

      2. It will use the "Application" configuration for a ds.GetConnection(userName, password) call (by "application" I mean that the username/password parameters will be used instead of those configured in the LoginModule).

      Bug Description:

      Also for a ds.GetConnection(userName, password) call, JBoss tries to make the connection with the credentials specified for the security domain. So if we change <security-domain-and-application> to just <security-domain>, it will make no difference. Only the <application-managed-security/> setting makes "Application" work.

      In other words, <security-domain-and-application> disables application login and does the same job as <security-domain>.

      I debugged the source and probably found the place where it happens:


      Properties props = new Properties();
      if (subject != null)
      {
         // With a Subject present, only credentials found in it are accepted
         if (SubjectActions.addMatchingProperties(subject, props, this) == true)
            return props;
         throw new JBossResourceException("No matching credentials in Subject!");
      }

      But the subject is always created (possibly with null principals) if the DataSource has a security domain associated:


      private Subject getSubject()
      {
         Subject subject = null;
         if (securityDomain != null)
         {
            /* Authenticate using the caller info and obtain a copy of the Subject
               state for use in establishing a secure connection. A copy must be
               obtained to avoid problems with multiple threads associated with
               the same principal changing the state of the resulting Subject.
            */
            Principal principal = GetPrincipalAction.getPrincipal();
            Object credential = GetCredentialAction.getCredential();
            subject = new Subject();
            if (securityDomain.isValid(principal, credential, subject) == false)
            {
               throw new SecurityException("Invalid authentication attempt, principal=" + principal);
            } // end of if
         } // end of if ()
         return subject;
      }

      Or am I wrong, and it's not a bug but a feature? :-)

        • 1. Re: Bug: <security-domain-and-application> make impossible t
          Scott Stark Master

          The security domain login module is always used. The description states that the difference from the security-domain option is that some additional application data affects the pooled subject:

          uses the identified login module configured in conf/login-module.xml AND other connection request information supplied by the application, e.g. queue or topic in JMS

          What you are looking for is a security-domain-or-application which does not exist.
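
Added illustration, not part of either post and not JBoss source code: a simplified Java model of the behaviour described in this thread, showing that under <security-domain-and-application> the application-supplied pair changes only which sub-pool is used, while the login module's identity is what reaches the database. The class, enum and record names, the pool-key strings, the fallback to the application pair when no Subject exists, and the `appUser`/`appSecret` values are assumptions made for the example.

```java
import java.util.Properties;

// Simplified model of the behaviour discussed in this thread; NOT JBoss source code.
public class SecurityDomainModel {

    enum Mode { APPLICATION_MANAGED_SECURITY, SECURITY_DOMAIN, SECURITY_DOMAIN_AND_APPLICATION }

    // Hypothetical stand-in for the password credential a login module puts in the Subject.
    record Identity(String user, String password) {}

    // Which identity reaches the database: a non-null Subject always wins,
    // as in the check quoted in the first post.
    static Properties connectionProperties(Mode mode, Identity domain, Identity app) {
        // A Subject exists whenever the datasource names a security domain.
        Identity subject = (mode == Mode.APPLICATION_MANAGED_SECURITY) ? null : domain;
        // Assumption: the application pair is consulted only when there is no Subject.
        Identity chosen = (subject != null) ? subject : app;
        Properties props = new Properties();
        if (chosen != null) {
            props.setProperty("user", chosen.user());
            props.setProperty("password", chosen.password());
        }
        return props;
    }

    // What separates sub-pools: in the "and-application" mode the application data
    // is part of the key, but it plays no part in authentication.
    static String poolKey(Mode mode, Identity domain, Identity app) {
        switch (mode) {
            case APPLICATION_MANAGED_SECURITY: return "cri=" + app.user();
            case SECURITY_DOMAIN:              return "subject=" + domain.user();
            default:                           return "subject=" + domain.user() + ",cri=" + app.user();
        }
    }

    public static void main(String[] args) {
        Identity domain = new Identity("dummy", "user");     // values from the DummyDomain policy above
        Identity app = new Identity("appUser", "appSecret"); // constructed sample values
        for (Mode mode : Mode.values()) {
            Properties p = connectionProperties(mode, domain, app);
            System.out.printf("%-32s db user=%-8s pool key=%s%n",
                    mode, p.getProperty("user"), poolKey(mode, domain, app));
        }
    }
}
```

Running it prints `appUser` as the database user only for APPLICATION_MANAGED_SECURITY; both security-domain modes connect as `dummy`.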