1 Reply Latest reply on Sep 3, 2005 11:57 PM by Scott Stark

    possible expliot with database login module?

    kookywon Newbie

      We're trying to determine if we have a cross site scripting issue with the database login module. We're using jboss 3.2.6. Here's what we've been seeing: A user authenticates by form based authenication with the DatabaseServerLoginModule. During the login process we display the username/roles. This particular user shows a username of 'Roles' and the correct role to access the site. However, there is no username of 'Roles' in the database. When we try to create our user object we get a null pointer exception. Almost immediately after this we'll see the following error in the logs:

      2005-08-29 10:53:17,408 ERROR [org.apache.struts.action.RequestProcessor] Invalid path /secure/j_security_check was requested

      I'm sure that we can catch the null pointer and send the user to the logout page so that they can't access pages within the site. However, I'm wondering how the user is authenticating with the container without a valid username and password.

      here is the configuration in login-config.xml

      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag = "required">
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       <module-option name = "dsJndiName">java:/MySqlDS</module-option>
       <module-option name = "principalsQuery">select password from employer_info where FEIN=?</module-option>
       <module-option name = "rolesQuery">select role, 'Roles' from employer_info where FEIN=?</module-option>