0 Replies Latest reply on Jul 6, 2007 10:42 AM by mskonda

    Weird security login module questions!!

    mskonda Apprentice

      My goal is to encrypt datasource passwords in our current production system.

      I followed the wiki and wrote a class (module) of my own. I've created (almost copied) the SecurityIdentityLoginModule to have properties such as pbePass, algo, salt and iterationCount configured.

      I did the following:

      - I've added the reference to the policy name in my *-ds.xml (see below)
      - I've added the relevant bits in login-config.xml (see below)
      - when I deploy I can see that the login module invoked is mine

      However, I find these things intriguing:

      - Although I have different application-policy definitions for different datasources, I can only see my LoginModule being invoked just once! I am not sure why though - can anyone explain to me if this is expected?

      - Secondly, if I have two datasource definitions, one XA and the other non-XA, I can only see that the LoginModule is invoked for the non-XA one all the time. The XA version, it looks like, doesn't do any authentication. I've tried to deploy just a single XA datasource and found that my LoginModule was not invoked. I am not sure why though. Is this expected? If yes, could you give me an explanation; if not, is this a bug?

      - Third, even if I deliberately change the password string to an incorrect one, the second DS deployment doesn't complain!

      Can someone throw a few pointers, please?

      Help/input much appreciated.

      Thanks
      /M
      <<my datasources>>
      --------------------

       <local-tx-datasource>
         <jndi-name>JMSDS</jndi-name>
         <connection-url>jdbc:sybase:Tds:myhost:4100/MyDbMS</connection-url>
         <driver-class>com.sybase.jdbc3.jdbc.SybDataSource</driver-class>
         <use-java-context>true</use-java-context>
         <security-domain>JMSDSEncryptionPolicy</security-domain>
         <check-valid-connection-sql>SELECT @@VERSION</check-valid-connection-sql>
         <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.SybaseExceptionSorter</exception-sorter-class-name>
         <metadata>
           <type-mapping>Sybase</type-mapping>
         </metadata>
       </local-tx-datasource>

       <xa-datasource>
         <jndi-name>JMSXADS</jndi-name>
         <use-java-context>false</use-java-context>
         <security-domain>JMSDSEncryptionPolicy</security-domain>
         <xa-datasource-class>com.sybase.jdbc3.jdbc.SybXADataSource</xa-datasource-class>
         <xa-datasource-property name="DatabaseName">mydb</xa-datasource-property>
         <xa-datasource-property name="ServerName">myserver</xa-datasource-property>
         <xa-datasource-property name="PortNumber">4100</xa-datasource-property>
         <check-valid-connection-sql>SELECT @@VERSION</check-valid-connection-sql>
         <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.SybaseExceptionSorter</exception-sorter-class-name>
         <metadata>
           <type-mapping>Sybase</type-mapping>
         </metadata>
       </xa-datasource>

      <<my login-config.xml >>
      -----------------------

       <application-policy name="JMSDSEncryptionPolicy">
         <authentication>
           <login-module code="com.cmi2.framework.security.SecureLoginModule" flag="required">
             <module-option name="username">cmi2Trade01</module-option>
             <module-option name="password">4d85a83e922ac8bed6cfd1f9898f3b42</module-option>
             <module-option name="pbeAlgo">Blowfish</module-option>
             <module-option name="pbePass">CMI2 is evolving</module-option>
             <module-option name="securePropertiesFile">secure.properties.file</module-option>
             <module-option name="policyName">JMSDSEncryptionPolicy</module-option>
             <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=JMSDS</module-option>
           </login-module>
         </authentication>
       </application-policy>

       <application-policy name="EAIDSEncryptionPolicy">
         <authentication>
           <login-module code="com.cmi2.framework.security.SecureLoginModule" flag="required">
             <module-option name="username">cmi2Trade01</module-option>
             <module-option name="password">4d85a83e922ac8bed6cfd1f9898f3b42</module-option>
             <module-option name="pbeAlgo">Blowfish</module-option>
             <module-option name="pbePass">CMI2 is evolving</module-option>
             <module-option name="securePropertiesFile">secure.properties.file</module-option>
             <module-option name="policyName">CMITrade01EAIDSEncryptionPolicy</module-option>
             <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=CMITrade01EAIDS</module-option>
           </login-module>
         </authentication>
       </application-policy>
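The post describes a custom login module that takes pbePass, pbeAlgo, salt and iterationCount options and decrypts the hex-encoded password option before handing it to the connection factory. The class below is an added illustration of that password-based scheme, written for this page; it is not the poster's SecureLoginModule, not JBoss code, and the class name PbePasswordCodec, the use of PBKDF2 for key derivation, CBC mode with a random IV, and all sample values are assumptions of the example. It uses only the JDK's javax.crypto API, so it compiles and runs without JBoss on the classpath.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical helper for the pbePass / pbeAlgo / salt / iterationCount scheme
 * the post describes. Added example, not the poster's module or JBoss code.
 */
public final class PbePasswordCodec {
    private static final int KEY_BITS = 128;   // Blowfish accepts 32..448-bit keys
    private static final int BLOCK_BYTES = 8;  // Blowfish block size, also the IV length

    private final String cipherAlgo;           // value of the "pbeAlgo" option, e.g. "Blowfish"
    private final SecretKey key;

    public PbePasswordCodec(char[] pbePass, String cipherAlgo, byte[] salt, int iterationCount)
            throws Exception {
        this.cipherAlgo = cipherAlgo;
        // Derive the cipher key from the passphrase with PBKDF2 so that the
        // configured salt and iteration count actually take effect.
        PBEKeySpec spec = new PBEKeySpec(pbePass, salt, iterationCount, KEY_BITS);
        SecretKeyFactory kdf = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1");
        byte[] raw = kdf.generateSecret(spec).getEncoded();
        spec.clearPassword();
        this.key = new SecretKeySpec(raw, cipherAlgo);
    }

    /** Encrypts a datasource password; returns hex(iv || ciphertext) for the "password" option. */
    public String encrypt(String plaintext) throws Exception {
        byte[] iv = new byte[BLOCK_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance(cipherAlgo + "/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return toHex(out);
    }

    /** Reverses encrypt(); this is what a login module would do with the "password" option. */
    public String decrypt(String hex) throws Exception {
        byte[] in = fromHex(hex);
        if (in.length < BLOCK_BYTES) throw new IllegalArgumentException("ciphertext too short");
        Cipher c = Cipher.getInstance(cipherAlgo + "/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(in, 0, BLOCK_BYTES));
        byte[] pt = c.doFinal(in, BLOCK_BYTES, in.length - BLOCK_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    static byte[] fromHex(String s) {
        if (s.length() % 2 != 0) throw new IllegalArgumentException("odd-length hex");
        byte[] b = new byte[s.length() / 2];
        for (int i = 0; i < b.length; i++) {
            b[i] = (byte) Integer.parseInt(s.substring(2 * i, 2 * i + 2), 16);
        }
        return b;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values for the demonstration only.
        char[] pbePass = "example passphrase".toCharArray();
        byte[] salt = "8-bytes!".getBytes(StandardCharsets.US_ASCII);
        PbePasswordCodec codec = new PbePasswordCodec(pbePass, "Blowfish", salt, 10000);

        String encrypted = codec.encrypt("db-secret");
        System.out.println("password module-option value: " + encrypted);
        String roundTrip = codec.decrypt(encrypted);
        if (!"db-secret".equals(roundTrip)) throw new AssertionError("round trip failed");
        System.out.println("decrypted OK");
    }
}
```

Two design points differ from the configuration shown in the post. A wrong passphrase, salt or iteration count makes decrypt() fail on padding rather than silently yielding garbage, which is the behaviour a module should surface as a LoginException so that a bad password option is noticed at deployment time. And because the ciphertext in the "password" option is only as secret as the pbePass that unlocks it, the example takes the passphrase as a char[] so it can be supplied from a restricted-permission file or system property instead of being stored in plaintext beside the ciphertext in login-config.xml.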