2 Replies Latest reply on Apr 18, 2003 5:07 PM by Benjamin Walstrum

    Firebird security domain problem

    Benjamin Walstrum Newbie

      Hello everyone -

      I am migrating from 3.0.4 to 3.2.0, and am trying to get my datasources set up. I am using FireBird, and as such have switched from using firebird-service.xml to firebird-ds.xml to configure my Firebird datasource. It should be noted that we originally were using an Interbase client, and that is why the datasource is named InterbaseDS.

      Here's my firebird-ds.xml:

      <connection-factories>
      <tx-connection-factory>
      <jndi-name>InterbaseDS</jndi-name>
      <xa-transaction />
      <adapter-display-name>Firebird Database Connector</adapter-display-name>
      <config-property name="Database" type="java.lang.String">devserv01/3050:E:/devdb/java/dev_integration2/thgg101.gdb</config-property>
      <!--
      <user-name>SYSDBA</user-name>
      password
      -->
      <min-pool-size>0</min-pool-size>
      <security-domain>FirebirdDBRealm</security-domain>
      </tx-connection-factory>
      </connection-factories>

      I have gotten everything to work fine using the and fields in the firebird-ds.xml file, but I actually would like to use a security realm set up in login-config.xml. The reason for this is that we have a ConfiguredIdentityLoginModule that supports encryption of the username and password, which is required for our project. Right now I am trying to get an unencrypted username and password to work correctly, but to no avail. I believe that the problem resides in the "managedConnectionFactoryName" module-option, because it complains in the logs that it doesn't exist. Unfortunately, I have no clue what the correct value should be. I see a lot of example realms with different values, but no explanation.

      Here's my realm from the login-config.xml:

      <application-policy name="FirebirdDBRealm">

      <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
      <module-option name="principal">guest</module-option>
      <module-option name="userName">SYSDBA</module-option>
      <module-option name="password">password</module-option>
      <module-option name="managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=InterbaseDS</module-option>
      </login-module>

      </application-policy>

      If anyone has thoughts on what I have misconfigured I would greatly appreciate any input!!

      Thanks.

      Ben

        • 1. Re: Firebird security domain problem
          David Jencks Master

          I think you want the mcf name to be

          jboss.jca:service=TxCM,name=InterbaseDS

          To be sure, look in jmx-console.

          Would you be interested and/or able to contribute the ConfiguredIdentity login module? Periodically people ask for this. Have you found a way to provide any real security or is it basically just obscured?

          • 2. Re: Firebird security domain problem
            Benjamin Walstrum Newbie

            Thanks for the quick reply.

            Changing to "TxCM" did solve the problem, as I had a successful deployment. However, the startup time became unacceptably slow. Normally JBoss starts up in ~60s. To start up JBoss in this mode it takes ~5.5 min. That is a fairly unacceptable amount of time. Is there something that I can tweak to get the startup time to decrease back to its normal level? I think that there must be something wrong for it to take so long.

            As far as the ConfiguredIdentityLoginModule, let me describe it a bit and you can decide whether it is worthwhile (and then I will see about contributing the source). We are using a password-based encryption system, which means that a salt of some sort must be stored (usually in the source code/compiled class) which can then be used to encrypt and decrypt values. The problem with that approach for distribution is that each person using JBoss should probably have a different salt, because once you have the salt, you can very easily get the plain text. Also, if someone were to get a hold of the class and a decompiler the salt would be available.

            Thanks.

            Ben