Why does stacking multiple custom login modules within the same security-domain fail on JBoss EAP 6 and 7?

Solution Unverified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.x
    • 7.x

Issue

Why does stacking multiple custom login modules within the same security-domain fail on JBoss EAP 6 and 7?

Stacking Multiple Custom LoginModules. Both modules are defined as JBoss modules and are placed in the modules directory of the JBoss installation. Using the custom login modules separately works just fine. Both can be found and loaded. But when stacking them together the loading of the modules fails.

We want to use two customized login modules in the same application. If the authentication for the first one fails we need to switch to the second module. How can we configure these two modules in standalone-full.xml, and how can we get the JBoss configured/loaded modules in the application?

I have two login modules (an authentication module and an authorization module) in different JBoss modules, but it seems like JBoss tries to find both login modules in the second JBoss module.

Example:

<security-domain name="ima-security-domain" cache-type="default">
  <authentication>
    <login-module code="a.AuthenticationModule" flag="required" module="a:1">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
    <login-module code="b.AuthorizationModule" flag="required" module="b:1">
      <module-option name="password-stacking" value="useFirstPass"/>
    </login-module>
  </authentication>
</security-domain>

In this case I expect a.AuthenticationModule to be loaded and initialized from JBoss module "a:1" and b.AuthorizationModule to be loaded and initialized from JBoss module "b:1".

If I add "a.AuthenticationModule.class" to the JBoss module "b:1" it will initialize both login modules, but it loads a.AuthenticationModule from JBoss module "b:1", not from "a:1" as I would have expected.

It seems like the last JBoss module specification is used for both login modules.

Resolution

Apply JBoss EAP 6.4 CP14 when available

Workarounds:

  1. Make a "composite" JBoss module that depends on the modules that contain the custom login modules:

     <module xmlns="urn:jboss:module:1.1" name="composite">
       <dependencies>
         <module name="a" slot="1"/>
         <module name="b" slot="1"/>
       </dependencies>
     </module>
    

    Configure the security-domain to load the custom login modules from the composite JBoss module:

     <security-domain name="ima-security-domain" cache-type="default">
       <authentication>
         <login-module code="a.AuthenticationModule" flag="required" module="composite">
           <module-option name="password-stacking" value="useFirstPass"/>
         </login-module>
         <login-module code="b.AuthorizationModule" flag="required" module="composite">
           <module-option name="password-stacking" value="useFirstPass"/>
         </login-module>
       </authentication>
     </security-domain>
    
  2. Combine the custom login modules into a single JBoss module
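A quick way to find security-domains that are exposed to this problem before applying either workaround is to scan the server configuration for login-module stacks whose `module` attributes differ. The following script is an added example, not part of this solution or of JBoss EAP; the embedded configuration fragment and its namespace versions are constructed for the example, and the check itself ignores namespaces so it works on EAP 6 and EAP 7 files.

```python
"""Flag security-domains whose stacked login-modules are loaded from
different JBoss modules (the configuration that triggers the bug above)."""
import xml.etree.ElementTree as ET

# Constructed sample of a standalone-full.xml fragment; namespaces are assumed
# for the example and are not used by the check.
SAMPLE = """<?xml version="1.0"?>
<server xmlns="urn:jboss:domain:1.7">
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <security-domains>
        <security-domain name="ima-security-domain" cache-type="default">
          <authentication>
            <login-module code="a.AuthenticationModule" flag="required" module="a:1">
              <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
            <login-module code="b.AuthorizationModule" flag="required" module="b:1">
              <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
          </authentication>
        </security-domain>
        <security-domain name="ok-domain">
          <authentication>
            <login-module code="a.AuthenticationModule" flag="required" module="composite"/>
            <login-module code="b.AuthorizationModule" flag="required" module="composite"/>
          </authentication>
        </security-domain>
      </security-domains>
    </subsystem>
  </profile>
</server>
"""

def _local(tag):
    """Strip the XML namespace so the check works across schema versions."""
    return tag.split("}", 1)[1] if "}" in tag else tag

def find_mixed_module_domains(xml_text):
    """Return {domain_name: sorted distinct 'module' values} for every
    security-domain whose login-modules come from more than one JBoss module."""
    result = {}
    for domain in ET.fromstring(xml_text).iter():
        if _local(domain.tag) != "security-domain":
            continue
        modules = set()
        for child in domain.iter():
            if _local(child.tag) == "login-module":
                # no module attribute: loaded from the security subsystem's default classloader
                modules.add(child.get("module", "<none>"))
        if len(modules) > 1:
            result[domain.get("name")] = sorted(modules)
    return result

if __name__ == "__main__":
    for name, mods in find_mixed_module_domains(SAMPLE).items():
        print(f"{name}: login-modules span JBoss modules {mods}; use a composite or single module")
```

Run it against a copy of standalone-full.xml by reading the file into `find_mixed_module_domains` instead of `SAMPLE`; any domain it reports needs workaround 1 or 2 (or the fixed EAP version).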

Root Cause

There seem to be two issues. 1) The security subsystem code only "remembers" the last module that is defined within a single security domain. 2) I think issue #1 is happening because the JBoss authentication code (org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate()) defers to the JVM's login module handling code. The JVM appears to treat the login modules as one atomic unit, so a single classloader is set and then the JVM login module code is invoked to handle the authentication requests.


This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.