geronimo-dev mailing list archives

From "Aaron Mulder (JIRA)" <...@geronimo.apache.org>
Subject [jira] Updated: (GERONIMO-1203) LoginConfig processing can silently do the wrong thing
Date Mon, 05 Dec 2005 16:47:08 GMT
     [ http://issues.apache.org/jira/browse/GERONIMO-1203?page=all ]

Aaron Mulder updated GERONIMO-1203:
-----------------------------------

    Fix Version: 1.0
                     (was: 1.1)
      Assign To: Aaron Mulder

This should be an easy fix -- I'll look at it for 1.0

> LoginConfig processing can silently do the wrong thing
> ------------------------------------------------------
>
>          Key: GERONIMO-1203
>          URL: http://issues.apache.org/jira/browse/GERONIMO-1203
>      Project: Geronimo
>         Type: Bug
>   Components: deployment, security
>     Versions: 1.0-M5
>     Reporter: Aaron Mulder
>     Assignee: Aaron Mulder
>     Priority: Critical
>      Fix For: 1.0

>
> If you deploy a security realm using a LoginConfig block, and you set the login domain name to be the same for every login module in the realm, only one of the login modules is actually deployed, and no error is generated.
> I'm not clear why you can't have more than one login module with the same login domain in the same realm.  If you have an extra login module that doesn't produce principals but works in conjunction with the main login module (for auditing, for example), then why would you need to specify a distinct login domain for it?  It looks like we use the login domain name as the GBean name, but maybe we should just call them "LoginModule1" through "LoginModuleN" or something instead.
> Nevertheless, if this is an error condition, we should not deploy the realm with only one login module, we should throw a DeploymentException.
> <configuration configId="SecurityRealmAaron" parentId="org/apache/geronimo/Server" xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">
>     <gbean name="Aaron" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
>         <attribute name="realmName">Aaron</attribute>
>         <reference name="ServerInfo">
>             <gbean-name>geronimo.server:J2EEApplication=null,J2EEModule=org/apache/geronimo/System,J2EEServer=geronimo,j2eeType=GBean,name=ServerInfo</gbean-name>
>         </reference>
>         <xml-reference name="LoginModuleConfiguration">
>             <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-1.0">
>                 <log:login-module control-flag="REQUIRED" server-side="true">
>                     <log:login-domain-name>Aaron</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
>                     <log:option name="usersURI">var/security/demo_users.properties</log:option>
>                     <log:option name="groupsURI">var/security/demo_groups.properties</log:option>
>                 </log:login-module>
>                 <log:login-module control-flag="OPTIONAL" server-side="true">
>                     <log:login-domain-name>Aaron</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.GeronimoPasswordCredentialLoginModule</log:login-module-class>
>                 </log:login-module>
>                 <log:login-module control-flag="OPTIONAL" server-side="true">
>                     <log:login-domain-name>Aaron</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.FileAuditLoginModule</log:login-module-class>
>                     <log:option name="file">var/log/login.log</log:option>
>                 </log:login-module>
>                 <log:login-module control-flag="REQUISITE" server-side="true">
>                     <log:login-domain-name>Aaron</log:login-domain-name>
>                     <log:login-module-class>org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule</log:login-module-class>
>                     <log:option name="failureCount">3</log:option>
>                     <log:option name="failurePeriodSecs">60</log:option>
>                     <log:option name="lockoutDurationSecs">600</log:option>
>                 </log:login-module>
>             </log:login-config>
>         </xml-reference>
>     </gbean>
> </configuration>

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
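
A pre-deployment check for the condition described in the report, as an added example that is not part of the original message and is not Geronimo's own code: it parses a deployment plan and rejects it when one login-config reuses a login domain name, so that modules such as the audit and lockout modules cannot drop out unnoticed. `DuplicateLoginDomain`, `check_plan`, `duplicate_login_domains`, `sample_plan` and the trimmed sample plan are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

LOGIN_NS = "http://geronimo.apache.org/xml/ns/loginconfig-1.0"
NS = {"log": LOGIN_NS}
PROVIDERS = "org.apache.geronimo.security.realm.providers."

# Constructed sample data: (control flag, login domain, module class), as in the quoted plan.
REPORTED = [
    ("REQUIRED", "Aaron", "PropertiesFileLoginModule"),
    ("OPTIONAL", "Aaron", "GeronimoPasswordCredentialLoginModule"),
    ("OPTIONAL", "Aaron", "FileAuditLoginModule"),
    ("REQUISITE", "Aaron", "RepeatedFailureLockoutLoginModule"),
]

def sample_plan(modules):
    """Build a trimmed, constructed plan with one realm GBean and the given login modules."""
    body = "".join(
        f'<log:login-module control-flag="{flag}" server-side="true">'
        f"<log:login-domain-name>{domain}</log:login-domain-name>"
        f"<log:login-module-class>{PROVIDERS}{cls}</log:login-module-class>"
        "</log:login-module>" for flag, domain, cls in modules)
    return ('<configuration xmlns="http://geronimo.apache.org/xml/ns/deployment-1.0">'
            '<gbean name="Aaron"><xml-reference name="LoginModuleConfiguration">'
            f'<log:login-config xmlns:log="{LOGIN_NS}">{body}</log:login-config>'
            "</xml-reference></gbean></configuration>")

class DuplicateLoginDomain(ValueError):
    """Hypothetical stand-in for the DeploymentException the report asks for."""

def duplicate_login_domains(plan_xml):
    """Map (login-config index, domain) -> module classes, for domains used more than once."""
    dupes = {}
    for idx, config in enumerate(ET.fromstring(plan_xml).iter(f"{{{LOGIN_NS}}}login-config")):
        by_domain = defaultdict(list)
        for module in config.findall("log:login-module", NS):
            domain = module.findtext("log:login-domain-name", "", NS).strip()
            by_domain[domain].append(module.findtext("log:login-module-class", "", NS).strip())
        dupes.update({(idx, d): c for d, c in by_domain.items() if len(c) > 1})
    return dupes

def check_plan(plan_xml):
    """Fail closed: reject the plan rather than deploy a realm missing some of its modules."""
    dupes = duplicate_login_domains(plan_xml)
    if dupes:
        detail = "; ".join(f"login-config #{i}, domain {d!r}: {', '.join(c)}"
                           for (i, d), c in dupes.items())
        raise DuplicateLoginDomain("login domain name reused within one realm: " + detail)
    return True
```

Calling `check_plan(sample_plan(REPORTED))` raises `DuplicateLoginDomain` and names all four module classes that share the domain `Aaron`.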

