openejb-dev mailing list archives

From David Blevins <david.blev...@visi.com>
Subject Re: LoginModule Security Question
Date Thu, 15 Oct 2009 02:12:42 GMT
Responded to the same thread on the users list.  Feel free to respond  
there or here.

On Sep 29, 2009, at 1:22 PM, Quintin Beukes wrote:

> Hey,
>
> In the JUnit runner, the method I use to get the code to authenticate
> to a named role I use a LoginModule that simply sets the role. No
> actual authentication takes place. I get the login module loaded by
> setting the login configuration system property before I create the
> InitialContext.
>
> Just a question about this.
>
> 1. Once OpenEJB is initialized, is it possible to load more login
> modules? In other words, does it create new LoginContexts during the
> runtime of OpenEJB?
>
> 2. If the openejb-junit JAR had to be on the classpath, can you think
> of any way this login module can be used to authenticate against any
> chosen role?
>
> I'm basically trying to determine the security risks of having this
> module in your classpath. If it's a risk I would need to find a better
> way of doing the "fake authentication".
>
> The only way I could think of is if the login module was explicitly
> loaded at STARTUP? And after startup this is impossible?
>
> Quintin Beukes
>
>
>
>
> ---------- Forwarded message ----------
> From: Quintin Beukes <quintin@last.za.net>
> Date: Tue, Sep 29, 2009 at 5:46 PM
> Subject: Question
> To: Quintin Beukes <quintin@last.za.net>
>
>
> JUnit runner's login module. Is it a risk in an appserver or a client
> where it's merely included in the classpath.
>
> Can it be (1) deliberate loading, or can't this happen once the real
> ones were loaded (2) automatic loading from CP scanning
>
> Quintin Beukes
>
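
Added example, not part of either message or of OpenEJB: a JAAS LoginContext instantiates only the modules that its login configuration entry names, so one audit for the concern raised above is to scan that configuration file for the test-only module and evaluate the control flags around it. The module class, realm names and sample file are constructed assumptions, and the check assumes the test module always succeeds, as the message describes.

```python
import re

# Assumed class name: the page does not name the openejb-junit module.
TEST_ONLY = {"org.example.junit.FakeRoleLoginModule"}
FLAGS = {"required", "requisite", "sufficient", "optional"}
_SKIP = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)

def parse_jaas_config(text):
    """Return {application: [(module_class, control_flag), ...]} in file order."""
    # Drop comments and neutralise quoted option values, so that ';', '{'
    # or '//' inside a value cannot confuse the splitting below.
    text = _SKIP.sub(lambda m: '"v"' if m.group(0)[0] == '"' else " ", text)
    entries = {}
    for app, body in re.findall(r"([\w.\-]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        mods = []
        for stmt in body.split(";"):
            tok = stmt.split()
            if len(tok) >= 2 and tok[1].lower() in FLAGS:  # flags are case-insensitive
                mods.append((tok[0], tok[1].lower()))
        entries[app] = mods
    return entries

def passes_without_credentials(mods, banned=TEST_ONLY):
    """True if the stack succeeds when every module except the banned one fails."""
    for cls, flag in mods:
        if cls in banned:
            if flag == "sufficient":
                return True   # success here ends evaluation; nothing mandatory failed yet
        elif flag in ("required", "requisite"):
            return False      # a real mandatory module fails, so the login fails
    return any(cls in banned for cls, _ in mods)  # no real mandatory module at all

def audit(text, banned=TEST_ONLY):
    """Map each application naming a banned module to whether login is bypassed."""
    return {app: passes_without_credentials(mods, banned)
            for app, mods in parse_jaas_config(text).items()
            if any(cls in banned for cls, _ in mods)}

# Constructed sample login configuration (not taken from the page).
SAMPLE = """
ProdRealm {
    com.example.auth.LdapLoginModule required userProvider="ldap://dir.example/ou=people";
    org.example.junit.FakeRoleLoginModule optional role="admin";
};
TestRealm {
    org.example.junit.FakeRoleLoginModule sufficient role="admin";
    com.example.auth.LdapLoginModule required;
};
"""
print(audit(SAMPLE))
```

A `False` result still deserves review: JAAS calls `commit()` on every module in a successful stack, so a test module that adds its role there would grant that role to any user who authenticates through the real modules.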

