Geronimo
  1. Geronimo
  2. GERONIMO-3965

Custom LoginModule uses wrong classloader

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.2, 2.1, 2.1.1
    • Fix Version/s: 2.0.3, 2.1.2, 2.2
    • Component/s: security
    • Security Level: public (Regular issues)
    • Labels:
      None
    • Environment:

      Windows XP, JDK 1.5

      Description

      When specifying a custom LoginModule implementation in a geronimo-application.xml file, the class cannot be loaded if it is in the EAR. Debugging, the classloader being used belongs to OpenEJB rather than the one for the application. I have tried both versions 2.0.2 and 2.1.

      This bug was discovered and discussed in the mailing lists (http://www.nabble.com/Custom-LoginModule-classloading-issue-in-gernimo-2.0.2-td14404472s134.html) but I couldn't find any JIRA's for it. Note that the workaround discussed in the thread cannot be used in our application, though I tried it anyway and couldn't get it working.

        Activity

        Kory Markevich created issue -
        David Jencks made changes -
        Field Original Value New Value
        Assignee David Jencks [ djencks ]
        Hide
        David Jencks added a comment -

        Contrary to the comments on the mailing list thread, this isn't an openejb problem. Login modules are global resources and we need to set a thread context classloader suitable for a realm before trying to use it. Kinda messy.... but we didn't write the jaas spec. Openejb doesn't know which app you might be interested in at the point it is trying to authenticate you here, so it wouldn't know what to do anyway.

        I'd like to know what problems you found with the configuration suggestion I made in the thread. The user list would be a good place to discuss that.

        Show
        David Jencks added a comment - Contrary to the comments on the mailing list thread, this isn't an openejb problem. Login modules are global resources and we need to set a thread context classloader suitable for a realm before trying to use it. Kinda messy.... but we didn't write the jaas spec. Openejb doesn't know which app you might be interested in at the point it is trying to authenticate you here, so it wouldn't know what to do anyway. I'd like to know what problems you found with the configuration suggestion I made in the thread. The user list would be a good place to discuss that.
        Hide
        David Jencks added a comment -

        I'm a bit embarassed to say that when I personally ran into this problem it seemed more pressing and there was a fairly easy solution by using a delegating login module that knows what classloader is required for the login module.

        trunk rev 657967
        branches/2.1 rev 657968
        branches/2.0 rev 657969

        Show
        David Jencks added a comment - I'm a bit embarassed to say that when I personally ran into this problem it seemed more pressing and there was a fairly easy solution by using a delegating login module that knows what classloader is required for the login module. trunk rev 657967 branches/2.1 rev 657968 branches/2.0 rev 657969
        David Jencks made changes -
        Fix Version/s 2.0.x [ 12312601 ]
        Fix Version/s 2.2 [ 12312965 ]
        Fix Version/s 2.1.x [ 12313103 ]
        Status Open [ 1 ] Closed [ 6 ]
        Resolution Fixed [ 1 ]
        Hide
        Kory Markevich added a comment -

        Could you give a quick rundown on how to use this? I couldn't figure it out just looking at the diffs.

        Show
        Kory Markevich added a comment - Could you give a quick rundown on how to use this? I couldn't figure it out just looking at the diffs.
        Hide
        David Jencks added a comment -

        1. build one of the geronimo versions from svn or find a snapshot from one of the auto-builds
        2. make sure the login module class is available in the plugin/module where the security realm using it is defined
        3. enjoy

        You shouldn't have to do anything special for this to work. The trunk testsuite/enterprise-testsuite/sec-tests client test relies on this working for the ejb module's fake login module when calling in through the ejbd protocol.

        Show
        David Jencks added a comment - 1. build one of the geronimo versions from svn or find a snapshot from one of the auto-builds 2. make sure the login module class is available in the plugin/module where the security realm using it is defined 3. enjoy You shouldn't have to do anything special for this to work. The trunk testsuite/enterprise-testsuite/sec-tests client test relies on this working for the ejb module's fake login module when calling in through the ejbd protocol.
        Hide
        Joe Bohn added a comment -

        added 2.1.1 as an affected release and 2.0.3 and 2.1.2 as fix versions

        Show
        Joe Bohn added a comment - added 2.1.1 as an affected release and 2.0.3 and 2.1.2 as fix versions
        Joe Bohn made changes -
        Fix Version/s 2.0.3 [ 12313315 ]
        Affects Version/s 2.1.1 [ 12312941 ]
        Fix Version/s 2.1.2 [ 12313123 ]
        Joe Bohn made changes -
        Fix Version/s 2.0.x [ 12312601 ]
        Fix Version/s 2.1.x [ 12313103 ]
        Transition Time In Source Status Execution Times Last Executer Last Execution Date
        Open Open Closed Closed
        31d 23h 9m 1 David Jencks 19/May/08 21:56

          People

          • Assignee:
            David Jencks
            Reporter:
            Kory Markevich
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development