Security Concern

Can a new login module be deliberately loaded after the first
InitialContext was started, ie. login configuration has been parsed.

Is there any way a login configuration/module can be loaded
automatically AT ALL?

Quintin Beukes

On Oct 8, 2009, at 10:43 AM, Quintin Beukes wrote:

> Can a new login module be deliberately loaded after the first
> InitialContext was started, ie. login configuration has been parsed.
>
> Is there any way a login configuration/module can be loaded
> automatically AT ALL?

Only way to add a new LoginModule is by editing the conf/login.config  
file.  There's no way to do it programmatically in the client or server.

-David

Though what I was wondering about is, since you can change which
login.config file should be loaded by the system property, could a new
one be loaded, or does this code get executed ONLY once?

Quintin Beukes



On Fri, Oct 9, 2009 at 7:58 AM, David Blevins <david.blevins@...> wrote:

On Oct 9, 2009, at 1:31 AM, Quintin Beukes wrote:

> Though what I was wondering about is, since you can change which
> login.config file should be loaded by the system property, could a new
> one be loaded, or does this code get executed ONLY once?

That I don't know.  We set the 'java.security.auth.login.config'  
property at startup and it's the VM that does the reading.  We do  
attempt a "null" login at startup in attempts to eagerly flush out any  
issues with the config file.  Not sure if the VM will consult that  
property again.

If you find out, definitely share.  You have me curious as well.

-David