[jboss-cvs] JBossAS SVN: r75357 - projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego.
Thu Jul 3 17:21:15 EDT 2008
Author: darran.lofthouse at jboss.com
Date: 2008-07-03 17:21:15 -0400 (Thu, 03 Jul 2008)
New Revision: 75357
Modified:
projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java
Log:
[SECURITY-133] Report failures using LoginException
Modified: projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java
===================================================================
--- projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java 2008-07-03 21:14:19 UTC (rev 75356)
+++ projects/security/security-negotiation/trunk/jboss-negotiation/src/main/java/org/jboss/security/negotiation/spnego/AdvancedLdapLoginModule.java 2008-07-03 21:21:15 UTC (rev 75357)
@@ -237,15 +237,8 @@
@Override
public boolean login() throws LoginException
{
- /*
- * The super.login() check is required to decide if
- * the current user needs to be authenticated, however
- * the actual user and roles search should proceed based
- * on their own options.
- */
+ Object result = null;
- Boolean result = null;
-
AuthorizeAction action = new AuthorizeAction();
if (AUTH_TYPE_GSSAPI.equals(bindAuthentication))
{
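Review bot: Typing `result` as `Object` so that AuthorizeAction can hand a LoginException back as a return value (the `instanceof LoginException` check two hunks further down and the `PrivilegedAction<Object>` change in the last hunk) reimplements what `PrivilegedExceptionAction<Boolean>` already provides: `Subject.doAs(serverSubject, action)` wraps the checked exception in a `PrivilegedActionException`, `getException()` recovers the original LoginException, and `result` can stay a `Boolean` with no cast. AuthorizeAction.run() would then declare `throws LoginException` and simply call `innerLogin()`. The deleted comment explaining why `super.login()` is still consulted was the only statement of that design intent in the file; keep it, either above this method or above the `processIdentityAndCredential()` call in innerLogin. login() continues past the end of this hunk.
```java
Boolean result = null;
AuthorizeAction action = new AuthorizeAction(); // now a PrivilegedExceptionAction<Boolean>
try
{
   if (AUTH_TYPE_GSSAPI.equals(bindAuthentication))
   {
      // … unchanged: LoginContext creation and login …
      result = Subject.doAs(serverSubject, action);
      lc.logout();
   }
   else
   {
      result = action.run();
   }
}
catch (PrivilegedActionException e)
{
   // doAs only ever wraps the checked LoginException that innerLogin() declares
   throw (LoginException) e.getException();
}
return result.booleanValue();
```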
@@ -260,7 +253,7 @@
log.debug("Logged in '" + lc + "' LoginContext");
}
- result = (Boolean) Subject.doAs(serverSubject, action);
+ result = Subject.doAs(serverSubject, action);
lc.logout();
}
else
@@ -268,8 +261,12 @@
result = action.run();
}
- return result.booleanValue();
+ if (result instanceof LoginException)
+ {
+ throw (LoginException) result;
+ }
+ return ((Boolean) result).booleanValue();
}
@Override
@@ -286,13 +283,8 @@
return roleSets;
}
- protected Boolean innerLogin() throws Exception
+ protected Boolean innerLogin() throws LoginException
{
- /*
- * TODO - General failures should throw LoginException, an
- * actual failed authentication should throw FailedLoginException.
- */
-
// Obtain the username and password
processIdentityAndCredential();
log.trace("Identity - " + getIdentity().getName());
@@ -302,9 +294,18 @@
{
if (jaasSecurityDomain != null)
{
- ObjectName serviceName = new ObjectName(jaasSecurityDomain);
- char[] tmp = DecodeAction.decode(bindCredential, serviceName);
- bindCredential = new String(tmp);
+ try
+ {
+ ObjectName serviceName = new ObjectName(jaasSecurityDomain);
+ char[] tmp = DecodeAction.decode(bindCredential, serviceName);
+ bindCredential = new String(tmp);
+ }
+ catch (Exception e)
+ {
+ LoginException le = new LoginException("Unabe to decode bindCredential");
+ le.initCause(e);
+ throw le;
+ }
}
}
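Review bot: The new message in `new LoginException("Unabe to decode bindCredential")` has a typo; `LoginException le = new LoginException("Unable to decode bindCredential");`. The surrounding `catch (Exception e)` also folds RuntimeExceptions from the decode path into the same configuration-style message, which is acceptable at a login-module boundary but hides programming errors; if `DecodeAction.decode` declares something narrower, catching that together with `MalformedObjectNameException` from the `ObjectName` constructor would keep the distinction. innerLogin() continues outside this hunk.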
@@ -333,7 +334,16 @@
finally
{
if (searchContext != null)
- searchContext.close();
+ {
+ try
+ {
+ searchContext.close();
+ }
+ catch (NamingException e)
+ {
+ log.warn("Error closing context", e);
+ }
+ }
}
return Boolean.valueOf(super.loginOk);
@@ -343,7 +353,7 @@
* Either retrieve existing values based on useFirstPass or use
* CallBackHandler to obtain the values.
*/
- protected void processIdentityAndCredential() throws Exception
+ protected void processIdentityAndCredential() throws LoginException
{
if (super.login() == true)
{
@@ -367,22 +377,31 @@
}
else
{
- NameCallback nc = new NameCallback("User name: ", "guest");
- PasswordCallback pc = new PasswordCallback("Password: ", false);
- Callback[] callbacks =
- {nc, pc};
+ try
+ {
+ NameCallback nc = new NameCallback("User name: ", "guest");
+ PasswordCallback pc = new PasswordCallback("Password: ", false);
+ Callback[] callbacks =
+ {nc, pc};
- callbackHandler.handle(callbacks);
- String username = nc.getName();
- identity = createIdentity(username);
- credential = pc.getPassword();
- pc.clearPassword();
+ callbackHandler.handle(callbacks);
+ String username = nc.getName();
+ identity = createIdentity(username);
+ credential = pc.getPassword();
+ pc.clearPassword();
+ }
+ catch (Exception e)
+ {
+ LoginException le = new LoginException("Unable to obtain username/credential");
+ le.initCause(e);
+ throw le;
+ }
}
}
protected LdapContext constructLdapContext(String dn, Object credential, String authentication)
- throws NamingException
+ throws LoginException
{
Properties env = new Properties();
Iterator iter = options.entrySet().iterator();
@@ -434,39 +453,57 @@
if (credential != null)
env.put(Context.SECURITY_CREDENTIALS, credential);
traceLdapEnv(env);
- return new InitialLdapContext(env, null);
+ try
+ {
+ return new InitialLdapContext(env, null);
+ }
+ catch (NamingException e)
+ {
+ LoginException le = new LoginException("Unable to create new InitialLdapContext");
+ le.initCause(e);
+ throw le;
+ }
}
- protected String findUserDN(LdapContext ctx) throws Exception
+ protected String findUserDN(LdapContext ctx) throws LoginException
{
- NamingEnumeration results = null;
-
- Object[] filterArgs =
- {getIdentity().getName()};
- results = ctx.search(baseCtxDN, baseFilter, filterArgs, userSearchControls);
- if (results.hasMore() == false)
+ try
{
- results.close();
- throw new NamingException("Search of baseDN(" + baseCtxDN + ") found no matches");
- }
+ NamingEnumeration results = null;
- SearchResult sr = (SearchResult) results.next();
- String name = sr.getName();
- String userDN = null;
- if (sr.isRelative() == true)
- userDN = name + "," + baseCtxDN;
- else
- throw new NamingException("Can't follow referal for authentication: " + name);
+ Object[] filterArgs =
+ {getIdentity().getName()};
+ results = ctx.search(baseCtxDN, baseFilter, filterArgs, userSearchControls);
+ if (results.hasMore() == false)
+ {
+ results.close();
+ throw new LoginException("Search of baseDN(" + baseCtxDN + ") found no matches");
+ }
- results.close();
- results = null;
+ SearchResult sr = (SearchResult) results.next();
+ String name = sr.getName();
+ String userDN = null;
+ if (sr.isRelative() == true)
+ userDN = name + "," + baseCtxDN;
+ else
+ throw new LoginException("Can't follow referal for authentication: " + name);
- log.trace("findUserDN - " + userDN);
- return userDN;
+ results.close();
+ results = null;
+
+ log.trace("findUserDN - " + userDN);
+ return userDN;
+ }
+ catch (NamingException e)
+ {
+ LoginException le = new LoginException("Unable to find user DN");
+ le.initCause(e);
+ throw le;
+ }
}
- protected void authenticate(String userDN)
+ protected void authenticate(String userDN) throws LoginException
{
if (credential.length == 0)
{
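Review bot: In findUserDN the `NamingEnumeration` is closed only on the no-match branch and on the success path, so the referral `throw new LoginException("Can't follow referal ...")`, or a NamingException out of `results.next()` / `sr.getName()`, leaves the enumeration open; the wrapping `catch (NamingException e)` added here does not close it either. Move the close into a `finally` of the same shape this commit gives rolesSearch later on and drop the two inline `results.close()` calls. The `new InitialLdapContext` wrapping in constructLdapContext above needs no change. authenticate() continues outside this hunk.
```java
NamingEnumeration results = null;
try
{
   // … unchanged: search, no-match check, referral check, trace …
   return userDN;
}
catch (NamingException e)
{
   LoginException le = new LoginException("Unable to find user DN");
   le.initCause(e);
   throw le;
}
finally
{
   if (results != null)
   {
      try
      {
         results.close();
      }
      catch (NamingException e)
      {
         log.warn("Problem closing results", e);
      }
   }
}
```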
@@ -485,7 +522,9 @@
catch (NamingException ne)
{
log.debug("Authentication failed - " + ne.getMessage());
- return;
+ LoginException le = new LoginException("Authentication failed");
+ le.initCause(ne);
+ throw le;
}
super.loginOk = true;
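Review bot: A failed bind (bad credential) is reported as a plain `LoginException("Authentication failed")`, so callers cannot tell it apart from the configuration and directory errors the rest of this commit maps to the same type; JAAS reserves `FailedLoginException` (a LoginException subclass, so the `throws LoginException` signature is unaffected) for exactly this case, and the TODO removed from innerLogin earlier in this commit asked for that distinction. `LoginException le = new FailedLoginException("Authentication failed");` is the only line that changes. The body of authenticate() starts outside this hunk.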
@@ -497,14 +536,15 @@
}
- protected void rolesSearch(LdapContext searchContext, String dn) throws NamingException
+ protected void rolesSearch(LdapContext searchContext, String dn) throws LoginException
{
Object[] filterArgs =
{getIdentity().getName(), dn};
- NamingEnumeration results = searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls);
+ NamingEnumeration results = null;
try
{
+ results = searchContext.search(rolesCtxDN, roleFilter, filterArgs, roleSearchControls);
while (results.hasMore())
{
SearchResult sr = (SearchResult) results.next();
@@ -566,10 +606,25 @@
}
}
}
+ catch (NamingException e)
+ {
+ LoginException le = new LoginException("Error finding roles");
+ le.initCause(e);
+ throw le;
+ }
finally
{
if (results != null)
- results.close();
+ {
+ try
+ {
+ results.close();
+ }
+ catch (NamingException e)
+ {
+ log.warn("Problem closing results", e);
+ }
+ }
}
}
@@ -621,18 +676,18 @@
}
}
- private class AuthorizeAction implements PrivilegedAction<Boolean>
+ private class AuthorizeAction implements PrivilegedAction<Object>
{
- public Boolean run()
+ public Object run()
{
try
{
return innerLogin();
}
- catch (Exception e)
+ catch (LoginException e)
{
- throw new RuntimeException(e);
+ return e;
}
}