[jboss-jira] [JBoss JIRA] Created: (JBAS-4209) DatabaseServerLoginModule fails if no roles are found

Felix Ho?feld (JIRA) jira-events at lists.jboss.org
Fri Mar 16 21:13:32 EDT 2007 

DatabaseServerLoginModule fails if no roles are found
-----------------------------------------------------

                 Key: JBAS-4209
                 URL: http://jira.jboss.com/jira/browse/JBAS-4209
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Security
    Affects Versions: JBossAS-4.0.5.GA
         Environment: JBoss 4.0.5.GA, JDK 1.6.0, Windows & Linux
            Reporter: Felix Ho?feld
         Assigned To: Scott M Stark


I have a problem using the DatabaseServerLoginModule. Login fails during commit() if no roles are defined for a user. The relevant part is in Util.getRoleSets(...):

         rs = ps.executeQuery();
         if( rs.next() == false )
         {
            if( trace )
               log.trace("No roles found");
            if( aslm.getUnauthenticatedIdentity() == null )
               throw new FailedLoginException("No matching username found in Roles");
            /* We are running with an unauthenticatedIdentity so create an
               empty Roles set and return.
            */
            Group[] roleSets = { new SimpleGroup("Roles") };
            return roleSets;
         }

Why is an exception thrown if no roles are returned? At this point the user has authenticated himself. According to the JAAS contract (http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#commit) an exceptions should be thrown if the method fails. In my opinion it is not a failure if no roles are assigned so it should just return an empty role set.

So I suggest to just remove the following lines:

  if( aslm.getUnauthenticatedIdentity() == null )
                throw new FailedLoginException("No matching username found in Roles");

However, I admit that this might have a security impact on existing sites that rely on failed authentications if no roles are found so it is probably too late to introduce this change. If it is changed a prominent notice in the documentaion would be necessary.

Regards

Felix


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list