[jboss-jira] [JBoss JIRA] Created: (JBAS-4209) DatabaseServerLoginModule fails if no roles are found
Felix Ho?feld (JIRA)
jira-events at lists.jboss.org
Fri Mar 16 21:13:32 EDT 2007
DatabaseServerLoginModule fails if no roles are found
-----------------------------------------------------
Key: JBAS-4209
URL: http://jira.jboss.com/jira/browse/JBAS-4209
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: JBossAS-4.0.5.GA
Environment: JBoss 4.0.5.GA, JDK 1.6.0, Windows & Linux
Reporter: Felix Ho?feld
Assigned To: Scott M Stark
I have a problem using the DatabaseServerLoginModule. Login fails during commit() if no roles are defined for a user. The relevant part is in Util.getRoleSets(...):
rs = ps.executeQuery();
if( rs.next() == false )
{
if( trace )
log.trace("No roles found");
if( aslm.getUnauthenticatedIdentity() == null )
throw new FailedLoginException("No matching username found in Roles");
/* We are running with an unauthenticatedIdentity so create an
empty Roles set and return.
*/
Group[] roleSets = { new SimpleGroup("Roles") };
return roleSets;
}
Why is an exception thrown if no roles are returned? At this point the user has authenticated himself. According to the JAAS contract (http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#commit) an exceptions should be thrown if the method fails. In my opinion it is not a failure if no roles are assigned so it should just return an empty role set.
So I suggest to just remove the following lines:
if( aslm.getUnauthenticatedIdentity() == null )
throw new FailedLoginException("No matching username found in Roles");
However, I admit that this might have a security impact on existing sites that rely on failed authentications if no roles are found so it is probably too late to introduce this change. If it is changed a prominent notice in the documentaion would be necessary.
Regards
Felix
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list