Carsten Mjartan commented on JBAS-5802:
---------------------------------------
You are right, the end user should not see the exception, it should just be logged out
without need to tweak logging (configuration errors are ERRORs in my opinion).
BaseConnectionManager2 does not propagate or log authentication exception cause
-------------------------------------------------------------------------------
Key: JBAS-5802
URL: https://jira.jboss.org/jira/browse/JBAS-5802
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: JCA service, Security
Affects Versions: JBossAS-4.2.2.GA
Environment: JBoss AS 4.3.0 / 4.2.2, DB2 XA-Connection errors
Reporter: Carsten Mjartan

In org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(), the
following code handles authentication errors while obtaining a new database connection
from the pool:
...
    if (securityDomain.isValid(principal, credential, subject) == false)
        throw new SecurityException("Invalid authentication attempt, principal=" + principal);
...
If there are errors during authentication, they are not logged or rethrown like it's
done in AuthenticationInterceptor:
...
    if (authenticationManager.isValid(principal, credential, subject) == false)
    {
        // Check for the security association exception
        Exception ex = SecurityActions.getContextException();
        if (ex != null)
            throw ex;
...
In our case, we had a bug in our login-config for the security domain being used for the
database connections. The real exception came from the LoginModule's initialize
method, but the only message we got is a SecurityException with 'Invalid
authentication attempt'.
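
The failure mode described in this issue, as an added example that is not part of the original report or of the JBoss code base: the check below logs the underlying cause at error level and chains it to the SecurityException instead of dropping it. SecurityDomain, getLastException() and MisconfiguredDomain are hypothetical stand-ins for the security domain and for SecurityActions.getContextException(); the principal and the error text are constructed.

```java
import java.security.Principal;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;

public class AuthCauseDemo {
    private static final Logger LOG = Logger.getLogger(AuthCauseDemo.class.getName());

    /** Hypothetical stand-in for the security domain used by the connection manager. */
    interface SecurityDomain {
        boolean isValid(Principal principal, Object credential, Subject subject);
        /** Assumed accessor, playing the role of SecurityActions.getContextException(). */
        Exception getLastException();
    }

    /** Constructed failure: the login module cannot initialize because of a config error. */
    static class MisconfiguredDomain implements SecurityDomain {
        private Exception last;
        public boolean isValid(Principal p, Object credential, Subject s) {
            last = new LoginException("LoginModule initialize failed: bad login-config (constructed)");
            return false; // the caller only sees "false" unless it asks for the cause
        }
        public Exception getLastException() { return last; }
    }

    /** Same check as in the report, but the root cause is logged and chained. */
    static void authenticate(SecurityDomain domain, Principal principal, Object credential) {
        Subject subject = new Subject();
        if (!domain.isValid(principal, credential, subject)) {
            Exception cause = domain.getLastException();
            String msg = "Invalid authentication attempt, principal=" + principal.getName();
            if (cause != null) {
                // Server-side log entry: visible without changing the logging configuration.
                LOG.log(Level.SEVERE, msg, cause);
            }
            throw new SecurityException(msg, cause); // a null cause is allowed
        }
    }

    public static void main(String[] args) {
        Principal dbUser = () -> "dbuser"; // constructed principal
        try {
            authenticate(new MisconfiguredDomain(), dbUser, "secret".toCharArray());
        } catch (SecurityException e) {
            System.out.println(e.getMessage() + " / cause: " + e.getCause());
        }
    }
}
```

The message of the SecurityException stays generic, so code that shows only getMessage() to an end user does not expose the configuration detail, while the log entry and getCause() carry it for the operator.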