[
https://jira.jboss.org/jira/browse/JBAS-5802?page=com.atlassian.jira.plug...
]
Adrian Brock closed JBAS-5802.
------------------------------
Resolution: Rejected
Assignee: (was: Jesper Pedersen)
Use the forums before raising spurious bug reports.
It would be totally unacceptable to "leak" authentication reasons as stacktraces
to users. That would open up all sorts of security holes in the event the error message
(from whoever wrote the login module) contained important information.
JBoss simply does the "hollywood" style
ACCESS DENIED
Although not in so many words. ;-)
This information can be obtained by enabling TRACE logging for org.jboss.security,
see the FAQ or its forum for more info, e.g. auditing access attempts.
BaseConnectionManager2 does not propagate or log authentication exception cause
-------------------------------------------------------------------------------
Key: JBAS-5802
URL: https://jira.jboss.org/jira/browse/JBAS-5802
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: JCA service, Security
Affects Versions: JBossAS-4.2.2.GA
Environment: JBoss AS 4.3.0 / 4.2.2, DB2 XA-Connection errors
Reporter: Carsten Mjartan
In org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(), the
following code handles authentication errors while obtaining a new database connection
from the pool:
    ...
    if (securityDomain.isValid(principal, credential, subject) == false)
        throw new SecurityException("Invalid authentication attempt, principal=" + principal);
    ...
If there are errors during authentication, they are not logged or rethrown like it's
done in AuthenticationInterceptor:
    ...
    if (authenticationManager.isValid(principal, credential, subject) == false)
    {
        // Check for the security association exception
        Exception ex = SecurityActions.getContextException();
        if (ex != null)
            throw ex;
    ...
In our case, we had a bug in our login-config for the security domain being used for the
database connections. The real exception came from the LoginModule's initialize
method, but the only message we got is a SecurityException with 'Invalid
authentication attempt'.
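
The trade-off discussed in this issue (one generic denial for the caller, the real cause available only through server-side logging) can be sketched as follows. This is an added example, not JBoss code and not part of the original report; the DomainCheck interface, the logger category "example.security" and the sample failure messages are hypothetical.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class GenericDenialExample {
    // Hypothetical logger category; FINE is hidden by default, like TRACE in the thread.
    private static final Logger log = Logger.getLogger("example.security");

    /** Hypothetical stand-in for a security domain check; not a JBoss interface. */
    interface DomainCheck {
        void authenticate(String principal, char[] credential) throws LoginException;
    }

    /** The caller gets one generic message; the cause goes only to the server log. */
    static void requireValid(DomainCheck domain, String principal, char[] credential) {
        try {
            domain.authenticate(principal, credential);
        } catch (LoginException e) {
            // Full cause (broken login-config, wrong password, ...) stays server-side.
            log.log(Level.FINE, "Authentication failed for principal=" + principal, e);
            // No cause is attached, so the caller's stack trace carries no detail.
            throw new SecurityException("Invalid authentication attempt, principal=" + principal);
        }
    }

    public static void main(String[] args) {
        // Constructed failures: a configuration error and a wrong password.
        DomainCheck misconfigured = (p, c) -> {
            throw new LoginException("login-config: missing option 'exampleOption'");
        };
        DomainCheck wrongPassword = (p, c) -> {
            throw new FailedLoginException("Password incorrect");
        };
        for (DomainCheck d : new DomainCheck[] { misconfigured, wrongPassword }) {
            try {
                requireValid(d, "dbuser", "secret".toCharArray());
            } catch (SecurityException e) {
                // Both failures look identical from the caller's side.
                System.out.println(e.getMessage() + " cause=" + e.getCause());
            }
        }
    }
}
```

Raising the "example.security" logger and its handler to FINE makes the two causes distinguishable in the server log while the caller-facing message stays the same.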