[jboss-jira] [JBoss JIRA] Commented: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules

JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules ------------------------------------------------------------------------------- Key: SECURITY-278 URL: https://jira.jboss.org/jira/browse/SECURITY-278 Project: JBoss Security and Identity Management Issue Type: Bug Security Level: Public(Everyone can see) Affects Versions: 2.0.2.GA Environment: JBoss AS 4.2.2.GA Reporter: egor kolesnikov Assignee: Anil Saldhana http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o... JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential) has the following block: try { // call login modules and authenticate } catch (Exception ex) { ex.printStackTrace(); return false; } Disregarding the fact that "ex.printStackTrace()" is a definitely bad code style, swallowing all exceptions violates the JAAS specifications regarding the fact that login modules could return false or throw LoginException if login attempt has failed (see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for details). This also affects Jboss SEAM framework which raises special event if LoginException has been thrown. Observed behavior: When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false without any additional checks. Expected behavior: When LoginModule throws LoginException, JaasSecurityManager should not catch (or should at least re-throw) it and allow the exception to reach the client code.