]
egor kolesnikov reopened SECURITY-278:
--------------------------------------
Anil,
The "new" code does not re-throw LoginException also, it just stores is within
the SubjectActions object.
JaasSecurityManager should not "swallow" LoginExceptions
thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL:
https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: