Anil Saldhana commented on SECURITY-278:
----------------------------------------
That is the interface/contract implemented by JaasSecurityManager. It uses JAAS as an
internal detail, so there is no expectation of an exception here.
What is really needed is for SEAM to generate events when authentication fails (when the
return value is false).
JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
    try {
        // call login modules and authenticate
    } catch (Exception ex) {
        ex.printStackTrace();
        return false;
    }
Disregarding the fact that "ex.printStackTrace()" is definitely bad code
style, swallowing all exceptions violates the JAAS specification regarding the fact that
login modules may return false or throw LoginException if a login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects the JBoss SEAM framework, which raises a special event if a
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
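The following is an added, self-contained illustration of the behaviour under discussion; it is not code from JBoss, SEAM or this issue. It uses a constructed LoginModule (ThrowingLoginModule) that fails by throwing FailedLoginException, as the JAAS contract allows, and an in-memory Configuration so it runs without any JBoss deployment. The two authenticate methods are hypothetical stand-ins: authenticateSwallowing mirrors the catch-all pattern quoted above, while authenticatePropagating lets the LoginException reach the caller.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LoginExceptionDemo {

    // Constructed LoginModule (not JBoss code). It reports failure by throwing,
    // which the JAAS LoginModule contract explicitly permits, rather than by
    // returning false.
    public static class ThrowingLoginModule implements LoginModule {
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) { }
        public boolean login() throws LoginException {
            throw new FailedLoginException("bad password (constructed failure)");
        }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    // Hypothetical in-memory Configuration: every security domain name maps to
    // the module above as a REQUIRED entry.
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(ThrowingLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    new HashMap<String, Object>())
            };
        }
    };

    // Mirrors the pattern quoted in the report: any exception, whether a wrong
    // password, a missing module class or a backend outage, collapses to "false".
    static boolean authenticateSwallowing(String securityDomain) {
        try {
            LoginContext lc = new LoginContext(securityDomain, new Subject(), null, CONFIG);
            lc.login();
            return true;
        } catch (Exception ex) {
            return false;   // the LoginException type and message are lost here
        }
    }

    // Expected behaviour per the report: the LoginException raised by the module
    // propagates to the caller, which can then distinguish failure causes and,
    // for example, raise the event SEAM expects.
    static boolean authenticatePropagating(String securityDomain) throws LoginException {
        LoginContext lc = new LoginContext(securityDomain, new Subject(), null, CONFIG);
        lc.login();     // LoginContext rethrows the module's FailedLoginException
        return true;
    }

    public static void main(String[] args) {
        System.out.println("swallowing variant returned: "
            + authenticateSwallowing("demo-domain"));
        try {
            authenticatePropagating("demo-domain");
        } catch (LoginException e) {
            System.out.println("propagating variant threw: "
                + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }
}
```

Running the class prints "false" for the swallowing variant and "FailedLoginException: bad password (constructed failure)" for the propagating one. The point for the caller is that with the catch-all variant a failed credential, a misconfigured login module and an unreachable user store are indistinguishable, so neither audit logging nor SEAM's LoginException-driven event can react to the actual cause.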
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: