[ https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.p... ]
egor kolesnikov commented on SECURITY-278:
------------------------------------------
Anil,
Following the JAAS specification, our team had implemented a few LoginException descendants:
WrongUserNamePasswordException, UserNotYetActivatedException, UserAccountBlockedException,
UserDeletedException. We were going to catch them on the client side, inform the user about
the exact failure reason and provide him with a descriptive message (like "use the link
below to activate your account" or "your account has been blocked because of
..." etc.).
Due to the problem described, we've found out that there is no way to pass these
descriptive exceptions from the JAAS LoginModule to the UI, because JaasSecurityManager simply
returns "false" if there were any exceptions.
JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
    try {
        // call login modules and authenticate
    } catch (Exception ex) {
        ex.printStackTrace();
        return false;
    }
Disregarding the fact that "ex.printStackTrace()" is definitely bad code
style, swallowing all exceptions violates the JAAS specification regarding the fact that
login modules could return false or throw LoginException if a login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects the JBoss Seam framework, which raises a special event if a
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
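As an added illustration, not code from JBoss or from the reporter: a hypothetical authenticate() helper in the shape of the block quoted above, in its exception-swallowing form and in a form that lets LoginException reach the caller. The class names, the logger and the UserNotYetActivatedException subclass are assumed for the example.

```java
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical helper mirroring the shape of JaasSecurityManager.authenticate();
// not the project's own code.
public class AuthenticateExample {
    private static final Logger log = Logger.getLogger(AuthenticateExample.class.getName());

    /** Descriptive failure type, modelled on the LoginException descendants described in the comment. */
    public static class UserNotYetActivatedException extends LoginException {
        public UserNotYetActivatedException(String msg) { super(msg); }
    }

    // Before: every failure collapses to "false"; the caller cannot tell why login failed.
    static boolean authenticateSwallowing(LoginContext lc) {
        try {
            lc.login();
            return true;
        } catch (Exception ex) {
            ex.printStackTrace();
            return false;
        }
    }

    // After: a LoginException from the login modules propagates to the caller,
    // while unexpected runtime errors are logged and still fail closed.
    static boolean authenticatePropagating(LoginContext lc) throws LoginException {
        try {
            lc.login();
            return true;
        } catch (LoginException ex) {
            log.log(Level.FINE, "login module rejected the login attempt", ex);
            throw ex; // let the descriptive exception reach the client code
        } catch (RuntimeException ex) {
            log.log(Level.SEVERE, "unexpected error inside a login module", ex);
            return false;
        }
    }

    // Caller (UI side): decide per exception type which reason is shown to the user.
    static String describe(LoginContext lc) {
        try {
            return authenticatePropagating(lc) ? "ok" : "internal error";
        } catch (UserNotYetActivatedException ex) {
            return "use the link below to activate your account";
        } catch (LoginException ex) {
            return "login failed"; // one generic message for credential failures
        }
    }
}
```

The caller, not the security manager, chooses which reasons to surface: exposing "wrong password" separately from "no such user" lets an outsider enumerate valid accounts, so the example maps only the account-activation case to a specific message.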