[
https://issues.jboss.org/browse/SECURITY-709?page=com.atlassian.jira.plug...
]
Anil Saldhana commented on SECURITY-709:
----------------------------------------
Our authentication is not coupled either to the web container or LDAP server. What decides
is the security domain. The security domain defines a bunch of login modules. So when
JAAS system throws an loginexception, we return either true/false as to the status of the
authentication process. The web container's security uses this true/false to either
proceed to authorization checks or return 401 (case of BASIC, SPNego usecases).
Yi, we cannot accept this JIRA request.
Auth. using LdapLoginModule does not return HTTP 500 when the LDAP
server not available
---------------------------------------------------------------------------------------
Key: SECURITY-709
URL:
https://issues.jboss.org/browse/SECURITY-709
Project: PicketBox
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: PicketBox
Affects Versions: PicketBox_v4_0_7
Reporter: Yi Chen
Assignee: Anil Saldhana
I am using the LdapLoginModule from PicketBox in JBoss AS 7.1.1 to enable authentication
against our company's LDAP server. However, I always get a HTTP 401 back no matter
what kind of problem caused the authentication failure. Tracing through the Picketbox and
JBoss code, I found that the problem seems to be from the private method
"proceedWithJaasLogin" in "JBossCachedAuthenticationManager". At the
end of this method:
...
catch (LoginException e)
{
// Don't log anonymous user failures unless trace level logging is on
if (principal != null && principal.getName() != null || trace)
log.error("Login failure", e);
authException = e;
}
// Set the security association thread context info exception
SubjectActions.setContextInfo("org.jboss.security.exception",
authException);
return authenticated;
}
So basically, whatever exception that was sent up from the login modules is simply store
in the thread context. The methods then simply returns true or false to indicate whether
an authentication is successful or not. Whatever exception is store in the thread context
doesn't appear to be used to generate a more appropriate error code to the client.
Steps to reproduce:
Just set up a LdapLoginModule and verify that it can be used to authenticate some users
for a web application. Then shut down the LDAP server and try again. The client of the web
application will always get back HTTP 401.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira