[JBoss JIRA] Created: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
6:56 a.m.
JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or at least
re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
6:58 a.m.
New subject: [JBoss JIRA] Updated: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
[
https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.p...
]
egor kolesnikov updated SECURITY-278:
-------------------------------------
Description:
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should at
least re-throw) it and allow the exception to reach the client code.
was:
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or at least
re-throw) it and allow the exception to reach the client code.
JaasSecurityManager should not "swallow" LoginExceptions
thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:41 a.m.
New subject: [JBoss JIRA] Closed: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
[
https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.p...
]
Anil Saldhana closed SECURITY-278.
----------------------------------
Resolution: Rejected
I do not think this code url that you refer is the right one. The code that you show is
very very old (probably JBoss 3.0.x days). The correct one is:
http://anonsvn.jboss.org/repos/jbossas/branches/Branch_4_2/security/src/m...
JaasSecurityManager should not "swallow" LoginExceptions
thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
11:44 p.m.
New subject: [JBoss JIRA] Reopened: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
[
https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.p...
]
egor kolesnikov reopened SECURITY-278:
--------------------------------------
Anil,
The "new" code does not re-throw LoginException also, it just stores is within
the SubjectActions object.
JaasSecurityManager should not "swallow" LoginExceptions
thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:49 a.m.
New subject: [JBoss JIRA] Commented: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
[
https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.p...
]
Anil Saldhana commented on SECURITY-278:
----------------------------------------
http://anonsvn.jboss.org/repos/jbossas/branches/Branch_4_2/security/src/m...
That is the interface/contract implemented by JaasSecurityManager. It uses JAAS as an
internal detail. So there is no expectation of an exception here.
What really is needed is SEAM to generate events when authentication failed (when the
return value is false).
JaasSecurityManager should not "swallow" LoginExceptions
thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
12:18 a.m.
New subject: [JBoss JIRA] Commented: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
[
https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.p...
]
egor kolesnikov commented on SECURITY-278:
------------------------------------------
Anil,
Following the JAAS specification, our team had implemented few LoginException descendants:
WrongUserNamePasswordException, UserNotYetActivatedException, UserAccountBlockedException,
UserDeletedException. We were going to catch them on the client side, inform user about
the exact failure reason and provide him the descriptive message (like "use the link
below to activate your account" or "your account has been blocked because of
..." etc).
Due to the problem described, we've found out that there is no way to pass these
descriptive exceptions from JAAS LoginModule to the UI, because JaasSecurityManager simply
returns "false" if there were any exceptions.
JaasSecurityManager should not "swallow" LoginExceptions
thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
8:22 a.m.
New subject: [JBoss JIRA] Commented: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
[
https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.p...
]
Anil Saldhana commented on SECURITY-278:
----------------------------------------
There are two options:
1) You can get the LoginException from
org.jboss.security.SecurityAssociation.getContextInfo(""org.jboss.security.exception")
right after you have done the auth.
2) Since your login modules are generating the application specific exceptions, you can
have a threadlocal variable in a custom class such as:
public class ApplicationAuthStatus
{
public static ThreadLocal<Exception> exception;
}
Now in your login module where you generate the custom exception,
ApplicationAuthStatus.exception.put(LoginException);
In your application, you can do the following on the return of false from
JaasSecurityManager
LoginException le = ApplicationAuthStatus.exception.get()
I would suggest approach 2.
JaasSecurityManager should not "swallow" LoginExceptions
thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
10:42 a.m.
New subject: [JBoss JIRA] Updated: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
[
https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.p...
]
Anil Saldhana updated SECURITY-278:
-----------------------------------
Fix Version/s: 2.0.4.GA
JaasSecurityManager should not "swallow" LoginExceptions
thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: 2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
Fix For: 2.0.4.GA
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
3 p.m.
New subject: [JBoss JIRA] Closed: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
[
https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.p...
]
Anil Saldhana closed SECURITY-278.
----------------------------------
Resolution: Won't Fix
JaasSecurityManager should not "swallow" LoginExceptions
thrown by LoginModules
-------------------------------------------------------------------------------
Key: SECURITY-278
URL: https://jira.jboss.org/jira/browse/SECURITY-278
Project: JBoss Security and Identity Management
Issue Type: Bug
Security Level: Public(Everyone can see)
Affects Versions: JBossSecurity_2.0.2.GA
Environment: JBoss AS 4.2.2.GA
Reporter: egor kolesnikov
Assignee: Anil Saldhana
Fix For: JBossSecurity_2.0.4
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/o...
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential)
has the following block:
try {
// call login modules and authenticate
} catch (Exception ex) {
ex.printStackTrace();
return false;
}
Disregarding the fact that "ex.printStackTrace()" is a definitely bad code
style, swallowing all exceptions violates the JAAS specifications regarding the fact that
login modules could return false or throw LoginException if login attempt has failed (see
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModu... for
details). This also affects Jboss SEAM framework which raises special event if
LoginException has been thrown.
Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false
without any additional checks.
Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should
at least re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
5571
days inactive
5872
days old
8 comments
2 participants
participants (2)
-
Anil Saldhana (JIRA) -
egor kolesnikov (JIRA)