Shane Bryzak commented on JBSEAM-2165:
--------------------------------------
As a note for anyone reading this issue - even after this fix was applied (this was a
valid issue) there is still no guarantee about how many times the authenticator method
will be invoked during a single request. See the security chapter of the Seam ref docs
for details.
Authenticator method invoked twice when login fails
---------------------------------------------------
Key: JBSEAM-2165
URL: http://jira.jboss.com/jira/browse/JBSEAM-2165
Project: JBoss Seam
Issue Type: Bug
Components: Security
Affects Versions: 2.0.0.CR3
Reporter: Yannick Lazzari
Assigned To: Shane Bryzak
Priority: Minor
Fix For: 2.0.1.CR1
The default behaviour of the isLoggedIn method in the Identity class is to pass the
attemptLogin flag as true. Because of that, when authentication fails, it always calls the
authenticator method twice. See the code of the authenticate() method below:
public void authenticate()
    throws LoginException
{
    // If we're already authenticated, then don't authenticate again
    // (the no-arg isLoggedIn() delegates to isLoggedIn(true))
    if (!isLoggedIn())
    {
        authenticate( getLoginContext() );
    }
}

public boolean isLoggedIn(boolean attemptLogin)
{
    // With attemptLogin == true and no principal yet, this runs a quiet login
    // once per event context before the caller's own authenticate() runs
    if (!authenticating && attemptLogin && getPrincipal() == null
        && isCredentialsSet() &&
        Contexts.isEventContextActive() &&
        !Contexts.getEventContext().isSet(LOGIN_TRIED))
    {
        Contexts.getEventContext().set(LOGIN_TRIED, true);
        quietLogin();
    }
    // If there is a principal set, then the user is logged in.
    return getPrincipal() != null;
}

public void authenticate(LoginContext loginContext)
    throws LoginException
{
    try
    {
        // authenticating is only true while the JAAS login is in progress
        authenticating = true;
        preAuthenticate();
        loginContext.login();
        postAuthenticate();
    }
    finally
    {
        authenticating = false;
    }
}
The first reference to isLoggedIn tries to log the user in. When it fails, it goes into the if
block and tries to authenticate the user for a second time before failing again. I could
fix this on my end by overriding the isLoggedIn() method in my own Identity component and
passing the attemptLogin flag as false. Before doing so, I thought that perhaps a fix
could be done at a higher level, i.e. in the Identity class of Seam itself. The way I see
it, 2 things could be done:
1. In the authenticate() method, invoke the isLoggedIn method with false.
2. Look into the management of the authenticating class member; there might be something
wrong. It's only set to true at the beginning of the authenticate(LoginContext)
method. If you look at the logic in the isLoggedIn(boolean) method, when it winds up being
invoked at the beginning of the authenticate(), the authenticating flag is false, the
attemptLogin flag is true, I don't have a principal yet (I'm trying to login for
the first time) and my credentials are set (the user just provided his username and
password).
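The control flow described in the report, reproduced as an added stand-alone example (this is not Seam code and not the reporter's code). It models Identity with a counter on the authenticator method and runs a login that is constructed to fail, once through the original authenticate() (isLoggedIn() defaulting attemptLogin to true) and once through suggestion 1 from the report (isLoggedIn(false)). The Authenticator interface, the HashMap standing in for the event context, the body of quietLogin (assumed to call authenticate() and swallow the LoginException) and the credentials are all assumptions made for the demonstration.

```java
import javax.security.auth.login.LoginException;
import java.util.HashMap;
import java.util.Map;

/** Hypothetical stand-in for Seam's Identity; only the paths quoted in the report are modelled. */
public class DoubleAuthDemo {

    /** Stand-in for the application's authenticator method (assumed interface). */
    interface Authenticator { boolean authenticate(String user, String password); }

    static class Identity {
        private static final String LOGIN_TRIED = "loginTried"; // constructed key name
        private final Authenticator authenticator;
        private final Map<String, Object> eventContext = new HashMap<>(); // stand-in for the event context
        private boolean authenticating;
        private String principal;
        private String username, password;
        int authenticatorCalls; // how many times the authenticator ran during this "request"

        Identity(Authenticator authenticator) { this.authenticator = authenticator; }

        void setCredentials(String u, String p) { username = u; password = p; }
        boolean isCredentialsSet() { return username != null && password != null; }
        String getPrincipal() { return principal; }

        /** Default in the reported version: attemptLogin is true. */
        boolean isLoggedIn() { return isLoggedIn(true); }

        boolean isLoggedIn(boolean attemptLogin) {
            if (!authenticating && attemptLogin && getPrincipal() == null
                    && isCredentialsSet() && !eventContext.containsKey(LOGIN_TRIED)) {
                eventContext.put(LOGIN_TRIED, Boolean.TRUE);
                quietLogin();
            }
            return getPrincipal() != null;
        }

        /** Assumed body: try a login and stay quiet about the failure. */
        void quietLogin() {
            try {
                authenticate();
            } catch (LoginException ignored) {
                // quiet login: the failure is swallowed here, so the caller tries again
            }
        }

        /** The authenticate() quoted in the report (before the fix). */
        void authenticate() throws LoginException {
            if (!isLoggedIn()) {
                authenticate(new Object()); // stand-in for getLoginContext()
            }
        }

        /** Suggestion 1 from the report: do not attempt a login from inside authenticate(). */
        void authenticateFixed() throws LoginException {
            if (!isLoggedIn(false)) {
                authenticate(new Object());
            }
        }

        /** Stand-in for authenticate(LoginContext): the JAAS login invokes the authenticator method. */
        void authenticate(Object loginContext) throws LoginException {
            try {
                authenticating = true;
                authenticatorCalls++;
                if (authenticator.authenticate(username, password)) {
                    principal = username;
                } else {
                    throw new LoginException("Login failed");
                }
            } finally {
                authenticating = false;
            }
        }
    }

    /** Runs one failing login through either path and reports how often the authenticator ran. */
    static int failedLoginAuthenticatorCalls(boolean useFix) {
        Authenticator alwaysReject = (u, p) -> false;   // constructed: every login fails
        Identity identity = new Identity(alwaysReject);
        identity.setCredentials("alice", "wrong-password"); // constructed sample credentials
        try {
            if (useFix) {
                identity.authenticateFixed();
            } else {
                identity.authenticate();
            }
        } catch (LoginException expected) {
            // the login is meant to fail; only the invocation count matters here
        }
        return identity.authenticatorCalls;
    }

    public static void main(String[] args) {
        System.out.println("authenticator calls, original authenticate(): " + failedLoginAuthenticatorCalls(false));
        System.out.println("authenticator calls, isLoggedIn(false) variant: " + failedLoginAuthenticatorCalls(true));
    }
}
```

Compile and run with `javac DoubleAuthDemo.java && java DoubleAuthDemo`: the original path shows the authenticator running twice for one failed login, the isLoggedIn(false) variant once. The practical takeaway, which also follows from the comment at the top of this issue, is that the authenticator method is not a reliable place to count failed attempts or to emit one audit record per login: anything keyed on "one invocation per request" should live in request-scoped code instead.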
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: