[jboss-jira] [JBoss JIRA] Updated: (JBAS-4209) DatabaseServerLoginModule fails if no roles are found
Scott M Stark (JIRA)
jira-events at lists.jboss.org
Fri Mar 16 22:15:32 EDT 2007
[ http://jira.jboss.com/jira/browse/JBAS-4209?page=all ]
Scott M Stark updated JBAS-4209:
--------------------------------
Issue Type: Feature Request (was: Bug)
This is a legacy design from when the login module was used to return both authentication and authorization info. There should be a flag to disable the exception.
> DatabaseServerLoginModule fails if no roles are found
> -----------------------------------------------------
>
> Key: JBAS-4209
> URL: http://jira.jboss.com/jira/browse/JBAS-4209
> Project: JBoss Application Server
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.0.5.GA
> Environment: JBoss 4.0.5.GA, JDK 1.6.0, Windows & Linux
> Reporter: Felix Ho?feld
> Assigned To: Scott M Stark
> Original Estimate: 1 hour
> Remaining Estimate: 1 hour
>
> I have a problem using the DatabaseServerLoginModule. Login fails during commit() if no roles are defined for a user. The relevant part is in Util.getRoleSets(...):
> rs = ps.executeQuery();
> if( rs.next() == false )
> {
> if( trace )
> log.trace("No roles found");
> if( aslm.getUnauthenticatedIdentity() == null )
> throw new FailedLoginException("No matching username found in Roles");
> /* We are running with an unauthenticatedIdentity so create an
> empty Roles set and return.
> */
> Group[] roleSets = { new SimpleGroup("Roles") };
> return roleSets;
> }
> Why is an exception thrown if no roles are returned? At this point the user has authenticated himself. According to the JAAS contract (http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#commit) an exceptions should be thrown if the method fails. In my opinion it is not a failure if no roles are assigned so it should just return an empty role set.
> So I suggest to just remove the following lines:
> if( aslm.getUnauthenticatedIdentity() == null )
> throw new FailedLoginException("No matching username found in Roles");
> However, I admit that this might have a security impact on existing sites that rely on failed authentications if no roles are found so it is probably too late to introduce this change. If it is changed a prominent notice in the documentaion would be necessary.
> Regards
> Felix
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list