[jboss-jira] [JBoss JIRA] Commented: (JBAS-4209) DatabaseServerLoginModule fails if no roles are found

Felix Ho?feld (JIRA) jira-events at lists.jboss.org
Sat Mar 17 08:35:32 EDT 2007 

    [ http://jira.jboss.com/jira/browse/JBAS-4209?page=comments#action_12356444 ] 
            
Felix Ho?feld commented on JBAS-4209:
-------------------------------------

Shall I supply a patch?

If so what should the flag be called?

Regards

Felix

> DatabaseServerLoginModule fails if no roles are found
> -----------------------------------------------------
>
>                 Key: JBAS-4209
>                 URL: http://jira.jboss.com/jira/browse/JBAS-4209
>             Project: JBoss Application Server
>          Issue Type: Feature Request
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: JBossAS-4.0.5.GA
>         Environment: JBoss 4.0.5.GA, JDK 1.6.0, Windows & Linux
>            Reporter: Felix Ho?feld
>         Assigned To: Scott M Stark
>   Original Estimate: 1 hour
>  Remaining Estimate: 1 hour
>
> I have a problem using the DatabaseServerLoginModule. Login fails during commit() if no roles are defined for a user. The relevant part is in Util.getRoleSets(...):
>          rs = ps.executeQuery();
>          if( rs.next() == false )
>          {
>             if( trace )
>                log.trace("No roles found");
>             if( aslm.getUnauthenticatedIdentity() == null )
>                throw new FailedLoginException("No matching username found in Roles");
>             /* We are running with an unauthenticatedIdentity so create an
>                empty Roles set and return.
>             */
>             Group[] roleSets = { new SimpleGroup("Roles") };
>             return roleSets;
>          }
> Why is an exception thrown if no roles are returned? At this point the user has authenticated himself. According to the JAAS contract (http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#commit) an exceptions should be thrown if the method fails. In my opinion it is not a failure if no roles are assigned so it should just return an empty role set.
> So I suggest to just remove the following lines:
>   if( aslm.getUnauthenticatedIdentity() == null )
>                 throw new FailedLoginException("No matching username found in Roles");
> However, I admit that this might have a security impact on existing sites that rely on failed authentications if no roles are found so it is probably too late to introduce this change. If it is changed a prominent notice in the documentaion would be necessary.
> Regards
> Felix

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list