[jboss-jira] [JBoss JIRA] Closed: (JBAS-5802) BaseConnectionManager2 does not propagate or log authentication exception cause

Adrian Brock (JIRA) jira-events at lists.jboss.org
Mon Jul 28 08:39:45 EDT 2008


     [ https://jira.jboss.org/jira/browse/JBAS-5802?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adrian Brock closed JBAS-5802.
------------------------------

    Resolution: Rejected
      Assignee:     (was: Jesper Pedersen)


Use the forums before raising spurious bug reports.

It would be totally unacceptable to "leak" authentication reasons as stacktraces
to users. That would open up all sorts of security holes in the event the error message
(from whoever wrote the login module) contained important information.

JBoss simply does the "hollywood" style

ACCESS DENIED

Although not in so many words. ;-)

This information can be obtained by enabling TRACE logging for org.jboss.security,
see the FAQ or its forum for more info, e.g. auditing access attempts.

> BaseConnectionManager2 does not propagate or log authentication exception cause
> -------------------------------------------------------------------------------
>
>                 Key: JBAS-5802
>                 URL: https://jira.jboss.org/jira/browse/JBAS-5802
>             Project: JBoss Application Server
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: JCA service, Security
>    Affects Versions: JBossAS-4.2.2.GA
>         Environment: JBoss AS 4.3.0 / 4.2.2, DB2 XA-Connection errors
>            Reporter: Carsten Mjartan
>
> In org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(), the following code handles authentication errors while obtaining a new database connection from the pool:
>         ...
>          if (securityDomain.isValid(principal, credential, subject) == false)
>             throw new SecurityException("Invalid authentication attempt, principal=" + principal);
>         ...
> If there are errors during authentication, they are not logged or rethrown like it's done in AuthenticationInterceptor:
>         ...
>         if (authenticationManager.isValid(principal, credential, subject) == false)
>          {
>             // Check for the security association exception
>             Exception ex = SecurityActions.getContextException();
>             if (ex != null)
>                throw ex;
>         ...
> In our case, we had a bug in our login-config for the security domain being used for the database connections. The real exception came from the LoginModule's initialize method, but the only message we got is a SecurityException with 'Invalid authentication attempt'. 
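The disagreement in this thread is about where the login module's real failure reason should go: into the exception the caller receives (what the reporter wanted) or only into a server-side TRACE/audit log (what the maintainer insists on). The following is an added example, not JBoss code, contrasting the two patterns with a hypothetical `Authenticator` interface standing in for the security domain's `isValid` check. The `org.example.security` logger name, the `authenticateLeaky`/`authenticateHardened` method names and the constructed misconfiguration exception are all assumptions made for illustration.

```java
import java.util.logging.ConsoleHandler;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical stand-in for the security domain / authentication manager.
// A real login module may throw from initialize() or login(), which is the
// case the reporter hit with a broken login-config.
interface Authenticator {
    boolean isValid(String principal, Object credential) throws Exception;
}

public class ConnectionAuthExample {

    // Assumed logger name; plays the role of the org.jboss.security TRACE
    // category the maintainer points to for auditing access attempts.
    private static final Logger AUDIT = Logger.getLogger("org.example.security");

    // Message the caller gets in both the valid-but-rejected and the
    // login-module-blew-up case; deliberately carries no reason.
    private static String denied(String principal) {
        return "Invalid authentication attempt, principal=" + principal;
    }

    // Leaky variant: the login module's own message and stack trace are
    // chained onto the exception that reaches the caller. Anything the module
    // author put in that message (config paths, JNDI names, backend errors)
    // now reaches whoever triggered the connection request.
    static void authenticateLeaky(Authenticator auth, String principal, Object credential) {
        try {
            if (!auth.isValid(principal, credential))
                throw new SecurityException(denied(principal));
        } catch (SecurityException e) {
            throw e;
        } catch (Exception cause) {
            throw new SecurityException("Authentication failed: " + cause.getMessage(), cause);
        }
    }

    // Hardened variant: the detailed cause is recorded only in the server-side
    // audit log at the finest level, and the caller sees the constant message
    // with no cause attached. Operators enable the fine-grained level when they
    // need to debug a login-config problem; clients never see the reason.
    static void authenticateHardened(Authenticator auth, String principal, Object credential) {
        try {
            if (!auth.isValid(principal, credential)) {
                AUDIT.log(Level.FINEST, "authentication rejected for principal=" + principal);
                throw new SecurityException(denied(principal));
            }
        } catch (SecurityException e) {
            throw e;
        } catch (Exception cause) {
            // Full cause (message + stack trace) goes to the audit log only.
            AUDIT.log(Level.FINEST, "login module failure for principal=" + principal, cause);
            throw new SecurityException(denied(principal));
        }
    }

    public static void main(String[] args) {
        // Route FINEST records to the console so the server-side view is visible
        // in this demo; in a real deployment this is the TRACE switch an operator flips.
        AUDIT.setLevel(Level.FINEST);
        ConsoleHandler handler = new ConsoleHandler();
        handler.setLevel(Level.FINEST);
        AUDIT.addHandler(handler);
        AUDIT.setUseParentHandlers(false);

        // Constructed: a login module whose initialize() fails because of a
        // misconfigured login-config, mirroring the reporter's situation.
        Authenticator broken = (principal, credential) -> {
            throw new IllegalStateException("constructed: login-config option missing for the XA datasource domain");
        };

        try {
            authenticateLeaky(broken, "app-user", "secret");
        } catch (SecurityException e) {
            // Caller-visible: the module's message and a chained cause.
            System.out.println("leaky    -> " + e.getMessage() + " | cause=" + e.getCause());
        }

        try {
            authenticateHardened(broken, "app-user", "secret");
        } catch (SecurityException e) {
            // Caller-visible: constant message, cause is null; the reason
            // appeared only in the FINEST audit record printed above.
            System.out.println("hardened -> " + e.getMessage() + " | cause=" + e.getCause());
        }
    }
}
```

The check worth keeping in mind when reviewing code like `BaseConnectionManager2.getSubject()` is `e.getCause()` on the exception that leaves the security boundary: if it is non-null, the login module's internals are travelling with it. The hardened variant keeps that at `null` and moves the detail to a log category that is off by default, which is exactly the trade-off the closing comment describes.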
