[jboss-jira] [JBoss JIRA] Updated: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules

egor kolesnikov (JIRA) jira-events at lists.jboss.org
Tue Oct 7 07:58:20 EDT 2008 

     [ https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

egor kolesnikov updated SECURITY-278:
-------------------------------------

    Description: 
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/org/jboss/security/plugins/JaasSecurityManager.java?annotate=1091&pathrev=1091

JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential) has the following block:

try {

// call login modules and authenticate

 } catch (Exception ex) {
    ex.printStackTrace();
    return false;
}

Disregarding the fact that "ex.printStackTrace()" is a definitely bad code style, swallowing all exceptions violates the JAAS specifications regarding the fact that login modules could return false or throw LoginException if login attempt has failed (see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModule.html for details). This also affects Jboss SEAM framework which raises special event if LoginException has been thrown.

Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false without any additional checks.

Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or should at least re-throw) it and allow the exception to reach the client code.

  was:
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/org/jboss/security/plugins/JaasSecurityManager.java?annotate=1091&pathrev=1091

JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential) has the following block:

try {

// call login modules and authenticate

 } catch (Exception ex) {
    ex.printStackTrace();
    return false;
}

Disregarding the fact that "ex.printStackTrace()" is a definitely bad code style, swallowing all exceptions violates the JAAS specifications regarding the fact that login modules could return false or throw LoginException if login attempt has failed (see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModule.html for details). This also affects Jboss SEAM framework which raises special event if LoginException has been thrown.

Observed behavior:
When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false without any additional checks.

Expected behavior:
When LoginModule throws LoginException, JaasSecurityManager should not catch (or at least re-throw) it and allow the exception to reach the client code.



> JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
> -------------------------------------------------------------------------------
>
>                 Key: SECURITY-278
>                 URL: https://jira.jboss.org/jira/browse/SECURITY-278
>             Project: JBoss Security and Identity Management
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 2.0.2.GA
>         Environment: JBoss AS 4.2.2.GA
>            Reporter: egor kolesnikov
>            Assignee: Anil Saldhana
>
> http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/org/jboss/security/plugins/JaasSecurityManager.java?annotate=1091&pathrev=1091
> JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential) has the following block:
> try {
> // call login modules and authenticate
>  } catch (Exception ex) {
>     ex.printStackTrace();
>     return false;
> }
> Disregarding the fact that "ex.printStackTrace()" is a definitely bad code style, swallowing all exceptions violates the JAAS specifications regarding the fact that login modules could return false or throw LoginException if login attempt has failed (see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModule.html for details). This also affects Jboss SEAM framework which raises special event if LoginException has been thrown.
> Observed behavior:
> When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false without any additional checks.
> Expected behavior:
> When LoginModule throws LoginException, JaasSecurityManager should not catch (or should at least re-throw) it and allow the exception to reach the client code.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list