[jboss-jira] [JBoss JIRA] Closed: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Tue Oct 7 08:41:21 EDT 2008 

     [ https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anil Saldhana closed SECURITY-278.
----------------------------------

    Resolution: Rejected


I do not think this code url that you refer is the right one.  The code that you show is very very old (probably JBoss 3.0.x days).  The correct one is:

http://anonsvn.jboss.org/repos/jbossas/branches/Branch_4_2/security/src/main/org/jboss/security/plugins/JaasSecurityManager.java

> JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
> -------------------------------------------------------------------------------
>
>                 Key: SECURITY-278
>                 URL: https://jira.jboss.org/jira/browse/SECURITY-278
>             Project: JBoss Security and Identity Management
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 2.0.2.GA
>         Environment: JBoss AS 4.2.2.GA
>            Reporter: egor kolesnikov
>            Assignee: Anil Saldhana
>
> http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/org/jboss/security/plugins/JaasSecurityManager.java?annotate=1091&pathrev=1091
> JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential) has the following block:
> try {
> // call login modules and authenticate
>  } catch (Exception ex) {
>     ex.printStackTrace();
>     return false;
> }
> Disregarding the fact that "ex.printStackTrace()" is a definitely bad code style, swallowing all exceptions violates the JAAS specifications regarding the fact that login modules could return false or throw LoginException if login attempt has failed (see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModule.html for details). This also affects Jboss SEAM framework which raises special event if LoginException has been thrown.
> Observed behavior:
> When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false without any additional checks.
> Expected behavior:
> When LoginModule throws LoginException, JaasSecurityManager should not catch (or should at least re-throw) it and allow the exception to reach the client code.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list