[jboss-jira] [JBoss JIRA] Commented: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Wed Oct 8 08:49:21 EDT 2008
[ https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12433041#action_12433041 ]
Anil Saldhana commented on SECURITY-278:
----------------------------------------
http://anonsvn.jboss.org/repos/jbossas/branches/Branch_4_2/security/src/main/org/jboss/security/AuthenticationManager.java
That is the interface/contract implemented by JaasSecurityManager. It uses JAAS as an internal detail. So there is no expectation of an exception here.
What is really needed is for SEAM to generate events when authentication fails (when the return value is false).
> JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
> -------------------------------------------------------------------------------
>
> Key: SECURITY-278
> URL: https://jira.jboss.org/jira/browse/SECURITY-278
> Project: JBoss Security and Identity Management
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Affects Versions: 2.0.2.GA
> Environment: JBoss AS 4.2.2.GA
> Reporter: egor kolesnikov
> Assignee: Anil Saldhana
>
> http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/org/jboss/security/plugins/JaasSecurityManager.java?annotate=1091&pathrev=1091
> JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential) has the following block:
> try {
>     // call login modules and authenticate
> } catch (Exception ex) {
>     ex.printStackTrace();
>     return false;
> }
> Disregarding the fact that "ex.printStackTrace()" is definitely bad code style, swallowing all exceptions violates the JAAS specification regarding the fact that login modules could return false or throw LoginException if a login attempt has failed (see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModule.html for details). This also affects the JBoss SEAM framework, which raises a special event if a LoginException has been thrown.
> Observed behavior:
> When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false without any additional checks.
> Expected behavior:
> When LoginModule throws LoginException, JaasSecurityManager should not catch (or should at least re-throw) it and allow the exception to reach the client code.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
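An added example, not JBoss code and not the JaasSecurityManager source linked in the issue, that runs the two contracts discussed above side by side against a constructed LoginModule: the try/catch pattern quoted in the issue, which turns every failure into "false" and loses the reason, and a variant that keeps the boolean AuthenticationManager contract Anil describes but retains the LoginException so a caller such as SEAM could raise its authentication-failed event. DemoLoginModule, the in-memory Configuration, the user names "alice" and "locked", the password "secret" and the Outcome type are all hypothetical constructions for this example.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import java.util.Collections;
import java.util.Map;

public class LoginExceptionDemo {

    /** Hypothetical module following the LoginModule contract: true, false ("ignore me") or throw. */
    public static class DemoLoginModule implements LoginModule {
        private CallbackHandler handler;
        private boolean succeeded;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                // Credentials could not be collected at all: an error, not a plain "false".
                throw new LoginException("callback failed: " + e.getMessage());
            }
            String user = nc.getName();
            char[] pass = pc.getPassword();
            pc.clearPassword();
            if (user == null || user.isEmpty()) return false;      // module asks to be ignored
            if ("locked".equals(user)) throw new LoginException("account locked: " + user);
            succeeded = "alice".equals(user) && "secret".equals(new String(pass));
            if (!succeeded) throw new FailedLoginException("bad credentials for " + user);
            return true;
        }
        public boolean commit() { return succeeded; }
        public boolean abort()  { succeeded = false; return true; }
        public boolean logout() { succeeded = false; return true; }
    }

    /** In-memory JAAS Configuration so the example needs no login.config file. */
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                DemoLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                Collections.<String, Object>emptyMap()) };
        }
    };

    static CallbackHandler credentials(String user, char[] pass) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass);
            }
        };
    }

    /** The pattern quoted in the issue: every exception becomes "false" and the cause is gone. */
    static boolean swallowingAuthenticate(String user, char[] pass) {
        try {
            new LoginContext("demo", new Subject(), credentials(user, pass), CONFIG).login();
            return true;
        } catch (Exception ex) {
            return false;
        }
    }

    /** Boolean outcome that also carries the LoginException (null on success). */
    static final class Outcome {
        final boolean authenticated;
        final LoginException failure;
        Outcome(boolean ok, LoginException f) { authenticated = ok; failure = f; }
    }

    /** Same boolean contract, but the LoginException is kept so the caller can raise an event. */
    static Outcome preservingAuthenticate(String user, char[] pass) {
        try {
            new LoginContext("demo", new Subject(), credentials(user, pass), CONFIG).login();
            return new Outcome(true, null);
        } catch (LoginException ex) {
            return new Outcome(false, ex);
        }
    }

    public static void main(String[] args) {
        String[][] attempts = { {"alice", "secret"}, {"alice", "wrong"}, {"locked", "x"} };
        for (String[] a : attempts) {
            Outcome o = preservingAuthenticate(a[0], a[1].toCharArray());
            System.out.printf("%-6s swallowing=%-5s preserving=%-5s cause=%s%n", a[0],
                swallowingAuthenticate(a[0], a[1].toCharArray()), o.authenticated,
                o.failure == null ? "-" : o.failure.getClass().getSimpleName() + ": " + o.failure.getMessage());
        }
    }
}
```

Run with `javac LoginExceptionDemo.java && java LoginExceptionDemo`. The swallowing variant answers "false" for both the wrong password and the locked account, so nothing downstream can tell them apart; the preserving variant returns the same boolean but hands back the FailedLoginException or LoginException that LoginContext rethrows for a REQUIRED module, which is the information a framework event would need.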