[jboss-jira] [JBoss JIRA] Commented: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules

egor kolesnikov (JIRA) jira-events at lists.jboss.org
Thu Oct 9 01:18:21 EDT 2008


    [ https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12433183#action_12433183 ] 

egor kolesnikov commented on SECURITY-278:
------------------------------------------

Anil, 

Following the JAAS specification, our team had implemented a few LoginException descendants: WrongUserNamePasswordException, UserNotYetActivatedException, UserAccountBlockedException, UserDeletedException. We were going to catch them on the client side, inform the user about the exact failure reason and provide a descriptive message (like "use the link below to activate your account" or "your account has been blocked because of ..." etc).
Due to the problem described, we've found out that there is no way to pass these descriptive exceptions from JAAS LoginModule to the UI, because JaasSecurityManager simply returns "false" if there were any exceptions.

> JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
> -------------------------------------------------------------------------------
>
>                 Key: SECURITY-278
>                 URL: https://jira.jboss.org/jira/browse/SECURITY-278
>             Project: JBoss Security and Identity Management
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 2.0.2.GA
>         Environment: JBoss AS 4.2.2.GA
>            Reporter: egor kolesnikov
>            Assignee: Anil Saldhana
>
> http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/org/jboss/security/plugins/JaasSecurityManager.java?annotate=1091&pathrev=1091
> JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential) has the following block:
> try {
> // call login modules and authenticate
>  } catch (Exception ex) {
>     ex.printStackTrace();
>     return false;
> }
> Disregarding the fact that "ex.printStackTrace()" is definitely bad code style, swallowing all exceptions violates the JAAS specification, which states that login modules may return false or throw a LoginException if a login attempt has failed (see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModule.html for details). This also affects the JBoss Seam framework, which raises a special event if a LoginException has been thrown.
> Observed behavior:
> When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false without any additional checks.
> Expected behavior:
> When LoginModule throws LoginException, JaasSecurityManager should not catch (or should at least re-throw) it and allow the exception to reach the client code.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
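The catch-all pattern quoted in the ticket beside the propagating form the ticket asks for, as an added Java example written for this page (constructed here, not JBoss or the reporter's code): LoginOutcomeDemo, BlockingModule and UserAccountBlockedException are hypothetical names, and the in-memory Configuration stands in for a login.config file.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class LoginOutcomeDemo {
    // Hypothetical descriptive exception, standing in for the reporter's own subclasses.
    public static class UserAccountBlockedException extends LoginException {
        public UserAccountBlockedException(String msg) { super(msg); }
    }
    // Constructed LoginModule that always fails with the descriptive subclass.
    public static class BlockingModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) {}
        public boolean login() throws LoginException { throw new UserAccountBlockedException("account blocked"); }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // In-memory JAAS configuration so the example needs no login.config file.
    static final Configuration CONFIG = new Configuration() {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                BlockingModule.class.getName(), LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
        }
    };
    // The pattern quoted in the ticket: every failure collapses to "false".
    static boolean authenticateSwallowing(LoginContext lc) {
        try { lc.login(); return true; }
        catch (Exception ex) { ex.printStackTrace(); return false; }
    }
    // Expected behaviour: LoginException and its subclasses reach the caller intact
    // (LoginContext rethrows the REQUIRED module's own exception object).
    static boolean authenticatePropagating(LoginContext lc) throws LoginException {
        lc.login();
        return true;
    }
    public static void main(String[] args) throws LoginException {
        LoginContext lc = new LoginContext("demo", new Subject(), null, CONFIG);
        System.out.println("swallowing: " + authenticateSwallowing(lc)); // only a boolean comes back; the subtype is gone
        try { authenticatePropagating(lc); }
        catch (UserAccountBlockedException e) { System.out.println("propagating: " + e.getMessage()); } // caller can branch on the subtype
    }
}
```

Which failure reasons are then shown to the end user is a separate decision for the UI layer; the point here is only that the subtype is no longer lost at the security manager boundary.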
