[jboss-jira] [JBoss JIRA] Commented: (SECURITY-278) JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules

Anil Saldhana (JIRA) jira-events at lists.jboss.org
Thu Oct 9 09:22:21 EDT 2008 

    [ https://jira.jboss.org/jira/browse/SECURITY-278?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12433231#action_12433231 ] 

Anil Saldhana commented on SECURITY-278:
----------------------------------------

There are two options:
1)   You can get the LoginException from  org.jboss.security.SecurityAssociation.getContextInfo(""org.jboss.security.exception")  right after you have done the auth.

2)  Since your login modules are generating the application specific exceptions,  you can have a threadlocal variable in a custom class such as:

public class ApplicationAuthStatus
{
   public static ThreadLocal<Exception> exception;
}

Now in your login module where you generate the custom exception,

   ApplicationAuthStatus.exception.put(LoginException);

In your application, you can do the following on the return of false from JaasSecurityManager

LoginException le = ApplicationAuthStatus.exception.get()

I would suggest approach 2.

> JaasSecurityManager should not "swallow" LoginExceptions thrown by LoginModules
> -------------------------------------------------------------------------------
>
>                 Key: SECURITY-278
>                 URL: https://jira.jboss.org/jira/browse/SECURITY-278
>             Project: JBoss Security and Identity Management
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>    Affects Versions: 2.0.2.GA
>         Environment: JBoss AS 4.2.2.GA
>            Reporter: egor kolesnikov
>            Assignee: Anil Saldhana
>
> http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/jboss/src/main/org/jboss/security/plugins/JaasSecurityManager.java?annotate=1091&pathrev=1091
> JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential) has the following block:
> try {
> // call login modules and authenticate
>  } catch (Exception ex) {
>     ex.printStackTrace();
>     return false;
> }
> Disregarding the fact that "ex.printStackTrace()" is a definitely bad code style, swallowing all exceptions violates the JAAS specifications regarding the fact that login modules could return false or throw LoginException if login attempt has failed (see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModule.html for details). This also affects Jboss SEAM framework which raises special event if LoginException has been thrown.
> Observed behavior:
> When LoginModule throws LoginException, JaasSecurityManager.authenticate() returns false without any additional checks.
> Expected behavior:
> When LoginModule throws LoginException, JaasSecurityManager should not catch (or should at least re-throw) it and allow the exception to reach the client code.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the jboss-jira mailing list