[jboss-jira] [JBoss JIRA] (JBAS-9203) EJBAccessException doesn't contain my LoginException thrown in a custom LoginModule (login-Method)
Darran Lofthouse (JIRA)
jira-events at lists.jboss.org
Wed Nov 14 07:44:18 EST 2012
[ https://issues.jboss.org/browse/JBAS-9203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12734074#comment-12734074 ]
Darran Lofthouse commented on JBAS-9203:
----------------------------------------
What is the reason that the client needs this Exception? What you are asking for is a change that means a remote hacker is now provided with additional information as to why they could not authenticate, so now they can implement a more targeted attack against your server.
> EJBAccessException doesn't contain my LoginException thrown in a custom LoginModule (login-Method)
> -------------------------------------------------------------------------------------------------
>
> Key: JBAS-9203
> URL: https://issues.jboss.org/browse/JBAS-9203
> Project: Application Server 3 4 5 and 6
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: 6.0.0.Final
> Reporter: Felix Ullrich
> Assignee: Anil Saldhana
> Attachments: Ejb3AuthenticationInterceptorv2.java
>
>
> This problem was already mentioned here [http://community.jboss.org/message/114379] and ignored here [https://issues.jboss.org/browse/JBAS-7324].
> A thrown LoginException in a custom LoginModule is not correctly wrapped into the javax.ejb.EJBAccessException on the client side. The cause of the EJBAccessException is just not set; it's null...
> The RemoteClient code looks like this:
> {code:title=RemoteClient.java|borderStyle=solid}
> try {
>     ejb.someMethod();
> } catch (final EJBAccessException e) {
>     e.printStackTrace();
>     throw e.getCause();
> }
> {code}
> and the stack trace:
> {code}
> javax.ejb.EJBAccessException: Invalid User
> at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:161)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.stateful.StatefulContainer.dynamicInvoke(StatefulContainer.java:603)
> at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
> at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
> at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
> at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:898)
> at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:791)
> at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:744)
> at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:548)
> at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:234)
> at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:216)
> at org.jboss.remoting.Client.invoke(Client.java:1961)
> at org.jboss.remoting.Client.invoke(Client.java:804)
> at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:60)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:61)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.security.client.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:65)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:77)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:143)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
> at $Proxy8.invoke(Unknown Source)
> at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:185)
> at $Proxy7.findAll(Unknown Source)
> at RemoteClient.main(RemoteClient.java:22)
> at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:72)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:61)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.security.client.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:65)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:77)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:143)
> at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
> at $Proxy8.invoke(Unknown Source)
> at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:185)
> at $Proxy7.findAll(Unknown Source)
> at RemoteClient.main(RemoteClient.java:22)
> Exception in thread "main" java.lang.NullPointerException
> at RemoteClient.main(RemoteClient.java:25)
> {code}
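Darran's objection is about where the detail of a failed login should live, not whether it should exist. The following is an added illustration of one defender-side pattern; it is my example, not code from the JBoss tree or from the attached Ejb3AuthenticationInterceptorv2.java. The server logs the full LoginException under a correlation id, and the remote client receives an EJBAccessException with a generic message and no cause attached, so nothing about why the login failed crosses the wire while support can still find the event in the server log. All class, interface and method names (AuthFailureBoundary, Authenticator, toClientException, safeCause) are invented for this example, and it assumes only the JDK plus the javax.ejb API on the classpath. The small client-side helper also shows why `throw e.getCause()` in the reporter's snippet ends in a NullPointerException: a remote EJBAccessException can legitimately have a null cause.

```java
import java.util.UUID;
import java.util.concurrent.Callable;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ejb.EJBAccessException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

/**
 * Hypothetical server-side boundary between a JAAS login and a bean call.
 * All names here are invented for this example; it relies only on the JDK
 * and the javax.ejb API.
 */
public final class AuthFailureBoundary {
    private static final Logger LOG = Logger.getLogger(AuthFailureBoundary.class.getName());

    /** Stand-in for the container's authentication step (constructed for the example). */
    public interface Authenticator {
        void authenticate(String user, char[] password) throws LoginException;
    }

    private final Authenticator authenticator;

    public AuthFailureBoundary(Authenticator authenticator) {
        this.authenticator = authenticator;
    }

    /**
     * Builds the exception the remote client will see. The LoginException is logged
     * in full on the server under a correlation id but is NOT attached as the cause,
     * so the reason for the failure (unknown user, bad password, locked account...)
     * never leaves the server. The id lets an operator find the detailed log entry.
     */
    public static EJBAccessException toClientException(LoginException serverSide) {
        String correlationId = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "authentication failed [" + correlationId + "]", serverSide);
        return new EJBAccessException("Authentication failed (ref " + correlationId + ")");
    }

    /** Authenticates, then runs the bean call; login failures are translated before they leave. */
    public <T> T invoke(String user, char[] password, Callable<T> beanCall) throws Exception {
        try {
            authenticator.authenticate(user, password);
        } catch (LoginException e) {
            throw toClientException(e);
        }
        return beanCall.call();
    }

    /**
     * Client-side helper: getCause() on a remote EJBAccessException may be null,
     * so report the exception itself in that case instead of rethrowing null
     * (which is what produces the NullPointerException in the report's stack trace).
     */
    public static Throwable safeCause(EJBAccessException e) {
        return e.getCause() != null ? e.getCause() : e;
    }

    public static void main(String[] args) throws Exception {
        // Constructed authenticator that rejects everyone with a detailed, server-only reason.
        Authenticator denyAll = (user, password) -> {
            throw new FailedLoginException("user '" + user + "' not found in realm");
        };
        AuthFailureBoundary boundary = new AuthFailureBoundary(denyAll);
        try {
            boundary.invoke("alice", "wrong".toCharArray(), () -> "bean result");
        } catch (EJBAccessException e) {
            // What the remote caller sees: a generic message and no cause chain.
            System.out.println("client got: " + e.getMessage() + ", cause=" + e.getCause());
            Throwable toReport = safeCause(e);
            System.out.println("safe to report: " + toReport.getClass().getName());
        }
    }
}
```

The design choice is the split: the server keeps the specific LoginException (and its own stack) in its log, and only an opaque reference reaches the client. If a client genuinely needs to distinguish "try again" from "give up", that distinction should be a coarse, deliberately chosen status on the server side rather than the raw cause from the LoginModule.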