[jboss-jira] [JBoss JIRA] (JBAS-9203) EJBAccessException doesn't contain my LoginException thrown in a custom LoginModule (login-Method)

Darran Lofthouse (JIRA) jira-events at lists.jboss.org
Wed Nov 14 07:53:19 EST 2012


    [ https://issues.jboss.org/browse/JBAS-9203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12734079#comment-12734079 ] 

Darran Lofthouse commented on JBAS-9203:
----------------------------------------

So, in other words, the attacker now knows whether they should stick with the username they are using and just try different passwords, or whether they have an invalid username and should try to find a valid username before concentrating on the password.
                
> EJBAccessException doesn't contain my LoginException thrown in a custom LoginModule (login-Method)
> --------------------------------------------------------------------------------------------------
>
>                 Key: JBAS-9203
>                 URL: https://issues.jboss.org/browse/JBAS-9203
>             Project: Application Server 3  4  5 and 6
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Security
>    Affects Versions: 6.0.0.Final
>            Reporter: Felix Ullrich
>            Assignee: Anil Saldhana
>         Attachments: Ejb3AuthenticationInterceptorv2.java
>
>
> This problem was already mentioned here [http://community.jboss.org/message/114379] and ignored here [https://issues.jboss.org/browse/JBAS-7324].
> A thrown LoginException in a custom LoginModule is not correctly wrapped into the javax.ejb.EJBAccessException on the client side. The cause of the EJBAccessException is just not set; it's null...
> The RemoteClient code looks like this:
> {code:title=RemoteClient.java|borderStyle=solid}
> try {
>   ejb.someMethod();
> } catch (final EJBAccessException e) {
>   e.printStackTrace();
>   throw e.getCause();
> }
> {code}
> and the Stacktrace:
> {code}
> javax.ejb.EJBAccessException: Invalid User
> 	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:161)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.stateful.StatefulContainer.dynamicInvoke(StatefulContainer.java:603)
> 	at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
> 	at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
> 	at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
> 	at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:898)
> 	at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:791)
> 	at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:744)
> 	at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:548)
> 	at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:234)
> 	at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:216)
> 	at org.jboss.remoting.Client.invoke(Client.java:1961)
> 	at org.jboss.remoting.Client.invoke(Client.java:804)
> 	at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:60)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:61)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.security.client.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:65)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:77)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:143)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
> 	at $Proxy8.invoke(Unknown Source)
> 	at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:185)
> 	at $Proxy7.findAll(Unknown Source)
> 	at RemoteClient.main(RemoteClient.java:22)
> 	at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:72)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:61)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.security.client.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:65)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:77)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:143)
> 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
> 	at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
> 	at $Proxy8.invoke(Unknown Source)
> 	at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:185)
> 	at $Proxy7.findAll(Unknown Source)
> 	at RemoteClient.main(RemoteClient.java:22)
> Exception in thread "main" java.lang.NullPointerException
> 	at RemoteClient.main(RemoteClient.java:25)
> {code}

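Added example (not code from the issue, the attachment, or JBoss AS) showing in plain Java why the comment above argues against propagating the LoginException to the remote caller: the leaky variant copies the LoginException message and attaches it as the cause, so a caller can distinguish "Invalid User" from a wrong password; the hardened variant sends one fixed message with no cause and keeps the distinction in the server log, where it is useful for detecting guessing attempts. It assumes a JDK-only `RemoteAccessException` stand-in for `javax.ejb.EJBAccessException` and a constructed in-memory user map; neither is part of the Ejb3AuthenticationInterceptorv2 implementation.

```java
import java.util.Map;
import java.util.logging.Logger;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class UniformAuthFailure {
    // Stand-in for javax.ejb.EJBAccessException so this compiles against the JDK alone (assumption).
    public static class RemoteAccessException extends RuntimeException {
        RemoteAccessException(String msg) { super(msg); }
    }
    private static final Logger LOG = Logger.getLogger("auth");
    // Constructed credential store for the demo only (plaintext just to keep the example short).
    private static final Map<String, String> USERS = Map.of("alice", "s3cret");

    // Models the custom LoginModule's login(): distinct failures are worth keeping for server-side audit.
    static void login(String user, String password) throws LoginException {
        String expected = USERS.get(user);
        if (expected == null) throw new FailedLoginException("Invalid User");
        if (!expected.equals(password)) throw new FailedLoginException("Invalid Password");
    }

    // Leaky variant: the message and the cause both reach the client, giving it a username oracle.
    static void invokeLeaky(String user, String password) {
        try { login(user, password); }
        catch (LoginException e) {
            RemoteAccessException ex = new RemoteAccessException(e.getMessage());
            ex.initCause(e);
            throw ex;
        }
    }

    // Hardened variant: one fixed message crosses the trust boundary; the detail stays in the log.
    static void invokeUniform(String user, String password) {
        try { login(user, password); }
        catch (LoginException e) {
            LOG.warning("login failed for '" + user + "': " + e.getMessage());
            throw new RemoteAccessException("Authentication failed");
        }
    }

    public static void main(String[] args) {
        for (String[] c : new String[][] {{"alice", "wrong"}, {"mallory", "wrong"}}) {
            try { invokeLeaky(c[0], c[1]); } catch (RemoteAccessException e) {
                System.out.println("leaky:   " + e.getMessage() + " / cause=" + e.getCause());
            }
            try { invokeUniform(c[0], c[1]); } catch (RemoteAccessException e) {
                System.out.println("uniform: " + e.getMessage() + " / cause=" + e.getCause());
            }
        }
    }
}
```

Running `main` shows the leaky variant emitting different text for the two inputs while the hardened variant emits the same "Authentication failed" with a null cause for both.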