[jboss-jira] [JBoss JIRA] (SECURITY-703) Picketbox logs an ERROR on each failed login

Thomas Heute (JIRA) jira-events at lists.jboss.org
Thu Oct 18 04:55:02 EDT 2012


Thomas Heute created SECURITY-703:
-------------------------------------

             Summary: Picketbox logs an ERROR on each failed login
                 Key: SECURITY-703
                 URL: https://issues.jboss.org/browse/SECURITY-703
             Project: PicketBox 
          Issue Type: Bug
      Security Level: Public (Everyone can see)
            Reporter: Thomas Heute
            Assignee: Anil Saldhana
            Priority: Critical



Picketbox logs an ERROR with a stack trace on each failed login:

See:

catch (LoginException e)
{
   // Don't log anonymous user failures unless trace level logging is on
   if (principal != null && principal.getName() != null)
      PicketBoxLogger.LOGGER.errorDuringLogin(e);
   authException = e;
}



09:57:30,100 ERROR [org.jboss.security] (http-/127.0.0.1:8080-6) PBOX000206: Login failure: javax.security.auth.login.LoginException: Login failed for 
	at org.exoplatform.services.security.jaas.DefaultLoginModule.login(DefaultLoginModule.java:136) [exo.core.component.security.core-2.5.0-CR1.jar:2.5.0-CR1]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_25]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_25]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_25]
	at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_25]
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_25]
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_25]
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_25]
	at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_25]
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_25]
	at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_25]
	at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.13.Final-redhat-1.jar:4.0.13.Final-redhat-1]


in http://anonsvn.jboss.org/repos/picketbox/tags/4.0.14.Final/picketbox-infinispan/src/main/java/org/jboss/security/authentication/JBossCachedAuthenticationManager.java

Failed logins are expected from users and shouldn't be logged. This will seriously pollute EPP 6 logs.


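As an added example, not code from PicketBox or from the reporter, the class below contrasts the behaviour the report describes (an ERROR with a full stack trace for every wrong password) with a variant that emits one line per failure at a level operators can route or filter, attaching the exception only when debug-level logging is enabled. The `authenticate` stand-in, the `loginNoisy`/`loginQuiet` method names, the logger name and the sample user and address are assumptions for illustration; the real code path is `PicketBoxLogger.LOGGER.errorDuringLogin(e)` in `JBossCachedAuthenticationManager`. Note that the quiet variant still records the failure: repeated failures for one account or from one address are exactly what brute-force detection keys on, so the point is to drop the stack trace and the ERROR level, not the event.

```java
import java.util.Arrays;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.LoginException;

public class LoginFailureLogging {

    // Logger name chosen to mirror the category seen in the report; an assumption.
    private static final Logger LOG = Logger.getLogger("org.jboss.security");

    // Constructed stand-in for a JAAS login: accepts one demo password. Not a real LoginModule.
    static boolean authenticate(String user, char[] password) throws LoginException {
        if (user == null || user.isEmpty()) {
            throw new LoginException("Login failed for anonymous user");
        }
        if (!Arrays.equals(password, "correct-horse".toCharArray())) {
            // Never put the supplied credential into the message; it ends up in the log.
            throw new LoginException("Login failed for " + user);
        }
        return true;
    }

    // Pattern described in the report: every named-user failure is an ERROR with a stack trace.
    static boolean loginNoisy(String user, char[] password) {
        try {
            return authenticate(user, password);
        } catch (LoginException e) {
            if (user != null && !user.isEmpty()) {
                // SEVERE plus the throwable: multi-line stack trace on each wrong password.
                LOG.log(Level.SEVERE, "Login failure", e);
            }
            return false;
        }
    }

    // Alternative: a single INFO line carrying user, remote address and reason, and the
    // exception only when the logger is at FINE or below. Anonymous failures stay silent,
    // which is what the comment in the original catch block says was intended.
    static boolean loginQuiet(String user, char[] password, String remoteAddr) {
        try {
            return authenticate(user, password);
        } catch (LoginException e) {
            if (user != null && !user.isEmpty()) {
                LOG.log(Level.INFO, "Login failure: user={0} remote={1} reason={2}",
                        new Object[] {user, remoteAddr, e.getMessage()});
                if (LOG.isLoggable(Level.FINE)) {
                    LOG.log(Level.FINE, "Login failure detail", e);
                }
            }
            return false;
        }
    }

    public static void main(String[] args) {
        char[] wrong = "wrong".toCharArray();
        loginNoisy("alice", wrong);                // SEVERE with stack trace
        loginQuiet("alice", wrong, "127.0.0.1");   // one INFO line, no stack trace
        loginQuiet("", wrong, "127.0.0.1");        // anonymous: nothing logged
        Arrays.fill(wrong, '\0');
    }
}
```

Run with `java LoginFailureLogging.java` (JDK 11 or later) and compare the two outputs; raising the logger to `FINE` in `logging.properties` brings the stack trace back for the quiet variant without changing application code.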