[jboss-jira] [JBoss JIRA] (SECURITY-703) Picketbox logs an ERROR on each failed login
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Thu Oct 18 09:57:01 EDT 2012
[ https://issues.jboss.org/browse/SECURITY-703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anil Saldhana reassigned SECURITY-703:
--------------------------------------
Assignee: Stefan Guilhen (was: Anil Saldhana)
Maybe we should not log *stack trace* on failed login at ERROR. But have the stack trace on TRACE level. We should certainly log failed login with a message.
> Picketbox logs an ERROR on each failed login
> --------------------------------------------
>
> Key: SECURITY-703
> URL: https://issues.jboss.org/browse/SECURITY-703
> Project: PicketBox
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Reporter: Thomas Heute
> Assignee: Stefan Guilhen
> Priority: Critical
>
> Picketbox logs an ERROR with a stacktrace on each failed login:
> See:
>     catch (LoginException e)
>     {
>         // Don't log anonymous user failures unless trace level logging is on
>         if (principal != null && principal.getName() != null)
>             PicketBoxLogger.LOGGER.errorDuringLogin(e);
>         authException = e;
>     }
> 09:57:30,100 ERROR [org.jboss.security] (http-/127.0.0.1:8080-6) PBOX000206: Login failure: javax.security.auth.login.LoginException: Login failed for
> at org.exoplatform.services.security.jaas.DefaultLoginModule.login(DefaultLoginModule.java:136) [exo.core.component.security.core-2.5.0-CR1.jar:2.5.0-CR1]
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_25]
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_25]
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_25]
> at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_25]
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [rt.jar:1.6.0_25]
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_25]
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_25]
> at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_25]
> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_25]
> at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_25]
> at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:408) [picketbox-infinispan-4.0.13.Final-redhat-1.jar:4.0.13.Final-redhat-1]
> in http://anonsvn.jboss.org/repos/picketbox/tags/4.0.14.Final/picketbox-infinispan/src/main/java/org/jboss/security/authentication/JBossCachedAuthenticationManager.java
> Failed logins are expected from users and shouldn't be logged. This will seriously pollute EPP 6 logs.
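One way to restructure the quoted catch block along the lines of the comment above (message always, stack trace only at trace level), as an added example that is not PicketBox code: it uses java.util.logging in place of PicketBoxLogger so it runs stand-alone, and the WARNING level and FINEST (the JUL analog of TRACE) are this example's assumptions, not the project's.

```java
import java.security.Principal;
import java.util.logging.ConsoleHandler;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.LoginException;

// Illustrative stand-in for the catch block quoted in the issue (not PicketBox code).
public class LoginFailureLogging {
    private static final Logger LOGGER = Logger.getLogger("org.jboss.security");

    // Records a failed login as one line at WARNING (level chosen as an assumption)
    // and attaches the stack trace only when FINEST is enabled, so routine
    // bad-password attempts produce a single audit line instead of a trace.
    public static void onLoginFailure(Principal principal, LoginException e) {
        // Keep the original behaviour of skipping anonymous failures.
        if (principal == null || principal.getName() == null) {
            return;
        }
        // Always record who failed and why: this is the audit signal.
        LOGGER.log(Level.WARNING, "Login failure for user " + principal.getName()
                + ": " + e.getMessage());
        // Passing the Throwable makes JUL print the full trace, but only at FINEST.
        if (LOGGER.isLoggable(Level.FINEST)) {
            LOGGER.log(Level.FINEST, "Login failure detail for user "
                    + principal.getName(), e);
        }
    }

    public static void main(String[] args) {
        // Route everything to the console so the FINEST output is visible.
        Handler console = new ConsoleHandler();
        console.setLevel(Level.ALL);
        LOGGER.addHandler(console);
        LOGGER.setUseParentHandlers(false);

        Principal user = () -> "alice";   // constructed sample principal
        LoginException failure = new LoginException("Login failed for alice");

        // Default level: a single WARNING line, no stack trace.
        onLoginFailure(user, failure);
        // With trace-level logging enabled the same failure also prints the trace.
        LOGGER.setLevel(Level.FINEST);
        onLoginFailure(user, failure);
    }
}
```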