[jboss-jira] [JBoss JIRA] (SECURITY-859) Authentication failure due to a login module misconfiguration is not reported if principal is null
RH Bugzilla Integration (JIRA)
issues at jboss.org
Tue Dec 2 07:18:39 EST 2014
[ https://issues.jboss.org/browse/SECURITY-859?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13024382#comment-13024382 ]
RH Bugzilla Integration commented on SECURITY-859:
--------------------------------------------------
Ondrej Kotek <okotek at redhat.com> changed the Status of [bug 927064|https://bugzilla.redhat.com/show_bug.cgi?id=927064] from ON_QA to ASSIGNED
> Authentication failure due to a login module misconfiguration is not reported if principal is null
> --------------------------------------------------------------------------------------------------
>
> Key: SECURITY-859
> URL: https://issues.jboss.org/browse/SECURITY-859
> Project: PicketBox
> Issue Type: Bug
> Components: PicketBox
> Affects Versions: PicketBox_4_0_21.Beta2, PicketBox_4_0_19.SP5
> Reporter: Ivo Studensky
> Assignee: Peter Skopek
> Fix For: PicketBox_4_1_0.Beta1, PicketBox_4_9_0.Beta3
>
>
> Any misconfiguration of a login module leading to authentication failure used to be reported at trace level for anonymous user (principal == null) until SECURITY-660. Right now it is reported at debug level, but only if principal != null.
> I am going to propose a fix to report the cause of such a failure at debug level despite the principal value. So that customers can see for example "javax.security.auth.login.LoginException: unable to find LoginModule class: ..." in their logs instead of "PBOX000016: Access denied" only.
--
This message was sent by Atlassian JIRA
(v6.3.8#6338)
More information about the jboss-jira
mailing list