[jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-2165) Authenticator method invoked twice when login fails

Tue Nov 6 02:34:54 EST 2007

     [ http://jira.jboss.com/jira/browse/JBSEAM-2165?page=all ]

Shane Bryzak closed JBSEAM-2165.
--------------------------------

    Resolution: Done

Fixed in CVS.

> Authenticator method invoked twice when login fails
> ---------------------------------------------------
>
>                 Key: JBSEAM-2165
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2165
>             Project: JBoss Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.0.0.CR3
>            Reporter: Yannick Lazzari
>         Assigned To: Shane Bryzak
>            Priority: Minor
>             Fix For: 2.0.1.GA
>
>
> The default behaviour of the isLoggedIn method in the Identity class is to pass the attemptLogin flag to true. Because of that, when authentication fails, it always calls the authenticator method twice. See the code of the authenticate() method below:
> public void authenticate() 
>       throws LoginException
>    {
>       // If we're already authenticated, then don't authenticate again
>       if (!isLoggedIn())
>       {
>          authenticate( getLoginContext() );
>       }
>    }
>    
>  public boolean isLoggedIn(boolean attemptLogin)
>    {
>       if (!authenticating && attemptLogin && getPrincipal() == null && isCredentialsSet() &&
>           Contexts.isEventContextActive() &&
>           !Contexts.getEventContext().isSet(LOGIN_TRIED))
>       {
>          Contexts.getEventContext().set(LOGIN_TRIED, true);
>          quietLogin();
>       }     
>       
>       // If there is a principal set, then the user is logged in.
>       return getPrincipal() != null;
>    }      
>    
> public void authenticate(LoginContext loginContext) 
>       throws LoginException
>    {
>       try
>       {
>          authenticating = true;
>          preAuthenticate();
>          loginContext.login();
>          postAuthenticate();         
>       }
>       finally
>       {
>          authenticating = false;
>       }
>    }   
> 	
> The first reference to isLoggedIn tries to log the user. When it fails, it goes in the if block and tries to authenticate the user for a second time before failing again. I could fix this on my end by overriding the isLoggedIn() method in my own Identity component and passing the attemptLogin flag to false. Before doing so, I thought that perhaps a fix could be done at a higher level, i.e. in the Identity class of Seam itself. The way I see it, 2 things could be done:
> 1. In the authenticate() method, invoke the isLoggedIn method with false.
> 2. Look into the management of the authenticating class member; there might be something wrong. It's only set to true at the beginning of the authenticate(LoginContext) method. If you look at the logic in the isLoggedIn(boolean) method, when it winds up being invoked at the beginning of the authenticate(), the authenticating flag is false, the attemptLogin flag is true, I don't have a principal yet (I'm trying to login for the first time) and my credentials are set (the user just provided his username and password). 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira