[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2165) Authenticator method invoked twice when login fails

Shane Bryzak (JIRA) jira-events at lists.jboss.org
Tue Feb 5 19:42:04 EST 2008


    [ http://jira.jboss.com/jira/browse/JBSEAM-2165?page=comments#action_12398380 ] 
            
Shane Bryzak commented on JBSEAM-2165:
--------------------------------------

As a note for anyone reading this issue - even after this fix was applied (this was a valid issue) there is still no guarantee about how many times the authenticator method will be invoked during a single request.  See the security chapter of the Seam ref docs for details.

> Authenticator method invoked twice when login fails
> ---------------------------------------------------
>
>                 Key: JBSEAM-2165
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2165
>             Project: JBoss Seam
>          Issue Type: Bug
>          Components: Security
>    Affects Versions: 2.0.0.CR3
>            Reporter: Yannick Lazzari
>         Assigned To: Shane Bryzak
>            Priority: Minor
>             Fix For: 2.0.1.CR1
>
>
> The default behaviour of the isLoggedIn method in the Identity class is to pass the attemptLogin flag as true. Because of that, when authentication fails, it always calls the authenticator method twice. See the code of the authenticate() method below:
>    public void authenticate()
>       throws LoginException
>    {
>       // If we're already authenticated, then don't authenticate again.
>       // isLoggedIn() delegates to isLoggedIn(true), so this check may itself
>       // run a quiet login before the explicit one below.
>       if (!isLoggedIn())
>       {
>          authenticate( getLoginContext() );
>       }
>    }
>
>    public boolean isLoggedIn(boolean attemptLogin)
>    {
>       // Try a quiet login at most once per event context, and only when
>       // credentials are present and no login is already in progress.
>       if (!authenticating && attemptLogin && getPrincipal() == null && isCredentialsSet() &&
>           Contexts.isEventContextActive() &&
>           !Contexts.getEventContext().isSet(LOGIN_TRIED))
>       {
>          Contexts.getEventContext().set(LOGIN_TRIED, true);
>          quietLogin();
>       }
>
>       // If there is a principal set, then the user is logged in.
>       return getPrincipal() != null;
>    }
>
>    public void authenticate(LoginContext loginContext)
>       throws LoginException
>    {
>       try
>       {
>          // authenticate() checks isLoggedIn() before this flag is set, so the
>          // quiet login inside isLoggedIn() is not suppressed by it.
>          authenticating = true;
>          preAuthenticate();
>          loginContext.login();
>          postAuthenticate();
>       }
>       finally
>       {
>          authenticating = false;
>       }
>    }
>
> The first reference to isLoggedIn tries to log the user in. When it fails, it goes into the if block and tries to authenticate the user a second time before failing again. I could fix this on my end by overriding the isLoggedIn() method in my own Identity component and passing the attemptLogin flag as false. Before doing so, I thought that perhaps a fix could be done at a higher level, i.e. in the Identity class of Seam itself. The way I see it, two things could be done:
> 1. In the authenticate() method, invoke the isLoggedIn method with false.
> 2. Look into the management of the authenticating class member; there might be something wrong. It's only set to true at the beginning of the authenticate(LoginContext) method. If you look at the logic in the isLoggedIn(boolean) method, when it winds up being invoked at the beginning of the authenticate(), the authenticating flag is false, the attemptLogin flag is true, I don't have a principal yet (I'm trying to login for the first time) and my credentials are set (the user just provided his username and password). 

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
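The double invocation described in the issue, as an added example that is not part of the original report or of Seam itself. It is a constructed model of the control flow in the quoted snippets: the JAAS LoginContext, the event context and the LOGIN_TRIED flag are replaced by plain fields, the application's authenticator method is a BiPredicate, and a counter records how often it runs. Class and method names (DoubleAuthenticateDemo, authenticatorCalls, login) and the sample credentials are assumptions made for the example; the constructor flag switches between the reported behaviour (authenticate() calling isLoggedIn(true)) and the reporter's proposed fix 1 (calling isLoggedIn(false)).

```java
import java.util.function.BiPredicate;

/**
 * Constructed model of the control flow quoted in JBSEAM-2165.
 * This is NOT Seam's Identity class: the JAAS LoginContext, the event
 * context and the LOGIN_TRIED flag are replaced by plain fields so that
 * the number of authenticator invocations can be observed directly.
 */
public class DoubleAuthenticateDemo {

    static class LoginException extends Exception {
        LoginException(String message) { super(message); }
    }

    /** Stand-in for the Identity state discussed in the issue (hypothetical names). */
    static class Identity {
        private final BiPredicate<String, String> authenticator; // the app's authenticator method
        private final boolean attemptLoginFromAuthenticate;       // true = reported behaviour, false = proposed fix 1
        private String username;
        private String password;
        private String principal;          // non-null once logged in
        private boolean authenticating;    // mirrors the 'authenticating' member
        private boolean loginTried;        // mirrors the LOGIN_TRIED event-context flag
        int authenticatorCalls;            // how often the authenticator ran during this "request"

        Identity(BiPredicate<String, String> authenticator, boolean attemptLoginFromAuthenticate) {
            this.authenticator = authenticator;
            this.attemptLoginFromAuthenticate = attemptLoginFromAuthenticate;
        }

        void setCredentials(String username, String password) {
            this.username = username;
            this.password = password;
        }

        boolean isCredentialsSet() { return username != null && password != null; }

        /** One-arg form defaults attemptLogin to true, as in the quoted code. */
        boolean isLoggedIn() { return isLoggedIn(true); }

        boolean isLoggedIn(boolean attemptLogin) {
            if (!authenticating && attemptLogin && principal == null && isCredentialsSet() && !loginTried) {
                loginTried = true;
                quietLogin();                      // first authenticator call when the login fails
            }
            return principal != null;
        }

        void quietLogin() {
            try {
                login();
            } catch (LoginException ignored) {
                // "quiet": the failure is swallowed, so authenticate() sees no principal
            }
        }

        void authenticate() throws LoginException {
            if (!isLoggedIn(attemptLoginFromAuthenticate)) {
                login();                           // second authenticator call when the login fails
            }
        }

        /** Plays the role of authenticate(LoginContext): runs the authenticator exactly once. */
        private void login() throws LoginException {
            try {
                authenticating = true;
                authenticatorCalls++;
                if (authenticator.test(username, password)) {
                    principal = username;
                } else {
                    throw new LoginException("authentication failed for " + username);
                }
            } finally {
                authenticating = false;
            }
        }
    }

    /** Runs one login attempt and returns how many times the authenticator was invoked. */
    static int authenticatorCalls(String password, boolean attemptLoginFromAuthenticate) {
        // Constructed sample authenticator and credentials; "correct-horse" is the only valid password.
        Identity identity = new Identity((user, pass) -> "correct-horse".equals(pass), attemptLoginFromAuthenticate);
        identity.setCredentials("alice", password);
        try {
            identity.authenticate();
        } catch (LoginException expected) {
            // a failed login surfaces here, exactly as in the reported scenario
        }
        return identity.authenticatorCalls;
    }

    public static void main(String[] args) {
        System.out.println("failed login, authenticate() uses isLoggedIn(true):  "
                + authenticatorCalls("wrong", true) + " authenticator call(s)");
        System.out.println("failed login, authenticate() uses isLoggedIn(false): "
                + authenticatorCalls("wrong", false) + " authenticator call(s)");
        System.out.println("successful login, authenticate() uses isLoggedIn(true): "
                + authenticatorCalls("correct-horse", true) + " authenticator call(s)");
    }
}
```

Compile and run with javac/java (Java 8 or later). With the reported behaviour the counter shows two authenticator calls for a failed login and one for a successful login, because the quiet login inside isLoggedIn(true) already sets the principal on success; with the proposed fix the counter shows one call in both cases. The practical consequence for an authenticator implementation follows from Shane's note above: the method must tolerate being invoked more than once per request, so anything it does per call, such as incrementing a failed-attempt counter or writing an audit record, should be keyed on the request rather than on the invocation.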

        



More information about the seam-issues mailing list