Type: Bug
Resolution: Done
Priority: Major
Affects Version/s: JBossAS-4.0.3 Final, JBossAS-4.0.3 SP1
BasicAuthValve is described here: http://wiki.jboss.org/wiki/Wiki.jsp?page=BasicAuthValve
This valve will return incorrect messages and exception headers for requests subsequent to an initial request which generated an error status.
I have been able to produce this behavior with combinations of 401 and 404 requests as well as 401 and 403 requests.
Here is an example series of requests that demonstrates the problem. The last request has a 404 error code with a "Password Incorrect/Password Required" message:
===================================================================
===================================================================
========request a non-existent resource with correct password - works correctly
jmoran@jmoran ~
$ wget -S --http-user=admin --http-passwd=admin http://localhost:8080/jmx-console/nothing.here
-13:25:03- http://localhost:8080/jmx-console/nothing.here
=> `nothing.here'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
HTTP/1.1 404 /jmx-console/nothing.here
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)/Tomcat-5.5
Content-Type: text/html;charset=utf-8
Content-Length: 1021
Date: Wed, 16 Nov 2005 18:25:03 GMT
Connection: keep-alive
13:25:03 ERROR 404: /jmx-console/nothing.here.
========request a non-existent resource with incorrect password - works correctly
jmoran@jmoran ~
$ wget -S --http-user=admin --http-passwd=bad http://localhost:8080/jmx-console/nothing.here
-13:25:22- http://localhost:8080/jmx-console/nothing.here
=> `nothing.here'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
HTTP/1.1 401 Password Incorrect/Password Required
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
WWW-Authenticate: Basic realm="JBoss JMX Console"
X-Exception: Password Incorrect/Password Required
Content-Type: text/html;charset=utf-8
Content-Length: 1056
Date: Wed, 16 Nov 2005 18:25:22 GMT
Connection: keep-alive
Authorization failed.
========request a non-existent resource with correct password again - works correctly
jmoran@jmoran ~
$ wget -S --http-user=admin --http-passwd=admin http://localhost:8080/jmx-console/nothing.here
-13:25:33- http://localhost:8080/jmx-console/nothing.here
=> `nothing.here'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
HTTP/1.1 404 /jmx-console/nothing.here
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)/Tomcat-5.5
Content-Type: text/html;charset=utf-8
Content-Length: 1021
Date: Wed, 16 Nov 2005 18:25:33 GMT
Connection: keep-alive
13:25:33 ERROR 404: /jmx-console/nothing.here.
========request a non-existent resource with correct password again - WRONG MESSAGE
jmoran@jmoran ~
$ wget -S --http-user=admin --http-passwd=admin http://localhost:8080/jmx-console/nothing.here
-13:25:59- http://localhost:8080/jmx-console/nothing.here
=> `nothing.here'
Resolving localhost... 127.0.0.1
Connecting to localhost|127.0.0.1|:8080... connected.
HTTP request sent, awaiting response...
HTTP/1.1 404 Password Incorrect/Password Required
Server: Apache-Coyote/1.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Wed, 31 Dec 1969 19:00:00 EST
X-Powered-By: Servlet 2.4; JBoss-4.0.3SP1 (build: CVSTag=JBoss_4_0_3_SP1 date=200510231054)/Tomcat-5.5
X-Exception: Password Incorrect/Password Required
Content-Type: text/html;charset=utf-8
Content-Length: 1054
Date: Wed, 16 Nov 2005 18:26:00 GMT
Connection: keep-alive
13:26:00 ERROR 404: Password Incorrect/Password Required.
===================================================================
===================================================================
Here is the BasicAuthValve trace logging for the above requests. Note that the trace for the last request shows a status of 404, but SecurityAssociationActions.getAuthException() returns a FailedLoginException??:
2005-11-16 13:25:03,254 TRACE [org.jboss.web.tomcat.security.BasicAuthValve] Status: 404SecurityAssociation.exception:
2005-11-16 13:25:22,632 TRACE [org.jboss.web.tomcat.security.BasicAuthValve] Status: 401SecurityAssociation.exception:
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:189)
at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:137)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:572)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:506)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:315)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:230)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
at org.jboss.web.tomcat.security.BasicAuthValve.invoke(BasicAuthValve.java:56)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)
2005-11-16 13:25:33,388 TRACE [org.jboss.web.tomcat.security.BasicAuthValve] Status: 404SecurityAssociation.exception:
2005-11-16 13:26:00,036 TRACE [org.jboss.web.tomcat.security.BasicAuthValve] Status: 404SecurityAssociation.exception:
javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:189)
at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:137)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:572)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:506)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:315)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:230)
at org.apache.catalina.authenticator.BasicAuthenticator.authenticate(BasicAuthenticator.java:181)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:446)
at org.jboss.web.tomcat.security.BasicAuthValve.invoke(BasicAuthValve.java:56)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:59)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:744)
at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
at java.lang.Thread.run(Thread.java:595)
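The trace above shows SecurityAssociation still holding the FailedLoginException from the 401 request when the later 404 is served on what is presumably the same pooled thread. The following Python model, added here and not part of the report or of JBoss, reproduces that pattern: a per-thread exception slot (threading.local, standing in for the ThreadLocal-backed SecurityAssociation) that the valve sets on a failed login and, in the buggy variant, never clears. That per-thread, never-cleared state is this example's assumption about the cause, not something the report states. The two-worker pool, user store, resource list and request-to-thread assignment are constructed; requests 1 and 3 go to thread 0 and requests 2 and 4 to thread 1, so request 4 reuses the thread that handled the bad password, matching the report's sequence. stale_exception_leaks() is the check a regression test would run: no non-401 response may carry an X-Exception header.

```python
"""Model of a stale per-thread login exception leaking into later responses.
Added example; server, user store, worker pool and requests are constructed."""
import queue
import threading
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the jmx-console realm and its resources.
USERS = {"admin": "admin"}
RESOURCES = {"/jmx-console/index.jsp"}
AUTH_FAIL_MSG = "Password Incorrect/Password Required"


@dataclass
class Response:
    status: int
    reason: str                 # HTTP reason phrase
    x_exception: Optional[str]  # X-Exception header value, if any


class SecurityAssociation:
    """Per-thread slot holding the last login failure (models the
    ThreadLocal-backed SecurityAssociation named in the trace log)."""
    _local = threading.local()

    @classmethod
    def set_exception(cls, msg: str) -> None:
        cls._local.exc = msg

    @classmethod
    def get_exception(cls) -> Optional[str]:
        return getattr(cls._local, "exc", None)

    @classmethod
    def clear(cls) -> None:
        cls._local.exc = None


def handle(path: str, user: str, password: str, clear_after_request: bool) -> Response:
    """Authenticate, then serve. With clear_after_request=False the failure
    stays in the thread's slot and decorates whatever this thread serves next
    (the reported behaviour); with True it is cleared before thread reuse."""
    try:
        if USERS.get(user) != password:
            SecurityAssociation.set_exception(AUTH_FAIL_MSG)
            return Response(401, AUTH_FAIL_MSG, AUTH_FAIL_MSG)
        status = 200 if path in RESOURCES else 404
        # Whatever exception the thread last recorded becomes the reason phrase
        # and X-Exception header; correct only if the slot was cleared.
        stale = SecurityAssociation.get_exception()
        reason = stale if stale else ("OK" if status == 200 else path)
        return Response(status, reason, stale)
    finally:
        if clear_after_request:
            SecurityAssociation.clear()


class Worker(threading.Thread):
    """Pooled server thread with its own inbox, so request-to-thread
    assignment is explicit and each run is deterministic."""
    def __init__(self, clear_after_request: bool):
        super().__init__(daemon=True)
        self.inbox: "queue.Queue" = queue.Queue()
        self.clear_after_request = clear_after_request
        self.start()

    def run(self) -> None:
        while True:
            item = self.inbox.get()
            if item is None:
                return
            path, user, password, done = item
            done.put(handle(path, user, password, self.clear_after_request))


def replay(clear_after_request: bool) -> List[Response]:
    """Replay the report's four requests over two pooled threads."""
    requests = [  # (thread, path, user, password); constructed to match the report
        (0, "/jmx-console/nothing.here", "admin", "admin"),
        (1, "/jmx-console/nothing.here", "admin", "bad"),
        (0, "/jmx-console/nothing.here", "admin", "admin"),
        (1, "/jmx-console/nothing.here", "admin", "admin"),
    ]
    workers = [Worker(clear_after_request) for _ in range(2)]
    results = []
    for tid, path, user, pw in requests:
        done: "queue.Queue" = queue.Queue()
        workers[tid].inbox.put((path, user, pw, done))
        results.append(done.get(timeout=5))
    for w in workers:
        w.inbox.put(None)
    return results


def stale_exception_leaks(responses: List[Response]) -> List[Response]:
    """Regression check: a non-401 response must never carry X-Exception."""
    return [r for r in responses if r.status != 401 and r.x_exception]


if __name__ == "__main__":
    for label, clear in (("buggy", False), ("fixed", True)):
        rs = replay(clear)
        print(label, [(r.status, r.reason) for r in rs],
              "leaks:", len(stale_exception_leaks(rs)))
```

Running it prints the buggy sequence 404, 401, 404, 404 with the fourth response carrying "Password Incorrect/Password Required" as reason and X-Exception, exactly as in the last wget capture, and the fixed sequence with the fourth response reporting the path. The fix in the model is the clear() in the finally block, which runs on every path out of the valve, including exceptions, so the slot cannot outlive the request that filled it.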