Application Server 3, 4, 5 and 6
JBAS-4209

DatabaseServerLoginModule fails if no roles are found

    • Type: Feature Request
    • Resolution: Obsolete
    • Priority: Major
    • Fix Version: No Release
    • Affects Version: JBossAS-4.0.5.GA
    • Component: Security
    • Labels: None
    • Environment: JBoss 4.0.5.GA, JDK 1.6.0, Windows & Linux

    • Documentation (Ref Guide, User Guide, etc.), Compatibility/Configuration
    • Low

      I have a problem using the DatabaseServerLoginModule. Login fails during commit() if no roles are defined for a user. The relevant part is in Util.getRoleSets(...):

      rs = ps.executeQuery();
      if( rs.next() == false )
      {
          // The roles query returned no rows for this (already password-authenticated) user.
          if( trace )
              log.trace("No roles found");
          // Without a configured unauthenticatedIdentity, a missing Roles row fails the login.
          if( aslm.getUnauthenticatedIdentity() == null )
              throw new FailedLoginException("No matching username found in Roles");
          /* We are running with an unauthenticatedIdentity so create an
             empty Roles set and return.
          */
          Group[] roleSets = { new SimpleGroup("Roles") };
          return roleSets;
      }

      Why is an exception thrown if no roles are returned? At this point the user has authenticated himself. According to the JAAS contract (http://java.sun.com/javase/6/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#commit) an exception should be thrown if the method fails. In my opinion it is not a failure if no roles are assigned, so it should just return an empty role set.

      So I suggest to just remove the following lines:

      if( aslm.getUnauthenticatedIdentity() == null )
          throw new FailedLoginException("No matching username found in Roles");

      However, I admit that this might have a security impact on existing sites that rely on failed authentications if no roles are found, so it is probably too late to introduce this change. If it is changed, a prominent notice in the documentation would be necessary.

      Regards

      Felix
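The two policies under discussion side by side, as an added example that is not code from the issue or from JBoss: `buildRoles` is a constructed stand-in for the role-lookup step of Util.getRoleSets (a list of strings replaces the JDBC result set), and `isPermitted` is the authorization check that a deployment would have to rely on once an authenticated user may legitimately carry an empty Roles set.

```java
import javax.security.auth.login.FailedLoginException;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

public class RoleSetPolicyDemo {

    /**
     * Constructed model of the role-lookup step. roleRows stands for the rows the
     * Roles query returned; hasUnauthenticatedIdentity mirrors
     * aslm.getUnauthenticatedIdentity() != null; allowEmptyRoles selects the
     * behaviour proposed in the issue (empty Roles set instead of a failed login).
     */
    static Set<String> buildRoles(List<String> roleRows, boolean hasUnauthenticatedIdentity,
                                  boolean allowEmptyRoles) throws FailedLoginException {
        if (roleRows.isEmpty()) {
            // Shipped behaviour: a password-authenticated user with no Roles row is rejected
            // unless an unauthenticatedIdentity is configured.
            if (!allowEmptyRoles && !hasUnauthenticatedIdentity) {
                throw new FailedLoginException("No matching username found in Roles");
            }
            // Proposed behaviour (and the unauthenticatedIdentity path): authenticated, no roles.
            return Collections.emptySet();
        }
        return new LinkedHashSet<>(roleRows);
    }

    /** Role-based check: access only if the subject holds at least one required role. */
    static boolean isPermitted(Set<String> subjectRoles, Set<String> requiredRoles) {
        for (String role : subjectRoles) {
            if (requiredRoles.contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<String> noRows = Collections.emptyList();   // constructed: Roles query returned nothing
        Set<String> required = Set.of("admin");           // constructed: role guarding a resource
        try {
            buildRoles(noRows, false, false);
        } catch (FailedLoginException e) {
            System.out.println("shipped:  login rejected, " + e.getMessage());
        }
        Set<String> roles = buildRoles(noRows, false, true);
        System.out.println("proposed: login ok, roles=" + roles
                + ", admin resource permitted=" + isPermitted(roles, required));
    }
}
```

With the proposed change the login commits but the subject holds no roles, so every protected resource must be gated by a role constraint; a resource that grants access to any authenticated user is the one place where the two policies differ in effect.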

Assignee: Scott Stark (starksm64, inactive)
Reporter: fhh (fhh_jira, inactive)

Original Estimate: 1 hour
Remaining Estimate: 1 hour
Time Spent: Not Specified