- Bug
- Resolution: Won't Do
- Major
- JBossSecurity_2.0.2.GA
- JBoss AS 4.2.2.GA
JaasSecurityManager.authenticate(String beanName, Principal principal, Object credential) has the following block:

    try
    {
        // call login modules and authenticate
    }
    catch (Exception ex)
    {
        ex.printStackTrace();
        return false;
    }
Disregarding the fact that "ex.printStackTrace()" is definitely bad code style, swallowing all exceptions violates the JAAS specification, under which a login module may either return false or throw a LoginException when a login attempt has failed (see http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/spi/LoginModule.html for details). This also affects the JBoss Seam framework, which raises a special event when a LoginException has been thrown.
Observed behavior:
When a LoginModule throws a LoginException, JaasSecurityManager.authenticate() returns false without any additional checks, so the caller cannot tell a thrown LoginException apart from a plain failed login.
Expected behavior:
When a LoginModule throws a LoginException, JaasSecurityManager should not catch it (or should at least re-throw it), so that the exception reaches the client code.
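The two behaviours side by side, as an added example that is not JBoss code: a constructed stub LoginModule wired through a programmatic JAAS Configuration, a wrapper that swallows every exception the way the report describes, and a wrapper that lets the LoginException propagate so the caller can react to its subtype (the class and account names are made up for the demonstration).

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class AuthenticateDemo {

    /** Constructed stub: throws a specific LoginException subtype per account state. */
    public static class StubModule implements LoginModule {
        private Map<String, ?> opts;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> o) { opts = o; }
        public boolean login() throws LoginException {
            String user = (String) opts.get("user");
            if ("locked".equals(user)) throw new AccountLockedException("account locked");
            if ("alice".equals(user) && "secret".equals(opts.get("pass"))) return true;
            throw new FailedLoginException("bad credentials");
        }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { return true; }
    }

    /** Programmatic JAAS Configuration that wires StubModule as REQUIRED with the given credentials. */
    static Configuration config(String user, String pass) {
        Map<String, String> o = new HashMap<>();
        o.put("user", user); o.put("pass", pass);
        AppConfigurationEntry e = new AppConfigurationEntry(StubModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, o);
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return new AppConfigurationEntry[] { e }; }
        };
    }

    /** The reported pattern: every failure collapses to "false" and the cause is lost. */
    static boolean authenticateSwallowing(String user, String pass) {
        try { new LoginContext("demo", new Subject(), null, config(user, pass)).login(); return true; }
        catch (Exception ex) { return false; }
    }

    /** Expected behaviour: the LoginException reaches the caller, which can distinguish subtypes. */
    static boolean authenticate(String user, String pass) throws LoginException {
        new LoginContext("demo", new Subject(), null, config(user, pass)).login();
        return true;
    }

    public static void main(String[] args) {
        System.out.println(authenticateSwallowing("locked", "x"));   // false: same as a wrong password
        try { authenticate("locked", "x"); }
        catch (AccountLockedException ex) { System.out.println("locked: " + ex.getMessage()); }
        catch (LoginException ex)         { System.out.println("failed: " + ex.getMessage()); }
    }
}
```

Note that in JAAS a login() that returns false means "ignore this module", and LoginContext itself turns an all-ignored stack into a LoginException, so a wrapper that swallows exceptions hides that case too.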