Torsten Mielke created KARAF-3373:
-------------------------------------

             Summary: Log lower level root cause exception in LDAPLoginModule
                 Key: KARAF-3373
                 URL: https://issues.apache.org/jira/browse/KARAF-3373
             Project: Karaf
          Issue Type: Improvement
          Components: karaf-security
    Affects Versions: cave-3.0.0
         Environment: LDAP based JAAS login module
            Reporter: Torsten Mielke


Method org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin() catches any 
exception and raises a new LoginException:

{code:title=LDAPLoginModule.java}
} catch (Exception e) {
  throw new LoginException("Can't connect to the LDAP server: " + e.getMessage());
} finally {
  ...
}
{code}

However, in case something is wrong with the LDAP configuration (e.g. wrong SSL 
certificates), the root cause will be lost, as e.getMessage() only returns a 
fairly generic message, like

{code}
Can't connect to the LDAP server: simple bind failed: localhost:10636
{code}

whereas the root cause really is 

{code}
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
{code}

We should somehow ensure this root cause is getting logged as well. 
Unfortunately the call stack to calling LDAPLoginModule.doLogin() includes the 
javax.security.auth.login.LoginContext which completely swallows the original 
LoginException raised in doLogin(). It only re-raises a very generic 
LoginException with the message:

{code}
javax.security.auth.login.FailedLoginException: User doesn't exist
{code} 

The original exception message is lost. 

So there is no point in wrapping the root cause exception message in the 
LoginException to be thrown by LDAPLoginModule.doLogin(). 
Instead, I suggest logging the root cause in doLogin() as a warning, as in the 
attached patch. 




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
