Hi there,
We've successfully set up a custom LoginModule for handling xmldsig logins
(using smart card readers).
However, in case of a LoginException we'd like to propagate the Exception from
the location where it is thrown (which would be in our LoginModule.login()
method) to the web user interface.
The communication way is as follows:
- The user is accessing a web page
- The user is redirected to the form-login-page of web.xml
- The FormAuthenticator.authenticate() method is invoked
- The LoginModule.login()-method is invoked
- LoginModule.login() -> throws LoginException("Sorry folk, the certificate has
been revoked");
- The FormAuthenticator gets the null-value for the principal and redirects to
form-error-page.
==> The LoginException never makes its way back to the Authenticator. As far as
I see, the exception is somehow masked inside the JBossSecurityMgrRealm - there
the principal is simply returned with a null value, and authentication errors
can only be noticed in TRACE mode.
===============================================
Snippet from org.jboss.web.tomcat.tc4.authenticator.FormAuthenticator
===============================================
    String username = hreq.getParameter(Constants.FORM_USERNAME);
    String password = hreq.getParameter(Constants.FORM_PASSWORD);
    if (debug >= 1)
        log("Authenticating username '" + username + "'");
    // realm.authenticate() answers only with a Principal or null; a LoginException
    // thrown inside the LoginModule is not visible at this point.
    principal = realm.authenticate(username, password);
    if (principal == null)
    {
        if (debug >= 1)
            log("Redirect to error page '" + errorURI + "'");
        hres.sendRedirect(hres.encodeRedirectURL(errorURI));
        return (false);
    }
===============================================
Snippet from org.jboss.web.tomcat.security.JBossSecurityMgrRealm
===============================================
    if (securityMgr.isValid(principal, passwordChars))
    {
        log.trace("User: " + username + " is authenticated");
        //.... removed
    }
    else
    {
        // Every failure collapses to a null principal; the reason only shows up
        // in the TRACE log.
        principal = null;
        if (trace)
            log.trace("User: " + username + " is NOT authenticated");
    }
Given the above way of communication, it seems quite hard to detect errors.
So far we've discussed the following options to trap the LoginException:
*) Perform a LoginModule.login() in the error-jsp page and trap the
LoginException ourselves (thus the whole login procedure will be done twice in
case of a login error).
*) Return a Principal with the LoginException data stored in an
Exception property. However, this could pose a security risk, as the user
would be authenticated as a Principal (with no roles).
Does anyone know of more delicate options available?
thx a lot
joe
View the original post :
http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3873737#3873737
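A worked example, added here and not taken from the post or from JBoss: a JAAS LoginModule in the shape of the poster's xmldsig module that records the reason for a failed login in a short-lived, bounded registry keyed by the attempted username, so the form-error-page can look the reason up without the request ever being handed a Principal (the risk the second option above runs into) and without running the whole login a second time (the first option). The LoginModule still throws its LoginException, so the FormAuthenticator/Realm path stays exactly as quoted. A ThreadLocal would not bridge the gap, because the error page is a separate request after the redirect; a keyed store does. The signature check (a REVOKED set), the registry TTL and size cap, the application name "xmldsig", the class and method names, and the in-memory Configuration are all assumptions made for the example.

```java
import java.security.Principal;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class LoginFailureExample {

    /** Short-lived, bounded store of failure reasons keyed by the attempted username.
     *  Assumed design for this example: the error page calls consume() with the
     *  username it obtained from a trusted place (e.g. a session attribute). */
    public static final class LoginFailureRegistry {
        private static final long TTL_MILLIS = 60_000L;   // assumption: reasons live one minute
        private static final int MAX_ENTRIES = 10_000;    // cap memory against hostile clients

        private static final class Entry {
            final String reason; final long expiresAt;
            Entry(String reason, long expiresAt) { this.reason = reason; this.expiresAt = expiresAt; }
        }
        private static final ConcurrentHashMap<String, Entry> FAILURES = new ConcurrentHashMap<>();

        public static void record(String username, String reason) {
            long now = System.currentTimeMillis();
            if (FAILURES.size() >= MAX_ENTRIES) {
                FAILURES.entrySet().removeIf(e -> e.getValue().expiresAt <= now);
                if (FAILURES.size() >= MAX_ENTRIES) return;   // full of live entries: drop, never grow
            }
            FAILURES.put(username, new Entry(reason, now + TTL_MILLIS));
        }

        /** Returns the reason once and forgets it; null if nothing was recorded or it expired. */
        public static String consume(String username) {
            Entry e = FAILURES.remove(username);
            return (e != null && e.expiresAt > System.currentTimeMillis()) ? e.reason : null;
        }
    }

    /** Stand-in for the poster's xmldsig LoginModule; the signature check is a constructed stub. */
    public static final class CertLoginModule implements LoginModule {
        static final Set<String> REVOKED = new HashSet<>(Arrays.asList("alice"));   // constructed test data
        private Subject subject;
        private CallbackHandler handler;
        private String username;
        private boolean succeeded;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("signature: ", false);
            try {
                handler.handle(new Callback[]{nc, pc});
            } catch (Exception e) {
                throw new LoginException("callback handler failed: " + e.getMessage());
            }
            username = nc.getName();
            char[] signature = pc.getPassword();   // the xmldsig blob travels in the password field
            pc.clearPassword();
            if (username == null || signature == null || signature.length == 0) fail("missing credentials");
            if (REVOKED.contains(username)) fail("certificate has been revoked");   // the case from the post
            succeeded = true;
            return true;
        }

        /** Record the reason for the error page, then fail the JAAS login as usual. */
        private void fail(String reason) throws LoginException {
            if (username != null) LoginFailureRegistry.record(username, reason);
            throw new FailedLoginException(reason);
        }

        @Override public boolean commit() {
            if (succeeded) { final String name = username; subject.getPrincipals().add((Principal) () -> name); }
            return succeeded;
        }
        @Override public boolean abort() { succeeded = false; username = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** In-memory JAAS configuration so the example runs without a login.config file. */
    static Configuration config() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry(
                        CertLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.<String, Object>emptyMap())};
            }
        };
    }

    /** One login attempt through LoginContext; here the exception message is visible. */
    public static String attempt(String user, String signature) {
        CallbackHandler h = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(signature.toCharArray());
            }
        };
        try {
            new LoginContext("xmldsig", new Subject(), h, config()).login();
            return "authenticated";
        } catch (LoginException e) {
            return "failed: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println(attempt("alice", "<Signature>...</Signature>"));
        System.out.println("error page lookup for alice: " + LoginFailureRegistry.consume("alice"));
        System.out.println("second lookup (already consumed): " + LoginFailureRegistry.consume("alice"));
        System.out.println(attempt("bob", "<Signature>...</Signature>"));
    }
}
```

Three checks belong with this pattern. The error page must take the username it passes to consume() from somewhere the client cannot forge on that request (a session attribute set by the form page's own code, not a query parameter), otherwise any client can read another user's failure reason. The reason strings should not distinguish "unknown user" from "bad signature" unless the site is happy to let clients enumerate accounts; "certificate has been revoked" is usually acceptable because the client already holds that certificate. The registry is per JVM, so in a cluster the error page has to land on the node that ran the LoginModule, or the store has to move out of process.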
_______________________________________________
JBoss-user mailing list
https://lists.sourceforge.net/lists/listinfo/jboss-user