Hi,

I have written a custom authentication module for use with JRun which
accesses an existing database of user information. This generally works
OK, but there seems to be a problem with failed authentication. If the
authentication fails because of a wrong password, user not existing
etc, and I return null for the java.lang.Principal object, the
container appears to resend the request ad infinitum, resulting in an
infinite loop of calls.

It seems to occur during the attempt to forward to the login failure
page as specified in the web.xml file (note that this isn't protected
by any security constraints).

  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>default</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/loginFailed.jsp</form-error-page>
    </form-login-config>
  </login-config>

The end result is:

08/18 13:45:50 debug (JRun) getResourceURL(/loginFailed.jsp): H:\ebeer2\webapp\loginFailed.jsp
08/18 13:45:58 debug (JRun) HttpServletResponse.sendError(500,<PRE>
<B>/ebeer/j_security_check:</B>

javax.servlet.ServletException: null
java.lang.StackOverflowError
        at allaire.jrun.util.MultiKeyContainer.get(MultiKeyContainer.java:65)
        at allaire.jrun.servlet.JRunRequest.getParameter(JRunRequest.java:224)
        at allaire.jrun.servlet.ForwardRequest.getParameter(ForwardRequest.java:186)
        at allaire.jrun.servlet.ForwardRequest.getParameter(ForwardRequest.java:186)
        at allaire.jrun.servlet.ForwardRequest.getParameter(ForwardRequest.java:186)
        at allaire.jrun.servlet.ForwardRequest.getParameter(ForwardRequest.java:186)
        at allaire.jrun.servlet.ForwardRequest.getParameter(ForwardRequest.java:186)
        at allaire.jrun.servlet.ForwardRequest.getParameter(ForwardRequest.java:186)
        at allaire.jrun.servlet.ForwardRequest.getParameter(ForwardRequest.java:186)


and I have a corresponding list of failed authentication requests in
the tracing from my JRun authentication module:

Authentication request for buyer
Authentication Failed: Incorrect password for user buyer
Authentication request for buyer
Authentication Failed: Incorrect password for user buyer
Authentication request for buyer
Authentication Failed: Incorrect password for user buyer
Authentication request for buyer

etc.

Does anyone know if this is connected with the form authentication bug
that is said to be fixed in the forthcoming service pack, or if it's
something else I'm missing?

cheers,

Luke.


-- 
 Luke Taylor.
 PGP Key ID: 0x57E9523C