Agreed, it should probably be turned down (or at least the stacktrace should be). Please submit a jira and/or pull request.
On Thu, Oct 6, 2016 at 10:53 AM, scSynergy <[email protected]> wrote:

> When using multiple realms for authentication and a user enters the wrong password the following stack trace is constantly logged:
>
> WARN [org.apache.shiro.authc.pam.ModularRealmAuthenticator] (default task-4) Realm [de.scsynergy.elementary.qi.shiro.CamelRealm@38364d8] threw an exception during a multi-realm authentication attempt:: org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - camelRealm, rememberMe=false (127.0.0.1)] did not match the expected credentials.
>     at org.apache.shiro.realm.AuthenticatingRealm.assertCredentialsMatch(AuthenticatingRealm.java:600)
>     at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:578)
>     at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219)
>     at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269)
>     at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198)
>     at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106)
>     at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270)
>     at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256)
>     at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53)
>     at org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter.onAccessDenied(BasicHttpAuthenticationFilter.java:190)
>     at org.apache.shiro.web.filter.AccessControlFilter.onAccessDenied(AccessControlFilter.java:133)
>     at org.apache.shiro.web.filter.AccessControlFilter.onPreHandle(AccessControlFilter.java:162)
>     at org.apache.shiro.web.filter.PathMatchingFilter.isFilterChainContinued(PathMatchingFilter.java:203)
>     at org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:178)
>     at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)
>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     at org.apache.shiro.web.servlet.AdviceFilter.executeChain(AdviceFilter.java:108)
>     at org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:137)
>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     at org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>     at org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>     at org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>     at org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>     at org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>     at org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:383)
>     at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>     at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at java.lang.Thread.run(Thread.java:745)
>
> Question: Why is a wrong password logged when using *more than 1 realm* in contrast to using *just 1 realm*?
> Does anybody have any idea why anyone would want this behavior?
>
> It is caused by the lines 222 and 224 in ModularRealmAuthenticator.java:
> https://shiro.apache.org/static/1.3.2/apidocs/src-html/org/apache/shiro/authc/pam/ModularRealmAuthenticator.html#line.222
>
> Should not the logging level be set to TRACE or DEBUG as it is in AuthenticatingRealm?
>
> --
> View this message in context: http://shiro-user.582556.n2.nabble.com/Invalid-credentials-cause-stack-trace-to-be-logged-tp7581311.html
> Sent from the Shiro User mailing list archive at Nabble.com.
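
One way to get the quieter behaviour discussed in this thread without patching Shiro, as an added example that is not part of the original messages and is not Shiro's own code: a subclass that logs expected credential failures as a single DEBUG line and keeps the stack trace only for unexpected realm errors. The class name `QuietModularRealmAuthenticator` is hypothetical, and the sketch assumes the Shiro 1.x `AuthenticationStrategy` API with SLF4J on the classpath.

```java
import java.util.Collection;

import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.AuthenticationStrategy;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.realm.Realm;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical subclass (the name is an assumption): same multi-realm flow, quieter logging.
public class QuietModularRealmAuthenticator extends ModularRealmAuthenticator {

    private static final Logger log =
            LoggerFactory.getLogger(QuietModularRealmAuthenticator.class);

    @Override
    protected AuthenticationInfo doMultiRealmAuthentication(
            Collection<Realm> realms, AuthenticationToken token) {
        AuthenticationStrategy strategy = getAuthenticationStrategy();
        AuthenticationInfo aggregate = strategy.beforeAllAttempts(realms, token);

        for (Realm realm : realms) {
            aggregate = strategy.beforeAttempt(realm, token, aggregate);
            if (!realm.supports(token)) {
                continue; // this realm does not handle the token type
            }
            AuthenticationInfo info = null;
            Throwable failure = null;
            try {
                info = realm.getAuthenticationInfo(token);
            } catch (AuthenticationException e) {
                // Expected outcome (wrong password, unknown account): one line, no stack trace.
                failure = e;
                log.debug("Realm [{}] rejected the submitted token: {}",
                        realm.getName(), e.getClass().getSimpleName());
            } catch (RuntimeException e) {
                // Unexpected realm failure (e.g. backend unreachable): keep the stack trace.
                failure = e;
                log.warn("Realm [{}] failed during multi-realm authentication",
                        realm.getName(), e);
            }
            // The strategy still sees every failure, so the login outcome is unchanged.
            aggregate = strategy.afterAttempt(realm, token, info, aggregate, failure);
        }
        return strategy.afterAllAttempts(token, aggregate);
    }
}
```

In `shiro.ini` this would be wired with `authenticator = com.example.QuietModularRealmAuthenticator` followed by `securityManager.authenticator = $authenticator`, where the package name is a placeholder.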
