The javadoc of ServletException.getRootCause() at http://download.oracle.com/javaee/6/api/javax/servlet/ServletException.html#getRootCause%28%29 states that this method should return the exception that caused this servlet exception. However, when using a JAAS login module, the ServletException thrown after an unsuccessful HttpServletRequest.login(String,String) call does not contain its (root) cause, and its getCause() and getRootCause() methods always return null. This makes it impossible to get a handle to the original LoginException thrown by the login module and to present the user the specific error message contained in the LoginException.
What is stack trace of that exception? Where is it thrown from?
Created attachment 26676 [details] stack trace and output See attached stack trace and output when called from a JSF backing bean test method pvarga.test.LoginBacking.login() which basically looks like this: public String login() { HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest(); try { request.login(this.username, this.password); } catch (ServletException se) { System.out.println("getCause: " + se.getCause()); System.out.println("getRootCause: " + se.getRootCause()); System.out.println("getMessage: " + se.getMessage()); System.out.println("getLocalizedMessage: " + se.getLocalizedMessage()); System.out.println("stack trace:"); se.printStackTrace(); } return null; } As you can see the LoginException is logged in JAASRealm.authenticate() but not propagated into the ServletException.
stack trace: javax.servlet.ServletException: Login failed at org.apache.catalina.authenticator.AuthenticatorBase.doLogin(AuthenticatorBase.java:796) at org.apache.catalina.authenticator.AuthenticatorBase.login(AuthenticatorBase.java:785) at org.apache.catalina.connector.Request.login(Request.java:2508) at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1066) Looking at AuthenticatorBase.java:796, the authenticator calls context.getRealm().authenticate(username, password) and that method reports unsuccessful authentication by returning null and not by throwing some exception. This cannot be solved unless interface of Realm is changed, e.g. by allowing either null or an exception to be returned.
The Realm interface will not be changed for security reasons. The reason for a login failure should not be propagated to the user. If it were, that would be a security vulnerability of a similar nature to CVE-2009-0580.
*** Bug 44598 has been marked as a duplicate of this bug. ***