Summary: | ServletException.getRootCause() does not return the LoginException thrown by a JAAS login module | | |
---|---|---|---|
Product: | Tomcat 7 | Reporter: | Patrik Varga <varga.patrik> |
Component: | Servlet & JSP API | Assignee: | Tomcat Developers Mailing List <dev> |
Status: | RESOLVED INVALID | | |
Severity: | normal | CC: | lorenz.haenggi |
Priority: | P2 | | |
Version: | 7.0.8 | | |
Target Milestone: | --- | | |
Hardware: | PC | | |
OS: | Linux | | |
Attachments: | stack trace and output | | |
Description
Patrik Varga
2011-02-17 13:53:32 UTC

What is the stack trace of that exception? Where is it thrown from?

Created attachment 26676 [details]
stack trace and output

See the attached stack trace and output when called from a JSF backing bean test method pvarga.test.LoginBacking.login(), which basically looks like this:

```java
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

public String login() {
    // Servlet 3.0 programmatic login, reached through the JSF external context
    HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
    try {
        request.login(this.username, this.password);
    }
    catch (ServletException se) {
        // Inspect what, if anything, the ServletException carries about the failure
        System.out.println("getCause: " + se.getCause());
        System.out.println("getRootCause: " + se.getRootCause());
        System.out.println("getMessage: " + se.getMessage());
        System.out.println("getLocalizedMessage: " + se.getLocalizedMessage());
        System.out.println("stack trace:");
        se.printStackTrace();
    }
    return null;
}
```

As you can see, the LoginException is logged in JAASRealm.authenticate() but not propagated into the ServletException.

stack trace:
javax.servlet.ServletException: Login failed
    at org.apache.catalina.authenticator.AuthenticatorBase.doLogin(AuthenticatorBase.java:796)
    at org.apache.catalina.authenticator.AuthenticatorBase.login(AuthenticatorBase.java:785)
    at org.apache.catalina.connector.Request.login(Request.java:2508)
    at org.apache.catalina.connector.RequestFacade.login(RequestFacade.java:1066)

Looking at AuthenticatorBase.java:796, the authenticator calls context.getRealm().authenticate(username, password), and that method reports unsuccessful authentication by returning null, not by throwing an exception. This cannot be solved unless the interface of Realm is changed, e.g. by allowing either null or an exception to be returned.

The Realm interface will not be changed for security reasons. The reason for a login failure should not be propagated to the user. If it were, that would be a security vulnerability of a similar nature to CVE-2009-0580.
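The following self-contained Java program is an added illustration of the two designs the thread weighs; it is not part of this report and not Tomcat code. Realm, LoginFailedException and login() are local stand-ins for org.apache.catalina.Realm, the ServletException("Login failed") thrown by AuthenticatorBase.doLogin(), and doLogin() itself; the user store is constructed for the demo. It shows why the resolution is INVALID: a realm that lets the JAAS LoginException reach the caller gives an unauthenticated client different responses for a nonexistent user and for a wrong password, which is the username-enumeration class of problem CVE-2009-0580 belonged to, whereas the null-return contract collapses both to the same "Login failed" with no root cause.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

// Added illustration only; nothing here is Tomcat code. Realm, LoginFailedException
// and login() are local stand-ins for org.apache.catalina.Realm,
// javax.servlet.ServletException and AuthenticatorBase.doLogin().
public class LoginOracleDemo {

    /** Stand-in for org.apache.catalina.Realm: null means "authentication failed". */
    interface Realm {
        Principal authenticate(String username, String credentials) throws LoginException;
    }

    /** Stand-in for the ServletException("Login failed") the authenticator throws. */
    static class LoginFailedException extends Exception {
        LoginFailedException(String message, Throwable cause) { super(message, cause); }
    }

    /** Constructed user store for the demo (plaintext only to keep the example short). */
    static final Map<String, String> USERS = Map.of("alice", "correct horse battery staple");

    /** The behaviour the report asks for: the JAAS-style reason escapes to the caller. */
    static class ReasonRevealingRealm implements Realm {
        public Principal authenticate(String username, String credentials) throws LoginException {
            String stored = USERS.get(username);
            if (stored == null) throw new AccountNotFoundException("No such user: " + username);
            if (!stored.equals(credentials)) throw new FailedLoginException("Bad password for " + username);
            return () -> username;
        }
    }

    /** The Tomcat contract: the reason is logged server-side, the caller only sees null. */
    static class OpaqueRealm implements Realm {
        private final Realm inner = new ReasonRevealingRealm();
        public Principal authenticate(String username, String credentials) {
            try {
                return inner.authenticate(username, credentials);
            } catch (LoginException e) {
                System.err.println("[server log] " + e);   // what JAASRealm.authenticate() does
                return null;
            }
        }
    }

    /** Mirrors AuthenticatorBase.doLogin(): a null Principal becomes a generic exception. */
    static Principal login(Realm realm, String username, String credentials) throws LoginFailedException {
        Principal p;
        try {
            p = realm.authenticate(username, credentials);
        } catch (LoginException e) {
            // Only reachable with ReasonRevealingRealm; attaching e as the cause is the leak.
            throw new LoginFailedException("Login failed", e);
        }
        if (p == null) throw new LoginFailedException("Login failed", null);
        return p;
    }

    /** Everything an unauthenticated client can observe from one probe. */
    static String observe(Realm realm, String username, String credentials) {
        try {
            return "success as " + login(realm, username, credentials).getName();
        } catch (LoginFailedException e) {
            return e.getCause() == null ? e.getMessage() : e.getMessage() + " <- " + e.getCause();
        }
    }

    /** True when an existing and a non-existing user with a wrong password are distinguishable. */
    static boolean isUsernameOracle(Realm realm) {
        String known = observe(realm, "alice", "wrong");
        String unknown = observe(realm, "mallory", "wrong");
        System.out.println("  alice/wrong   -> " + known);
        System.out.println("  mallory/wrong -> " + unknown);
        return !known.equals(unknown);
    }

    public static void main(String[] args) {
        for (Realm realm : new Realm[] { new ReasonRevealingRealm(), new OpaqueRealm() }) {
            System.out.println(realm.getClass().getSimpleName() + ":");
            System.out.println("  username oracle = " + isUsernameOracle(realm));
        }
    }
}
```

Compile and run with `javac LoginOracleDemo.java && java LoginOracleDemo` (Java 9 or later for Map.of). ReasonRevealingRealm reports `username oracle = true`, OpaqueRealm reports `false`, and the JAAS exception still appears on stderr for the OpaqueRealm probes, which is exactly where the thread says the reason belongs: in the server log, not in the ServletException handed back to the request.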