3 Replies Latest reply on Oct 1, 2003 4:55 PM by jkuhn

    How to deal with failed logins in client side ?

    blakbox

      Hi,

      I have a standalone client using a secured EJB. So, if the login fails (because of an invalid pass or user), then the exception caught on the client side is something like this:

      java.rmi.ServerException: EJBException:; nested exception is:
      javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
      Authentication exception, principal=luis
      at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:308)
      at sun.rmi.transport.Transport$1.run(Transport.java:164)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.rmi.transport.Transport.serviceCall(Transport.java:160)
      at
      .........

      So, how to deal with this exception? I need to expose an invalid login error message to the client, indicating the reason, but the exception is always a ServerException with an embedded EJBException.

      Is there a workaround?

        • 1. Re: How to deal with failed logins in client side ?
          rickardsson

          I have seen this post a number of times now but no answer?

          I have the same problem, I want to be able to distinguish between a number of login problems but the exception I throw is transformed so the original cause is lost.

          Is this at all possible to fix?

          • 2. Re: How to deal with failed logins in client side ?

            It's always going to have to be wrapped in some type of RemoteException; that is the only way to get it back to the client. Otherwise you'd have to declare the security exception as an application exception for every EJB method.

            RemoteException does give you access to the exception it is wrapping.

            What details do you need on the client? Modifying or extending the current server-side security interceptor should be a fairly trivial task if you need more specific exception messages. However, notice that the current API for the security manager works with simple methods of boolean isValid() [authentication] and boolean doesUserHaveRole() for authorization.

            -- Juha
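
The unwrapping described in reply 2, as an added example that is not part of the original thread: the client walks the wrapper chain of the RemoteException, classifies the failure, and shows one generic message for any authentication failure. The class and method names are hypothetical, a plain RuntimeException stands in for javax.ejb.EJBException so the sample runs on the JDK alone, and the root-cause types (SecurityException, FailedLoginException) are assumptions about what the server throws.

```java
import java.rmi.RemoteException;
import java.rmi.ServerException;
import javax.security.auth.login.FailedLoginException;

public class RemoteAuthFailure {

    /** Walks the wrapper chain and returns the first cause of the given type, or null. */
    static <T extends Throwable> T findCause(Throwable t, Class<T> type) {
        // Bound the walk so a self-referencing cause chain cannot loop forever.
        for (int depth = 0; t != null && depth < 16; depth++) {
            if (type.isInstance(t)) {
                return type.cast(t);
            }
            // RemoteException exposes its wrapped exception as the public field
            // 'detail'; other throwables use getCause(). With an old javax.ejb
            // API, EJBException.getCausedByException() may be needed here as well.
            Throwable next = (t instanceof RemoteException)
                    ? ((RemoteException) t).detail : t.getCause();
            if (next == t) break;
            t = next;
        }
        return null;
    }

    /** Message for the user: one generic text for any authentication failure. */
    static String userMessage(RemoteException e) {
        // Assumed root-cause types; adjust to what the server actually throws.
        if (findCause(e, SecurityException.class) != null
                || findCause(e, FailedLoginException.class) != null) {
            return "Login failed: invalid user name or password.";
        }
        return "The server could not be reached or returned an error.";
    }

    public static void main(String[] args) {
        // Constructed sample shaped like the trace in the first post.
        RemoteException authFailure = new ServerException("EJBException:",
                new RuntimeException("checkSecurityAssociation",
                        new SecurityException("Authentication exception, principal=luis")));
        RemoteException other = new ServerException("EJBException:",
                new RuntimeException("database unavailable"));

        System.out.println(userMessage(authFailure));
        System.out.println(userMessage(other));
    }
}
```

The server-side message and stack trace stay out of the text shown to the user; log them on the client if they are needed for diagnosis.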

            • 3. Re: How to deal with failed logins in client side ?
              jkuhn

              I'm not sure I understand what your problem is.

              Your login is taking place within a try-catch, no?

              Just catch the LoginException, and then forward to a different jsp.

              I'm using Struts, so my login code is in an "Action" servlet. Here is the code:

              try {
                  // Authenticate through JAAS using the "toolkit" login configuration entry.
                  handler = new AppCallbackHandler(userId, password);
                  lc = new LoginContext("toolkit", handler);
                  System.out.println("Created LoginContext");
                  lc.login();
                  System.out.println("Logged in.");
                  it = lc.getSubject().getPrincipals().iterator();
                  while (it.hasNext()) { // display user info in server output.
                      o = it.next();
                      System.out.println("principle: " + o.getClass().getName() + " " + o);
                  }
                  session = request.getSession(); // put the login context onto the session.
                  session.setAttribute(ADMIN_LOGIN_CONTEXT, lc);
              } catch (LoginException le) {
                  // Authentication failed: forward to the error page.
                  System.out.println("Login failed");
                  // le.printStackTrace();
                  return mapping.findForward(ERROR);
              }
              return mapping.findForward(SUCCESS);