How does a LoginException make its way to the form-login-err
Hi there,
We've successfully set up a custom LoginModule for handling xmldsig logins (using smart card readers).
However, in case of a LoginException we'd like to propagate the Exception from the location where it is thrown (which would be in our LoginModule.login() - method) to the web user interface.
The communication way is as follows:
- The user is accessing a web page
- The user is redirected to the form-login-page of web.xml
- The uthenticate() method
- The FormAuthenticator.authenticate() method is invoked
- The LoginModule.login()-method is invoked
- LoginModule.login() -> throws LoginException("Sorry folk, the certificate has been revoked");
- The FormAuthenticator gets the null-value for the principal and redirects to form-error-page.
==> The LoginException never makes its way back to the Authenticator. As far as I see, the exception is somehow masked inside the JBossSecurityMgrRealm - there the principal is simply returned with a null-value, and authentication errors could be noticed in TRACE-mode.
===============================================
Snippet from org.jboss.web.tomcat.tc4.authenticator.FormAuthenticator
===============================================
String username = hreq.getParameter(Constants.FORM_USERNAME);
String password = hreq.getParameter(Constants.FORM_PASSWORD);
if (debug >= 1)
log("Authenticating username '" + username + "'");
principal = realm.authenticate(username, password);
if (principal == null)
{
if (debug >= 1)
log("Redirect to error page '" + errorURI + "'");
hres.sendRedirect(hres.encodeRedirectURL(errorURI));
return (false);
}
===============================================
Snippet from org.jboss.web.tomcat.security.JBossSecurityMgrRealm
===============================================
if (securityMgr.isValid(principal, passwordChars))
{
log.trace("User: " + username + " is authenticated");
//.... removed
}
else
{
principal = null;
if (trace)
log.trace("User: " + username + " is NOT authenticated");
}
Given the above way of communication, it seems quite hard to detect errors.
So far we've discussed the following options to trap the LoginException:
*) Perform a LoginModule.login() in the error-jsp page and trap the LoginException ourselves (thus the whole login-procedure will be done twice in case of an login-error).
*) Return a Principal with the LoginException-data stored in an Exception-property. However, this could impose a security risk as the user would be authenticated as a Principal (with no roles).
Does anyone know of more delicate options available?
thx alot
joe