4 Replies Latest reply on Oct 19, 2011 8:33 PM by mandelbr0t

    Strange behaviour from SecurityClient

    mandelbr0t

      I am having some trouble with SecurityClient in my EJB client application. While it is possible to authenticate against the server, a LoginException is not thrown when invalid credentials are provided. The auth.conf I am using looks like:

      mine {
           org.jboss.security.ClientLoginModule required;
      };


      The call to SecurityClient is as follows:

      SecurityClient sec = SecurityClientFactory.getSecurityClient();
      sec.setJAAS("mine", new JAASCallbackHandler(email, password));
      try {
           sec.login();
           ...
      } catch (LoginException e) {
           ...
      }


      Luckily, this is a secured EJB and I can catch the EJBAccessException to note that the login failed. However, this is not the desired (or documented) behavior. Replacing the SecurityClient with a LoginContext and debugging shows that:

       

      1) loginSucceeded = true

      2) success = false

       

      Reading the source code, it doesn't seem to be possible to get into this state without throwing a LoginException. Does anyone have any ideas on how my EJB client can determine that the authentication at the server has failed?

        • 1. Re: Strange behaviour from SecurityClient
          meme

          The ClientLoginModule (which is also used in the SecurityClient) is something like a "cache". If you "login" using this module, the credentials (username, password) are stored in memory. The real authentication against the server is done when it's accessed the first time. I'm doing that in my projects shortly after your sec.login() method. So I can catch the LoginException and react to it in my GUI, for example.

           

          m.
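          The pattern described in this reply, written out as an added example (not code from the original thread or from JBoss itself): sec.login() only caches the credentials, so the client forces the real server-side check with one cheap call on the secured bean and treats EJBAccessException as the "wrong credentials" signal. SecuredRemote and its ping() method are assumed, hypothetical names for the caller's own secured EJB interface.

```java
import javax.ejb.EJBAccessException;
import javax.security.auth.callback.CallbackHandler;

import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;

public class EjbAuthProbe {

    // Hypothetical remote interface of the secured EJB. "ping" is assumed to
    // be a cheap, side-effect-free method that any authenticated role may call,
    // so the probe itself cannot change server state.
    public interface SecuredRemote {
        String ping();
    }

    // Outcome of an authentication attempt, so a GUI can react to each case.
    public enum Result { OK, BAD_CREDENTIALS, CLIENT_CONFIG_ERROR }

    /**
     * Logs in through the "mine" JAAS configuration from auth.conf and then
     * forces the real server-side authentication with one call on the bean.
     */
    public static Result authenticate(CallbackHandler handler, SecuredRemote bean) {
        SecurityClient sec;
        try {
            sec = SecurityClientFactory.getSecurityClient();
            sec.setJAAS("mine", handler);
            // ClientLoginModule only stores username/password locally, so this
            // succeeds even when the credentials are wrong.
            sec.login();
        } catch (Exception e) {
            // Missing auth.conf entry, unusable callback handler, etc.
            return Result.CLIENT_CONFIG_ERROR;
        }
        try {
            // The first remote invocation is where the server actually checks
            // the cached credentials.
            bean.ping();
            return Result.OK;
        } catch (EJBAccessException e) {
            // Server rejected the credentials: clear the local cache so that a
            // later call does not silently reuse them.
            try { sec.logout(); } catch (Exception ignored) { }
            return Result.BAD_CREDENTIALS;
        }
    }
}
```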

          • 2. Re: Strange behaviour from SecurityClient
            mandelbr0t

            OK, thanks. That is consistent with what I'm seeing. So, the EJBAccessException is expected when authenticating against a secured EJB with the wrong login credentials. The GUI app works properly, I just didn't expect to have to catch both exceptions.

            • 3. Re: Strange behaviour from SecurityClient
              mandelbr0t

              Something is still wrong. I have removed the unauthenticatedIdentity option to ensure that I'm not accidentally using an unauthenticated identity. However, when trying to access the secured EJB on another server, the application no longer attempts to authenticate (I have security tracing on). I simply get an EJBAccessException (Invalid User) without any messages appearing in the server trace. Why won't my SecurityClient authenticate with the server?

              • 4. Re: Strange behaviour from SecurityClient
                mandelbr0t

                OK, I have two related problems. I will close this thread since I am having trouble with a different issue.