0 Replies Latest reply on Aug 20, 2013 10:10 AM by thomas-h

    Is this a bug? HttpServletRequest.login() throws ServletException without RootCause

    thomas-h Newbie

      Hi All!

       

      We are currently migrating a project to JBoss AS 7.1 and refactore a WebApplication to make use of the new ServletAPI 3.0.

      Just as additonal Information we furthermore use a custom loginmodule for authentication.

      In this context I faced the issue that the Implementation in JBoss does not behave like I had expected in the case of login failure.

       

      I wanted to use ServletAPI 3.0  login() method on HttpServletRequest to authenticate programmatically from withinh the application. This login method declares to throw a ServletException for failed authentication attempts.

      ServletExpetion in turn is declared to contain the original exception as root cause in ServletApi 3.0 Spec Section 9.5 (Error Handling).

       

      As a result I would have expected the ServletExcpetion thrown as a result of failed login contains the original LoginException that is thrown by a LoginModule.

      But this is not the case.

       

      I debugged some code and discovered that JBossCachedAuthenticationManager catches the Exception and  puts it in a helper context named SecurityContextAssociation.

      From my current perspective I would say this is a bug cause it breaks the servlet api contract.

      But I am not too sure about this.

      So what do you think?

       

      Best regards,

       

      Thomas