3 Replies Latest reply on Feb 21, 2003 12:29 PM by Philippe C

    ClientLoginModule does not throw FailedLoginException

    Philippe C Newbie

      Why not? Should creating a LoginContext and calling login() with a bad password not throw a LoginException?

        • 1. Re: ClientLoginModule does not throw FailedLoginException
          J. Wolfgang Kaltz Novice

          The ClientLoginModule can not verify the password, so it won't throw an exception for a "bad password".
          The username/password will get verified on your first access to a secured EJB (at which time whatever LoginModule you configured for that will get executed), at that time you can get a LoginException (although it will be encapsulated within a RemoteException)

          • 2. Re: ClientLoginModule does not throw FailedLoginException
            Philippe C Newbie

            I think a LoginModule should perform an authentication. The JAAS dev guide states:

            The login method should:
            1. Determine whether or not this LoginModule should be ignored. (...)
            2. Call the CallbackHandler handle method if user interaction is required.
            3. Perform the authentication.
            4. Store the authentication result (success or failure).
            5. If authentication succeeded, save any relevant state information that may be needed by the commit method.
            6. Return true if authentication succeeds, or throw a LoginException such as FailedLoginException if authentication fails.

            Since the ClientLoginModule simply stores the username and password and no authentication is performed. Does this not break the JAAS specs?

            On the other hand, maybe I should add my server-side LoginModule in the client auth.conf file to perform the authentication. The job of authenticating at LoginContext.login() will be handled by the LdapLoginModule and the method call security will be handled by the ClientLoginModule.

            JAAS dev guide:

            • 3. Re: ClientLoginModule does not throw FailedLoginException
              Philippe C Newbie

              I just found a nice note in the paid documentation about that. I will post it here because I think any divergence from the JAAS specs should be documented in the source code not only in paid documentation.

              page 284:
              Note that this login module does not perform any authentication. It merely copies the login
              information provided to it into the JBoss server EJB invocation layer for subsequent
              authentication on the server. If you need to perform client-side authentication of users you
              would need to configure another login module in addition to the ClientLoginModule.

              conclusion: It's not enough to buy the doco you have to read it too!