4 Replies Latest reply on Dec 3, 2004 5:15 AM by Scott Stark

    CredentialsExpired and AccountExpired exception

    Sergio Berna Newbie

      Im trying to integrate a new authorization system through spring loginmodules by extending AbstractServerLoginModule.

      Everything works perfectly up to the point where I try to test CredentialExpired exceptions and AccountExpiredException. Then, no matter the security exception thrown the client always get the same plain securityExecption with no other information.

      Is there any way to get the exact cause of the SecurityException?

      Im using LocalClientLoginModule to access a remote EJB whose methods are protected.

        • 1. Re: SRP: Multiple clients
          Scott Stark Master


          There are more information that might be important to find out what is the problem.

          On the server side i have the following configuration:

          <application-policy name = "CustomFwRealm">

          <login-module code= "org.jboss.security.srp.jaas.SRPCacheLoginModule"
          flag = "required">
          <module-option name = "cacheJndiName">srp-fw/AuthenticationCache
          </module-option>
          </login-module>

          <login-module code = "com.security.jaas.FwServerLoginModule"
          flag = "required">
          <module-option name = "password-stacking">useFirstPass</module-option>
          </login-module>

          </application-policy>

          The FwServerLoginModule is a login module that creates a principal and gets the user roles.
          The strange part is that after the the Client application 2 did the login and the Client application 1 calls the method, the login method of this module is called again.
          Althought the login returns true i've got the exception

          2004-12-07 12:23:15,690 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Authentication exception, principal=nmeira

          and commit is never called...

          • 2. Re: CredentialsExpired and AccountExpired exception
            Sergio Berna Newbie

            With a bit more research i have found the following lines of code on org.jboss.ejb.plugins.SecurityInterceptor

            Starting on line 150.

            // Check the security info from the method invocation
            if (securityManager.isValid(principal, credential) == false)
            {
            String msg = "Authentication exception, principal=" + principal;
            log.error(msg);
            SecurityException e = new SecurityException(msg);
            throw e;
            }


            Seems like no matter whatever happens on LoginModule the exception thrown will be SecurityException :(.

            Is this a design decision or just something on the TODO?

            The JBoss version im using is 3.2.6

            • 3. Re: CredentialsExpired and AccountExpired exception
              Scott Stark Master

              The security manager interface does not have an exception so there is no way to propagate an arbitrary exception, and the exception has to conform to the ejb rules. The jaas security manager implementation in 3.2.6+ will save any exception seen under the org.jboss.security.SecurityAssociation contextInfo thread local under the key "org.jboss.security.exception".

              • 4. Re: CredentialsExpired and AccountExpired exception
                Sergio Berna Newbie

                Scott,

                I agree that the exception is available from SecurityAdapter, but only inside the same VM :(.

                Im using ClientLoginModule from a client standalone application and the exception is not propagated back to the client.

                This is to say:

                Object exception = SecurityAssociation.getContextInfo("org.jboss.security.exception");
                System.out.println("exception:"+exception);

                Always returns null on the client side.

                I agree that security manager doesnt allow for standard exception propagation but i need a way to send the state back to client.

                What would you think about the following modification on SecurityInterceptor (line 150)

                // Check the security info from the method invocation
                if (securityManager.isValid(principal, credential) == false)
                {

                Object exception = SecurityAssociation.getContextInfo(AUTH_EXCEPTION_KEY);
                if(exception!=null){
                //LoginException exception on internal JAAS login module. reThrow.
                log.error("Internal JAAS LoginException "+exception);
                throw (Exception) exception;
                }
                String msg = "Authentication exception, principal=" + principal;
                log.error(msg);
                SecurityException e = new SecurityException(msg);
                throw e;
                }


                The only problem i find is that LoginException does not extend from SecurityException but from GeneralSecurityException which is checked :(. Maybe another approach would be to use SecurityException as a wrapper for the JAAS exception.