1 Reply Latest reply on May 8, 2005 3:59 PM by joe_the_quick

    How does a LoginException make its way to the form-login-err


      Hi there,

      We've successfully set up a custom LoginModule for handling xmldsig logins (using smart card readers).

      However, in case of a LoginException we'd like to propagate the Exception from the location where it is thrown (which would be in our LoginModule.login() - method) to the web user interface.

      The communication way is as follows:
      - The user is accessing a web page
      - The user is redirected to the form-login-page of web.xml
      - The FormAuthenticator.authenticate() method is invoked
      - The LoginModule.login()-method is invoked
      - LoginModule.login() -> throws LoginException("Sorry folk, the certificate has been revoked");
      - The FormAuthenticator gets the null-value for the principal and redirects to form-error-page.

      ==> The LoginException never makes its way back to the Authenticator. As far as I see, the exception is somehow masked inside the JBossSecurityMgrRealm - there the principal is simply returned with a null-value, and authentication errors could be noticed in TRACE-mode.

      Snippet from org.jboss.web.tomcat.tc4.authenticator.FormAuthenticator

      String username = hreq.getParameter(Constants.FORM_USERNAME);
      String password = hreq.getParameter(Constants.FORM_PASSWORD);
      if (debug >= 1)
          log("Authenticating username '" + username + "'");
      // The realm returns null on any failure; the cause is not passed along
      principal = realm.authenticate(username, password);
      if (principal == null) {
          if (debug >= 1)
              log("Redirect to error page '" + errorURI + "'");
          return (false);
      }

      Snippet from org.jboss.web.tomcat.security.JBossSecurityMgrRealm

      if (securityMgr.isValid(principal, passwordChars)) {
          log.trace("User: " + username + " is authenticated");
          //.... removed
      } else {
          // Failure path: only a null principal and a TRACE message remain
          principal = null;
          if (trace)
              log.trace("User: " + username + " is NOT authenticated");
      }

      Given the above way of communication, it seems quite hard to detect errors.

      So far we've discussed the following options to trap the LoginException:
      *) Perform a LoginModule.login() in the error-jsp page and trap the LoginException ourselves (thus the whole login-procedure will be done twice in case of a login-error).

      *) Return a Principal with the LoginException-data stored in an Exception-property. However, this could impose a security risk as the user would be authenticated as a Principal (with no roles).

      Does anyone know of more delicate options available?

      thx a lot
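The masking described in the post can be reproduced with plain JAAS. This is an added example, not code from the original post or from JBoss: `RevokedCertModule`, `authenticate` and the `LAST_FAILURE` thread-local are hypothetical names, and the thread-local assumes the authenticator and the error page run on the same request thread.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class MaskedLoginFailure {
    // Constructed stand-in for the smart-card module: it always rejects the login.
    public static class RevokedCertModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean login() throws LoginException {
            throw new FailedLoginException("certificate has been revoked");
        }
        public boolean commit() { return false; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // Hypothetical per-thread slot that carries the failure past the realm boundary.
    static final ThreadLocal<LoginException> LAST_FAILURE = new ThreadLocal<>();

    // Like the realm in the post, any failure collapses to a null principal.
    static Principal authenticate(String username, boolean keepReason) {
        Configuration conf = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    RevokedCertModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
        try {
            new LoginContext("demo", new Subject(), null, conf).login();
            return () -> username;              // success: a named principal
        } catch (LoginException e) {
            if (keepReason) LAST_FAILURE.set(e); // otherwise the reason is lost here
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("masked: principal=" + authenticate("alice", false)
            + ", reason=" + LAST_FAILURE.get());
        System.out.println("kept:   principal=" + authenticate("alice", true)
            + ", reason=" + LAST_FAILURE.get().getMessage());
        LAST_FAILURE.remove(); // clear before the pooled thread serves another request
    }
}
```

If a holder like this feeds the error page, map the exception to a fixed set of user-facing messages rather than echoing `getMessage()`, and clear it on every request so one user's failure reason never appears in another user's response.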