Posted to users@tomcat.apache.org by "Gundersen, Richard" <Ri...@london-scottish.com> on 2008/04/23 17:15:35 UTC

JNDI Realm not returning LDAP error codes/exceptions

Hi

I'm using the standard JNDIRealm class to authenticate users. However, if
the login is unsuccessful, I am unable to report the *reason* for the
failure.

The code for JNDIRealm.java tries to return a valid Principal object. 

If logging on fails - which could be for several reasons e.g. bad
password, account expired, password needs changing etc - then the
exception is caught, logged, and then forgotten. The authenticate method
just returns a null Principal object. 

So, by the time the request gets to the 'error' JSP, all I can report to
the user is that there was some kind of problem - not what the problem
was.

I was thinking of writing my own Realm class which did the same, but
threw the exception if one occurred. Unfortunately this would break the
contract with the RealmBase class I think (abstract methods).

From reading the Servlet spec, it suggests that the failure information
*should* be available:

	"The error page sent to a user that is not authenticated
contains information about the failure."

Does anyone have any advice / solved this problem before? Appreciate any
feedback

Thanks

Richard Gundersen


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: FooRealm not returning [any] error codes/exceptions

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Richard,

Gundersen, Richard wrote:
| I'm using the standard JNDIRealm class to authenticate users. However, if
| the login is unsuccessful, I am unable to report the *reason* for the
| failure.

Yup. That's just how the realms are written. The code catches all
checked exceptions and merely logs them, and returns null (which means
"not authenticated").

Check your catalina.out or other log files for the reason.

| I was thinking of writing my own Realm class which did the same, but
| threw the exception if one occurred. Unfortunately this would break the
| contract with the RealmBase class I think (abstract methods).

You can't change that without re-writing a bunch of Tomcat code. What
you can do is to log the problem somewhere specific.

| From reading the Servlet spec, it suggests that the failure information
| *should* be available:
|
| 	"The error page sent to a user that is not authenticated
| contains information about the failure."
|
| Does anyone have any advice / solved this problem before? Appreciate any
| feedback

The information that Tomcat has chosen to provide is limited to the lack
of successful authentication.

One solution is to use securityfilter
(http://securityfilter.sourceforge.net/). You can use Tomcat-provided
realms or write your own (which I recommend, given your requirements).
Get the latest source code and look at the FlexibleRealmInterface, which
has a method for authentication that includes a reference to the
request, so you can shove error messages into that and stuff like that.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkgPYZQACgkQ9CaO5/Lv0PDdfACgnPmbJOmsM7Ve0CatQgsRvtkn
jQQAnjMogAAWdD+29gE7HAr5f976ZKXd
=7qgR
-----END PGP SIGNATURE-----
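As an added illustration of the exchange above (this is example code written for this page, not Tomcat's JNDIRealm and not securityfilter's FlexibleRealmInterface), the class below does the same LDAP bind that JNDIRealm performs internally, but keeps the NamingException instead of logging it and returning null. It classifies the failure, writes the full detail to a dedicated server-side log under a correlation id (the "log the problem somewhere specific" advice), and returns a separate user-facing message that a servlet, error JSP or custom realm can show. The "data NNN" sub-code parsing is an assumption that applies only to Active Directory bind errors; OpenLDAP and most other servers report a bare "Invalid Credentials [49]" and fall through to the generic category. The class name, the `auth.ldap` logger name and the `Outcome` categories are all invented for this example.

```java
import java.util.Hashtable;
import java.util.Locale;
import java.util.UUID;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.naming.AuthenticationException;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

/**
 * Added example (not Tomcat or securityfilter code): bind to LDAP the way
 * JNDIRealm does, but keep the NamingException, classify it, and keep what is
 * logged server-side separate from what the user is told.
 */
public final class LdapBindDiagnoser {

    /** Coarse outcome categories; the user-facing text depends only on these. */
    public enum Outcome { OK, BAD_CREDENTIALS, PASSWORD_EXPIRED, MUST_CHANGE_PASSWORD,
                          ACCOUNT_DISABLED, ACCOUNT_LOCKED, DIRECTORY_UNAVAILABLE, UNKNOWN }

    // Hypothetical logger name; point it at its own appender in the container's logging config.
    private static final Logger AUTH_LOG = Logger.getLogger("auth.ldap");

    // Assumption: Active Directory embeds a sub-code in the bind error text, e.g.
    // "... AcceptSecurityContext error, data 52e, v1db1". Other servers do not.
    private static final Pattern AD_SUBCODE = Pattern.compile("data ([0-9a-fA-F]{3})");

    /** Result handed back to the caller (a servlet, error JSP, or custom realm). */
    public static final class Result {
        public final Outcome outcome;
        public final String correlationId;   // lets support staff find the matching log line
        public final String userMessage;     // safe to show on the error page; null on success
        Result(Outcome o, String id, String msg) { outcome = o; correlationId = id; userMessage = msg; }
    }

    public static Result bind(String providerUrl, String userDn, char[] password) {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, new String(password));
        String id = UUID.randomUUID().toString();
        try {
            new InitialDirContext(env).close();   // a successful simple bind is the credential check
            return new Result(Outcome.OK, id, null);
        } catch (NamingException e) {
            Outcome o = classify(e);
            // Full detail (including the raw server text) stays in the server-side log only.
            AUTH_LOG.warning(String.format("ldap bind failed id=%s user=%s outcome=%s detail=%s",
                                           id, userDn, o, e.toString()));
            return new Result(o, id, userMessage(o, id));
        }
    }

    /** Map the exception type (and, for AD, the embedded sub-code) to an Outcome. */
    static Outcome classify(NamingException e) {
        if (e instanceof CommunicationException) return Outcome.DIRECTORY_UNAVAILABLE;
        if (!(e instanceof AuthenticationException)) return Outcome.UNKNOWN;
        String msg = e.getMessage() == null ? "" : e.getMessage();
        Matcher m = AD_SUBCODE.matcher(msg);
        if (!m.find()) return Outcome.BAD_CREDENTIALS;   // plain LDAP resultCode 49
        switch (m.group(1).toLowerCase(Locale.ROOT)) {
            case "532": return Outcome.PASSWORD_EXPIRED;       // ERROR_PASSWORD_EXPIRED
            case "773": return Outcome.MUST_CHANGE_PASSWORD;   // ERROR_PASSWORD_MUST_CHANGE
            case "533": return Outcome.ACCOUNT_DISABLED;       // ERROR_ACCOUNT_DISABLED
            case "775": return Outcome.ACCOUNT_LOCKED;         // ERROR_ACCOUNT_LOCKED_OUT
            default:    return Outcome.BAD_CREDENTIALS;        // 525, 52e, 530, 531, 701, ...
        }
    }

    /** Only states the user can act on are spelled out; disabled, locked and
     *  unknown-user cases share the generic text so the error page does not
     *  confirm which accounts exist or are currently locked. */
    static String userMessage(Outcome o, String id) {
        switch (o) {
            case PASSWORD_EXPIRED:
            case MUST_CHANGE_PASSWORD:
                return "Your password must be changed before you can sign in.";
            case DIRECTORY_UNAVAILABLE:
                return "Sign-in is temporarily unavailable; quote reference " + id + " to support.";
            default:
                return "Sign-in failed. Quote reference " + id + " if you need help.";
        }
    }
}
```

The split between `AUTH_LOG` and `userMessage` is the design point: the spec's "information about the failure" can be satisfied with a correlation id and a coarse category, while the exact LDAP reason (which distinguishes "no such user" from "wrong password" from "locked out") is kept in a log that only operators can read.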
