You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@karaf.apache.org by "Stijn Strickx (JIRA)" <ji...@apache.org> on 2017/01/31 20:00:53 UTC
[jira] (KARAF-4968) LDAPLoginModule does not correctly implement
login method
Stijn Strickx created KARAF-4968:
------------------------------------
Summary: LDAPLoginModule does not correctly implement login method
Key: KARAF-4968
URL: https://issues.apache.org/jira/browse/KARAF-4968
Project: Karaf
Issue Type: Bug
Components: karaf-security
Affects Versions: 4.0.8
Reporter: Stijn Strickx
Priority: Minor
When the LDAPLoginModule fails to authenticate a user, given the provided credentials, the login() method will return false.
This is incorrect behavior as explained in the JAAS Dev Guide: http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#login
The login() method should throw a LoginException in that case. Returning false actually tells the LoginContext that this LoginModule should be ignore.
As long as the LDAPLoginModule is the only LoginModule configured within a Realm, the resulting behavior from the LoginContext is as expected. The problem becomes apparent when using the LDAPLoginModule as one of multiple LoginModules defined within a Realm. If, for example, all LoginModule's flags are set to "required", a failure to login in the LDAPLoginModule will just be ignored (while it logs a warning about invalid credentials) as long as the other LoginModules were able to do a successful login. This is not the expected behavior since the LDAPLoginModule is also configured to be "required".
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)