You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@karaf.apache.org by "Stijn Strickx (JIRA)" <ji...@apache.org> on 2017/01/31 20:00:53 UTC

[jira] (KARAF-4968) LDAPLoginModule does not correctly implement login method

Stijn Strickx created KARAF-4968:
------------------------------------

             Summary: LDAPLoginModule does not correctly implement login method
                 Key: KARAF-4968
                 URL: https://issues.apache.org/jira/browse/KARAF-4968
             Project: Karaf
          Issue Type: Bug
          Components: karaf-security
    Affects Versions: 4.0.8
            Reporter: Stijn Strickx
            Priority: Minor


When the LDAPLoginModule fails to authenticate a user, given the provided credentials, the login() method will return false.

This is incorrect behavior as explained in the JAAS Dev Guide: http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#login

The login() method should throw a LoginException in that case. Returning false actually tells the LoginContext that this LoginModule should be ignore.

As long as the LDAPLoginModule is the only LoginModule configured within a Realm, the resulting behavior from the LoginContext is as expected. The problem becomes apparent when using the LDAPLoginModule as one of multiple LoginModules defined within a Realm. If, for example, all LoginModule's flags are set to "required", a failure to login in the LDAPLoginModule will just be ignored (while it logs a warning about invalid credentials) as long as the other LoginModules were able to do a successful login. This is not the expected behavior since the LDAPLoginModule is also configured to be "required".




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)