You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2017/02/01 06:53:52 UTC
[jira] [Assigned] (KARAF-4968) LDAPLoginModule does not correctly
implement login method
[ https://issues.apache.org/jira/browse/KARAF-4968?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré reassigned KARAF-4968:
-------------------------------------------
Assignee: Jean-Baptiste Onofré
> LDAPLoginModule does not correctly implement login method
> ---------------------------------------------------------
>
> Key: KARAF-4968
> URL: https://issues.apache.org/jira/browse/KARAF-4968
> Project: Karaf
> Issue Type: Bug
> Components: karaf-security
> Affects Versions: 4.0.8
> Reporter: Stijn Strickx
> Assignee: Jean-Baptiste Onofré
> Priority: Minor
>
> When the LDAPLoginModule fails to authenticate a user, given the provided credentials, the login() method will return false.
> This is incorrect behavior as explained in the JAAS Dev Guide: http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#login
> The login() method should throw a LoginException in that case. Returning false actually tells the LoginContext that this LoginModule should be ignored.
> As long as the LDAPLoginModule is the only LoginModule configured within a Realm, the resulting behavior from the LoginContext is as expected. The problem becomes apparent when using the LDAPLoginModule as one of multiple LoginModules defined within a Realm. If, for example, all LoginModules their flags are set to "required", a failure to login in the LDAPLoginModule will just be ignored (while it logs a warning about invalid credentials) as long as the other LoginModules were able to do a successful login. This is not the expected behavior since the LDAPLoginModule is also configured to be "required".
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)