geronimo-dev mailing list archives

From "Aaron Mulder (JIRA)" <...@geronimo.apache.org>
Subject [jira] Commented: (GERONIMO-2294) In security realm with multiple login modules, anything after the first is ignored
Date Tue, 08 Aug 2006 00:38:14 GMT
    [ http://issues.apache.org/jira/browse/GERONIMO-2294?page=comments#action_12426379 ] 
            
Aaron Mulder commented on GERONIMO-2294:
----------------------------------------

Actually, a successful login attempt goes through -- only failed login attempts skip the subsequent
login modules.  Still, that violates the JAAS control flags on the login modules.

Also, note that the sequence is:
 - gather callbacks on one
 - invoke one
 - if unsuccessful, quit
 - gather callbacks on two
 - invoke two

I thought this defeated the purpose of gathering callbacks, which was to gather the callbacks
for all login modules at once and "prompt the user" for all necessary callbacks across all
login modules at the same time.

> In security realm with multiple login modules, anything after the first is ignored
> ----------------------------------------------------------------------------------
>
>                 Key: GERONIMO-2294
>                 URL: http://issues.apache.org/jira/browse/GERONIMO-2294
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.1
>            Reporter: Aaron Mulder
>            Priority: Blocker
>             Fix For: 1.1.1
>
>         Attachments: security-test-webapp.war, test-realm.xml
>
>
> If you deploy the attached plan to create a security realm the same as the default except
> with a second login module, and put breakpoints in the login() method of both login modules,
> the first login module is called twice as expected (once to gather callbacks and again for
> real) but the second login module is never called at all!
> The attached web app uses this realm, just deploy it and point to http://localhost:8080/security/index.html
> to get the login, and put breakpoints in org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule
> and org.apache.geronimo.security.realm.providers.RepeatedFailureLockoutLoginModule

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
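
For reference, an added example (not part of the original message and not Geronimo code) that shows how the standard `javax.security.auth.login.LoginContext` treats a failed first module under two control flags. Stopping after the first failure is what the REQUISITE flag specifies; with REQUIRED the second module is still invoked. The class names, the realm name `demo-realm` and both modules are constructed for illustration.

```java
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class ControlFlagDemo {
    static final List<String> invoked = new ArrayList<>();   // records which login() methods ran

    // Shared no-op plumbing so each constructed module below only defines login().
    public abstract static class Base implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }
    // Constructed stand-in for a credential check that rejects the login.
    public static class FirstModule extends Base {
        public boolean login() throws LoginException {
            invoked.add("first");
            throw new FailedLoginException("bad password");
        }
    }
    // Constructed stand-in for a module that has to observe every attempt, failed ones included.
    public static class SecondModule extends Base {
        public boolean login() { invoked.add("second"); return true; }
    }

    // Runs one login with the given flag on the first module and returns the modules invoked.
    static List<String> attempt(LoginModuleControlFlag firstFlag) {
        invoked.clear();
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(FirstModule.class.getName(), firstFlag, new HashMap<String, Object>()),
                    new AppConfigurationEntry(SecondModule.class.getName(),
                            LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
        };
        try {
            new LoginContext("demo-realm", null, null, cfg).login();
        } catch (LoginException expected) { /* the login fails under both flags */ }
        return new ArrayList<>(invoked);
    }

    public static void main(String[] args) {
        System.out.println("REQUIRED  -> " + attempt(LoginModuleControlFlag.REQUIRED));
        System.out.println("REQUISITE -> " + attempt(LoginModuleControlFlag.REQUISITE));
    }
}
```

The overall login fails in both runs; the difference is only whether the second module gets to see the failed attempt.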

        

Mime
View raw message