harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paulex Yang <paulex.y...@gmail.com>
Subject [classlib][auth]LoginContext should always invoke the LoginModules?
Date Fri, 29 Sep 2006 10:10:44 GMT
Hi, all

I'm not a security expert, so please correct me if I miss something. I 
found some different behavior of Harmony and RI on 
javax.security.auth.login.LoginContext, the testcase[1] shows the 
difference.

Actually I tried to create the event sequence like below:
1. create LoginContext with some Subject
2. LoginContext.login() and return successfully
3. Modify Subject's content to make it invalid(one Principal's name 
here, maybe passwd/username/servername in more general case)
4. LoginContext.login() again

In RI, the second login() invocation really tried to invoke the relative 
LoginModule.login() and then failed to login with the modified Subject, 
but in Harmony, both invocations succeed. I consider RI's behavior is 
more reasonable.

After a rough look of LoginContext implementation, I found the cause may 
be the Ln. 275

    private void loginImpl() throws LoginException {
        if (loggedIn) {
            return;
        }
    ....
    }

Seems Harmony won't invoke the LoginModule.login() again only if the 
login ever succeeds. If I comment out these lines, the test below passes 
happily. Any ideas on this issue?


[1]
public class LoginContextTest extends TestCase {
    private static final String VALID_NAME = "name1";
    private static final String INVALID_NAME = "name2";

    public void testLogin() throws Exception{
        MyPrincipal pri = new MyPrincipal();
        HashSet set = new HashSet();
        set.add(pri);
        Subject sub = new Subject(false, set, new HashSet(), new HashSet());
        Configuration.setConfiguration(new MyConfig());
        LoginContext context = new LoginContext("moduleName", sub);
        context.login();
        pri.name = INVALID_NAME;
        try{
            context.login();
            fail("Should throw LoginException");
        }catch(LoginException e){
           
        }
    }   
    static class MyConfig extends Configuration{
        AppConfigurationEntry[] entries = new 
AppConfigurationEntry[]{new 
AppConfigurationEntry(MyModule.class.getName(), 
LoginModuleControlFlag.REQUIRED, new HashMap())};
        public AppConfigurationEntry[] getAppConfigurationEntry(String 
name) {
            return entries;
        }
        public void refresh() {
        }
    }
    public static class MyModule implements LoginModule{
        Subject sub;
        public void MyModule(){
        }
        public boolean abort() throws LoginException {
            return false;
        }
        public boolean commit() throws LoginException {
            return true;
        }
        public void initialize(Subject arg0, CallbackHandler arg1, 
Map<String, ?> arg2, Map<String, ?> arg3) {
            sub = arg0;
        }
        public boolean login() throws LoginException {
            Principal[] pris = sub.getPrincipals().toArray(new 
Principal[0]);
            return VALID_NAME.equals(pris[0].getName());
        }
        public boolean logout() throws LoginException {
            return false;
        }
    }
    public static class MyPrincipal implements Principal{
        public String name = VALID_NAME;
        public String getName() {
            return name;
        }
        public String toString(){
            return name;
        }
    };
}



-- 
Paulex Yang
China Software Development Lab
IBM



---------------------------------------------------------------------
Terms of use : http://incubator.apache.org/harmony/mailing.html
To unsubscribe, e-mail: harmony-dev-unsubscribe@incubator.apache.org
For additional commands, e-mail: harmony-dev-help@incubator.apache.org


Mime
View raw message