harmony-dev mailing list archives

From "Stepan Mishura" <stepan.mish...@gmail.com>
Subject Re: [classlib][auth]LoginContext should always invoke the LoginModules?
Date Thu, 12 Oct 2006 05:23:50 GMT
So we have the following suggestions:

1) leave the check and document the difference with RI
2) follow RI and put a warning
3) do LoginContext.logout() before the second login()
4) introduce a system property to follow RI

Should we vote?

Thanks,
Stepan.


On 9/29/06, Paulex Yang wrote:
>
> Hi, all
>
> I'm not a security expert, so please correct me if I miss something. I
> found that Harmony and the RI behave differently on
> javax.security.auth.login.LoginContext; the test case [1] shows the
> difference.
>
> Actually I tried to create the event sequence below:
> 1. create LoginContext with some Subject
> 2. LoginContext.login() and return successfully
> 3. Modify the Subject's content to make it invalid (one Principal's name
> here, maybe password/username/server name in a more general case)
> 4. LoginContext.login() again
>
> In the RI, the second login() invocation really tried to invoke the relevant
> LoginModule.login() and then failed to log in with the modified Subject,
> but in Harmony both invocations succeed. I consider the RI's behavior
> more reasonable.
>
> After a rough look at the LoginContext implementation, I found the cause may
> be line 275:
>
>    private void loginImpl() throws LoginException {
>        if (loggedIn) {
>            return;
>        }
>    ....
>    }
>
> It seems Harmony won't invoke LoginModule.login() again once a login has
> ever succeeded. If I comment out these lines, the test below passes
> happily. Any ideas on this issue?
>
>
> [1]
> import java.security.Principal;
> import java.util.HashMap;
> import java.util.HashSet;
> import java.util.Map;
> import javax.security.auth.Subject;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.login.AppConfigurationEntry;
> import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
> import javax.security.auth.login.Configuration;
> import javax.security.auth.login.LoginContext;
> import javax.security.auth.login.LoginException;
> import javax.security.auth.spi.LoginModule;
> import junit.framework.TestCase;
>
> public class LoginContextTest extends TestCase {
>    private static final String VALID_NAME = "name1";
>    private static final String INVALID_NAME = "name2";
>
>    public void testLogin() throws Exception {
>        MyPrincipal pri = new MyPrincipal();
>        HashSet<Principal> set = new HashSet<Principal>();
>        set.add(pri);
>        Subject sub = new Subject(false, set, new HashSet<Object>(),
>                new HashSet<Object>());
>        Configuration.setConfiguration(new MyConfig());
>        LoginContext context = new LoginContext("moduleName", sub);
>        // first login: the Subject still carries VALID_NAME, so MyModule accepts it
>        context.login();
>        // invalidate the Subject behind the LoginContext's back, then log in again
>        pri.name = INVALID_NAME;
>        try {
>            context.login();
>            fail("Should throw LoginException");
>        } catch (LoginException e) {
>            // expected: MyModule.login() sees INVALID_NAME and rejects the login
>        }
>    }
>    // programmatic JAAS configuration: a single REQUIRED MyModule for any name
>    static class MyConfig extends Configuration {
>        AppConfigurationEntry[] entries = new AppConfigurationEntry[] {
>            new AppConfigurationEntry(MyModule.class.getName(),
>                LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
>        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
>            return entries;
>        }
>        public void refresh() {
>        }
>    }
>    public static class MyModule implements LoginModule {
>        Subject sub;
>        // a real constructor; "public void MyModule()" would declare a method instead
>        public MyModule() {
>        }
>        public boolean abort() throws LoginException {
>            return false;
>        }
>        public boolean commit() throws LoginException {
>            return true;
>        }
>        public void initialize(Subject arg0, CallbackHandler arg1,
>                Map<String, ?> arg2, Map<String, ?> arg3) {
>            sub = arg0;
>        }
>        // accept only if the first Principal in the Subject is still VALID_NAME;
>        // returning false tells LoginContext to ignore this module, which with a
>        // single REQUIRED module makes the overall login fail
>        public boolean login() throws LoginException {
>            Principal[] pris = sub.getPrincipals().toArray(new Principal[0]);
>            return VALID_NAME.equals(pris[0].getName());
>        }
>        public boolean logout() throws LoginException {
>            return false;
>        }
>    }
>    // mutable Principal so the test can change the name after the first login
>    public static class MyPrincipal implements Principal {
>        public String name = VALID_NAME;
>        public String getName() {
>            return name;
>        }
>        public String toString() {
>            return name;
>        }
>    }
> }
>
>
>
> --
> Paulex Yang
> China Software Development Lab
> IBM
>
>
------------------------------------------------------
Terms of use : http://incubator.apache.org/harmony/mailing.html
To unsubscribe, e-mail: harmony-dev-unsubscribe@incubator.apache.org
For additional commands, e-mail: harmony-dev-help@incubator.apache.org
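An added example (the editor's, not code from the Harmony project or from either poster) that runs the sequence discussed in the thread and adds suggestion 3, calling LoginContext.logout() before the second login(). A counting LoginModule records whether LoginContext.login() actually reached the module on each attempt, so the same program shows the difference between the two implementations and the effect of the intervening logout(). The class names, the "demo" configuration name and the invocation counters are assumptions made for this demo; the outcomes noted in the comments for the RI and for Harmony are those reported in the thread, not measurements taken by the editor.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * Hypothetical demo (not Harmony or RI code): a LoginModule that counts its
 * login()/logout() calls, so the reader can see whether LoginContext.login()
 * re-invokes the module after an earlier success, and whether an intervening
 * LoginContext.logout() (suggestion 3 in the thread) changes that.
 */
public class RelogDemo {
    static final String VALID_NAME = "name1";

    /** Mutable Principal, as in the thread's test case. */
    public static class MutablePrincipal implements Principal {
        public String name = VALID_NAME;
        public String getName() { return name; }
        public String toString() { return name; }
    }

    /** Counts invocations; login() throws unless every Principal is still VALID_NAME. */
    public static class CountingModule implements LoginModule {
        static int loginCalls = 0;
        static int logoutCalls = 0;
        private Subject subject;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
        }
        public boolean login() throws LoginException {
            loginCalls++;
            for (Principal p : subject.getPrincipals()) {
                if (!VALID_NAME.equals(p.getName())) {
                    // throwing (rather than returning false) is an unambiguous failure
                    throw new LoginException("invalid principal: " + p.getName());
                }
            }
            return true;
        }
        public boolean commit() { return true; }
        public boolean abort()  { return true; }
        public boolean logout() { logoutCalls++; return true; }
    }

    /** Programmatic JAAS configuration: one REQUIRED CountingModule under the name "demo" (assumed name). */
    static class DemoConfig extends Configuration {
        private final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(CountingModule.class.getName(),
                    LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>())
        };
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return "demo".equals(name) ? entries : null;
        }
        public void refresh() { }
    }

    /** Calls ctx.login() and reports whether the module was reached and whether the login failed. */
    static void attempt(LoginContext ctx, String label) {
        int before = CountingModule.loginCalls;
        String outcome;
        try {
            ctx.login();
            outcome = "succeeded";
        } catch (LoginException e) {
            outcome = "failed (" + e.getMessage() + ")";
        }
        boolean invoked = CountingModule.loginCalls > before;
        System.out.println(label + ": LoginModule.login() "
                + (invoked ? "invoked" : "NOT invoked") + ", LoginContext.login() " + outcome);
    }

    public static void main(String[] args) throws Exception {
        Configuration.setConfiguration(new DemoConfig());
        MutablePrincipal principal = new MutablePrincipal();
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(principal);
        Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
        LoginContext ctx = new LoginContext("demo", subject);

        attempt(ctx, "1st login, valid principal");        // both: invoked, succeeded
        principal.name = "name2";                           // invalidate the Subject behind the context's back
        attempt(ctx, "2nd login, no logout in between");   // RI per the thread: invoked, failed; Harmony per the thread: NOT invoked, succeeded
        ctx.logout();                                       // suggestion 3: log out before logging in again
        attempt(ctx, "3rd login, after logout()");         // expected on either implementation: invoked, failed
        System.out.println("logout() calls seen by the module: " + CountingModule.logoutCalls);
    }
}
```

Run it with `java RelogDemo` (no JAAS config file is needed because the configuration is installed programmatically). The second attempt is the one that distinguishes the two implementations; the third shows that, whichever option is chosen, an explicit logout() gives callers a portable way to force the modules to re-examine a Subject that has changed since the last successful login.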
