From: Tim Ellison
Date: Sat, 14 Oct 2006 01:33:32 -0500
To: harmony-dev@incubator.apache.org
Subject: Re: [classlib][auth]LoginContext should always invoke the LoginModules?

Stepan Mishura wrote:
> So we have the following suggestions:
>
> 1) leave the check and document the difference with RI
> 2) follow RI and put a warning

What warning did you have in mind? And don't say j.u.logging 'cos I can
find out where you live you know :-)

Regards,
Tim

> 3) do LoginContext.logout() before the second login()
> 4) introduce a system property to follow RI
>
> Should we vote?
>
> Thanks,
> Stepan.
>
>
> On 9/29/06, Paulex Yang wrote:
>>
>> Hi, all
>>
>> I'm not a security expert, so please correct me if I miss something. I
>> found some different behavior of Harmony and RI on
>> javax.security.auth.login.LoginContext, the testcase[1] shows the
>> difference.
>>
>> Actually I tried to create the event sequence like below:
>> 1. create LoginContext with some Subject
>> 2. LoginContext.login() and return successfully
>> 3. Modify Subject's content to make it invalid (one Principal's name
>> here, maybe passwd/username/servername in more general case)
>> 4. LoginContext.login() again
>>
>> In RI, the second login() invocation really tried to invoke the relative
>> LoginModule.login() and then failed to login with the modified Subject,
>> but in Harmony, both invocations succeed. I consider RI's behavior is
>> more reasonable.
>>
>> After a rough look of LoginContext implementation, I found the cause may
>> be the Ln. 275
>>
>>    private void loginImpl() throws LoginException {
>>        if (loggedIn) {
>>            return;
>>        }
>>        ....
>>    }
>>
>> Seems Harmony won't invoke the LoginModule.login() again only if the
>> login ever succeeds. If I comment out these lines, the test below passes
>> happily. Any ideas on this issue?
>>
>>
>> [1]
>> import java.security.Principal;
>> import java.util.HashMap;
>> import java.util.HashSet;
>> import java.util.Map;
>>
>> import javax.security.auth.Subject;
>> import javax.security.auth.callback.CallbackHandler;
>> import javax.security.auth.login.AppConfigurationEntry;
>> import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
>> import javax.security.auth.login.Configuration;
>> import javax.security.auth.login.LoginContext;
>> import javax.security.auth.login.LoginException;
>> import javax.security.auth.spi.LoginModule;
>>
>> import junit.framework.TestCase;
>>
>> public class LoginContextTest extends TestCase {
>>    private static final String VALID_NAME = "name1";
>>    private static final String INVALID_NAME = "name2";
>>
>>    public void testLogin() throws Exception {
>>        MyPrincipal pri = new MyPrincipal();
>>        HashSet set = new HashSet();
>>        set.add(pri);
>>        Subject sub = new Subject(false, set, new HashSet(), new HashSet());
>>        Configuration.setConfiguration(new MyConfig());
>>        LoginContext context = new LoginContext("moduleName", sub);
>>        context.login();
>>        // Invalidate the Subject after the first successful login.
>>        pri.name = INVALID_NAME;
>>        try {
>>            context.login();
>>            fail("Should throw LoginException");
>>        } catch (LoginException e) {
>>            // expected: the second login() must reach MyModule.login()
>>        }
>>    }
>>
>>    static class MyConfig extends Configuration {
>>        AppConfigurationEntry[] entries = new AppConfigurationEntry[] {
>>                new AppConfigurationEntry(MyModule.class.getName(),
>>                        LoginModuleControlFlag.REQUIRED, new HashMap()) };
>>
>>        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
>>            return entries;
>>        }
>>
>>        public void refresh() {
>>        }
>>    }
>>
>>    public static class MyModule implements LoginModule {
>>        Subject sub;
>>
>>        // Public no-arg constructor, used by LoginContext to instantiate the module.
>>        public MyModule() {
>>        }
>>
>>        public boolean abort() throws LoginException {
>>            return false;
>>        }
>>
>>        public boolean commit() throws LoginException {
>>            return true;
>>        }
>>
>>        public void initialize(Subject arg0, CallbackHandler arg1,
>>                Map arg2, Map arg3) {
>>            sub = arg0;
>>        }
>>
>>        // Succeeds only while the first Principal still carries VALID_NAME.
>>        public boolean login() throws LoginException {
>>            Principal[] pris = sub.getPrincipals().toArray(new Principal[0]);
>>            return VALID_NAME.equals(pris[0].getName());
>>        }
>>
>>        public boolean logout() throws LoginException {
>>            return false;
>>        }
>>    }
>>
>>    public static class MyPrincipal implements Principal {
>>        public String name = VALID_NAME;
>>
>>        public String getName() {
>>            return name;
>>        }
>>
>>        public String toString() {
>>            return name;
>>        }
>>    }
>> }
>>
>>
>>
>> --
>> Paulex Yang
>> China Software Development Lab
>> IBM
>>
>>
> ------------------------------------------------------
> Terms of use : http://incubator.apache.org/harmony/mailing.html
> To unsubscribe, e-mail: harmony-dev-unsubscribe@incubator.apache.org
> For additional commands, e-mail: harmony-dev-help@incubator.apache.org
>

--

Tim Ellison (t.p.ellison@gmail.com)
IBM Java technology centre, UK.
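
Added example, not part of the original thread and not Harmony or RI code: a stand-alone probe that counts how many times a LoginModule's login() is actually reached for the two sequences discussed above, back-to-back login() calls and login() / logout() / login() (suggestion 3). The names ReLoginProbe, CountingModule and the "probe" configuration entry are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// ReLoginProbe, CountingModule and the "probe" entry name are hypothetical.
public class ReLoginProbe {
    static final AtomicInteger LOGIN_CALLS = new AtomicInteger();

    // Always succeeds; its only job is to count how often login() is reached.
    public static class CountingModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h,
                               Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login() { LOGIN_CALLS.incrementAndGet(); return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    // Returns { module login() calls for login(); login(),
    //           module login() calls for login(); logout(); login() }.
    static int[] probe() throws LoginException {
        final AppConfigurationEntry[] entries = { new AppConfigurationEntry(
                CountingModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                new HashMap<String, Object>()) };
        Configuration.setConfiguration(new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String n) {
                return entries;
            }
            public void refresh() { }
        });
        LoginContext twice = new LoginContext("probe", new Subject());
        twice.login();
        twice.login();   // the call a cached loggedIn flag would short-circuit
        int backToBack = LOGIN_CALLS.getAndSet(0);

        LoginContext cycled = new LoginContext("probe", new Subject());
        cycled.login();
        cycled.logout(); // suggestion 3 from the thread
        cycled.login();
        return new int[] { backToBack, LOGIN_CALLS.getAndSet(0) };
    }
    public static void main(String[] args) throws LoginException {
        int[] r = probe();
        System.out.println("login();login() -> " + r[0]
                + " module calls; with logout() between -> " + r[1]);
    }
}
```

A first figure of 1 means the second login() never reached the module, so a changed or invalidated credential would not be rechecked; 2 means the module was re-invoked, which is the behaviour the thread reports for the RI.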