karaf-issues mailing list archives

From Jean-Baptiste Onofré (JIRA) <j...@apache.org>
Subject [jira] [Resolved] (KARAF-3373) Log lower level root cause exception in LDAPLoginModule.doLogin()
Date Tue, 27 Jan 2015 15:05:42 GMT

     [ https://issues.apache.org/jira/browse/KARAF-3373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré resolved KARAF-3373.
-----------------------------------------
    Resolution: Fixed

> Log lower level root cause exception in LDAPLoginModule.doLogin()
> -----------------------------------------------------------------
>
>                 Key: KARAF-3373
>                 URL: https://issues.apache.org/jira/browse/KARAF-3373
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf-security
>    Affects Versions: 3.0.0
>         Environment: LDAP based JAAS login module
>            Reporter: Torsten Mielke
>            Assignee: Jean-Baptiste Onofré
>              Labels: jaas
>             Fix For: 4.0.0, 3.0.3, 2.3.10, 2.4.2
>
>         Attachments: KARAF-3373.patch
>
>
> Method org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin() catches any exception and raises a new LoginException
> {code:title=LDAPLoginModule.java}
> } catch (Exception e) {
>   throw new LoginException("Can't connect to the LDAP server: " + e.getMessage());
> } finally {
>   ...
> }
> {code}
> However in case something is wrong with the LDAP configuration (e.g. wrong SSL certificates) the root cause will be lost as e.getMessage() only returns a fairly generic message, like
> {code}
> Can't connect to the LDAP server: simple bind failed: localhost:10636
> {code}
> whereas the root cause really is 
> {code}
> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> {code}
> We should somehow ensure this root cause is getting logged as well. 
> Unfortunately the call stack to calling LDAPLoginModule.doLogin() includes the javax.security.auth.login.LoginContext which completely swallows the original LoginException raised in doLogin(). It only re-raises a very generic LoginException with the message:
> {code}
> javax.security.auth.login.FailedLoginException: User doesn't exist
> {code} 
> The original exception message is lost. 
> So there is no point in wrapping the root cause exception message in the LoginException to be thrown by LDAPLoginModule.doLogin().
> Instead I suggest to log the root cause in doLogin() as a warning as in the attached patch.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
