shiro-dev mailing list archives

From "Brian Demers (JIRA)" <>
Subject [jira] [Updated] (SHIRO-606) Exception thrown in the log-in process is being ignored.
Date Fri, 05 May 2017 18:05:04 GMT


Brian Demers updated SHIRO-606:
    Fix Version/s:     (was: 1.3.2)

> Exception thrown in the log-in process is being ignored.
> --------------------------------------------------------
>                 Key: SHIRO-606
>                 URL:
>             Project: Shiro
>          Issue Type: Improvement
>          Components: Authentication (log-in)
>    Affects Versions: 1.3.2
>         Environment: OS: Windows 10
> Java Version: 1.8.0_51
> Web Server:Tomcat 8
> IDE: Eclipse Mars for JEE
>            Reporter: Liang Weiwei
>              Labels: newbie, patch
>   Original Estimate: 101.5h
>  Remaining Estimate: 101.5h
> In my opinion, AbstractAuthenticator.authenticate(AuthenticationToken token) handles exceptions inappropriately. When the exception thrown in the try block is not an instance of Authentication, the method will wrap the exception in an Authentication instance and throw it all the way to AuthenticatingFilter.executeLogin(ServletRequest request, ServletResponse response), which just returns a boolean.
> The process mentioned above makes the exception ignored, which makes it hard for us to find out the mistake, because the user cannot take over the exception handling job directly.
> We can do some extension to handle the issue. I looked into the source code and found two ways of handling the exception. First, write a class that implements AuthenticationListener and inject it into the ModularRealmAuthenticator instance; then the listener we write will handle the exception in AbstractAuthenticator.notifyFailure(AuthenticationToken token, AuthenticationException ae). Second, FormAuthenticationFilter.setFailureAttribute(ServletRequest request, AuthenticationException ae); this method seems insignificant and can't help, because it only sets a request attribute, and the attribute value is always "AuthenticationException", ignoring everything about the original exception.
> Although there is a way to handle the exception on our own, I still don't think the exception should be ignored in the Shiro log-in process.
> In addition, the way to handle the exception is a little tricky. In my situation, I am using Spring with Shiro, and I have to write a class that extends ModularRealmAuthenticator in order to inject the listener through constructor-arg, because through value-inject an exception will be thrown. Of course, without Spring, we could write a ModularRealmAuthenticator subclass and assign a List<AuthenticationListener> to the instance's field.
> It is easy to reproduce the issue: any exception thrown in the process mentioned above will cause the problem. This is my first open issue and I am sorry I don't know how to provide a test appropriately.

This message was sent by Atlassian JIRA
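The first workaround the reporter describes (an AuthenticationListener registered on the ModularRealmAuthenticator, which is invoked from AbstractAuthenticator.notifyFailure) is shown below as an added example; it is not code from the issue or from the Shiro project. It assumes the Shiro 1.x API (AuthenticationListener, AbstractAuthenticator.setAuthenticationListeners, DefaultSecurityManager, Realm) and uses a constructed realm, BrokenStoreRealm, that throws a plain IllegalStateException to stand in for an unreachable user store; the class names LoginFailureCauseDemo and FailureCauseListener and the sample credentials are invented for the example. The listener separates the case where a non-AuthenticationException escaped a realm and was wrapped (an infrastructure or programming error that deserves an error-level log with its cause) from a genuine credential failure, so the root cause is recorded before AuthenticatingFilter.executeLogin reduces the outcome to a boolean.

```java
import java.util.Collections;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AbstractAuthenticator;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.Subject;

// Example class (hypothetical name), not part of Shiro or of the issue.
public class LoginFailureCauseDemo {

    /** Listener invoked from AbstractAuthenticator.notifyFailure() for every failed login. */
    static final class FailureCauseListener implements AuthenticationListener {
        @Override
        public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
            // nothing to do for this example
        }

        @Override
        public void onFailure(AuthenticationToken token, AuthenticationException ae) {
            Throwable cause = ae.getCause();
            if (cause != null && !(cause instanceof AuthenticationException)) {
                // A non-AuthenticationException escaped a realm and was wrapped by
                // AbstractAuthenticator.authenticate(): this is a backend or programming
                // error, not a bad credential. Record the cause so it does not vanish
                // behind the filter's boolean result.
                System.err.println("[ERROR] login for '" + token.getPrincipal()
                        + "' failed due to unexpected " + cause.getClass().getName()
                        + ": " + cause.getMessage());
            } else {
                // Genuine authentication failure (unknown account, wrong password, ...).
                System.err.println("[WARN] authentication failed for '" + token.getPrincipal()
                        + "': " + ae.getClass().getSimpleName());
            }
        }

        @Override
        public void onLogout(PrincipalCollection principals) {
            // nothing to do for this example
        }
    }

    /** Constructed realm standing in for a user store that cannot be reached. */
    static final class BrokenStoreRealm implements Realm {
        @Override
        public String getName() {
            return "brokenStore";
        }

        @Override
        public boolean supports(AuthenticationToken token) {
            return token instanceof UsernamePasswordToken;
        }

        @Override
        public AuthenticationInfo getAuthenticationInfo(AuthenticationToken token) {
            // Not an AuthenticationException, so authenticate() wraps it before notifying listeners.
            throw new IllegalStateException("user store connection refused (simulated)");
        }
    }

    public static void main(String[] args) {
        DefaultSecurityManager securityManager = new DefaultSecurityManager(new BrokenStoreRealm());
        // DefaultSecurityManager's default authenticator is a ModularRealmAuthenticator,
        // which extends AbstractAuthenticator and accepts listeners directly; registering
        // through it avoids subclassing ModularRealmAuthenticator just to inject the list.
        ((AbstractAuthenticator) securityManager.getAuthenticator())
                .setAuthenticationListeners(Collections.singletonList(new FailureCauseListener()));
        SecurityUtils.setSecurityManager(securityManager);

        Subject subject = SecurityUtils.getSubject();
        try {
            subject.login(new UsernamePasswordToken("alice", "secret")); // sample credentials
        } catch (AuthenticationException ae) {
            // Outside a web filter the wrapped exception still reaches the caller; inside
            // AuthenticatingFilter.executeLogin() it would have been reduced to "false".
            System.out.println("login rejected; root cause: " + ae.getCause());
        }
    }
}
```

Running this logs an `[ERROR]` line naming `java.lang.IllegalStateException` from the listener before `subject.login` throws, which is the distinction an operator needs: a backend outage must not be counted or alerted on as a burst of bad passwords. In a web application the same listener fires before the filter swallows the exception; if the cause is also needed in the request, FormAuthenticationFilter's `onLoginFailure(AuthenticationToken, AuthenticationException, ServletRequest, ServletResponse)` receives the same AuthenticationException and can be overridden to store more than the class name.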
