JBoss JAAS User Login Module

I have an application that uses a custom JBoss login module. Authentication can fail for a wide variety of reasons, and I have to show them to the user instead of the usual "Invalid username / password" error.

Is there a way to get the error message from the login message? I think it would be best done with an exception, since authentication returns a boolean; however, I cannot figure out how to catch it after authentication. Any pointers are welcome.

+6
3 answers

Use the org.jboss.web.tomcat.security.ExtendedFormAuthenticator valve and catch j_exception from the session.


+3

You can use the database login module and then get an exception using

    Exception e = (Exception) SecurityContextAssociation.getContextInfo("org.jboss.security.exception");

You can use this code inside a managed bean to retrieve the error message.

    import org.jboss.security.SecurityContextAssociation;

    public String getLoginFailureMsg() {
        // PicketBox stores the exception that failed the current login under this key
        Exception e = (Exception) SecurityContextAssociation.getContextInfo("org.jboss.security.exception");
        if (e != null) {
            String msg = e.getMessage();  // may be null for some exceptions; guard before contains()
            if (msg != null && msg.contains("PB00019")) {  // PicketBox message code this answer treats as "unknown user"
                return "invalid username";
            }
            return "invalid password";
        }
        return null;
    }

To configure JAAS with JBoss 7, see this post:

http://amatya.net/blog/implementing-security-with-jaas-in-jboss-as-7/

+2

I had the same problem... but for obvious reasons I don't like linking code to the container.

So I added the exception to the session myself.

First, create a ThreadLocal exception store to pass the exception between the LoginContext and the ServletContext:

    public final class SecurityThreadLocal {
        private static final ThreadLocal<Exception> j_exception = new ThreadLocal<Exception>();

        private SecurityThreadLocal() {}  // static holder, not meant to be instantiated

        public static void setException(Exception e) {
            j_exception.set(e);
        }

        public static Exception getException() {
            return j_exception.get();  // already typed, no cast needed
        }

        public static void clear() {
            j_exception.remove();  // call at the end of every request: container threads are pooled
        }
    }

Add the LoginException to SecurityThreadLocal:

    // inside the login module's login(), around the credential check
    } catch (LoginException e) {  // the answer catches Exception; LoginException is enough here
        log.log(Level.SEVERE, e.getMessage(), e);
        SecurityThreadLocal.setException(e);
        throw e;                  // re-throw so the JAAS login still fails
    }

Add the exception to the HttpSession using a filter:

web.xml

    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

SecurityFilter.java

    // inside doFilter(), before the request continues down the chain;
    // <form-error-page> stands for the error page path configured in web.xml
    if (uri.endsWith("<form-error-page>") && session != null) {
        Exception j_exception = SecurityThreadLocal.getException();
        if (j_exception != null) {
            session.setAttribute("j_exception", j_exception);
        }
    }

But you should know that I know this is bad practice and a security hole.

Well... in my case, the client won.

+1
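Added example, not code from this thread and not a JBoss or PicketBox API: the hand-off the third answer describes, written against the plain JAAS and Servlet APIs, with the two things a reviewer would insist on before shipping it. The ThreadLocal is cleared in a finally block on every request, because container request threads are pooled and a stale entry would attach one user's login failure to whichever user's request lands on that thread next. And the text shown to the user is chosen by exception type, never taken from getMessage(), so that, unlike the getLoginFailureMsg() in the second answer, an unknown username is not distinguishable from a wrong password (account locked and password expired are surfaced, since those are the states the question wants to show). The names LoginFailureHolder, RecordingLoginModule, LoginFailureFilter and the session attribute loginFailureMessage are invented for the example, the user table is constructed sample data, and the three classes are shown in one listing but belong in separate files. It assumes what the third answer assumes: the container runs the login module on the request thread and forwards (rather than redirects) to the form-error-page within that same request, as Tomcat's FormAuthenticator does, so the filter has to be mapped for the FORWARD dispatcher as well as REQUEST.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Per-thread slot for the last LoginException (hypothetical name, not a JBoss class). */
final class LoginFailureHolder {
    private static final ThreadLocal<LoginException> SLOT = new ThreadLocal<LoginException>();
    private LoginFailureHolder() {}
    static void set(LoginException e) { SLOT.set(e); }
    static LoginException get()       { return SLOT.get(); }
    static void clear()               { SLOT.remove(); }  // request threads are pooled: always clear
}

/** Plain JAAS module (no container base class) checking a constructed in-memory user table. */
public class RecordingLoginModule implements LoginModule {
    // constructed sample data: user -> {password, account state}
    private static final Map<String, String[]> USERS = new HashMap<String, String[]>();
    static {
        USERS.put("alice", new String[] {"s3cret", "ok"});
        USERS.put("bob",   new String[] {"hunter2", "locked"});
        USERS.put("carol", new String[] {"oldpass", "expired"});
    }

    private CallbackHandler handler;
    private boolean succeeded;

    @Override public void initialize(Subject subject, CallbackHandler handler,
                                     Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
    }

    @Override public boolean login() throws LoginException {
        try {
            succeeded = checkCredentials();
            return succeeded;
        } catch (LoginException e) {
            LoginFailureHolder.set(e);  // hand the typed cause to the web tier on this thread
            throw e;                    // the JAAS login must still fail
        }
    }

    private boolean checkCredentials() throws LoginException {
        NameCallback nc = new NameCallback("user");
        PasswordCallback pc = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] {nc, pc});
        } catch (Exception e) {
            throw new LoginException("could not obtain credentials");
        }
        String[] rec = USERS.get(nc.getName());
        char[] given = pc.getPassword() == null ? new char[0] : pc.getPassword();
        pc.clearPassword();
        // unknown user and wrong password raise the same exception on purpose (no enumeration)
        if (rec == null || !Arrays.equals(rec[0].toCharArray(), given)) {
            throw new FailedLoginException("bad credentials");
        }
        if ("locked".equals(rec[1]))  throw new AccountLockedException("account locked");
        if ("expired".equals(rec[1])) throw new CredentialExpiredException("password expired");
        return true;
    }

    @Override public boolean commit() { return succeeded; }
    @Override public boolean abort()  { succeeded = false; return true; }
    @Override public boolean logout() { succeeded = false; return true; }
}

/** Moves a user-safe message for the recorded failure into the session, then clears the slot. */
public class LoginFailureFilter implements Filter {
    static final String ATTR = "loginFailureMessage";  // hypothetical session attribute name

    /** Message chosen by exception type; e.getMessage() is never shown, it may carry internals. */
    static String safeMessage(LoginException e) {
        if (e instanceof AccountLockedException)     return "Your account is locked. Contact support.";
        if (e instanceof CredentialExpiredException) return "Your password has expired. Please reset it.";
        return "Invalid username or password.";      // FailedLoginException and anything unexpected
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            LoginException e = LoginFailureHolder.get();
            if (e != null) {
                HttpSession session = ((HttpServletRequest) req).getSession(false);
                if (session != null) session.setAttribute(ATTR, safeMessage(e));
            }
            chain.doFilter(req, res);
        } finally {
            LoginFailureHolder.clear();  // one user's failure must never leak into the next request on this thread
        }
    }
}
```

Map the filter to /* with both <dispatcher>REQUEST</dispatcher> and <dispatcher>FORWARD</dispatcher>, read the message on the error page with ${sessionScope.loginFailureMessage} and remove the attribute once displayed. Two deployment caveats: the holder, the login module and the filter must be loaded by the same classloader (package all three in the WAR), otherwise the module and the filter see two different ThreadLocal objects; and if your container redirects to the error page instead of forwarding, the slot is set on one request and read on another, which is exactly the leak the third answer warns about, so in that case pass the message through the session from inside the authentication request or drop the ThreadLocal approach.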

Source: https://habr.com/ru/post/895311/

