Wednesday, July 8, 2009

Form authentication, LoginException and JSPs

This is another one of those posts I hope google will pick up and index for all of those who find themselves in a situation similar to the one I found myself in today...

We've developed an application that runs in a JBoss server. To access the application you need to log in with a username and a password, a pretty common scenario I would imagine. We handle this by delegating to a subclass of the DatabaseServerLoginModule login module provided by JBoss. Our subclass overrides the method getUsersPassword(), does some extra SQL work and also performs some additional validation in that method. There's probably a bit too much in there. Some of the validations throw a LoginException when their criteria are not met. If an exception is thrown it propagates through the whole login mechanism and the user is sent to the page defined by the form-error-page element in the login-config section of your web.xml file.


Now, in order to actually show some information about the LoginException we first have to define a Valve. This was completely new to me and I wasn't very hopeful, but after some reading I figured out that the following should go into the file WEB-INF/context.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <Valve className="org.jboss.web.tomcat.security.FormAuthValve"/>
    <Manager className="org.apache.catalina.session.StandardManager" pathname=""/>
</Context>
Once that was in place, the exception thrown by the login module became available through the j_exception attribute on the user's session, and we could present the user with the actual reason for the failed login.
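To make both ends of this concrete, here is an added example in Java (not code from the original post): a DatabaseServerLoginModule subclass whose getUsersPassword() does its own lookup and throws LoginException subtypes for the account checks, plus a static helper that the form-error-page JSP can call to turn the j_exception session attribute into a message. The package name, the users table layout, the query and the message texts are assumptions; the JBoss base class, getUsername(), dsJndiName and the j_exception attribute are the ones the post relies on. The helper lives on the same class only to keep the example in one file.

```java
// Added example, not from the original post. Package, table layout,
// query and messages are assumptions; the JBoss classes and the
// "j_exception" session attribute are those described in the post.
package com.example.auth;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Timestamp;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpSession;
import javax.sql.DataSource;
import org.jboss.security.auth.spi.DatabaseServerLoginModule;

/**
 * Delegates password checking to DatabaseServerLoginModule but adds account
 * state checks. Every failure is a LoginException (or a subclass of it),
 * which is what FormAuthValve later stores in the session as "j_exception".
 */
public class ValidatingLoginModule extends DatabaseServerLoginModule {

    // Assumed schema for this example: users(username, password, locked, expires)
    private static final String ACCOUNT_QUERY =
        "select password, locked, expires from users where username = ?";

    @Override
    protected String getUsersPassword() throws LoginException {
        Connection conn = null;
        PreparedStatement ps = null;
        ResultSet rs = null;
        try {
            // dsJndiName is the DataSource option from login-config.xml,
            // inherited from DatabaseServerLoginModule.
            DataSource ds = (DataSource) new InitialContext().lookup(dsJndiName);
            conn = ds.getConnection();
            ps = conn.prepareStatement(ACCOUNT_QUERY);
            ps.setString(1, getUsername());
            rs = ps.executeQuery();
            if (!rs.next()) {
                // Same exception type as a wrong password, so an unknown user
                // and a bad password are indistinguishable on the error page.
                throw new FailedLoginException("No matching username/password");
            }
            String password = rs.getString(1);
            if (rs.getBoolean(2)) {
                throw new AccountLockedException("Account is locked");
            }
            Timestamp expires = rs.getTimestamp(3);
            if (expires != null && expires.getTime() < System.currentTimeMillis()) {
                throw new AccountExpiredException("Account has expired");
            }
            // The base class compares this against the submitted password.
            return password;
        } catch (NamingException e) {
            throw wrap("Could not look up DataSource", e);
        } catch (SQLException e) {
            throw wrap("Database error during login", e);
        } finally {
            // Release JDBC resources; errors on close are not interesting here.
            try { if (rs != null) rs.close(); } catch (SQLException ignored) { }
            try { if (ps != null) ps.close(); } catch (SQLException ignored) { }
            try { if (conn != null) conn.close(); } catch (SQLException ignored) { }
        }
    }

    private static LoginException wrap(String msg, Exception cause) {
        LoginException le = new LoginException(msg);
        le.initCause(cause);
        return le;
    }

    /**
     * Called from the form-error-page JSP, for example:
     *   <%= com.example.auth.ValidatingLoginModule.errorMessage(session) %>
     * Maps the exception type to a fixed message instead of echoing
     * getMessage(), so nothing derived from user input reaches the page.
     */
    public static String errorMessage(HttpSession session) {
        Object ex = session.getAttribute("j_exception");
        // Clear it so a later visit to the error page does not show a stale reason.
        session.removeAttribute("j_exception");
        if (ex instanceof AccountLockedException) {
            return "Your account is locked. Contact an administrator.";
        }
        if (ex instanceof AccountExpiredException) {
            return "Your account has expired.";
        }
        if (ex instanceof FailedLoginException) {
            return "Invalid username or password.";
        }
        if (ex instanceof LoginException) {
            return "Login failed. Please try again later.";
        }
        return "Login failed.";
    }
}
```

Two points worth noting: the error page switches on the exception type rather than printing the exception's message, so a message containing the submitted username can never be reflected into the HTML, and the "locked" and "expired" texts still confirm that an account exists, which is exactly the trade-off the next paragraph is about.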


Yes, I know that the common advice when it comes to logins and security is that you should not tell the user what went wrong: giving away too much information might actually help the bad guys trying to get in. I agree. But in this case my vote doesn't count.


Some of the links in the above post lead to outdated versions/pages. The above was implemented on JBoss 4.2 with Java 1.5.

2 comments:

John said...

Hmm.. this seems to have caused some strange issues where the first failed login doesn't show any error message but the second failed attempt shows the error message from the first attempt. We changed the Valve to org.jboss.web.tomcat.security.ExtendedFormAuthenticator instead as per http://www.jboss.org/community/wiki/ExtendedFormAuthenticator and everything was fine.

Sri said...

Hey John,
Thanks for your tip, it works nicely for me. And of course, it saved me a ton of time that I would have otherwise spent reading jboss docs.