We've developed an application that lives in a JBoss server. In order to access the application you need to login with a username and a password. A pretty common scenario I would imagine. We handle this by delegation to a subclass of the login module
DatabaseServerLoginModule provided by JBoss. Our subclass overrides the method
getUsersPassword() and does some extra SQL work; we've also put some more validation etc. into this method. There's probably a bit too much in there. Some of the validations will throw
LoginException when some of the criteria are not met. If an exception is thrown it will propagate through the whole login mechanism and the user will be met by the page defined in the
form-error-page directive in the
login-config section of your
Now, in order to actually show some information about the LoginException we have to define a Valve first. This was completely new to me and I wasn't very hopeful. But after some reading I figured that the following information should go into the file
<?xml version="1.0" encoding="UTF-8"?>
Once that information was in the file the exception from the login module became available through the attribute j_exception on the user's session and we could present the user with a valid reason for the failed login.
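As an added example of the login-module side of this (not the post's own code, and not the XML the post leaves out), here is a DatabaseServerLoginModule subclass that does one extra check in getUsersPassword() and throws a LoginException whose message is what the error page later reads from j_exception. The table name USERS(USERNAME, ENABLED) and the query are assumed; the dsJndiName and log fields are inherited from the JBoss 4.x base classes.

```java
// Added example, not from the original post: a DatabaseServerLoginModule
// subclass that rejects disabled accounts with a user-facing LoginException.
// Assumes a table USERS(USERNAME, ENABLED) in the module's own datasource.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.naming.InitialContext;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.sql.DataSource;
import org.jboss.security.auth.spi.DatabaseServerLoginModule;

public class AccountStatusLoginModule extends DatabaseServerLoginModule {

    // Hypothetical query; in a real module this would come from the module options.
    private static final String ENABLED_SQL =
        "SELECT ENABLED FROM USERS WHERE USERNAME = ?";

    @Override
    protected String getUsersPassword() throws LoginException {
        // Let the parent run its principalsQuery first: an unknown user
        // already fails here with a FailedLoginException.
        String password = super.getUsersPassword();

        if (!isAccountEnabled(getUsername())) {
            // This message is what the form-error-page will see in j_exception.
            throw new FailedLoginException("Account is disabled; contact the helpdesk");
        }
        return password;
    }

    private boolean isAccountEnabled(String username) throws LoginException {
        try {
            DataSource ds = (DataSource) new InitialContext().lookup(dsJndiName);
            Connection conn = ds.getConnection();
            try {
                PreparedStatement ps = conn.prepareStatement(ENABLED_SQL);
                ps.setString(1, username);
                ResultSet rs = ps.executeQuery();
                return rs.next() && rs.getBoolean(1);
            } finally {
                conn.close();
            }
        } catch (Exception e) {
            // Keep SQL and JNDI details in the server log, not in the message
            // that reaches the browser.
            log.error("Account status lookup failed for " + username, e);
            throw new LoginException("Login is temporarily unavailable");
        }
    }
}
```

On the error page, assuming the session attribute holds the Throwable itself, the reason is then ((Throwable) session.getAttribute("j_exception")).getMessage().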
Yes, I know that there is a common belief that when it comes to logins and security you should not really tell the user what went wrong. Giving away too much information might actually help the bad guys trying to get in. I agree. But in this case my vote doesn't count.
Some of the links in the above post lead to outdated versions/pages. The above was implemented on JBoss 4.2 on Java 1.5