JDK-4414167

LoginContext does not preserve credentials/principals on retries

    • Type: Bug
    • Resolution: Duplicate
    • Priority: P3
    • Fix Version: None
    • Affects Version: 1.0
    • Component: security-libs



      Name: krC82822 Date: 02/11/2001


      orig synopsis: "LoginContext does not behave as advertised on retries"

      11 Feb 2001, eval1127@eng -- apparently already fixed for merlin (1.4)
      under # 4378100. Submitting new bug to request possible
      back-porting of fix to 1.3.1 (final release...too late for beta).
      -----------------
      java version "1.3.0"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0)
      Java HotSpot(TM) Client VM (build 1.3.0, mixed mode)

      The JAAS API for javax.security.auth.login.LoginContext
      ( http://java.sun.com/security/jaas/apidoc/javax/security/auth/login/LoginContext.html )
      states "A LoginContext supports authentication retries by the calling
      application. For example, a LoginContext's login method may be invoked multiple
      times if the user incorrectly types in a password. However, a LoginContext
      should not be used to authenticate more than one Subject. A separate
      LoginContext should be used to authenticate each different Subject."

      However, using a single LoginContext and calling login() on it multiple times (as
      in the sample, Sample.java) does not behave correctly when the first attempt
      results in failure; despite the success of any subsequent login()s, any
      credentials or principals associated with the subject by a LoginModule are
      destroyed before control returns to the calling method.

      So, for example (from Sample.java provided with the JAAS1.0 download):

           public static void main(String[] args) {
               // use the configured LoginModules for the "Sample" entry
               LoginContext lc = null;
               try {
                   lc = new LoginContext("Sample", new MyCallbackHandler());
               } catch (LoginException le) {
                   le.printStackTrace();
                   System.exit(-1);
               }

               // the user has 3 attempts to authenticate successfully
               int i;
               for (i = 0; i < 3; i++) {
                   try {

                       // attempt authentication
                       lc.login();

                       // if we return with no exception, authentication succeeded
                       break;

                   } catch ...

                   ... blah blah blah...

                   return true;
               }

      If you deliberately fail on the first attempt, you may succeed authentication on
      the second (or subsequent) attempts, but will never get the Principals or
      Credentials you need.
      (Review ID: 114847)
      ======================================================================
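The retry pattern from the report, as an added self-contained harness that is not the JAAS Sample.java and not JDK code: a constructed LoginModule (RetryCheck, accepting only the password "secret" and adding a principal on commit), an in-code Configuration for the "Sample" entry, and a callback handler that feeds a wrong password first and the right one second to a single reused LoginContext. Checking the Subject's principal set after the loop is the quickest way to see whether a given runtime keeps the principals the successful second attempt added.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
// Constructed harness (not the JAAS Sample.java): a LoginModule accepting only "secret", exercised through a retried login.
public class RetryCheck implements LoginModule {
    private static final Principal DEMO_USER = new Principal() { public String getName() { return "demo-user"; } public String toString() { return getName(); } };  // constructed principal
    private Subject subject; private CallbackHandler handler; private boolean authenticated;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }
    public boolean login() throws LoginException {
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { pc }); }
        catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
        authenticated = "secret".equals(new String(pc.getPassword()));
        pc.clearPassword();  // do not keep the cleartext password around longer than needed
        if (!authenticated) throw new FailedLoginException("bad password");
        return true;
    }
    public boolean commit() { if (authenticated) subject.getPrincipals().add(DEMO_USER); return authenticated; }
    public boolean abort()  { authenticated = false; return true; }
    public boolean logout() { subject.getPrincipals().remove(DEMO_USER); authenticated = false; return true; }
    static Configuration config() {  // binds the "Sample" entry to this module without a login.config file
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(RetryCheck.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
    }
    static CallbackHandler passwords(String... pws) {  // hands out one password per login() attempt (stand-in for MyCallbackHandler)
        int[] next = { 0 };
        return cbs -> { for (Callback c : cbs) ((PasswordCallback) c).setPassword(pws[next[0]++].toCharArray()); };
    }
    public static void main(String[] args) throws LoginException {
        // One LoginContext reused across attempts, first wrong then right, exactly the loop the report describes.
        LoginContext lc = new LoginContext("Sample", new Subject(), passwords("wrong", "secret"), config());
        for (int attempt = 1; attempt <= 3; attempt++) {
            try { lc.login(); break; }
            catch (LoginException le) { System.out.println("attempt " + attempt + " failed: " + le.getMessage()); }
        }
        // With the behaviour the report describes the set is empty despite the successful second attempt; with the fix it holds demo-user.
        System.out.println("principals after retry: " + lc.getSubject().getPrincipals());
    }
}
```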

            rmartisunw Ramachandran Marti (Inactive)
            kryansunw Kevin Ryan (Inactive)