JBoss JAAS custom Login Module Error messages

I have an application that makes use of a custom login module of JBoss. Authentication can fail for a wide variety of reasons and I have to display these to the user instead of the usual Invalid username / password error.

Is there a way to get the error message from the login message? I think the best would be to throw an exception since authenticate returns a boolean, however I can't figure out how to catch it after authentication. Any pointers welcome.

n002213f Avatar asked Aug 18 '11 09:08



3 Answers

Used valve org.jboss.web.tomcat.security.ExtendedFormAuthenticator and grabbed j_exception from the session.

Ref:

  1. http://books.zkoss.org/wiki/Small_Talks/2009/August/Form_Based_Login_with_JAAS_on_JBoss_and_ZK
  2. http://community.jboss.org/wiki/ExtendedFormAuthenticator
n002213f Avatar answered Oct 22 '22 23:10



You can use the Database login module and then get the exception using

Exception e = (Exception) SecurityContextAssociation.getContextInfo("org.jboss.security.exception");

You can use this code inside a managed bean function to fetch the error message, e.g.:

    import org.jboss.security.SecurityContextAssociation;

    public String getLoginFailureMsg() {
        // JBoss stores the exception thrown by the login module under this key
        Exception e = (Exception) SecurityContextAssociation
                .getContextInfo("org.jboss.security.exception");
        if (e != null) {
            // getMessage() may be null; guard before inspecting the text.
            // The answer keys on the PB00019 code in the message to tell the two cases apart.
            String msg = e.getMessage();
            if (msg != null && msg.contains("PB00019"))
                return "invalid username";
            else
                return "invalid password";
        }
        return null;
    }

For setting up JAAS with JBoss 7 see this below:

http://amatya.net/blog/implementing-security-with-jaas-in-jboss-as-7/

varunverma Avatar answered Oct 22 '22 22:10



I had the same problem..., but I don't like writing code tied to the container for obvious reasons.

So what I did was to add the exception to the session myself.

First, build a ThreadLocal exception holder to send the exception between LoginContext and ServletContext:

public final class SecurityThreadLocal {
    // Holds the login failure for the current request thread only
    private static final ThreadLocal<Exception> j_exception = new ThreadLocal<Exception>();

    public static void setException(Exception e) {
        j_exception.set(e);
    }

    public static Exception getException() {
        return j_exception.get();
    }

    // Call this when the request ends so nothing lingers on a pooled thread
    public static void clear() {
        j_exception.remove();
    }
}

Add the LoginException to SecurityThreadLocal:

    // inside the custom LoginModule's login() method
    catch (Exception e) { // or just catch LoginException
        log.log(Level.SEVERE, e.getMessage(), e);
        SecurityThreadLocal.setException(e);
    }

Add the Exception to the HttpSession with a Filter:

web.xml

  <filter-mapping>
    <filter-name>SecurityFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

SecurityFilter.java

    // inside doFilter(): request is the ServletRequest passed to the filter
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    String uri = httpRequest.getRequestURI();
    HttpSession session = httpRequest.getSession(false);
    // "<form-error-page>" stands for the error page path configured in web.xml
    if (uri.endsWith("<form-error-page>") && session != null) {
        Exception j_exception = SecurityThreadLocal.getException();
        if (j_exception != null)
            session.setAttribute("j_exception", j_exception);
    }

But you should know, as I do, that this is a bad practice and a security crack.

Well, in my case the customer won...

Reginaldo Santos Avatar answered Oct 22 '22 22:10

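A fuller version of the filter step in the answer above, as an added example that is not part of the original post: it assumes the SecurityThreadLocal class shown there, that the container forwards to the form error page on the same thread that ran the login module, and a hypothetical error-page path. It clears the ThreadLocal in a finally block so a failure recorded on a pooled thread cannot surface in a later, unrelated request, and it stores a coarse message instead of the raw exception.

```java
import java.io.IOException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.CredentialExpiredException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

public class SecurityFilter implements Filter {

    // Hypothetical value; must match <form-error-page> in web.xml's <login-config>.
    private static final String ERROR_PAGE = "/login-error.jsp";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        try {
            // The authenticator has already run the login module on this thread
            // and forwarded to the error page; pick up what it recorded.
            Exception failure = SecurityThreadLocal.getException();  // class from the answer above
            HttpSession session = http.getSession(false);
            if (failure != null && session != null
                    && http.getRequestURI().endsWith(ERROR_PAGE)) {
                session.setAttribute("j_exception_msg", toUserMessage(failure));
            }
            chain.doFilter(req, res);
        } finally {
            // Container threads are pooled: clear on every request so a recorded
            // failure can never be read by a different user's later request.
            SecurityThreadLocal.clear();
        }
    }

    // Coarse message only: saying whether the username or the password was wrong
    // would let callers enumerate valid accounts.
    static String toUserMessage(Exception e) {
        if (e instanceof AccountLockedException) return "Account is locked; contact support.";
        if (e instanceof CredentialExpiredException) return "Password expired; please reset it.";
        return "Invalid username or password.";
    }

    public void destroy() { }
}
```

The error page reads the `j_exception_msg` session attribute and should remove it after rendering so the message is shown once.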