I have an application that makes use of a custom login module of JBoss. Authentication can fail for a wide variety of reasons and I have to display these to the user instead of the usual "Invalid username / password" error.
Is there a way to get the error message from the login message? I think the best would be to throw an exception since authenticate returns a boolean, however I can't figure out how to catch it after authentication. Any pointers welcome.
Used valve org.jboss.web.tomcat.security.ExtendedFormAuthenticator and grabbed j_exception from the session.
Ref:
You can use the Database login module and then get the exception using
    Exception e = (Exception) SecurityContextAssociation.getContextInfo("org.jboss.security.exception");
You can use this code inside a managed bean function to fetch the error message, e.g.:
    import org.jboss.security.SecurityContextAssociation;

    public String getLoginFailureMsg() {
        // Exception recorded during authentication, if any
        Exception e = (Exception) SecurityContextAssociation
                .getContextInfo("org.jboss.security.exception");
        if (e != null) {
            String msg = e.getMessage(); // may be null
            if (msg != null && msg.contains("PB00019"))
                return "invalid username";
            else
                return "invalid password";
        }
        return null;
    }
For setting up JAAS with JBoss 7 see this blog:
http://amatya.net/blog/implementing-security-with-jaas-in-jboss-as-7/
I had the same problem..., but I don't like writing code tied to the container for obvious reasons.
So what I did was to add the exception to the session myself.
First, build a ThreadLocal exception holder to send the exception between LoginContext and ServletContext:
    public final class SecurityThreadLocal {
        // One slot per thread for the exception raised during login
        private static final ThreadLocal<Exception> j_exception = new ThreadLocal<Exception>();

        public static void setException(Exception e) {
            j_exception.set(e);
        }

        public static Exception getException() {
            return j_exception.get();
        }

        public static void clear() {
            j_exception.remove();
        }
    }
Add LoginException to SecurityThreadLocal:
    catch (Exception e) { // or just catch LoginException
        log.log(Level.SEVERE, e.getMessage(), e);
        SecurityThreadLocal.setException(e);
    }
Add Exception to the HttpSession with a Filter:
web.xml
    <filter-mapping>
        <filter-name>SecurityFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
SecurityFilter.java
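    if (uri.endsWith("<form-error-page>") && session != null) {
        Exception j_exception = SecurityThreadLocal.getException();
        // Clear the slot so a pooled thread does not carry it into a later request
        SecurityThreadLocal.clear();
        if (j_exception != null)
            session.setAttribute("j_exception", j_exception);
    }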
But you should know, as I know, that this is a bad practice and a security crack.
Well..., in my case the customer won ...
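The following is an added example, not code from any of the posts above. It combines the ThreadLocal hand-off from the last answer with a mapping from the standard JAAS exception types to user-facing text that never says which credential was wrong. The class name `LoginFailure` and the message strings are hypothetical.

```java
import javax.security.auth.login.AccountExpiredException;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

/** Hypothetical helper: carries a login failure on the current request thread only. */
public final class LoginFailure {
    private static final ThreadLocal<Exception> HOLDER = new ThreadLocal<>();

    private LoginFailure() {}

    /** Called from the login module's catch block. */
    public static void record(Exception e) { HOLDER.set(e); }

    /** Read and clear in one step, so a pooled worker thread keeps nothing for a later request. */
    public static Exception take() {
        Exception e = HOLDER.get();
        HOLDER.remove();
        return e;
    }

    /** Text to store in the session instead of the exception object itself. */
    public static String userMessage(Exception e) {
        if (e == null) return null;
        if (e instanceof AccountLockedException) return "Your account is locked.";
        if (e instanceof AccountExpiredException) return "Your account has expired.";
        if (e instanceof CredentialExpiredException) return "Your password has expired.";
        // FailedLoginException, AccountNotFoundException and anything unexpected:
        // one message, so the response does not reveal whether the username exists.
        return "Invalid username or password.";
    }

    public static void main(String[] args) {
        // Constructed sample failures standing in for what a login module would throw.
        Exception[] samples = {
            new FailedLoginException("constructed: password mismatch for alice"),
            new AccountLockedException("constructed: too many failed attempts"),
            new LoginException("constructed: JDBC connection refused")
        };
        for (Exception sample : samples) {
            record(sample);
            System.out.println(userMessage(take()));
        }
        System.out.println(take()); // null: nothing left on the thread
    }
}
```

Showing the locked or expired states still confirms that the account exists, so keep only the ones the application accepts disclosing.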