https://bz.apache.org/bugzilla/show_bug.cgi?id=63333
Bug ID: 63333
Summary: JAASRealm needs to override isAvailable method to prevent LockOutRealm to lock the user in case JAAS login modules are unavailable
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: jchobanto...@yahoo.com
Target Milestone: ----

If a JAAS login module fails to authenticate because of network communication issues, it could throw a RuntimeException (instead of the checked LoginException) in that case, and also if the configuration of JAAS is invalid.

In the following method:

protected Principal authenticate(String username, CallbackHandler callbackHandler)

where ExceptionUtils.handleThrowable(e); is invoked, set the available flag to false so that it indicates that JAASRealm is not available to authenticate the user, instead of LockOutRealm thinking that the user is not authenticated because the Principal is null.

In CombinedRealm, its isAvailable() method will check if the realm !realm.isAvailable() and will not lock the user out.
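The behaviour requested in the report above, as an added example that is not Tomcat source and not code from the reporter: a simplified, self-contained model in which the lockout wrapper counts a failure only when the wrapped realm reports itself available. All class names (ModelRealm, ModelLockOut, Backend), the threshold of 3 and the sample credentials are hypothetical and constructed for illustration.

```java
import java.util.*;

// Simplified model of the proposal; hypothetical names, not Tomcat classes.
public class LockoutAvailabilityDemo {
    interface Backend { boolean check(String user, String password); } // may throw RuntimeException

    static class ModelRealm {
        private final Backend backend;
        private volatile boolean available = true;
        ModelRealm(Backend backend) { this.backend = backend; }
        boolean isAvailable() { return available; }
        String authenticate(String user, String password) {
            try {
                boolean ok = backend.check(user, password);
                available = true;          // backend answered, so the verdict is trustworthy
                return ok ? user : null;   // null here means the credentials were rejected
            } catch (RuntimeException e) {
                available = false;         // infrastructure failure, not a bad password
                return null;
            }
        }
    }

    static class ModelLockOut {
        private final ModelRealm realm;
        private final int threshold;
        private final Map<String, Integer> failures = new HashMap<>();
        ModelLockOut(ModelRealm realm, int threshold) { this.realm = realm; this.threshold = threshold; }
        boolean isLocked(String user) { return failures.getOrDefault(user, 0) >= threshold; }
        String authenticate(String user, String password) {
            if (isLocked(user)) return null;
            String principal = realm.authenticate(user, password);
            if (principal != null) failures.remove(user);
            // Count the failure only if the realm was able to give a real answer.
            else if (realm.isAvailable()) failures.merge(user, 1, Integer::sum);
            return principal;
        }
    }

    public static void main(String[] args) {
        boolean[] down = { true };         // constructed outage switch
        ModelRealm realm = new ModelRealm((u, pw) -> {
            if (down[0]) throw new IllegalStateException("login module backend unreachable");
            return "s3cret".equals(pw);
        });
        ModelLockOut lockOut = new ModelLockOut(realm, 3);
        for (int i = 0; i < 5; i++) lockOut.authenticate("alice", "s3cret"); // five attempts during the outage
        System.out.println("locked after outage: " + lockOut.isLocked("alice"));
        down[0] = false;
        System.out.println("login after recovery: " + lockOut.authenticate("alice", "s3cret"));
        for (int i = 0; i < 3; i++) lockOut.authenticate("alice", "wrong");  // genuine bad passwords
        System.out.println("locked after bad passwords: " + lockOut.isLocked("alice"));
    }
}
```

In this model the availability flag is realm-wide, so a genuinely wrong password submitted while the backend is down is not counted either; failures resume counting as soon as the backend answers again.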