Hi,

In JBoss AS 7.1.1, with Infinispan integration (4.0.7) enabled using cache-type="infinispan" on security-domain element in standalone.xml.

A horrible exception in the logs (when authentication fails) seems to be unavoidable.

Exception stacktrace:

2012-04-16 11:03:32 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (http--127.0.0.1-8080-2) Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored
          at javax.security.auth.login.LoginContext.invoke(LoginContext.java:921) [rt.jar:1.6.0_26]
          at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [rt.jar:1.6.0_26]
          at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [rt.jar:1.6.0_26]
          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_26]
          at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [rt.jar:1.6.0_26]
          at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [rt.jar:1.6.0_26]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:371) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160) [picketbox-infinispan-4.0.7.Final.jar:4.0.7.Final]
          at org.jboss.as.web.security.JBossWebRealm.authenticate(JBossWebRealm.java:214) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:280) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:381) [jbossweb-7.0.13.Final.jar:]
          at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
          at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
          at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
          at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
          at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_26]
 
 

I cannot figure out how to avoid having an exception in the error log when authentication of a user fails (incorrect credentials).

JBossCachedAuthenticationManager calls LoginContext.login - if this throws an exception, then the exception is logged at error level. If the call fails to throw an exception, LoginContext.getSubject will never return null, and authenication be determined to have been successful.

See this snippet from java-6-sun LoginContext which shows the loginSucceeded boolean, which is used later on when calling LoginContext#getSubject.

    public void login() throws LoginException {
 
 
        loginSucceeded = false;
 
 
        if (subject == null) {
            subject = new Subject();
        }
 
 
        try {
            if (configProvided) {
                // module invoked in doPrivileged with creatorAcc
                invokeCreatorPriv(LOGIN_METHOD);
                invokeCreatorPriv(COMMIT_METHOD);
            } else {
                // module invoked in doPrivileged
                invokePriv(LOGIN_METHOD);
                invokePriv(COMMIT_METHOD);
            }
            loginSucceeded = true;
        } catch (LoginException le) {
            try {
                if (configProvided) {
                    invokeCreatorPriv(ABORT_METHOD);
                } else {
                    invokePriv(ABORT_METHOD);
                }
            } catch (LoginException le2) {
                throw le;
            }
            throw le;
        }
    }
 

I'm not sure what the correct behaviour should be here - it seems that LoginContext.login throws an error if authentication failed for any reason - whether that reason is that the user has supplied the incorrect credentials, or that all the login modules are broken. If an exception may not be exceptional, perhaps it should be logged at debug?