16 Replies. Latest reply: Oct 24, 2013 10:37 AM by Darren Jones

Catching custom login module exceptions in remote swing client?

Serkan Yıldırım Newbie

Hi,

 

I have custom login modules in JBOSS 7.1.2 Snapshot. They are working with no error; I can authenticate and authorize a user. However, when an exception occurs at the time of login, i.e. wrong password, I throw javax.security.auth.login.LoginException with my custom message. But I couldn't catch the exception in the remote swing client. How is it possible?

  • 1. Re: Catching custom login module exceptions in remote swing client?
    Darran Lofthouse Master

    It is not possible to pass that information all the way back to the remote client; the client is going to receive a generic exception relating to the underlying SASL failure.

     

    The reason for this is that it is bad to provide information to a remote client informing them why the connection failed to authenticate - any information that you do supply can be used by an attacker attempting to break into an installation, e.g. if you go for a UserNotFound exception or InvalidPassword they can quickly discover which users actually exist and then continue with a more targeted attack.

  • 2. Re: Catching custom login module exceptions in remote swing client?
    Serkan Yıldırım Newbie

    Thank you for your reply, Darran. I understand you; however, my custom login module consists of several verification steps, at every step there can be a verification exception, and I want to inform the user about this exception by sending a message. In previous versions we could handle this. According to your explanation, I think the developer who writes the login module must be responsible for these possible attacks. If the environment is open to the world, the messages can be limited, for example. But our environment is an intranet; it is a closed network. A third person could not access the server. Therefore, I feel OK to send login exception messages to the client. I think JBOSS 7.x can be flexible about these login exceptions. It may have two options: one for a strict mode that prevents sending messages to the remote client, and one for a manual mode where the developer is responsible for possible attacks that arise from login exception messages.

  • 3. Re: Catching custom login module exceptions in remote swing client?
    Darran Lofthouse Master

    It sounds like you are implementing more of a challenge response type authentication scheme - can you describe more fully the typical exchange involved here?

  • 4. Re: Catching custom login module exceptions in remote swing client?
    Serkan Yıldırım Newbie

    OK Darran, I want to explain my login scenario in a bit more detail. My login scenario is like below:

     

    1. The application user sends the username and password to the server by using jboss remoting. The username consists of three parts, <application_name>@<computer_id>@<user's identification number>. We have more than one desktop application which connects to the server. So <application_name> resembles the symbolic name of the application for the server. At the time of login a verifier instance is created for this application name. <computer_id> shows a special unique id that is given by the system to the user's computers. <user's identification number> shows a special number that is assigned to the user by the system.

    2. The login module parses my username. It extracts the application name, computer id and user's identification number. The login module creates a Verifier instance, i.e. an interface that is developed by me, by using the application name. This verifier instance controls the steps below:

         a. Does user exist in the database

         b. Is user's state active in the system

         c. Does computer exist in the database

         d. Is computer's state active in the system

         e. Does user have necessary roles to use the application

    If there is a failure in any step, a LoginException is thrown to the application user to inform him/her.

    3. If step 2 is finished successfully, the user's identification number and password are controlled. If they don't match with the database, a LoginException is thrown to the user.

     

    As you see, there isn't a challenge response here; I only want to inform the user why login failed.
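An added example, not part of the thread and not JBoss code, showing one way to reconcile the two positions above: the verification steps from this post run in order, the specific reason goes to a server-side audit log, and the caller only ever receives one generic failure carrying a reference id that support staff can look up. The class, record, step labels, reference-id scheme and sample data are all assumptions made for illustration; it needs Java 16 or later for records.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;
import java.util.function.Predicate;
import java.util.logging.Logger;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

// Hypothetical stand-alone sketch; a real login module would call verify() from its login() method.
public class UniformLoginFailure {
    private static final Logger AUDIT = Logger.getLogger("auth.audit");

    // Username format from the thread: <application_name>@<computer_id>@<user's identification number>
    record Login(String app, String computerId, String userId, String password) {
        static Login parse(String username, String password) throws LoginException {
            String[] p = username == null ? new String[0] : username.split("@", -1);
            if (p.length != 3 || p[0].isEmpty() || p[1].isEmpty() || p[2].isEmpty())
                throw fail("malformed username", "?");
            return new Login(p[0], p[1], p[2], password);
        }
    }

    // The specific reason stays in the audit log; the client sees only a reference id.
    static LoginException fail(String reason, String userId) {
        String id = UUID.randomUUID().toString();
        String safeUser = userId.replaceAll("[^A-Za-z0-9_.-]", "_"); // user input must not forge log lines
        AUDIT.warning("login failed ref=" + id + " user=" + safeUser + " reason=" + reason);
        return new FailedLoginException("Login failed (reference " + id + ")");
    }

    // Runs the checks in order and stops at the first failure; every failure looks the same to the caller.
    static void verify(Login l, Map<String, Predicate<Login>> steps) throws LoginException {
        for (Map.Entry<String, Predicate<Login>> s : steps.entrySet())
            if (!s.getValue().test(l)) throw fail(s.getKey(), l.userId());
    }

    public static void main(String[] args) {
        // Constructed stand-ins for the database lookups (steps a-e, then the password check).
        Map<String, Predicate<Login>> steps = new LinkedHashMap<>();
        steps.put("user not found", l -> l.userId().equals("1001"));
        steps.put("user inactive", l -> true);
        steps.put("computer not found", l -> l.computerId().equals("PC-7"));
        steps.put("computer inactive", l -> true);
        steps.put("missing role", l -> l.app().equals("billing"));
        steps.put("bad password", l -> "s3cret".equals(l.password())); // real code compares password hashes
        for (String u : new String[] {"billing@PC-7@1001", "billing@PC-7@9999", "billing@PC-9@1001", "oops"}) {
            try { verify(Login.parse(u, "s3cret"), steps); System.out.println(u + " -> OK"); }
            catch (LoginException e) { System.out.println(u + " -> " + e.getMessage()); }
        }
    }
}
```

A uniform message does not hide timing differences between an early and a late failing step, so response time can still distinguish the cases unless the checks are made to take comparable time.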

     

  • 5. Re: Catching custom login module exceptions in remote swing client?
    Serkan Yıldırım Newbie

    Hi Darran, could you give an answer for my situation? Thank you.

  • 6. Re: Catching custom login module exceptions in remote swing client?
    Darran Lofthouse Master

    This is going to need to be raised as a feature request to consider further; authentication actually supports multiple mechanisms concurrently, so we need to look a little more at how a message could be sent to the client - at the moment the client just sees a generic message once all mechanisms have failed rather than a mechanism-specific message.

  • 7. Re: Catching custom login module exceptions in remote swing client?
    Serkan Yıldırım Newbie

    Thank you for your reply Darran. I opened a feature request for this discussion:

     

    https://issues.jboss.org/browse/AS7-4679

  • 8. Re: Catching custom login module exceptions in remote swing client?
    Marek Gregor Newbie

    Hello Serkan, we are in the same situation as you are. We have solved it with a special servlet which we call from the remote client before any remote connection and JAAS initialisation. The servlet tries to authenticate and returns the serialized exception back in case of error. The remote client then deserializes the exception and throws it as it was thrown in the former implementation on the previous JBoss version.

  • 9. Re: Catching custom login module exceptions in remote swing client?
    Serkan Yıldırım Newbie

    Hi Marek,

     

    First of all, thank you for your answer. I understand that you moved the authentication logic from the login-module to the servlet. When you authenticate the user in the servlet, a login-module doesn't work for ejb authentication. If so, how could you build up user roles? In our project, every ejb method has roles. A user's role information is built up in a login-module which runs in ejb-authentication.

  • 10. Re: Catching custom login module exceptions in remote swing client?
    Marek Gregor Newbie

    We also have EJB authentication; the servlet authenticates with JAAS and serializes the exception back to the client. Here is sample code of the servlet:

     

    final String username = request.getParameter("USERNAME");
    final String password = request.getParameter("PASSWORD");
    LoginContext lc = new LoginContext("client-login", new ParameterCallBackHandler(username, password));
    lc.login();
    // now we have set up the login context and need to call any bean to perform authentication via JAAS on the server side; UserSvc is the remote interface for our EJB
    UserSvc svc = <here we get implementation of interface via JNDI (InitialContext)>
    try {
        svc.getMyself(); // here we call any method of our EJB in order to process authentication via our login module
    } catch (Exception e) {
        // here we catch the exception from JBoss; obviously it is javax.ejb.EJBAccessException: JBAS013323: Invalid User
        // unfortunately JBoss does not propagate our exception from the login module here, but fortunately it is stored in special thread-local storage, so we do the following hack
        if (e instanceof EJBAccessException) {
            final Object realExceptionFromLoginModule = SecurityContextAssociation.getContextInfo("org.jboss.security.exception");
            if (realExceptionFromLoginModule != null) {
                serializeObjectToServletResponse(realExceptionFromLoginModule);
            } else {
                serializeObjectToServletResponse(e);
            }
        } else {
            serializeObjectToServletResponse(e);
        }
    }

  • 11. Re: Catching custom login module exceptions in remote swing client?
    Marek Gregor Newbie

    Probably I did not explain it correctly: the swing client calls the servlet only once, after the user has entered the username and password. We first call the servlet to check if the credentials are OK; if not, the servlet returns a serialized exception which we deserialize on the client and interpret according to business logic. Only when the credentials are OK do we set up the remote connection from the client using the PropertiesBasedEJBClientConfiguration class: https://community.jboss.org/message/647202#647202#647202. There is another hack on the client: the remote connection is realized in a separate thread, so after we init it from our swing thread, we need to wait with Thread.sleep() for some time in order to have the remote connection initialized correctly.

  • 12. Re: Catching custom login module exceptions in remote swing client?
    Serkan Yıldırım Newbie

    Thank you, Marek, for the detailed explanation. I think this solution is very interesting, congratulations. I will try this solution. However, I think JBOSS developers must implement this feature. I don't need to struggle like this because it's a simple exception throwing mechanism.

  • 13. Re: Catching custom login module exceptions in remote swing client?
    Marek Gregor Newbie

    I agree with you, we have spent 1 man week to get it finally working.

  • 14. Re: Catching custom login module exceptions in remote swing client?
    Darren Jones Newbie

    I found a possible alternative for EJB clients. In JBoss 7.2.0.Final there is a feature to add container interceptors. There is a jboss quickstart showing how to add container interceptors (ejb-security-plus), basically using <ci:container-interceptors> in jboss-ejb3.xml.

     

    In your container interceptor you could do something similar to what Marek does in his servlet. e.g.

     

        @AroundInvoke
        public Object aroundInvoke(final InvocationContext invocationContext) throws Exception {
            try {
                return invocationContext.proceed();
            } catch (EJBAccessException e) {
                Exception authException = (Exception) SecurityContextAssociation.getContextInfo("org.jboss.security.exception");
                // Do what you want with the authException.
                // You could wrap it in an Exception marked as an @ApplicationException, and it will be passed back to the client as that type.
                throw e; // without a throw or return here the method does not compile; rethrows the original failure by default
            }
        }
