I'm not a security expert either, but your solution looks reasonable to me :)
SY, Alexey
2006/9/30, Paulex Yang <[EMAIL PROTECTED]>:
Paulex Yang wrote:
> Hi, all
>
> I'm not a security expert, so please correct me if I miss something. I
> found some different behavior between Harmony and RI on
> javax.security.auth.login.LoginContext; the testcase [1] shows the
> difference.
>
> Actually I tried to create the event sequence like below:
> 1. create LoginContext with some Subject
> 2. LoginContext.login() and return successfully
> 3. Modify Subject's content to make it invalid (one Principal's name
> here; maybe passwd/username/servername in a more general case)
> 4. LoginContext.login() again
>
> In RI, the second login() invocation really tried to invoke the
> corresponding LoginModule.login() and then failed to log in with the
> modified Subject, but in Harmony, both invocations succeed. I consider
> RI's behavior more reasonable.
>
> After a rough look at the LoginContext implementation, I found the cause
> may be at Ln. 275
>
> private void loginImpl() throws LoginException {
>     if (loggedIn) {
>         return;
>     }
>     ....
> }
>
> It seems Harmony won't invoke LoginModule.login() again once a login
> has ever succeeded. If I comment out these lines, the test below
> passes happily. Any ideas on this issue?
I've removed these lines in revision r451557 with a regression test;
please shout if anyone thinks the update is harmful for some reason.
>
>
> [1]
> import java.security.Principal;
> import java.util.HashMap;
> import java.util.HashSet;
> import java.util.Map;
>
> import javax.security.auth.Subject;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.login.AppConfigurationEntry;
> import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
> import javax.security.auth.login.Configuration;
> import javax.security.auth.login.LoginContext;
> import javax.security.auth.login.LoginException;
> import javax.security.auth.spi.LoginModule;
>
> import junit.framework.TestCase;
>
> public class LoginContextTest extends TestCase {
>     private static final String VALID_NAME = "name1";
>     private static final String INVALID_NAME = "name2";
>
>     public void testLogin() throws Exception {
>         MyPrincipal pri = new MyPrincipal();
>         HashSet<Principal> set = new HashSet<Principal>();
>         set.add(pri);
>         Subject sub = new Subject(false, set, new HashSet<Object>(),
>                 new HashSet<Object>());
>         Configuration.setConfiguration(new MyConfig());
>         LoginContext context = new LoginContext("moduleName", sub);
>         // first login: the Principal's name is valid, so MyModule accepts it
>         context.login();
>         // modify the Subject's content after the successful login
>         pri.name = INVALID_NAME;
>         try {
>             // the second login must invoke MyModule.login() again and fail
>             context.login();
>             fail("Should throw LoginException");
>         } catch (LoginException e) {
>             // expected
>         }
>     }
>
>     static class MyConfig extends Configuration {
>         // a single REQUIRED module, so its result decides the whole login
>         AppConfigurationEntry[] entries = new AppConfigurationEntry[] {
>                 new AppConfigurationEntry(MyModule.class.getName(),
>                         LoginModuleControlFlag.REQUIRED,
>                         new HashMap<String, Object>()) };
>
>         public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
>             return entries;
>         }
>
>         public void refresh() {
>         }
>     }
>
>     public static class MyModule implements LoginModule {
>         Subject sub;
>
>         // LoginModule implementations need a public no-arg constructor
>         public MyModule() {
>         }
>
>         public boolean abort() throws LoginException {
>             return false;
>         }
>
>         public boolean commit() throws LoginException {
>             return true;
>         }
>
>         public void initialize(Subject arg0, CallbackHandler arg1,
>                 Map<String, ?> arg2, Map<String, ?> arg3) {
>             sub = arg0;
>         }
>
>         public boolean login() throws LoginException {
>             Principal[] pris = sub.getPrincipals().toArray(new Principal[0]);
>             // returning false means "ignore this module"; when every module
>             // is ignored, LoginContext.login() throws LoginException
>             return VALID_NAME.equals(pris[0].getName());
>         }
>
>         public boolean logout() throws LoginException {
>             return false;
>         }
>     }
>
>     public static class MyPrincipal implements Principal {
>         // deliberately mutable so the test can invalidate the Subject after login
>         public String name = VALID_NAME;
>
>         public String getName() {
>             return name;
>         }
>
>         public String toString() {
>             return name;
>         }
>     }
> }
>
>
>
--
Paulex Yang
China Software Development Lab
IBM
---------------------------------------------------------------------
Terms of use : http://incubator.apache.org/harmony/mailing.html
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Alexey A. Petrenko
Intel Middleware Products Division
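The re-login sequence discussed in the thread as a stand-alone JAAS program, added here as an example; it is not code from the thread or from Harmony. The class names ReloginDemo, NamePrincipal, NameCheckModule and DemoConfig and the configuration name "demo" are chosen for this example. It goes one step beyond the thread's test: before the second login it also calls Subject.setReadOnly(), to show that a read-only Subject only freezes its sets and does not stop an existing mutable Principal from being changed, which is why a LoginModule has to re-check the Subject on every login() rather than trust a cached "logged in" flag.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Example program (not from the thread); all class names below are chosen here. */
public class ReloginDemo {
    static final String VALID_NAME = "name1";

    /** Mutable principal, like MyPrincipal in the thread: its name can change after login. */
    public static class NamePrincipal implements Principal {
        public String name = VALID_NAME;
        public String getName() { return name; }
        public String toString() { return name; }
    }

    /** Accepts the Subject only while one of its Principals still carries the valid name. */
    public static class NameCheckModule implements LoginModule {
        private Subject subject;

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
        }

        public boolean login() throws LoginException {
            for (Principal p : subject.getPrincipals()) {
                if (VALID_NAME.equals(p.getName())) {
                    return true;
                }
            }
            // false means "ignore this module"; with every module ignored,
            // LoginContext.login() fails with a LoginException
            return false;
        }

        public boolean commit() { return true; }
        public boolean abort() { return false; }
        public boolean logout() { return false; }
    }

    /** Programmatic Configuration with one REQUIRED module, like MyConfig in the thread. */
    static class DemoConfig extends Configuration {
        private final AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(NameCheckModule.class.getName(),
                    LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };

        public AppConfigurationEntry[] getAppConfigurationEntry(String name) { return entries; }
        public void refresh() { }
    }

    /** setReadOnly() freezes the Subject's sets, but not the objects already inside them. */
    static void tamper(Subject subject, NamePrincipal principal) {
        subject.setReadOnly();
        try {
            subject.getPrincipals().add(new NamePrincipal());
            throw new AssertionError("read-only Subject accepted a new Principal");
        } catch (IllegalStateException rejected) {
            // the set is frozen, yet the existing Principal can still be changed
            principal.name = "name2";
        }
    }

    /** Logs in twice with a tampered Subject in between; true if the second login is rejected. */
    static boolean secondLoginRejected() throws LoginException {
        NamePrincipal principal = new NamePrincipal();
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(principal);
        Subject subject = new Subject(false, principals, new HashSet<Object>(), new HashSet<Object>());
        Configuration.setConfiguration(new DemoConfig());
        LoginContext context = new LoginContext("demo", subject);

        context.login();              // first login: the name is valid
        tamper(subject, principal);   // the Subject's content is now invalid
        try {
            context.login();          // must run NameCheckModule.login() again, not short-circuit
            return false;
        } catch (LoginException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws LoginException {
        System.out.println("second login rejected: " + secondLoginRejected());
    }
}
```

Run it with `javac ReloginDemo.java && java ReloginDemo`; on a LoginContext that re-runs its modules on every login(), as RI does and Harmony does after r451557, it prints `second login rejected: true`. The lesson for module authors is the same as for the LoginContext itself: a Principal that exposes a mutable field makes the "validated once" state meaningless, so either keep Principal implementations immutable or re-validate on every login.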