Stepan Mishura wrote:
> So we have following suggestions:
>
> 1) leave the check and document the difference with RI
> 2) follow RI and put a warning
What warning did you have in mind? And don't say j.u.logging 'cos I can
find out where you live you know :-)
Regards,
Tim
> 3) do LoginContext.logout() before the second login()
> 4) introduce a system property to follow RI
>
> Should we vote?
>
> Thanks,
> Stepan.
>
>
> On 9/29/06, Paulex Yang wrote:
>>
>> Hi, all
>>
>> I'm not a security expert, so please correct me if I miss something. I
>> found some different behavior between Harmony and RI on
>> javax.security.auth.login.LoginContext; the test case [1] shows the
>> difference.
>>
>> Actually I tried to create the event sequence below:
>> 1. create a LoginContext with some Subject
>> 2. LoginContext.login() returns successfully
>> 3. modify the Subject's content to make it invalid (one Principal's name
>> here, maybe passwd/username/servername in the more general case)
>> 4. LoginContext.login() again
>>
>> In RI, the second login() invocation really tried to invoke the relevant
>> LoginModule.login() and then failed to login with the modified Subject,
>> but in Harmony, both invocations succeed. I consider RI's behavior
>> more reasonable.
>>
>> After a rough look at the LoginContext implementation, I found the cause may
>> be Ln. 275:
>>
>> private void loginImpl() throws LoginException {
>>     if (loggedIn) {
>>         return;   // a previous successful login short-circuits every later login()
>>     }
>>     ....
>> }
>>
>> Seems Harmony won't invoke LoginModule.login() again once a login has
>> succeeded. If I comment out these lines, the test below passes
>> happily. Any ideas on this issue?
>>
>>
>> [1]
>> import java.security.Principal;
>> import java.util.HashMap;
>> import java.util.HashSet;
>> import java.util.Map;
>> import java.util.Set;
>> import javax.security.auth.Subject;
>> import javax.security.auth.callback.CallbackHandler;
>> import javax.security.auth.login.AppConfigurationEntry;
>> import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
>> import javax.security.auth.login.Configuration;
>> import javax.security.auth.login.LoginContext;
>> import javax.security.auth.login.LoginException;
>> import javax.security.auth.spi.LoginModule;
>> import junit.framework.TestCase;
>>
>> public class LoginContextTest extends TestCase {
>>     private static final String VALID_NAME = "name1";
>>     private static final String INVALID_NAME = "name2";
>>
>>     public void testLogin() throws Exception {
>>         MyPrincipal pri = new MyPrincipal();
>>         Set<Principal> set = new HashSet<Principal>();
>>         set.add(pri);
>>         Subject sub = new Subject(false, set, new HashSet<Object>(), new HashSet<Object>());
>>         Configuration.setConfiguration(new MyConfig());
>>         LoginContext context = new LoginContext("moduleName", sub);
>>         context.login();          // first login: the principal name is still valid
>>         pri.name = INVALID_NAME;  // now make the Subject's principal invalid
>>         try {
>>             context.login();      // RI re-runs MyModule.login() and fails; Harmony returns early
>>             fail("Should throw LoginException");
>>         } catch (LoginException e) {
>>             // expected
>>         }
>>     }
>>
>>     static class MyConfig extends Configuration {
>>         AppConfigurationEntry[] entries = new AppConfigurationEntry[] {
>>             new AppConfigurationEntry(MyModule.class.getName(),
>>                 LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
>>         public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
>>             return entries;
>>         }
>>         public void refresh() {
>>         }
>>     }
>>
>>     public static class MyModule implements LoginModule {
>>         Subject sub;
>>         // public no-arg constructor, needed for reflective instantiation by LoginContext
>>         // (the original declared a void method named MyModule instead of a constructor)
>>         public MyModule() {
>>         }
>>         public boolean abort() throws LoginException {
>>             return false;
>>         }
>>         public boolean commit() throws LoginException {
>>             return true;
>>         }
>>         public void initialize(Subject arg0, CallbackHandler arg1,
>>                 Map<String, ?> arg2, Map<String, ?> arg3) {
>>             sub = arg0;
>>         }
>>         public boolean login() throws LoginException {
>>             // succeeds only while the Subject's first principal still carries the valid name
>>             Principal[] pris = sub.getPrincipals().toArray(new Principal[0]);
>>             return VALID_NAME.equals(pris[0].getName());
>>         }
>>         public boolean logout() throws LoginException {
>>             return false;
>>         }
>>     }
>>
>>     public static class MyPrincipal implements Principal {
>>         public String name = VALID_NAME;
>>         public String getName() {
>>             return name;
>>         }
>>         public String toString() {
>>             return name;
>>         }
>>     }
>> }
>>
>>
>>
>> --
>> Paulex Yang
>> China Software Development Lab
>> IBM
>>
>>
--
Tim Ellison ([EMAIL PROTECTED])
IBM Java technology centre, UK.
---------------------------------------------------------------------
Terms of use : http://incubator.apache.org/harmony/mailing.html
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
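As an added illustration of suggestion 3 (this is not code from the thread or from Harmony): a LoginModule that counts its own login() invocations makes the Harmony/RI difference observable, and shows that an explicit logout() before re-login, or a fresh LoginContext per attempt, gets the Subject re-validated whichever implementation is underneath. It assumes that logout() resets whatever logged-in state the implementation keeps, which is what suggestion 3 relies on.

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Demo (not Harmony code): count how often the container really re-runs LoginModule.login(). */
public class ReloginDemo {
    static int loginCalls = 0;

    /** Always succeeds; its only job is to record that it was consulted. */
    public static class CountingModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {}
        public boolean login() { loginCalls++; return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Hypothetical configuration that maps every name to the counting module. */
    static class DemoConfig extends Configuration {
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                CountingModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                new HashMap<String, Object>()) };
        }
        public void refresh() {}
    }

    public static void main(String[] args) throws LoginException {
        Configuration.setConfiguration(new DemoConfig());
        Subject sub = new Subject();
        LoginContext ctx = new LoginContext("demo", sub);

        ctx.login();
        ctx.login();  // Harmony (per the thread): short-circuited by loggedIn; RI: module runs again
        System.out.println("module login() calls after login();login(): " + loginCalls);

        ctx.logout(); // suggestion 3: clear the logged-in state first ...
        ctx.login();  // ... so the module is consulted again on either implementation
        System.out.println("module login() calls after logout();login(): " + loginCalls);

        loginCalls = 0;
        new LoginContext("demo", sub).login(); // alternative: a fresh LoginContext per attempt
        System.out.println("module login() calls with a fresh LoginContext: " + loginCalls);
    }
}
```

If the first count stays at one, the implementation is caching the earlier success and a changed Subject is never re-checked; the two later counts rise by one on every run.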