On 10/14/06, Tim Ellison wrote:
Stepan Mishura wrote:
> So we have the following suggestions:
>
> 1) leave the check and document the difference with RI
> 2) follow RI and put a warning

What warning did you have in mind?  And don't say j.u.logging 'cos I can find out where you live you know :-)
I meant adding a warning to the javadoc for the login() method.

Thanks,
Stepan.

Regards,
Tim

> 3) do LoginContext.logout() before the second login()
> 4) introduce a system property to follow RI
>
> Should we vote?
>
> Thanks,
> Stepan.
>
>
> On 9/29/06, Paulex Yang wrote:
>>
>> Hi, all
>>
>> I'm not a security expert, so please correct me if I miss something. I
>> found some different behavior between Harmony and RI on
>> javax.security.auth.login.LoginContext; the testcase[1] shows the
>> difference.
>>
>> Actually I tried to create the event sequence like below:
>> 1. create LoginContext with some Subject
>> 2. LoginContext.login() and return successfully
>> 3. Modify the Subject's content to make it invalid (one Principal's name
>> here, maybe passwd/username/servername in a more general case)
>> 4. LoginContext.login() again
>>
>> In RI, the second login() invocation really tried to invoke the relative
>> LoginModule.login() and then failed to login with the modified Subject,
>> but in Harmony, both invocations succeed. I consider RI's behavior
>> more reasonable.
>>
>> After a rough look at the LoginContext implementation, I found the cause may
>> be Ln. 275:
>>
>> private void loginImpl() throws LoginException {
>>     if (loggedIn) {
>>         return;
>>     }
>>     ....
>> }
>>
>> It seems Harmony won't invoke LoginModule.login() again once the
>> login has ever succeeded. If I comment out these lines, the test below passes
>> happily. Any ideas on this issue?
>>
>>
>> [1]
>> import java.security.Principal;
>> import java.util.HashMap;
>> import java.util.HashSet;
>> import java.util.Map;
>> import java.util.Set;
>>
>> import javax.security.auth.Subject;
>> import javax.security.auth.callback.CallbackHandler;
>> import javax.security.auth.login.AppConfigurationEntry;
>> import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
>> import javax.security.auth.login.Configuration;
>> import javax.security.auth.login.LoginContext;
>> import javax.security.auth.login.LoginException;
>> import javax.security.auth.spi.LoginModule;
>>
>> import junit.framework.TestCase;
>>
>> public class LoginContextTest extends TestCase {
>>     private static final String VALID_NAME = "name1";
>>     private static final String INVALID_NAME = "name2";
>>
>>     public void testLogin() throws Exception {
>>         MyPrincipal pri = new MyPrincipal();
>>         Set<Principal> set = new HashSet<Principal>();
>>         set.add(pri);
>>         Subject sub = new Subject(false, set, new HashSet<Object>(), new HashSet<Object>());
>>         Configuration.setConfiguration(new MyConfig());
>>         LoginContext context = new LoginContext("moduleName", sub);
>>         context.login();            // first login: the principal name is valid
>>         pri.name = INVALID_NAME;    // invalidate the Subject after the successful login
>>         try {
>>             context.login();        // RI re-runs MyModule.login() and fails; Harmony returns early
>>             fail("Should throw LoginException");
>>         } catch (LoginException e) {
>>             // expected
>>         }
>>     }
>>
>>     static class MyConfig extends Configuration {
>>         AppConfigurationEntry[] entries = new AppConfigurationEntry[] {
>>             new AppConfigurationEntry(MyModule.class.getName(),
>>                 LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
>>
>>         public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
>>             return entries;    // same single REQUIRED module for any application name
>>         }
>>
>>         public void refresh() {
>>         }
>>     }
>>
>>     public static class MyModule implements LoginModule {
>>         Subject sub;
>>
>>         public MyModule() {    // was "public void MyModule()", a method rather than a constructor
>>         }
>>
>>         public boolean abort() throws LoginException {
>>             return false;
>>         }
>>
>>         public boolean commit() throws LoginException {
>>             return true;
>>         }
>>
>>         public void initialize(Subject arg0, CallbackHandler arg1,
>>                 Map<String, ?> arg2, Map<String, ?> arg3) {
>>             sub = arg0;
>>         }
>>
>>         public boolean login() throws LoginException {
>>             // Returning false means "ignore this module"; with only this one REQUIRED
>>             // module in the stack, LoginContext then fails with a LoginException.
>>             Principal[] pris = sub.getPrincipals().toArray(new Principal[0]);
>>             return VALID_NAME.equals(pris[0].getName());
>>         }
>>
>>         public boolean logout() throws LoginException {
>>             return false;
>>         }
>>     }
>>
>>     public static class MyPrincipal implements Principal {
>>         public String name = VALID_NAME;    // mutable on purpose: the test changes it after login()
>>
>>         public String getName() {
>>             return name;
>>         }
>>
>>         public String toString() {
>>             return name;
>>         }
>>     }
>> }
>>
>>
>>
>> --
>> Paulex Yang
>> China Software Development Lab
>> IBM
>>

--
Tim Ellison ([EMAIL PROTECTED])
IBM Java technology centre, UK.
--
Stepan Mishura
Intel Middleware Products Division

------------------------------------------------------
Terms of use : http://incubator.apache.org/harmony/mailing.html
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
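Option 3 in the thread (logout() before the second login()) only works if the LoginModule's logout() really undoes what commit() did. The example below is added here to show that; it is not code from the thread or from Harmony. The class names (RelogoutDemo, TableLoginModule), the application name "demo" and the credential table are constructed for the example. Unlike the posted test module, which signals failure by returning false (JAAS reads that as "ignore this module"), this module throws FailedLoginException, so the failure is reported regardless of what other modules in the stack do.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class RelogoutDemo {

    /** Hypothetical module: checks name/password against a constructed in-memory table. */
    public static class TableLoginModule implements LoginModule {
        private static final Map<String, char[]> USERS = new HashMap<String, char[]>();
        static { USERS.put("alice", "s3cret".toCharArray()); }   // constructed sample credential

        private Subject subject;
        private CallbackHandler handler;
        private Principal pending;    // produced by login(), published by commit()
        private Principal committed;  // what logout() must remove again

        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e);
            }
            char[] expected = USERS.get(nc.getName());
            char[] given = pc.getPassword();
            pc.clearPassword();
            if (expected == null || given == null || !Arrays.equals(expected, given)) {
                throw new FailedLoginException("bad credentials for " + nc.getName());
            }
            final String name = nc.getName();
            pending = new Principal() {
                public String getName() { return name; }
                public String toString() { return name; }
            };
            return true;
        }

        public boolean commit() {
            if (pending == null) return false;
            subject.getPrincipals().add(pending);
            committed = pending;
            pending = null;
            return true;
        }

        public boolean abort() { pending = null; return true; }

        public boolean logout() {   // strip exactly what commit() added
            if (committed != null) { subject.getPrincipals().remove(committed); committed = null; }
            return true;
        }
    }

    /** Hypothetical in-memory Configuration: one REQUIRED TableLoginModule for every name. */
    static Configuration config() {
        return new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        TableLoginModule.class.getName(),
                        LoginModuleControlFlag.REQUIRED, new HashMap<String, Object>()) };
            }
            public void refresh() { }
        };
    }

    /** Handler answering with fixed credentials (constructed for the demo). */
    static CallbackHandler creds(final String user, final String pass) {
        return new CallbackHandler() {
            public void handle(Callback[] cbs) throws UnsupportedCallbackException {
                for (Callback cb : cbs) {
                    if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                    else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass.toCharArray());
                    else throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    public static void main(String[] args) throws LoginException {
        Configuration.setConfiguration(config());
        Subject subject = new Subject();

        LoginContext first = new LoginContext("demo", subject, creds("alice", "s3cret"));
        first.login();
        System.out.println("after login:  " + subject.getPrincipals());

        // Re-authenticate the same Subject: log the first context out (its logout()
        // removes the committed principal), then run a fresh context instead of
        // calling login() twice on one context, where RI and Harmony disagree.
        first.logout();
        System.out.println("after logout: " + subject.getPrincipals());

        LoginContext second = new LoginContext("demo", subject, creds("alice", "wrong"));
        try {
            second.login();
            System.out.println("unexpected success");
        } catch (LoginException e) {
            System.out.println("second login rejected: " + e.getMessage());
        }
        System.out.println("principals:   " + subject.getPrincipals());
    }
}
```

The point for the thread's test module: a lone REQUIRED module returning false makes LoginContext fail only because every module was ignored; add a second module that succeeds and the same false return no longer produces a LoginException. Throwing from login() keeps the failure visible either way.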