[
https://issues.apache.org/jira/browse/KARAF-4968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15860961#comment-15860961
]
Guillaume Nodet commented on KARAF-4968:
----------------------------------------
The integration tests definitely fail with your commit. This needs some
investigation.
> LDAPLoginModule does not correctly implement login method
> ---------------------------------------------------------
>
> Key: KARAF-4968
> URL: https://issues.apache.org/jira/browse/KARAF-4968
> Project: Karaf
> Issue Type: Bug
> Components: karaf-security
> Affects Versions: 4.0.8
> Reporter: Stijn Strickx
> Assignee: Guillaume Nodet
> Priority: Minor
> Fix For: 4.0.9, 4.1.1
>
>
> When the LDAPLoginModule fails to authenticate a user, given the provided
> credentials, the login() method will return false.
> This is incorrect behavior as explained in the JAAS Dev Guide:
> http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#login
> The login() method should throw a LoginException in that case. Returning
> false actually tells the LoginContext that this LoginModule should be ignored.
> As long as the LDAPLoginModule is the only LoginModule configured within a
> Realm, the resulting behavior from the LoginContext is as expected. The
> problem becomes apparent when using the LDAPLoginModule as one of multiple
> LoginModules defined within a Realm. If, for example, all LoginModules their
> flags are set to "required", a failure to login in the LDAPLoginModule will
> just be ignored (while it logs a warning about invalid credentials) as long
> as the other LoginModules were able to do a successful login. This is not the
> expected behavior since the LDAPLoginModule is also configured to be
> "required".
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
