I am attempting to implement a scheme which causes a user to change their
password on their first login. I have read the documentation about
exceptions, and decided to throw one of the Shiro exceptions if there was a
field set that required a password reset.
My doGetAuthenticationInfo method in my realm is as follows:
    @Override
    protected AuthenticationInfo doGetAuthenticationInfo(
            AuthenticationToken token) throws UnknownAccountException,
            ExcessiveAttemptsException, IncorrectCredentialsException {
        // null tokens are invalid
        if (token == null) {
            throw new AuthenticationException(
                    "PrincipalCollection method argument cannot be null.");
        }
        UsernamePasswordToken usernamePasswordToken =
                (UsernamePasswordToken) token;
        InventoryReportUser user =
                service.getUserByUsername(usernamePasswordToken.getUsername());
        if (user == null) {
            throw new UnknownAccountException("Could not find user");
        }
        // reset flag is checked before the credentials are matched
        if (user.isResetPasswordReqd()) {
            throw new ExcessiveAttemptsException("Password change required");
        }
        if (getCredentialsMatcher().doCredentialsMatch(usernamePasswordToken,
                user.getAsAuthenticationInfo())) {
            return user.getAsAuthenticationInfo();
        }
        throw new IncorrectCredentialsException("Failed to authenticate");
    }
The controller for the login view catches (or tries to) each of these thrown
exceptions:
    @UIScoped
    public class LoginViewPresenter extends AbstractPresenter<LoginView> {
        private static final Logger logger =
                LoggerFactory.getLogger(LoginViewPresenter.class.getName());

        @Inject
        private javax.enterprise.event.Event<UserLoggedInEvent> loggedInEvent;

        @Override
        protected void onViewEnter() {
        }

        public void onLoginPressed(String username, String password) {
            logger.info("Entering {}:{}.", this.getClass().getName(),
                    "onLoginPressed");
            UsernamePasswordToken token = new UsernamePasswordToken(username,
                    password);
            Subject subject = SecurityUtils.getSubject();
            Session session = subject.getSession();
            logger.info("session information = {}.", session.getHost());
            token.setRememberMe(true);
            // subject = SecurityUtils.getSecurityManager().login(subject, token);
            try {
                subject.login(token);
                if (subject.isAuthenticated()) {
                    logger.info("User Authenticated {}.",
                            subject.getPrincipal().toString());
                    loggedInEvent.fire(new UserLoggedInEvent(
                            subject.getPrincipal().toString()));
                }
            } catch (UnknownAccountException uae) {
                logger.info("Unknown Account: {}.", uae.toString());
            } catch (ExcessiveAttemptsException eae) {
                // logger.info("User Authenticated {}.",
                //         subject.getPrincipal().toString() + " but password change required.");
                // loggedInEvent.fire(new UserLoggedInEvent(
                //         subject.getPrincipal().toString(), true));
                UI.getCurrent().getNavigator().navigateTo("PasswordChange");
            } catch (IncorrectCredentialsException e) {
                getView().showInvalidLoginNotification(e.getMessage());
            } catch (AuthenticationException ae) {
                logger.info("Caught Exception: {}.", ae.toString());
            }
        }
    }
I can follow the execution in the debugger, and although the authentication
method is throwing an explicit type of exception, the only catch is always
on the AuthenticationException. If I try to remove that, Vaadin's
defaultErrorHandler catches it and causes the app to exit.
Can someone tell me what I'm doing wrong? I have set the security manager
to my realm, and as I said, I know the code is executing, but the exceptions
I throw are not caught.
All help appreciated.
--
View this message in context:
http://shiro-user.582556.n2.nabble.com/Shiro-exception-handling-with-Vaadin-tp7580584.html
Sent from the Shiro User mailing list archive at Nabble.com.
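The following is an added, self-contained example of the forced-password-change scheme discussed in the post; it is not the poster's code and not part of the Shiro project. It assumes Shiro 1.x core on the classpath and no Vaadin: the `InventoryReportUser` lookup through `service` is replaced by a constructed in-memory `Account` map, and `ResetAwareRealm`, `ResetAwareInfo` and `LoginOutcome` are hypothetical names. The realm returns the account from `doGetAuthenticationInfo` and overrides `assertCredentialsMatch`, so Shiro's credentials matcher verifies the supplied password first and the "change required" signal is raised only for a caller who knows the current password; the signal uses Shiro's own `ExpiredCredentialsException`, which the caller can distinguish from an unknown account or a wrong password.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.ExpiredCredentialsException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.mgt.DefaultSecurityManager;
import org.apache.shiro.realm.AuthenticatingRealm;
import org.apache.shiro.subject.Subject;

public class ForcedPasswordChangeDemo {

    /** Constructed stand-in for the poster's InventoryReportUser / service lookup. */
    static final class Account {
        final String username, password; // plaintext password: demo only, store salted hashes in real code
        final boolean resetPasswordRequired;
        Account(String u, String p, boolean r) { username = u; password = p; resetPasswordRequired = r; }
    }

    /** AuthenticationInfo that carries the "must change password" flag out of the lookup. */
    static final class ResetAwareInfo extends SimpleAuthenticationInfo {
        final boolean resetPasswordRequired;
        ResetAwareInfo(String principal, String credentials, String realm, boolean reset) {
            super(principal, credentials, realm);
            resetPasswordRequired = reset;
        }
    }

    /** Hypothetical realm: verifies the password before signalling that it must be changed. */
    static final class ResetAwareRealm extends AuthenticatingRealm {
        private final Map<String, Account> accounts;

        ResetAwareRealm(Map<String, Account> accounts) {
            this.accounts = accounts;
            setName("resetAwareRealm");
        }

        @Override
        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token)
                throws AuthenticationException {
            UsernamePasswordToken upToken = (UsernamePasswordToken) token;
            Account account = accounts.get(upToken.getUsername());
            if (account == null) {
                throw new UnknownAccountException("Could not find user");
            }
            // Only the lookup happens here; AuthenticatingRealm matches the credentials next.
            return new ResetAwareInfo(account.username, account.password, getName(),
                    account.resetPasswordRequired);
        }

        @Override
        protected void assertCredentialsMatch(AuthenticationToken token, AuthenticationInfo info)
                throws AuthenticationException {
            // Throws IncorrectCredentialsException on a wrong password, so the reset
            // signal below is reached only by a caller who knows the current password.
            super.assertCredentialsMatch(token, info);
            if (((ResetAwareInfo) info).resetPasswordRequired) {
                throw new ExpiredCredentialsException("Password change required");
            }
        }
    }

    /** Distinct outcomes so a view layer can branch without its own Shiro catch blocks. */
    enum LoginOutcome { AUTHENTICATED, PASSWORD_CHANGE_REQUIRED, UNKNOWN_ACCOUNT, BAD_CREDENTIALS, OTHER_FAILURE }

    static LoginOutcome login(Subject subject, String username, String password) {
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        try {
            subject.login(token);
            return LoginOutcome.AUTHENTICATED;
        } catch (ExpiredCredentialsException e) {
            // Password verified; a UI would navigate to its password-change view here.
            return LoginOutcome.PASSWORD_CHANGE_REQUIRED;
        } catch (UnknownAccountException e) {
            return LoginOutcome.UNKNOWN_ACCOUNT;
        } catch (IncorrectCredentialsException e) {
            return LoginOutcome.BAD_CREDENTIALS;
        } catch (AuthenticationException e) { // catch-all for the base type stays last
            return LoginOutcome.OTHER_FAILURE;
        }
    }

    public static void main(String[] args) {
        Map<String, Account> accounts = new HashMap<>(); // constructed sample accounts
        accounts.put("alice", new Account("alice", "s3cret", false));
        accounts.put("bob", new Account("bob", "changeme", true));

        // A single realm wired directly into the security manager.
        SecurityUtils.setSecurityManager(new DefaultSecurityManager(new ResetAwareRealm(accounts)));
        Subject subject = SecurityUtils.getSubject();

        System.out.println(login(subject, "alice", "s3cret"));   // correct password, no reset flag
        subject.logout();
        System.out.println(login(subject, "bob", "changeme"));   // correct password, reset flag set
        System.out.println(login(subject, "bob", "wrong"));      // wrong password, flag not revealed
        System.out.println(login(subject, "carol", "x"));        // no such account
    }
}
```

The demo deliberately wires exactly one realm into `DefaultSecurityManager`. With a single realm, Shiro's `ModularRealmAuthenticator` calls that realm directly and the specific `AuthenticationException` subclass it throws reaches `subject.login()` unchanged. With two or more realms (for example an INI-configured realm left alongside a custom one), the default authentication strategy collects the per-realm failures and throws a generic `AuthenticationException` instead, so only a catch on the base type fires; checking how many realms the security manager holds is the first thing to verify when subclass catches never match.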