JAAS: unclear doc on LoginContext.login()

843811 Member Posts: 49,851
I'm having difficulty understanding some of the javadoc text for
LoginContext.login(). Consider these three paragraphs:

    If the commit phase of the authentication process fails, then the
    overall authentication fails and this method invokes the abort method
    for each configured LoginModule.

    If the abort phase fails for any reason, then this method propagates
    the original exception thrown either during the login phase or the
    commit phase. In either case, the overall authentication fails.

    In the case where multiple LoginModules fail, this method propagates
    the exception raised by the first LoginModule which failed.

Specific questions:

1. Is it only when the abort phase fails that the original
exception should be propagated? How about when the abort phase
passes (i.e., I presume, when there's no error in executing the
LoginModules' abort() methods)?

2. That 3rd paragraph: should it really be part of the 2nd paragraph,
or is it really a new thought? That is, should the first of multiple
LoginModule exceptions be propagated only when the abort phase
fails? Or should the first exception be propagated whenever there are
any exceptions, even when the abort phase passes?
General questions:

Generally, LoginExceptions are thrown upon login()
failures. I presume this is because you don't want to give specific
reasons for failed login attempts back to JoeCracker.

1. Should specific exceptions be propagated back at all?

2. It seems that the onus of logging the real problems should be the
responsibility of the LoginModule implementation, is that right? That
way, JoeCracker can't find out the real reasons for the failures, but
JoeLegitEmployee can walk over to the sysadmin and ask to peruse the
LoginModule logs ... does this make sense?
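Added example, not code from the original post or from the JDK: a hypothetical LoginModule that walks through the login, commit and abort phases the quoted javadoc describes, and that logs the real failure reason server-side while handing the caller only a generic LoginException (the pattern asked about in general question 2). It assumes Java 16+ for the nested record and uses a constructed in-memory credential map in place of a real user store.

```java
import java.security.Principal;
import java.util.*;
import java.util.logging.Logger;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class ExampleLoginModule implements LoginModule {
    private static final Logger LOG = Logger.getLogger(ExampleLoginModule.class.getName());
    // Constructed sample credential store; a real module would consult a directory or database.
    private static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    private Subject subject;
    private CallbackHandler handler;
    private String user;              // set by login(), consumed by commit()
    private UserPrincipal principal;  // added by commit(), removed by abort()/logout()

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    // Login phase: record the real cause in the server log, report only a generic failure to the caller.
    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try { handler.handle(new Callback[] { nc, pc }); }
        catch (Exception e) { LOG.warning("callback handler failed: " + e); throw new LoginException("authentication failed"); }
        char[] expected = USERS.get(nc.getName());
        boolean ok = expected != null && Arrays.equals(expected, pc.getPassword());
        pc.clearPassword();
        if (!ok) {
            LOG.warning("rejected '" + nc.getName() + "': " + (expected == null ? "unknown user" : "bad password"));
            throw new FailedLoginException("authentication failed");
        }
        user = nc.getName();
        return true;
    }

    // Commit phase: LoginContext calls this only after every configured module's login() succeeded.
    public boolean commit() {
        if (user != null) subject.getPrincipals().add(principal = new UserPrincipal(user));
        return user != null;
    }

    // Abort: LoginContext calls this when login() or commit() failed in any module; undo partial state.
    public boolean abort() {
        if (principal != null) subject.getPrincipals().remove(principal);
        user = null; principal = null; return true;
    }

    public boolean logout() { return abort(); }
}
```

Wire it up through a JAAS configuration entry and drive it with `new LoginContext(entryName, callbackHandler).login()`; the caller then sees only "authentication failed", while the specific reason is in the module's log.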

Comments

  • 843811 Member Posts: 49,851
    Perhaps I can simplify the questions ...

    It seems that the javadoc allows propagation of the original exception
    only in the case when the abort phase fails. Am I reading this
    right?

    Shouldn't it be OK to propagate the original LoginException for any
    sort of failure in overall authentication?