I find one thing in JAASLoginInInterceptor a little bit dangerous from security perspective - exception handling.
JAASLoginInInterceptor throws different exceptions with detail error messages in cases:
- if user/password are not defined (SecurityException: NO_USER_PASSWORD)
- and if authentication is failed (AuthenticationException: "Unauthorized : " + ex.getMessage())
It is very practical for the development, but can give some advices to malicious application.
I will prefere to throw generic security violation exception for both cases.
Patch is attached