  1. Karaf
  2. KARAF-3373

Log lower level root cause exception in LDAPLoginModule.doLogin()


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.0
    • Fix Version/s: 3.0.3, 2.3.10, 2.4.2, 4.0.0.M3
    • Component/s: karaf
    • Labels:
    • Environment:

      LDAP based JAAS login module

      Description

      Method org.apache.karaf.jaas.modules.ldap.LDAPLoginModule.doLogin() catches any exception and raises a new LoginException

      LDAPLoginModule.java
      } catch (Exception e) {
        throw new LoginException("Can't connect to the LDAP server: " + e.getMessage());
      } finally {
        ...
      }
      

      However, in case something is wrong with the LDAP configuration (e.g. wrong SSL certificates), the root cause will be lost, as e.getMessage() only returns a fairly generic message, like

      Can't connect to the LDAP server: simple bind failed: localhost:10636
      

      whereas the root cause really is

      sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
      

      We should somehow ensure this root cause is getting logged as well.
      Unfortunately the call stack to calling LDAPLoginModule.doLogin() includes the javax.security.auth.login.LoginContext which completely swallows the original LoginException raised in doLogin(). It only re-raises a very generic LoginException with the message:

      javax.security.auth.login.FailedLoginException: User doesn't exist
      

      The original exception message is lost.

      So there is no point in wrapping the root cause exception message in the LoginException to be thrown by LDAPLoginModule.doLogin().
      Instead, I suggest logging the root cause in doLogin() as a warning, as in the attached patch.

        Attachments

        1. KARAF-3373.patch
          1 kB
          Torsten Mielke


              People

              • Assignee:
                jbonofre Jean-Baptiste Onofré
                Reporter:
                tmielke Torsten Mielke