Description
When the LDAPLoginModule fails to authenticate a user, given the provided credentials, the login() method will return false.
This is incorrect behavior as explained in the JAAS Dev Guide: http://docs.oracle.com/javase/8/docs/technotes/guides/security/jaas/JAASLMDevGuide.html#login
The login() method should throw a LoginException in that case. Returning false actually tells the LoginContext that this LoginModule should be ignored.
As long as the LDAPLoginModule is the only LoginModule configured within a Realm, the resulting behavior from the LoginContext is as expected. The problem becomes apparent when using the LDAPLoginModule as one of multiple LoginModules defined within a Realm. If, for example, all LoginModules their flags are set to "required", a failure to login in the LDAPLoginModule will just be ignored (while it logs a warning about invalid credentials) as long as the other LoginModules were able to do a successful login. This is not the expected behavior since the LDAPLoginModule is also configured to be "required".
Attachments
Issue Links
- links to