Details
-
Bug
-
Status: Open
-
Minor
-
Resolution: Unresolved
-
1.2.2
-
None
-
None
Description
We are using NTLM authentication with Waffle using a filter. If waffle can't succeed at the integrated authentication, a form is provided. When the integrated auth fails, it is typically because the user is not part of the domain. As a result, there is no username discovered/provided. When this occurs, Shiro is throwing an IllegalStateException as shown in the stacktrace below. By throwing an IllegalStateException, the normal flow of error handling is bypassed and the unchecked exception propagates out of the servlet, improperly generating a server error instead of a standard AuthenticationException. If a principal is not provided, a warning/error can be logged, but the framework should generate the standard AuthenticationException forcing the client to be challenged to reauthenticate.
16 Jan 2015 14:48:15,872 [] - Realm [org.apache.shiro.realm.ldap.JndiLdapRealm@3630843] threw an exception during a multi-realm authentication attempt: java.lang.IllegalArgumentException: principal argument cannot be null. at org.apache.shiro.subject.SimplePrincipalCollection.add(SimplePrincipalCollection.java:104) at org.apache.shiro.subject.SimplePrincipalCollection.(SimplePrincipalCollection.java:59) at org.apache.shiro.authc.SimpleAuthenticationInfo.(SimpleAuthenticationInfo.java:74) at org.apache.shiro.realm.ldap.JndiLdapRealm.createAuthenticationInfo(JndiLdapRealm.java:412) at org.apache.shiro.realm.ldap.JndiLdapRealm.queryForAuthenticationInfo(JndiLdapRealm.java:377) at org.apache.shiro.realm.ldap.JndiLdapRealm.doGetAuthenticationInfo(JndiLdapRealm.java:295) at org.apache.shiro.realm.AuthenticatingRealm.getAuthenticationInfo(AuthenticatingRealm.java:568) at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doMultiRealmAuthentication(ModularRealmAuthenticator.java:219) at org.apache.shiro.authc.pam.ModularRealmAuthenticator.doAuthenticate(ModularRealmAuthenticator.java:269) at org.apache.shiro.authc.AbstractAuthenticator.authenticate(AbstractAuthenticator.java:198) at org.apache.shiro.mgt.AuthenticatingSecurityManager.authenticate(AuthenticatingSecurityManager.java:106) at org.apache.shiro.mgt.DefaultSecurityManager.login(DefaultSecurityManager.java:270) at org.apache.shiro.subject.support.DelegatingSubject.login(DelegatingSubject.java:256) at org.apache.shiro.web.filter.authc.AuthenticatingFilter.executeLogin(AuthenticatingFilter.java:53) at waffle.shiro.negotiate.NegotiateAuthenticationFilter.onAccessDenied(NegotiateAuthenticationFilter.java:168)