Uploaded image for project: 'Shiro'
  1. Shiro
  2. SHIRO-606

Exception thrown in the log-in process is being ignored.

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.3.2
    • Fix Version/s: None
    • Labels:
    • Environment:
      OS: Windows 10
      Java Version: 1.8.0_51
      Web Server:Tomcat 8
      IDE: Eclipse Mars for JEE

      Description

      In my opinion, AbstractAuthenticator.authenticate(AuthenticationToken token) handles exception inappropriately. When the exception thrown in the try block is not instance of Authentication, the method will wrap the exception to a Authentication instance, and throw it all the way to AuthenticatingFilter.executeLogin(ServletRequest request, ServletResponse response), and just return a boolean.
      The process mentioned above, make the exception ignored, which make it hard for us to find out the mistake because the user can not take over the exception handling job directly.
      We can do some extension to handle the issue.I look into the source code and find out two ways about handling the exception.First, write a class that implements the AuthenticationListener, and inject it to the ModularRealmAuthenticator instance, then the listener we write will handle the exception in AbstractAuthenticator.notifyFailure(AuthenticationToken token, AuthenticationException ae).Second, FormAuthenticationFilter.setFailureAttribute(ServletRequest request, AuthenticationException ae), this method seems insignificant and cant help, because it only set a requset atrribute and the attribute value always is "AuthenticationException", ignores everything about the original Exception.
      Although there is a way to handle the exception on our own, I still dont think the exception should be ignored in the Shiro log-in process.
      In addtion, the way to handle the exception is a little tricky.In my situation, I am using Spring with Shiro, and I have to write a Class that extends the ModularRealmAuthenticator in order to inject the listener through constructor-arg, because through value-inject a exception will be thrown.Of course, without Spring, we could write a ModularRealmAuthenticator's subclass, and assign a List<AuthenticationListener> to the instance's field.
      It is easy to reproduce the issue, any exception thrown in the process metnioned above will cause the problem.This is my first open issue and I am sorry I dont know how to provide a test appropriately.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              LWW_SE Liang Weiwei
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:

                Time Tracking

                Estimated:
                Original Estimate - 101.5h
                101.5h
                Remaining:
                Remaining Estimate - 101.5h
                101.5h
                Logged:
                Time Spent - Not Specified
                Not Specified