Brian Demers updated SHIRO-606:
Fix Version/s: (was: 1.3.2)
> Exception thrown in the log-in process is being ignored.
> Key: SHIRO-606
> URL: https://issues.apache.org/jira/browse/SHIRO-606
> Project: Shiro
> Issue Type: Improvement
> Components: Authentication (log-in)
> Affects Versions: 1.3.2
> Environment: OS: Windows 10
> Java Version: 1.8.0_51
> Web Server:Tomcat 8
> IDE: Eclipse Mars for JEE
> Reporter: Liang Weiwei
> Labels: newbie, patch
> Original Estimate: 101.5h
> Remaining Estimate: 101.5h
> In my opinion, AbstractAuthenticator.authenticate(AuthenticationToken token) handles exceptions inappropriately. When the exception thrown in the try block is not an instance of Authentication, the method will wrap the exception in an Authentication instance and throw it all the way to AuthenticatingFilter.executeLogin(ServletRequest request, ServletResponse response), which just returns a boolean.
> The process mentioned above makes the exception ignored, which makes it hard for us to find out the mistake, because the user cannot take over the exception handling job directly.
> We can do some extension to handle the issue. I looked into the source code and found two ways of handling the exception. First, write a class that implements AuthenticationListener and inject it into the ModularRealmAuthenticator instance; then the listener we write will handle the exception in AbstractAuthenticator.notifyFailure(AuthenticationToken token, AuthenticationException ae). Second, FormAuthenticationFilter.setFailureAttribute(ServletRequest request, AuthenticationException ae); this method seems insignificant and can't help, because it only sets a request attribute and the attribute value is always "AuthenticationException", ignoring everything about the original Exception.
> Although there is a way to handle the exception on our own, I still don't think the exception should be ignored in the Shiro log-in process.
> In addition, the way to handle the exception is a little tricky. In my situation, I am using Spring with Shiro, and I have to write a class that extends ModularRealmAuthenticator in order to inject the listener through constructor-arg, because through value injection an exception will be thrown. Of course, without Spring, we could write a ModularRealmAuthenticator subclass and assign a List<AuthenticationListener> to the instance's field.
> It is easy to reproduce the issue; any exception thrown in the process mentioned above will cause the problem. This is my first open issue and I am sorry I don't know how to provide a test appropriately.
This message was sent by Atlassian JIRA
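The listener workaround the reporter describes, written out as an added example (not code from the reporter or from the Shiro project): the listener inspects the AuthenticationException it receives and, when AbstractAuthenticator has wrapped an unexpected Throwable, logs that root cause instead of letting it disappear behind the filter's boolean result. The class names FailureLoggingAuthenticationListener and ListeningAuthenticator are assumed, as is SLF4J being on the classpath; the constructor-based registration mirrors the constructor-arg injection the reporter needed with Spring.

```java
import java.util.Collections;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationListener;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.pam.ModularRealmAuthenticator;
import org.apache.shiro.subject.PrincipalCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Assumed example class: surfaces the root cause of login failures that would otherwise be swallowed. */
public class FailureLoggingAuthenticationListener implements AuthenticationListener {
    private static final Logger log = LoggerFactory.getLogger(FailureLoggingAuthenticationListener.class);

    @Override
    public void onSuccess(AuthenticationToken token, AuthenticationInfo info) {
        // Nothing to surface on success.
    }

    @Override
    public void onFailure(AuthenticationToken token, AuthenticationException ae) {
        // Log the principal only; never log the submitted credentials.
        Object principal = (token != null) ? token.getPrincipal() : null;
        Throwable cause = ae.getCause();
        if (cause != null && !(cause instanceof AuthenticationException)) {
            // AbstractAuthenticator.authenticate wrapped a non-AuthenticationException
            // (a bug in a realm, a failed backend call, ...): this is an error, not a bad password.
            log.error("Unexpected error during login for principal [{}]: {}", principal, cause.toString(), cause);
        } else {
            // Expected outcome of a failed attempt (wrong password, unknown or locked account, ...).
            log.warn("Login failed for principal [{}]: {}", principal, ae.getClass().getSimpleName());
        }
    }

    @Override
    public void onLogout(PrincipalCollection principals) {
        // Not relevant to failure diagnosis.
    }

    /** Assumed example subclass: registers the listener in the constructor so no setter injection is needed. */
    public static class ListeningAuthenticator extends ModularRealmAuthenticator {
        public ListeningAuthenticator() {
            setAuthenticationListeners(Collections.<AuthenticationListener>singletonList(
                    new FailureLoggingAuthenticationListener()));
        }
    }
}
```

Wire ListeningAuthenticator in as the SecurityManager's authenticator (in Spring, as a constructor-created bean) in place of the default ModularRealmAuthenticator; realms still throw as before, but an unexpected failure now reaches the log with its stack trace.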