  1. PicketBox
  2. SECURITY-759

JASPIServerAuthenticationManager.isValid method should log configuration problems at WARN or ERROR level

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: PicketBox_4_0_20.Beta1
    • Fix Version/s: 2.0.3.Beta2
    • Component/s: JBossSX
    • Labels:
      None

      Description

      As reported by Josef Cacek:

      All fatal exceptions are swallowed in JASPIServerAuthenticationManager.isValid() method.

      // PicketBox 4.0.9 used in EAP 6.0.0 - TRACE level
            catch(AuthException ae)
            {
               if(trace)
                  log.trace("AuthException:",ae);
            }
      // PicketBox 4.0.14 - DEBUG level
            catch(AuthException ae)
            {
                PicketBoxLogger.LOGGER.debugIgnoredException(ae);
            }
      

      It includes configuration errors, which should absolutely be visible on ERROR log level or another relevant level.

      We need to make sure to use ERROR log if the user-defined module cannot be found for instance.


              People

              • Assignee:
                sguilhen Stefan Guilhen
                Reporter:
                sguilhen Stefan Guilhen