  1. PicketBox
  2. SECURITY-759

JASPIServerAuthenticationManager.isValid method should log configuration problems at WARN or ERROR level

Details

    • Enhancement
    • Resolution: Done
    • Major
    • 2.0.3.Beta2
    • PicketBox_4_0_20.Beta1
    • JBossSX
    • None

    Description

      As reported by Josef Cacek:

      All fatal exceptions are swallowed in the JASPIServerAuthenticationManager.isValid() method.

      // PicketBox 4.0.9 used in EAP 6.0.0 - TRACE level
      catch (AuthException ae)
      {
         if (trace)
            log.trace("AuthException:", ae);
      }

      // PicketBox 4.0.14 - DEBUG level
      catch (AuthException ae)
      {
         PicketBoxLogger.LOGGER.debugIgnoredException(ae);
      }
      

      It includes configuration errors, which should absolutely be visible at the ERROR log level or another relevant level.

      We need to make sure to use the ERROR log level if, for instance, the user-defined module cannot be found.
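
      One way to keep configuration faults visible while leaving routine rejections at debug level, as an added example that is not PicketBox code and not the fix applied for this issue. The local `AuthException` stand-in, the `AuthModule` interface, the cause-chain heuristic and the class name `com.example.MyServerAuthModule` are assumptions made for illustration; java.util.logging's SEVERE and FINE stand in for ERROR and DEBUG.

```java
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.login.LoginException;

public class AuthLogLevelDemo {
    private static final Logger LOG = Logger.getLogger("demo.jaspi");

    // Stand-in for javax.security.auth.message.AuthException so the demo runs on a bare JDK.
    static class AuthException extends LoginException {
        AuthException(String msg, Throwable cause) {
            super(msg);
            if (cause != null) initCause(cause);
        }
    }

    // Hypothetical module contract, not a PicketBox or JSR-196 interface.
    interface AuthModule { boolean validate(String user) throws AuthException; }

    // Assumption: a misconfiguration surfaces as a class-loading or reflection failure in the cause chain.
    static boolean isConfigurationProblem(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof ReflectiveOperationException || c instanceof LinkageError) return true;
        }
        return false;
    }

    static boolean isValid(AuthModule module, String user) {
        try {
            return module.validate(user);
        } catch (AuthException ae) {
            if (isConfigurationProblem(ae)) {
                // Deployment fault: every login will fail, so an operator must see it by default.
                LOG.log(Level.SEVERE, "Authentication module misconfigured", ae);
            } else {
                LOG.log(Level.FINE, "Authentication rejected", ae);
            }
            return false; // fail closed in both cases
        }
    }

    public static void main(String[] args) {
        AuthModule badPassword = u -> { throw new AuthException("invalid credentials", null); };
        AuthModule missingModule = u -> { throw new AuthException("cannot load module",
                new ClassNotFoundException("com.example.MyServerAuthModule")); };
        System.out.println(isValid(badPassword, "alice"));   // ordinary rejection, logged at FINE
        System.out.println(isValid(missingModule, "alice")); // configuration fault, logged at SEVERE
    }
}
```

      Both calls fail closed; only the second produces a log record at the default logging configuration, which is the visibility the report asks for.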

          People

            sguilhen Stefan Guilhen