Feature request: Stop throwing exceptions on invalid authentication info


Feature request: Stop throwing exceptions on invalid authentication info

armandoxxx
I would like to propose a feature:

use case:
We are developing a big media platform with lots of services (rest, web ...)
We are using several realms to auth and authz users

For example we use:
token realm - to login user with predefined token
username password - realm to login user with user password
username hashed password  - realm to login user with user hashed password

and all realms are called on authentication ...

you get my frustration? ;)

problem:
if user logs in with username and password, the username hashed password realm creates invalid auth info and an exception is thrown. If user logs in with username and hashed password, the username password realm creates invalid auth info and an exception is thrown.

It's annoying to get this exception instead of just a message .. "REALM DID NOT AUTH XYZ" .. especially if for every rest call I get exceptions in the log ... and I really can't turn off the logs ... well guess what, we really need them ...

example of 1 log message... but you can imagine we have a gazillion of them
ARN  org.apache.shiro.authc.pam.ModularRealmAuthenticator [dcmp-batch-reports||||||||] - Realm [org.dropchop.jop.security.cache.realms.CachedUsernamePasswordRealm@beafab3] threw an exception during a multi-realm authentication attempt:
org.apache.shiro.authc.IncorrectCredentialsException: Submitted credentials for token [org.apache.shiro.authc.UsernamePasswordToken - administrator, rememberMe=false (127.0.0.1)] did not match the expected credentials.

Suggestion:
Shiro should throw exception depending on authentication strategy and combine if multiple realms on authentication failed

And I'm open to other suggestions as well !

Regards

Armando


Re: Feature request: Stop throwing exceptions on invalid authentication info

otter606
Use different classes for your different tokens, and call the method
setAuthenticationTokenClass(MyToken.class);
in the constructor of each realm.
A realm will only try to authenticate matching token classes.

Richard
On 6 Jul 2017, at 09:28, armandoxxx <[hidden email]> wrote:

Re: Feature request: Stop throwing exceptions on invalid authentication info

armandoxxx
yeah ... ofc .. missed that one ...

override createToken method in my filter and the correct realm will be called ... thank you for the idea ...

regards

Armando
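A worked example of Richard's suggestion and Armando's follow-up, written for this page and not code from the thread or from the Shiro project: a realm bound to its own token class through setAuthenticationTokenClass, and a filter whose createToken decides which token type to build, so a realm that does not support the submitted token is skipped by ModularRealmAuthenticator instead of failing with IncorrectCredentialsException and filling the log. The class names HashedPasswordToken, HashedPasswordRealm and TokenSelectingFilter, the passwordHash request parameter and the sample hash are assumptions.

```java
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

public class PerTokenRealms {
    // Hypothetical token for credentials submitted as a precomputed hash.
    // It must NOT extend UsernamePasswordToken: AuthenticatingRealm.supports()
    // uses isAssignableFrom, so a subclass would still reach the plain-password realm.
    public static class HashedPasswordToken implements AuthenticationToken {
        private final String username, hash;
        public HashedPasswordToken(String u, String h) { username = u; hash = h; }
        @Override public Object getPrincipal() { return username; }
        @Override public Object getCredentials() { return hash; }
    }

    // Realm bound to HashedPasswordToken; any other token type skips it silently.
    public static class HashedPasswordRealm extends AuthorizingRealm {
        public HashedPasswordRealm() { setAuthenticationTokenClass(HashedPasswordToken.class); }
        @Override protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken t)
                throws AuthenticationException {
            String user = (String) t.getPrincipal();
            // Constructed sample standing in for a lookup of the stored hash.
            String stored = "administrator".equals(user) ? "CONSTRUCTED_HASH" : null;
            if (stored == null) return null; // unknown here; the strategy decides overall
            // The default SimpleCredentialsMatcher compares the submitted hash to the stored one.
            return new SimpleAuthenticationInfo(user, stored, getName());
        }
        @Override protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection p) {
            return null; // no roles or permissions in this example
        }
    }

    // Filter whose createToken picks the token type, so ModularRealmAuthenticator
    // only consults the realm whose supports() accepts that token.
    public static class TokenSelectingFilter extends FormAuthenticationFilter {
        @Override protected AuthenticationToken createToken(ServletRequest req, ServletResponse resp) {
            String hash = req.getParameter("passwordHash"); // assumed parameter name
            if (hash != null) return new HashedPasswordToken(getUsername(req), hash);
            return new UsernamePasswordToken(getUsername(req), getPassword(req), isRememberMe(req), getHost(req));
        }
    }
}
```

With both realms registered, a plain UsernamePasswordToken never reaches HashedPasswordRealm, and the configured AuthenticationStrategy still decides the overall outcome across the realms that did run.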