Tynamo / TYNAMO-154

add FirstExceptionStrategy as the default AuthenticationStrategy for projects with multiple realms

      Description

      After adding a new Realm to my project I've lost the ability to track
      granular login exceptions.
      When using only one Realm I'm able to catch and report
      UnknownAccountException, IncorrectCredentialsException and
      LockedAccountException, but when there is more than one Realm all
      exceptions are just plain AuthenticationException.

      This issue also affects the federated-accounts Realms. In my project I
      need to be able to differentiate between signups, signins and connect
      account callbacks, but no matter what exception I throw from my
      federate() method, all the exceptions get transformed into
      AuthenticationException without any trace of the original exception.

      After a lot of digging around I finally found the culprit: the
      AuthenticationStrategy!
      All the AuthenticationStrategy implementations for MultipleRealms
      completely ignore the exceptions. To work around this I've implemented
      my own AuthenticationStrategy, called FirstExceptionStrategy, that
      works with multiple realms and throws the first exception it gets.
      This approach works fine as long as there is only one Realm per Token
      type.

      I think FirstExceptionStrategy should be the default
      AuthenticationStrategy for projects with multiple realms using the
      federated-accounts module.

        Activity

        Alejandro Scandroli added a comment -


        fixed in r2374

        Lenny Primak added a comment -

        Ahhh?..
        I am not much of a complainer, but this issue has cost me a day's worth of work.
        This should be turned on with a symbol by federated accounts,
        but be on by default in Tapestry-Security (without federated accounts).

        Alejandro Scandroli added a comment -

        Hi Lenny

        I'm curious. What was your scenario? Are you using federated-accounts or just plain tapestry-security?
        Did my fix for this issue cause you trouble? Or was it the fact that FirstExceptionStrategy is not the default strategy in Shiro?

        Lenny Primak added a comment -

        Yes, this fix has caused my issues.
        Shiro documentation (and nowhere in Tapestry-Security documentation) states that AtLeastOneSuccessfulStrategy is the default. So I was going under the assumption that this is the case.
        This fix "sneakily" overrides the default to FirstExceptionStrategy, which does not make sense for a "plain" tapestry-security install. It does make sense for federated accounts, so if that isn't used, the default should stand.

        I had wanted to make another realm to authenticate users with Stormpath along with my other realm,
        and since one of them was obviously failing, all my login attempts were failing, and for the life of me I couldn't figure out why until I by sheer chance found this JIRA.
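
Added example, not part of the original thread and not the code committed in r2374: a sketch of the behaviour discussed above, showing both the lost exception type from the description and the blocked login from the last comment. It assumes Apache Shiro is on the classpath; the realm names, the account and the passwords are constructed sample values, and the class bodies are written for this illustration.

```java
import java.util.Arrays;
import org.apache.shiro.authc.*;
import org.apache.shiro.authc.pam.*;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.realm.SimpleAccountRealm;

public class MultiRealmStrategyDemo {

    // Rethrows the first realm failure instead of letting the authenticator discard it.
    // Written for this example; not copied from the Tynamo source.
    static class FirstExceptionStrategy extends FirstSuccessfulStrategy {
        @Override
        public AuthenticationInfo afterAttempt(Realm realm, AuthenticationToken token,
                AuthenticationInfo singleRealmInfo, AuthenticationInfo aggregateInfo, Throwable t)
                throws AuthenticationException {
            if (t instanceof AuthenticationException) {
                throw (AuthenticationException) t;
            }
            return super.afterAttempt(realm, token, singleRealmInfo, aggregateInfo, t);
        }
    }

    // Constructed in-memory realm holding a single account.
    static Realm realm(String name, String user, String password) {
        SimpleAccountRealm r = new SimpleAccountRealm(name);
        r.addAccount(user, password);
        return r;
    }

    // Returns "OK" or the simple class name of the exception the caller would see.
    static String attempt(AuthenticationStrategy strategy, String password) {
        ModularRealmAuthenticator authenticator = new ModularRealmAuthenticator();
        authenticator.setRealms(Arrays.asList(
                realm("realmA", "alice", "a-secret"),
                realm("realmB", "alice", "b-secret")));
        authenticator.setAuthenticationStrategy(strategy);
        try {
            authenticator.authenticate(new UsernamePasswordToken("alice", password));
            return "OK";
        } catch (AuthenticationException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Password wrong in both realms: specific cause discarded vs. preserved.
        System.out.println(attempt(new AtLeastOneSuccessfulStrategy(), "wrong"));
        System.out.println(attempt(new FirstExceptionStrategy(), "wrong"));
        // Password valid only in realmB: login succeeds vs. realmA's failure ends it.
        System.out.println(attempt(new AtLeastOneSuccessfulStrategy(), "b-secret"));
        System.out.println(attempt(new FirstExceptionStrategy(), "b-secret"));
    }
}
```

The granular exception types are most useful for logging, lockout handling and flow decisions on the server side. Telling the end user whether the failure was UnknownAccountException or IncorrectCredentialsException reveals which accounts exist.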


          People

          • Assignee:
            Alejandro Scandroli
            Reporter:
            Alejandro Scandroli