United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: 4469116 LoginException subclasses
4469116 : LoginException subclasses

Details
Type:
Enhancement
Submit Date:
2001-06-13
Status:
Resolved
Updated Date:
2003-05-16
Project Name:
JDK
Resolved Date:
2003-05-16
Component:
security-libs
OS:
generic
Sub-Component:
java.security
CPU:
generic
Priority:
P4
Resolution:
Fixed
Affected Versions:
1.4.0
Fixed Versions:
5.0

Related Reports

Sub Tasks

Description
 

Name: bsC130419			Date: 06/12/2001


javax.security.auth.login.LoginException signals an authentication failue.
Three subclasses are defined for LoginException that represent specific
failures:

CredentialExpiredException: the credential (eg. password or cookie) used to
login has expired
AccountExpiredException: the user account has expired
FailedLoginException: something else happened

These do not adequately capture a number of other common causes.  May I suggest:

CredentialException: direct subclass of LoginException and superclass of
CredentialExpired exception; represents errors with authentication credentials.
Its subclasses mirror the subclasses of java.security.cert.CertificateException

CredentialNotYetValidException: subclass of CredentialException; cf.
CertificateNotYetValidException

CredentialParsingException: subclass of CredentialException; cf.
CertificateParsingException

CredentialEncodingException: subclass of CredentialException; cf.
CertificateEncodingException

AccountException: direct subclass of LoginException and superclass of
AccountExpiredException; represents errors with user account status

NoSuchAccountException: subclass of AccountException; thrown when the requested
account does not exist

AccountLockedException: subclass of AccountException; thrown when the requested
account has been locked (eg. because of too many failed login attempts).

Notice how these two sets of exceptions (subclasses of AccountException and
subclasses of CredentialException) capture problems with "usernames" and
"passwords", respectively (in a generalized sense).  I have found that all of
the cases represented by these exceptions arise in real authentication systems,
and suggest that they be added to the javax.security.auth.login package for Java
1.4.
(Review ID: 126406) 
======================================================================


charlie.lai@Eng 2001-06-18

received from the bug submitter:

In a system that I'm currently developing, I read authentication
credentials from the client in the form of HTTP cookies.  If the cookie
is badly-formed (say, the client was attempting to forge an
authentication token), I throw a parsing exception.  This exception can
be used to detect such tampering and shutdown an account if the client
makes repeated attempts to log in with a bad cookie.

When issuing a cookie to the client, my system needs to make some
cryptographic calculations (specifically, it must calculate a message
authentication code for the cookie contents).  If this operation fails,
I throw an encoding exception.  This exception is thrown in the commit
phase of the login, since the cookie is issued only once authentication
has succeeded.

Comments
CONVERTED DATA

BugTraq+ Release Management Values

COMMIT TO FIX:
tiger

FIXED IN:
tiger

INTEGRATED IN:
tiger
tiger-b07
2004-06-14 
EVALUATION

charlie.lai@Eng 2001-06-20

due to J2EE/J2SE versioning issues, we're unable to update
the javax.security.auth.login package in the J2SE 1.4 release.
we'll address this RFE in the next major JDK release.

###@###.### 2003-06-04

this was what got put back:
    LoginException
        CredentialException
            CredentialExpiredException
            CredentialNotFoundException
        AccountException
            AccountExpiredException
            AccountNotFoundException
            AccountLockedException
        FailedLoginException
2004-06-11


Hardware and Software, Engineered to Work Together