JDK-4699771 : JWS login prompt for secure resources is not robust.
  • Type: Bug
  • Component: deploy
  • Sub-Component: webstart
  • Affected Version: 1.0.1
  • Priority: P4
  • Status: Resolved
  • Resolution: Fixed
  • OS: windows_95,windows_2000
  • CPU: x86
  • Submitted: 2002-06-10
  • Updated: 2002-10-15
  • Resolved: 2002-10-15
Other
1.4.2 mantis: Fixed
Related Reports
Duplicate :  
Description

Name: nt126004			Date: 06/10/2002


FULL PRODUCT VERSION :
java version "1.3.0"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.3.0-C)
Java HotSpot(TM) Client VM (build 1.3.0-C, mixed mode)

FULL OPERATING SYSTEM VERSION :Microsoft Windows 2000
[Version 5.00.2195]


A DESCRIPTION OF THE PROBLEM :
Hi,

We are using Java Web Start for starting up the
application. As we are accessing the protected resource (a
JSP) through JWS, we are getting the JWS login dialog box for
entering the system.

When we enter a valid user name and password and click the
Cancel button on the JWS login dialog box, JWS continues
with the authentication and ends up successfully logging
into the application.
Ideally, on click of the Cancel button the user should not be
able to log into the application.

The problem arises only when we try to access a secured resource using
Java Web Start.

We are using a WebLogic customized RDBMS realm for security while logging
in to the system.

When we supply a correct user name and password and hit the Cancel button on
the Java Web Start login screen, it validates and allows login into
the application.

As for the sample code, it needs a setup of a WebLogic server and a
database, so I don't think it's possible for me to send it across.

The application is on J2EE and uses Weblogic 6.0 sp2. 

We have a configuration file, a secured resource on server side, which
is accessed by Java Web Start for creating the GUI on the client side.

As this is a secured resource, JWS pops up a login dialog box for user
authentication.

When I supply an invalid username/password combination the
authentication fails (as desired). To log in to the application again I
have to restart Java Web Start all over again.

I was hoping there is some way by which JWS reprompts the login dialog
box so that I don't have to restart the application all over again.

I tried encapsulating the piece of code where JWS pops up for
authentication in a while(true) loop, but it seems that JWS uses the old
user name and password combination for authentication. This put the
application into an infinite loop.

Is there any way by which I can reset the user name and password so that
next time JWS again pops up a dialog box for authentication?

STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
1. Try accessing a secured resource through JWS
2. Enter a valid user name and password recognised by the
system to be tested.
3. Click on the Cancel Button.

EXPECTED VERSUS ACTUAL BEHAVIOR :
Expected result: The user should not be allowed to enter
the system/application, i.e. the secured resource requested
should not be accessed.

Actual Result: The login screen allows the user (who is a
valid user) to enter the application i.e. to access the
secured resource.

ERROR MESSAGES/STACK TRACES THAT OCCUR :
no error message.

This bug can be reproduced always.

CUSTOMER WORKAROUND :
not using JWS for starting the application.
(Review ID: 146252) 
======================================================================

Comments
CONVERTED DATA
BugTraq+ Release Management Values
COMMIT TO FIX: mantis
FIXED IN: mantis
INTEGRATED IN: mantis mantis-b04
31-08-2004

EVALUATION There are 2 problems here that should be addressed for mantis: Cancel button, and caching bad password/username ###@###.### 2002-06-10
10-06-2002
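
The two problems named in the evaluation (Cancel still authenticating, and a rejected user name/password being reused) can be sketched against the standard `java.net.Authenticator` API. This is an added example, not Java Web Start source and not the fix that shipped; `PromptingAuthenticator`, `DialogResult`, `reportRejected()` and the sample host, realm and credentials are hypothetical.

```java
import java.net.Authenticator;
import java.net.PasswordAuthentication;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Added illustration, not Java Web Start source. PromptingAuthenticator,
// DialogResult and reportRejected() are hypothetical names.
public class PromptingAuthenticator extends Authenticator {
    // What the login dialog returned: field contents plus which button closed it.
    static final class DialogResult {
        final String user; final char[] password; final boolean okPressed;
        DialogResult(String user, char[] password, boolean okPressed) {
            this.user = user; this.password = password; this.okPressed = okPressed;
        }
    }
    private final Function<String, DialogResult> dialog;
    private final Map<String, PasswordAuthentication> cache = new ConcurrentHashMap<>();
    PromptingAuthenticator(Function<String, DialogResult> dialog) { this.dialog = dialog; }

    @Override
    protected PasswordAuthentication getPasswordAuthentication() {
        return credentialsFor(getRequestingHost() + "|" + getRequestingPrompt());
    }
    // Core decision, kept separate from java.net so it can be exercised directly.
    PasswordAuthentication credentialsFor(String key) {
        PasswordAuthentication cached = cache.get(key);
        if (cached != null) return cached;
        DialogResult r = dialog.apply(key);
        // Cancel (or a closed dialog) yields no credentials, whatever the fields hold.
        if (r == null || !r.okPressed) return null;
        PasswordAuthentication pa = new PasswordAuthentication(r.user, r.password);
        cache.put(key, pa);
        return pa;
    }

    // Call when the server rejects the cached pair so the next challenge re-prompts.
    void reportRejected(String key) { cache.remove(key); }

    public static void main(String[] args) {
        String key = "host.example|realm"; // constructed host and realm
        Deque<DialogResult> script = new ArrayDeque<>(Arrays.asList( // constructed dialog outcomes
            new DialogResult("alice", "right".toCharArray(), false), // valid pair typed, Cancel clicked
            new DialogResult("alice", "wrong".toCharArray(), true),
            new DialogResult("alice", "right".toCharArray(), true)));
        PromptingAuthenticator a = new PromptingAuthenticator(k -> script.poll());
        System.out.println("after Cancel: " + a.credentialsFor(key));
        a.credentialsFor(key); a.reportRejected(key); // wrong pair sent once, evicted on rejection
        System.out.println("after re-prompt: " + new String(a.credentialsFor(key).getPassword()));
    }
}
```

The decision to send credentials depends only on which button closed the dialog, and a pair stays cached only until the server rejects it, so a retry loop gets a fresh prompt instead of resending the same values.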