[undertow-dev] Security constraints and population of ServletSecurityInfo

Paul K Moore paulkmoore at gmail.com
Sun Feb 16 17:38:54 EST 2014


Stuart,

Just a quick follow-up, as promised.  I’ve merged your change locally, and all is working well.  

Thanks again for sorting :)

Paul

On 16 Feb 2014, at 10:12, Paul K Moore <paulkmoore at gmail.com> wrote:

> Hi Stuart,
> 
> Superb - thank you. 
> 
> I noticed that the build has failed on the pull request due to what looks like environmental reasons.  I’ll try a merge locally and report back.
> 
> Thanks again
> 
> Paul
> 
> On 15 Feb 2014, at 01:13, Stuart Douglas <sdouglas at redhat.com> wrote:
> 
>> I have filed this:
>> 
>> https://issues.jboss.org/browse/WFLY-2938
>> 
>> Basically this is a bug, we should not be using that attribute here as it only corresponds to constraints applied directly to the servlet, and not other path-based constraints. The actual current constraint set is aggregated in the ServletRequestContext.
>> 
>> Fix is here: https://github.com/wildfly/wildfly/pull/5916
>> 
>> Stuart
>> 
>> ----- Original Message -----
>>> From: "Paul K Moore" <paulkmoore at gmail.com>
>>> To: "Stuart Douglas" <sdouglas at redhat.com>
>>> Cc: undertow-dev at lists.jboss.org
>>> Sent: Friday, 14 February, 2014 2:40:05 PM
>>> Subject: Re: [undertow-dev] Security constraints and population of ServletSecurityInfo
>>> 
>>> Hi Stuart,
>>> 
>>> I’m checking it in the debugger, with a breakpoint in the doGet method of a
>>> (test) servlet.
>>> 
>>> I then examine the request property at the following path:
>>> 
>>> 	request.exchange.attachments and look for the ServletRequestContext,
>>> 
>>> and from there the
>>> currentServlet.managedServlet.servletInfo.servletSecurityInfo
>>> 
>>> I’ve put a Gist here: https://gist.github.com/paulkmoore/8997728 so that you
>>> can see the servlet and web.xml.
>>> 
>>> The reason for the investigation is that I’m using JASPI which relies on
>>> ServletSecurityInfo being populated, as in the
>>> JASPIAuthenticationMechanism.isMandatory() method here.
>>> 
>>> Make sense?
>>> 
>>> Paul
>>> 
>>> 
>>> On 14 Feb 2014, at 02:40, Stuart Douglas <sdouglas at redhat.com> wrote:
>>> 
>>>> When you say 'in the request the ServletSecurityInfo is (correctly)
>>>> populated.' how are you actually checking this?
>>>> 
>>>> Stuart
>>>> 
>>>> ----- Original Message -----
>>>>> From: "Paul K Moore" <paulkmoore at gmail.com>
>>>>> To: undertow-dev at lists.jboss.org
>>>>> Sent: Thursday, 13 February, 2014 9:59:42 PM
>>>>> Subject: [undertow-dev] Security constraints and population of
>>>>> 	ServletSecurityInfo
>>>>> 
>>>>> Hi all,
>>>>> 
>>>>> I am seeing some odd behaviour regarding security constraints.
>>>>> 
>>>>> If I add an @ServletSecurity annotation to a servlet, in the request the
>>>>> ServletSecurityInfo is (correctly) populated.
>>>>> 
>>>>> However, if I add (notionally) the same constraint in web.xml, the
>>>>> ServletSecurityInfo is *not* populated (it’s actually a null).
>>>>> 
>>>>> Is this the intended behaviour?
>>>>> 
>>>>> Many thanks
>>>>> 
>>>>> Paul
>>>>> 
>>>>> PS: Undertow version is Undertow 1.0.0.Final-SNAPSHOT, I’ve not moved to
>>>>> Wildfly 8.0.0 Final yet :)
>>>>> 
>>> 
>>> 
> 
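
The difference described in the thread between a constraint attached directly to a servlet and a path-based constraint from web.xml, as an added example that is not part of the original thread and is not Undertow or WildFly code. It is a simplified model: every type and method name is hypothetical, the sample deployment is constructed, and it needs Java 16 or later for records.

```java
import java.util.List;

// Added illustration: a simplified model, not Undertow or WildFly code.
// All type and method names here are hypothetical.
public class ConstraintSourceDemo {

    // A <security-constraint> from web.xml, reduced to its url-pattern.
    record PathConstraint(String urlPattern) {
        boolean matches(String path) {
            if (urlPattern.endsWith("/*")) {
                String prefix = urlPattern.substring(0, urlPattern.length() - 2);
                return path.equals(prefix) || path.startsWith(prefix + "/");
            }
            return urlPattern.equals(path);
        }
    }

    // Per-servlet metadata: annotationRoles is null unless the servlet class
    // itself carries @ServletSecurity (constructed stand-in for ServletSecurityInfo).
    record Servlet(String name, List<String> annotationRoles) {}

    // Decision based only on the constraint attached directly to the servlet.
    static boolean mandatoryFromServletInfo(Servlet s) {
        return s.annotationRoles() != null;
    }

    // Decision based on the aggregate: servlet-level constraint plus every
    // path-based constraint that matches the request path.
    static boolean mandatoryFromAggregate(Servlet s, String path, List<PathConstraint> webXml) {
        return mandatoryFromServletInfo(s)
                || webXml.stream().anyMatch(c -> c.matches(path));
    }

    public static void main(String[] args) {
        // Constructed sample deployment.
        Servlet annotated = new Servlet("annotated", List.of("user"));
        Servlet xmlOnly = new Servlet("xmlOnly", null);
        List<PathConstraint> webXml = List.of(new PathConstraint("/secure/*"));

        report(annotated, "/annotated", webXml);
        report(xmlOnly, "/secure/report", webXml);
    }

    static void report(Servlet s, String path, List<PathConstraint> webXml) {
        System.out.printf("%-10s %-15s servletInfoOnly=%b aggregate=%b%n", s.name(), path,
                mandatoryFromServletInfo(s), mandatoryFromAggregate(s, path, webXml));
    }
}
```

For the servlet protected only through web.xml, the servlet-level check and the aggregate check disagree, which is why an authentication mechanism that reads only the per-servlet attribute does not treat that request as requiring authentication.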



