<div dir="ltr"><div><div><div>I think it would make sense to port / include at least some of these tests to <br></div>the wildfly testsuite, so we would make sure we don't break anything unintentionally.<br><br></div>This way it would be tested for every pull request and in every job we run on multiple platforms.<br><br>--<br></div>tomaz<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 25, 2015 at 5:14 PM, arjan tijms <span dir="ltr"><<a href="mailto:arjan.tijms@gmail.com" target="_blank">arjan.tijms@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I discovered some more issues originating from 5298:<br>
<br>
pre-emptive authentication on a public page doesn't work anymore<br>
either. It still worked fine in WildFly 9.0.1.<br>
<br>
This can be easily seen when running the JASPIC tests from<br>
<a href="https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic" rel="noreferrer" target="_blank">https://github.com/javaee-samples/javaee7-samples/tree/master/jaspic</a><br>
<br>
For the basic authentication tests, the following now fail:<br>
<br>
Failed tests:<br>
testPublicPageNotRememberLogin(org.javaee7.jaspic.basicauthentication.BasicAuthenticationPublicTest)<br>
testPublicPageLoggedin(org.javaee7.jaspic.basicauthentication.BasicAuthenticationPublicTest)<br>
<br>
These tests don't rely on request#authenticate, but depend on<br>
automatic calling of a SAM at the beginning of a request. After manual<br>
inspection it's clear that the SAM is called, but its outcome is not<br>
being applied.<br>
<br>
Kind regards,<br>
Arjan<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Fri, Sep 25, 2015 at 3:18 PM, arjan tijms <<a href="mailto:arjan.tijms@gmail.com">arjan.tijms@gmail.com</a>> wrote:<br>
> Hi,<br>
><br>
> I checked again on the just released WildFly 10.0 CR2, but<br>
> unfortunately the code is still severely broken now.<br>
><br>
> There are two main issues, and they're both in this fragment in<br>
> JASPIAuthenticationMechanism:<br>
><br>
> if (isValid == null) {<br>
>     isValid = createJASPIAuthenticationManager().isValid(messageInfo, new Subject(),<br>
>             JASPI_HTTP_SERVLET_LAYER, attachment.getApplicationIdentifier(), new JBossCallbackHandler());<br>
> }<br>
><br>
> The first problem is the "isValid == null" check. After the first call<br>
> to request#authenticate in a given request this will always be<br>
> non-null. The result is that a request for programmatic authentication<br>
> will effectively be ignored the first time.<br>
><br>
> The second problem is that this passes in the JBossCallbackHandler,<br>
> but this doesn't know how to handle JASPIC callbacks and this will<br>
> result in an exception like the following:<br>
><br>
> javax.security.auth.callback.UnsupportedCallbackException: PBOX00014:<br>
> org.jboss.security.auth.callback.JBossCallbackHandler does not handle<br>
> a callback of type<br>
> javax.security.auth.message.callback.CallerPrincipalCallback<br>
> at org.jboss.security.auth.callback.JBossCallbackHandler.handleCallBack(JBossCallbackHandler.java:138)<br>
> at org.jboss.security.auth.callback.JBossCallbackHandler.handle(JBossCallbackHandler.java:87)<br>
><br>
> The code should pass in a JASPICallbackHandler here.<br>
><br>
> Hope this can be fixed. Perhaps it's just a matter of removing the<br>
> "isValid == null" check and passing in the right callback handler.<br>
><br>
> Kind regards,<br>
> Arjan Tijms<br>
><br>
> On Wed, Sep 23, 2015 at 5:58 PM, arjan tijms <<a href="mailto:arjan.tijms@gmail.com">arjan.tijms@gmail.com</a>> wrote:<br>
>> p.s. if I just revert JASPIAuthenticationMechanism to the previous<br>
>> version, but leaving in the new JASPICInitialHandler, then everything<br>
>> seems to work again. This is a bit of a hacky workaround perhaps, but in<br>
>> some quick testing it does do the trick.<br>
>><br>
>> On Wed, Sep 23, 2015 at 3:31 PM, arjan tijms <<a href="mailto:arjan.tijms@gmail.com">arjan.tijms@gmail.com</a>> wrote:<br>
>>> Hi,<br>
>>><br>
>>> It looks like that after WFLY-5298 (this commit specifically<br>
>>> <a href="https://github.com/wildfly/wildfly/commit/121a305c59c3619bb747681c62d099dfddd82709#diff-540388fb45365d1d79353d8b4552bcf6" rel="noreferrer" target="_blank">https://github.com/wildfly/wildfly/commit/121a305c59c3619bb747681c62d099dfddd82709#diff-540388fb45365d1d79353d8b4552bcf6</a>)<br>
>>> HttpServletRequest#authenticate no longer does anything.<br>
>>><br>
>>> HttpServletRequest#authenticate calls through to<br>
>>> JASPIAuthenticationMechanism#authenticate.<br>
>>><br>
>>> There it now obtains the attachment that was set by the new<br>
>>> JASPICInitialHandler, which calls the SAM at the beginning of the<br>
>>> request. And then uses the stored "isValid" outcome directly, without<br>
>>> calling the SAM again.<br>
>>><br>
>>> See the code below:<br>
>>><br>
>>> public AuthenticationMechanismOutcome authenticate(final HttpServerExchange exchange, final SecurityContext sc) {<br>
>>>     JASPICAttachment attachment = exchange.getAttachment(JASPICAttachment.ATTACHMENT_KEY);<br>
>>><br>
>>>     AuthenticationMechanismOutcome outcome;<br>
>>>     Account authenticatedAccount = null;<br>
>>><br>
>>>     boolean isValid = attachment.isValid();<br>
>>>     final ServletRequestContext requestContext = attachment.getRequestContext();<br>
>>>     final JASPIServerAuthenticationManager sam = attachment.getSam();<br>
>>>     final JASPICallbackHandler cbh = attachment.getCbh();<br>
>>><br>
>>>     GenericMessageInfo messageInfo = attachment.getMessageInfo();<br>
>>>     if (isValid) {<br>
>>>         // The CBH filled in the JBOSS SecurityContext, we need to create an Undertow account based on that<br>
>>>         org.jboss.security.SecurityContext jbossSct = SecurityActions.getSecurityContext();<br>
>>>         authenticatedAccount = createAccount(attachment.getCachedAccount(), jbossSct);<br>
>>>     }<br>
>>><br>
>>> This is not correct I think. The code should call the SAM once again<br>
>>> and use the outcome from that call.<br>
>>><br>
>>> Am I missing something, or was the new call to the SAM simply<br>
>>> forgotten at this point?<br>
>>><br>
>>> Kind regards,<br>
>>> Arjan Tijms<br>
_______________________________________________<br>
wildfly-dev mailing list<br>
<a href="mailto:wildfly-dev@lists.jboss.org">wildfly-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/wildfly-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/wildfly-dev</a><br>
</div></div></blockquote></div><br></div>
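The two failure modes discussed in this thread, as an added example that is neither code from the thread nor from WildFly: a minimal JASPIC (JSR-196) ServerAuthModule for HTTP Basic, plus a CallbackHandler that does accept the JASPIC callbacks. The class names, the hard-coded user name, password and group are assumptions made for the example. The container side (Undertow in WildFly) has to call validateRequest at the start of the request and again on every HttpServletRequest#authenticate call, apply the outcome both times, and pass a handler like the one below; a handler that does not accept CallerPrincipalCallback fails exactly as the UnsupportedCallbackException in the thread shows.

```java
// Added example, not code from the thread or from WildFly. Credentials are placeholders.
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BasicAuthSam implements ServerAuthModule {
    // Spec-defined MessageInfo key: "true" when the requested resource is protected.
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler; // the container's handler; it must accept the JASPIC callbacks
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    // Called by the container at request start and again for each request.authenticate() call.
    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));

        String authz = request.getHeader("Authorization");
        if (authz != null && authz.startsWith("Basic ")) {
            // Pre-emptive credentials are honoured even on a public (non-mandatory) page.
            String[] userPass = decodeBasic(authz.substring(6).trim());
            if (userPass != null && "test".equals(userPass[0]) && "secret1".equals(userPass[1])) { // placeholders
                callHandler(new CallerPrincipalCallback(clientSubject, userPass[0]),
                            new GroupPrincipalCallback(clientSubject, new String[] { "architect" }));
                return AuthStatus.SUCCESS;
            }
        }
        if (!mandatory) {
            // Public page, no valid credentials: establish an unauthenticated caller and continue.
            callHandler(new CallerPrincipalCallback(clientSubject, (Principal) null));
            return AuthStatus.SUCCESS;
        }
        response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE;
    }

    private static String[] decodeBasic(String token) {
        try {
            String[] parts = new String(Base64.getDecoder().decode(token), StandardCharsets.UTF_8).split(":", 2);
            return parts.length == 2 ? parts : null;
        } catch (IllegalArgumentException malformed) {
            return null; // not valid base64: treat as absent credentials
        }
    }

    private void callHandler(Callback... callbacks) throws AuthException {
        try {
            handler.handle(callbacks);
        } catch (IOException | UnsupportedCallbackException e) {
            AuthException ae = new AuthException("container CallbackHandler rejected a JASPIC callback: " + e);
            ae.initCause(e);
            throw ae;
        }
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        subject.getPrincipals().clear();
    }

    /** A container-side handler that understands the JASPIC callbacks (hypothetical name). */
    public static final class JaspicCallbackHandler implements CallbackHandler {
        private String callerName;            // null means "unauthenticated"
        private String[] groups = new String[0];

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof CallerPrincipalCallback) {
                    CallerPrincipalCallback cpc = (CallerPrincipalCallback) cb;
                    Principal p = cpc.getPrincipal();
                    callerName = p != null ? p.getName() : cpc.getName();
                    if (callerName != null) {
                        cpc.getSubject().getPrincipals().add(new NamedPrincipal(callerName));
                    }
                } else if (cb instanceof GroupPrincipalCallback) {
                    groups = ((GroupPrincipalCallback) cb).getGroups();
                } else {
                    // The same failure mode as the exception quoted in the thread.
                    throw new UnsupportedCallbackException(cb, "unsupported callback " + cb.getClass().getName());
                }
            }
        }

        public String getCallerName() { return callerName; }
        public String[] getGroups() { return groups; }
    }

    private static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
}
```

The outcome of validateRequest is only meaningful if the caller applies it: a handler that records the caller but an integration layer that keeps using a cached isValid from the start of the request reproduces the behaviour the failing BasicAuthenticationPublicTest cases show.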