[jboss-dev-forums] [PicketBox Development] - secureResponse called before service invocation instead of after

arjan tijms [https://community.jboss.org/people/atijms] created the discussion "secureResponse called before service invocation instead of after" To view the discussion, visit: https://community.jboss.org/message/799210#799210 -------------------------------------------------------------- WebJASPIAuthenticator in JBoss AS 7.1.1 and JBoss EAP 6.0.1 calls +secureResponse+ right after +validateRequest+ on a SAM has been called. The only intermediate code is registering the result of the callback handler with the container. The service invocation (e.g. calling a Servlet) is done afterwards, ie after the call to +secureResponse+. See the following fragment:     if (sam != null) {             result = sam.isValid(messageInfo, clientSubject, messageLayer, appContext, cbh);         }         // the authentication process has been a success. We need to register the principal, username, password and roles         // with the container         if (result) {             PasswordValidationCallback pvc = cbh.getPasswordValidationCallback();             CallerPrincipalCallback cpc = cbh.getCallerPrincipalCallback();             // get the client principal from the callback.             Principal clientPrincipal = cpc.getPrincipal();             if (clientPrincipal == null) {                 clientPrincipal = new SimplePrincipal(cpc.getName());             }             // if the client principal is not a jboss generic principal, we need to build one before registering.             if (!(clientPrincipal instanceof JBossGenericPrincipal))                 clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal);             this.register(request, response, clientPrincipal, authMethod, pvc.getUsername(),                     new String(pvc.getPassword()));             if (this.secureResponse)                 sam.secureResponse(messageInfo, new Subject(), messageLayer, appContext, cbh);         } However, section 3.8.3.3 of the JSR 196 (JASPIC) spec says that the semantics of secureResponse are as defined in Section 3.8.2.2, which thus means that secureResponse should be called +after+ a service invocation. Figure 1.1 in Section 1.1 shows this as well, and the general flow as described is Section 3.8 also mentions this. So, in JBoss the sequence is validateRequest -> secureResponse -> Invoke Service While the spec seems to say it should be: validateRequest -> Invoke Service -> secureResponse In the reference implementation GlassFish the sequence is indeed the latter one. -------------------------------------------------------------- Reply to this message by going to Community [https://community.jboss.org/message/799210#799210] Start a new discussion in PicketBox Development at Community [https://community.jboss.org/choose-container!input.jspa?contentType=1&...]