Anil Saldhana reassigned SECURITY-728:
--------------------------------------
Assignee: Stefan Guilhen (was: Anil Saldhana)
Check this...
WebJASPIOptionalAuthenticator does not actually authenticate
------------------------------------------------------------
Key: SECURITY-728
URL: https://issues.jboss.org/browse/SECURITY-728
Project: PicketBox
Issue Type: Feature Request
Security Level: Public(Everyone can see)
Affects Versions: PIcketBox_4_0_15.Final
Reporter: arjan tijms
Assignee: Stefan Guilhen
Labels: jaspi, jaspic, jsr196, spec_violation
According to the JASPIC specification, a SAM should be invoked for unprotected resources
as well as protected resources. Invoking the SAM for unprotected resources is required for
pre-emptive authentication.
This is detailed in section 3.8 of the JSR 196 (JASPIC) specification and is explicitly
acknowledged by the spec lead at
http://java.net/jira/browse/SERVLET_SPEC-21
However, the documented {{WebJASPIAuthenticator}} valve is not invoked for unprotected
resources. There is an undocumented valve, {{WebJASPIOptionalAuthenticator}}, which can be
used, but this one does not actually authenticate.
See the following fragment:
{code}
boolean isValid = sam.isValid(messageInfo, new Subject(), messageLayer, appContext, cbh);
if (isValid) {
    WebLogger.WEB_SECURITY_LOGGER.debugf("JASPI validation for unprotected request context %s succeeded", request.getServletPath());
    // cbh is handed to the SAM but its callbacks are never read back, so no caller is registered
    sam.secureResponse(messageInfo, new Subject(), messageLayer, appContext, cbh);
}
{code}
As can be seen, the callbackhandler ({{cbh}}) is *not* processed.
Additionally, the javadoc comments for {{WebJASPIOptionalAuthenticator}} say calling
unprotected resources is optional, but I don't think this is the case:
{code}
/**
 * <p>
 * This class implements a JASPI authenticator for unprotected resources. In the JASPI Servlet profile, authentication
 * for unprotected resources is optional but it is still allowed. When performed, the JASPI authentication modules must
 * grant access to the unprotected resources irrespective of the caller, which may be anonymous (i.e, no security info
 * supplied).
 * </p>
 *
 * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
 */
@SuppressWarnings("unused")
public class WebJASPIOptionalAuthenticator extends ValveBase {
{code}
{{WebJASPIOptionalAuthenticator}} should probably contain the following code in the
{{isValid}} if statement:
{code}
// clientSubject and authMethod are defined in the surrounding WebJASPIAuthenticator code, not in this fragment
PasswordValidationCallback pvc = cbh.getPasswordValidationCallback();
CallerPrincipalCallback cpc = cbh.getCallerPrincipalCallback();
// get the client principal from the callback.
Principal clientPrincipal = cpc.getPrincipal();
if (clientPrincipal == null) {
    clientPrincipal = new SimplePrincipal(cpc.getName());
}
// if the client principal is not a jboss generic principal, we need to build one before registering.
if (!(clientPrincipal instanceof JBossGenericPrincipal))
    clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal);
this.register(request, response, clientPrincipal, authMethod, pvc.getUsername(), new String(pvc.getPassword()));
{code}
(code taken from {{WebJASPIAuthenticator}}).
Perhaps it's better if the two valves are merged?
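As an added illustration (it is not part of this issue and not PicketBox code), here is a minimal JASPIC ServerAuthModule that depends on the behaviour the report describes: the container invokes it for unprotected resources too, it performs pre-emptive HTTP Basic authentication when the client sends an Authorization header, and it hands the outcome back to the container through CallerPrincipalCallback and GroupPrincipalCallback. The class name, the "users" group, the realm string and the embedded credential store are assumptions made for the example. It shows why a container that calls the SAM but never processes the callback handler breaks pre-emptive authentication: the module returns SUCCESS, yet no caller is ever registered.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical SAM performing pre-emptive HTTP Basic authentication (added example, not PicketBox code). */
public class PreemptiveBasicSam implements ServerAuthModule {
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    /** Constructed credential store for the example; a real SAM would consult an identity store. */
    private static final Map<String, String> USERS = Collections.singletonMap("alice", "correct horse battery");
    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) {
        this.handler = handler; // container-supplied; in PicketBox this is the valve's cbh
    }
    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // false for an unprotected resource; the module is still invoked (JSR 196 section 3.8)
        boolean mandatory = Boolean.parseBoolean(String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));

        String header = request.getHeader("Authorization");
        if (header != null && header.regionMatches(true, 0, "Basic ", 0, 6)) {
            String[] creds = decodeBasic(header.substring(6).trim());
            if (creds != null && isValid(creds[0], creds[1])) {
                // The container must act on these callbacks to establish the caller; one that validates
                // but never processes them (what this issue reports) leaves the request anonymous.
                handle(new CallerPrincipalCallback(clientSubject, creds[0]),
                       new GroupPrincipalCallback(clientSubject, new String[] { "users" }));
                return AuthStatus.SUCCESS;
            }
            // Design choice for this example: a client that sent bad credentials is challenged
            // even on an unprotected resource, since it explicitly asked to be authenticated.
            return challenge(response);
        }
        if (!mandatory) return AuthStatus.SUCCESS; // unprotected and no credentials: anonymous access
        return challenge(response);
    }
    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }
    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) subject.getPrincipals().clear();
    }

    private AuthStatus challenge(HttpServletResponse response) {
        response.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_FAILURE;
    }
    private void handle(Callback... callbacks) throws AuthException {
        try {
            handler.handle(callbacks);
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    /** Returns {user, password}, or null when the header value is malformed. */
    static String[] decodeBasic(String b64) {
        try {
            String pair = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');
            return colon < 0 ? null : new String[] { pair.substring(0, colon), pair.substring(colon + 1) };
        } catch (IllegalArgumentException e) {
            return null;
        }
    }
    /** Constant-time comparison against the constructed store. */
    static boolean isValid(String user, String password) {
        String expected = USERS.get(user);
        return expected != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), password.getBytes(StandardCharsets.UTF_8));
    }
}
```

The module only has an effect if the container's CallbackHandler turns the CallerPrincipalCallback into a registered principal, which is the step the proposed fix in the issue adds to the valve; the 401 for bad credentials on an unprotected resource is a choice made for this example, not something the issue or the quoted javadoc states.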