arjan tijms created SECURITY-727:
------------------------------------
Summary: secureResponse with JASPIC called before service invocation instead of after
Key: SECURITY-727
URL:
https://issues.jboss.org/browse/SECURITY-727
Project: PicketBox
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Affects Versions: PIcketBox_4_0_15.Final
Reporter: arjan tijms
Assignee: Anil Saldhana
{{WebJASPIAuthenticator}} in JBoss AS 7.1.1 and JBoss EAP 6.0.1 calls _secureResponse_
right after _validateRequest_ on a SAM has been called. The only intermediate code is
registering the result of the callback handler with the container. The service invocation
(e.g. calling a Servlet) is done afterwards, i.e. after the call to _secureResponse_.
See the following fragment in {{WebJASPIAuthenticator}}:
{code}
if (sam != null) {
    result = sam.isValid(messageInfo, clientSubject, messageLayer, appContext, cbh);
}
// the authentication process has been a success. We need to register the
// principal, username, password and roles with the container
if (result) {
    PasswordValidationCallback pvc = cbh.getPasswordValidationCallback();
    CallerPrincipalCallback cpc = cbh.getCallerPrincipalCallback();
    // get the client principal from the callback.
    Principal clientPrincipal = cpc.getPrincipal();
    if (clientPrincipal == null) {
        clientPrincipal = new SimplePrincipal(cpc.getName());
    }
    // if the client principal is not a jboss generic principal, we need to build
    // one before registering.
    if (!(clientPrincipal instanceof JBossGenericPrincipal))
        clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal);
    this.register(request, response, clientPrincipal, authMethod, pvc.getUsername(),
            new String(pvc.getPassword()));
    if (this.secureResponse)
        sam.secureResponse(messageInfo, new Subject(), messageLayer, appContext, cbh);
}
{code}
However, section 3.8.3.3 of the JSR 196 (JASPIC) spec says that the semantics of
secureResponse are as defined in Section 3.8.2.2, which thus means that secureResponse
should be called after a service invocation. Figure 1.1 in Section 1.1 shows this as well,
and the general flow as described in Section 3.8 also mentions this.
So, in JBoss the sequence is
{noformat}
validateRequest -> secureResponse -> Invoke Service
{noformat}
While the spec seems to say it should be:
{noformat}
validateRequest -> Invoke Service -> secureResponse
{noformat}
In the reference implementation GlassFish the sequence is indeed the latter one.
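The following is an added diagnostic example, not code from PicketBox, JBoss or the reporter: a minimal JASPIC ServerAuthModule plus a servlet that together reveal which of the two sequences above a container actually uses. The servlet sets a request attribute when it runs; secureResponse then checks whether that attribute is already present. Under the spec order (validateRequest -> Invoke Service -> secureResponse) it is, under the JBoss order it is not. The class names, the attribute name {{orderprobe.serviceInvoked}}, the header name {{X-JASPIC-Order}} and the fixed caller "probe-user" are all assumptions chosen for this example; registering the module with the container (AuthConfigProvider / AuthConfigFactory and the JBoss security domain wiring) is assumed to be done separately.

```java
import java.io.IOException;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical diagnostic SAM (added example): records whether the container
 * calls secureResponse before or after the servlet has run.
 */
public class OrderProbeSam implements ServerAuthModule {

    // Attribute the servlet sets once it has been invoked (assumed name).
    public static final String SERVICE_INVOKED = "orderprobe.serviceInvoked";
    // Response header carrying the observed order (assumed name).
    public static final String ORDER_HEADER = "X-JASPIC-Order";

    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        // Establish a fixed caller so the request reaches the servlet. A real SAM
        // would authenticate credentials here instead of hard-coding a principal.
        try {
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, "probe-user"),
                new GroupPrincipalCallback(clientSubject, new String[] { "probe-role" })
            });
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // Spec order (validateRequest -> service -> secureResponse): the attribute is present.
        // JBoss order described in this issue: the servlet has not run yet, so it is absent.
        boolean serviceRan = Boolean.TRUE.equals(request.getAttribute(SERVICE_INVOKED));
        String order = serviceRan ? "after-service" : "before-service";
        // When called after the service the response may already be committed and the
        // header would be silently dropped, so the log line is the reliable record.
        if (!response.isCommitted()) {
            response.setHeader(ORDER_HEADER, order);
        }
        System.out.println("secureResponse called " + order);
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        subject.getPrincipals().clear();
    }
}

/** Protected resource that marks the request once the service invocation happened. */
@WebServlet("/probe")
class ProbeServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        req.setAttribute(OrderProbeSam.SERVICE_INVOKED, Boolean.TRUE);
        resp.getWriter().println("caller=" + req.getUserPrincipal());
    }
}
```

Deploy both classes with the SAM registered for the web application and request {{/probe}}: a container following the spec logs "secureResponse called after-service", while the JBoss AS 7.1.1 / EAP 6.0.1 sequence described above logs "before-service" and also returns the {{X-JASPIC-Order: before-service}} header, since the response cannot yet be committed at that point.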