[
https://issues.jboss.org/browse/WFLY-4618?page=com.atlassian.jira.plugin....
]
Stuart Douglas commented on WFLY-4618:
--------------------------------------
You can check this in the validateRequest method call, but I think you are right that this
is not implemented correctly. From the spec:
{code}
Each ServerAuthContext obtained through getAuthContext must initialize its encapsulated
ServerAuthModule objects with a non-null value for requestPolicy. The encapsulated
authentication modules may be initialized with a null value for responsePolicy.
{code}
[~atijms] have you run into this issue with your JASPIC tests?
JASPIC authentication processed on unsecured resources
------------------------------------------------------
Key: WFLY-4618
URL: https://issues.jboss.org/browse/WFLY-4618
Project: WildFly
Issue Type: Bug
Components: Security, Web (Undertow)
Affects Versions: 8.2.0.Final, 9.0.0.CR1
Reporter: Gernot Müller
Assignee: Stuart Douglas
When using JASPIC authentication in web-projects, then serving unsecured resources (like
unsecured pages, css/js-resources) ends in calling configured JASPI auth-modules.
The problem is located in class JASPIAuthenticationMechanism (Undertow extension) where
SecurityContext is never asked if the request has to be authenticated.
So JASPIC can't be used for web-applications which consist of secured AND unsecured
parts.
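
The check in validateRequest mentioned in the comment above, as an added example (not WildFly's or the reporter's code): a ServerAuthModule base class that reads the `javax.security.auth.message.MessagePolicy.isMandatory` key defined by the JASPIC Servlet Container Profile and only rejects a request without credentials when the resource is protected. The class name `MandatoryAwareSam` and the `authenticate` hook are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public abstract class MandatoryAwareSam implements ServerAuthModule {
    // Map key set by the container to "true" only when the resource requires authentication.
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
    }
    /** Hypothetical hook: returns the caller name, or null when no valid credentials were sent. */
    protected abstract String authenticate(HttpServletRequest request);

    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        boolean mandatory = Boolean.parseBoolean((String) info.getMap().get(IS_MANDATORY));
        String caller = authenticate((HttpServletRequest) info.getRequestMessage());
        try {
            if (caller == null && mandatory) { // protected resource, no credentials: reject
                ((HttpServletResponse) info.getResponseMessage()).sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return AuthStatus.SEND_FAILURE;
            }
            // Unprotected resource without credentials: continue as the unauthenticated caller.
            Callback cb = caller != null ? new CallerPrincipalCallback(client, caller)
                                         : new CallerPrincipalCallback(client, (Principal) null);
            handler.handle(new Callback[] { cb });
            return AuthStatus.SUCCESS;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }
    @Override public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    @Override public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo info, Subject subject) { }
}
```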