[jboss-jira] [JBoss JIRA] Commented: (JBPORTAL-2458) CasAuthenticationValve forces login for requests matching the /sec pattern

Martin Putz (JIRA) jira-events at lists.jboss.org
Tue Sep 29 04:40:49 EDT 2009


    [ https://jira.jboss.org/jira/browse/JBPORTAL-2458?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12487678#action_12487678 ] 

Martin Putz commented on JBPORTAL-2458:
---------------------------------------

patch proposal, check if there is an auth-constraint:

[mputz at mputz JBP_IDENTITY_1_1_0]$ svn diff
Index: identity/src/main/java/org/jboss/portal/identity/helper/IdentityTools.java
===================================================================
--- identity/src/main/java/org/jboss/portal/identity/helper/IdentityTools.java	(revision 13808)
+++ identity/src/main/java/org/jboss/portal/identity/helper/IdentityTools.java	(working copy)
@@ -52,6 +52,7 @@
          SecurityConstraint constraint = constraints[i];
 
 
+         if(constraint.getAuthConstraint()) {
          SecurityCollection[] collections = constraint.findCollections();
 
          for (int j = 0; j < collections.length; j++)
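Review bot: the added `if(constraint.getAuthConstraint()) {` opens a block in a style that differs from the surrounding code (`for (...)` with the brace on its own line) and leaves the body at its original indentation, so the new nesting is invisible to the reader. Since the intent is only to skip constraints that carry no auth-constraint, a guard at the top of the loop body, `if (!constraint.getAuthConstraint()) continue;`, would avoid re-indenting the block and the extra closing brace in the second hunk; a one-line comment saying that transport-only constraints (user-data-constraint without auth-constraint) are skipped would also make the intent explicit.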
@@ -68,7 +69,7 @@
                urls.add(pattern);
             }
          }
-
+         }
       }
 
       return urls;
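Review bot: the `+         }` closes the `if` opened in the previous hunk, but because the enclosed body was not re-indented the two consecutive `}` lines now read as if they closed the same construct. Either re-indent the body or annotate the brace (`} // end if getAuthConstraint`) so the scope boundary is clear to the next reader.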


> CasAuthenticationValve forces login for requests matching the /sec pattern
> --------------------------------------------------------------------------
>
>                 Key: JBPORTAL-2458
>                 URL: https://jira.jboss.org/jira/browse/JBPORTAL-2458
>             Project: JBoss Portal
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: Portal Security
>    Affects Versions: 2.7.2 Final
>         Environment: JBoss Portal configured with CAS and HTTPS as outlined in Chapter 1.2 of the SSO Frameworks Integration Guide
> http://docs.jboss.org/jbportal/sso/html/portal_cas.html#1.2
>            Reporter: Martin Putz
>            Assignee: Sohil Shah
>
> The CasAuthenticationValve delegates to the CAS login for all requests that have no ticket parameter and match one of the patterns declared in the <security-constraint> elements in jboss-portal.sar/portal-server.war/WEB-INF/web.xml.
> If you click on the 'News' tab, for instance, the request goes to:
> https://localhost:8443/portal/sec/portal/default/News
> This matches the pattern defined in the following <security-constraint> section:
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Secure</web-resource-name>
>       <url-pattern>/sec/*</url-pattern>
>     </web-resource-collection>
>     <user-data-constraint>
>       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>     </user-data-constraint>
>   </security-constraint>
> As there is only a <user-data-constraint> defined, but no <auth-constraint>, requests for /sec/* should not require authentication.
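As an added illustration (not code from the portal, the valve or the patch above), a stand-alone Python evaluator of the web.xml rule the report describes: only a `<security-constraint>` that carries an `<auth-constraint>` should force a login, while a bare `<user-data-constraint>` only asks for HTTPS. The `/admin/*` constraint is an assumption added for contrast.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment: the /sec/* constraint quoted in the report (transport
# guarantee only) plus an assumed /admin/* constraint that does carry an <auth-constraint>.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure</web-resource-name>
      <url-pattern>/sec/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>Admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>"""

def pattern_matches(pattern, path):
    """Servlet-style match: exact path, path prefix ('/x/*') or extension ('*.ext')."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern

def auth_required_patterns(web_xml):
    """Patterns a login valve should enforce: only those whose <security-constraint>
    has an <auth-constraint>. A bare <user-data-constraint> asks for HTTPS, not login."""
    urls = set()
    for sc in ET.fromstring(web_xml).findall("security-constraint"):
        if sc.find("auth-constraint") is None:
            continue  # same check the proposed patch adds: skip transport-only constraints
        urls.update(p.text.strip() for p in sc.findall("web-resource-collection/url-pattern"))
    return urls

def requires_login(web_xml, path):
    """True only when some auth-constrained pattern matches the request path."""
    return any(pattern_matches(p, path) for p in auth_required_patterns(web_xml))
```

With the context path `/portal` stripped, the 'News' request from the report is `/sec/portal/default/News`, which matches `/sec/*` but does not require a login here.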

-- 
This message is automatically generated by JIRA.