[jboss-jira] [JBoss JIRA] (SECURITY-727) secureResponse with JASPIC called before service invocation instead of after

arjan tijms (JIRA) jira-events at lists.jboss.org
Sat Feb 23 13:57:56 EST 2013


arjan tijms created SECURITY-727:
------------------------------------

             Summary: secureResponse with JASPIC called before service invocation instead of after
                 Key: SECURITY-727
                 URL: https://issues.jboss.org/browse/SECURITY-727
             Project: PicketBox 
          Issue Type: Feature Request
      Security Level: Public (Everyone can see)
    Affects Versions: PIcketBox_4_0_15.Final
            Reporter: arjan tijms
            Assignee: Anil Saldhana


{{WebJASPIAuthenticator}} in JBoss AS 7.1.1 and JBoss EAP 6.0.1 calls _secureResponse_ right after _validateRequest_ on a SAM has been called. The only intermediate code is registering the result of the callback handler with the container. The service invocation (e.g. calling a Servlet) is done afterwards, i.e. after the call to _secureResponse_.
 
See the following fragment in {{WebJASPIAuthenticator}}:
 
{code}
if (sam != null) {
    result = sam.isValid(messageInfo, clientSubject, messageLayer, appContext, cbh);
}

// the authentication process has been a success. We need to register the principal, username, password and roles
// with the container
if (result) {
    PasswordValidationCallback pvc = cbh.getPasswordValidationCallback();
    CallerPrincipalCallback cpc = cbh.getCallerPrincipalCallback();

    // get the client principal from the callback.
    Principal clientPrincipal = cpc.getPrincipal();
    if (clientPrincipal == null) {
        clientPrincipal = new SimplePrincipal(cpc.getName());
    }

    // if the client principal is not a jboss generic principal, we need to build one before registering.
    if (!(clientPrincipal instanceof JBossGenericPrincipal))
        clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal);

    this.register(request, response, clientPrincipal, authMethod, pvc.getUsername(),
            new String(pvc.getPassword()));

    // secureResponse is called here, before the service (e.g. the Servlet) has been invoked
    if (this.secureResponse)
        sam.secureResponse(messageInfo, new Subject(), messageLayer, appContext, cbh);
}
{code}
 
However, section 3.8.3.3 of the JSR 196 (JASPIC) spec says that the semantics of secureResponse are as defined in Section 3.8.2.2, which thus means that secureResponse should be called after a service invocation. Figure 1.1 in Section 1.1 shows this as well, and the general flow as described in Section 3.8 also mentions this.
 
So, in JBoss the sequence is

{noformat}
validateRequest -> secureResponse -> Invoke Service
{noformat}

While the spec seems to say it should be:

{noformat}
validateRequest -> Invoke Service -> secureResponse
{noformat}
 
In the reference implementation GlassFish the sequence is indeed the latter one.
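The following is an added illustration, not code from the issue, from PicketBox or from GlassFish. It is a constructed JASPIC ServerAuthModule whose secureResponse depends on what the servlet did (response status and content type), plus an illustrative container-side driver that applies the ordering the spec describes (validateRequest, invoke service, secureResponse). The class name, the "demo-user" / "demo-group" names and the "X-Demo-Post-Service" header are assumptions made for the example; it compiles against the standard javax.security.auth.message and javax.servlet APIs.

```java
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Constructed demo SAM: validateRequest establishes the caller, secureResponse stamps the
 * response with values that only exist once the servlet has run. Under the spec ordering the
 * header reflects the real outcome; under the ordering in WebJASPIAuthenticator it would see
 * the pre-service response (default status, no content type) and the servlet could overwrite it.
 */
public class OrderSensitiveSam implements ServerAuthModule {

    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        // Demo only: every request is authenticated as a fixed user. A real SAM validates
        // credentials here and returns SEND_CONTINUE or SEND_FAILURE when it cannot.
        try {
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, "demo-user"),                // assumed name
                new GroupPrincipalCallback(clientSubject, new String[] { "demo-group" }) // assumed group
            });
        } catch (Exception e) {
            AuthException ae = new AuthException("callback handling failed");
            ae.initCause(e);
            throw ae;
        }
        // SUCCESS tells the container to go ahead with the service invocation.
        return AuthStatus.SUCCESS;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject)
            throws AuthException {
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
        // Meaningful only after the servlet has run: status and content type are now the
        // servlet's values. If the servlet already committed the response, headers cannot be
        // added any more, so a SAM that must always post-process would wrap the response.
        if (!response.isCommitted()) {
            response.setHeader("X-Demo-Post-Service",
                "status=" + response.getStatus() + ";type=" + response.getContentType());
        }
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        subject.getPrincipals().clear();
    }

    /**
     * Container-side sequence as Section 3.8.2.2 describes it: validateRequest, then the
     * service invocation, then secureResponse. Illustrative driver code, not the JBoss or
     * GlassFish implementation; invokeService stands in for dispatching to the servlet.
     */
    public static void specOrderedFlow(ServerAuthModule sam, MessageInfo messageInfo,
                                       Subject clientSubject, Subject serviceSubject,
                                       Runnable invokeService) throws AuthException {
        AuthStatus status = sam.validateRequest(messageInfo, clientSubject, serviceSubject);
        if (status == AuthStatus.SUCCESS) {
            invokeService.run();                              // 2. the servlet runs
            sam.secureResponse(messageInfo, serviceSubject);  // 3. only then is the response secured
        }
        // Any other status means the SAM produced the response itself (challenge or failure);
        // the container sends it without invoking the service.
    }
}
```

The point of the example is the dependency in secureResponse: anything a SAM wants to derive from the service's result (status, headers, body) is simply not there yet in the validateRequest-secureResponse-service ordering, which is what makes the difference between the two sequences observable rather than cosmetic.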
