[jboss-jira] [JBoss JIRA] (SECURITY-728) WebJASPIOptionalAuthenticator does not actually authenticate
arjan tijms (JIRA)
jira-events at lists.jboss.org
Sat Feb 23 15:38:57 EST 2013
arjan tijms created SECURITY-728:
------------------------------------
Summary: WebJASPIOptionalAuthenticator does not actually authenticate
Key: SECURITY-728
URL: https://issues.jboss.org/browse/SECURITY-728
Project: PicketBox
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Affects Versions: PIcketBox_4_0_15.Final
Reporter: arjan tijms
Assignee: Anil Saldhana
According to the JASPIC specification, a SAM should be invoked for unprotected resources as well as protected resources. Invoking the SAM for unprotected resources is required for pre-emptive authentication.
This is detailed in section 3.8 of the JSR 196 (JASPIC) specification and is explicitly acknowledged by the spec lead at http://java.net/jira/browse/SERVLET_SPEC-21
However, the documented {{WebJASPIAuthenticator}} valve is not invoked for unprotected resources. There is an undocumented valve, {{WebJASPIOptionalAuthenticator}}, which can be used, but this one does not actually authenticate.
See the following fragment:
{code}
boolean isValid = sam.isValid(messageInfo, new Subject(), messageLayer, appContext, cbh);
if (isValid) {
    WebLogger.WEB_SECURITY_LOGGER.debugf("JASPI validation for unprotected request context %s succeeded", request.getServletPath());
    sam.secureResponse(messageInfo, new Subject(), messageLayer, appContext, cbh);
}
{code}
As can be seen, the callback handler ({{cbh}}) is *not* processed.
Additionally, the javadoc comments for {{WebJASPIOptionalAuthenticator}} say calling unprotected resources is optional, but I don't think this is the case:
{code}
/**
 * <p>
 * This class implements a JASPI authenticator for unprotected resources. In the JASPI Servlet profile, authentication
 * for unprotected resources is optional but it is still allowed. When performed, the JASPI authentication modules must
 * grant access to the unprotected resources irrespective of the caller, which may be anonymous (i.e, no security info
 * supplied).
 * </p>
 *
 * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
 */
@SuppressWarnings("unused")
public class WebJASPIOptionalAuthenticator extends ValveBase {
{code}
{{WebJASPIOptionalAuthenticator}} should probably contain the following code in the {{isValid}} if statement:
{code}
PasswordValidationCallback pvc = cbh.getPasswordValidationCallback();
CallerPrincipalCallback cpc = cbh.getCallerPrincipalCallback();
// get the client principal from the callback.
Principal clientPrincipal = cpc.getPrincipal();
if (clientPrincipal == null) {
    clientPrincipal = new SimplePrincipal(cpc.getName());
}
// if the client principal is not a jboss generic principal, we need to build one before registering.
if (!(clientPrincipal instanceof JBossGenericPrincipal))
    clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal);
this.register(request, response, clientPrincipal, authMethod, pvc.getUsername(),
        new String(pvc.getPassword()));
{code}
(code taken from {{WebJASPIAuthenticator}}).
Perhaps it's better if the two valves are merged?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
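An added illustration (not PicketBox code and not part of the report above) of why an unprocessed callback handler matters: a pre-emptive SAM can only establish the caller identity through a CallerPrincipalCallback, so a valve that never reads the handler leaves every unprotected request anonymous even when isValid returned true. The RecordingCallbackHandler, PreemptiveSam and OptionalValveCheck classes and the X-Demo-User header are constructed for this example and stand in for the container's real handler and for a real SAM.

```java
import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical handler that records the callbacks a SAM issues (stand-in for the container's cbh). */
class RecordingCallbackHandler implements CallbackHandler {
    private CallerPrincipalCallback callerPrincipalCallback;

    @Override
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof CallerPrincipalCallback) {
                callerPrincipalCallback = (CallerPrincipalCallback) cb;
            }
        }
    }
    CallerPrincipalCallback getCallerPrincipalCallback() { return callerPrincipalCallback; }
}

/** Pre-emptive SAM fragment: identifies the caller from a constructed header, even on unprotected URLs. */
class PreemptiveSam {
    AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, CallbackHandler handler)
            throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        String user = request.getHeader("X-Demo-User"); // constructed header, not a real scheme
        if (user != null) {
            try { // the SAM never registers the identity itself; it hands it to the container via the callback
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, user) });
            } catch (IOException | UnsupportedCallbackException e) {
                throw (AuthException) new AuthException(e.getMessage()).initCause(e);
            }
        }
        return AuthStatus.SUCCESS; // unprotected resource: access is granted with or without an identity
    }
}

/** Container side, after isValid returns true: read the callback, otherwise the request stays anonymous. */
class OptionalValveCheck {
    static Principal callerEstablishedBy(RecordingCallbackHandler cbh) {
        CallerPrincipalCallback cpc = cbh.getCallerPrincipalCallback();
        if (cpc == null) return null;               // SAM issued no callback: legitimately anonymous
        Principal p = cpc.getPrincipal();
        return p != null ? p : () -> cpc.getName(); // name-only callback: wrap it (PicketBox uses SimplePrincipal)
    }
}
```

A non-null result from callerEstablishedBy is what the valve would pass to register(); returning null only when the SAM issued no callback is the behaviour the report asks for.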