[jboss-jira] [JBoss JIRA] (SECURITY-728) WebJASPIOptionalAuthenticator does not actually authenticate
Anil Saldhana (JIRA)
jira-events at lists.jboss.org
Mon Feb 25 10:56:57 EST 2013
[ https://issues.jboss.org/browse/SECURITY-728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Anil Saldhana reassigned SECURITY-728:
--------------------------------------
Assignee: Stefan Guilhen (was: Anil Saldhana)
Check this...
> WebJASPIOptionalAuthenticator does not actually authenticate
> ------------------------------------------------------------
>
> Key: SECURITY-728
> URL: https://issues.jboss.org/browse/SECURITY-728
> Project: PicketBox
> Issue Type: Feature Request
> Security Level: Public(Everyone can see)
> Affects Versions: PIcketBox_4_0_15.Final
> Reporter: arjan tijms
> Assignee: Stefan Guilhen
> Labels: jaspi, jaspic, jsr196, spec_violation
>
> According to the JASPIC specification, a SAM should be invoked for unprotected resources as well as protected resources. Invoking the SAM for unprotected resources is required for pre-emptive authentication.
> This is detailed in section 3.8 of the JSR 196 (JASPIC) specification and is explicitly acknowledged by the spec lead at http://java.net/jira/browse/SERVLET_SPEC-21
> However, the documented {{WebJASPIAuthenticator}} valve is not invoked for unprotected resources. There is an undocumented valve, {{WebJASPIOptionalAuthenticator}}, which can be used, but this one does not actually authenticate.
> See the following fragment:
> {code}
> boolean isValid = sam.isValid(messageInfo, new Subject(), messageLayer, appContext, cbh);
> if (isValid) {
>     WebLogger.WEB_SECURITY_LOGGER.debugf("JASPI validation for unprotected request context %s succeeded", request.getServletPath());
>     sam.secureResponse(messageInfo, new Subject(), messageLayer, appContext, cbh);
> }
> {code}
> As can be seen, the callbackhandler ({{cbh}}) is *not* processed.
> Additionally, the javadoc comments for {{WebJASPIOptionalAuthenticator}} says calling unprotected resources is optional, but I don't think this is the case:
> {code}
> /**
>  * <p>
>  * This class implements a JASPI authenticator for unprotected resources. In the JASPI Servlet profile, authentication
>  * for unprotected resources is optional but it is still allowed. When performed, the JASPI authentication modules must
>  * grant access to the unprotected resources irrespective of the caller, which may be anonymous (i.e, no security info
>  * supplied).
>  * </p>
>  *
>  * @author <a href="mailto:sguilhen at redhat.com">Stefan Guilhen</a>
>  */
> @SuppressWarnings("unused")
> public class WebJASPIOptionalAuthenticator extends ValveBase {
> {code}
> {{WebJASPIOptionalAuthenticator}} should probably contain the following code in the {{isValid}} if statement:
> {code}
> PasswordValidationCallback pvc = cbh.getPasswordValidationCallback();
> CallerPrincipalCallback cpc = cbh.getCallerPrincipalCallback();
>
> // get the client principal from the callback.
> Principal clientPrincipal = cpc.getPrincipal();
> if (clientPrincipal == null) {
>     clientPrincipal = new SimplePrincipal(cpc.getName());
> }
>
> // if the client principal is not a jboss generic principal, we need to build one before registering.
> if (!(clientPrincipal instanceof JBossGenericPrincipal))
>     clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal);
>
> this.register(request, response, clientPrincipal, authMethod, pvc.getUsername(),
>         new String(pvc.getPassword()));
> {code}
> (code taken from {{WebJASPIAuthenticator}}).
> Perhaps it's better if the two valves are merged?
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira