[jboss-jira] [JBoss JIRA] (SECURITY-745) WebJASPIAuthenticator doesn't register Subject with SecurityContext
arjan tijms (JIRA)
jira-events at lists.jboss.org
Mon Jul 29 17:58:26 EDT 2013
arjan tijms created SECURITY-745:
------------------------------------
Summary: WebJASPIAuthenticator doesn't register Subject with SecurityContext
Key: SECURITY-745
URL: https://issues.jboss.org/browse/SECURITY-745
Project: PicketBox
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Reporter: arjan tijms
Assignee: Anil Saldhana
After an authenticated identity is established, WebJASPIAuthenticator registers this with the current request, session (if cache is enabled) and optionally SSO:
{code}
/**
* <p>
* Registers an authenticated Principal and authentication type in our request, in the current session (if there is one),
* and with our SingleSignOn valve, if there is one. Set the appropriate cookie to be returned.
* </p>
*
* [...[
*/
@Override
protected void register(...)
{code}
[Source|https://github.com/wildfly/wildfly/blob/master/web/src/main/java/org/jboss/as/web/security/jaspi/WebJASPIAuthenticator.java#L241]
What it does *not* do however is registering this same information with the [SecurityContext|http://grepcode.com/file/repo1.maven.org/maven2/org.picketbox/picketbox-spi-bare/4.0.18.Final/org/jboss/security/SecurityContext.java] where the EJB programmatic security can pick it up.
Now in the next request {{org.jboss.as.web.security.SecurityContextAssociationValve}} will do this registration, but this means:
# Programmatic EJB security ({{EJBContext#isCallerInRole}} etc) can not be used in the same request in which authentication took place, since the {{SecurityContextAssociationValve}} runs before {{WebJASPIAuthenticator}}
# This mechanism depends on the session cache being used. _(This is true by default in JBoss, but it should not be according to the JASPIC spec and users may opt to disable it, possibly since some SAM could require this in order to function correctly)_
I would like to propose putting code like the following in the mentioned {{register}} method or just after it, e.g.
{code}
protected boolean authenticate(Request request, HttpServletResponse response, LoginConfig config) throws IOException {
// [...]
// if the client principal is not a jboss generic principal, we need to build one before registering.
if (!(clientPrincipal instanceof JBossGenericPrincipal))
clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal, gpc);
this.register(request, response, clientPrincipal, authMethod, pvc != null ? pvc.getUsername() : null,
pvc != null && pvc.getPassword() != null ? new String(pvc.getPassword()) : null);
// NEW: Associate Subject with SecurityContext
SecurityContext context = SecurityActions.getSecurityContext();
if (context == null) {
throw PicketBoxMessages.MESSAGES.invalidNullSecurityContext();
}
JBossGenericPrincipal jbossGenericPrincipal = (JBossGenericPrincipal) clientPrincipal;
context.getUtil().createSubjectInfo(new SimplePrincipal(
jbossGenericPrincipal.getName()),
jbossGenericPrincipal.getCredentials(),
jbossGenericPrincipal.getSubject()
);
{code}
Maybe the security context should be created if it does not exists, but I think it should always exist at the given point, shouldn't it?
Note that this depends on SECURITY-744, since in the current trunk version of {{WebJASPIAuthenticator}} the {{Subject}} isn't build at all.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list