[jboss-jira] [JBoss JIRA] (WFLY-4618) JASPIC authentication processed on unsecured resources

Ladislav Petera (JIRA) issues at jboss.org
Fri Apr 22 09:35:00 EDT 2016


    [ https://issues.jboss.org/browse/WFLY-4618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13195796#comment-13195796 ] 

Ladislav Petera commented on WFLY-4618:
---------------------------------------

Hello guys,

I am implementing a JASPI SAM and having trouble following the proposed solution.

Contrary to JSR-196 (chapter 3.7.4), my SAM receives a null requestPolicy in the ServerAuthModule.initialize call.
Checking the isMandatory() property on a null does not work, for obvious reasons.

This behavior corresponds to what I see in the PicketBox code which is responsible for SAM initialization:
[http://grepcode.com/file/repo1.maven.org/maven2/org.picketbox/picketbox/4.9.2.Final/org/jboss/security/auth/message/config/JBossServerAuthConfig.java#163]

I am using WildFly 9.0.2.Final. However, decompiling the PicketBox lib in 10.0 shows the same behaviour.

This bug and all related bugs are marked as RESOLVED, so I would assume that unsecured resources via web.xml should work now.
But from what I see, this cannot work yet.

Am I missing something?

Thanks a lot to anyone taking time to respond.

> JASPIC authentication processed on unsecured resources
> ------------------------------------------------------
>
>                 Key: WFLY-4618
>                 URL: https://issues.jboss.org/browse/WFLY-4618
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security, Web (Undertow)
>    Affects Versions: 8.2.0.Final, 9.0.0.CR1
>            Reporter: Gernot Müller
>            Assignee: Stuart Douglas
>
> When using JASPIC authentication in web projects, serving unsecured resources (like unsecured pages or CSS/JS resources) ends up calling the configured JASPI auth modules.
> The problem is located in class JASPIAuthenticationMechanism (Undertow extension), where the SecurityContext is never asked whether the request has to be authenticated.
> So JASPIC can't be used for web applications which consist of secured AND unsecured parts.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)



More information about the jboss-jira mailing list