[jboss-jira] [JBoss JIRA] (WFLY-4618) JASPIC authentication processed on unsecured resources
Ladislav Petera (JIRA)
issues at jboss.org
Fri Apr 22 09:35:00 EDT 2016
[ https://issues.jboss.org/browse/WFLY-4618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13195796#comment-13195796 ]
Ladislav Petera commented on WFLY-4618:
---------------------------------------
Hello guys,
I am implementing a JASPI SAM and having trouble following the proposed solution.
Contrary to JSR-196 (chapter 3.7.4), my SAM receives a "null" requestPolicy in the ServerAuthModule.initialize call.
Checking the isMandatory() property on a null does not work for obvious reasons.
This behavior corresponds to what I see in the PicketBox code which is responsible for SAM initialization:
[http://grepcode.com/file/repo1.maven.org/maven2/org.picketbox/picketbox/4.9.2.Final/org/jboss/security/auth/message/config/JBossServerAuthConfig.java#163]
I am using WildFly 9.0.2 Final. However, decompiling the picketbox lib in 10.0 shows the same behaviour.
This bug and all related bugs are marked as RESOLVED, so I would assume that unsecured resources via web.xml should work now.
But from what I see, this cannot work yet.
Am I missing something?
Thanks a lot to anyone taking time to respond.
> JASPIC authentication processed on unsecured resources
> ------------------------------------------------------
>
> Key: WFLY-4618
> URL: https://issues.jboss.org/browse/WFLY-4618
> Project: WildFly
> Issue Type: Bug
> Components: Security, Web (Undertow)
> Affects Versions: 8.2.0.Final, 9.0.0.CR1
> Reporter: Gernot Müller
> Assignee: Stuart Douglas
>
> When using JASPIC authentication in web projects, serving unsecured resources (like unsecured pages, css/js-resources) ends in calling the configured JASPI auth-modules.
> The problem is located in class JASPIAuthenticationMechanism (Undertow extension), where SecurityContext is never asked if the request has to be authenticated.
> So JASPIC can't be used for web-applications which consist of secured AND unsecured parts.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
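A null-safe way for a SAM to decide whether authentication is mandatory, as an added example that is not code from this thread, from WildFly or from PicketBox. It reads the per-request flag that the JSR-196 Servlet Container Profile defines in the MessageInfo map; whether a given container version populates that key is an assumption, and the class name, the `demo.token` option, the `X-Demo-Token` header and the `demo-user` principal are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Hypothetical SAM: the shared-token check stands in for a real credential check.
public class NullSafeSam implements ServerAuthModule {
    static final String MANDATORY_KEY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private MessagePolicy requestPolicy; // may be null, as reported in the comment above
    private CallbackHandler handler;
    private byte[] token;

    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler h, Map options) throws AuthException {
        Object t = options == null ? null : options.get("demo.token"); // hypothetical module option
        if (t == null) throw new AuthException("demo.token option missing");
        this.token = t.toString().getBytes(StandardCharsets.UTF_8);
        this.requestPolicy = req; // stored, never dereferenced here
        this.handler = h;
    }

    // Per-request flag first, then the init-time policy; with neither available, fail closed.
    boolean isMandatory(MessageInfo info) {
        Object flag = info.getMap().get(MANDATORY_KEY);
        if (flag != null) return Boolean.parseBoolean(flag.toString());
        return requestPolicy == null || requestPolicy.isMandatory();
    }

    public AuthStatus validateRequest(MessageInfo info, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        String sent = req.getHeader("X-Demo-Token"); // hypothetical header
        boolean ok = sent != null && MessageDigest.isEqual(token, sent.getBytes(StandardCharsets.UTF_8));
        String user = ok ? "demo-user" : null;
        if (user == null && isMandatory(info)) {
            ((HttpServletResponse) info.getResponseMessage()).setStatus(401);
            return AuthStatus.SEND_FAILURE;
        }
        // A null name tells the container the caller is unauthenticated (unsecured resource).
        try { handler.handle(new Callback[] { new CallerPrincipalCallback(client, user) }); }
        catch (Exception e) { throw (AuthException) new AuthException(e.getMessage()).initCause(e); }
        return AuthStatus.SUCCESS;
    }

    public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    public AuthStatus secureResponse(MessageInfo info, Subject service) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject subject) { }
}
```

When the container supplies neither the map key nor a requestPolicy, this module treats every request as mandatory, so unsecured resources are rejected rather than silently left open.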