[jboss-jira] [JBoss JIRA] (WFLY-4618) JASPIC authentication processed on unsecured ressources

Stuart Douglas (JIRA) issues at jboss.org
Fri Apr 22 17:57:00 EDT 2016


    [ https://issues.jboss.org/browse/WFLY-4618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13196057#comment-13196057 ] 

Stuart Douglas commented on WFLY-4618:
--------------------------------------

You can check this in the validateRequest method call, but I think you are right that this is not implemented correctly. From the spec:

{code}
Each ServerAuthContext obtained through getAuthContext must initialize its encapsulated ServerAuthModule objects with a non-null value for requestPolicy. The encapsulated authentication modules may be initialized with a null value for responsePolicy.
{code}

[~atijms] have you run into this issue with your JASPIC tests?

> JASPIC authentication processed on unsecured ressources
> -------------------------------------------------------
>
>                 Key: WFLY-4618
>                 URL: https://issues.jboss.org/browse/WFLY-4618
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security, Web (Undertow)
>    Affects Versions: 8.2.0.Final, 9.0.0.CR1
>            Reporter: Gernot Müller
>            Assignee: Stuart Douglas
>
> When using JASPIC authentication in web-projects, then serving unsecured resources (like unsecured pages, css/js-resources) ends in calling configured JASPI auth-modules.
> The problem is located in class JASPIAuthenticationMechanism (Undertow extension) where SecurityContext is never asked if the request has to be authenticated.
> So JASPIC can't be used for web-applications which consist of secured AND unsecured parts.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)