[jboss-jira] [JBoss JIRA] (WFLY-4618) JASPIC authentication processed on unsecured ressources

arjan tijms (JIRA) issues at jboss.org
Fri Apr 22 18:50:00 EDT 2016 

    [ https://issues.jboss.org/browse/WFLY-4618?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13196070#comment-13196070 ] 

arjan tijms commented on WFLY-4618:
-----------------------------------

{quote}arjan tijms have you run into this issue with your JASPIC tests?{quote}

I think the issue here is that there's a confusion between whether authentication for the current request is mandatory, and whether the authentication module itself is mandatory.

>From the issue's description I'm pretty sure the former is meant. The proposed solution mentioned by Stuart is correct, but for completeness; this property has to be checked on the Map contained within the {{MessageInfo}} parameter that's passed in the {{validateRequest}} method. The following shows an example:

{code:java}
Boolean.valueOf((String) messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory"));
{code}

This works correctly in all versions of WildFly.

Per request authentication is mandatory when the resource is secured (i.e. matches a security constraint) OR when {{HttpServletRequest#authenticate}} has been called for that request. There's no problem in {{JASPIAuthenticationMechanism}} (now {{JASPICAuthenticationMechanism}}). It's explicitly specified in the JASPIC spec that an authentication module is always called for every request, whether the resource is secured or non-secured and whether the caller has been authenticated before within the same http session or not.

Now the {{MessagePolicy}} is a different thing entirely. This could be used when for instance multiple authentication modules are used, which are managed by the authentication context ({{ServerAuthContext}}). The intend was here that this would function kinda like we see in PAM and JAAS, where multiple modules can be configured with REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL.

Unfortunately, the way how multiple modules would exactly have to work together was never specified. JASPIC 1.0 put up some base infrastructure for it, but this was never really followed up on, leaving the implementation details up to the server. The spec lead explains this in some more detail here: https://java.net/jira/browse/JASPIC_SPEC-15

In practice, I haven't seen {{MessagePolicy}} used a lot.

Long story short, use the {{MessageInfo}} for the property Stuart mentioned and not the method on {{MessagePolicy}}.




> JASPIC authentication processed on unsecured ressources
> -------------------------------------------------------
>
>                 Key: WFLY-4618
>                 URL: https://issues.jboss.org/browse/WFLY-4618
>             Project: WildFly
>          Issue Type: Bug
>          Components: Security, Web (Undertow)
>    Affects Versions: 8.2.0.Final, 9.0.0.CR1
>            Reporter: Gernot Müller
>            Assignee: Stuart Douglas
>
> When using JASPIC authentication in web-projects, then serving unsecured resources (like unsecured pages, css/js-resources) ends in calling configured JASPI auth-modules.
> The problem is located in class JASPIAuthenticationMechanism (Undertow extension) where SecurityContext is never asked if the request has to be authenticated.
> So JASPIC can't be used wor web-applications which consist of secured AND unsecured parts.



--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list