[jboss-jira] [JBoss JIRA] (WFLY-8908) PicketBoxBasedIdentity.exists() should check if a valid JAAS Subject exists instead of always returning true
Stefan Guilhen (JIRA)
issues at jboss.org
Wed Jun 7 14:08:00 EDT 2017
[ https://issues.jboss.org/browse/WFLY-8908?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Guilhen updated WFLY-8908:
---------------------------------
Description:
The RealmIdentity.exists() method should be used to verify that a valid identity exists before any other non-authentication method, e.g. getAuthorizationIdentity(), is called.
The PicketBoxBasedIdentity implementation in the SecurityDomainContextRealm erroneously always returns true, when it should instead check whether a valid Subject was established by a previous JAAS authentication.
The getAuthorizationIdentity() method can then simply throw an exception when it is called without a valid JAAS Subject in place. Client code should check the result of exists() before attempting to get an AuthorizationIdentity, so any code that invokes getAuthorizationIdentity() without first checking that a valid identity exists should fail.
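A minimal Java sketch of the before/after behaviour described above, added here as an example and not WildFly's own code: IdentityLike is a stand-in for the relevant slice of RealmIdentity (an assumption; the real interface has further methods), and javax.security.auth.Subject represents the result of the earlier JAAS login.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.security.auth.Subject;
// Stand-in for the slice of RealmIdentity this issue is about (assumption:
// the real interface has further methods, omitted here).
interface IdentityLike {
    boolean exists();
    Set<Principal> getAuthorizationIdentity();
}
// Before the fix: exists() is hard-coded to true, so a caller cannot tell an
// unauthenticated identity from an authenticated one.
final class AlwaysExistsIdentity implements IdentityLike {
    private final Subject subject; // null when no JAAS login ever ran
    AlwaysExistsIdentity(Subject subject) { this.subject = subject; }
    public boolean exists() { return true; }
    public Set<Principal> getAuthorizationIdentity() {
        return subject == null ? Collections.emptySet() : subject.getPrincipals();
    }
}
// After the fix: exists() reports whether a JAAS Subject was established,
// and getAuthorizationIdentity() refuses to proceed without one.
final class SubjectCheckedIdentity implements IdentityLike {
    private final Subject subject;
    SubjectCheckedIdentity(Subject subject) { this.subject = subject; }
    public boolean exists() {
        // Assumption: a Subject with no principals is not a usable login result.
        return subject != null && !subject.getPrincipals().isEmpty();
    }
    public Set<Principal> getAuthorizationIdentity() {
        if (!exists()) throw new IllegalStateException("no valid JAAS Subject");
        return subject.getPrincipals();
    }
}
public class ExistsCheckDemo {
    // Caller pattern the issue asks for: consult exists() before anything else.
    static String describe(IdentityLike identity) {
        if (!identity.exists()) return "no identity, request denied";
        String names = "";
        for (Principal p : identity.getAuthorizationIdentity()) names += " " + p.getName();
        return "principals:" + names;
    }
    public static void main(String[] args) {
        Subject loggedIn = new Subject(); // constructed sample: a completed JAAS login
        loggedIn.getPrincipals().add((Principal) () -> "alice");
        System.out.println(describe(new AlwaysExistsIdentity(null)));   // passes the check, yields nothing
        System.out.println(describe(new SubjectCheckedIdentity(null))); // fails fast
        System.out.println(describe(new SubjectCheckedIdentity(loggedIn)));
    }
}
```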
> PicketBoxBasedIdentity.exists() should check if a valid JAAS Subject exists instead of always returning true
> ------------------------------------------------------------------------------------------------------------
>
> Key: WFLY-8908
> URL: https://issues.jboss.org/browse/WFLY-8908
> Project: WildFly
> Issue Type: Bug
> Components: Security
> Affects Versions: 11.0.0.Alpha1
> Reporter: Stefan Guilhen
> Assignee: Stefan Guilhen
--
This message was sent by Atlassian JIRA
(v7.2.3#72005)