[wildfly-dev] Regression after WFLY-5298; request#authenticate does nothing now

arjan tijms arjan.tijms at gmail.com
Wed Sep 23 09:31:17 EDT 2015


Hi,

It looks like that after WFLY-5298 (this commit specifically
https://github.com/wildfly/wildfly/commit/121a305c59c3619bb747681c62d099dfddd82709#diff-540388fb45365d1d79353d8b4552bcf6)
HttpServletRequest#authenticate does not longer do anything.

HttpServletRequest#authenticate calls though to
JASPIAuthenticationMechanism#authenticate.

There it now obtains the attachment that was set by the new
JASPICInitialHandler, which calls the SAM at the beginning of the
request. And then uses the stored "isValid" outcome directly, without
calling the SAM again.

See the code below:

  public AuthenticationMechanismOutcome authenticate(final
HttpServerExchange exchange, final SecurityContext sc) {
        JASPICAttachment attachment =
exchange.getAttachment(JASPICAttachment.ATTACHMENT_KEY);

        AuthenticationMechanismOutcome outcome;
        Account authenticatedAccount = null;

        boolean isValid = attachment.isValid();
        final ServletRequestContext requestContext =
attachment.getRequestContext();
        final JASPIServerAuthenticationManager sam = attachment.getSam();
        final JASPICallbackHandler cbh = attachment.getCbh();

        GenericMessageInfo messageInfo = attachment.getMessageInfo();
        if (isValid) {
            // The CBH filled in the JBOSS SecurityContext, we need to
create an Undertow account based on that
            org.jboss.security.SecurityContext jbossSct =
SecurityActions.getSecurityContext();
            authenticatedAccount =
createAccount(attachment.getCachedAccount(), jbossSct);
        }

This is not correct I think. The code should call the SAM once again
and use the outcome from that call.

Am I missing something, or was the new call to the SAM simply
forgotten at this point?

Kind regards,
Arjan Tijms


More information about the wildfly-dev mailing list