- Bug
- Resolution: Done
- Critical
- JBossAS-4.0.2RC1
- None
JaccAuthorizationRealm incorrectly returns false when an unauthenticated caller attempts to access an unprotected resource. The problem lies in the JaccAuthorizationRealm class.
Here's an example security constraint in a web.xml file that exposes the problem:
<security-constraint>
   <web-resource-collection>
      <web-resource-name>unchecked collection</web-resource-name>
      <url-pattern>/unchecked</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
   </user-data-constraint>
</security-constraint>
When an unauthenticated user attempts to access an unprotected resource, the hasResourcePermission method calls checkSecurityAssociation(perm, request.getUserPrincipal()). Since the user is unauthenticated, getUserPrincipal returns null. In checkSecurityAssociation the code then tries to obtain the caller Subject; for an unauthenticated request that subject is always null, so checkSecurityAssociation returns false without ever consulting the JACC policy provider.
Code snippet from the checkSecurityAssociation method:
Subject caller = null;
try
{
   // Restored from context (assumption): the caller Subject is looked up in the JACC PolicyContext
   caller = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
}
catch (PolicyContextException e)
{ if( trace ) log.trace("Failed to get subject from PolicyContext", e); }
if( caller == null )
{
   // Test the request principal that may come from the session cache
   if( requestPrincpal instanceof JBossGenericPrincipal )
      caller = ((JBossGenericPrincipal) requestPrincpal).getSubject(); // restored from context (assumption)
   if( caller == null ) //** caller will be null since the user is unauthenticated **
   { if( trace ) log.trace("Denied, no active subject found in PolicyContext"); return false; }
}
The proper behavior would be to always call the JACC policy provider instead of returning false prematurely.
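The decision flow described above, as an added model (not JBoss code): a toy JACC-style policy that grants unchecked permissions to anyone and role-mapped permissions only to matching principals, with the realm's buggy early denial beside the corrected behaviour of always asking the policy. The policy class, the `principals_of` helper and the sample URL patterns and roles are constructed for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class WebResourcePermission:
    """Stand-in for javax.security.jacc.WebResourcePermission (constructed)."""
    url_pattern: str
    method: str = "GET"


class JaccPolicy:
    """Toy policy provider (constructed): permissions on patterns in the
    'unchecked' set are implied for every caller, all others only for callers
    holding one of the roles mapped to the pattern."""
    def __init__(self, unchecked: set[str], role_map: dict[str, set[str]]):
        self.unchecked = unchecked
        self.role_map = role_map

    def implies(self, principals: frozenset[str], perm: WebResourcePermission) -> bool:
        if perm.url_pattern in self.unchecked:
            return True              # no auth-constraint: granted regardless of caller
        return bool(self.role_map.get(perm.url_pattern, set()) & principals)


def principals_of(request_principal: dict | None) -> frozenset[str]:
    """An absent subject becomes an empty principal set, not a denial."""
    return frozenset() if request_principal is None else frozenset(request_principal["roles"])


def check_buggy(policy: JaccPolicy, perm: WebResourcePermission, request_principal: dict | None) -> bool:
    # Mirrors the report: with no subject the realm returns false before the policy is asked.
    if request_principal is None:
        return False
    return policy.implies(principals_of(request_principal), perm)


def check_fixed(policy: JaccPolicy, perm: WebResourcePermission, request_principal: dict | None) -> bool:
    # Proper behaviour: the JACC policy provider always makes the decision.
    return policy.implies(principals_of(request_principal), perm)


# Constructed sample deployment: /unchecked has no auth-constraint, /admin needs role 'admin'.
POLICY = JaccPolicy(unchecked={"/unchecked"}, role_map={"/admin": {"admin"}})
ANONYMOUS = None                                  # request.getUserPrincipal() == null
ADMIN = {"name": "alice", "roles": ["admin"]}     # authenticated caller with a role


def decisions(check) -> dict[str, bool]:
    """Decision matrix for one realm implementation."""
    return {
        "anon->/unchecked": check(POLICY, WebResourcePermission("/unchecked"), ANONYMOUS),
        "anon->/admin": check(POLICY, WebResourcePermission("/admin"), ANONYMOUS),
        "admin->/admin": check(POLICY, WebResourcePermission("/admin"), ADMIN),
    }
```

Only the anonymous request to the unchecked resource differs between the two: the buggy realm denies it, the corrected one lets the policy grant it, while protected resources stay denied for anonymous callers in both.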