Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-728

WebJASPIOptionalAuthenticator does not actually authenticate

    Details

      Description

      According to the JASPIC specification, a SAM should be invoked for unprotected resources as well as protected resources. Invoking the SAM for unprotected resources is required for pre-emptive authentication.

      This is detailed in section 3.8 of the JSR 196 (JASPIC) specification and is explicitly acknowledged by the spec lead at http://java.net/jira/browse/SERVLET_SPEC-21

      However, the documented WebJASPIAuthenticator valve is not invoked for unprotected resources. There is an undocumented valve, WebJASPIOptionalAuthenticator, which can be used, but this one does not actually authenticate.

      See the following fragment:

        boolean isValid = sam.isValid(messageInfo, new Subject(), messageLayer, appContext, cbh);
        if (isValid) {
            WebLogger.WEB_SECURITY_LOGGER.debugf("JASPI validation for unprotected request context %s succeeded", request.getServletPath());
            sam.secureResponse(messageInfo, new Subject(),  messageLayer, appContext, cbh);
        }
      

      As can be seen, the callbackhandler (cbh) is not processed.

      Additionally, the javadoc comments for WebJASPIOptionalAuthenticator says calling unprotected resources is optional, but I don't think this is the case:

      /**
       * <p>
       * This class implements a JASPI authenticator for unprotected resources. In the JASPI Servlet profile, authentication
       * for unprotected resources is optional but it is still allowed. When performed, the JASPI authentication modules must
       * grant access to the unprotected resources irrespective of the caller, which may be anonymous (i.e, no security info
       * supplied).
       * </p>
       *
       * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
       */
      @SuppressWarnings("unused")
      public class WebJASPIOptionalAuthenticator extends ValveBase {
      

      WebJASPIOptionalAuthenticator should probably contain the following code in the isValid if statement:

       PasswordValidationCallback pvc = cbh.getPasswordValidationCallback();
                  CallerPrincipalCallback cpc = cbh.getCallerPrincipalCallback();
       
                  // get the client principal from the callback.
                  Principal clientPrincipal = cpc.getPrincipal();
                  if (clientPrincipal == null) {
                      clientPrincipal = new SimplePrincipal(cpc.getName());
                  }
       
                  // if the client principal is not a jboss generic principal, we need to build one before registering.
                  if (!(clientPrincipal instanceof JBossGenericPrincipal))
                      clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal);
       
                  this.register(request, response, clientPrincipal, authMethod, pvc.getUsername(),
                          new String(pvc.getPassword()));
      

      (code taken from WebJASPIAuthenticator).

      Perhaps it's better if the two valves are merged?

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                atijms Arjan Tijms
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: