Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-745

WebJASPIAuthenticator doesn't register Subject with SecurityContext


      After an authenticated identity is established, WebJASPIAuthenticator registers this with the current request, session (if cache is enabled) and optionally SSO:

           * <p>
           * Registers an authenticated Principal and authentication type in our request, in the current session (if there is one),
           * and with our SingleSignOn valve, if there is one.  Set the appropriate cookie to be returned.
           * </p>
           * [...[
          protected void register(...)


      What it does not do however is registering this same information with the SecurityContext where the EJB programmatic security can pick it up.

      Now in the next request org.jboss.as.web.security.SecurityContextAssociationValve will do this registration, but this means:

      1. Programmatic EJB security (EJBContext#isCallerInRole etc) can not be used in the same request in which authentication took place, since the SecurityContextAssociationValve runs before WebJASPIAuthenticator
      2. This mechanism depends on the session cache being used. (This is true by default in JBoss, but it should not be according to the JASPIC spec and users may opt to disable it, possibly since some SAM could require this in order to function correctly)

      I would like to propose putting code like the following in the mentioned register method or just after it, e.g.

      protected boolean authenticate(Request request, HttpServletResponse response, LoginConfig config) throws IOException {
      	// [...]
      	// if the client principal is not a jboss generic principal, we need to build one before registering.
      	if (!(clientPrincipal instanceof JBossGenericPrincipal))
      	    clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal, gpc);
      	this.register(request, response, clientPrincipal, authMethod, pvc != null ? pvc.getUsername() : null,
      	        pvc != null && pvc.getPassword() != null ? new String(pvc.getPassword()) : null);
      	// NEW: Associate Subject with SecurityContext
      	SecurityContext context = SecurityActions.getSecurityContext();
      	if (context == null) {
      		throw PicketBoxMessages.MESSAGES.invalidNullSecurityContext();
      	JBossGenericPrincipal jbossGenericPrincipal = (JBossGenericPrincipal) clientPrincipal;
      	context.getUtil().createSubjectInfo(new SimplePrincipal(

      Maybe the security context should be created if it does not exists, but I think it should always exist at the given point, shouldn't it?

      Note that this depends on SECURITY-744, since in the current trunk version of WebJASPIAuthenticator the Subject isn't build at all.

            Unassigned Unassigned
            arjan.tijms@gmail.com Arjan Tijms
            2 Vote for this issue
            5 Start watching this issue