  1. WildFly
  2. WFLY-8908

PicketBoxBasedIdentity.exists() should check if a valid JAAS Subject exists instead of always returning true

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 11.0.0.Alpha1
    • Fix Version/s: 11.0.0.Beta1
    • Component/s: Security
    • Labels:
      None

      Description

      The RealmIdentity.exists() method should be used to verify if a valid identity exists before an attempt to call other non-authentication methods - e.g. getAuthorizationIdentity() - is made.

      The PicketBoxBasedIdentity implementation in the SecurityDomainContextRealm is erroneously returning true when in fact it should be checking if a valid Subject was established as part of a previous JAAS authentication.

      The getAuthorizationIdentity() method can then simply throw an Exception if it is called without a valid JAAS Subject in place. Client code should check the result of the exists() method before attempting to get an AuthorizationIdentity so any code invoking getAuthorizationIdentity() without checking first if a valid identity exists should fail.
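The contract described above, as an added example that is not the WildFly source: `SubjectBackedIdentity`, `verifyEvidence`, `existsAlwaysTrue`, the fixed secret and the choice of `IllegalStateException` are assumptions made for illustration, with only `exists()` and `getAuthorizationIdentity()` taken from the issue text.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

// Added illustration; SubjectBackedIdentity is a hypothetical stand-in,
// not the WildFly PicketBoxBasedIdentity source.
public class ExistsContractDemo {

    static class SubjectBackedIdentity {
        // Populated only by a successful authentication; null otherwise.
        private Subject jaasSubject;

        // Stand-in for the JAAS login (constructed check against a fixed secret).
        boolean verifyEvidence(String user, char[] password) {
            if (!"s3cret".equals(new String(password))) {
                return false; // failed login: no Subject is established
            }
            Principal p = () -> user;
            Subject s = new Subject();
            s.getPrincipals().add(p);
            jaasSubject = s;
            return true;
        }

        // Reported behaviour: claims an identity exists regardless of state.
        boolean existsAlwaysTrue() { return true; }

        // Requested behaviour: true only once a Subject has been established.
        boolean exists() { return jaasSubject != null; }

        // Fails closed; the exception type is an assumption of this example.
        Set<Principal> getAuthorizationIdentity() {
            if (jaasSubject == null) {
                throw new IllegalStateException("no authenticated JAAS Subject");
            }
            return jaasSubject.getPrincipals();
        }
    }

    public static void main(String[] args) {
        SubjectBackedIdentity id = new SubjectBackedIdentity();
        id.verifyEvidence("alice", "wrong".toCharArray());
        System.out.println(id.existsAlwaysTrue() + " vs " + id.exists()); // failed login
        id.verifyEvidence("alice", "s3cret".toCharArray());
        if (id.exists()) { // caller checks exists() before asking for the identity
            id.getAuthorizationIdentity().forEach(pr -> System.out.println(pr.getName()));
        }
    }
}
```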

                People

                • Assignee: sguilhen Stefan Guilhen
                • Reporter: sguilhen Stefan Guilhen