GLASSFISH-20317

JASPIC 1.1's new register session doesn't work

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.0_b84_RC1
    • Fix Version/s: 4.0_b88_RC4
    • Component/s: security
    • Labels: None

      Description

      In JASPIC 1.1 a new feature was specified that allows a SAM to ask the runtime to register a session. See http://java.net/jira/browse/JASPIC_SPEC-3 and http://jcp.org/aboutJava/communityprocess/maintenance/jsr196/module-asking-for-container-auth-session.pdf

      Changes for this were made to GlassFish 4, but in practice they don't seem to work.

      From a SAM's validateRequest method I called the following code:

      import static java.lang.Boolean.TRUE;

      // Called from validateRequest: asks the container to keep the established identity in the HTTP session
      public static void setRegisterSession(MessageInfo messageInfo) {
          messageInfo.getMap().put("javax.servlet.http.registerSession", TRUE.toString());
      }
      

      An authenticated identity was set via code such as the following:

      // Caller name plus one group; clientSubject and handler come from the validateRequest/initialize contract
      CallerPrincipalCallback callerPrincipalCallback = new CallerPrincipalCallback(clientSubject, "test");
      GroupPrincipalCallback groupPrincipalCallback = new GroupPrincipalCallback(
          clientSubject, new String[] { "architect" }
      );

      try {
          handler.handle(new Callback[] { callerPrincipalCallback, groupPrincipalCallback });
      } catch (IOException | UnsupportedCallbackException e) {
          e.printStackTrace();
      }

      return SUCCESS; // AuthStatus.SUCCESS, statically imported
      

      After this a protected resource could indeed be invoked, but after requesting the same protected resource again, the SAM was also invoked again without any trace of the previously established authenticated identity. If I'm not mistaken the idea is that the runtime remembers this authenticated identity (name + groups/roles) and will not invoke the SAM again until the user explicitly logs out, or removes the HTTP session.

      p.s. I also tested on GlassFish 3.1.2.2 using the proprietary key com.sun.web.RealmAdapter.register and checked by stepping into the GlassFish source code that the "register" branch is indeed taken in RealmAdapter:

      if (register) {
          AuthenticatorProxy proxy = new AuthenticatorProxy(authenticator, wp, authType);
          proxy.authenticate(request, response, config);
      } else {
          request.setAuthType((authType == null) ? PROXY_AUTH_TYPE : authType);
          request.setUserPrincipal(wp);
      }
      

      There too the authenticated identity was not remembered.

        Activity

        Tom Mueller added a comment -

        Approved for 4.0. Please be sure to check the fix in to the 4.0 branch and the trunk.

        quang.dang added a comment -

        4.0 revision 61884, appserver/security/core-ee/src/main/java/com/sun/enterprise/security/jmac/callback/BaseContainerCallbackHandler.java

        arjan tijms added a comment -

        Thanks for the fix Quang Dang!

        If you're still working on the code, please ignore the following, but I noticed that in rev 61884 of BaseContainerCallbackHandler#processCallerPrincipal there's a boolean useName set to false but thereafter not used anymore.

        When reading through reuseWebPrincipal (which is quite an impressive check), I noticed two tiny typos in the comments. Hardly worth mentioning really, but on line 263 it says "WebPrincipla" and on line 331 it says "remove any exiting".

        I'll see if I can do some local testing with the code later today. Thanks again!

        quang.dang added a comment -

        trunk rev. 61899

        quang.dang added a comment -

        Ron gave some serious thought on this issue and came up with that fix.
        The spellings got corrected.


          People

          • Assignee: quang.dang
          • Reporter: arjan tijms
          • Votes: 0
          • Watchers: 1
