Type: New Feature
Section 22.214.171.124 of the JASPIC spec discusses the invocation of validateRequest after a service invocation for the Servlet Container Profile.
It does however not give any details under which circumstances the runtime should call this method after a service invocation, and neither does it give any details about how an implementation of this method should distinguish between being called before service invocation (in which its job is to do authentication) and after service invocation (in which its job is to secure a response). For the SOAP profile, footnote 6 in 126.96.36.199 does give an explanation.
Section 188.8.131.52 says that the semantics of secureResponse are as defined in Section 184.108.40.206, which thus means that secureResponse should be called after a service invocation. Figure 1.1 in Section 1.1 shows this as well, and the general flow as described is Section 3.8 also mentions this.
Unfortunately, not all JASPIC implementations indeed call secureResponse after a service invocation. GlassFish 220.127.116.11, Geronimo V3.0 and WebSphere 8.5 do make the call afterwards, but the certified implementations of JBoss EAP 6.0.1 (and AS 7.1.1) as well as WebLogic 12.1.1 call secureResponse before a service invocation. In fact, both those implementations call secureResponse nearly immediately after validateRequest is called. In case of WebLogic 12.1.1 this can be deduced from the call stack in debug mode, while in case of JBoss EAP 6.0.1 it can be seen directly in its source code.
E.g. consider the following abbreviated excerpt from JBoss EAP's WebJASPIAuthenticator:
In case of JBoss EAP, secureResponse is not only seemingly called at the wrong time, it's also an optional operation (default false) but the spec does not mention this operation to be optional.
I would like to request a TCK test to be added that tests that secureResponse is indeed called after a service invocation, and clarification of the following items:
- 18.104.22.168 - Why or when would validateRequest be called after a service invocation
- Perhaps in 22.214.171.124 an explicit statement that secureResponse is to be called after a service invocation and not before.