Project: Application Server 3 4 5 and 6
Issue: JBAS-2519

Delegate to JACC provider for unsecured resources in web.xml


Details

    • Feature Request
    • Resolution: Done
    • Major
    • JBossAS-4.0.4.GA
    • JBossAS-4.0.3 SP1
    • Security
    • None

    Description

      On an HTTP request, JBoss does not call a configured JACC provider's implies method if Tomcat thinks the requested URL is not protected.

      The problem lies in the AuthenticatorBase invoke method between lines 399 and 409 as follows:

      // Is this request URI subject to a security constraint?
      SecurityConstraint[] constraints =
          realm.findSecurityConstraints(request, this.context);

      if ((constraints == null) /* &&
          (!Constants.FORM_METHOD.equals(config.getAuthMethod())) */ ) {
          if (log.isDebugEnabled())
              log.debug(" Not subject to any constraint");
          getNext().invoke(request, response);
          return;
      }

      If no security constraints were found that match the request, AuthenticatorBase doesn't even call the realm. The problem with this is that if the JACC provider is configured to enforce policy that is not specified in the web.xml file, it doesn't get called. Therefore, the JACC provider is crippled in that it can't mark any resources that aren't already protected in the web.xml file. It defeats part of the purpose of even having JACC provider support.

      Tomcat behaves this way because it has never had any built-in JACC support. One way to fix this bug would be to have AuthenticatorBase call the Realm.hasResourcePermission method if no security constraints were found. If the JACC provider considers the request public, it should return true, in which case AuthenticatorBase can continue with calling getNext().invoke(request, response). If the JACC provider doesn't consider the request public, it would return false, in which case AuthenticatorBase should continue on as if it found a security constraint, with a few tweaks to make sure it works without any constraints.
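      The short-circuit the description points at, and the delegation it proposes, side by side in an added Java example. This is illustration code written for this page, not JBoss or Tomcat code: the Request, SecurityConstraint, Realm and JaccRealm types, the Outcome enum and the jaccPolicy map are simplified stand-ins for Tomcat's classes and for a JACC Policy.implies() call, and the sample deployment in main() is constructed. Authentication is collapsed into the caller's role set so the two invoke() variants can be compared directly.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration of JBAS-2519 (not JBoss or Tomcat code): a valve that
 * short-circuits when web.xml has no matching constraint never lets a JACC
 * policy protect an "unlisted" resource. All types here are simplified
 * stand-ins for Tomcat's Request, SecurityConstraint and Realm.
 */
public class JaccDelegationDemo {

    /** Stand-in for an HTTP request: method, URI and the caller's roles (empty set = anonymous). */
    record Request(String method, String uri, Set<String> callerRoles) {}

    /** Stand-in for a web.xml <security-constraint>: URL prefix plus the roles allowed through. */
    record SecurityConstraint(String urlPrefix, Set<String> roles) {}

    /** The two Realm methods the description refers to, with simplified signatures. */
    interface Realm {
        SecurityConstraint[] findSecurityConstraints(Request req);
        boolean hasResourcePermission(Request req, SecurityConstraint[] constraints);
    }

    /**
     * Hypothetical JACC-delegating realm. The jaccPolicy map (URI -> required role) stands in
     * for what a real provider would answer from Policy.implies(WebResourcePermission).
     */
    static class JaccRealm implements Realm {
        private final List<SecurityConstraint> webXml;
        private final Map<String, String> jaccPolicy;

        JaccRealm(List<SecurityConstraint> webXml, Map<String, String> jaccPolicy) {
            this.webXml = webXml;
            this.jaccPolicy = jaccPolicy;
        }

        @Override
        public SecurityConstraint[] findSecurityConstraints(Request req) {
            List<SecurityConstraint> hits = new ArrayList<>();
            for (SecurityConstraint c : webXml) {
                if (req.uri().startsWith(c.urlPrefix())) {
                    hits.add(c);
                }
            }
            // Like Tomcat: null, not an empty array, when nothing in web.xml matches
            return hits.isEmpty() ? null : hits.toArray(new SecurityConstraint[0]);
        }

        @Override
        public boolean hasResourcePermission(Request req, SecurityConstraint[] constraints) {
            // Policy only the JACC provider knows about (not declared in web.xml)
            String requiredByPolicy = jaccPolicy.get(req.uri());
            if (requiredByPolicy != null && !req.callerRoles().contains(requiredByPolicy)) {
                return false;
            }
            // Constraints that did come from web.xml: the caller needs one allowed role per constraint
            if (constraints != null) {
                for (SecurityConstraint c : constraints) {
                    if (c.roles().stream().noneMatch(req.callerRoles()::contains)) {
                        return false;
                    }
                }
            }
            return true;
        }
    }

    enum Outcome { PASSED_THROUGH, NEEDS_AUTH }

    /** Mirrors the quoted AuthenticatorBase.invoke(): constraints == null means the realm is never asked. */
    static Outcome originalInvoke(Realm realm, Request req) {
        SecurityConstraint[] constraints = realm.findSecurityConstraints(req);
        if (constraints == null) {
            return Outcome.PASSED_THROUGH;
        }
        return realm.hasResourcePermission(req, constraints) ? Outcome.PASSED_THROUGH : Outcome.NEEDS_AUTH;
    }

    /** The change the description proposes: ask the realm even when web.xml has no matching constraint. */
    static Outcome proposedInvoke(Realm realm, Request req) {
        SecurityConstraint[] constraints = realm.findSecurityConstraints(req);
        if (constraints == null) {
            // Let the JACC provider decide whether this unlisted resource is really public
            return realm.hasResourcePermission(req, null) ? Outcome.PASSED_THROUGH : Outcome.NEEDS_AUTH;
        }
        return realm.hasResourcePermission(req, constraints) ? Outcome.PASSED_THROUGH : Outcome.NEEDS_AUTH;
    }

    public static void main(String[] args) {
        // Constructed deployment: web.xml protects /admin/*, the JACC policy additionally protects one JSP
        Realm realm = new JaccRealm(
                List.of(new SecurityConstraint("/admin/", Set.of("admin"))),
                Map.of("/reports/secret.jsp", "auditor"));

        Set<String> anonymous = Set.of();
        List<Request> samples = List.of(
                new Request("GET", "/index.html", anonymous),
                new Request("GET", "/admin/users", anonymous),
                new Request("GET", "/reports/secret.jsp", anonymous),   // the JBAS-2519 case
                new Request("GET", "/reports/secret.jsp", Set.of("auditor")));

        for (Request r : samples) {
            System.out.printf("%-22s roles=%-10s original=%-15s proposed=%s%n",
                    r.uri(), r.callerRoles(), originalInvoke(realm, r), proposedInvoke(realm, r));
        }
    }
}
```

      Compile and run with javac/java (Java 16 or later, for records). The third sample request is the situation the issue describes: with the original ordering the anonymous request to a URL that web.xml does not mention passes straight through, while the proposed ordering hands it to the realm, whose policy says it is not public.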

      People

        anil.saldhana Anil Saldanha (Inactive)
        skinser_jira Stephen Kinser (Inactive)
        Votes: 1
        Watchers: 2
