Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-727

secureResponse with JASPIC called before service invocation instead of after

    Details

      Description

      WebJASPIAuthenticator in JBoss AS 7.1.1 and JBoss EAP 6.0.1 calls secureResponse right after validateRequest on a SAM has been called. The only intermediate code is registering the result of the callback handler with the container. The service invocation (e.g. calling a Servlet) is done afterwards, ie after the call to secureResponse.

      See the following fragment in WebJASPIAuthenticator:

          if (sam != null) {
                  result = sam.isValid(messageInfo, clientSubject, messageLayer, appContext, cbh);
              }
       
              // the authentication process has been a success. We need to register the principal, username, password and roles
              // with the container
              if (result) {
                  PasswordValidationCallback pvc = cbh.getPasswordValidationCallback();
                  CallerPrincipalCallback cpc = cbh.getCallerPrincipalCallback();
       
                  // get the client principal from the callback.
                  Principal clientPrincipal = cpc.getPrincipal();
                  if (clientPrincipal == null) {
                      clientPrincipal = new SimplePrincipal(cpc.getName());
                  }
       
                  // if the client principal is not a jboss generic principal, we need to build one before registering.
                  if (!(clientPrincipal instanceof JBossGenericPrincipal))
                      clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal);
       
                  this.register(request, response, clientPrincipal, authMethod, pvc.getUsername(),
                          new String(pvc.getPassword()));
       
                  if (this.secureResponse)
                      sam.secureResponse(messageInfo, new Subject(), messageLayer, appContext, cbh);
              }
      

      However, section 3.8.3.3 of the JSR 196 (JASPIC) spec says that the semantics of secureResponse are as defined in Section 3.8.2.2, which thus means that secureResponse should be called after a service invocation. Figure 1.1 in Section 1.1 shows this as well, and the general flow as described is Section 3.8 also mentions this.

      So, in JBoss the sequence is

      validateRequest -> secureResponse -> Invoke Service
      

      While the spec seems to say it should be:

       
      validateRequest -> Invoke Service -> secureResponse
      

      In the reference implementation GlassFish the sequence is indeed the latter one.

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                atijms Arjan Tijms
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated: