Uploaded image for project: 'PicketBox '
  1. PicketBox
  2. SECURITY-745

WebJASPIAuthenticator doesn't register Subject with SecurityContext

    Details

      Description

      After an authenticated identity is established, WebJASPIAuthenticator registers this with the current request, session (if cache is enabled) and optionally SSO:

        /**
           * <p>
           * Registers an authenticated Principal and authentication type in our request, in the current session (if there is one),
           * and with our SingleSignOn valve, if there is one.  Set the appropriate cookie to be returned.
           * </p>
           *
           * [...[
           */
          @Override
          protected void register(...)
      

      Source

      What it does not do however is registering this same information with the SecurityContext where the EJB programmatic security can pick it up.

      Now in the next request org.jboss.as.web.security.SecurityContextAssociationValve will do this registration, but this means:

      1. Programmatic EJB security (EJBContext#isCallerInRole etc) can not be used in the same request in which authentication took place, since the SecurityContextAssociationValve runs before WebJASPIAuthenticator
      2. This mechanism depends on the session cache being used. (This is true by default in JBoss, but it should not be according to the JASPIC spec and users may opt to disable it, possibly since some SAM could require this in order to function correctly)

      I would like to propose putting code like the following in the mentioned register method or just after it, e.g.

      protected boolean authenticate(Request request, HttpServletResponse response, LoginConfig config) throws IOException {
      
      	// [...]
      
      	// if the client principal is not a jboss generic principal, we need to build one before registering.
      	if (!(clientPrincipal instanceof JBossGenericPrincipal))
      	    clientPrincipal = this.buildJBossPrincipal(clientSubject, clientPrincipal, gpc);
      	
      	this.register(request, response, clientPrincipal, authMethod, pvc != null ? pvc.getUsername() : null,
      	        pvc != null && pvc.getPassword() != null ? new String(pvc.getPassword()) : null);
      
      	// NEW: Associate Subject with SecurityContext
      	
      	SecurityContext context = SecurityActions.getSecurityContext();
      	if (context == null) {
      		throw PicketBoxMessages.MESSAGES.invalidNullSecurityContext();
      	}
      	
      	JBossGenericPrincipal jbossGenericPrincipal = (JBossGenericPrincipal) clientPrincipal;
      	context.getUtil().createSubjectInfo(new SimplePrincipal(
      		jbossGenericPrincipal.getName()), 
      		jbossGenericPrincipal.getCredentials(),
      		jbossGenericPrincipal.getSubject()
      	);
      

      Maybe the security context should be created if it does not exists, but I think it should always exist at the given point, shouldn't it?

      Note that this depends on SECURITY-744, since in the current trunk version of WebJASPIAuthenticator the Subject isn't build at all.

        Gliffy Diagrams

          Attachments

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                atijms Arjan Tijms
              • Votes:
                2 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated: