Posted to dev@tomcat.apache.org by bu...@apache.org on 2016/10/02 19:10:45 UTC

[Bug 60196] New: isMandatory erroneously always set to true for JASPIC SAM

https://bz.apache.org/bugzilla/show_bug.cgi?id=60196

            Bug ID: 60196
           Summary: isMandatory erroneously always set to true for JASPIC
                    SAM
           Product: Tomcat 9
           Version: 9.0.0.M10
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: arjan.tijms@gmail.com

When the validateRequest method of a JASPIC SAM is called in Tomcat 9, the
"javax.security.auth.message.MessagePolicy.isMandatory" key in the MessageInfo
map is erroneously always set to true.

This happens in
org.apache.catalina.authenticator.AuthenticatorBase.getJaspicState via the
following code:

    new MessageInfoImpl(request.getRequest(), response.getResponse(), true);

The "true" param becomes the "authMandatory" value in the MessageInfo map:

    map.put(IS_MANDATORY, Boolean.toString(authMandatory));

However, according to section 3.8.1.1 of the JASPIC 1.1 spec this should only
be true if the target resource is protected. To be more exact when:

"... the resource identified by the HttpServletRequest is covered by a Servlet
auth- constraint, or in a JSR 115 compatible runtime, if the corresponding
WebResourcePermission is NOT granted to an unauthenticated caller."

So while the SAM should always be called (whether authentication is required or
not), "javax.security.auth.message.MessagePolicy.isMandatory" should only be
set to true when authentication is actually required (which incidentally, is
also the case when HttpServletRequest#authenticate is called).

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 60196] isMandatory erroneously always set to true for JASPIC SAM

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60196

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
This has been fixed in the following branches:
- 9.0.x for 9.0.0.M11 onwards
- 8.5.x for 8.5.6 onwards



[Bug 60196] isMandatory erroneously always set to true for JASPIC SAM

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60196

Thomas Maslen <th...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |thomas.mpp.maslen@gmail.com



[Bug 60196] isMandatory erroneously always set to true for JASPIC SAM

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=60196

--- Comment #2 from Arjan Tijms <ar...@gmail.com> ---
Thanks a lot for the quick fix!

ps. 

I added a CI target for Tomcat to the Java EE samples project
(https://github.com/javaee-samples/javaee7-samples.git)

After a git clone the JASPIC tests can be started using:

mvn clean install -pl "test-utils,util" -am
cd jaspic
mvn clean test -P tomcat-ci-managed

Tomcat versions from the Apache public and staging repositories can be tested.
It currently defaults to version 8.5.6, but another version can be used via the
-Dtomcat.version option. E.g.

mvn clean test -P tomcat-ci-managed -Dtomcat.version=8.5.5

Note that for Tomcat the integration tests with EJB, JSF, JACC, etc are
automatically skipped.

The staged Tomcat 8.5.6 has a perfect test result btw, all tests pass. Very
impressive!
