Posted to commits@tomee.apache.org by "Stefan Kalscheuer (Jira)" <ji...@apache.org> on 2022/10/05 12:43:00 UTC
[jira] [Created] (TOMEE-4065) LoginToContinue interceptor fails on custom auth mechanism
Stefan Kalscheuer created TOMEE-4065:
----------------------------------------
Summary: LoginToContinue interceptor fails on custom auth mechanism
Key: TOMEE-4065
URL: https://issues.apache.org/jira/browse/TOMEE-4065
Project: TomEE
Issue Type: Bug
Affects Versions: 9.0.0-M8
Reporter: Stefan Kalscheuer
I stumbled across an issue using a custom _HttpAuthenticationMechanism_ implementation using the _@LoginToContinue_ annotation directly.
*Minimal example code:*
{code:java}
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.AutoApplySession;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@ApplicationScoped
@AutoApplySession
@LoginToContinue
public class AuthMechanism implements HttpAuthenticationMechanism {
    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
                                                HttpServletResponse response,
                                                HttpMessageContext httpMessageContext) throws AuthenticationException {
        /* do auth stuff */
        return httpMessageContext.doNothing(); // placeholder result so the minimal example compiles
    }
}
{code}
*Expected behavior*
I would expect the application server to redirect any request to a protected URL to the login page (without additional specification this would be "/login" here).
*Observable behavior*
Apparently this raises an error 500:
{quote}
java.lang.IllegalArgumentException
    org.apache.tomee.security.cdi.LoginToContinueInterceptor.getLoginToContinue(LoginToContinueInterceptor.java:221)
    org.apache.tomee.security.cdi.LoginToContinueInterceptor.processContainerInitiatedAuthentication(LoginToContinueInterceptor.java:134)
    org.apache.tomee.security.cdi.LoginToContinueInterceptor.validateRequest(LoginToContinueInterceptor.java:78)
    org.apache.tomee.security.cdi.LoginToContinueInterceptor.intercept(LoginToContinueInterceptor.java:63)
    ...
{quote}
The interceptor checks whether the invocation target implements _LoginToContinueMechanism_ and calls _getLoginToContinue()_. Because we do have a custom implementation here, this does not apply and raises an exception.
*Possible solution*
My workaround is a minor extension of the interceptor:
{code:java}
// In org.apache.tomee.security.cdi.LoginToContinueInterceptor
private LoginToContinue getLoginToContinue(final InvocationContext invocationContext) {
    // Existing behaviour: built-in mechanisms expose the annotation via LoginToContinueMechanism.
    if (invocationContext.getTarget() instanceof LoginToContinueMechanism) {
        return ((LoginToContinueMechanism) invocationContext.getTarget()).getLoginToContinue();
    }
    // WORKAROUND START
    // Custom mechanisms: fall back to the @LoginToContinue annotation on the target class.
    LoginToContinue annotation = invocationContext.getTarget().getClass().getAnnotation(LoginToContinue.class);
    if (annotation != null) {
        return annotation;
    }
    // WORKAROUND END
    throw new IllegalArgumentException();
}
{code}
*RFC*
Did I miss or misinterpret anything here or should the behavior of the interceptor be extended, e.g. with the lines proposed above?
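The resolution logic described in this report, as an added stand-alone illustration that is neither TomEE's code nor the reporter's: it first honours the `LoginToContinueMechanism` interface (assumed to live in `org.apache.tomee.security.cdi`, the package shown in the stack trace), then falls back to the `@LoginToContinue` annotation on the target class, and additionally walks the superclass chain, which is a defensive assumption of this example (the annotation is not `@Inherited`, so a generated subclass of the bean class would not carry it). The `main` method exercises it with constructed sample classes and does not need a container; the failure case produces a descriptive message instead of a bare `IllegalArgumentException`, which makes the error 500 above far easier to diagnose.

```java
import jakarta.interceptor.InvocationContext;
import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
import org.apache.tomee.security.cdi.LoginToContinueMechanism; // assumed package, see lead-in

/** Added example: resolves the effective @LoginToContinue for an intercepted mechanism. */
public final class LoginToContinueResolver {

    private LoginToContinueResolver() {}

    /** Entry point an interceptor would use. */
    public static LoginToContinue resolve(final InvocationContext ctx) {
        return resolve(ctx.getTarget());
    }

    public static LoginToContinue resolve(final Object target) {
        if (target == null) {
            throw new IllegalArgumentException("no interception target");
        }
        // 1. TomEE's built-in mechanisms expose the annotation programmatically.
        if (target instanceof LoginToContinueMechanism) {
            return ((LoginToContinueMechanism) target).getLoginToContinue();
        }
        // 2. Custom mechanisms: look for the annotation on the class itself.
        //    Walking up the hierarchy is a defensive assumption of this example:
        //    @LoginToContinue is not @Inherited, so a subclass that does not repeat
        //    the annotation would otherwise be rejected.
        for (Class<?> c = target.getClass(); c != null && c != Object.class; c = c.getSuperclass()) {
            final LoginToContinue annotation = c.getAnnotation(LoginToContinue.class);
            if (annotation != null) {
                return annotation;
            }
        }
        // 3. Neither: fail with a message that names the offending class.
        throw new IllegalArgumentException(target.getClass().getName()
                + " neither implements LoginToContinueMechanism nor is annotated with @LoginToContinue");
    }

    // Constructed sample classes for the stand-alone check below.
    @LoginToContinue(loginPage = "/login", errorPage = "/login-error")
    static class SampleMechanism {}

    /** Simulates a subclass that does not repeat the annotation. */
    static class SubclassWithoutAnnotation extends SampleMechanism {}

    public static void main(final String[] args) {
        final LoginToContinue direct = resolve(new SampleMechanism());
        final LoginToContinue viaSubclass = resolve(new SubclassWithoutAnnotation());
        System.out.println(direct.loginPage() + " " + viaSubclass.loginPage()); // /login /login
        try {
            resolve(new Object());
        } catch (final IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with the Jakarta Security 3.0 API and the TomEE security module on the classpath; without a container the `InvocationContext` overload is simply unused.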
--
This message was sent by Atlassian Jira
(v8.20.10#820010)