Posted to commits@tomee.apache.org by "Stefan Kalscheuer (Jira)" <ji...@apache.org> on 2022/10/05 12:43:00 UTC

[jira] [Created] (TOMEE-4065) LoginToContinue interceptor fails on custom auth mechanism

Stefan Kalscheuer created TOMEE-4065:
----------------------------------------

             Summary: LoginToContinue interceptor fails on custom auth mechanism
                 Key: TOMEE-4065
                 URL: https://issues.apache.org/jira/browse/TOMEE-4065
             Project: TomEE
          Issue Type: Bug
    Affects Versions: 9.0.0-M8
            Reporter: Stefan Kalscheuer


I stumbled across an issue using a custom _HttpAuthenticationMechanism_ implementation using the _@LoginToContinue_ annotation directly.

*Minimal example code:*

{code:java}
@ApplicationScoped
@AutoApplySession
@LoginToContinue
public class AuthMechanism implements HttpAuthenticationMechanism {

  @Override
  public AuthenticationStatus validateRequest(HttpServletRequest request,
                                              HttpServletResponse response,
                                              HttpMessageContext httpMessageContext) throws AuthenticationException {
    /* do auth stuff */
  }
}
{code}


*Expected behavior*

I would expect the application server to redirect any request to a protected URL to the login page (without additional specification this would be "/login" here).


*Observable behavior*

Apparently this raises an error 500:
{quote}java.lang.IllegalArgumentException
    org.apache.tomee.security.cdi.LoginToContinueInterceptor.getLoginToContinue(LoginToContinueInterceptor.java:221)
    org.apache.tomee.security.cdi.LoginToContinueInterceptor.processContainerInitiatedAuthentication(LoginToContinueInterceptor.java:134)
    org.apache.tomee.security.cdi.LoginToContinueInterceptor.validateRequest(LoginToContinueInterceptor.java:78)
    org.apache.tomee.security.cdi.LoginToContinueInterceptor.intercept(LoginToContinueInterceptor.java:63)
...{quote}


The interceptor checks whether the invocation target implements _LoginToContinueMechanism_ and calls _getLoginToContinue()_. Because we do have a custom implementation here, this does not apply and raises an exception.


*Possible solution*

My workaround is a minor extension of the interceptor:

{code:java}
private LoginToContinue getLoginToContinue(final InvocationContext invocationContext) {
  if (invocationContext.getTarget() instanceof LoginToContinueMechanism) {
    return ((LoginToContinueMechanism) invocationContext.getTarget()).getLoginToContinue();
  }

  // WORKAROUND START
  // Fall back to the @LoginToContinue annotation placed directly on the mechanism class.
  LoginToContinue annotation = invocationContext.getTarget().getClass().getAnnotation(LoginToContinue.class);
  if (annotation != null) {
    return annotation;
  }
  // WORKAROUND END

  throw new IllegalArgumentException();
}
{code}


*RFC*

Did I miss or misinterpret anything here or should the behavior of the interceptor be extended, e.g. with the lines proposed above?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
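Added example (not part of the report or of TomEE itself) of what a complete custom mechanism of the shape described above looks like: the interceptor owns the redirect to the login page and back to the original URL, while the mechanism only validates the credentials posted by the login form. It assumes an IdentityStore is deployed and that the login form posts fields named `username` and `password`; both are assumptions.

```java
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.AutoApplySession;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
import jakarta.security.enterprise.credential.UsernamePasswordCredential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@ApplicationScoped
@AutoApplySession
@LoginToContinue(loginPage = "/login", errorPage = "/login-error")
public class AuthMechanism implements HttpAuthenticationMechanism {

    // Assumption: an IdentityStore (e.g. database or LDAP backed) is deployed with the application.
    @Inject
    private IdentityStoreHandler identityStoreHandler;

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request,
                                                HttpServletResponse response,
                                                HttpMessageContext httpMessageContext)
            throws AuthenticationException {
        // Assumed form field names; the login page is free to use others.
        String username = request.getParameter("username");
        String password = request.getParameter("password");

        // Requests without credentials are left to the @LoginToContinue interceptor, which
        // redirects unauthenticated access to a protected URL to loginPage and, after a
        // successful login, back to the originally requested URL.
        if (username == null || password == null) {
            return httpMessageContext.doNothing();
        }

        CredentialValidationResult result = identityStoreHandler.validate(
                new UsernamePasswordCredential(username, password));

        // VALID -> SUCCESS (caller principal and groups are set on the context);
        // INVALID / NOT_VALIDATED -> SEND_FAILURE, which the interceptor turns into a
        // redirect to errorPage. The password is never logged or stored here.
        return httpMessageContext.notifyContainerAboutLogin(result);
    }
}
```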