Subject [Bug 60196] New: isMandatory erroneously always set to true for JASPIC SAM
Date Sun, 02 Oct 2016 19:10:45 GMT

            Bug ID: 60196
           Summary: isMandatory erroneously always set to true for JASPIC
           Product: Tomcat 9
           Version: 9.0.0.M10
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina

When the validateRequest method of a JASPIC SAM is called in Tomcat 9, the
"" key in the MessageInfo
map is erroneously always set to true.

This happens in
org.apache.catalina.authenticator.AuthenticatorBase.getJaspicState via the
following code:

    new MessageInfoImpl(request.getRequest(), response.getResponse(), true);

The "true" param becomes the "authMandatory" value in the MessageInfo map:

    map.put(IS_MANDATORY, Boolean.toString(authMandatory));

However, according to section of the JASPIC 1.1 spec this should only
be true if the target resource is protected. To be more exact when:

"... the resource identified by the HttpServletRequest is covered by a Servlet
auth-constraint, or in a JSR 115 compatible runtime, if the corresponding
WebResourcePermission is NOT granted to an unauthenticated caller."

So while the SAM should always be called (whether authentication is required or
not), "" should only be
set to true when authentication is actually required (which, incidentally, is
also the case when HttpServletRequest#authenticate is called).
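For reference, here is how a SAM on the consuming side is expected to use the flag. This is an added example, not Tomcat code and not something from the report: the class, the "Bearer" header lookup and the in-memory token table are constructed for illustration, and the string value of IS_MANDATORY is taken from the JASPIC 1.1 spec (assumed here, since the report's own text leaves the key name blank). A module written this way lets anonymous requests through only when the container reports that authentication is not mandatory; with Tomcat 9.0.0.M10 forcing the flag to true, the challenge branch is taken for resources that carry no auth-constraint, which is the practical effect of the bug.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example SAM (not Tomcat code) that branches on the isMandatory flag:
 * anonymous access is permitted only when the container says authentication
 * is NOT mandatory for the target resource.
 */
public class MandatoryAwareSam implements ServerAuthModule {

    /** MessageInfo key for the isMandatory flag as named by the JASPIC 1.1 spec (assumed here). */
    static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";

    /** Constructed stand-in for a real credential store: opaque bearer token -> caller name. */
    private final Map<String, String> tokens = new HashMap<>();
    private CallbackHandler handler;

    @Override
    public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy,
                           CallbackHandler handler, Map options) throws AuthException {
        this.handler = handler;
        tokens.put("demo-token-alice", "alice"); // constructed sample credential, illustration only
    }

    @Override
    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();

        // Tomcat stores the flag as Boolean.toString(authMandatory); a missing key reads as false.
        boolean mandatory = Boolean.parseBoolean(
                String.valueOf(messageInfo.getMap().get(IS_MANDATORY)));

        String caller = resolveCaller(request.getHeader("Authorization"));
        if (caller != null) {
            // Valid credential: establish the caller identity for this request.
            notify(new CallerPrincipalCallback(clientSubject, caller));
            return AuthStatus.SUCCESS;
        }
        if (!mandatory) {
            // Unprotected resource: let the request through as an unauthenticated caller.
            notify(new CallerPrincipalCallback(clientSubject, (Principal) null));
            return AuthStatus.SUCCESS;
        }
        // Protected resource and no usable credential: send a challenge and stop the request.
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setHeader("WWW-Authenticate", "Bearer");
        return AuthStatus.SEND_CONTINUE;
    }

    @Override
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) {
        return AuthStatus.SEND_SUCCESS;
    }

    @Override
    public void cleanSubject(MessageInfo messageInfo, Subject subject) {
        if (subject != null) {
            subject.getPrincipals().clear();
        }
    }

    /** Returns the caller name for a "Bearer <token>" header, or null when absent or unknown. */
    String resolveCaller(String authorization) {
        if (authorization == null || !authorization.startsWith("Bearer ")) {
            return null;
        }
        return tokens.get(authorization.substring("Bearer ".length()).trim());
    }

    /** Delivers one callback to the container's handler, wrapping failures as AuthException. */
    private void notify(Callback callback) throws AuthException {
        try {
            handler.handle(new Callback[] { callback });
        } catch (IOException | UnsupportedCallbackException e) {
            AuthException ex = new AuthException("callback handler failed");
            ex.initCause(e);
            throw ex;
        }
    }
}
```

The three return paths are the point: a credential always wins, the anonymous path depends entirely on what the container put under IS_MANDATORY, and the challenge path is the only one the module can take for an anonymous request once the flag is unconditionally true.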
