From a687b2fba261c787c323470aa22b0af7fc292a61 Mon Sep 17 00:00:00 2001 
From: Stoty Date: Thu, 5 Jan 2017 23:20:04 +0100 Subject: [PATCH] JASPIC ServerAuthModule and ServerAuthContext spec compliance fixes This contains two sets of fixes: - The SAMs no longer return SUCCESS with empty principals for mandatory authentication - The ServerAuthContext sets up two SAM module instances to satisfy the spec requirement that the mandatory flag can be accessed from the requestPolicy The first fix is important, as currently the tests fail to return proper http status codes for unauthenticated protected resources on multiple app servers. The second fix is just for complying with the letter of the spec, as the requestPolicy is not actually used in any of the current tests. --- .../sam/SamAutoRegistrationListener.java | 2 +- .../sam/SamAutoRegistrationListener.java | 2 +- .../sam/TestServerAuthModule.java | 9 +++- .../javaee7/jaspic/common/JaspicUtils.java | 4 +- .../jaspic/common/TestAuthConfigProvider.java | 8 +-- .../jaspic/common/TestServerAuthConfig.java | 8 +-- .../jaspic/common/TestServerAuthContext.java | 50 ++++++++++++++++--- .../sam/SamAutoRegistrationListener.java | 2 +- .../sam/TestServerAuthModule.java | 9 +++- .../sam/SamAutoRegistrationListener.java | 2 +- .../dispatching/sam/TestServerAuthModule.java | 43 +++++++++------- .../sam/SamAutoRegistrationListener.java | 2 +- .../dispatching/sam/TestServerAuthModule.java | 33 +++++++----- .../sam/SamAutoRegistrationListener.java | 2 +- .../sam/TestServerAuthModule.java | 8 +++ .../sam/SamAutoRegistrationListener.java | 2 +- .../sam/TestServerAuthModule.java | 9 ++++ .../sam/SamAutoRegistrationListener.java | 2 +- .../sam/SamAutoRegistrationListener.java | 2 +- .../sam/TestServerAuthModule.java | 8 +++ .../sam/SamAutoRegistrationListener.java | 2 +- .../sam/SamAutoRegistrationListener.java | 2 +- .../sam/TestServerAuthModule.java | 8 +++ .../sam/SamAutoRegistrationListener.java | 2 +- .../sam/TestServerAuthModule.java | 8 +++ .../sam/SamAutoRegistrationListener.java | 2 +- 
.../sam/SamAutoRegistrationListener.java | 2 +- 27 files changed, 171 insertions(+), 62 deletions(-) diff --git a/jaspic/async-authentication/src/main/java/org/javaee7/jaspic/asyncauthentication/sam/SamAutoRegistrationListener.java b/jaspic/async-authentication/src/main/java/org/javaee7/jaspic/asyncauthentication/sam/SamAutoRegistrationListener.java index 77118e5ac..9247e8b86 100644 --- a/jaspic/async-authentication/src/main/java/org/javaee7/jaspic/asyncauthentication/sam/SamAutoRegistrationListener.java +++ b/jaspic/async-authentication/src/main/java/org/javaee7/jaspic/asyncauthentication/sam/SamAutoRegistrationListener.java @@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class); } } \ No newline at end of file diff --git a/jaspic/basic-authentication/src/main/java/org/javaee7/jaspic/basicauthentication/sam/SamAutoRegistrationListener.java b/jaspic/basic-authentication/src/main/java/org/javaee7/jaspic/basicauthentication/sam/SamAutoRegistrationListener.java index 5f3743192..fa99cbcab 100644 --- a/jaspic/basic-authentication/src/main/java/org/javaee7/jaspic/basicauthentication/sam/SamAutoRegistrationListener.java +++ b/jaspic/basic-authentication/src/main/java/org/javaee7/jaspic/basicauthentication/sam/SamAutoRegistrationListener.java @@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class); } } \ No newline at end of file 
diff --git a/jaspic/basic-authentication/src/main/java/org/javaee7/jaspic/basicauthentication/sam/TestServerAuthModule.java b/jaspic/basic-authentication/src/main/java/org/javaee7/jaspic/basicauthentication/sam/TestServerAuthModule.java index ca1616221..33ab40126 100644 --- a/jaspic/basic-authentication/src/main/java/org/javaee7/jaspic/basicauthentication/sam/TestServerAuthModule.java +++ b/jaspic/basic-authentication/src/main/java/org/javaee7/jaspic/basicauthentication/sam/TestServerAuthModule.java @@ -2,6 +2,8 @@ import static javax.security.auth.message.AuthStatus.SEND_SUCCESS; import static javax.security.auth.message.AuthStatus.SUCCESS; +import static javax.security.auth.message.AuthStatus.SEND_CONTINUE; +import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED; import java.io.IOException; import java.security.Principal; @@ -44,6 +46,7 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject throws AuthException { HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); + HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); Callback[] callbacks; @@ -58,8 +61,12 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject // the roles of the authenticated user new GroupPrincipalCallback(clientSubject, new String[] { "architect" }) }; + } else if(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory").equals("true")) { + + // Must set error code is authentication is mandatory, but unsuccessful + response.setStatus(SC_UNAUTHORIZED); + return SEND_CONTINUE; } else { - // The JASPIC protocol for "do nothing" callbacks = new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) }; } diff --git a/jaspic/common/src/main/java/org/javaee7/jaspic/common/JaspicUtils.java b/jaspic/common/src/main/java/org/javaee7/jaspic/common/JaspicUtils.java index d89eaf22f..1e86b704a 100644 
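Review bot: The new `else if` in validateRequest calls `.equals("true")` on the value pulled from the MessageInfo map for `javax.security.auth.message.MessagePolicy.isMandatory`, so if a container ever leaves that key unset the unauthenticated path ends in a NullPointerException (an unhandled 500) instead of the 401 the branch is meant to produce. `TestServerAuthContext.chooseModule` in this same commit already uses the null-safe form, so `} else if ("true".equals(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory"))) {` keeps the SAMs consistent with the context that dispatches to them. The identical expression is repeated in the custom-principal, dispatching-jsf-cdi, dispatching, ejb-propagation, ejb-register-session, jacc-propagation and programmatic-authentication TestServerAuthModule hunks and should be changed in the same way there. The comment on the new branch reads "is authentication is mandatory"; `// Must set error code if authentication is mandatory, but unsuccessful` is the wording the other modules use. This hunk and the custom-principal one also delete the `// The JASPIC protocol for "do nothing"` comment from the final else branch, which the remaining modules keep.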
--- a/jaspic/common/src/main/java/org/javaee7/jaspic/common/JaspicUtils.java +++ b/jaspic/common/src/main/java/org/javaee7/jaspic/common/JaspicUtils.java @@ -20,8 +20,8 @@ private JaspicUtils() { * * @param serverAuthModule */ - public static void registerSAM(ServletContext context, ServerAuthModule serverAuthModule) { - AuthConfigFactory.getFactory().registerConfigProvider(new TestAuthConfigProvider(serverAuthModule), "HttpServlet", + public static void registerSAM(ServletContext context, Class serverAuthModuleClass) { + AuthConfigFactory.getFactory().registerConfigProvider(new TestAuthConfigProvider(serverAuthModuleClass), "HttpServlet", getAppContextID(context), "Test authentication config provider"); } diff --git a/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestAuthConfigProvider.java b/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestAuthConfigProvider.java index 053ee1ee9..d3956fd01 100644 --- a/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestAuthConfigProvider.java +++ b/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestAuthConfigProvider.java @@ -22,10 +22,10 @@ public class TestAuthConfigProvider implements AuthConfigProvider { private static final String CALLBACK_HANDLER_PROPERTY_NAME = "authconfigprovider.client.callbackhandler"; private Map providerProperties; - private ServerAuthModule serverAuthModule; + private Class serverAuthModuleClass; - public TestAuthConfigProvider(ServerAuthModule serverAuthModule) { - this.serverAuthModule = serverAuthModule; + public TestAuthConfigProvider(Class serverAuthModuleClass) { + this.serverAuthModuleClass = serverAuthModuleClass; } /** 
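Review bot: The Javadoc above registerSAM still says `@param serverAuthModule`, but the parameter is now `serverAuthModuleClass` and takes a class rather than an instance; something like `@param serverAuthModuleClass the ServerAuthModule implementation to instantiate for each ServerAuthContext; must have an accessible no-arg constructor` keeps the doc in step with the signature and with the `getConstructor().newInstance()` call in TestServerAuthContext that consumes it. The parameter is shown as a raw `Class` here and in the TestAuthConfigProvider and TestServerAuthConfig hunks; this rendering appears to strip type arguments (compare `Collections. emptyMap()` in TestServerAuthContext), but if the type really is raw, declaring it `Class<? extends ServerAuthModule>` would move the "is this actually a SAM" check from the reflective instantiation at context-creation time to compile time at every `registerSAM` call site. The Javadoc comment this hunk sits in starts before the hunk.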
@@ -53,7 +53,7 @@ public TestAuthConfigProvider(Map properties, AuthConfigFactory public ServerAuthConfig getServerAuthConfig(String layer, String appContext, CallbackHandler handler) throws AuthException, SecurityException { return new TestServerAuthConfig(layer, appContext, handler == null ? createDefaultCallbackHandler() : handler, - providerProperties, serverAuthModule); + providerProperties, serverAuthModuleClass); } @Override diff --git a/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestServerAuthConfig.java b/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestServerAuthConfig.java index 510a29f2f..158122b03 100644 --- a/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestServerAuthConfig.java +++ b/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestServerAuthConfig.java @@ -22,21 +22,21 @@ public class TestServerAuthConfig implements ServerAuthConfig { private String appContext; private CallbackHandler handler; private Map providerProperties; - private ServerAuthModule serverAuthModule; + private Class serverAuthModuleClass; public TestServerAuthConfig(String layer, String appContext, CallbackHandler handler, - Map providerProperties, ServerAuthModule serverAuthModule) { + Map providerProperties, Class serverAuthModuleClass) { this.layer = layer; this.appContext = appContext; this.handler = handler; this.providerProperties = providerProperties; - this.serverAuthModule = serverAuthModule; + this.serverAuthModuleClass = serverAuthModuleClass; } @Override public ServerAuthContext getAuthContext(String authContextID, Subject serviceSubject, @SuppressWarnings("rawtypes") Map properties) throws AuthException { - return new TestServerAuthContext(handler, serverAuthModule); + return new TestServerAuthContext(handler, serverAuthModuleClass); } // ### The methods below mostly just return what has been passed into the 
diff --git a/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestServerAuthContext.java b/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestServerAuthContext.java index 9c2d09558..2571dce1c 100644 --- a/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestServerAuthContext.java +++ b/jaspic/common/src/main/java/org/javaee7/jaspic/common/TestServerAuthContext.java @@ -1,5 +1,6 @@ package org.javaee7.jaspic.common; +import java.lang.reflect.InvocationTargetException; import java.util.Collections; import javax.security.auth.Subject; @@ -7,6 +8,9 @@ import javax.security.auth.message.AuthException; import javax.security.auth.message.AuthStatus; import javax.security.auth.message.MessageInfo; +import javax.security.auth.message.MessagePolicy; +import javax.security.auth.message.MessagePolicy.TargetPolicy; +import javax.security.auth.message.MessagePolicy.ProtectionPolicy; import javax.security.auth.message.ServerAuth; import javax.security.auth.message.config.ServerAuthContext; import javax.security.auth.message.module.ServerAuthModule; 
@@ -22,28 +26,60 @@ * @author Arjan Tijms */ public class TestServerAuthContext implements ServerAuthContext { + + private static TargetPolicy[] targetPolicyArr = { new TargetPolicy(null, new ProtectionPolicy() { + public String getID() { + return ProtectionPolicy.AUTHENTICATE_SENDER; + } + }) }; + + private static MessagePolicy mandatoryRequestPolicy = new MessagePolicy(targetPolicyArr, true); + private static MessagePolicy optionalRequestPolicy = new MessagePolicy(targetPolicyArr, false); - private final ServerAuthModule serverAuthModule; + private ServerAuthModule mandatoryServerAuthModule; + private ServerAuthModule optionalServerAuthModule; + + private ServerAuthModule chooseModule(MessageInfo messageInfo){ + if("true".equals(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory"))) { + return mandatoryServerAuthModule; + } else { + return optionalServerAuthModule; + } + } + + public TestServerAuthContext(CallbackHandler handler, Class serverAuthModuleClass) throws AuthException { + + //The spec requires that the mandatory authentication parameter can be accessed from the requestPolicy, + //even though it is not really useful, as the same information is available from the messageInfo map. + //To satisfy this requirement two SAM objects are constructed, and they are initialized with the appropriate requestPolicies. + + try { + mandatoryServerAuthModule = serverAuthModuleClass.getConstructor().newInstance(); + mandatoryServerAuthModule.initialize(mandatoryRequestPolicy, null, handler, Collections. emptyMap()); + + optionalServerAuthModule = serverAuthModuleClass.getConstructor().newInstance(); + optionalServerAuthModule.initialize(optionalRequestPolicy, null, handler, Collections. 
emptyMap()); + } catch (InstantiationException | IllegalAccessException | IllegalArgumentException + | InvocationTargetException | NoSuchMethodException | SecurityException e) { + throw new AuthException(); + } - public TestServerAuthContext(CallbackHandler handler, ServerAuthModule serverAuthModule) throws AuthException { - this.serverAuthModule = serverAuthModule; - serverAuthModule.initialize(null, null, handler, Collections. emptyMap()); } @Override public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException { - return serverAuthModule.validateRequest(messageInfo, clientSubject, serviceSubject); + return chooseModule(messageInfo).validateRequest(messageInfo, clientSubject, serviceSubject); } @Override public AuthStatus secureResponse(MessageInfo messageInfo, Subject serviceSubject) throws AuthException { - return serverAuthModule.secureResponse(messageInfo, serviceSubject); + return chooseModule(messageInfo).secureResponse(messageInfo, serviceSubject); } @Override public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException { - serverAuthModule.cleanSubject(messageInfo, subject); + chooseModule(messageInfo).cleanSubject(messageInfo, subject); } } diff --git a/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/SamAutoRegistrationListener.java b/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/SamAutoRegistrationListener.java index 6562a46ef..c9a398979 100644 --- a/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/SamAutoRegistrationListener.java +++ b/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/SamAutoRegistrationListener.java 
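Review bot: The catch block in the new constructor throws a bare `new AuthException()`, so when reflective instantiation of the SAM fails the container receives an exception with no message and no cause, and the name of the class that could not be instantiated as well as which of the six caught exception types occurred are both lost, which makes a mis-registered module very hard to diagnose from server logs. As far as I can tell the javax-era AuthException only offers the no-arg and message constructors, but `initCause` is inherited: `AuthException ae = new AuthException("Cannot instantiate ServerAuthModule " + serverAuthModuleClass.getName());` / `ae.initCause(e);` / `throw ae;`. The three new static policy fields and the two module fields are each assigned exactly once yet are not declared `final`, and `getID` in the anonymous ProtectionPolicy lacks `@Override`. A one-line class comment stating that every TestServerAuthContext creates two instances of the SAM class, one initialized with the mandatory and one with the optional request policy, would spare the next reader working that out from the constructor, since TestServerAuthConfig.getAuthContext constructs a fresh context on each call.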
@@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class); } } \ No newline at end of file diff --git a/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/TestServerAuthModule.java b/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/TestServerAuthModule.java index 8ff11b4d4..3fd068167 100644 --- a/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/TestServerAuthModule.java +++ b/jaspic/custom-principal/src/main/java/org/javaee7/jaspic/customprincipal/sam/TestServerAuthModule.java @@ -2,6 +2,8 @@ import static javax.security.auth.message.AuthStatus.SEND_SUCCESS; import static javax.security.auth.message.AuthStatus.SUCCESS; +import static javax.security.auth.message.AuthStatus.SEND_CONTINUE; +import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED; import java.io.IOException; import java.security.Principal; @@ -44,6 +46,7 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject throws AuthException { HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); + HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); Callback[] callbacks; 
@@ -59,8 +62,12 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject // the roles of the authenticated user new GroupPrincipalCallback(clientSubject, new String[] { "architect" }) }; + } else if(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory").equals("true")) { + + // Must set error code if authentication is mandatory, but unsuccessful + response.setStatus(SC_UNAUTHORIZED); + return SEND_CONTINUE; } else { - // The JASPIC protocol for "do nothing" callbacks = new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) }; } diff --git a/jaspic/dispatching-jsf-cdi/src/main/java/org/javaee7/jaspic/dispatching/sam/SamAutoRegistrationListener.java b/jaspic/dispatching-jsf-cdi/src/main/java/org/javaee7/jaspic/dispatching/sam/SamAutoRegistrationListener.java index b0e15c5d3..ac955b6da 100644 --- a/jaspic/dispatching-jsf-cdi/src/main/java/org/javaee7/jaspic/dispatching/sam/SamAutoRegistrationListener.java +++ b/jaspic/dispatching-jsf-cdi/src/main/java/org/javaee7/jaspic/dispatching/sam/SamAutoRegistrationListener.java @@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class); } } \ No newline at end of file diff --git a/jaspic/dispatching-jsf-cdi/src/main/java/org/javaee7/jaspic/dispatching/sam/TestServerAuthModule.java b/jaspic/dispatching-jsf-cdi/src/main/java/org/javaee7/jaspic/dispatching/sam/TestServerAuthModule.java index 02154b5d7..9b642c139 100644 --- a/jaspic/dispatching-jsf-cdi/src/main/java/org/javaee7/jaspic/dispatching/sam/TestServerAuthModule.java +++ b/jaspic/dispatching-jsf-cdi/src/main/java/org/javaee7/jaspic/dispatching/sam/TestServerAuthModule.java 
@@ -3,6 +3,7 @@ import static javax.security.auth.message.AuthStatus.SEND_CONTINUE; import static javax.security.auth.message.AuthStatus.SEND_SUCCESS; import static javax.security.auth.message.AuthStatus.SUCCESS; +import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED; import java.io.IOException; import java.security.Principal; 
@@ -44,26 +45,34 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject try { HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); - + if ("include".equals(request.getParameter("dispatch"))) { - String target = "/includedServlet"; - if ("jsf".equals(request.getParameter("tech"))) { - target = "/include.jsf"; - } else if ("jsfcdi".equals(request.getParameter("tech"))) { - target = "/include-cdi.jsf"; + if(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory").equals("true")) { + //Since we do not set a principal, authentication is unsuccessful + + response.setStatus(SC_UNAUTHORIZED); + return SEND_CONTINUE; + } else { + + String target = "/includedServlet"; + if ("jsf".equals(request.getParameter("tech"))) { + target = "/include.jsf"; + } else if ("jsfcdi".equals(request.getParameter("tech"))) { + target = "/include-cdi.jsf"; + } + + request.getRequestDispatcher(target) + .include(request, response); + + // "Do nothing", required protocol when returning SUCCESS + handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) }); + + // When using includes, the response stays open and the main + // resource can also + // write to the response + return SUCCESS; } - - request.getRequestDispatcher(target) - .include(request, response); - - // "Do nothing", required protocol when returning SUCCESS - handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) }); - - // When using includes, the response stays open and the main - // resource can also - // write to the response - return SUCCESS; } else { 
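Review bot: The new mandatory-authentication `if` inside the include branch returns unconditionally, so the `else {` that follows exists only to re-indent the existing dispatcher code by one level, which is why most of this hunk is whitespace rather than logic. Writing it as a guard clause, the `if` block with `response.setStatus(SC_UNAUTHORIZED); return SEND_CONTINUE;` followed by the original include body at its original indentation, expresses the same control flow and leaves the dispatch, callback and `return SUCCESS` lines untouched in the diff. The dispatching TestServerAuthModule hunk has the same shape and would benefit from the same treatment. The forward branch after the closing `} else {` lies outside the hunk, so whether it also needs a mandatory-authentication guard cannot be judged from here.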
diff --git a/jaspic/dispatching/src/main/java/org/javaee7/jaspic/dispatching/sam/SamAutoRegistrationListener.java b/jaspic/dispatching/src/main/java/org/javaee7/jaspic/dispatching/sam/SamAutoRegistrationListener.java index b0e15c5d3..ac955b6da 100644 --- a/jaspic/dispatching/src/main/java/org/javaee7/jaspic/dispatching/sam/SamAutoRegistrationListener.java +++ b/jaspic/dispatching/src/main/java/org/javaee7/jaspic/dispatching/sam/SamAutoRegistrationListener.java @@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class); } } \ No newline at end of file diff --git a/jaspic/dispatching/src/main/java/org/javaee7/jaspic/dispatching/sam/TestServerAuthModule.java b/jaspic/dispatching/src/main/java/org/javaee7/jaspic/dispatching/sam/TestServerAuthModule.java index d52159a5b..a9b75f0c1 100644 --- a/jaspic/dispatching/src/main/java/org/javaee7/jaspic/dispatching/sam/TestServerAuthModule.java +++ b/jaspic/dispatching/src/main/java/org/javaee7/jaspic/dispatching/sam/TestServerAuthModule.java @@ -3,6 +3,7 @@ import static javax.security.auth.message.AuthStatus.SEND_CONTINUE; import static javax.security.auth.message.AuthStatus.SEND_SUCCESS; import static javax.security.auth.message.AuthStatus.SUCCESS; +import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED; import java.io.IOException; import java.security.Principal; 
@@ -42,19 +43,27 @@ public void initialize(MessagePolicy requestPolicy, MessagePolicy responsePolicy public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException { try { HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); - HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); - + HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); + if ("include".equals(request.getParameter("dispatch"))) { - request.getRequestDispatcher("/includedServlet") - .include(request, response); - - // "Do nothing", required protocol when returning SUCCESS - handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) }); - - // When using includes, the response stays open and the main - // resource can also write to the response - return SUCCESS; - + + if(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory").equals("true")) { + //Since we do not set a principal, authentication is unsuccessful + + response.setStatus(SC_UNAUTHORIZED); + return SEND_CONTINUE; + } else { + + request.getRequestDispatcher("/includedServlet") + .include(request, response); + + // "Do nothing", required protocol when returning SUCCESS + handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (Principal) null) }); + + // When using includes, the response stays open and the main + // resource can also write to the response + return SUCCESS; + } } else { request.getRequestDispatcher("/forwardedServlet") .forward(request, response); diff --git a/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/sam/SamAutoRegistrationListener.java b/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/sam/SamAutoRegistrationListener.java index e91dd3576..cfd0a55cc 100644 
--- a/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/sam/SamAutoRegistrationListener.java +++ b/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/sam/SamAutoRegistrationListener.java @@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class); } } \ No newline at end of file diff --git a/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/sam/TestServerAuthModule.java b/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/sam/TestServerAuthModule.java index a11992455..d4beb3bf9 100644 --- a/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/sam/TestServerAuthModule.java +++ b/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/sam/TestServerAuthModule.java @@ -1,6 +1,8 @@ package org.javaee7.jaspic.ejbpropagation.sam; import static javax.security.auth.message.AuthStatus.SUCCESS; +import static javax.security.auth.message.AuthStatus.SEND_CONTINUE; +import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED; import java.io.IOException; import java.security.Principal; @@ -43,6 +45,7 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject throws AuthException { HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); + HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); Callback[] callbacks; 
@@ -50,6 +53,11 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject callbacks = new Callback[] { new CallerPrincipalCallback(clientSubject, "test"), new GroupPrincipalCallback(clientSubject, new String[] { "architect" }) }; + } else if(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory").equals("true")) { + + // Must set error code if authentication is mandatory, but unsuccessful + response.setStatus(SC_UNAUTHORIZED); + return SEND_CONTINUE; } else { // The JASPIC protocol for "do nothing" diff --git a/jaspic/ejb-register-session/src/main/java/org/javaee7/jaspic/registersession/sam/SamAutoRegistrationListener.java b/jaspic/ejb-register-session/src/main/java/org/javaee7/jaspic/registersession/sam/SamAutoRegistrationListener.java index 2241d934c..c7db293e0 100644 --- a/jaspic/ejb-register-session/src/main/java/org/javaee7/jaspic/registersession/sam/SamAutoRegistrationListener.java +++ b/jaspic/ejb-register-session/src/main/java/org/javaee7/jaspic/registersession/sam/SamAutoRegistrationListener.java @@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class); } } \ No newline at end of file diff --git a/jaspic/ejb-register-session/src/main/java/org/javaee7/jaspic/registersession/sam/TestServerAuthModule.java b/jaspic/ejb-register-session/src/main/java/org/javaee7/jaspic/registersession/sam/TestServerAuthModule.java index 89ea01287..3217e1069 100644 --- a/jaspic/ejb-register-session/src/main/java/org/javaee7/jaspic/registersession/sam/TestServerAuthModule.java +++ b/jaspic/ejb-register-session/src/main/java/org/javaee7/jaspic/registersession/sam/TestServerAuthModule.java 
@@ -1,7 +1,9 @@ package org.javaee7.jaspic.registersession.sam; import static java.lang.Boolean.TRUE; +import static javax.security.auth.message.AuthStatus.SEND_CONTINUE; import static javax.security.auth.message.AuthStatus.SUCCESS; +import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED; import java.io.IOException; import java.security.Principal; @@ -44,6 +46,8 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject throws AuthException { HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); + HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); + Callback[] callbacks; Principal userPrincipal = request.getUserPrincipal(); @@ -77,6 +81,11 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject // Tell container to register an authentication session. messageInfo.getMap().put("javax.servlet.http.registerSession", TRUE.toString()); + } else if(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory").equals("true")) { + + // Must set error code if authentication is mandatory, but unsuccessful + response.setStatus(SC_UNAUTHORIZED); + return SEND_CONTINUE; } else { // ### If no registered session and no login request "do nothing" diff --git a/jaspic/invoke-ejb-cdi/src/main/java/org/javaee7/jaspic/invoke/sam/SamAutoRegistrationListener.java b/jaspic/invoke-ejb-cdi/src/main/java/org/javaee7/jaspic/invoke/sam/SamAutoRegistrationListener.java index dc6b780ca..f0f60b821 100644 --- a/jaspic/invoke-ejb-cdi/src/main/java/org/javaee7/jaspic/invoke/sam/SamAutoRegistrationListener.java +++ b/jaspic/invoke-ejb-cdi/src/main/java/org/javaee7/jaspic/invoke/sam/SamAutoRegistrationListener.java 
@@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class); } } \ No newline at end of file diff --git a/jaspic/jacc-propagation/src/main/java/org/javaee7/jaspic/jaccpropagation/sam/SamAutoRegistrationListener.java b/jaspic/jacc-propagation/src/main/java/org/javaee7/jaspic/jaccpropagation/sam/SamAutoRegistrationListener.java index 09e8e240a..504fe2949 100644 --- a/jaspic/jacc-propagation/src/main/java/org/javaee7/jaspic/jaccpropagation/sam/SamAutoRegistrationListener.java +++ b/jaspic/jacc-propagation/src/main/java/org/javaee7/jaspic/jaccpropagation/sam/SamAutoRegistrationListener.java @@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class); } } \ No newline at end of file diff --git a/jaspic/jacc-propagation/src/main/java/org/javaee7/jaspic/jaccpropagation/sam/TestServerAuthModule.java b/jaspic/jacc-propagation/src/main/java/org/javaee7/jaspic/jaccpropagation/sam/TestServerAuthModule.java index e75b2a4a0..ea8efae4d 100644 --- a/jaspic/jacc-propagation/src/main/java/org/javaee7/jaspic/jaccpropagation/sam/TestServerAuthModule.java +++ b/jaspic/jacc-propagation/src/main/java/org/javaee7/jaspic/jaccpropagation/sam/TestServerAuthModule.java 
@@ -1,6 +1,8 @@ package org.javaee7.jaspic.jaccpropagation.sam; import static javax.security.auth.message.AuthStatus.SUCCESS; +import static javax.security.auth.message.AuthStatus.SEND_CONTINUE; +import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED; import java.io.IOException; import java.security.Principal; @@ -43,6 +45,7 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject throws AuthException { HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage(); + HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage(); Callback[] callbacks; @@ -50,6 +53,11 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject callbacks = new Callback[] { new CallerPrincipalCallback(clientSubject, "test"), new GroupPrincipalCallback(clientSubject, new String[] { "architect" }) }; + } else if(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory").equals("true")) { + + // Must set error code if authentication is mandatory, but unsuccessful + response.setStatus(SC_UNAUTHORIZED); + return SEND_CONTINUE; } else { // The JASPIC protocol for "do nothing" diff --git a/jaspic/lifecycle/src/main/java/org/javaee7/jaspic/lifecycle/sam/SamAutoRegistrationListener.java b/jaspic/lifecycle/src/main/java/org/javaee7/jaspic/lifecycle/sam/SamAutoRegistrationListener.java index bab879840..200fd0b33 100644 --- a/jaspic/lifecycle/src/main/java/org/javaee7/jaspic/lifecycle/sam/SamAutoRegistrationListener.java +++ b/jaspic/lifecycle/src/main/java/org/javaee7/jaspic/lifecycle/sam/SamAutoRegistrationListener.java 
@@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestLifecycleAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestLifecycleAuthModule.class); } } \ No newline at end of file diff --git a/jaspic/programmatic-authentication/src/main/java/org/javaee7/jaspic/programmaticauthentication/sam/SamAutoRegistrationListener.java b/jaspic/programmatic-authentication/src/main/java/org/javaee7/jaspic/programmaticauthentication/sam/SamAutoRegistrationListener.java index 202575e5f..6ff2af6ab 100644 --- a/jaspic/programmatic-authentication/src/main/java/org/javaee7/jaspic/programmaticauthentication/sam/SamAutoRegistrationListener.java +++ b/jaspic/programmatic-authentication/src/main/java/org/javaee7/jaspic/programmaticauthentication/sam/SamAutoRegistrationListener.java @@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener { @Override public void contextInitialized(ServletContextEvent sce) { - JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule()); + JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class); } } \ No newline at end of file diff --git a/jaspic/programmatic-authentication/src/main/java/org/javaee7/jaspic/programmaticauthentication/sam/TestServerAuthModule.java b/jaspic/programmatic-authentication/src/main/java/org/javaee7/jaspic/programmaticauthentication/sam/TestServerAuthModule.java index b4a057502..7ebf350c0 100644 --- a/jaspic/programmatic-authentication/src/main/java/org/javaee7/jaspic/programmaticauthentication/sam/TestServerAuthModule.java +++ b/jaspic/programmatic-authentication/src/main/java/org/javaee7/jaspic/programmaticauthentication/sam/TestServerAuthModule.java 
@@ -2,6 +2,8 @@
 import static javax.security.auth.message.AuthStatus.SEND_SUCCESS;
 import static javax.security.auth.message.AuthStatus.SUCCESS;
+import static javax.security.auth.message.AuthStatus.SEND_CONTINUE;
+import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 import java.io.IOException;
 import java.security.Principal;
@@ -44,6 +46,7 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject
 throws AuthException {
 HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
+ HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
 Callback[] callbacks;
@@ -58,6 +61,11 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject
 // the roles of the authenticated user
 new GroupPrincipalCallback(clientSubject, new String[] { "architect" }) };
+ } else if(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory").equals("true")) {
+
+ // Must set error code if authentication is mandatory, but unsuccessful
+ response.setStatus(SC_UNAUTHORIZED);
+ return SEND_CONTINUE;
 } else {
 // The JASPIC protocol for "do nothing"
diff --git a/jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/sam/SamAutoRegistrationListener.java b/jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/sam/SamAutoRegistrationListener.java
index 2241d934c..c7db293e0 100644
--- a/jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/sam/SamAutoRegistrationListener.java
+++ b/jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/sam/SamAutoRegistrationListener.java
@@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener {
 @Override
 public void contextInitialized(ServletContextEvent sce) {
- JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule());
+ JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class);
 }
 }
\ No newline at end of file
diff --git a/jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/sam/TestServerAuthModule.java b/jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/sam/TestServerAuthModule.java
index 89ea01287..438f60efc 100644
--- a/jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/sam/TestServerAuthModule.java
+++ b/jaspic/register-session/src/main/java/org/javaee7/jaspic/registersession/sam/TestServerAuthModule.java
@@ -2,6 +2,8 @@
 import static java.lang.Boolean.TRUE;
 import static javax.security.auth.message.AuthStatus.SUCCESS;
+import static javax.security.auth.message.AuthStatus.SEND_CONTINUE;
+import static javax.servlet.http.HttpServletResponse.SC_UNAUTHORIZED;
 import java.io.IOException;
 import java.security.Principal;
@@ -44,6 +46,7 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject
 throws AuthException {
 HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
+ HttpServletResponse response = (HttpServletResponse) messageInfo.getResponseMessage();
 Callback[] callbacks;
 Principal userPrincipal = request.getUserPrincipal();
@@ -77,6 +80,11 @@ public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject
 // Tell container to register an authentication session.
 messageInfo.getMap().put("javax.servlet.http.registerSession", TRUE.toString());
+ } else if(messageInfo.getMap().get("javax.security.auth.message.MessagePolicy.isMandatory").equals("true")) {
+
+ // Must set error code if authentication is mandatory, but unsuccessful
+ response.setStatus(SC_UNAUTHORIZED);
+ return SEND_CONTINUE;
 } else {
 // ### If no registered session and no login request "do nothing"
diff --git a/jaspic/status-codes/src/main/java/org/javaee7/jaspic/statuscodes/sam/SamAutoRegistrationListener.java b/jaspic/status-codes/src/main/java/org/javaee7/jaspic/statuscodes/sam/SamAutoRegistrationListener.java
index 85f3dcdcb..1d45f1bae 100644
--- a/jaspic/status-codes/src/main/java/org/javaee7/jaspic/statuscodes/sam/SamAutoRegistrationListener.java
+++ b/jaspic/status-codes/src/main/java/org/javaee7/jaspic/statuscodes/sam/SamAutoRegistrationListener.java
@@ -16,7 +16,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener {
 @Override
 public void contextInitialized(ServletContextEvent sce) {
- JaspicUtils.registerSAM(sce.getServletContext(), new TestServerAuthModule());
+ JaspicUtils.registerSAM(sce.getServletContext(), TestServerAuthModule.class);
 }
 }
\ No newline at end of file
diff --git a/jaspic/wrapping/src/main/java/org/javaee7/jaspic/wrapping/sam/SamAutoRegistrationListener.java b/jaspic/wrapping/src/main/java/org/javaee7/jaspic/wrapping/sam/SamAutoRegistrationListener.java
index 271947358..be69510bc 100644
--- a/jaspic/wrapping/src/main/java/org/javaee7/jaspic/wrapping/sam/SamAutoRegistrationListener.java
+++ b/jaspic/wrapping/src/main/java/org/javaee7/jaspic/wrapping/sam/SamAutoRegistrationListener.java
@@ -20,7 +20,7 @@ public class SamAutoRegistrationListener extends BaseServletContextListener {
 @Override
 public void contextInitialized(ServletContextEvent sce) {
- JaspicUtils.registerSAM(sce.getServletContext(), new TestWrappingServerAuthModule());
+ JaspicUtils.registerSAM(sce.getServletContext(), TestWrappingServerAuthModule.class);
 sce.getServletContext()
 .addFilter("Programmatic filter", ProgrammaticFilter.class)