Bug 60196 - isMandatory erroneously always set to true for JASPIC SAM
Summary: isMandatory erroneously always set to true for JASPIC SAM
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina
Version: 9.0.0.M10
Hardware: All All
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-02 19:10 UTC by Arjan Tijms
Modified: 2016-10-10 17:53 UTC
Description Arjan Tijms 2016-10-02 19:10:45 UTC
When the validateRequest method of a JASPIC SAM is called in Tomcat 9, the "javax.security.auth.message.MessagePolicy.isMandatory" key in the MessageInfo map is erroneously always set to true.

This happens in org.apache.catalina.authenticator.AuthenticatorBase.getJaspicState via the following code:

    new MessageInfoImpl(request.getRequest(), response.getResponse(), true);

The "true" param becomes the "authMandatory" value in the MessageInfo map:

    map.put(IS_MANDATORY, Boolean.toString(authMandatory));

However, according to section 3.8.1.1 of the JASPIC 1.1 spec this should only be true if the target resource is protected. To be more exact when:

"... the resource identified by the HttpServletRequest is covered by a Servlet auth-constraint, or in a JSR 115 compatible runtime, if the corresponding WebResourcePermission is NOT granted to an unauthenticated caller."

So while the SAM should always be called (whether authentication is required or not), "javax.security.auth.message.MessagePolicy.isMandatory" should only be set to true when authentication is actually required (which, incidentally, is also the case when HttpServletRequest#authenticate is called).
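For reference, here is how a SAM is expected to consume that key. This is an added example, not Tomcat's code and not the reporter's: a hypothetical module that only challenges when the container reports isMandatory as "true" and otherwise admits the request as an unauthenticated caller. The `X-Demo-User` header is a placeholder credential check, and the class name is invented. With the bug described above the `!mandatory` branch is never reached, so unprotected resources get challenged as well.

```java
import java.io.IOException;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;
// Hypothetical SAM (added example; not Tomcat's or the bug reporter's code).
public class MandatoryAwareSam implements ServerAuthModule {
    private static final String IS_MANDATORY =
            "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;

    @Override public void initialize(MessagePolicy rq, MessagePolicy rs, CallbackHandler h, Map o) { handler = h; }
    @Override public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }

    @Override
    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) info.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) info.getResponseMessage();
        // Container-supplied flag: per JASPIC 3.8.1.1 it is "true" only when the resource
        // is under an auth-constraint (or HttpServletRequest#authenticate was called).
        boolean mandatory = Boolean.parseBoolean(String.valueOf(info.getMap().get(IS_MANDATORY)));
        String user = req.getHeader("X-Demo-User"); // placeholder credential, not real auth
        try {
            if (user != null) { // credential present: establish caller principal and groups
                handler.handle(new Callback[] {
                    new CallerPrincipalCallback(clientSubject, user),
                    new GroupPrincipalCallback(clientSubject, new String[] { "users" }) });
                return AuthStatus.SUCCESS;
            }
            if (!mandatory) { // public resource: admit the request as an unauthenticated caller
                handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, (String) null) });
                return AuthStatus.SUCCESS;
            }
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED); // protected and no credential
            return AuthStatus.SEND_FAILURE;
        } catch (IOException | UnsupportedCallbackException e) {
            throw (AuthException) new AuthException(e.getMessage()).initCause(e);
        }
    }

    @Override public AuthStatus secureResponse(MessageInfo i, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo i, Subject s) { }
}
```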
Comment 1 Mark Thomas 2016-10-05 13:57:40 UTC
This has been fixed in the following branches:
- 9.0.x for 9.0.0.M11 onwards
- 8.5.x for 8.5.6 onwards
Comment 2 Arjan Tijms 2016-10-10 17:53:29 UTC
Thanks a lot for the quick fix!

PS.

I added a CI target for Tomcat to the Java EE samples project (https://github.com/javaee-samples/javaee7-samples.git)

After a git clone the JASPIC tests can be started using:

    mvn clean install -pl "test-utils,util" -am
    cd jaspic
    mvn clean test -P tomcat-ci-managed

Tomcat versions from the Apache public and staging repositories can be tested. It currently defaults to version 8.5.6, but another version can be used via the -Dtomcat.version option. E.g.

    mvn clean test -P tomcat-ci-managed -Dtomcat.version=8.5.5

Note that for Tomcat the integration tests with EJB, JSF, JACC, etc. are automatically skipped.

The staged Tomcat 8.5.6 has a perfect test result btw, all tests pass. Very impressive!