Uploaded image for project: 'TomEE'
  1. TomEE
  2. TOMEE-4108

Backport TOMEE-4065: LoginToContinue interceptor fails on custom auth mechanism

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 8.0.13
    • 8.0.14
    • None
    • None

    Description

      I stumbled across an issue using a custom HttpAuthenticationMechanism implementation using the @LoginToContinue annotation directly.

      Minimal example code:

      @ApplicationScoped
@AutoApplySession
@LoginToContinue
public class AuthMechanism implements HttpAuthenticationMechanism {
  @Override
  public AuthenticationStatus validateRequest(HttpServletRequest request,
                                              HttpServletResponse response,
                                              HttpMessageContext httpMessageContext) throws AuthenticationException {
    /* do auth stuff */
  }
}

       

      Expected behavior

      I would expect the application server to redirect any request to a protected URL to the login page (without additional specification this would be "/login" here).

       

      Observable behavior

      Apparently this raises an error 500:

      java.lang.IllegalArgumentException     org.apache.tomee.security.cdi.LoginToContinueInterceptor.getLoginToContinue(LoginToContinueInterceptor.java:221)   org.apache.tomee.security.cdi.LoginToContinueInterceptor.processContainerInitiatedAuthentication(LoginToContinueInterceptor.java:134)   org.apache.tomee.security.cdi.LoginToContinueInterceptor.validateRequest(LoginToContinueInterceptor.java:78)   org.apache.tomee.security.cdi.LoginToContinueInterceptor.intercept(LoginToContinueInterceptor.java:63)
      ...

       

      The interceptor checks whether the invocation  target implements LoginToContinueMechanism and calls getLoginToContinue(). Because we do have a custom implementation here, this does not apply and raises an exception.

       

      Possible solution

      My workaround is a minor extension of the interceptor, i.e. add a fallback to a class-level annotation of the target.

      private LoginToContinue getLoginToContinue(final InvocationContext invocationContext) {
  if (invocationContext.getTarget() instanceof LoginToContinueMechanism) {
    return ((LoginToContinueMechanism) invocationContext.getTarget()).getLoginToContinue();
  }

  // WORKAROUND START
  LoginToContinue annotation = invocationContext.getTarget().getClass().getAnnotation(LoginToContinue.class);
  if (annotation != null) {
    return annotation;
  }
  // WORKAROUND END

  throw new IllegalArgumentException();
}

       

      RFC

      Did I miss or misinterpret anything here or should the behavior of the interceptor be extended, e.g. with the lines proposed above?

      Attachments

        Issue Links

          is a clone of

          Bug - A problem which impairs or prevents the functions of the product. TOMEE-4065 LoginToContinue interceptor fails on custom auth mechanism

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #961

          Activity

            People

              Unassigned Unassigned
              stklcode Stefan Kalscheuer
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 20m
                  20m