Comments (9)
- Issue Imported From: https://github.com/javaee/servlet-spec/issues/21
- Original Issue Raised By:@glassfishrobot
- Original Issue Assigned To: @shingwaichan
@glassfishrobot Commented
Reported by markt_asf
@glassfishrobot Commented
markt_asf said:
Note: pre-emptive authentication can never work with DIGEST auth
@glassfishrobot Commented
monzillo said:
imv, we should apply an established authentication session when we access
an unprotected resource within the session; that is, assuming the authentication session
conforms to the session mechanism configured for the application. iirc, the spec is not
clear on that, and it could be worth adding that as a requirement.
Regarding the processing of authenticators included in requests to unconstrained resources, I think such authenticators should be ignored during constraint processing (for the required to be supported authentication mechanism processors). Conversely they should be processed if the target resource makes a call to HttpServletRequest.authenticate.
That said, I think we should allow custom authentication mechanisms to decide how they will treat authenticators sent to unprotected resources. In the servlet profile of jsr 196, the configured authentication system is called on every request, leaving it up to it to decide whether or not to process a received authenticator.
@glassfishrobot Commented
arjan_t said:
In the servlet profile of jsr 196, the configured authentication system is called on every request, leaving it up to it, to decide whether or not to process a received authenticator.
Ron, is this tested in the TCK? At least JBoss EAP and AS don't do this at all, yet they are certified for Java EE 6.
@glassfishrobot Commented
arjan_t said:
Doing some more digging in the JBoss code, I found an optional "valve" (it's not documented), via which JBoss EAP/AS do process unprotected resources as well. It has an interesting comment:
```java
/**
 * <p>
 * This class implements a JASPI authenticator for unprotected resources. In the JASPI Servlet profile, authentication
 * for unprotected resources is optional but it is still allowed. When performed, the JASPI authentication modules must
 * grant access to the unprotected resources irrespective of the caller, which may be anonymous (i.e, no security info
 * supplied).
 * </p>
 *
 * @author <a href="mailto:[email protected]">Stefan Guilhen</a>
 */
@SuppressWarnings("unused")
public class WebJASPIOptionalAuthenticator extends ValveBase {
```
I couldn't really find a spec reference that says authentication for unprotected resources is optional.
@glassfishrobot Commented
monzillo said:
Arjan, you are correct that the Servlet profile of JSR 196 requires that ServerAuthContext#validateRequest be called on every request that satisfies the connection requirements (i.e., any user-data-constraint). Other than the above exception this includes all request urls independent of whether the resource would have been authorized prior to the call to validateRequest. That said, once validateRequest is called, the authentication module is expected to behave differently if authentication is not mandatory for the request url. This is spelled out in section 3.8. The module specific details are described in 3.8.3.1.
I will ask that the TCK add a test.
In the context of this issue in Servlet, I would expect the same behavior to be required to handle "preemptive" authenticators, but as suggested by Mark, this could be limited to some specific auth mechanisms, in which case, it likely will be necessary to require the processing of an included authenticator.
@glassfishrobot Commented
markt_asf said:
One additional point of clarification. If the user pre-emptively sends a user name and password that are not valid (user doesn't exist, wrong password, etc.) to an unprotected resource, how should the container react? Should it reject the request because the credentials are invalid, or should it allow the request and just ignore the credentials? I lean towards the former as I am concerned that the latter approach may open the door to brute force password cracking attempts.
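As an added example (not code from the spec, this thread, or any container), a hypothetical JASPIC (JSR 196) server auth module that is invoked on every request as monzillo describes, reads the isMandatory property to learn whether the target URL is protected, and applies the policy Mark leans towards to invalid pre-emptive credentials: the failure is recorded and the request rejected even when the resource is unprotected, so guessing against unprotected URLs is throttled and logged like any other failed login. The PasswordStore interface and the "store" option name are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

// Hypothetical JASPIC server auth module; the Servlet profile calls validateRequest on every request.
public class PreemptiveBasicSam implements ServerAuthModule {
    // Assumed helper (not a JASPIC API): verify() checks a password, recordFailure() feeds lockout/alerting.
    public interface PasswordStore { boolean verify(String user, String pw); void recordFailure(String user, String ip); }
    private static final String IS_MANDATORY = "javax.security.auth.message.MessagePolicy.isMandatory";
    private CallbackHandler handler;
    private PasswordStore store;

    @Override public void initialize(MessagePolicy reqPolicy, MessagePolicy resPolicy, CallbackHandler h, Map options) {
        handler = h;
        store = (PasswordStore) options.get("store"); // assumed option name
    }

    @Override public AuthStatus validateRequest(MessageInfo mi, Subject client, Subject service) throws AuthException {
        HttpServletRequest req = (HttpServletRequest) mi.getRequestMessage();
        HttpServletResponse res = (HttpServletResponse) mi.getResponseMessage();
        boolean mandatory = Boolean.parseBoolean((String) mi.getMap().get(IS_MANDATORY)); // "false" = unprotected URL
        String auth = req.getHeader("Authorization");
        // No authenticator: challenge if the URL is protected, otherwise let the request through anonymously.
        if (auth == null || !auth.regionMatches(true, 0, "Basic ", 0, 6)) return mandatory ? challenge(res) : AuthStatus.SUCCESS;
        String[] cred;
        try {
            cred = new String(Base64.getDecoder().decode(auth.substring(6).trim()), StandardCharsets.UTF_8).split(":", 2);
        } catch (IllegalArgumentException e) { cred = new String[0]; } // malformed base64 is a failed attempt too
        if (cred.length == 2 && store.verify(cred[0], cred[1])) {
            try { handler.handle(new Callback[] { new CallerPrincipalCallback(client, cred[0]) }); }
            catch (Exception e) { throw new AuthException(e.getMessage()); }
            return AuthStatus.SUCCESS; // valid pre-emptive credentials establish the caller, protected URL or not
        }
        // Invalid pre-emptive credentials: count the failure even on an unprotected URL, then reject (Mark's preferred policy).
        store.recordFailure(cred.length > 0 ? cred[0] : "<malformed>", req.getRemoteAddr());
        return challenge(res);
    }

    private AuthStatus challenge(HttpServletResponse res) {
        res.setHeader("WWW-Authenticate", "Basic realm=\"example\"");
        res.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return AuthStatus.SEND_CONTINUE;
    }

    @Override public Class[] getSupportedMessageTypes() { return new Class[] { HttpServletRequest.class, HttpServletResponse.class }; }
    @Override public AuthStatus secureResponse(MessageInfo mi, Subject service) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject s) { if (s != null) s.getPrincipals().clear(); }
}
```

To implement the alternative "ignore" policy instead, the last line of validateRequest would return AuthStatus.SUCCESS when the URL is unprotected, but the recordFailure call should stay so the attempt is still counted.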
@glassfishrobot Commented
This issue was imported from java.net JIRA SERVLET_SPEC-21