https://bz.apache.org/bugzilla/show_bug.cgi?id=60196
Bug ID: 60196
Summary: isMandatory erroneously always set to true for JASPIC SAM
Product: Tomcat 9
Version: 9.0.0.M10
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: arjan.ti...@gmail.com

When the validateRequest method of a JASPIC SAM is called in Tomcat 9, the "javax.security.auth.message.MessagePolicy.isMandatory" key in the MessageInfo map is erroneously always set to true.

This happens in org.apache.catalina.authenticator.AuthenticatorBase.getJaspicState via the following code:

    new MessageInfoImpl(request.getRequest(), response.getResponse(), true);

The "true" param becomes the "authMandatory" value in the MessageInfo map:

    map.put(IS_MANDATORY, Boolean.toString(authMandatory));

However, according to section 3.8.1.1 of the JASPIC 1.1 spec this should only be true if the target resource is protected. To be more exact when:

"... the resource identified by the HttpServletRequest is covered by a Servlet auth-constraint, or in a JSR 115 compatible runtime, if the corresponding WebResourcePermission is NOT granted to an unauthenticated caller."

So while the SAM should always be called (whether authentication is required or not), "javax.security.auth.message.MessagePolicy.isMandatory" should only be set to true when authentication is actually required (which incidentally, is also the case when HttpServletRequest#authenticate is called).