[ 
https://issues.apache.org/jira/browse/TOMEE-4065?focusedWorklogId=824596&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-824596
 ]

ASF GitHub Bot logged work on TOMEE-4065:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Nov/22 14:08
            Start Date: 09/Nov/22 14:08
    Worklog Time Spent: 10m
      Work Description: jeanouii commented on PR #959:
URL: https://github.com/apache/tomee/pull/959#issuecomment-1308819736

   I agree that it does not hurt. Can you push your changes in this branch so 
when I merge, your changes are included instead of me stealing your test?




Issue Time Tracking
-------------------

    Worklog Id:     (was: 824596)
    Time Spent: 20m  (was: 10m)

> LoginToContinue interceptor fails on custom auth mechanism
> ----------------------------------------------------------
>
>                 Key: TOMEE-4065
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4065
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 9.0.0-M8, 9.0.0.RC1
>            Reporter: Stefan Kalscheuer
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> I stumbled across an issue using a custom _HttpAuthenticationMechanism_ 
> implementation using the _@LoginToContinue_ annotation directly.
> *Minimal example code:*
> {code:java}
> import jakarta.enterprise.context.ApplicationScoped;
> import jakarta.security.enterprise.AuthenticationException;
> import jakarta.security.enterprise.AuthenticationStatus;
> import jakarta.security.enterprise.authentication.mechanism.http.AutoApplySession;
> import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
> import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
> import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
> import jakarta.servlet.http.HttpServletRequest;
> import jakarta.servlet.http.HttpServletResponse;
>
> @ApplicationScoped
> @AutoApplySession
> @LoginToContinue
> public class AuthMechanism implements HttpAuthenticationMechanism {
>   @Override
>   public AuthenticationStatus validateRequest(HttpServletRequest request,
>                                               HttpServletResponse response,
>                                               HttpMessageContext httpMessageContext) throws AuthenticationException {
>     /* do auth stuff */
>     return httpMessageContext.doNothing(); // placeholder return so the sketch compiles; the real logic is elided above
>   }
> }
> {code}
>  
> *Expected behavior*
> I would expect the application server to redirect any request to a protected 
> URL to the login page (without additional specification this would be 
> "/login" here).
>  
> *Observable behavior*
> Apparently this raises an error 500:
> {quote}java.lang.IllegalArgumentException
> org.apache.tomee.security.cdi.LoginToContinueInterceptor.getLoginToContinue(LoginToContinueInterceptor.java:221)
> org.apache.tomee.security.cdi.LoginToContinueInterceptor.processContainerInitiatedAuthentication(LoginToContinueInterceptor.java:134)
> org.apache.tomee.security.cdi.LoginToContinueInterceptor.validateRequest(LoginToContinueInterceptor.java:78)
> org.apache.tomee.security.cdi.LoginToContinueInterceptor.intercept(LoginToContinueInterceptor.java:63)
> ...
> {quote}
>  
> The interceptor checks whether the invocation target implements 
> _LoginToContinueMechanism_ and calls {_}getLoginToContinue(){_}. Because we 
> do have a custom implementation here, this does not apply and raises an 
> exception.
>  
> *Possible solution*
> My workaround is a minor extension of the interceptor, i.e. add a fallback to 
> a class-level annotation of the target.
> {code:java}
> private LoginToContinue getLoginToContinue(final InvocationContext invocationContext) {
>   if (invocationContext.getTarget() instanceof LoginToContinueMechanism) {
>     return ((LoginToContinueMechanism) invocationContext.getTarget()).getLoginToContinue();
>   }
>   // WORKAROUND START
>   LoginToContinue annotation =
>       invocationContext.getTarget().getClass().getAnnotation(LoginToContinue.class);
>   if (annotation != null) {
>     return annotation;
>   }
>   // WORKAROUND END
>   throw new IllegalArgumentException();
> }
> {code}
>  
> *RFC*
> Did I miss or misinterpret anything here or should the behavior of the 
> interceptor be extended, e.g. with the lines proposed above?
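The failure mode and the proposed fallback can be checked outside the container. The following is an added, stand-alone example written for this page, not code from TomEE or from the reporter's pull request. It uses local stand-ins for the Jakarta Security types named above (`LoginToContinue`, `LoginToContinueMechanism`, `InvocationContext`; the real types are assumed to behave the same way for the purposes of the lookup), and runs the original interface-only resolution next to the annotation-fallback resolution against three kinds of target: a mechanism that implements the interface, a mechanism that carries the class-level annotation, and one with neither configuration. It also covers a generated subclass of the annotated mechanism, which is why the stand-in annotation is declared `@Inherited` (the assumption being that a CDI implementation may hand the interceptor such a subclass as the target).

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

public class LoginToContinueLookupDemo {

    // Hypothetical local stand-in for jakarta.security.enterprise...LoginToContinue.
    // Declared @Inherited so that a generated subclass of an annotated bean still exposes it.
    @Inherited
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    @interface LoginToContinue {
        String loginPage() default "/login";
        String errorPage() default "/login-error";
        boolean useForwardToLogin() default true;
    }

    // Stand-in for the interface the built-in mechanisms implement.
    interface LoginToContinueMechanism {
        LoginToContinue getLoginToContinue();
    }

    // Stand-in for jakarta.interceptor.InvocationContext; only getTarget() is needed here.
    interface InvocationContext {
        Object getTarget();
    }

    // Holder class used to obtain an annotation instance for the built-in style mechanism.
    @LoginToContinue(loginPage = "/form-login")
    static class FormConfig {}

    // Built-in style: configuration is supplied programmatically through the interface.
    static class BuiltInMechanism implements LoginToContinueMechanism {
        @Override
        public LoginToContinue getLoginToContinue() {
            return FormConfig.class.getAnnotation(LoginToContinue.class);
        }
    }

    // The reporter's case: a custom mechanism annotated directly with @LoginToContinue.
    @LoginToContinue(loginPage = "/login")
    static class CustomMechanism {}

    // Constructed stand-in for a container-generated subclass of the custom mechanism.
    static class GeneratedSubclass extends CustomMechanism {}

    // Neither the interface nor the annotation: there is no configuration to resolve.
    static class UnconfiguredMechanism {}

    // Original resolution: interface only, otherwise IllegalArgumentException.
    static LoginToContinue originalLookup(InvocationContext ctx) {
        if (ctx.getTarget() instanceof LoginToContinueMechanism) {
            return ((LoginToContinueMechanism) ctx.getTarget()).getLoginToContinue();
        }
        throw new IllegalArgumentException("target is not a LoginToContinueMechanism");
    }

    // Resolution with the class-level annotation fallback proposed in the report.
    static LoginToContinue lookupWithFallback(InvocationContext ctx) {
        Object target = ctx.getTarget();
        if (target instanceof LoginToContinueMechanism) {
            return ((LoginToContinueMechanism) target).getLoginToContinue();
        }
        LoginToContinue annotation = target.getClass().getAnnotation(LoginToContinue.class);
        if (annotation != null) {
            return annotation;
        }
        throw new IllegalArgumentException("no @LoginToContinue configuration on " + target.getClass().getName());
    }

    // Runs both resolutions against one target and reports the resolved login page or the failure.
    static String describe(String label, Object target) {
        InvocationContext ctx = () -> target;
        String original;
        try {
            original = originalLookup(ctx).loginPage();
        } catch (IllegalArgumentException e) {
            original = "IllegalArgumentException";
        }
        String fallback;
        try {
            fallback = lookupWithFallback(ctx).loginPage();
        } catch (IllegalArgumentException e) {
            fallback = "IllegalArgumentException";
        }
        return String.format("%-26s original=%-25s fallback=%s", label, original, fallback);
    }

    public static void main(String[] args) {
        System.out.println(describe("built-in (interface)", new BuiltInMechanism()));
        System.out.println(describe("custom (@LoginToContinue)", new CustomMechanism()));
        System.out.println(describe("custom via subclass", new GeneratedSubclass()));
        System.out.println(describe("unconfigured", new UnconfiguredMechanism()));
    }
}
```

Compile and run with `javac LoginToContinueLookupDemo.java && java LoginToContinueLookupDemo`. The first row resolves under both strategies, the second and third resolve only with the fallback (the second is exactly the 500 described above under the original lookup), and the last row is rejected by both, which is the behaviour a reviewer would want preserved: a mechanism with no configuration at all should still fail loudly rather than silently fall through.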



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
