Richard Zowalla created TOMEE-4108:
--------------------------------------

             Summary: Backport TOMEE-4065: LoginToContinue interceptor fails on custom auth mechanism
                 Key: TOMEE-4108
                 URL: https://issues.apache.org/jira/browse/TOMEE-4108
             Project: TomEE
          Issue Type: Bug
    Affects Versions: 9.0.0.RC1
            Reporter: Stefan Kalscheuer
            Assignee: Stefan Kalscheuer
             Fix For: 9.0.0


I stumbled across an issue using a custom _HttpAuthenticationMechanism_ 
implementation using the _@LoginToContinue_ annotation directly.

*Minimal example code:*
{code:java}
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.AutoApplySession;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

@ApplicationScoped
@AutoApplySession
@LoginToContinue
public class AuthMechanism implements HttpAuthenticationMechanism {
  @Override
  public AuthenticationStatus validateRequest(HttpServletRequest request,
                                              HttpServletResponse response,
                                              HttpMessageContext httpMessageContext) throws AuthenticationException {
    /* do auth stuff */
    return httpMessageContext.doNothing(); // placeholder result so the minimal example compiles
  }
}
{code}

*Expected behavior*

I would expect the application server to redirect any request to a protected 
URL to the login page (without additional specification this would be "/login" 
here).


*Observable behavior*

Apparently this raises an error 500:
{quote}java.lang.IllegalArgumentException
org.apache.tomee.security.cdi.LoginToContinueInterceptor.getLoginToContinue(LoginToContinueInterceptor.java:221)
org.apache.tomee.security.cdi.LoginToContinueInterceptor.processContainerInitiatedAuthentication(LoginToContinueInterceptor.java:134)
org.apache.tomee.security.cdi.LoginToContinueInterceptor.validateRequest(LoginToContinueInterceptor.java:78)
org.apache.tomee.security.cdi.LoginToContinueInterceptor.intercept(LoginToContinueInterceptor.java:63)
...
{quote}

The interceptor checks whether the invocation target implements _LoginToContinueMechanism_ and calls _getLoginToContinue()_. Because we do have a custom implementation here, this does not apply and raises an exception.


*Possible solution*

My workaround is a minor extension of the interceptor, i.e. add a fallback to a 
class-level annotation of the target.
{code:java}
private LoginToContinue getLoginToContinue(final InvocationContext invocationContext) {
  // Existing behaviour: built-in mechanisms expose the annotation programmatically.
  if (invocationContext.getTarget() instanceof LoginToContinueMechanism) {
    return ((LoginToContinueMechanism) invocationContext.getTarget()).getLoginToContinue();
  }

  // WORKAROUND START
  // Fallback for custom mechanisms that carry @LoginToContinue on the class itself.
  LoginToContinue annotation = invocationContext.getTarget().getClass().getAnnotation(LoginToContinue.class);
  if (annotation != null) {
    return annotation;
  }
  // WORKAROUND END

  throw new IllegalArgumentException();
}
{code}

*RFC*

Did I miss or misinterpret anything here or should the behavior of the 
interceptor be extended, e.g. with the lines proposed above?
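The lookup order of the proposed fallback can be checked outside a container. The following is an added example, not code from the issue or from TomEE; it takes the bean instance directly instead of an InvocationContext, and assumes the TomEE interface lives in the org.apache.tomee.security.cdi package shown in the stack trace above.

```java
import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
import org.apache.tomee.security.cdi.LoginToContinueMechanism; // package assumed from the stack trace

public final class LoginToContinueResolutionCheck {

    /** Same precedence as the proposed interceptor change: interface first, then class annotation. */
    static LoginToContinue resolve(final Object target) {
        if (target instanceof LoginToContinueMechanism) {
            return ((LoginToContinueMechanism) target).getLoginToContinue();
        }
        // Class-level lookup; a container that hands over a generated subclass relies on the
        // annotation being inheritable, so verify this on the real deployment as well.
        final LoginToContinue annotation = target.getClass().getAnnotation(LoginToContinue.class);
        if (annotation != null) {
            return annotation;
        }
        throw new IllegalArgumentException("no @LoginToContinue on " + target.getClass().getName());
    }

    /** The reporter's case: a custom mechanism carrying only the class-level annotation. */
    @LoginToContinue(loginPage = "/signin", errorPage = "/signin-error", useForwardToLogin = false)
    static final class AnnotatedOnly { }

    /** A mechanism implementing the interface; its programmatic value must win over the class annotation. */
    @LoginToContinue
    static final class InterfaceBacked implements LoginToContinueMechanism {
        @Override
        public LoginToContinue getLoginToContinue() {
            return ProgrammaticHolder.class.getAnnotation(LoginToContinue.class);
        }
        @LoginToContinue(loginPage = "/programmatic")
        private static final class ProgrammaticHolder { }
    }

    /** Neither source present: the interceptor must still reject the target. */
    static final class NothingConfigured { }

    public static void main(final String[] args) {
        LoginToContinue viaAnnotation = resolve(new AnnotatedOnly());
        System.out.println(viaAnnotation.loginPage() + " forward=" + viaAnnotation.useForwardToLogin());

        LoginToContinue viaInterface = resolve(new InterfaceBacked());
        System.out.println(viaInterface.loginPage());

        try {
            resolve(new NothingConfigured());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```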



--
This message was sent by Atlassian Jira
(v8.20.10#820010)