[ https://issues.apache.org/jira/browse/TOMEE-4108?focusedWorklogId=824629&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-824629 ]
ASF GitHub Bot logged work on TOMEE-4108:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 09/Nov/22 15:00
Start Date: 09/Nov/22 15:00
Worklog Time Spent: 10m
Work Description: rzo1 opened a new pull request, #961:
URL: https://github.com/apache/tomee/pull/961
as the title says
Issue Time Tracking
-------------------
Worklog Id: (was: 824629)
Remaining Estimate: 0h
Time Spent: 10m
> Backport TOMEE-4065: LoginToContinue interceptor fails on custom auth mechanism
> -------------------------------------------------------------------------------
>
> Key: TOMEE-4108
> URL: https://issues.apache.org/jira/browse/TOMEE-4108
> Project: TomEE
> Issue Type: Bug
> Affects Versions: 8.0.13
> Reporter: Stefan Kalscheuer
> Assignee: Stefan Kalscheuer
> Priority: Minor
> Time Spent: 10m
> Remaining Estimate: 0h
>
> I stumbled across an issue using a custom _HttpAuthenticationMechanism_
> implementation using the _@LoginToContinue_ annotation directly.
> *Minimal example code:*
> {code:java}
> @ApplicationScoped
> @AutoApplySession
> @LoginToContinue
> public class AuthMechanism implements HttpAuthenticationMechanism {
>     @Override
>     public AuthenticationStatus validateRequest(HttpServletRequest request,
>                                                 HttpServletResponse response,
>                                                 HttpMessageContext httpMessageContext) throws AuthenticationException {
>         /* do auth stuff */
>     }
> }
> {code}
>
> *Expected behavior*
> I would expect the application server to redirect any request to a protected
> URL to the login page (without additional specification this would be
> "/login" here).
>
> *Observable behavior*
> Apparently this raises an error 500:
> {quote}
> java.lang.IllegalArgumentException
> org.apache.tomee.security.cdi.LoginToContinueInterceptor.getLoginToContinue(LoginToContinueInterceptor.java:221)
> org.apache.tomee.security.cdi.LoginToContinueInterceptor.processContainerInitiatedAuthentication(LoginToContinueInterceptor.java:134)
> org.apache.tomee.security.cdi.LoginToContinueInterceptor.validateRequest(LoginToContinueInterceptor.java:78)
> org.apache.tomee.security.cdi.LoginToContinueInterceptor.intercept(LoginToContinueInterceptor.java:63)
> ...
> {quote}
>
> The interceptor checks whether the invocation target implements
> _LoginToContinueMechanism_ and calls _getLoginToContinue()_. Because we
> do have a custom implementation here, this does not apply and raises an
> exception.
>
> *Possible solution*
> My workaround is a minor extension of the interceptor, i.e. add a fallback to
> a class-level annotation of the target.
> {code:java}
> private LoginToContinue getLoginToContinue(final InvocationContext invocationContext) {
>     if (invocationContext.getTarget() instanceof LoginToContinueMechanism) {
>         return ((LoginToContinueMechanism) invocationContext.getTarget()).getLoginToContinue();
>     }
>     // WORKAROUND START
>     LoginToContinue annotation =
>         invocationContext.getTarget().getClass().getAnnotation(LoginToContinue.class);
>     if (annotation != null) {
>         return annotation;
>     }
>     // WORKAROUND END
>     throw new IllegalArgumentException();
> }
> {code}
>
> *RFC*
> Did I miss or misinterpret anything here or should the behavior of the
> interceptor be extended, e.g. with the lines proposed above?
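The lookup order described in the quoted report, as an added stand-alone Java example (not TomEE's code and not from the reporter). `LoginConfig`, `ConfigProvider`, `GeneratedSubclass` and `resolve` are hypothetical stand-ins for `@LoginToContinue`, `LoginToContinueMechanism`, a container-generated subclass of the bean, and the interceptor's `getLoginToContinue`. The explicit superclass walk goes beyond the quoted workaround and assumes the annotation might not be `@Inherited`.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

public class LoginConfigLookup {
    // Hypothetical stand-in for @LoginToContinue; deliberately not @Inherited.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    @interface LoginConfig { String loginPage() default "/login"; }

    // Hypothetical stand-in for LoginToContinueMechanism.
    interface ConfigProvider { LoginConfig getLoginConfig(); }

    @LoginConfig
    static class CustomMechanism { }

    // Constructed stand-in for a subclass generated around the bean.
    static class GeneratedSubclass extends CustomMechanism { }

    static class Unconfigured { }

    static LoginConfig resolve(Object target) {
        // 1. Built-in mechanisms hand over their configuration directly.
        if (target instanceof ConfigProvider) {
            return ((ConfigProvider) target).getLoginConfig();
        }
        // 2. Fallback: class-level annotation, checked on each superclass in turn.
        for (Class<?> c = target.getClass(); c != null; c = c.getSuperclass()) {
            LoginConfig found = c.getDeclaredAnnotation(LoginConfig.class);
            if (found != null) {
                return found;
            }
        }
        // 3. No configuration anywhere: fail, naming the target class.
        throw new IllegalArgumentException("No login configuration on " + target.getClass().getName());
    }

    public static void main(String[] args) {
        System.out.println(resolve(new CustomMechanism()).loginPage());
        System.out.println(resolve(new GeneratedSubclass()).loginPage());
        try {
            resolve(new Unconfigured());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```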