[es-dev] Jakarta Security - app-mem-basic-decorate test

[Darran Lofthouse <darran.lofthouse@xxxxxxxxx>]

I am also running into an issue running the app-mem-basic-decorate test case within the TCK on WildFly I would like to discuss.

The implementation of the decorator I believe does not adhere to the requirements of the Jakarta Authentication specification, specifically regarding wrapping the HttpServletRequest:

https://github.com/jakartaee/security/blob/master/tck/app-mem-basic-decorate/src/main/java/ee/jakarta/tck/security/test/AuthenticationMechanismDecorator.java#L57

https://github.com/jakartaee/security/blob/master/tck/app-mem-basic-decorate/src/main/java/ee/jakarta/tck/security/test/AuthenticationMechanismDecorator.java#L77

The restrictions on a ServerAuthModule are described in section 3.9.3.5:

https://jakarta.ee/specifications/authentication/3.0/jakarta-authentication-spec-3.0.html#a459

"During validateRequest processing, a ServerAuthModule must NOT unwrap a message in MessageInfo, and must NOT establish a wrapped message in MessageInfo unless the ServerAuthModule returns AuthStatus.SUCCESS"

Line 57 is really contrary to the second half of this sentence as it is being set to detect a failed authentication rather than as a result of deciding to send "AuthStatus.SUCCESS".  This isn't actually causing me an issue but maybe worth reconsidering.

Line 77 however is causing me an issue as the ServerAuthModule "must NOT" unwrap the message in MessageInfo so within WildFly we are detecting this banned action and rejecting it.  This in turn is leading to the TCK test failing.

--

Darran Lofthouse

Red Hat

darran.lofthouse@xxxxxxxxx