"During validateRequest processing, a ServerAuthModule must NOT unwrap a message in MessageInfo"
This is a fairly specific "must NOT" statement which is why we added verification that this is adhered to.
It says that, but note that the sentence continues as follows:
"During validateRequest processing, a ServerAuthModule must NOT unwrap a message in MessageInfo, and must NOT establish a wrapped message in MessageInfo"
Specifically note the difference between "unwrap a message in MessageInfo" and "establish a wrapped message in MessageInfo". They key here is in "unwrap" vs "establish a wrapped message".
I agree it's not super easy to interpret, but I think it means:
1. During request processing, the message that you get from MessageInfo, should not be unwrapped and then used.
2. Request processing should not result in setting a wrapped message in MessageInfo. This is made evident by the reference to the return value, which is obviously only observed by the caller of validateRequest.
E.g. the following should not be done for "unwrap a message in MessageInfo"
HttpServletResponse response = ( HttpServletResponse) messageInfo.getResponseMessage();
// Don't do this
if (response instanceof HttpServletResponseWrapper) {
response = ((HttpServletResponseWrapper) response).getResponse();
}
and the following should also not be done:
validateRequest() {
// ...
messageInfo.setResponseMessage(new HttpServletResponseWrapper(response));
return AuthStatus.SEND_FAILURE;
}
This is where in WildFly we prohibit unwrapping during the call to validateResponse which leads to the failure when line 77 is hit on the decorator.
The example further reinforces this:
"For example, if during validateRequest processing a ServerAuthModule calls MessageInfo.setResponseMessage(), the response argument must be an HttpServletResponseWrapper that wraps the HttpServletResponse within MessageInfo."
During validateRequest the only allowed argument to these methods is an instance that wraps the existing message.
It's probably not the only allowed one, otherwise it would not say "for example", but I agree especially this one is tricky and open to interpretation. But in combination with the sentence above, that explicitly uses different verbiage with the "establish" word, I would go for the previous reading.
Even more so, since it's not even close to doing this:
// Really don't do this in validateRequest
HttpServletResponse response = ( HttpServletResponse) messageInfo.getResponseMessage();
if (response instanceof HttpServletResponseWrapper) {
response = ((HttpServletResponseWrapper) response).getResponse();
// Allowed by internal messageInfo validation rules, not allowed by validateRequest rules
messageInfo.setResponseMessage(response);
}
That part of the rules is intended for the validateRequest/secureResponse balance (validateRequest wraps, secureResponse unwraps).
Kind regards,
Arjan Tijms
