Re: [es-dev] Jakarta Security - app-mem-basic-decorate test

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [es-dev] Jakarta Security - app-mem-basic-decorate test

From: Darran Lofthouse <darran.lofthouse@xxxxxxxxx>
Date: Wed, 17 Aug 2022 19:46:16 +0100
Delivered-to: es-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/es-dev/>
List-help: <mailto:es-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/es-dev>, <mailto:es-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/es-dev>, <mailto:es-dev-request@eclipse.org?subject=unsubscribe>

Thank you for your reply Arjan but I don't think this section is talking about what is returned, I believe it is talking about the name of the arguments passed into the MessageInfo calls.

Going back to the first sentence in this section:

"A ServerAuthModule must only call MessageInfo.setResponseMessage() to wrap or unwrap the existing response within MessageInfo. That is, if a ServerAuthModule calls MessageInfo.setResponseMessage(), the response argument must be an HtppServletResponseWrapper"

The method being called is setResponseMessage(), that method takes a single argument which is called "response" so when referring to "response argument" it is referring to the argument passed into the message call.

It then includes the following line:

" The analogous requirements apply to MessageInfo.setRequestMessage()."

So if this section had been written from the perspective of the request first it would have instead been:

"A ServerAuthModule must only call MessageInfo.setRequestMessage() to wrap or unwrap the existing request within MessageInfo. That is, if a ServerAuthModule calls MessageInfo.setRequestMessage(), the request argument must be an HtppServletRequestWrapper"

The example within this section is then specifically talking about the method call within validateRequest, the following sentence doesn't leave any leeway to be talking about the resulting state after the call has completed.

"For example, if during validateRequest processing a ServerAuthModule calls MessageInfo.setResponseMessage(), the response argument must be an HttpServletResponseWrapper that wraps the HttpServletResponse within MessageInfo."

response here is just the name of the argument being passed to the setResponseMessage method.

Based on the terminology today it would probably be more correct to refer to this as "response parameter" especially as today that is how we would document them in javadoc however this spec has chosen to refer to them as '"name" argument'. This can be seen going back to section 1.2.4:

https://jakarta.ee/specifications/authentication/3.0/jakarta-authentication-spec-3.0.html#a172

"ServerAuthContext serverContext =
serverConfig.getAuthContext(authContextID, serviceSubject, properties);

The properties argument is used to pass additional initialization time properties to the authentication modules"

This pattern then repeats throughout the specification in the form "name argument" to refer to the name of the parameter passed into the method being discussed.

At no other point in the specification is "response argument" used to indicate the state of an object instance after a specific call.

On Wed, Aug 17, 2022 at 6:54 PM arjan tijms <arjan.tijms@xxxxxxxxx> wrote:

Hi,

On Wed, Aug 17, 2022 at 5:59 PM Darran Lofthouse <darran.lofthouse@xxxxxxxxx> wrote:
I am also running into an issue running the app-mem-basic-decorate test case within the TCK on WildFly I would like to discuss.

The implementation of the decorator I believe does not adhere to the requirements of the Jakarta Authentication specification, specifically regarding wrapping the HttpServletRequest:

https://github.com/jakartaee/security/blob/master/tck/app-mem-basic-decorate/src/main/java/ee/jakarta/tck/security/test/AuthenticationMechanismDecorator.java#L57
https://github.com/jakartaee/security/blob/master/tck/app-mem-basic-decorate/src/main/java/ee/jakarta/tck/security/test/AuthenticationMechanismDecorator.java#L77

The restrictions on a ServerAuthModule are described in section 3.9.3.5:

https://jakarta.ee/specifications/authentication/3.0/jakarta-authentication-spec-3.0.html#a459
"During validateRequest processing, a ServerAuthModule must NOT unwrap a message in MessageInfo, and must NOT establish a wrapped message in MessageInfo unless the ServerAuthModule returns AuthStatus.SUCCESS"

Line 57 is really contrary to the second half of this sentence as it is being set to detect a failed authentication rather than as a result of deciding to send "AuthStatus.SUCCESS". This isn't actually causing me an issue but maybe worth reconsidering.

I see how that could come across as confusing, although technically (but see next comment) this is not what is happening here. 3.9.3.5 is about not "returning" a wrapped response when the status is not "AuthStatus.SUCCESS".

E.g. only after "AuthStatus.SUCCESS" is "the resource invoked" (the Servlet chain, including Filters called). I believe the idea of this restriction is that a wrapped response would be intended for the next Servlet and/or Filter, which in that case would not be called.

But as the wrapped response is not "returned" (only used internally during processing), in principal no rules would have been violated (but again see next comment):

Or in some pseudo code:

Messaging runtime:
Object responseMessage = ...
messageInfo.setResponseMessage(responseMessage);

Call validateRequest(messageInfo);

if (AuthStatus.SUCCESS) {
invokeResource(...)
} else {
if !responseMessage.equals(messageInfo.getResponseMessage()) {
throw new Exception("illegal wrapping");
}
}

That's why the following part is there:

} finally {
// Restore the original response
httpMessageContext.getMessageInfo().setResponseMessage(response);
}

The test only uses the getError for a quick detection of failure, and wouldn't care about a response being reset by itself. It was done so not to violate 3.9.3.5 in principal.

Line 77 however is causing me an issue as the ServerAuthModule "must NOT" unwrap the message in MessageInfo so within WildFly we are detecting this banned action and rejecting it. This in turn is leading to the TCK test failing.

So the confusion is with this definition:

"if a ServerAuthModule calls MessageInfo.setResponseMessage(), the response argument must be an HtppServletResponseWrapper that wraps the HttpServletResponse within MessageInfo, or the response argument must be an HttpServletResponse that is wrapped by the HttpServletResponseWrapper within MessageInfo"

In this very strict definition:

MessageInfo.setResponseMessage(HtppServletResponseWrapper) // counts as wrapping
MessageInfo.setResponseMessage(HttpServletResponse) // counts as unwrapping

By setting the original response again, it would by that definition count as unwrapping, even if there's no actual unwrapping of any kind being done.

So going back to this:

"During validateRequest processing, a ServerAuthModule must NOT unwrap a message in MessageInfo, and must NOT establish a wrapped message in MessageInfo unless the ServerAuthModule returns AuthStatus.SUCCESS"

That all seems to be fine. During processing no unwrapped message is set (instead, a wrapped one is), and after processing there is no wrapped message present (instead, the original one is, which could say is unwrapped).

Now if you look at this one, it's perhaps confusing:

"if a ServerAuthModule calls MessageInfo.setResponseMessage(), the response argument must be an HtppServletResponseWrapper that wraps the HttpServletResponse within MessageInfo, or the response argument must be an HttpServletResponse that is wrapped by the HttpServletResponseWrapper within MessageInfo"

It's stated that way such that one can not set an arbitrary response. It must always be the response by either adding a wrapper layer, or removing one, of the version that is currently set in message info.

So if you look at what the test does

ResponseWrapper responseWrapper = new ResponseWrapper(response);
httpMessageContext.getMessageInfo().setResponseMessage(responseWrapper);

1. Wrapping during validateRequest - allowed
2. Argument is HtppServletResponseWrapper wrapping the HttpServletResponse currently in message info - allowed

httpMessageContext.getMessageInfo().setResponseMessage(response);

1. Not establishing a wrapped response - allowed (required)
2. Argument is HttpServletResponse unwrapping the HtppServletResponseWrapper currently in message info - allowed

I had to read the sections a couple of times as well, but I think the test should be correct. The code to detect unwrapping / wrapping by the implementation is quite subtle.

Kind regards,
Arjan Tijms

--
Darran Lofthouse
Red Hat
darran.lofthouse@xxxxxxxxx
_______________________________________________
es-dev mailing list
es-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/es-dev

_______________________________________________
es-dev mailing list
es-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/es-dev

Follow-Ups:
- Re: [es-dev] Jakarta Security - app-mem-basic-decorate test
  - From: arjan tijms

References:
- [es-dev] Jakarta Security - app-mem-basic-decorate test
  - From: Darran Lofthouse
- Re: [es-dev] Jakarta Security - app-mem-basic-decorate test
  - From: arjan tijms

Prev by Date: Re: [es-dev] Jakarta Security - app-mem-basic-decorate test
Next by Date: Re: [es-dev] Jakarta Security - app-mem-basic-decorate test
Previous by thread: Re: [es-dev] Jakarta Security - app-mem-basic-decorate test
Next by thread: Re: [es-dev] Jakarta Security - app-mem-basic-decorate test
Index(es):
- Date
- Thread

Breadcrumbs