[ https://issues.apache.org/jira/browse/TOMEE-4065?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17630537#comment-17630537 ]

Jean-Louis Monteiro commented on TOMEE-4065:
--------------------------------------------

Hi Stefan,

Here is a PR that adds your piece of code with a minimal test. Can you review 
and approve the PR if you are ok?

[https://github.com/apache/tomee/pull/959]

Thanks

> LoginToContinue interceptor fails on custom auth mechanism
> ----------------------------------------------------------
>
>                 Key: TOMEE-4065
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4065
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 9.0.0-M8, 9.0.0.RC1
>            Reporter: Stefan Kalscheuer
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> I stumbled across an issue using a custom _HttpAuthenticationMechanism_ 
> implementation using the _@LoginToContinue_ annotation directly.
> *Minimal example code:*
> {code:java}
> @ApplicationScoped
> @AutoApplySession
> @LoginToContinue
> public class AuthMechanism implements HttpAuthenticationMechanism {
>   @Override
>   public AuthenticationStatus validateRequest(HttpServletRequest request,
>                                               HttpServletResponse response,
>                                               HttpMessageContext httpMessageContext) throws AuthenticationException {
>     /* do auth stuff */
>     return httpMessageContext.doNothing(); // placeholder result so the snippet compiles
>   }
> }
> {code}
>
> *Expected behavior*
> I would expect the application server to redirect any request to a protected 
> URL to the login page (without additional specification this would be 
> "/login" here).
>
> *Observable behavior*
> Apparently this raises an error 500:
> {quote}java.lang.IllegalArgumentException
>     org.apache.tomee.security.cdi.LoginToContinueInterceptor.getLoginToContinue(LoginToContinueInterceptor.java:221)
>     org.apache.tomee.security.cdi.LoginToContinueInterceptor.processContainerInitiatedAuthentication(LoginToContinueInterceptor.java:134)
>     org.apache.tomee.security.cdi.LoginToContinueInterceptor.validateRequest(LoginToContinueInterceptor.java:78)
>     org.apache.tomee.security.cdi.LoginToContinueInterceptor.intercept(LoginToContinueInterceptor.java:63)
> ...
> {quote}
>
> The interceptor checks whether the invocation target implements 
> _LoginToContinueMechanism_ and calls _getLoginToContinue()_. Because we 
> do have a custom implementation here, this does not apply and raises an 
> exception.
>
> *Possible solution*
> My workaround is a minor extension of the interceptor, i.e. add a fallback to 
> a class-level annotation of the target.
> {code:java}
> private LoginToContinue getLoginToContinue(final InvocationContext invocationContext) {
>   if (invocationContext.getTarget() instanceof LoginToContinueMechanism) {
>     return ((LoginToContinueMechanism) invocationContext.getTarget()).getLoginToContinue();
>   }
>   // WORKAROUND START
>   LoginToContinue annotation = invocationContext.getTarget().getClass().getAnnotation(LoginToContinue.class);
>   if (annotation != null) {
>     return annotation;
>   }
>   // WORKAROUND END
>   throw new IllegalArgumentException();
> }
> {code}
>
> *RFC*
> Did I miss or misinterpret anything here or should the behavior of the 
> interceptor be extended, e.g. with the lines proposed above?
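To make the resolution order discussed above concrete, here is an added stand-alone Java program; it is neither the reporter's snippet nor the code in the PR, and it has no TomEE dependency. The `LoginToContinue` annotation and `LoginToContinueMechanism` interface are local stand-ins (with the spec's "/login" default), `SubclassedMechanism` is a hypothetical case standing in for a generated subclass of the bean, and the lookup generalises the workaround by walking the superclass chain and naming the offending class in the exception, so a failure like the bare `IllegalArgumentException` in the report would at least say what was rejected.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

public class LoginToContinueLookupDemo {

    // Stand-in for jakarta.security's @LoginToContinue; only the loginPage default is modelled.
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.TYPE)
    @interface LoginToContinue {
        String loginPage() default "/login";
    }

    // Stand-in for the TomEE-internal LoginToContinueMechanism interface.
    interface LoginToContinueMechanism {
        LoginToContinue getLoginToContinue();
    }

    // The situation from the report: annotated directly, interface not implemented.
    @LoginToContinue
    static class AnnotatedMechanism {}

    // Hypothetical: a container-generated subclass of the annotated bean.
    static class SubclassedMechanism extends AnnotatedMechanism {}

    // Neither the interface nor the annotation: must be rejected, not silently accepted.
    static class BareMechanism {}

    /** Same order as the interceptor: interface first, then the class-level annotation. */
    static LoginToContinue resolve(Object target) {
        if (target instanceof LoginToContinueMechanism) {
            return ((LoginToContinueMechanism) target).getLoginToContinue();
        }
        // Walk up the hierarchy so a subclass of the annotated bean still resolves.
        for (Class<?> c = target.getClass(); c != null; c = c.getSuperclass()) {
            LoginToContinue annotation = c.getAnnotation(LoginToContinue.class);
            if (annotation != null) {
                return annotation;
            }
        }
        throw new IllegalArgumentException(
                "no LoginToContinueMechanism or @LoginToContinue on " + target.getClass().getName());
    }

    public static void main(String[] args) {
        System.out.println("direct annotation -> " + resolve(new AnnotatedMechanism()).loginPage());
        System.out.println("inherited annotation -> " + resolve(new SubclassedMechanism()).loginPage());
        try {
            resolve(new BareMechanism());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```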

--
This message was sent by Atlassian Jira
(v8.20.10#820010)