[ https://issues.apache.org/jira/browse/TOMEE-4065?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Louis Monteiro reassigned TOMEE-4065:
------------------------------------------

    Assignee: Stefan Kalscheuer

> LoginToContinue interceptor fails on custom auth mechanism
> ----------------------------------------------------------
>
>                 Key: TOMEE-4065
>                 URL: https://issues.apache.org/jira/browse/TOMEE-4065
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 9.0.0-M8, 9.0.0.RC1
>            Reporter: Stefan Kalscheuer
>            Assignee: Stefan Kalscheuer
>            Priority: Major
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> I stumbled across an issue using a custom _HttpAuthenticationMechanism_
> implementation using the _@LoginToContinue_ annotation directly.
>
> *Minimal example code:*
> {code:java}
> @ApplicationScoped
> @AutoApplySession
> @LoginToContinue
> public class AuthMechanism implements HttpAuthenticationMechanism {
>     @Override
>     public AuthenticationStatus validateRequest(HttpServletRequest request,
>                                                 HttpServletResponse response,
>                                                 HttpMessageContext httpMessageContext) throws AuthenticationException {
>         /* do auth stuff */
>     }
> }
> {code}
>
> *Expected behavior*
> I would expect the application server to redirect any request to a protected
> URL to the login page (without additional specification this would be
> "/login" here).
>
> *Observable behavior*
> Apparently this raises an error 500:
> {quote}java.lang.IllegalArgumentException
>     org.apache.tomee.security.cdi.LoginToContinueInterceptor.getLoginToContinue(LoginToContinueInterceptor.java:221)
>     org.apache.tomee.security.cdi.LoginToContinueInterceptor.processContainerInitiatedAuthentication(LoginToContinueInterceptor.java:134)
>     org.apache.tomee.security.cdi.LoginToContinueInterceptor.validateRequest(LoginToContinueInterceptor.java:78)
>     org.apache.tomee.security.cdi.LoginToContinueInterceptor.intercept(LoginToContinueInterceptor.java:63)
>     ...
> {quote}
>
> The interceptor checks whether the invocation target implements
> _LoginToContinueMechanism_ and calls {_}getLoginToContinue(){_}. Because we
> do have a custom implementation here, this does not apply and raises an
> exception.
>
> *Possible solution*
> My workaround is a minor extension of the interceptor, i.e. add a fallback to
> a class-level annotation of the target.
> {code:java}
> private LoginToContinue getLoginToContinue(final InvocationContext invocationContext) {
>     if (invocationContext.getTarget() instanceof LoginToContinueMechanism) {
>         return ((LoginToContinueMechanism) invocationContext.getTarget()).getLoginToContinue();
>     }
>     // WORKAROUND START
>     LoginToContinue annotation = invocationContext.getTarget().getClass().getAnnotation(LoginToContinue.class);
>     if (annotation != null) {
>         return annotation;
>     }
>     // WORKAROUND END
>     throw new IllegalArgumentException();
> }
> {code}
>
> *RFC*
> Did I miss or misinterpret anything here or should the behavior of the
> interceptor be extended, e.g. with the lines proposed above?

--
This message was sent by Atlassian Jira
(v8.20.10#820010)