Skip to main content

Custom JACC's Policy.implies method called twice per REST WS call issue

Please note these java.net forums are being decommissioned and use the new and improved forums at https://community.oracle.com/community/java.
No replies
kcg
Offline
Joined: 2013-08-13

Hello,

I'm using GlassFish 3.1.2.2 and I'm developing on top of it our custom JACC implementation. I'm testing the implementation with the REST WS which is using mutual X509 certificate authentication. The problem I see is that my Policy.implies method is called twice per WS invocation. Once it's called from RealmAdapter preAuthenticateCheck:

at com.sun.enterprise.security.web.integration.WebSecurityManager.checkPermissionWithoutCache(WebSecurityManager.java:415)
at com.sun.enterprise.security.web.integration.WebSecurityManager.checkPermission(WebSecurityManager.java:349)
at com.sun.enterprise.security.web.integration.WebSecurityManager.hasResourcePermission(WebSecurityManager.java:484)
at com.sun.web.security.RealmAdapter.invokeWebSecurityManager(RealmAdapter.java:848)
at com.sun.web.security.RealmAdapter.preAuthenticateCheck(RealmAdapter.java:1242)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)

and second time it's called by RealmAdapter hasResourcePersmission:

at com.sun.enterprise.security.web.integration.WebSecurityManager.checkPermissionWithoutCache(WebSecurityManager.java:415)
at com.sun.enterprise.security.web.integration.WebSecurityManager.checkPermission(WebSecurityManager.java:349)
at com.sun.enterprise.security.web.integration.WebSecurityManager.hasResourcePermission(WebSecurityManager.java:484)
at com.sun.web.security.RealmAdapter.invokeWebSecurityManager(RealmAdapter.java:848)
at com.sun.web.security.RealmAdapter.hasResourcePermission(RealmAdapter.java:742)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:568)

the first invocation is actually done without providing any invocation principal info down to the Policy implies method so Policy returns false in this case (resource is protected). The second invocation provides all the principal info and the authorization code of the Policy may decide if to grand or refuse access based on it.

My question is: is there any way how to avoid the first call to implies which is not providing any principal info? I see in the code that:

1239 if (helper != null && helper.getServerAuthConfig() != null) {
1240 return Realm.AUTHENTICATE_NEEDED;
1241 }
1242 isGranted = invokeWebSecurityManager(
1243 request, response, constraints);

if I do have helper != null and if it provides this server auth config, then I may run without this "pre-" implies call. My question here is how to configure the server or the service itself in a way that this condition is met and preAuth returns Realm.AUTHENTICATE_NEEDED;

Thanks a lot!
Karel