Security API ignores roles provided by custom security extension

mkarg · March 23, 2022, 10:08am

In my EAR I have WAR with the following custom security extension:

@ApplicationScoped
public class CustomAuth implements HttpAuthenticationMechanism {

    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest request, HttpServletResponse response, HttpMessageContext httpMsgContext)
            throws AuthenticationException {
        Principal principal = new Principal() {
            @Override
            public String getName() {
                return "P";
            }
        };

        Set<String> roles = Set.of("R");

        return httpMsgContext.notifyContainerAboutLogin(principal, roles);
    }

}

Then I am running a BASIC Auth’ed request against this resource:

    ...

    @Context
    public SecurityContext scx;

    @Path("test") @GET @PermitAll
    public String test() {
        System.out.println(this.scx.getCallerPrincipal().getName() + " " + this.scx.isUserInRole("R"));
    }

The result is that the string P false is found in server.log, while certainly it should be P true.

Apparently Payara ignores the roles provided by the custom security extension!

mkarg · March 31, 2022, 8:24am

Hi guys, any ideas on this?

Topic		Replies	Views
Security API deployment failure in Payara Full CE 5.2022.1 Technical Discussion	0	441	March 23, 2022
How to disable JWT? Technical Discussion	0	275	March 18, 2022
Logging of the Authentication mechanism in PAYARA Technical Discussion	1	298	December 9, 2021
Client Certificate Usage Question Technical Discussion security	1	216	July 6, 2023
Run some applications as HTTP, others as HTTPS Technical Discussion	1	135	January 15, 2024

Security API ignores roles provided by custom security extension

Related Topics