
Conditionally skip Jaspi processing during a web authentication workflow #33532

@daveywebster

Description

Links:

PSIRT issue
Slack Channel Discussion
Original GitHub Issue
PR

Overview

Currently, if feature appSecurity-3.0 or greater is used by a Liberty application, then Jaspi authentication workflows are enabled unconditionally and take precedence over any external operator configuration, such as that in server.xml.

For example, if your application code had the following:

@FormAuthenticationMechanismDefinition(
    loginToContinue = @LoginToContinue(errorPage = "/login-error.html",
                                       loginPage = "/login.html"))

and in your server.xml you had an OpenID Connect client configured such as:

<openidConnectClient id="secure"
                     clientId="<clientId>"
                     clientSecret="<clientSecret>"
                     redirectToRPHostAndPort="https://localhost:9443/"
                     discoveryEndpointUrl="https://preprod.login.w3.ibm.com/oidc/endpoint/default/.well-known/openid-configuration"
                     ...
                     >
</openidConnectClient>

then the authentication of a username and password always falls to the Jaspi @FormAuthenticationMechanismDefinition details, and never to the OpenID Connect client details.
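The following is an added example, not code from the issue or from the Open Liberty project, showing the form-based HAM above declared on a complete protected servlet. The package name, servlet path, role name and the two page paths are assumptions for illustration; with appSecurity-3.0 (Jakarta EE 8) the imports use the javax prefix instead of jakarta. It is useful as a test fixture for the acceptance criteria below: with appSecurity-3.0 or above and no skip configured, an unauthenticated request to /protected is redirected to /login.html by this HAM, whereas a redirect to the OpenID provider's authorization endpoint shows the server.xml openidConnectClient handled it.

```java
// Added example (not from the issue or the Open Liberty project).
// Package, servlet path, role and page names are assumptions.
package com.example.app;

import jakarta.annotation.security.DeclareRoles;
import jakarta.security.enterprise.authentication.mechanism.http.FormAuthenticationMechanismDefinition;
import jakarta.security.enterprise.authentication.mechanism.http.LoginToContinue;
import jakarta.servlet.annotation.HttpConstraint;
import jakarta.servlet.annotation.ServletSecurity;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;

// The HAM definition from the issue: a container-managed form login that
// sends unauthenticated callers to /login.html and failures to /login-error.html.
@FormAuthenticationMechanismDefinition(
    loginToContinue = @LoginToContinue(
        loginPage = "/login.html",
        errorPage = "/login-error.html"))
// Only callers in the "user" role may reach this servlet, so every
// unauthenticated request triggers the web authentication flow.
@WebServlet("/protected")
@DeclareRoles({"user"})
@ServletSecurity(@HttpConstraint(rolesAllowed = "user"))
public class ProtectedServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // By the time doGet runs, the container has already authenticated the
        // caller; report which principal the chosen mechanism established.
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as: " + req.getUserPrincipal().getName());
    }
}
```

The page named in loginPage must be a form that POSTs the fields j_username and j_password to j_security_check; the container, not the application, handles that submission. Comparing the Location header of the first redirect against the two expected destinations is a quick way to verify which mechanism is in effect for each feature version and configuration combination in the acceptance criteria.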

If feature appSecurity-2.0 or prior is used by a Liberty application, then Jaspi authentication workflows are not enabled; therefore the @FormAuthenticationMechanismDefinition details are ignored and the OpenID Connect client details are used instead.

The Issue

An operator may expect to override the developer-coded HTTP authentication mechanism (HAM) via external configuration, such as in server.xml. But appSecurity-3.0 or above always enables Jaspi, and Jaspi will always be favoured over external configuration.

The Request

Allow Jaspi processing to be conditionally skipped, even when Jaspi is enabled by the appSecurity feature version.

Acceptance Criteria

Given I am running a Liberty application which loads appSecurity-3.0 or above
And I have a HAM configured in my application
And I have an external authentication configured (i.e. an openid client in server.xml)
And I have explicitly configured Liberty to skip Jaspi processing
When I perform an action which triggers the web authentication flow
Then the external configuration details (i.e. an openid client in server.xml) are used for authentication.
(new behaviour when a new configuration variable is explicitly set to skip Jaspi processing)

Given I am running a Liberty application which loads appSecurity-3.0 or above
And I have a HAM configured in my application
And I have an external authentication configured (i.e. an openid client in server.xml)
And I have explicitly configured Liberty to NOT skip Jaspi processing
When I perform an action which triggers the web authentication flow
Then the HAM details are used for authentication.
(old behaviour when a new configuration variable is explicitly set to not skip Jaspi processing)

Given I am running a Liberty application which loads appSecurity-3.0 or above
And I have a HAM configured in my application
And I have a external authentication configured (such as an openid client in server.xml)
And I have NOT configured Liberty in any way to skip Jaspi processing (i.e. not added any new variables or attributes in server.xml)
When I perform an action which triggers the web authentication flow
Then the HAM details are used for authentication.
(regression testing the old behaviour when the new configuration variable is not set at all)

Given I am running a Liberty application which loads appSecurity-2.0 or below
And I have a HAM configured in my application
And I have an openid client configured externally (such as in server.xml)
And I have explicitly configured Liberty to skip or not skip Jaspi processing for all applications
When I perform an action which triggers the web authentication flow
Then the openid client details are used for authentication.
(regression testing that this new configuration variable does not interfere with appSecurity-2.0 or prior, as Jaspi is not enabled by default anyway)

Given I am browsing the Open Liberty server configuration docs
When I look for information on how to skip Jaspi processing
Then a variable exists which documents name, description, type, possible values, default value and location
And the documentation makes it clear that this applies to all applications.

Notes

As the acceptance criteria state, this configuration variable applies at the Liberty server level, i.e. to all applications. It cannot be set per application.
