jakartaee / authentication

Jakarta Authentication
https://eclipse.org/ee4j/jaspic

[TCK] Clarification/JASPIC: coordinating CallbackHandler calls to build proper principal. #115

Open jeanouii opened 3 years ago

jeanouii commented 3 years ago

While running the TCK against Tomcat I noticed some random failures related to this. https://github.com/eclipse-ee4j/jakartaee-tck/blob/master/src/com/sun/ts/tests/jaspic/tssv/module/servlet/TSServerAuthModule.java#L371

What happens is that the module is calling the callback handler multiple times and it fills the subject with multiple principals. One has only the name and the other one has the name and the group. See picture below.


When the container then gets back the Subject from the ServerAuthContext, it pulls either of the two. If you are lucky and it pulls the principal with the subject, then it works. Otherwise, the test fails.

From 3.8.3.1 of the specification

... handle a CallerPrincipalCallback using the clientSubject as argument to the callback. If more than one module of a context uses the CallbackHandler to handle this callback, the context is responsible for coordinating the calls such that the appropriate caller principal value is established.

So I'm tempted to say it's probably a bug in the TCK.

What are your thoughts on this?

markt-asf commented 2 months ago

I stumbled across this while trying to get Tomcat 11 to pass the 3.1.0 TCK.

The Servlet API expects the container to present it with a single Principal, not a Subject with multiple Principals so I took the view that Tomcat should merge those Principals into a single Principal. That makes this a Tomcat bug.

If the Jakarta Auth experts disagree, please speak up.

I have just fixed this in Tomcat and the fix will be included in the October releases.
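The following is an added illustration of the coordination both comments above talk about; it is not code from the TCK, from Tomcat or from the Jakarta Authentication project. It shows a container-side CallbackHandler that keeps exactly one container principal per Subject: every CallerPrincipalCallback sets (or resets) the caller name on that one principal instead of adding a fresh principal, and every GroupPrincipalCallback accumulates groups onto it. The simulated module in main() calls the handler twice the way the issue describes (first with only the name, then with the name plus a group), and the Subject still ends up with a single principal that carries the group. The class names MergingCallbackHandler and ContainerPrincipal, the caller name "caller" and the group "group1" are all hypothetical and chosen for this example; the only real API used is jakarta.security.auth.message.callback.* plus javax.security.auth.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import jakarta.security.auth.message.callback.CallerPrincipalCallback;
import jakarta.security.auth.message.callback.GroupPrincipalCallback;

/** Hypothetical container principal: one caller name plus the merged set of groups. */
final class ContainerPrincipal implements Principal {
    private String name;
    private final Set<String> groups = new LinkedHashSet<>();

    ContainerPrincipal(String name) { this.name = name; }

    @Override public String getName() { return name; }
    void setName(String name) { this.name = name; }
    Set<String> getGroups() { return groups; }

    @Override public String toString() { return name + groups; }
}

/** Hypothetical container CallbackHandler that merges repeated callbacks into one principal. */
final class MergingCallbackHandler implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof CallerPrincipalCallback) {
                CallerPrincipalCallback cpc = (CallerPrincipalCallback) cb;
                // The module may pass either a name or a Principal; derive the caller name from whichever is set.
                String name = cpc.getName();
                if (name == null && cpc.getPrincipal() != null) {
                    name = cpc.getPrincipal().getName();
                }
                Subject subject = cpc.getSubject();
                if (name == null) {
                    // Neither name nor principal: the module is establishing an unauthenticated caller.
                    subject.getPrincipals().removeAll(subject.getPrincipals(ContainerPrincipal.class));
                } else {
                    // Reuse the single container principal; a second call updates it rather than adding another.
                    containerPrincipal(subject).setName(name);
                }
            } else if (cb instanceof GroupPrincipalCallback) {
                GroupPrincipalCallback gpc = (GroupPrincipalCallback) cb;
                if (gpc.getGroups() != null) {
                    containerPrincipal(gpc.getSubject()).getGroups().addAll(Arrays.asList(gpc.getGroups()));
                }
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    }

    /** Returns the one ContainerPrincipal held by the Subject, creating it on first use. */
    private static ContainerPrincipal containerPrincipal(Subject subject) {
        Set<ContainerPrincipal> existing = subject.getPrincipals(ContainerPrincipal.class);
        if (!existing.isEmpty()) {
            return existing.iterator().next();
        }
        ContainerPrincipal p = new ContainerPrincipal(null);
        subject.getPrincipals().add(p);
        return p;
    }

    public static void main(String[] args) throws Exception {
        Subject clientSubject = new Subject();
        CallbackHandler handler = new MergingCallbackHandler();

        // Constructed call sequence mimicking the module in the issue: first only the caller name,
        // then the caller name again together with a group. Names are made up for this example.
        handler.handle(new Callback[] { new CallerPrincipalCallback(clientSubject, "caller") });
        handler.handle(new Callback[] {
            new CallerPrincipalCallback(clientSubject, "caller"),
            new GroupPrincipalCallback(clientSubject, new String[] { "group1" }) });

        // The Subject now holds a single ContainerPrincipal carrying both the name and the group,
        // so whichever principal the container picks for the Servlet API is the complete one.
        System.out.println("principal count: " + clientSubject.getPrincipals().size());
        System.out.println("principals: " + clientSubject.getPrincipals());
    }
}
```

Compile and run it against the jakarta.authentication-api jar on the classpath. The point of the design is that the decision is made once, in the handler, so the code that later maps the Subject to the Servlet request principal never has to choose between competing Principal objects.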