Repository: karaf Updated Branches: refs/heads/karaf-4.0.x 1c0af9708 -> 001017f10
[KARAF-5330] Require a specific role to access the SSH console
Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/001017f1
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/001017f1
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/001017f1
Branch: refs/heads/karaf-4.0.x
Commit: 001017f10bc151770b920fffed23c89cedb3ee54
Parents: 1c0af97
Author: Guillaume Nodet <[email protected]>
Authored: Wed Sep 6 16:04:44 2017 +0200
Committer: Guillaume Nodet <[email protected]>
Committed: Wed Sep 6 16:10:11 2017 +0200
----------------------------------------------------------------------
 .../main/java/org/apache/karaf/shell/ssh/Activator.java | 3 ++-
 .../apache/karaf/shell/ssh/KarafJaasAuthenticator.java | 11 ++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/karaf/blob/001017f1/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
index b88d5c4..7c2d55e 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/Activator.java
@@ -143,6 +143,7 @@ public class Activator extends BaseActivator implements ManagedService {
         String sshHost = getString("sshHost", "0.0.0.0");
         long sshIdleTimeout = getLong("sshIdleTimeout", 1800000);
         String sshRealm = getString("sshRealm", "karaf");
+        String sshRole = getString("sshRole", null);
         String hostKey = getString("hostKey", System.getProperty("karaf.etc") + "/host.key");
         String hostKeyFormat = getString("hostKeyFormat", "simple");
         String authMethods = getString("authMethods", "keyboard-interactive,password,publickey");
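Review bot: The new `sshRole` option is read with a `null` default, which means existing installations keep accepting any authenticated user that holds at least one role, and nothing in this commit documents the option or that default. A comment next to the added line would make the opt-in nature explicit, e.g. `// Optional: when set, only users holding this role may open an SSH session; unset keeps the old "any role" behaviour`. Unless it is added elsewhere, the option should also be described in the shell configuration file and the user manual so operators hardening the console know it exists. The enclosing method starts and ends outside this hunk.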
@@ -173,7 +174,7 @@ public class Activator extends BaseActivator implements ManagedService {
             keyPairProvider.setAlgorithm(algorithm);
         }
 
-        KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm);
+        KarafJaasAuthenticator authenticator = new KarafJaasAuthenticator(sshRealm, sshRole);
         UserAuthFactoriesFactory authFactoriesFactory = new UserAuthFactoriesFactory();
         authFactoriesFactory.setAuthMethods(authMethods);
 
http://git-wip-us.apache.org/repos/asf/karaf/blob/001017f1/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index 8bb10bc..a968357 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -46,12 +46,14 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
     private final Logger LOGGER = LoggerFactory.getLogger(KarafJaasAuthenticator.class);
 
     private String realm;
+    private String role;
 
     public KarafJaasAuthenticator() {
     }
 
-    public KarafJaasAuthenticator(String realm) {
+    public KarafJaasAuthenticator(String realm, String role) {
         this.realm = realm;
+        this.role = role;
     }
 
     public String getRealm() {
@@ -117,9 +119,13 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
             });
             loginContext.login();
 
+            boolean hasCorrectRole = role == null || role.isEmpty();
             int roleCount = 0;
             for (Principal principal : subject.getPrincipals()) {
                 if (principal instanceof RolePrincipal) {
+                    if (!hasCorrectRole) {
+                        hasCorrectRole = role.equals(principal.getName());
+                    }
                     roleCount++;
                 }
             }
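Review bot: In the `@@ -117,9 +119,13 @@` hunk the required role is matched with an exact `role.equals(principal.getName())`, so a configured value that differs only by surrounding whitespace or case would reject every SSH login, and nothing on the new side normalises the value; unless `getString` in the Activator already trims it, initialising once with `String required = role == null ? null : role.trim();` and comparing against that would avoid a hard-to-diagnose lockout. The initial `hasCorrectRole = role == null || role.isEmpty()` deserves a comment because it is the security-relevant default: `// No role configured: any authenticated user with at least one RolePrincipal is accepted (previous behaviour)`. The existing `roleCount == 0` rejection still runs first, so the new check only narrows access and never widens it. The new `role` field in the earlier hunk of this file would also benefit from a one-line comment stating that null or empty disables the check. The enclosing authenticate method starts and ends outside these hunks.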
@@ -127,6 +133,9 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
             if (roleCount == 0) {
                 throw new FailedLoginException("User doesn't have role defined");
             }
+            if (!hasCorrectRole) {
+                throw new FailedLoginException("User doesn't have the required role " + role);
+            }
             session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject);
             return true;
