This is an automated email from the ASF dual-hosted git repository. gnodet pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/karaf.git
commit 3d57887b58745018808e2c2f67192201a8d0ef7d
Author: Guillaume Nodet <[email protected]>
AuthorDate: Thu Nov 9 17:58:27 2017 +0100
[KARAF-5475] Add a ClientPrincipal containing the connection method / remote ip
---
.../karaf/jaas/boot/principal/ClientPrincipal.java | 54 ++++++++++++++++++++++
.../apache/karaf/management/JaasAuthenticator.java | 7 +++
.../impl/console/osgi/LocalConsoleManager.java | 2 +
.../karaf/shell/ssh/KarafJaasAuthenticator.java | 2 +
.../internal/servlet/JaasSecurityProvider.java | 9 ++--
5 files changed, 71 insertions(+), 3 deletions(-)
diff --git a/jaas/boot/src/main/java/org/apache/karaf/jaas/boot/principal/ClientPrincipal.java b/jaas/boot/src/main/java/org/apache/karaf/jaas/boot/principal/ClientPrincipal.java
new file mode 100644
index 0000000..e76aec1
--- /dev/null
+++ b/jaas/boot/src/main/java/org/apache/karaf/jaas/boot/principal/ClientPrincipal.java
@@ -0,0 +1,54 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * under the License.
+ */
+package org.apache.karaf.jaas.boot.principal;
+
+import java.io.Serializable;
+import java.security.Principal;
+import java.util.Objects;
+
+public class ClientPrincipal implements Principal, Serializable {
+
+ private final String method;
+ private final String address;
+
+ public ClientPrincipal(String method, String address) {
+ this.method = method;
+ this.address = address;
+ }
+
+ @Override
+ public String getName() {
+ return method + "(" + address + ")";
+ }
+
+ public String getMethod() {
+ return method;
+ }
+
+ public String getAddress() {
+ return address;
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(getName());
+ }
+
+ @Override
+ public String toString() {
+ return "ClientPrincipal[" + getName() + "]";
+ }
+
+}
diff --git a/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java b/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
index 457d127..1dbab70 100644
--- a/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
+++ b/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
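Review bot: `ClientPrincipal` overrides `hashCode()` but not `equals()`, so two principals with the same method and address hash alike yet compare by identity; `Subject.getPrincipals()` is a `Set`, and any consumer that looks a ClientPrincipal up by value will miss it. Add an `equals` over `method` and `address` and hash the same two fields instead of the formatted name. The class is `Serializable` with no `serialVersionUID`, and nothing rejects a null `method` or `address`, which `getName()` renders as `null(null)`; `Objects.requireNonNull` in the constructor would make the contract explicit. The method names used by the other files in this commit (`"jmx"`, `"local"`, `"ssh"`, `"webconsole"`) are free-form literals, so a login module that branches on the connection method has no shared constant to compare against; string constants on this class would fix that. The license header also repeats `under the License.`.
```java
    // … unchanged: fields, constructor, getName/getMethod/getAddress …

    @Override
    public boolean equals(Object o) {
        if (this == o) {
            return true;
        }
        if (!(o instanceof ClientPrincipal)) {
            return false;
        }
        ClientPrincipal other = (ClientPrincipal) o;
        return Objects.equals(method, other.method) && Objects.equals(address, other.address);
    }

    @Override
    public int hashCode() {
        return Objects.hash(method, address);
    }

    // … unchanged: toString …
```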
@@ -16,8 +16,10 @@
 */
 package org.apache.karaf.management;
+import org.apache.karaf.jaas.boot.principal.ClientPrincipal;
 import org.apache.karaf.jaas.boot.principal.RolePrincipal;
+import java.rmi.server.RemoteServer;
 import java.security.Principal;
 import javax.management.remote.JMXAuthenticator;
@@ -53,6 +55,11 @@ public class JaasAuthenticator implements JMXAuthenticator {
 }
 try {
 Subject subject = new Subject();
+ try {
+ subject.getPrincipals().add(new ClientPrincipal("jmx", RemoteServer.getClientHost()));
+ } catch (Throwable t) {
+ // Ignore
+ }
 LoginContext loginContext = new LoginContext(realm, subject, callbacks -> {
 for (int i = 0; i < callbacks.length; i++) {
 if (callbacks[i] instanceof NameCallback) {
diff --git a/shell/core/src/main/java/org/apache/karaf/shell/impl/console/osgi/LocalConsoleManager.java b/shell/core/src/main/java/org/apache/karaf/shell/impl/console/osgi/LocalConsoleManager.java
index 1bd3f20..e31d606 100644
--- a/shell/core/src/main/java/org/apache/karaf/shell/impl/console/osgi/LocalConsoleManager.java
+++ b/shell/core/src/main/java/org/apache/karaf/shell/impl/console/osgi/LocalConsoleManager.java
@@ -24,6 +24,7 @@ import java.security.PrivilegedAction;
 import javax.security.auth.Subject;
+import org.apache.karaf.jaas.boot.principal.ClientPrincipal;
 import org.apache.karaf.jaas.boot.principal.RolePrincipal;
 import org.apache.karaf.jaas.boot.principal.UserPrincipal;
 import org.apache.karaf.shell.api.console.Session;
@@ -134,6 +135,7 @@ public class LocalConsoleManager {
 final Subject subject = new Subject();
 subject.getPrincipals().add(new UserPrincipal(userName));
+ subject.getPrincipals().add(new ClientPrincipal("local", "localhost"));
 String roles = System.getProperty(KARAF_LOCAL_ROLES, KARAF_LOCAL_ROLES_DEFAULT);
 if (roles != null) {
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index 3ab370d..8d4f88c 100644
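Review bot: The `catch (Throwable t)` around `RemoteServer.getClientHost()` in the `@@ -53,6 +55,11 @@` hunk swallows every failure, including JVM errors, and leaves no trace that the client principal was dropped. The only failure that call declares is `ServerNotActiveException` (raised when the authenticator is not running inside an RMI dispatch), so catch that type and give the subject an explicit unknown-address principal instead of none, so login modules see the same shape on every path: `} catch (ServerNotActiveException e) { subject.getPrincipals().add(new ClientPrincipal("jmx", "?")); }`. Note also that `getClientHost()` yields a bare host, whereas the ssh path stores `SocketAddress.toString()` and the web console builds `host:port`, so `ClientPrincipal.getAddress()` ends up carrying three different formats; settling on one (for example literal IP plus port) before it is consumed anywhere would avoid parsing surprises later. The enclosing method continues outside the hunk.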
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -30,6 +30,7 @@ import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.login.FailedLoginException;
 import javax.security.auth.login.LoginContext;
+import org.apache.karaf.jaas.boot.principal.ClientPrincipal;
 import org.apache.karaf.jaas.boot.principal.RolePrincipal;
 import org.apache.karaf.jaas.modules.publickey.PublickeyCallback;
 import org.apache.sshd.common.session.Session;
@@ -85,6 +86,7 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
 private boolean doLogin(final ServerSession session, CallbackHandler callbackHandler) {
 try {
 Subject subject = new Subject();
+ subject.getPrincipals().add(new ClientPrincipal("ssh", session.getClientAddress().toString()));
 LoginContext loginContext = new LoginContext(realm, subject, callbackHandler);
 loginContext.login();
 assertRolePresent(subject);
diff --git a/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java b/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
index fd2cc9d..5676a90 100644
--- a/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
+++ b/webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
@@ -36,6 +36,7 @@ import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 import org.apache.felix.webconsole.WebConsoleSecurityProvider2;
+import org.apache.karaf.jaas.boot.principal.ClientPrincipal;
 import org.osgi.service.cm.ManagedService;
 import org.osgi.service.http.HttpContext;
 import org.slf4j.Logger;
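Review bot: `session.getClientAddress().toString()` in the `doLogin` hunk stores whatever `SocketAddress.toString()` happens to produce — for an `InetSocketAddress` that is `hostname/ip:port` or `/ip:port` — rather than a defined format, and it differs from the bare host the JMX authenticator records and the `host:port` string the web console builds, so every reader of `ClientPrincipal.getAddress()` has to cope with three shapes. Formatting explicitly keeps the value stable and avoids any name lookup: `SocketAddress sa = session.getClientAddress();` / `String address = sa instanceof InetSocketAddress ? ((InetSocketAddress) sa).getHostString() + ":" + ((InetSocketAddress) sa).getPort() : String.valueOf(sa);` (this needs `java.net.InetSocketAddress` and `java.net.SocketAddress` imported). `String.valueOf` also means a null client address would not throw before the `LoginContext` is built; whether `getClientAddress()` can be null here is not visible in the hunk. The try block's handlers lie outside the hunk.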
@@ -77,7 +78,7 @@ public class JaasSecurityProvider implements WebConsoleSecurityProvider2, Manage
 @Override
 public Object authenticate(final String username, final String password) {
- return doAuthenticate( username, password );
+ return doAuthenticate( "?", username, password );
 }
 @Override
@@ -100,9 +101,10 @@ public class JaasSecurityProvider implements WebConsoleSecurityProvider2, Manage
 return def;
 }
- public Subject doAuthenticate(final String username, final String password) {
+ public Subject doAuthenticate(final String address, final String username, final String password) {
 try {
 Subject subject = new Subject();
+ subject.getPrincipals().add(new ClientPrincipal("webconsole", address));
 LoginContext loginContext = new LoginContext(realm, subject, callbacks -> {
 for (Callback callback : callbacks) {
 if (callback instanceof NameCallback) {
@@ -195,7 +197,8 @@ public class JaasSecurityProvider implements WebConsoleSecurityProvider2, Manage
 }
 if ( subject == null ) {
- subject = doAuthenticate(username, password);
+ String addr = request.getRemoteHost() + ":" + request.getRemotePort();
+ subject = doAuthenticate( addr, username, password );
 }
 if ( subject != null ) {
--
To stop receiving notification emails like this one, please contact "[email protected]" <[email protected]>.
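Review bot: `doAuthenticate` is public and the `@@ -100,9 +101,10 @@` hunk changes its signature in place by prepending an `address` parameter, so any external caller of `doAuthenticate(String, String)` breaks at link time. Keeping the old form as a delegating overload, `public Subject doAuthenticate(final String username, final String password) { return doAuthenticate("?", username, password); }`, preserves compatibility and lets the `authenticate(...)` caller in the `@@ -77,7 +78,7 @@` hunk stay as it was. The `"?"` placeholder for an unknown client address is a magic literal; a named constant next to `ClientPrincipal` would let login modules recognise it without guessing. The body of `doAuthenticate` continues past the hunk.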
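Review bot: `request.getRemoteHost()` in the `@@ -195,7 +197,8 @@` hunk may trigger a reverse DNS lookup on every login attempt and returns a name derived from the client's PTR record, which is outside the server's control; for an identity attribute that login modules may log or act on, the lookup-free and stable value is the literal address: `String addr = request.getRemoteAddr() + ":" + request.getRemotePort();`. If the web console is deployed behind a reverse proxy this is the proxy's address rather than the end client's, which deserves a one-line comment at the call site so nobody treats it as authoritative. The surrounding method starts and ends outside the hunk.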
