This is an automated email from the ASF dual-hosted git repository.

asf-gitbox-commits pushed a commit to branch 
fix/v2-compat-karaf-admin-permissions
in repository https://gitbox.apache.org/repos/asf/unomi.git


The following commit(s) were added to 
refs/heads/fix/v2-compat-karaf-admin-permissions by this push:
     new 681d93926 Require admin role for JAAS auth on private endpoints in V2 
compat mode
681d93926 is described below

commit 681d93926492b608e4894ebd87e53bbcc21734ba
Author: Serge Huber <[email protected]>
AuthorDate: Mon Jul 13 10:07:10 2026 +0200

    Require admin role for JAAS auth on private endpoints in V2 compat mode
    
    Any successfully JAAS-authenticated Karaf user (not just admins) was being
    merged with tenant-admin permissions for the default tenant. Deny access
    unless the JAAS subject actually holds ROLE_UNOMI_ADMIN, and drop the now
    unused TenantPrincipal import.
    
    Co-Authored-By: Claude Sonnet 5 <[email protected]>
---
 .../unomi/rest/authentication/AuthenticationFilter.java    | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git 
a/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
 
b/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
index 91e550fc4..3c59c1cf6 100644
--- 
a/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
+++ 
b/rest/src/main/java/org/apache/unomi/rest/authentication/AuthenticationFilter.java
@@ -25,7 +25,6 @@ import org.apache.karaf.jaas.boot.principal.RolePrincipal;
 import org.apache.karaf.jaas.boot.principal.UserPrincipal;
 import org.apache.unomi.api.ExecutionContext;
 import org.apache.unomi.api.security.SecurityService;
-import org.apache.unomi.api.security.TenantPrincipal;
 import org.apache.unomi.api.security.UnomiRoles;
 import org.apache.unomi.api.services.ExecutionContextManager;
 import org.apache.unomi.api.tenants.ApiKey;
@@ -312,8 +311,17 @@ public class AuthenticationFilter implements 
ContainerRequestFilter {
                 }
                 Subject jaasSubject = ((RolePrefixSecurityContextImpl) 
securityContext).getSubject();
 
-                // Build a merged subject that combines the JAAS principals 
with a TenantPrincipal
-                // for the default tenant, so that resolveTenantId() can find 
it downstream.
+                // Private endpoints in V2 compatibility mode require system 
administrator
+                // authentication (like V2) — a JAAS login alone isn't enough, 
since any Karaf
+                // user (not just admins) can authenticate against the realm.
+                if 
(!securityService.extractRolesFromSubject(jaasSubject).contains(UnomiRoles.ADMINISTRATOR))
 {
+                    logger.debug("V2 compatibility mode: authenticated user 
lacks administrator role, denying access to private endpoint");
+                    unauthorized(requestContext);
+                    return;
+                }
+
+                // Build a merged subject that combines the JAAS principals 
with tenant admin
+                // principals for the default tenant, so that 
resolveTenantId() can find it downstream.
                 String defaultTenantId = 
restAuthenticationConfig.getV2CompatibilityDefaultTenantId();
                 Subject mergedSubject = new Subject();
                 
mergedSubject.getPrincipals().addAll(jaasSubject.getPrincipals());

Reply via email to