jbertram commented on code in PR #5518: URL: https://github.com/apache/activemq-artemis/pull/5518#discussion_r1972832745
########## artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java: ########## 
@@ -258,6 +263,27 @@ public String authenticate(final String user, return null; } + /* + * Verify that the Subject (if not null) contains at least one instance of the expected java.security.Principal + * implementation. This check is done before any caching because a failure here is considered an infrastructure + * failure and not something which should be cached as opposed to a "normal" authentication failure (e.g. wrong + * password) which should be cached. + */ + private boolean validateExpectedUserPrincipal(Subject subject) throws ClassNotFoundException { + if (subject != null) { + Class expectedPrincipal = UserPrincipal.class; + if (securityManager instanceof ActiveMQJAASSecurityManager jaasManager) { + expectedPrincipal = Class.forName(jaasManager.getUserPrincipalClass()); + } + + if (subject.getPrincipals(expectedPrincipal).size() == 0) {

Review Comment: This is the way it's been since the JAAS security manager was first implemented way back in Artemis 1.2. We just haven't done this check until now, and we're only doing it because a user complained about it. Technically it would be possible to use the very generic `java.security.Principal` but then we wouldn't be able to distinguish between users and roles in the `Subject`. In any case, that change is beyond the scope of this PR.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: gitbox-unsubscr...@activemq.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
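Review bot: `Class expectedPrincipal = UserPrincipal.class;` in `validateExpectedUserPrincipal` is a raw `Class`, while `Subject.getPrincipals(Class<T>)` is bounded to `T extends Principal`; declaring it as `Class<? extends Principal>` and loading the configured name with `Class.forName(jaasManager.getUserPrincipalClass()).asSubclass(Principal.class)` makes a misconfigured user principal class that is not a `Principal` fail with a clear `ClassCastException` instead of compiling with an unchecked warning and then yielding an empty principal set, which this method would report as an infrastructure failure with no hint about the real cause. Two smaller points in the same hunk: `Class.forName(String)` resolves against the defining class loader of `SecurityStoreImpl`, so a user principal class shipped outside the broker's own classpath may not be visible (worth either documenting or resolving the class once at startup rather than on every authentication), and `subject.getPrincipals(expectedPrincipal).size() == 0` reads more idiomatically as `.isEmpty()`.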