[ https://issues.apache.org/jira/browse/ARTEMIS-4263?focusedWorklogId=860133&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-860133 ]
ASF GitHub Bot logged work on ARTEMIS-4263: ------------------------------------------- Author: ASF GitHub Bot Created on: 02/May/23 16:08 Start Date: 02/May/23 16:08 Worklog Time Spent: 10m Work Description: gtully commented on code in PR #4458: URL: https://github.com/apache/activemq-artemis/pull/4458#discussion_r1182758196 ########## artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/HttpServerAuthenticator.java: ########## @@ -0,0 +1,130 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> Review Comment: sorted. thanks! ########## artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/HttpServerAuthenticator.java: ########## @@ -0,0 +1,130 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.activemq.artemis.spi.core.security.jaas; + +import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.LoginContext; + +import java.nio.charset.StandardCharsets; +import java.security.Principal; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Base64; +import java.util.StringTokenizer; + +import com.sun.net.httpserver.Authenticator; +import com.sun.net.httpserver.HttpExchange; +import com.sun.net.httpserver.HttpPrincipal; +import com.sun.net.httpserver.HttpsExchange; + +/** + * delegate to our JAAS login modules by adapting our handlers to httpserver.httpExchange + */ +public class HttpServerAuthenticator extends Authenticator { + + static final String REALM_PROPERTY_NAME = "httpServerAuthenticator.realm"; + static final String REQUEST_SUBJECT_ATTRIBUTE_PROPERTY_NAME = "httpServerAuthenticator.requestSubjectAttribute"; + static String DEFAULT_SUBJECT_ATTRIBUTE = "org.apache.activemq.artemis.jaasSubject"; + static final String DEFAULT_REALM = "http_server_authenticator"; + static final String AUTHORIZATION_HEADER_NAME = "Authorization"; + + final String realm = System.getProperty(REALM_PROPERTY_NAME, DEFAULT_REALM); + final String subjectRequestAttribute = System.getProperty(REQUEST_SUBJECT_ATTRIBUTE_PROPERTY_NAME, DEFAULT_SUBJECT_ATTRIBUTE); + + @Override + public Result authenticate(HttpExchange httpExchange) { + + try { + LoginContext loginContext = new LoginContext(realm, callbacks -> { + for (Callback callback : callbacks) { + if (callback instanceof PasswordCallback) { + PasswordCallback passwordCallback = (PasswordCallback) callback; + + StringTokenizer stringTokenizer = new StringTokenizer(extractAuthHeader(httpExchange)); + String method = stringTokenizer.nextToken(); + if ("Basic".equalsIgnoreCase(method)) { + byte[] authHeaderBytes = Base64.getDecoder().decode(stringTokenizer.nextToken()); + + // :pass + byte[] password = Arrays.copyOfRange(authHeaderBytes, Arrays.binarySearch(authHeaderBytes, (byte) ':') + 1, authHeaderBytes.length); + passwordCallback.setPassword(new String(password, StandardCharsets.UTF_8).toCharArray()); + } else if ("Bearer".equalsIgnoreCase(method)) { + passwordCallback.setPassword(stringTokenizer.nextToken().toCharArray()); + } + } else if (callback instanceof NameCallback) { + NameCallback nameCallback = (NameCallback) callback; + + StringTokenizer stringTokenizer = new StringTokenizer(extractAuthHeader(httpExchange)); + String method = stringTokenizer.nextToken(); + if ("Basic".equalsIgnoreCase(method)) { + byte[] authHeaderBytes = Base64.getDecoder().decode(stringTokenizer.nextToken()); + + // user: + byte[] user = Arrays.copyOfRange(authHeaderBytes, 0, Arrays.binarySearch(authHeaderBytes, (byte) ':')); + nameCallback.setName(new String(user)); Review Comment: indeed, sorted Issue Time Tracking ------------------- Worklog Id: (was: 860133) Time Spent: 2h 10m (was: 2h) > support access to our JaasCallbackhandler from a jdk http Authenticator > ----------------------------------------------------------------------- > > Key: ARTEMIS-4263 > URL: https://issues.apache.org/jira/browse/ARTEMIS-4263 > Project: ActiveMQ Artemis > Issue Type: Improvement > Components: JAAS > Affects Versions: 2.28.0 > Reporter: Gary Tully > Assignee: Gary Tully > Priority: Major > Time Spent: 2h 10m > Remaining Estimate: 0h > > To allow the jolokia jvm agent to utilise jaas with our callback handler, it > is necessary to provide a wrapper that is aware of the capabilities of the > various artemis login modules and provide the necessary callback > implementation > httpserver supports an extension point in the form of a > {{com.sun.net.httpserver.Authenticator}} that we can use. the jolokia jvm > agent has an authenticator that does jaas but is limited to plain > credentials. We can plug in a similar Artemis jaas delegating authenticator > and do proper rbac when the jolokia jvm agent is in play. > This will allow us to reduce the surface are that we expose to support > jolokia, avoiding the need for jetty. > > -- This message was sent by Atlassian Jira (v8.20.10#820010)