[ 
https://issues.apache.org/jira/browse/ARTEMIS-4263?focusedWorklogId=860133&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-860133
 ]

ASF GitHub Bot logged work on ARTEMIS-4263:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 02/May/23 16:08
            Start Date: 02/May/23 16:08
    Worklog Time Spent: 10m 
      Work Description: gtully commented on code in PR #4458:
URL: https://github.com/apache/activemq-artemis/pull/4458#discussion_r1182758196


##########
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/HttpServerAuthenticator.java:
##########
@@ -0,0 +1,130 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
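Review bot: the `* <p>` lines in the license header of HttpServerAuthenticator.java are an IDE template artifact; the standard ASF header uses a bare ` *` line in those two positions. Drop the `<p>` so the header matches the project's other source files.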

Review Comment:
   sorted. thanks!



##########
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/HttpServerAuthenticator.java:
##########
@@ -0,0 +1,130 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.activemq.artemis.spi.core.security.jaas;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginContext;
+
+import java.nio.charset.StandardCharsets;
+import java.security.Principal;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.StringTokenizer;
+
+import com.sun.net.httpserver.Authenticator;
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpPrincipal;
+import com.sun.net.httpserver.HttpsExchange;
+
+/**
+ * delegate to our JAAS login modules by adapting our handlers to 
httpserver.httpExchange
+ */
+public class HttpServerAuthenticator extends Authenticator {
+
+   static final String REALM_PROPERTY_NAME = "httpServerAuthenticator.realm";
+   static final String REQUEST_SUBJECT_ATTRIBUTE_PROPERTY_NAME = 
"httpServerAuthenticator.requestSubjectAttribute";
+   static String DEFAULT_SUBJECT_ATTRIBUTE = 
"org.apache.activemq.artemis.jaasSubject";
+   static final String DEFAULT_REALM = "http_server_authenticator";
+   static final String AUTHORIZATION_HEADER_NAME = "Authorization";
+
+   final String realm = System.getProperty(REALM_PROPERTY_NAME, DEFAULT_REALM);
+   final String subjectRequestAttribute = 
System.getProperty(REQUEST_SUBJECT_ATTRIBUTE_PROPERTY_NAME, 
DEFAULT_SUBJECT_ATTRIBUTE);
+
+   @Override
+   public Result authenticate(HttpExchange httpExchange) {
+
+      try {
+         LoginContext loginContext = new LoginContext(realm, callbacks -> {
+            for (Callback callback : callbacks) {
+               if (callback instanceof PasswordCallback) {
+                  PasswordCallback passwordCallback = (PasswordCallback) 
callback;
+
+                  StringTokenizer stringTokenizer = new 
StringTokenizer(extractAuthHeader(httpExchange));
+                  String method = stringTokenizer.nextToken();
+                  if ("Basic".equalsIgnoreCase(method)) {
+                     byte[] authHeaderBytes = 
Base64.getDecoder().decode(stringTokenizer.nextToken());
+
+                     // :pass
+                     byte[] password = Arrays.copyOfRange(authHeaderBytes, 
Arrays.binarySearch(authHeaderBytes, (byte) ':') + 1, authHeaderBytes.length);
+                     passwordCallback.setPassword(new String(password, 
StandardCharsets.UTF_8).toCharArray());
+                  } else if ("Bearer".equalsIgnoreCase(method)) {
+                     
passwordCallback.setPassword(stringTokenizer.nextToken().toCharArray());
+                  }
+               } else if (callback instanceof NameCallback) {
+                  NameCallback nameCallback = (NameCallback) callback;
+
+                  StringTokenizer stringTokenizer = new 
StringTokenizer(extractAuthHeader(httpExchange));
+                  String method = stringTokenizer.nextToken();
+                  if ("Basic".equalsIgnoreCase(method)) {
+                     byte[] authHeaderBytes = 
Base64.getDecoder().decode(stringTokenizer.nextToken());
+
+                     // user:
+                     byte[] user = Arrays.copyOfRange(authHeaderBytes, 0, 
Arrays.binarySearch(authHeaderBytes, (byte) ':'));
+                     nameCallback.setName(new String(user));
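Review bot: `Arrays.binarySearch(authHeaderBytes, (byte) ':')`, used in both the PasswordCallback branch (`// :pass`) and the NameCallback branch (`// user:`), requires a sorted array, and the Base64-decoded `user:pass` bytes are not sorted, so the index it returns is unspecified: the split can land on the wrong byte, or the result can be negative and make `Arrays.copyOfRange` throw `IllegalArgumentException`. Replace it with a linear scan for the first `':'` (a Basic user-id may not contain a colon, but a password may, so stop at the first match), and decode the header once and share the result between the two callbacks instead of tokenizing and decoding it separately for each. Two smaller points in the same region: the username is built with `new String(user)` (platform default charset) while the password uses `StandardCharsets.UTF_8`, so use UTF-8 for both; and `stringTokenizer.nextToken()` throws `NoSuchElementException` on an empty or single-token Authorization value (for example a bare `Basic`), which escapes the callback handler as an unchecked exception instead of a clean login failure, so guard each call with `hasMoreTokens()`.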

Review Comment:
   indeed, sorted





Issue Time Tracking
-------------------

    Worklog Id:     (was: 860133)
    Time Spent: 2h 10m  (was: 2h)

> support access to our JaasCallbackhandler from a jdk http Authenticator
> -----------------------------------------------------------------------
>
>                 Key: ARTEMIS-4263
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4263
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: JAAS
>    Affects Versions: 2.28.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>          Time Spent: 2h 10m
>  Remaining Estimate: 0h
>
> To allow the jolokia jvm agent to utilise jaas with our callback handler, it 
> is necessary to provide a wrapper that is aware of the capabilities of the 
> various artemis login modules and provides the necessary callback 
> implementation.
> httpserver supports an extension point in the form of a 
> {{com.sun.net.httpserver.Authenticator}} that we can use. The jolokia jvm 
> agent has an authenticator that does jaas but is limited to plain 
> credentials. We can plug in a similar Artemis jaas delegating authenticator 
> and do proper rbac when the jolokia jvm agent is in play.
> This will allow us to reduce the surface area that we expose to support 
> jolokia, avoiding the need for jetty.
>  
>  
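The pluggable Authenticator the issue describes, as an added example. This is not Artemis code and not the PR's HttpServerAuthenticator: the class name JaasDelegatingAuthenticator, the realm name "example_realm" and the request attribute name "example.jaasSubject" are made up for the example, and the realm is assumed to exist in the JAAS configuration (java.security.auth.login.config) with login modules that consume NameCallback and PasswordCallback (a Bearer token is passed through the PasswordCallback with an empty name, which is an assumption about how the token-aware login module wants it). It parses Basic credentials with a linear scan for the first ':' rather than a binary search, challenges the client with a 401 plus WWW-Authenticate when no usable Authorization header is present, and attaches the authenticated Subject to the exchange so a downstream handler can do RBAC against its principals.

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Arrays;
import java.util.Base64;

import com.sun.net.httpserver.Authenticator;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpPrincipal;

/** Added example: delegate com.sun.net.httpserver authentication to a JAAS realm. */
public class JaasDelegatingAuthenticator extends Authenticator {

   // Assumed attribute name; downstream handlers read the Subject from here for RBAC.
   static final String SUBJECT_ATTRIBUTE = "example.jaasSubject";

   private final String realm; // JAAS login configuration entry name, e.g. "example_realm" (assumed)

   public JaasDelegatingAuthenticator(String realm) {
      this.realm = realm;
   }

   /** Parsed credentials. For Bearer the token travels as the password and the name is empty. */
   static final class Credentials {
      final String name;
      final char[] password;
      Credentials(String name, char[] password) { this.name = name; this.password = password; }
   }

   /** Parse an Authorization header value; null when the header is absent or malformed. */
   static Credentials parse(String header) {
      if (header == null) return null;
      String[] parts = header.trim().split("\\s+", 2);   // "<scheme> <credential>"
      if (parts.length != 2) return null;
      if ("Basic".equalsIgnoreCase(parts[0])) {
         byte[] decoded;
         try {
            decoded = Base64.getDecoder().decode(parts[1]);
         } catch (IllegalArgumentException e) {
            return null;                                   // not valid Base64
         }
         // Linear scan for the first ':' (the decoded bytes are not sorted, so no binarySearch).
         // The user-id may not contain ':' but the password may, so only the first one splits.
         int sep = -1;
         for (int i = 0; i < decoded.length; i++) {
            if (decoded[i] == (byte) ':') { sep = i; break; }
         }
         if (sep < 0) return null;
         String name = new String(decoded, 0, sep, StandardCharsets.UTF_8);
         String pass = new String(decoded, sep + 1, decoded.length - sep - 1, StandardCharsets.UTF_8);
         return new Credentials(name, pass.toCharArray());
      }
      if ("Bearer".equalsIgnoreCase(parts[0])) {
         return new Credentials("", parts[1].toCharArray());
      }
      return null;                                          // unsupported scheme
   }

   @Override
   public Result authenticate(HttpExchange exchange) {
      Credentials creds = parse(exchange.getRequestHeaders().getFirst("Authorization"));
      if (creds == null) {
         // No usable credentials: challenge instead of running a login that cannot succeed.
         exchange.getResponseHeaders().set("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
         return new Authenticator.Retry(401);
      }
      // Hand the parsed credentials to whatever callbacks the realm's login modules ask for.
      CallbackHandler handler = callbacks -> {
         for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
               ((NameCallback) cb).setName(creds.name);
            } else if (cb instanceof PasswordCallback) {
               ((PasswordCallback) cb).setPassword(creds.password); // PasswordCallback clones the array
            } else {
               throw new UnsupportedCallbackException(cb);
            }
         }
      };
      try {
         LoginContext lc = new LoginContext(realm, handler);
         lc.login();
         Subject subject = lc.getSubject();
         exchange.setAttribute(SUBJECT_ATTRIBUTE, subject);
         // For a Bearer token the header carried no name; take it from the first principal.
         String name = creds.name;
         if (name.isEmpty()) {
            for (Principal p : subject.getPrincipals()) { name = p.getName(); break; }
         }
         return new Authenticator.Success(new HttpPrincipal(name, realm));
      } catch (LoginException e) {
         return new Authenticator.Failure(401);
      } finally {
         Arrays.fill(creds.password, '\0');                 // do not keep the secret around
      }
   }
}
```

Install it on the server context with `context.setAuthenticator(new JaasDelegatingAuthenticator("example_realm"))` and start the JVM with `-Djava.security.auth.login.config=login.config` so the realm resolves. The Retry result returns 401 with the challenge header without invoking the handler, so unauthenticated probes never reach the JAAS modules, and the Subject stored on the exchange is what an RBAC check in the handler should consult rather than the HttpPrincipal, which only carries the name.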



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
