[
https://issues.apache.org/jira/browse/ARTEMIS-5310?focusedWorklogId=959097&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-959097
]
ASF GitHub Bot logged work on ARTEMIS-5310:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 27/Feb/25 03:19
Start Date: 27/Feb/25 03:19
Worklog Time Spent: 10m
Work Description: clebertsuconic commented on code in PR #5518:
URL: https://github.com/apache/activemq-artemis/pull/5518#discussion_r1972764182
##########
artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java:
##########
@@ -258,6 +263,27 @@ public String authenticate(final String user,
return null;
}
+ /*
+ * Verify that the Subject (if not null) contains at least one instance of
the expected java.security.Principal
+ * implementation. This check is done before any caching because a failure
here is considered an infrastructure
+ * failure and not something which should be cached as opposed to a
"normal" authentication failure (e.g. wrong
+ * password) which should be cached.
+ */
+ private boolean validateExpectedUserPrincipal(Subject subject) throws
ClassNotFoundException {
+ if (subject != null) {
+ Class expectedPrincipal = UserPrincipal.class;
+ if (securityManager instanceof ActiveMQJAASSecurityManager
jaasManager) {
+ expectedPrincipal =
Class.forName(jaasManager.getUserPrincipalClass());
+ }
+
+ if (subject.getPrincipals(expectedPrincipal).size() == 0) {
Review Comment:
that's very specific for the implemention.. isn't?
Isn't there a way to make this more generic?
Issue Time Tracking
-------------------
Worklog Id: (was: 959097)
Time Spent: 20m (was: 10m)
> Check class of Principals in Subject
> ------------------------------------
>
> Key: ARTEMIS-5310
> URL: https://issues.apache.org/jira/browse/ARTEMIS-5310
> Project: ActiveMQ Artemis
> Issue Type: Dependency upgrade
> Reporter: Justin Bertram
> Assignee: Justin Bertram
> Priority: Major
> Labels: pull-request-available
> Time Spent: 20m
> Remaining Estimate: 0h
>
> It's possible that a user is properly authenticated and their valid
> {{Subject}} cached but then fail to be granted access due to the
> {{LoginModule}} implementation returning an unexpected {{Principal}}
> implementation. Furthermore, upon retry the user will be granted access due
> to the cached {{Subject}} which is confusing.
> This can be resolved by checking the {{Subject}} for the expected content.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
