[
https://issues.apache.org/jira/browse/ARTEMIS-5310?focusedWorklogId=959099&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-959099
]
ASF GitHub Bot logged work on ARTEMIS-5310:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 27/Feb/25 04:18
Start Date: 27/Feb/25 04:18
Worklog Time Spent: 10m
Work Description: jbertram commented on code in PR #5518:
URL: https://github.com/apache/activemq-artemis/pull/5518#discussion_r1972832745
##########
artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java:
##########
@@ -258,6 +263,27 @@ public String authenticate(final String user,
return null;
}
+ /*
+ * Verify that the Subject (if not null) contains at least one instance of
the expected java.security.Principal
+ * implementation. This check is done before any caching because a failure
here is considered an infrastructure
+ * failure and not something which should be cached as opposed to a
"normal" authentication failure (e.g. wrong
+ * password) which should be cached.
+ */
+ private boolean validateExpectedUserPrincipal(Subject subject) throws
ClassNotFoundException {
+ if (subject != null) {
+ Class expectedPrincipal = UserPrincipal.class;
+ if (securityManager instanceof ActiveMQJAASSecurityManager
jaasManager) {
+ expectedPrincipal =
Class.forName(jaasManager.getUserPrincipalClass());
+ }
+
+ if (subject.getPrincipals(expectedPrincipal).size() == 0) {
Review Comment:
This is the way it's been since the JAAS security manager was first
implemented way back in Artemis 1.2. We just haven't done this check until now,
and we're only doing it because a user complained about it.
Technically it would be possible to use the very generic
`java.security.Principal` but then we wouldn't be able to distinguish from
users and roles in the `Subject`. In any case, that change is beyond the scope
of this PR.
Issue Time Tracking
-------------------
Worklog Id: (was: 959099)
Time Spent: 0.5h (was: 20m)
> Check class of Principals in Subject
> ------------------------------------
>
> Key: ARTEMIS-5310
> URL: https://issues.apache.org/jira/browse/ARTEMIS-5310
> Project: ActiveMQ Artemis
> Issue Type: Dependency upgrade
> Reporter: Justin Bertram
> Assignee: Justin Bertram
> Priority: Major
> Labels: pull-request-available
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> It's possible that a user is properly authenticated and their valid
> {{Subject}} cached but then fail to be granted access due to the
> {{LoginModule}} implementation returning an unexpected {{Principal}}
> implementation. Furthermore, upon retry the user will be granted access due
> to the cached {{Subject}} which is confusing.
> This can be resolved by checking the {{Subject}} for the expected content.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
