[
https://issues.apache.org/jira/browse/KARAF-2364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13689888#comment-13689888
]
Freeman Fang commented on KARAF-2364:
-------------------------------------
Hi,
This is a known question and a solution is available.
By default CXF will assume that role Principals are represented by
javax.security.acl.Group instances.
However, in some cases objects representing a user principal and roles implement
the same marker interface, such as Principal; Karaf is in this case.
In this case we can configure the "roleClassifier" & "roleClassifierType" properties
for CXF, which are needed by the CXF SecurityContext in order to differentiate
between user and role Principals.
Just add
<property name="roleClassifier" value="RolePrincipal"/>
<property name="roleClassifierType" value="classname"/>
Take a look at [1] to get more details.
AFAIK, ActiveMQ has a similar mechanism to let you specify the Role class name.
[1] http://cxf.apache.org/docs/security.html
Freeman
> org.apache.karaf.jaas.boot.principal.RolePrincipal class should implement
> Group, not Principal
> ----------------------------------------------------------------------------------------------
>
> Key: KARAF-2364
> URL: https://issues.apache.org/jira/browse/KARAF-2364
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 2.3.1
> Reporter: Scott Tustison
> Assignee: Freeman Fang
>
> When using the Karaf JAAS LDAPLoginModule in combination with Apache CXF (or
> a similar product), there is no way to determine whether the Principal
> obtained from the Subject corresponds to a user or a role (group). CXF
> (org.apache.cxf.interceptor.security.DefaultSecurityContext.findPrincipal())
> will attempt to pull out a Principal which is not a java.security.acl.Group.
> However, since the JAAS login module does not make use of the
> java.security.acl.Group interface for its RolePrincipal, there is no way to
> determine the correct Principal to use. This can end up with Apache CXF
> generating a SAML assertion for a group that belongs to a user instead of the
> user itself, which is obviously invalid.
> If RolePrincipal implemented Group instead of Principal it would fix this
> issue.
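The selection problem described in the issue and the roleClassifier workaround from the comment, as an added Java illustration (not CXF's or Karaf's own code): the UserPrincipal/RolePrincipal classes and the two find methods are constructed stand-ins for the real ones, and java.security.acl.Group needs JDK 13 or earlier because it was removed in JDK 14.

```java
import java.security.Principal;
import java.security.acl.Group;
import javax.security.auth.Subject;

// Constructed stand-ins for Karaf's principals: both implement only Principal,
// not Group, so nothing in the type system tells a caller which one is the role.
final class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}
final class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

public class PrincipalSelection {
    // Naive lookup (hypothetical, mirrors the behaviour the issue describes):
    // the first principal that is not a Group is taken to be the user.
    static Principal firstNonGroup(Subject subject) {
        for (Principal p : subject.getPrincipals()) {
            if (!(p instanceof Group)) return p;
        }
        return null;
    }

    // Lookup with a role classifier of type "classname" (hypothetical helper):
    // a principal whose simple class name equals the classifier is a role and
    // is skipped, so only a genuine user principal can be returned.
    static Principal firstNonRole(Subject subject, String roleClassifier) {
        for (Principal p : subject.getPrincipals()) {
            boolean isRole = p instanceof Group
                || p.getClass().getSimpleName().equals(roleClassifier);
            if (!isRole) return p;
        }
        return null;
    }

    public static void main(String[] args) {
        Subject subject = new Subject();
        // The login module, not CXF, decides the order principals are added in;
        // here the role comes first, so the naive lookup returns it as the "user".
        subject.getPrincipals().add(new RolePrincipal("admin"));
        subject.getPrincipals().add(new UserPrincipal("alice"));
        Principal naive = firstNonGroup(subject);
        Principal classified = firstNonRole(subject, "RolePrincipal");
        System.out.println("naive:      " + naive.getClass().getSimpleName() + " " + naive.getName());
        System.out.println("classified: " + classified.getClass().getSimpleName() + " " + classified.getName());
    }
}
```

The naive lookup prints the RolePrincipal "admin" while the classified one prints the UserPrincipal "alice", which is the assertion subject the issue says CXF should have used.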