[jira] [Commented] (KARAF-7805) Add JAAS Subject to Karaf shell session

Thu, 08 May 2025 08:47:05 -0700 


    [ 
https://issues.apache.org/jira/browse/KARAF-7805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17950319#comment-17950319
 ] 

ASF GitHub Bot commented on KARAF-7805:
---------------------------------------

jbonofre commented on code in PR #1946:
URL: https://github.com/apache/karaf/pull/1946#discussion_r2079990083


##########
shell/ssh/src/main/java/org/apache/karaf/shell/ssh/ShellCommand.java:
##########
@@ -62,7 +62,7 @@ public class ShellCommand implements Command {
     private OutputStream out;
     private OutputStream err;
     private ExitCallback callback;
-    private ServerSession session;
+    private ServerSession serverSession;

Review Comment:
   Why changing the name here ? It's causing noise for nothing (this class is 
not actually chaanged in the PR).



##########
shell/ssh/src/main/java/org/apache/karaf/shell/ssh/ShellFactoryImpl.java:
##########
@@ -108,6 +108,7 @@ public void start(ChannelSession channelSession, 
Environment environment) throws
                 for (Map.Entry<String, String> e : 
environment.getEnv().entrySet()) {
                     shell.put(e.getKey(), e.getValue());
                 }
+                shell.put(Subject.class.getName(), subject);

Review Comment:
   Is it not potentially a security "issue" ? I'm fine adding the `Subject` in 
the session, but wonder if it's very useful.





> Add JAAS Subject to Karaf shell session
> ---------------------------------------
>
>                 Key: KARAF-7805
>                 URL: https://issues.apache.org/jira/browse/KARAF-7805
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf
>            Reporter: Matt Pavlovich
>            Assignee: Jean-Baptiste Onofré
>            Priority: Minor
>
> JDK deprecation (for removal) of SecurityManager is going take 
> AcccessController and AccessControlContext classes with it. 
> We need to stick the JAAS Subject on the Karaf Shell Session to allow 
> commands and other utilities the ability to get the current logged in user.
> karaf/shell/console ShellUtil:
> {noformat}
> AccessControlContext acc = AccessController.getContext();
> final Subject subject = Subject.getSubject(acc);
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to