[jira] [Commented] (KARAF-7805) Add JAAS Subject to Karaf shell session

Thu, 08 May 2025 09:08:30 -0700 


    [ 
https://issues.apache.org/jira/browse/KARAF-7805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17950330#comment-17950330
 ] 

ASF GitHub Bot commented on KARAF-7805:
---------------------------------------

mattrpav commented on code in PR #1946:
URL: https://github.com/apache/karaf/pull/1946#discussion_r2080024456


##########
shell/ssh/src/main/java/org/apache/karaf/shell/ssh/ShellFactoryImpl.java:
##########
@@ -108,6 +108,7 @@ public void start(ChannelSession channelSession, 
Environment environment) throws
                 for (Map.Entry<String, String> e : 
environment.getEnv().entrySet()) {
                     shell.put(e.getKey(), e.getValue());
                 }
+                shell.put(Subject.class.getName(), subject);

Review Comment:
   The JDK is deprecating for _removal_ the AccessController and 
AccessControlContext classes and newer JDK builds are starting to have those 
classes unavailable.
   
   The solution is to start passing around the Subject in-session, so we can 
safely start removing the AccessController references in parts of Karaf.
   
   To ensure any Karaf command or other module using the Subject do not modify 
the contents, the Subject should be created with the readOnly flag set to 
'true'.
   
   Places like here will need to by modified to set the readOnly flag:
   
   ref: 
https://github.com/apache/karaf/blob/a021c6b4c22a0678b82cdf18ae2567e64b8add1c/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java#L87
   
   Deprecation:
   ref: 
https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/AccessController.html





> Add JAAS Subject to Karaf shell session
> ---------------------------------------
>
>                 Key: KARAF-7805
>                 URL: https://issues.apache.org/jira/browse/KARAF-7805
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf
>            Reporter: Matt Pavlovich
>            Assignee: Jean-Baptiste Onofré
>            Priority: Minor
>
> JDK deprecation (for removal) of SecurityManager is going take 
> AcccessController and AccessControlContext classes with it. 
> We need to stick the JAAS Subject on the Karaf Shell Session to allow 
> commands and other utilities the ability to get the current logged in user.
> karaf/shell/console ShellUtil:
> {noformat}
> AccessControlContext acc = AccessController.getContext();
> final Subject subject = Subject.getSubject(acc);
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to