[jira] [Commented] (KARAF-7805) Add JAAS Subject to Karaf shell session

Thu, 08 May 2025 09:31:47 -0700 


    [ 
https://issues.apache.org/jira/browse/KARAF-7805?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17950340#comment-17950340
 ] 

ASF GitHub Bot commented on KARAF-7805:
---------------------------------------

mattrpav commented on code in PR #1946:
URL: https://github.com/apache/karaf/pull/1946#discussion_r2080024456


##########
shell/ssh/src/main/java/org/apache/karaf/shell/ssh/ShellFactoryImpl.java:
##########
@@ -108,6 +108,7 @@ public void start(ChannelSession channelSession, 
Environment environment) throws
                 for (Map.Entry<String, String> e : 
environment.getEnv().entrySet()) {
                     shell.put(e.getKey(), e.getValue());
                 }
+                shell.put(Subject.class.getName(), subject);

Review Comment:
   The JDK is deprecating for _removal_ the SecurityManager, AccessController, 
and AccessControlContext classes and newer JDK builds are starting to have 
those classes unavailable.
   
   The solution is to start passing around the Subject in-session, so we can 
safely start removing the AccessController references in parts of Karaf.
   
   To ensure any Karaf command or other module using the Subject do not modify 
the contents, the Subject should be created with the readOnly flag set to 
'true'.
   
   Places that perform login operations using LoginContext will need to by 
modified to set the readOnly flag via subject.setReadOnly():
   
   ref: 
https://github.com/apache/karaf/blob/a021c6b4c22a0678b82cdf18ae2567e64b8add1c/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java#L87
   
   Deprecation:
   ref: 
https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/lang/SecurityManager.html
   
   ref: 
https://docs.oracle.com/en/java/javase/21/docs/api/java.base/java/security/AccessController.html
   





> Add JAAS Subject to Karaf shell session
> ---------------------------------------
>
>                 Key: KARAF-7805
>                 URL: https://issues.apache.org/jira/browse/KARAF-7805
>             Project: Karaf
>          Issue Type: Improvement
>          Components: karaf
>            Reporter: Matt Pavlovich
>            Assignee: Jean-Baptiste Onofré
>            Priority: Minor
>
> JDK deprecation (for removal) of SecurityManager is going take 
> AcccessController and AccessControlContext classes with it. 
> We need to stick the JAAS Subject on the Karaf Shell Session to allow 
> commands and other utilities the ability to get the current logged in user.
> karaf/shell/console ShellUtil:
> {noformat}
> AccessControlContext acc = AccessController.getContext();
> final Subject subject = Subject.getSubject(acc);
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to