Re: Security Subject from AccessControlContext is null when using JAAS and CXF JAASAuthenticationFilter

2015-01-18 Thread Niels Bertram
Hi Christian,

yes I did give cxf 3.0.3 on Karaf 2.3.9 a try without the desired outcome.
After some digging, it appears that the AccessControlContext does not have
the combiner field populated after a successful authentication. There are a
few AccessControlContext instances in the heap that have a valid combiner
set. These contexts appear to be from the Karaf shell.

The point at which subject retrieval fails is in
javax.security.auth.Subject.getSubject(AccessControlContext acc), line 300 on
JDK 1.7.0_71. Here it expects the AccessControlContext to return a
SubjectDomainCombiner, but the actual combiner on the AccessControlContext is
null and hence it is not able to retrieve the security context.

// return the Subject from the DomainCombiner of the provided context
return AccessController.doPrivileged
    (new java.security.PrivilegedAction<Subject>() {
    public Subject run() {
        DomainCombiner dc = acc.getDomainCombiner();
        if (!(dc instanceof SubjectDomainCombiner))
            return null;
        SubjectDomainCombiner sdc = (SubjectDomainCombiner)dc;
        return sdc.getSubject();
    }
});

Now I am not sure but I would expect this context to be set by the JAAS
framework and not the CXF interceptor. I had a quick look at
the authorization blueprint extension but not sure I understand the
workings of this test. All I am after is to get the Subject in a simple
authenticated REST service call.

Any thoughts or pointers on the above? Looks to me as if something is
broken in either Karaf JAAS or the CXF interceptor.

Many thanks,
Niels

On Sun, Jan 18, 2015 at 11:25 PM, Christian Schneider 
ch...@die-schneider.net wrote:

  Did you try with CXF 3.0.2 ? The older versions of CXF did not set the
 AccessControlContext.

 Btw. if you use Blueprint you can also try the jaas authorization
 blueprint extension.
 See
 https://github.com/apache/aries/blob/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/AuthorizationTest.java

 Christian

 Am 18.01.2015 um 13:29 schrieb Niels Bertram:

  I am trying to get the context's Principal from the AccessControlContext
 as documented on stackexchange
 http://stackoverflow.com/questions/20970380/get-current-user-in-an-osgi-context-fuse-karaf.

 Unfortunately whenever I retrieve the subject using the current
 AccessControlContext, the subject is null.

 I basically create a very simple jaxrs server and register the CXF
 JAASAuthenticationFilter with the server:

 <bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
     <property name="contextName" value="karaf" />
 </bean>

 <jaxrs:server id="echoResource" address="/rest/echo">
     <jaxrs:serviceBeans>
         <bean class="org.apache.karaf.jaas.modules.mongo.test.EchoServiceImpl" />
     </jaxrs:serviceBeans>
     <jaxrs:providers>
         <ref component-id="authenticationFilter" />
     </jaxrs:providers>
 </jaxrs:server>

  When I execute the REST service, I try to get the Subject in the code as
 below but it is always null:

 AccessControlContext acc = AccessController.getContext();
 if (acc == null) {
     throw new RuntimeException("access control context is null");
 }
 Subject subject = Subject.getSubject(acc);
 if (subject == null) {
     throw new RuntimeException("subject is null");
 }

  Interestingly if I inject the javax.ws.rs.core.SecurityContext into the
 CXF REST service, I do get a security principal.

 public Response echo(@Context SecurityContext context) {
     Principal user = context.getUserPrincipal();
     return Response.ok().build();
 }

  Is there another configuration required in Karaf or is this a bug in
 either Karaf or CXF? Would love to hear if anyone else came across this.

 Cheers, Niels

 BTW: I tried the same in karaf 2.3.9, 2.4.1 and 3.0.2 with the exact same
 result.



 --

 Christian Schneider
 http://www.liquid-reality.de

 Open Source Architect
 Talend Application Integration Division http://www.talend.com




Re: Security Subject from AccessControlContext is null when using JAAS and CXF JAASAuthenticationFilter

2015-01-18 Thread Christian Schneider
Did you try with CXF 3.0.2 ? The older versions of CXF did not set the 
AccessControlContext.


Btw. if you use Blueprint you can also try the jaas authorization 
blueprint extension.
See 
https://github.com/apache/aries/blob/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/AuthorizationTest.java


Christian

Am 18.01.2015 um 13:29 schrieb Niels Bertram:


I am trying to get the context's Principal from the 
AccessControlContext as documented on stackexchange 
http://stackoverflow.com/questions/20970380/get-current-user-in-an-osgi-context-fuse-karaf.


Unfortunately whenever I retrieve the subject using the current 
AccessControlContext, the subject is null.


I basically create a very simple jaxrs server and register the CXF 
JAASAuthenticationFilter with the server:


<bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
    <property name="contextName" value="karaf" />
</bean>

<jaxrs:server id="echoResource" address="/rest/echo">
    <jaxrs:serviceBeans>
        <bean class="org.apache.karaf.jaas.modules.mongo.test.EchoServiceImpl" />
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <ref component-id="authenticationFilter" />
    </jaxrs:providers>
</jaxrs:server>

When I execute the REST service, I try to get the Subject in the code 
as below but it is always null:


AccessControlContext acc = AccessController.getContext();
if (acc == null) {
    throw new RuntimeException("access control context is null");
}

Subject subject = Subject.getSubject(acc);
if (subject == null) {
    throw new RuntimeException("subject is null");
}

Interestingly if I inject the javax.ws.rs.core.SecurityContext into 
the CXF REST service, I do get a security principal.


public Response echo(@Context SecurityContext context) {
    Principal user = context.getUserPrincipal();
    return Response.ok().build();
}

Is there another configuration required in Karaf or is this a bug in 
either Karaf or CXF? Would love to hear if anyone else came across this.


Cheers, Niels

BTW: I tried the same in karaf 2.3.9, 2.4.1 and 3.0.2 with the exact same 
result.





--
 
Christian Schneider

http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com



Security Subject from AccessControlContext is null when using JAAS and CXF JAASAuthenticationFilter

2015-01-18 Thread Niels Bertram
I am trying to get the context's Principal from the AccessControlContext as
documented on stackexchange
http://stackoverflow.com/questions/20970380/get-current-user-in-an-osgi-context-fuse-karaf.

Unfortunately whenever I retrieve the subject using the current
AccessControlContext, the subject is null.

I basically create a very simple jaxrs server and register the CXF
JAASAuthenticationFilter with the server:

<bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
    <property name="contextName" value="karaf" />
</bean>

<jaxrs:server id="echoResource" address="/rest/echo">
    <jaxrs:serviceBeans>
        <bean class="org.apache.karaf.jaas.modules.mongo.test.EchoServiceImpl" />
    </jaxrs:serviceBeans>
    <jaxrs:providers>
        <ref component-id="authenticationFilter" />
    </jaxrs:providers>
</jaxrs:server>

When I execute the REST service, I try to get the Subject in the code as
below but it is always null:

AccessControlContext acc = AccessController.getContext();
if (acc == null) {
    throw new RuntimeException("access control context is null");
}
Subject subject = Subject.getSubject(acc);
if (subject == null) {
    throw new RuntimeException("subject is null");
}

Interestingly if I inject the javax.ws.rs.core.SecurityContext into the CXF
REST service, I do get a security principal.

public Response echo(@Context SecurityContext context) {
    Principal user = context.getUserPrincipal();
    return Response.ok().build();
}

Is there another configuration required in Karaf or is this a bug in either
Karaf or CXF? Would love to hear if anyone else came across this.

Cheers, Niels

BTW: I tried the same in karaf 2.3.9, 2.4.1 and 3.0.2 with the exact same
result.
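An added illustration, not code from this thread, CXF or Karaf, of the mechanism traced further up in the thread: Subject.getSubject(acc) only finds a Subject when the AccessControlContext carries a SubjectDomainCombiner, and the JDK installs that combiner only for the duration of a Subject.doAs call, which is why a plain AccessController.getContext() in resource code yields null. The class name, the sample principal and the labels are assumptions; whether a particular CXF filter version wraps the resource invocation in Subject.doAs has to be checked against that version's source.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.DomainCombiner;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.SubjectDomainCombiner;
import javax.security.auth.x500.X500Principal;

public class SubjectCombinerDemo {

    // Same test that Subject.getSubject(acc) performs internally: the Subject is
    // only reachable when the context's DomainCombiner is a SubjectDomainCombiner.
    static String describe(AccessControlContext acc) {
        DomainCombiner dc = acc.getDomainCombiner();
        String combiner = (dc instanceof SubjectDomainCombiner) ? "SubjectDomainCombiner"
                        : (dc == null ? "null" : dc.getClass().getName());
        Subject s = Subject.getSubject(acc);
        return "combiner=" + combiner + ", subject="
               + (s == null ? "null" : s.getPrincipals().toString());
    }

    public static void main(String[] args) {
        // Constructed sample Subject standing in for what a Karaf LoginContext would build.
        Subject subject = new Subject();
        subject.getPrincipals().add(new X500Principal("CN=sample-user")); // hypothetical principal

        // 1. Plain call stack: no combiner is installed, so getSubject() yields null.
        System.out.println("outside doAs: " + describe(AccessController.getContext()));

        // 2. Inside Subject.doAs the JDK runs the action under a SubjectDomainCombiner
        //    holding this Subject, which is exactly what getSubject() looks for.
        String inside = Subject.doAs(subject, new PrivilegedAction<String>() {
            public String run() {
                return describe(AccessController.getContext());
            }
        });
        System.out.println("inside doAs:  " + inside);

        // 3. The combiner is scoped to the doAs call; once it returns, code on the
        //    same thread sees a context without a combiner again.
        System.out.println("after doAs:   " + describe(AccessController.getContext()));
    }
}
```

The practical check this gives a developer is where the resource method sits relative to a doAs frame: if the authenticating filter only logs in and then returns, the login result lives in the filter's frame and the resource invocation runs without the combiner, so the injected SecurityContext (populated by the filter) works while Subject.getSubject(acc) does not.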