Re: Security Subject from AccessControlContext is null when using JAAS and CXF JAASAuthenticationFilter
Hi Christian,

yes I did give cxf 3.0.3 on Karaf 2.3.9 a try without the desired outcome.

After some digging, it appears that the AccessControlContext does not have the combiner field populated after a successful authentication. There are a few AccessControlContext instances in the heap that have a valid combiner set. These contexts appear to be from the Karaf shell.

The point at which subject retrieval fails is in javax.security.auth.Subject.getSubject(AccessControlContext acc) line 300 on JDK 1.7.0_71. Here it expects the AccessControlContext to return a SubjectDomainCombiner but the actual combiner on the AccessControlContext is null and hence it is not able to retrieve the security context.

    // return the Subject from the DomainCombiner of the provided context
    return AccessController.doPrivileged
        (new java.security.PrivilegedAction<Subject>() {
        public Subject run() {
            DomainCombiner dc = acc.getDomainCombiner();
            if (!(dc instanceof SubjectDomainCombiner))
                return null;
            SubjectDomainCombiner sdc = (SubjectDomainCombiner)dc;
            return sdc.getSubject();
        }
    });

Now I am not sure but I would expect this context to be set by the JAAS framework and not the CXF interceptor.

I had a quick look at the authorization blueprint extension but not sure I understand the workings of this test. All I am after is to get the Subject in a simple authenticated REST service call.

Any thoughts or pointers on the above? Looks to me as if something is broken in either Karaf JAAS or the CXF interceptor.

Many thanks,
Niels

On Sun, Jan 18, 2015 at 11:25 PM, Christian Schneider ch...@die-schneider.net wrote:

> Did you try with CXF 3.0.2? The older versions of CXF did not set the AccessControlContext.
>
> Btw. if you use Blueprint you can also try the jaas authorization blueprint extension. See
> https://github.com/apache/aries/blob/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/AuthorizationTest.java
>
> Christian
>
> On 18.01.2015 at 13:29, Niels Bertram wrote:
>
> > I am trying to get the context's Principal from the AccessControlContext as documented on stackexchange
> > http://stackoverflow.com/questions/20970380/get-current-user-in-an-osgi-context-fuse-karaf .
> >
> > Unfortunately whenever I retrieve the subject using the current AccessControlContext, the subject is null.
> >
> > I basically create a very simple jaxrs server and register the CXF JAASAuthenticationFilter with the server:
> >
> >     <bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
> >         <property name="contextName" value="karaf" />
> >     </bean>
> >
> >     <jaxrs:server id="echoResource" address="/rest/echo">
> >         <jaxrs:serviceBeans>
> >             <bean class="org.apache.karaf.jaas.modules.mongo.test.EchoServiceImpl" />
> >         </jaxrs:serviceBeans>
> >         <jaxrs:providers>
> >             <ref component-id="authenticationFilter" />
> >         </jaxrs:providers>
> >     </jaxrs:server>
> >
> > When I execute the REST service, I try to get the Subject in the code as below but it is always null:
> >
> >     AccessControlContext acc = AccessController.getContext();
> >     if (acc == null) {
> >         throw new RuntimeException("access control context is null");
> >     }
> >     Subject subject = Subject.getSubject(acc);
> >     if (subject == null) {
> >         throw new RuntimeException("subject is null");
> >     }
> >
> > Interestingly if I inject the javax.ws.rs.core.SecurityContext into the CXF REST service, I do get a security principal.
> >
> >     public Response echo(@Context SecurityContext context) {
> >         Principal user = context.getUserPrincipal();
> >     }
> >
> > Is there another configuration required in Karaf or is this a bug in either Karaf or CXF?
> >
> > Would love to hear if anyone else came across this.
> >
> > Cheers,
> > Niels
> >
> > BTW: I tried the same in karaf 2.3.9, 2.4.1 and 3.0.2 with the exact same result.
>
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> Open Source Architect
> Talend Application Integration Division http://www.talend.com
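Added example, not part of any message in this thread and not CXF or Karaf code: it shows why the lookup above depends on a SubjectDomainCombiner, by running the same Subject.getSubject(acc) call once directly and once inside Subject.doAs, which is the JDK call that installs that combiner on the AccessControlContext. The class SubjectContextDemo, the UserPrincipal type and the user name "alice" are constructed for illustration; it assumes a JDK of the era discussed here (7 or 8) with no security manager installed.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.DomainCombiner;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.SubjectDomainCombiner;

public class SubjectContextDemo {

    // Constructed stand-in for the principal a JAAS login module would add.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Hypothetical service method performing the lookup from the thread,
    // and reporting which combiner the current context carries.
    static String currentUser() {
        AccessControlContext acc = AccessController.getContext();
        DomainCombiner dc = acc.getDomainCombiner();
        boolean hasSubjectCombiner = dc instanceof SubjectDomainCombiner;
        Subject subject = Subject.getSubject(acc);
        if (subject == null) {
            return "subject is null (SubjectDomainCombiner present: "
                    + hasSubjectCombiner + ")";
        }
        String name = subject.getPrincipals().iterator().next().getName();
        return name + " (SubjectDomainCombiner present: " + hasSubjectCombiner + ")";
    }

    public static void main(String[] args) {
        // An already authenticated Subject, as a LoginContext would return it.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("alice"));
        subject.setReadOnly();

        // Case 1: authentication succeeded, but the service is invoked
        // directly, so the thread's context has no Subject bound to it.
        System.out.println("direct call: " + currentUser());

        // Case 2: the service is invoked inside Subject.doAs, which binds
        // the Subject to the context for the duration of the action.
        String inside = Subject.doAs(subject, new PrivilegedAction<String>() {
            public String run() { return currentUser(); }
        });
        System.out.println("inside doAs: " + inside);
    }
}
```

A filter that authenticates and then calls the service outside of Subject.doAs leaves the service in case 1, even though the login itself succeeded.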
Re: Security Subject from AccessControlContext is null when using JAAS and CXF JAASAuthenticationFilter
Did you try with CXF 3.0.2? The older versions of CXF did not set the AccessControlContext.

Btw. if you use Blueprint you can also try the jaas authorization blueprint extension. See
https://github.com/apache/aries/blob/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/AuthorizationTest.java

Christian

On 18.01.2015 at 13:29, Niels Bertram wrote:

> I am trying to get the context's Principal from the AccessControlContext as documented on stackexchange
> http://stackoverflow.com/questions/20970380/get-current-user-in-an-osgi-context-fuse-karaf.
>
> Unfortunately whenever I retrieve the subject using the current AccessControlContext, the subject is null.
>
> I basically create a very simple jaxrs server and register the CXF JAASAuthenticationFilter with the server:
>
>     <bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
>         <property name="contextName" value="karaf" />
>     </bean>
>
>     <jaxrs:server id="echoResource" address="/rest/echo">
>         <jaxrs:serviceBeans>
>             <bean class="org.apache.karaf.jaas.modules.mongo.test.EchoServiceImpl" />
>         </jaxrs:serviceBeans>
>         <jaxrs:providers>
>             <ref component-id="authenticationFilter" />
>         </jaxrs:providers>
>     </jaxrs:server>
>
> When I execute the REST service, I try to get the Subject in the code as below but it is always null:
>
>     AccessControlContext acc = AccessController.getContext();
>     if (acc == null) {
>         throw new RuntimeException("access control context is null");
>     }
>     Subject subject = Subject.getSubject(acc);
>     if (subject == null) {
>         throw new RuntimeException("subject is null");
>     }
>
> Interestingly if I inject the javax.ws.rs.core.SecurityContext into the CXF REST service, I do get a security principal.
>
>     public Response echo(@Context SecurityContext context) {
>         Principal user = context.getUserPrincipal();
>     }
>
> Is there another configuration required in Karaf or is this a bug in either Karaf or CXF?
>
> Would love to hear if anyone else came across this.
>
> Cheers,
> Niels
>
> BTW: I tried the same in karaf 2.3.9, 2.4.1 and 3.0.2 with the exact same result.

--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
Talend Application Integration Division http://www.talend.com
Security Subject from AccessControlContext is null when using JAAS and CXF JAASAuthenticationFilter
I am trying to get the context's Principal from the AccessControlContext as documented on stackexchange
http://stackoverflow.com/questions/20970380/get-current-user-in-an-osgi-context-fuse-karaf .

Unfortunately whenever I retrieve the subject using the current AccessControlContext, the subject is null.

I basically create a very simple jaxrs server and register the CXF JAASAuthenticationFilter with the server:

    <bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
        <property name="contextName" value="karaf" />
    </bean>

    <jaxrs:server id="echoResource" address="/rest/echo">
        <jaxrs:serviceBeans>
            <bean class="org.apache.karaf.jaas.modules.mongo.test.EchoServiceImpl" />
        </jaxrs:serviceBeans>
        <jaxrs:providers>
            <ref component-id="authenticationFilter" />
        </jaxrs:providers>
    </jaxrs:server>

When I execute the REST service, I try to get the Subject in the code as below but it is always null:

    AccessControlContext acc = AccessController.getContext();
    if (acc == null) {
        throw new RuntimeException("access control context is null");
    }
    Subject subject = Subject.getSubject(acc);
    if (subject == null) {
        throw new RuntimeException("subject is null");
    }

Interestingly if I inject the javax.ws.rs.core.SecurityContext into the CXF REST service, I do get a security principal.

    public Response echo(@Context SecurityContext context) {
        Principal user = context.getUserPrincipal();
    }

Is there another configuration required in Karaf or is this a bug in either Karaf or CXF?

Would love to hear if anyone else came across this.

Cheers,
Niels

BTW: I tried the same in karaf 2.3.9, 2.4.1 and 3.0.2 with the exact same result.