Re: Using a custom JAAS LoginModule with karaf

2018-04-06 Thread luke
Hey Martin,
You raised an interesting scenario - have you tried to debug JAAS code from JRE 
which gets called after ShiroJaasIntegration module returns? Your configuration 
seems fine, if shiro fails properties login module is used as fallback. If it 
doesn’t get called then we need to check what is happening in LoginContext.

Please try adding 
java.security.debug=logincontext,configfile,configparser,policy to your system 
properties and check if you get anything useful from this debug. If you see too 
little - switching this debug flag to all will print a lot of debug information.

Cheers,
Łukasz
--
Twitter: ldywicki
Blog: http://dywicki.pl
Code-House - http://code-house.org

> On 5 Apr 2018, at 14:40, Martin Nielsen  wrote:
> 
> One problem down, one to go. I had the rank set to 0, upon setting it to 1 I 
> can successfully override the default karaf realm.
> 
> The new problem is that the PropertiesLoginModule is no longer called.
> 
> My blueprint is below. What I am trying to accomplish is for JAAS to look in 
> either module in order to authenticate a user. But right now I cannot login 
> with karaf/karaf, as it seems that the PropertiesLoginModule is ignored. I 
> can login with anything from the ShiroJaasIntegration module without issue.
> 
>  
> http://www.osgi.org/xmlns/blueprint/v1.0.0 
> "
>xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0 
> "
>
> xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0 
> ">
> 
> 
> 
> 
> 
>  className="dk.netdesign.common.security.karaf.ShiroJaasIntegration" 
>  flags="sufficient">
> 
>  className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
>  flags="sufficient">
> users = $[karaf.base]/etc/users.properties
> 
> 
> 
> 
> 
> 
> 
> 
> 
> On Thu, Apr 5, 2018 at 12:04 PM, Martin Nielsen wrote:
> The only way my module is called is if I force stop Apache Karaf :: JAAS :: 
> Modules (org.apache.karaf.jaas.modules). Is this intended behavior?
> 
> On Wed, Apr 4, 2018 at 9:28 AM, Martin Nielsen wrote:
> I now tried changing the blueprint to this:
>  
> http://www.osgi.org/xmlns/blueprint/v1.0.0 
> "
>xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0 
> "
>
> xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0 
> ">
> 
> 
> 
> 
> 
>  className="my.test.common.security.karaf.ShiroJaasIntegration" 
>  flags="sufficient">
> 
> 
> 
> 
> 
> That changes the realm list command to this
> 
> karaf@root()> jaas:realm-list
> Index | Realm Name | Login Module Class Name
> ------+------------+--------------------------------------------------------
> 1     | karaf      | dk.netdesign.common.security.karaf.ShiroJaasIntegration
> 
> But I can still log in with karaf/karaf, and my module is STILL not called. I 
> do not understand this. How can I still log in through the property module 
> when it is no longer listed?
> 
> 
> On Tue, Apr 3, 2018 at 6:40 PM, Martin Nielsen wrote:
> No you understood completely. I obviously didn't though. So if I want the 
> loginmodule I made to be usable through the webconsole, I must place it in 
> the karaf realm, is that correct?
> 
> Second question: what if I want to disable one of the current modules, for 
> example the properties module?
> 
> On Tue, 3 Apr 2018, 18:18 Jean-Baptiste Onofré wrote:
> Hi,
> 
> Maybe I don't understand what you want to do.
> 
> You added your login module in a new realm (ShiroBridge). So, it means that it
> will be used only for applications that will use this realm.
> 
> It's not possible to remove the karaf realm easily today as core part of Karaf
> use it (shell, MBeanServer, ...).
> 
> So:
> 1. If you want to use your login module in the core Karaf part (like the shell
> or ssh), then, your login module has to be in the karaf realm
> 2. No problem to create new realms and plug third party applications using
> this realm
> 
> Regards
> JB
> 
> On 04/03/2018 05:42 PM, Martin Nielsen wrote:
> > Hello everyone
> >
> > I am trying to create a new karaf JAAS module and preferably 

Re: Using a custom JAAS LoginModule with karaf

2018-04-06 Thread Martin Nielsen
I found the problem.
The blueprint configuration works as intended.

But as I debug my way through
the org.apache.karaf.jaas.boot.ProxyLoginModule I end up in the catch
clause when trying to create the PropertiesLoginModule.
ClassNotFoundException
org.apache.karaf.jaas.modules.properties.PropertiesLoginModule not found by
dk.netdesign.common.karaf-security [118]

It happens here:

    try {
        target = (LoginModule) bundle.loadClass(module).newInstance();
    } catch (Exception e) {
        throw new IllegalStateException("Can not load or create login module " + module + " for bundle " + bundleId, e);
    }

So the issue seems to be that the ProxyLoginModule is somehow used by my
bundle, instead of the karaf jaas bundle. And because I don't have any
import statements in my bundle for any jaas modules this happens.

The odd thing is that the exception seems to get swallowed up somewhere, as
it never ends up in the karaf.log. I see some pretty complex error handling
in javax.security.auth.login.LoginContext so it might get swallowed up
there?

And I assume that it is intended behavior that the bundle which publishes
the blueprint takes over the full responsibility for the handling modules?

On Fri, Apr 6, 2018 at 11:52 AM,  wrote:

> Hey Martin,
> You raised an interesting scenario - have you tried to debug JAAS code
> from JRE which gets called after ShiroJaasIntegration module returns? Your
> configuration seems fine, if shiro fails properties login module is used as
> fallback. If it doesn’t get called then we need to check what is happening
> in LoginContext.
>
> Please try adding
> *java.security.debug=logincontext,configfile,configparser,policy* to your
> system properties and check if you get anything useful from this debug. If
> you see too little - switching this debug flag to *all* will print a lot
> of debug information.
>
> Cheers,
> Łukasz
> --
> Twitter: ldywicki
> Blog: http://dywicki.pl
> Code-House - http://code-house.org
>
>
> On 5 Apr 2018, at 14:40, Martin Nielsen  wrote:
>
> One problem down, one to go. I had the rank set to 0, upon setting it to 1
> I can successfully override the default karaf realm.
>
> The new problem is that the PropertiesLoginModule is no longer called.
>
> My blueprint is below. What I am trying to accomplish is for JAAS to look
> in either module in order to authenticate a user. But right now I cannot
> login with karaf/karaf, as it seems that the PropertiesLoginModule is
> ignored. I can login with anything from the ShiroJaasIntegration module
> without issue.
>
> 
> http://www.osgi.org/xmlns/blueprint/v1.0.0;
>xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0;
>xmlns:ext="http://aries.apache.org/blueprint/xmlns/
> blueprint-ext/v1.0.0">
>
>
>  placeholder-suffix="]"/>
>
> 
>   flags="sufficient">
> 
>   flags="sufficient">
> users = $[karaf.base]/etc/users.properties
> 
> 
>
> 
>
>
>
>
>
> On Thu, Apr 5, 2018 at 12:04 PM, Martin Nielsen  wrote:
>
>> The only way my module is called is if I force stop Apache Karaf ::
>> JAAS :: Modules (org.apache.karaf.jaas.modules). Is this intended
>> behavior?
>>
>> On Wed, Apr 4, 2018 at 9:28 AM, Martin Nielsen  wrote:
>>
>>> I now tried changing the blueprint to this:
>>>
>>> 
>>> http://www.osgi.org/xmlns/blueprint/v1.0.0;
>>>xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0;
>>>
>>> xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0;>
>>>
>>>
>>> >> placeholder-suffix="]"/>
>>>
>>> 
>>> >> className="my.test.common.security.karaf.ShiroJaasIntegration"
>>>  flags="sufficient">
>>> 
>>> 
>>>
>>> 
>>>
>>>
>>> That changes the realm list command to this
>>>
>>>
>>> karaf@root()> jaas:realm-list
>>> Index | Realm Name | Login Module Class Name
>>> ------+------------+--------------------------------------------------------
>>> 1     | karaf      | dk.netdesign.common.security.karaf.ShiroJaasIntegration
>>>
>>>
>>> But I can still log in with karaf/karaf, and my module is STILL not called.
>>> I do not understand this. How can I still log in through the property
>>> module when it is no longer listed?
>>>
>>>
>>>
>>> On Tue, Apr 3, 2018 at 6:40 PM, Martin Nielsen  wrote:
>>>
>>>> No you understood completely. I obviously didn't though. So if I want
>>>> the loginmodule I made to be usable through the webconsole, I must place it
>>>> in the karaf realm, is that correct?
>>>>
>>>> Second question: what if I want to disable one of the current modules,
>>>> for example the properties module?
>>>>
>>>> On Tue, 3 Apr 2018, 18:18 Jean-Baptiste Onofré wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Maybe I don't understand what you want to
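
Added example, not part of the thread and not Karaf code: a plain-JDK reproduction of how an error like the IllegalStateException discussed above can go unreported. For sufficient and optional modules LoginContext keeps only the first failure it records, so an exception thrown while initializing a later module never reaches the caller. RejectingModule and BrokenModule are constructed stand-ins for the two modules in the realm.

```java
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

public class SwallowedModuleError {
    /** Stand-in for the first module in the realm: rejects the credentials normally. */
    public static class RejectingModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { }
        public boolean login() throws LoginException { throw new FailedLoginException("unknown user (first module)"); }
        public boolean commit() { return false; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Stand-in for a proxy module whose target class cannot be loaded. */
    public static class BrokenModule extends RejectingModule {
        @Override
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            throw new IllegalStateException("Can not load or create login module (constructed)");
        }
    }

    static AppConfigurationEntry sufficient(Class<?> module) {
        return new AppConfigurationEntry(module.getName(), LoginModuleControlFlag.SUFFICIENT,
                Collections.<String, Object>emptyMap());
    }

    public static void main(String[] args) {
        // Both modules are "sufficient", mirroring the flags used in the blueprint.
        Configuration cfg = new Configuration() {
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    sufficient(RejectingModule.class), sufficient(BrokenModule.class) };
            }
        };
        try {
            new LoginContext("demo", new Subject(), null, cfg).login();
        } catch (LoginException e) {
            // LoginContext rethrows the first recorded failure of the module stack.
            System.out.println("reported: " + e.getClass().getName() + ": " + e.getMessage());
            String text = String.valueOf(e.getMessage());
            System.out.println("IllegalStateException visible: " + text.contains("IllegalStateException"));
        }
    }
}
```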

configuration updates

2018-04-06 Thread Leschke, Scott
I thought changes to a service configuration were propagated to the associated 
.cfg file.  The configuration changes have definitely taken place but I'm not 
seeing the changes reflected in the .cfg.  Was I mistaken?  
This is on 4.2.0 M2 on Windows.

Thanks,

Scott


Re: configuration updates

2018-04-06 Thread Jean-Baptiste Onofré
OK, thanks for the update.

Regards
JB

On 04/06/2018 06:42 PM, Leschke, Scott wrote:
> The initial configuration is created using a .cfg file so it has it, but when 
> I edit the configuration (programmatically), I neglected to carry it over so 
> I see that it's no longer there.  So don't worry about it for now.  I'll fix 
> that and let you know if I still have issues, which I suspect I won't.
> 
> Thanks,
> Scott
> 
> -----Original Message-----
> From: Jean-Baptiste Onofré [mailto:j...@nanthrax.net] 
> Sent: Friday, April 06, 2018 11:19 AM
> To: user@karaf.apache.org
> Subject: Re: configuration updates
> 
> By the way, just to know, do you have the felix.fileinstall.file property on 
> the configuration?
> 
> Regards
> JB
> 
> On 04/06/2018 05:30 PM, Leschke, Scott wrote:
>> I thought changes to a service configuration were propagated to the 
>> associated .cfg file.  The configuration changes have definitely taken 
>> place but I'm not seeing the changes reflected in the .cfg.  Was I mistaken?
>> This is on 4.2.0 M2 on Windows.
>>
>>  
>>
>> Thanks,
>>
>>  
>>
>> Scott
>>
> 
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
> 

-- 
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com


Re: configuration updates

2018-04-06 Thread Jean-Baptiste Onofré
Hi Scott,

correct, config:update is propagated to cfg file (it's a fix I did on 4.0.x and
4.1.x). Let me check on 4.2.x.

Regards
JB

On 04/06/2018 05:30 PM, Leschke, Scott wrote:
> I thought changes to a service configuration were propagated to the associated
> .cfg file.  The configuration changes have definitely taken place but I’m not
> seeing the changes reflected in the .cfg.  Was I mistaken? 
> This is on 4.2.0 M2 on Windows.
> 
>  
> 
> Thanks,
> 
>  
> 
> Scott
> 

-- 
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com


Re: configuration updates

2018-04-06 Thread Jean-Baptiste Onofré
By the way, just to know, do you have the felix.fileinstall.file property on the
configuration?

Regards
JB

On 04/06/2018 05:30 PM, Leschke, Scott wrote:
> I thought changes to a service configuration were propagated to the associated
> .cfg file.  The configuration changes have definitely taken place but I’m not
> seeing the changes reflected in the .cfg.  Was I mistaken? 
> This is on 4.2.0 M2 on Windows.
> 
>  
> 
> Thanks,
> 
>  
> 
> Scott
> 

-- 
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com


RE: configuration updates

2018-04-06 Thread Leschke, Scott
The initial configuration is created using a .cfg file so it has it, but when I 
edit the configuration (programmatically), I neglected to carry it over so I 
see that it's no longer there.  So don't worry about it for now.  I'll fix that 
and let you know if I still have issues, which I suspect I won't.

Thanks,
Scott

-----Original Message-----
From: Jean-Baptiste Onofré [mailto:j...@nanthrax.net] 
Sent: Friday, April 06, 2018 11:19 AM
To: user@karaf.apache.org
Subject: Re: configuration updates

By the way, just to know, do you have the felix.fileinstall.file property on the 
configuration?

Regards
JB

On 04/06/2018 05:30 PM, Leschke, Scott wrote:
> I thought changes to a service configuration were propagated to the 
> associated .cfg file.  The configuration changes have definitely taken 
> place but I'm not seeing the changes reflected in the .cfg.  Was I mistaken?
> This is on 4.2.0 M2 on Windows.
> 
>  
> 
> Thanks,
> 
>  
> 
> Scott
> 

--
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com