Hi,

I would like to remove a login module (PublicKeyLoginModule) from the
default jaas karaf realm.

According to the docs:
http://karaf.apache.org/manual/latest/developers-guide/security-framework.html

“So if you want to override the default security configuration in Karaf
(which is used by the ssh shell, web console and
JMX layer), you need to deploy a JAAS configuration with the name
name="karaf" and rank="1".”

However, when I do this, new modules are added rather than replacing the
existing ones.

When the blueprint below is loaded via either the deploy dir or via
inclusion in a bundle (created using Maven by including the blueprint from
the following path)
src\main\resources\OSGI-INF\blueprint\context.xml

I get the following:

karaf@root()> jaas:realm-list
Index | Realm Name | Login Module Class Name
-----------------------------------------------------------------------------------
1     | karaf      | org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
2     | karaf      | org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
3     | karaf      | org.apache.karaf.jaas.modules.ldap.LDAPLoginModule

What I would like to see is either

karaf@root()> jaas:realm-list
Index | Realm Name | Login Module Class Name
-----------------------------------------------------------------------------------
1     | karaf      | org.apache.karaf.jaas.modules.ldap.LDAPLoginModule

Or, if there were a way to explicitly delete a module:

karaf@root()> jaas:realm-list
Index | Realm Name | Login Module Class Name
-----------------------------------------------------------------------------------
1     | karaf      | org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
2     | karaf      | org.apache.karaf.jaas.modules.ldap.LDAPLoginModule

---

<?xml version="1.0" encoding="UTF-8"?>
<blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
           xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
           xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.1.0"
           xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">

    <type-converters>
        <bean class="org.apache.karaf.jaas.modules.properties.PropertiesConverter"/>
    </type-converters>

    <!-- Allow usage of System properties, especially the karaf.base property -->
    <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>

    <!-- AdminConfig property place holder for the org.apache.karaf.jaas  -->
    <cm:property-placeholder persistent-id="org.apache.karaf.jaas" update-strategy="none">
        <cm:default-properties>
            <cm:property name="example.group" value="example-group-value"/>
        </cm:default-properties>
    </cm:property-placeholder>

    <jaas:config name="karaf" rank="1">
        <jaas:module className="org.apache.karaf.jaas.modules.ldap.LDAPLoginModule" flags="required">
            connection.url = ldap://ldap.example.com:389
            user.base.dn = o= example.com
            user.filter = (uid=%u)
            user.search.subtree = true
            role.base.dn = ou=applications,l=global,o= example.com
            role.filter = (&amp;(objectClass=groupOfUniqueNames)(uniqueMember=*uid=%u*)(cn=${example.group}))
            role.name.attribute = cn
            role.search.subtree = true
            authentication = simple
        </jaas:module>
    </jaas:config>

</blueprint>

---

karaf@root()> shell:info
Karaf
  Karaf version               3.0.0
  Karaf home                  ***
  Karaf base                  ***
  OSGi Framework              org.apache.felix.framework - 4.2.1

JVM
  Java Virtual Machine        Java HotSpot(TM) 64-Bit Server VM version 24.0-b56
  Version                     1.7.0_40
  Vendor                      Oracle Corporation
  Uptime                      23 minutes
  Total compile time          8.240 seconds
Threads
  Live threads                34
  Daemon threads              29
  Peak                        38
  Total started               53
Memory
  Current heap size           312,681 kbytes
  Maximum heap size           3,724,800 kbytes
  Committed heap size         464,384 kbytes
  Pending objects             0
  Garbage collector           Name = 'PS Scavenge', Collections = 2, Time = 0.058 seconds
  Garbage collector           Name = 'PS MarkSweep', Collections = 1, Time = 0.137 seconds
Classes
  Current classes loaded      4,772
  Total classes loaded        4,773
  Total classes unloaded      1
Operating system
  Name                        Windows 7 version 6.1
  Architecture                amd64
  Processors                  8
karaf@root()>


Same issue on Karaf 3.0.1

I'd welcome any suggestions. Creating a whole new realm is a possibility,
but for policy reasons I'd prefer not to have the PublicKeyLoginModule
visible in the runtime at all.

Thanks
Donald
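
Added example (not part of the original post and not Karaf project code): a check that parses captured `jaas:realm-list` output and reports login modules in a realm that are not on an allowlist, so the policy requirement in the post can be verified after a configuration change. The function names, the sample text and the allowlist are assumptions made for illustration.

```python
import re

# Constructed sample modelled on the listing in the post; rows 1 and 2 have the
# class name wrapped onto the following line, as happens in mailed console output.
SAMPLE = """\
Index | Realm Name | Login Module Class Name
-----------------------------------------------------------------
1     | karaf      |
org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
2     | karaf      |
org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
3     | karaf      | org.apache.karaf.jaas.modules.ldap.LDAPLoginModule
"""

# A data row: index | realm | (possibly empty) class name.
ROW = re.compile(r"^\s*(\d+)\s*\|\s*(\S+)\s*\|\s*(\S*)\s*$")
# A bare fully qualified Java class name, used to accept a wrapped continuation.
CLASS_NAME = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+$")


def parse_realm_list(text):
    """Return [(realm, module_class)] from jaas:realm-list output."""
    entries, pending_realm = [], None
    for line in text.splitlines():
        row = ROW.match(line)
        if row:
            _, realm, module = row.groups()
            if module:
                entries.append((realm, module))
                pending_realm = None
            else:
                pending_realm = realm  # class name continues on the next line
        elif pending_realm and CLASS_NAME.match(line.strip()):
            entries.append((pending_realm, line.strip()))
            pending_realm = None
    return entries


def audit_realm(text, realm, allowed):
    """Compare a realm's effective modules against an allowlist (assumed policy)."""
    present = [m for r, m in parse_realm_list(text) if r == realm]
    return {
        "unexpected": [m for m in present if m not in allowed],
        "missing": sorted(set(allowed) - set(present)),
    }


if __name__ == "__main__":
    policy = {"org.apache.karaf.jaas.modules.ldap.LDAPLoginModule"}
    print(audit_realm(SAMPLE, "karaf", policy))
```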
