Have you tried to use only the |JAASAuthenticationFeature|
together with blueprint authz for Rest?
Maybe it works better.
Christian
On 19.01.2015 13:43, Niels Bertram wrote:
Actually I was too quick declaring victory. I read through the code of
|JAASAuthenticationFeature| and also the JAXRS
specific |JAASAuthenticationFilter| I have been using. Both actually
delegate to the |JAASLoginInterceptor| and hence one should use one OR
the other.
Adding both will simply make the |JAASLoginInterceptor| registered as
a provider in the |JAASAuthenticationFeature| take precedence over the
REST |JAASAuthenticationFilter|. The |JAASLoginInterceptor| will not
redirect with a 401 in REST style but just fail with an awful error
message.
Interestingly the secret to the |JAASAuthenticationFilter| not being
able to set the underlying security context is this line in the
constructor of the REST filter (JAASAuthenticationFilter.java:66 3.0.2):
interceptor.setUseDoAs(false);
This will effectively disable the execution of the remainder of the
exchange under a privileged action that creates the
AccessControlContext as per |JAASLoginInterceptor.java:139|.
if (useDoAs) {
Subject.doAs(subject,new PrivilegedAction<Void>() {
...
When I sheepishly change the value of the |setUseDoAs| to true during
the object instantiation in the filter, the whole execution fails with
below stack trace. So something in the CXF JAXRS filtering mechanism
is broken that would set
parameter |org.apache.cxf.jaxrs.model.OperationResourceInfo| on the
exchange.
The line that fails with the NPE is |JAXRSInvoker.java:358|
OperationResourceInfo ori= exchange.get(OperationResourceInfo.class);
Looks like a bug in the CXF JAXRS implementation if you ask me. Or it
is inherently not possible due to the JAXRS filter being executed
inside the `JAXRSInInterceptor` itself. I think I need to move this
discussion to the CXF mailing list.
|2015-01-19 22:05:24,527 | INFO | qtp2023231351-73 | LoggingInInterceptor
| 80 - org.apache.cxf.cxf-core - 3.0.2 | Inbound Message
----------------------------
ID: 51
Address: http://localhost:8181/cxf/echo/jaas/t1
Http-Method: GET
Content-Type:
Headers: {Accept=[*/*], Authorization=[Basic a2FyYWY6a2FyYWY=],
Content-Type=[null], Host=[localhost:8181], User-Agent=[curl/7.28.1]}
--------------------------------------
2015-01-19 22:05:48,066 | WARN | qtp2023231351-73 | PhaseInterceptorChain
| 80 - org.apache.cxf.cxf-core - 3.0.2 | Interceptor for
{http://test.jaas.fleurida.com/}EchoServiceImpl has thrown exception, unwinding now
java.lang.NullPointerException
at org.apache.cxf.jaxrs.JAXRSInvoker.getResourceProvider(JAXRSInvoker.java:358)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:92)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)[80:org.apache.cxf.cxf-core:3.0.2]
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)[80:org.apache.cxf.cxf-core:3.0.2]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)[80:org.apache.cxf.cxf-core:3.0.2]
at org.apache.cxf.interceptor.security.JAASLoginInterceptor$1.run(JAASLoginInterceptor.java:146)[80:org.apache.cxf.cxf-core:3.0.2]
at org.apache.cxf.interceptor.security.JAASLoginInterceptor$1.run(JAASLoginInterceptor.java:140)[80:org.apache.cxf.cxf-core:3.0.2]
at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_71]
at javax.security.auth.Subject.doAs(Subject.java:356)[:1.7.0_71]
at org.apache.cxf.interceptor.security.JAASLoginInterceptor.handleMessage(JAASLoginInterceptor.java:140)[80:org.apache.cxf.cxf-core:3.0.2]
at org.apache.cxf.jaxrs.security.JAASAuthenticationFilter.filter(JAASAuthenticationFilter.java:111)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
at org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1624)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)[80:org.apache.cxf.cxf-core:3.0.2]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[80:org.apache.cxf.cxf-core:3.0.2]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:243)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:197)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:149)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:290)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:575)[84:org.apache.geronimo.specs.geronimo-servlet_3.0_spec:1.0]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)[89:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411]
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:503)[89:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411]
at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)[98:org.ops4j.pax.web.pax-web-jetty:3.1.2]
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)[89:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411]|
On Mon, Jan 19, 2015 at 8:16 PM, Niels Bertram <[email protected]> wrote:
Hi Christian,
oh yes I can see, adding the JAASAuthenticationFeature to the cxf
bus is required _in addition_ to adding the JAASLoginInterceptor.
I was not getting the desired result after Phase 1 so that makes sense.
I added a very simple example to GitHub
<https://github.com/bertramn/jaas-auth-rest-example> for anyone
interested.
Thanks a lot for the help, much appreciated!
Kind Regards,
Niels
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
http://www.talend.com
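
Added example, not part of the thread and not CXF code: a JDK-only sketch of the `useDoAs` branch discussed above, showing why code that looks up the caller through the AccessControlContext finds no Subject when the rest of the call is not wrapped in `Subject.doAs`. The class `DoAsDemo`, the `UserPrincipal` type, the method names and the user "alice" are constructed for illustration; it targets the Java 7/8 API seen in the stack trace (these calls are deprecated in recent JDKs).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class DoAsDemo {

    // Hypothetical principal, standing in for what a JAAS LoginModule would add.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // What downstream code does when it asks "who is calling me?" via the
    // AccessControlContext rather than via a framework-specific security context.
    static String currentCaller() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null || s.getPrincipals().isEmpty()) {
            return "<no subject in AccessControlContext>";
        }
        return s.getPrincipals().iterator().next().getName();
    }

    // Same shape as the branch quoted from JAASLoginInterceptor: with useDoAs
    // the remainder of the call runs inside Subject.doAs, otherwise it runs
    // in the caller's unmodified context.
    static String continueChain(Subject subject, boolean useDoAs) {
        if (useDoAs) {
            return Subject.doAs(subject, new PrivilegedAction<String>() {
                @Override public String run() { return currentCaller(); }
            });
        }
        return currentCaller();
    }

    public static void main(String[] args) {
        // Constructed, already-authenticated subject (no real login performed).
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("alice"));

        System.out.println("useDoAs=false -> " + continueChain(subject, false));
        System.out.println("useDoAs=true  -> " + continueChain(subject, true));
    }
}
```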