Hey Martin,
You raised an interesting scenario - have you tried to debug the JAAS code from the JRE
which gets called after the ShiroJaasIntegration module returns? Your configuration
seems fine; if Shiro fails, the properties login module is used as fallback. If it
doesn't get called then we need to check what is happening in LoginContext.

Please try adding
java.security.debug=logincontext,configfile,configparser,policy to your system
properties and check if you get anything useful from this debug. If you see too
little - switching this debug flag to all will print a lot of debug information.

Cheers,
Łukasz
--
Twitter: ldywicki
Blog: http://dywicki.pl
Code-House - http://code-house.org
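The fallback behaviour Łukasz describes (a module flagged "sufficient" that fails simply hands control to the next module, and one that succeeds stops the chain) can be reproduced outside Karaf with the plain JDK JAAS classes. The program below is an added example for this thread; it is not code from the thread, from Karaf or from Shiro. The class SufficientFallbackDemo, the toy FixedUserModule and the users alice/s3cret and karaf/karaf are invented for the demo; its two "sufficient" entries stand in for ShiroJaasIntegration and PropertiesLoginModule in Martin's blueprint.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Plain-JDK model of a realm with two "sufficient" modules; no Karaf or Shiro needed (demo code). */
public class SufficientFallbackDemo {

    /** Toy module (invented for the demo): accepts the single user/password pair given in its options. */
    public static class FixedUserModule implements LoginModule {
        private CallbackHandler handler;
        private String label, expectedUser, expectedPass;
        private boolean ok;

        @Override
        public void initialize(Subject subject, CallbackHandler callbackHandler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            handler = callbackHandler;
            label = (String) options.get("label");
            expectedUser = (String) options.get("user");
            expectedPass = (String) options.get("password");
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback name = new NameCallback("Username: ");
            PasswordCallback pass = new PasswordCallback("Password: ", false);
            try {
                handler.handle(new Callback[] { name, pass });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(label + ": " + e.getMessage());
            }
            char[] pw = pass.getPassword();
            ok = expectedUser.equals(name.getName())
                    && pw != null && expectedPass.equals(new String(pw));
            pass.clearPassword();                      // do not leave the secret in the callback
            System.out.println("  " + label + ".login() -> " + ok);
            if (!ok) {
                // Throwing marks this module as failed; because it is "sufficient",
                // LoginContext records the exception and moves on to the next module.
                throw new FailedLoginException(label + ": bad credentials");
            }
            return true;
        }

        @Override public boolean commit() { System.out.println("  " + label + ".commit() -> " + ok); return ok; }
        @Override public boolean abort()  { ok = false; return true; }
        @Override public boolean logout() { ok = false; return true; }
    }

    private static AppConfigurationEntry sufficient(String label, String user, String password) {
        Map<String, String> opts = new HashMap<>();
        opts.put("label", label);
        opts.put("user", user);
        opts.put("password", password);
        return new AppConfigurationEntry(FixedUserModule.class.getName(),
                LoginModuleControlFlag.SUFFICIENT, opts);
    }

    /** In-memory equivalent of the blueprint's <jaas:config name="karaf">: two sufficient modules in order. */
    static Configuration karafRealm() {
        AppConfigurationEntry[] entries = {
            sufficient("shiro", "alice", "s3cret"),   // stands in for ShiroJaasIntegration
            sufficient("props", "karaf", "karaf")     // stands in for PropertiesLoginModule
        };
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "karaf".equals(name) ? entries.clone() : null;
            }
        };
    }

    /** Runs the two-phase JAAS login (login, then commit or abort) and reports the outcome. */
    static boolean tryLogin(Configuration realm, String user, String password) {
        CallbackHandler handler = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) {
                    ((NameCallback) c).setName(user);
                } else if (c instanceof PasswordCallback) {
                    ((PasswordCallback) c).setPassword(password.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(c);
                }
            }
        };
        System.out.println(user + "/" + password + ":");
        try {
            new LoginContext("karaf", new Subject(), handler, realm).login();
            System.out.println("  => authenticated");
            return true;
        } catch (LoginException e) {
            System.out.println("  => rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        Configuration realm = karafRealm();
        tryLogin(realm, "alice", "s3cret"); // shiro succeeds; props is never asked
        tryLogin(realm, "karaf", "karaf");  // shiro fails, props succeeds: the fallback
        tryLogin(realm, "mallory", "x");    // both fail: the first module's exception is thrown
    }
}
```

Run it with `java -Djava.security.debug=logincontext SufficientFallbackDemo` to see LoginContext's own trace of the same decisions; the property has to be given on the command line, since the JDK reads it once at class initialisation. For alice only the first module is invoked (login and commit), for karaf/karaf the first module fails and the second is used, and for mallory both fail and the rejection carries the first module's message. If a custom module returns false from login() instead of throwing, JAAS treats it as "ignored" rather than failed, which also falls through to the next module but leaves no exception to report when every module ignores the request.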

> On 5 Apr 2018, at 14:40, Martin Nielsen <mny...@gmail.com> wrote:
> 
> One problem down, one to go. I had the rank set to 0; upon setting it to 1 I
> can successfully override the default karaf realm.
> 
> The new problem is that the PropertiesLoginModule is no longer called.
> 
> My blueprint is below. What I am trying to accomplish is for JAAS to look in
> either module in order to authenticate a user. But right now I cannot log in
> with karaf/karaf, as it seems that the PropertiesLoginModule is ignored. I
> can log in with anything from the ShiroJaasIntegration module without issue.
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
> 
>     <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
> 
>     <jaas:config name="karaf" rank="1">
>         <jaas:module className="dk.netdesign.common.security.karaf.ShiroJaasIntegration"
>                      flags="sufficient">
>         </jaas:module>
>         <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
>                      flags="sufficient">
>             users = $[karaf.base]/etc/users.properties
>         </jaas:module>
>     </jaas:config>
> 
> </blueprint>
> 
> 
> On Thu, Apr 5, 2018 at 12:04 PM, Martin Nielsen <mny...@gmail.com> wrote:
> The only way my module is called is if I force stop "Apache Karaf :: JAAS ::
> Modules" (org.apache.karaf.jaas.modules,
> <http://localhost:8181/system/console/bundles/148>). Is this intended behavior?
> 
> On Wed, Apr 4, 2018 at 9:28 AM, Martin Nielsen <mny...@gmail.com> wrote:
> I now tried changing the blueprint to this:
> <?xml version="1.0" encoding="UTF-8"?>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
> 
>     <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
> 
>     <jaas:config name="karaf" rank="0">
>         <jaas:module className="my.test.common.security.karaf.ShiroJaasIntegration"
>                      flags="sufficient">
>         </jaas:module>
>     </jaas:config>
> 
> </blueprint>
> 
> That changes the realm list command to this
> 
> karaf@root()> jaas:realm-list
> Index | Realm Name | Login Module Class Name
> ------+------------+---------------------------------------------------------
> 1     | karaf      | dk.netdesign.common.security.karaf.ShiroJaasIntegration
> 
> But I can still log in with karaf/karaf, and my module is STILL not called. I
> do not understand this. How can I still log in through the property module
> when it is no longer listed?
> 
> 
> On Tue, Apr 3, 2018 at 6:40 PM, Martin Nielsen <mny...@gmail.com> wrote:
> No, you understood completely. I obviously didn't though. So if I want the
> LoginModule I made to be usable through the webconsole, I must place it in
> the karaf realm, is that correct?
> 
> Second question: what if i want to disable one of the current modules, for 
> example the properties module?
> 
> On Tue, 3 Apr 2018, 18:18 Jean-Baptiste Onofré, <j...@nanthrax.net> wrote:
> Hi,
> 
> Maybe I don't understand what you want to do.
> 
> You added your login module in a new realm (ShiroBridge). So, it means that it
> will be used only for applications that will use this realm.
> 
> It's not possible to remove the karaf realm easily today, as core parts of Karaf
> use it (shell, MBeanServer, ...).
> 
> So:
> 1. If you want to use your login module in the core Karaf part (like the shell
>    or ssh), then your login module has to be in the karaf realm
> 2. No problem to create new realms and plug third party applications using this
>    realm
> 
> Regards
> JB
> 
> On 04/03/2018 05:42 PM, Martin Nielsen wrote:
> > Hello everyone
> >
> > I am trying to create a new karaf JAAS module and preferably override the
> > current karaf JAAS domain.
> >
> > I have my login module which basically just delegates everything to shiro,
> > as well as a blueprint to add it to the JAAS config.
> >
> > My JAAS config xml from OSGI-INF\blueprint folder in the jar:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> >            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
> >            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
> >
> >     <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
> >
> >     <jaas:config name="ShiroBridge" rank="-1">
> >         <jaas:module className="my.test.security.karaf.ShiroJaasIntegration"
> >                      flags="sufficient">
> >         </jaas:module>
> >     </jaas:config>
> >
> > </blueprint>
> >
> > My LoginModule:
> >
> > import java.io.IOException;
> > import java.security.Principal;
> > import java.util.HashSet;
> > import java.util.Map;
> > import java.util.Set;
> >
> > import javax.security.auth.Subject;
> > import javax.security.auth.callback.Callback;
> > import javax.security.auth.callback.CallbackHandler;
> > import javax.security.auth.callback.NameCallback;
> > import javax.security.auth.callback.PasswordCallback;
> > import javax.security.auth.callback.UnsupportedCallbackException;
> > import javax.security.auth.login.LoginException;
> > import javax.security.auth.spi.LoginModule;
> >
> > import org.osgi.framework.BundleContext;
> > import org.osgi.framework.BundleReference;
> > import org.slf4j.Logger;
> > import org.slf4j.LoggerFactory;
> >
> > public class ShiroJaasIntegration implements LoginModule {
> >
> >     public static final Logger LOGGER = LoggerFactory.getLogger(ShiroJaasIntegration.class);
> >     private static final Class<org.apache.shiro.session.Session> shiroSessionClass =
> >             org.apache.shiro.session.Session.class;
> >
> >     // Principals collected during login(); added to the Subject only in commit().
> >     protected Set<Principal> principals = new HashSet<>();
> >     private Subject subject;
> >     private org.apache.shiro.session.Session shiroSession;
> >     private CallbackHandler callbackHandler;
> >     private Map<String, ?> sharedState;
> >     private Map<String, ?> options;
> >     private String user;
> >     protected BundleContext bundleContext;
> >     private boolean authenticated = false;
> >
> >     @Override
> >     public void initialize(Subject subject, CallbackHandler callbackHandler,
> >                            Map<String, ?> sharedState, Map<String, ?> options) {
> >         LOGGER.info("initialize " + System.identityHashCode(this));
> >         this.subject = subject;
> >         this.callbackHandler = callbackHandler;
> >         this.sharedState = sharedState;
> >         this.options = options;
> >         // The module's own bundle context, obtained through the bundle class loader.
> >         this.bundleContext = ((BundleReference) this.getClass().getClassLoader())
> >                 .getBundle().getBundleContext();
> >     }
> >
> >     @Override
> >     public boolean login() throws LoginException {
> >         LOGGER.debug("login " + System.identityHashCode(this));
> >         if (callbackHandler == null) {
> >             throw new LoginException("No CallbackHandler found");
> >         }
> >
> >         Callback[] callbacks = new Callback[2];
> >         callbacks[0] = new NameCallback("Username: ");
> >         callbacks[1] = new PasswordCallback("Password: ", false);
> >         try {
> >             callbackHandler.handle(callbacks);
> >         } catch (IOException ioe) {
> >             throw new LoginException(ioe.getMessage());
> >         } catch (UnsupportedCallbackException uce) {
> >             throw new LoginException(uce.getMessage()
> >                     + " not available to obtain information from user");
> >         }
> >
> >         // user callback get value
> >         if (((NameCallback) callbacks[0]).getName() == null) {
> >             throw new LoginException("Username can not be null");
> >         }
> >         user = ((NameCallback) callbacks[0]).getName();
> >
> >         // password callback get value; clear the callback's copy once read
> >         char[] passwordChars = ((PasswordCallback) callbacks[1]).getPassword();
> >         if (passwordChars == null) {
> >             throw new LoginException("Password can not be null");
> >         }
> >         String password = new String(passwordChars);
> >         ((PasswordCallback) callbacks[1]).clearPassword();
> >
> >         org.apache.shiro.subject.Subject shiroSubject = null;
> >
> > //Do lots of shiro stuff to get the UserPrincipal and RolePrincipal objects
> >
> >         return authenticated;
> >     }
> >
> >     @Override
> >     public boolean commit() throws LoginException {
> >         LOGGER.debug("commit " + System.identityHashCode(this));
> >         if (!authenticated) {
> >             // login() did not succeed for this module: contribute nothing to the Subject.
> >             return false;
> >         }
> >         subject.getPrincipals().addAll(principals);
> >         return true;
> >     }
> >
> >     @Override
> >     public boolean abort() throws LoginException {
> >         LOGGER.debug("abort " + System.identityHashCode(this));
> >         user = null;
> >         authenticated = false;
> >         principals.clear();
> >         return true;
> >     }
> >
> >     @Override
> >     public boolean logout() throws LoginException {
> >         LOGGER.debug("logout " + System.identityHashCode(this));
> >         user = null;
> >         authenticated = false;
> >         subject.getPrincipals().removeAll(principals);
> >         principals.clear();
> >         return true;
> >     }
> >
> > }
> >
> > I have tried setting the rank inside the blueprint to -1, 0, and 1 and the
> > ShiroBridge does move up and down the list, but no log statements from the
> > ShiroJaasIntegration LoginModule are ever called, and in all cases I can
> > still log in with karaf/karaf.
> >
> > karaf@root()> jaas:realm-list
> > Index | Realm Name  | Login Module Class Name
> > ------+-------------+---------------------------------------------------------------
> > 1     | ShiroBridge | my.test.security.karaf.ShiroJaasIntegration
> > 2     | karaf       | org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
> > 3     | karaf       | org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
> > 4     | karaf       | org.apache.karaf.jaas.modules.audit.FileAuditLoginModule
> > 5     | karaf       | org.apache.karaf.jaas.modules.audit.LogAuditLoginModule
> > 6     | karaf       | org.apache.karaf.jaas.modules.audit.EventAdminAuditLoginModule
> >
> >
> > So my module never seems to be called, and I can't really disable the karaf
> > realm.
> >
> >
> > Can someone help with this? My objective is to add my own LoginModule and
> > preferably replace the current karaf Realm
> >
> 
> --
> Jean-Baptiste Onofré
> jbono...@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
> 
> 
> 
