I found the problem.
The blueprint configuration works as intended.

But as I debug my way through the org.apache.karaf.jaas.boot.ProxyLoginModule
I end up in the catch clause when trying to create the PropertiesLoginModule:

ClassNotFoundException:
org.apache.karaf.jaas.modules.properties.PropertiesLoginModule not found by
dk.netdesign.common.karaf-security [118]

It happens here:

        try {
            target = (LoginModule) bundle.loadClass(module).newInstance();
        } catch (Exception e) {
            throw new IllegalStateException("Can not load or create login module " + module + " for bundle " + bundleId, e);
        }

So the issue seems to be that the ProxyLoginModule is somehow used by my
bundle, instead of the karaf jaas bundle. And because I don't have any
import statements in my bundle for any jaas modules this happens.

The odd thing is that the exception seems to get swallowed up somewhere, as
it never ends up in the karaf.log. I see some pretty complex error handling
in javax.security.auth.login.LoginContext so it might get swallowed up
there?

And I assume that it is intended behavior that the bundle which publishes
the blueprint takes over the full responsibility for handling the modules?

On Fri, Apr 6, 2018 at 11:52 AM, <l...@code-house.org> wrote:

> Hey Martin,
> You raised an interesting scenario - have you tried to debug JAAS code
> from JRE which gets called after ShiroJaasIntegration module returns? Your
> configuration seems fine, if shiro fails properties login module is used as
> fallback. If it doesn’t get called then we need to check what is happening
> in LoginContext.
>
> Please try adding
> *java.security.debug=logincontext,configfile,configparser,policy* to your
> system properties and check if you get anything useful from this debug. If
> you see too little - switching this debug flag to *all* will print a lot
> of debug information.
>
> Cheers,
> Łukasz
> --
> Twitter: ldywicki
> Blog: http://dywicki.pl
> Code-House - http://code-house.org
>
>
> On 5 Apr 2018, at 14:40, Martin Nielsen <mny...@gmail.com> wrote:
>
> One problem down, one to go. I had the rank set to 0, upon setting it to 1
> I can successfully override the default karaf realm.
>
> The new problem is that the PropertiesLoginModule is no longer called.
>
> My blueprint is below. What I am trying to accomplish is for JAAS to look
> in either module in order to authenticate a user. But right now I cannot
> login with karaf/karaf, as it seems that the PropertiesLoginModule is
> ignored. I can login with anything from the ShiroJaasIntegration module
> without issue.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
>
>     <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
>
>     <jaas:config name="karaf" rank="1">
>         <jaas:module className="dk.netdesign.common.security.karaf.ShiroJaasIntegration"
>                      flags="sufficient">
>         </jaas:module>
>         <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
>                      flags="sufficient">
>             users = $[karaf.base]/etc/users.properties
>         </jaas:module>
>     </jaas:config>
>
> </blueprint>
>
>
>
>
>
> On Thu, Apr 5, 2018 at 12:04 PM, Martin Nielsen <mny...@gmail.com> wrote:
>
>> The only way my module is called is if I force stop the "Apache Karaf ::
>> JAAS :: Modules" bundle (org.apache.karaf.jaas.modules,
>> <http://localhost:8181/system/console/bundles/148>). Is this intended
>> behavior?
>>
>> On Wed, Apr 4, 2018 at 9:28 AM, Martin Nielsen <mny...@gmail.com> wrote:
>>
>>> I now tried changing the blueprint to this:
>>>
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>>>            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>>>            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
>>>
>>>     <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
>>>
>>>     <jaas:config name="karaf" rank="0">
>>>         <jaas:module className="my.test.common.security.karaf.ShiroJaasIntegration"
>>>                      flags="sufficient">
>>>         </jaas:module>
>>>     </jaas:config>
>>>
>>> </blueprint>
>>>
>>>
>>> That changes the realm list command to this
>>>
>>>
>>> karaf@root()> jaas:realm-list
>>> Index | Realm Name | Login Module Class Name
>>> ------+------------+--------------------------------------------------------
>>> 1     | karaf      | dk.netdesign.common.security.karaf.ShiroJaasIntegration
>>>
>>>
>>> But I can still log in with karaf/karaf, and my module is STILL not called.
>>> I do not understand this. How can I still log in through the property
>>> module when it is no longer listed?
>>>
>>>
>>>
>>> On Tue, Apr 3, 2018 at 6:40 PM, Martin Nielsen <mny...@gmail.com> wrote:
>>>
>>>> No you understood completely. I obviously didn't though. So if I want
>>>> the login module I made to be usable through the webconsole, I must place it
>>>> in the karaf realm, is that correct?
>>>>
>>>> Second question: what if I want to disable one of the current modules,
>>>> for example the properties module?
>>>>
>>>> On Tue, 3 Apr 2018, 18:18 Jean-Baptiste Onofré, <j...@nanthrax.net>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> Maybe I don't understand what you want to do.
>>>>>
>>>>> You added your login module in a new realm (ShiroBridge). So, it means
>>>>> that it will be used only for applications that will use this realm.
>>>>>
>>>>> It's not possible to remove the karaf realm easily today as core parts
>>>>> of Karaf use it (shell, MBeanServer, ...).
>>>>>
>>>>> So:
>>>>> 1. If you want to use your login module in the core Karaf part (like
>>>>> the shell or ssh), then your login module has to be in the karaf realm
>>>>> 2. No problem to create new realms and plug third party applications
>>>>> using this realm
>>>>>
>>>>> Regards
>>>>> JB
>>>>>
>>>>> On 04/03/2018 05:42 PM, Martin Nielsen wrote:
>>>>> > Hello everyone
>>>>> >
>>>>> > I am trying to create a new karaf JAAS module and preferably override
>>>>> > the current karaf JAAS domain.
>>>>> >
>>>>> > I have my login module which basically just delegates everything to
>>>>> > shiro, as well as a blueprint to add it to the JAAS config.
>>>>> >
>>>>> > My JAAS config xml from OSGI-INF\blueprint folder in the jar:
>>>>> >
>>>>> > <?xml version="1.0" encoding="UTF-8"?>
>>>>> > <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>>>>> >            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>>>>> >            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
>>>>> >
>>>>> >     <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
>>>>> >
>>>>> >     <jaas:config name="ShiroBridge" rank="-1">
>>>>> >         <jaas:module className="my.test.security.karaf.ShiroJaasIntegration"
>>>>> >                      flags="sufficient">
>>>>> >         </jaas:module>
>>>>> >     </jaas:config>
>>>>> >
>>>>> > </blueprint>
>>>>> >
>>>>> > My LoginModule:
>>>>> >
>>>>> > import java.io.IOException;
>>>>> > import java.security.Principal;
>>>>> > import java.util.HashSet;
>>>>> > import java.util.Map;
>>>>> > import java.util.Set;
>>>>> >
>>>>> > import javax.security.auth.Subject;
>>>>> > import javax.security.auth.callback.Callback;
>>>>> > import javax.security.auth.callback.CallbackHandler;
>>>>> > import javax.security.auth.callback.NameCallback;
>>>>> > import javax.security.auth.callback.PasswordCallback;
>>>>> > import javax.security.auth.callback.UnsupportedCallbackException;
>>>>> > import javax.security.auth.login.LoginException;
>>>>> > import javax.security.auth.spi.LoginModule;
>>>>> >
>>>>> > import org.osgi.framework.BundleContext;
>>>>> > import org.osgi.framework.BundleReference;
>>>>> > import org.slf4j.Logger;
>>>>> > import org.slf4j.LoggerFactory;
>>>>> >
>>>>> > public class ShiroJaasIntegration implements LoginModule {
>>>>> >
>>>>> >     public static final Logger LOGGER = LoggerFactory.getLogger(ShiroJaasIntegration.class);
>>>>> >     private static final Class<org.apache.shiro.session.Session> shiroSessionClass = org.apache.shiro.session.Session.class;
>>>>> >
>>>>> >     protected Set<Principal> principals = new HashSet<>();
>>>>> >     private Subject subject;
>>>>> >     private org.apache.shiro.session.Session shiroSession;
>>>>> >     private CallbackHandler callbackHandler;
>>>>> >     private Map<String, ?> sharedState;
>>>>> >     private Map<String, ?> options;
>>>>> >     private String user;
>>>>> >     protected BundleContext bundleContext;
>>>>> >     private boolean authenticated = false;
>>>>> >
>>>>> >     @Override
>>>>> >     public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
>>>>> >         LOGGER.info("initialize " + System.identityHashCode(this));
>>>>> >         this.subject = subject;
>>>>> >         this.callbackHandler = callbackHandler;
>>>>> >         this.sharedState = sharedState;
>>>>> >         this.options = options;
>>>>> >         // The class loader of a class loaded by an OSGi bundle is a BundleReference, which gives access to the owning bundle
>>>>> >         this.bundleContext = ((BundleReference) this.getClass().getClassLoader()).getBundle().getBundleContext();
>>>>> >     }
>>>>> >
>>>>> >     @Override
>>>>> >     public boolean login() throws LoginException {
>>>>> >         LOGGER.debug("login " + System.identityHashCode(this));
>>>>> >         if (callbackHandler == null) {
>>>>> >             throw new LoginException("No CallbackHandler found");
>>>>> >         }
>>>>> >
>>>>> >         // Ask the caller (shell, ssh, webconsole, ...) for the credentials
>>>>> >         Callback[] callbacks = new Callback[2];
>>>>> >         callbacks[0] = new NameCallback("Username: ");
>>>>> >         callbacks[1] = new PasswordCallback("Password: ", false);
>>>>> >         try {
>>>>> >             callbackHandler.handle(callbacks);
>>>>> >         } catch (IOException ioe) {
>>>>> >             throw new LoginException(ioe.getMessage());
>>>>> >         } catch (UnsupportedCallbackException uce) {
>>>>> >             throw new LoginException(uce.getMessage() + " not available to obtain information from user");
>>>>> >         }
>>>>> >
>>>>> >         // user callback get value
>>>>> >         if (((NameCallback) callbacks[0]).getName() == null) {
>>>>> >             throw new LoginException("Username can not be null");
>>>>> >         }
>>>>> >         user = ((NameCallback) callbacks[0]).getName();
>>>>> >
>>>>> >         // password callback get value
>>>>> >         PasswordCallback passwordCallback = (PasswordCallback) callbacks[1];
>>>>> >         if (passwordCallback.getPassword() == null) {
>>>>> >             throw new LoginException("Password can not be null");
>>>>> >         }
>>>>> >         String password = new String(passwordCallback.getPassword());
>>>>> >         // Do not leave a second copy of the password behind in the callback
>>>>> >         passwordCallback.clearPassword();
>>>>> >
>>>>> >         org.apache.shiro.subject.Subject shiroSubject = null;
>>>>> >
>>>>> >         //Do lots of shiro stuff to get the UserPrincipal and RolePrincipal objects
>>>>> >
>>>>> >         return authenticated;
>>>>> >     }
>>>>> >
>>>>> >     @Override
>>>>> >     public boolean commit() throws LoginException {
>>>>> >         LOGGER.debug("commit " + System.identityHashCode(this));
>>>>> >         subject.getPrincipals().addAll(principals);
>>>>> >         return authenticated;
>>>>> >     }
>>>>> >
>>>>> >     @Override
>>>>> >     public boolean abort() throws LoginException {
>>>>> >         user = null;
>>>>> >         principals.clear();
>>>>> >         LOGGER.debug("abort " + System.identityHashCode(this));
>>>>> >         return true;
>>>>> >     }
>>>>> >
>>>>> >     @Override
>>>>> >     public boolean logout() throws LoginException {
>>>>> >         user = null;
>>>>> >         subject.getPrincipals().removeAll(principals);
>>>>> >         principals.clear();
>>>>> >         LOGGER.debug("logout " + System.identityHashCode(this));
>>>>> >         return true;
>>>>> >     }
>>>>> >
>>>>> > }
>>>>> >
>>>>> > I have tried setting the rank inside the blueprint to -1, 0, and 1
>>>>> > and the ShiroBridge does move up and down the list, but no log
>>>>> > statements from the ShiroJaasIntegration LoginModule are ever called,
>>>>> > and in all cases I can still login with karaf/karaf.
>>>>> >
>>>>> > karaf@root()> jaas:realm-list
>>>>> > Index | Realm Name  | Login Module Class Name
>>>>> > ------+-------------+---------------------------------------------------------------
>>>>> > 1     | ShiroBridge | my.test.security.karaf.ShiroJaasIntegration
>>>>> > 2     | karaf       | org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
>>>>> > 3     | karaf       | org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
>>>>> > 4     | karaf       | org.apache.karaf.jaas.modules.audit.FileAuditLoginModule
>>>>> > 5     | karaf       | org.apache.karaf.jaas.modules.audit.LogAuditLoginModule
>>>>> > 6     | karaf       | org.apache.karaf.jaas.modules.audit.EventAdminAuditLoginModule
>>>>> >
>>>>> >
>>>>> > So my module never seems to be called, and I can't really disable
>>>>> > the karaf realm.
>>>>> >
>>>>> >
>>>>> > Can someone help with this? My objective is to add my own
>>>>> > LoginModule and preferably replace the current karaf Realm
>>>>> >
>>>>>
>>>>> --
>>>>> Jean-Baptiste Onofré
>>>>> jbono...@apache.org
>>>>> http://blog.nanthrax.net
>>>>> Talend - http://www.talend.com
>>>>>

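Added example, not part of the thread and not Karaf code: a stand-alone (non-OSGi) reproduction of why the ClassNotFoundException reported at the top of the thread never shows up in karaf.log. It runs the same stack as the posted blueprint, two modules both flagged `sufficient`: the first is a stand-in for ShiroJaasIntegration that only accepts one invented user, the second is a stand-in for Karaf's ProxyLoginModule whose initialize() throws the IllegalStateException from the catch clause quoted above. The class names, the alice/secret credentials and the Configuration built in code (instead of the one Karaf publishes from the blueprint) are all assumptions of the example.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Plain-JRE JAAS stack of two "sufficient" modules; both module classes are stand-ins invented for this example. */
public class SufficientStackDemo {

    /** Stand-in for ShiroJaasIntegration: the only credentials it accepts are the invented alice/secret. */
    public static class ShiroLikeModule implements LoginModule {
        private CallbackHandler handler;

        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            this.handler = h;
        }

        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("Username: ");
            PasswordCallback pc = new PasswordCallback("Password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException(e.getMessage());
            }
            boolean ok = "alice".equals(nc.getName()) && "secret".equals(new String(pc.getPassword()));
            pc.clearPassword();
            if (!ok) {
                // A LoginException from a "sufficient" module is recorded, not propagated
                throw new LoginException("shiro: invalid credentials for " + nc.getName());
            }
            return true;
        }

        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /**
     * Stand-in for ProxyLoginModule when the publishing bundle cannot see the target class:
     * initialize() fails with an unchecked exception wrapping a ClassNotFoundException,
     * like the catch clause quoted in the thread.
     */
    public static class BrokenProxyModule implements LoginModule {
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
            throw new IllegalStateException(
                "Can not load or create login module org.apache.karaf.jaas.modules.properties.PropertiesLoginModule",
                new ClassNotFoundException("simulated: class not visible to the bundle"));
        }

        public boolean login() { return true; }
        public boolean commit() { return true; }
        public boolean abort() { return true; }
        public boolean logout() { return true; }
    }

    /** Same shape as the posted blueprint: two modules in the "karaf" realm, both flagged sufficient. */
    static Configuration twoSufficient() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, ?> noOptions = Collections.emptyMap();
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(ShiroLikeModule.class.getName(), LoginModuleControlFlag.SUFFICIENT, noOptions),
                    new AppConfigurationEntry(BrokenProxyModule.class.getName(), LoginModuleControlFlag.SUFFICIENT, noOptions),
                };
            }
        };
    }

    /** Callback handler that answers the two callbacks the modules ask for, as the shell or ssh login would. */
    static CallbackHandler credentials(String user, String password) {
        return callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) {
                    ((NameCallback) c).setName(user);
                } else if (c instanceof PasswordCallback) {
                    ((PasswordCallback) c).setPassword(password.toCharArray());
                } else {
                    throw new UnsupportedCallbackException(c);
                }
            }
        };
    }

    /** Returns "ok" or the message of the single LoginException that reaches the caller. */
    static String tryLogin(String user, String password) {
        try {
            LoginContext ctx = new LoginContext("karaf", new Subject(), credentials(user, password), twoSufficient());
            ctx.login();
            return "ok";
        } catch (LoginException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Accepted by the first module: "sufficient" success ends the stack, the broken module is never instantiated
        System.out.println("alice/secret -> " + tryLogin("alice", "secret"));
        // Rejected by the first module: LoginContext keeps that LoginException as its first error, turns the
        // broken module's IllegalStateException into another LoginException, discards it because an earlier
        // error is already recorded, and rethrows the first one; the class-loading failure never surfaces
        System.out.println("karaf/karaf  -> " + tryLogin("karaf", "karaf"));
    }
}
```

With `-Djava.security.debug=logincontext` (the flag suggested earlier in the thread) the JRE prints each module's outcome, and the second module shows up as `login OPTIONAL failure`; that is the only place the swallowed cause is visible. In Karaf the cause is that `bundle.loadClass(module)` in the quoted catch clause resolves in the class space of the bundle that published the `jaas:config`, so that bundle has to import the package of every module it lists (here `org.apache.karaf.jaas.modules.properties`) for the PropertiesLoginModule entry to be instantiable; this is an inference from the quoted code, not something the thread confirms.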