[JBoss JIRA] (WFLY-5739) Subject not populated with groups/roles when authenticated via JASPIC

Monday, 11 July 2016

    [
https://issues.jboss.org/browse/WFLY-5739?page=com.atlassian.jira.plugin....
] 

Guillermo González de Agüero commented on WFLY-5739:
----------------------------------------------------

Hi [~stoty2]. I don't know too much about WildFly Security internals. I checked my
example application again and it now works as expected. From what I can see, it seems like
a valid approach, but maybe [~atijms] could provide some more insight.

Anyway, I propose you to send the pull request since WF10.1 is around the corner, and this
is our last opportunity to make it into the next release.

...
 Subject not populated with groups/roles when authenticated via
JASPIC
 ---------------------------------------------------------------------

                 Key: WFLY-5739
                 URL: https://issues.jboss.org/browse/WFLY-5739
             Project: WildFly
          Issue Type: Bug
          Components: Security
    Affects Versions: 10.0.0.CR4
            Reporter: Arjan t
            Assignee: Darran Lofthouse
              Labels: jacc, jaspic
         Attachments: CustomAuth.zip, picketbox.zip

 After having authenticated via JASPIC, requesting the current {{Subject}} via JACC and
then using that for permission checks fails.
 For instance the following code will always set {{hasAccess}} to false given that
"/protected/*" requires a role and the authenticated user is in that role:
 {code:java}
 Subject subject = (Subject)
PolicyContext.getContext("javax.security.auth.Subject.container");

 boolean hasAccess = Policy.getPolicy().implies(
     new ProtectionDomain(
         new CodeSource(null, (Certificate[]) null),
         null, null, 
         subject.getPrincipals().toArray(new Principal[subject.getPrincipals().size()])
     ),
     new WebResourcePermission("/protected/Servlet", "GET"))
 ;
 {code}
 As it appears, the problem originates from the fact that {{subject.getPrincipals()}} does
not contain the roles.
 This can be traced back to
{{org.jboss.security.auth.callback.JASPICallbackHandler.handleCallBack}}, where it becomes
clear that the roles are only put into the "util", but not in the
"authenticatedSubject":
 {code:java}
 String[] rolesArray = groupPrincipalCallback.getGroups();
 int sizeOfRoles = rolesArray != null ? rolesArray.length : 0;

 if( sizeOfRoles > 0 )
 {
   List<Role> rolesList = new ArrayList<Role>();
   for( int i = 0; i < sizeOfRoles ; i++ )
   {
      Role role = new SimpleRole( rolesArray[ i ] );
      rolesList.add( role );
   }
   RoleGroup roles = new SimpleRoleGroup( SecurityConstants.ROLES_IDENTIFIER, rolesList
);
   // if the current security context already has roles, we merge them with the incoming
roles.
   RoleGroup currentRoles = currentSC.getUtil().getRoles();
   // *** ROLES ARE ONLY SET HERE ***
   if (currentRoles != null) {
       currentRoles.addAll(roles.getRoles());
   }
   else {
       currentSC.getUtil().setRoles( roles );
   }
 } 
 // *** BELOW THIS LINE ROLES ARE NOT REFERENCED ANYMORE
 // *** SUBJECT IS NOT POPULATED WITH ANY ROLE INFO 
 Subject subject = groupPrincipalCallback.getSubject();
 if( subject != null )
 {
    // if the current security context already has an associated subject, we merge it with
the incoming subject.
    Subject currentSubject = currentSC.getSubjectInfo().getAuthenticatedSubject();
    if (currentSubject != null) {
        subject.getPrincipals().addAll(currentSubject.getPrincipals());
        subject.getPublicCredentials().addAll(currentSubject.getPublicCredentials());
        subject.getPrivateCredentials().addAll(currentSubject.getPrivateCredentials());
    }
    currentSC.getSubjectInfo().setAuthenticatedSubject(subject);
 }
 {code} 

--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006