[jboss-jira] [JBoss JIRA] (SECURITY-789) Credential stored in Subject is not propagated to the CredentialIdentity
Paul Moore (JIRA)
issues at jboss.org
Tue Feb 11 05:19:28 EST 2014
Paul Moore created SECURITY-789:
-----------------------------------
Summary: Credential stored in Subject is not propagated to the CredentialIdentity
Key: SECURITY-789
URL: https://issues.jboss.org/browse/SECURITY-789
Project: PicketBox
Issue Type: Enhancement
Security Level: Public (Everyone can see)
Components: JBossSX
Affects Versions: PicketBox_4_0_20.Final
Environment: Darwin 13.0.2 Darwin Kernel Version 13.0.2: Sun Sep 29 19:38:57 PDT 2013; root:xnu-2422.75.4~1/RELEASE_X86_64
java version "1.7.0_15"
Java(TM) SE Runtime Environment (build 1.7.0_15-b03)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)
Wildfly-8.0.0.Final-SNAPSHOT
Reporter: Paul Moore
Assignee: Stefan Guilhen
h4. Use case
JASPI ServerAuthModule authenticates user in web layer (OAuth 2 Bearer token) and stores a "BearerCredential" in the Subject. Authentication works in the Servlet container, but fails at the service tier (EJB) because the credential is not part of the CredentialIdentity.
h4. Root cause
[JBossCallbackHandler|http://anonsvn.jboss.org/repos/picketbox/tags/4.0.20.Final/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/callback/JASPICallbackHandler.java] manages the mapping of Subject to Identity, but does not use credentials stored in Subject as part of the Identity creation process (PasswordValidationCallback uses callback properties directly).
Authentication at the EJB (service) tier fails because the Credential is not stored in the CredentialIdentity and is therefore unavailable to JBossSecurityContextUtil.getCredential().
h4. Approach
In discussion with asaldhan and sguilhen on IRC (#picketbox), it was agreed that:
# PicketBox source code would be (re)migrated to GitHub - asaldhan
# JASPICallbackHandler would be modified to obtain a Credential from the Subject (if available) during the CallerPrincipalCallback handling - paulkmoore
h4. Note(s)
# There is inherent tension in the mapping between Subject and Identity (SecurityContext) which may require a larger piece of work to resolve (i.e. Subject can have many Principals, many public credentials and many private credentials).
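The approach agreed above (item 2) in working form, as an added example that is not PicketBox code: a CallbackHandler that, while handling the JASPIC CallerPrincipalCallback, reads the credential the ServerAuthModule stored in the Subject and carries it into the identity. BearerCredential and PropagatedIdentity are constructed stand-ins; only Subject and CallerPrincipalCallback are real JAAS/JASPIC types.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.CallerPrincipalCallback;

/** Constructed stand-in for the "BearerCredential" the ServerAuthModule places in the Subject. */
final class BearerCredential {
    final String token;
    BearerCredential(String token) { this.token = token; }
}

/** Hypothetical identity object: where the service (EJB) tier would later look for the credential. */
final class PropagatedIdentity {
    final Principal principal;
    final Object credential; // null is the failure mode the ticket reports: nothing for the EJB tier to check
    PropagatedIdentity(Principal principal, Object credential) { this.principal = principal; this.credential = credential; }
}

/** Handles CallerPrincipalCallback and copies the Subject's credential into the identity. */
final class SubjectAwareCallbackHandler implements CallbackHandler {
    PropagatedIdentity identity;

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof CallerPrincipalCallback)) {
                throw new UnsupportedCallbackException(cb); // only the callback relevant to the ticket is modelled
            }
            CallerPrincipalCallback cpc = (CallerPrincipalCallback) cb;
            Principal p = cpc.getPrincipal();
            if (p == null && cpc.getName() != null) { // JASPIC lets the module pass a name instead of a Principal
                final String name = cpc.getName();
                p = new Principal() { public String getName() { return name; } };
            }
            identity = new PropagatedIdentity(p, firstBearerCredential(cpc.getSubject()));
        }
    }

    /** First BearerCredential among the Subject's private credentials, or null if the module stored none. */
    static BearerCredential firstBearerCredential(Subject subject) {
        if (subject == null) return null;
        Set<BearerCredential> creds = subject.getPrivateCredentials(BearerCredential.class);
        return creds.isEmpty() ? null : creds.iterator().next();
    }
}
```

To exercise it, populate a Subject the way the module would (`subject.getPrivateCredentials().add(new BearerCredential("constructed-token"))`), then call `handle(new Callback[] { new CallerPrincipalCallback(subject, "alice") })` and check that `identity.credential` is non-null; with an empty Subject it stays null, which is the behaviour the ticket describes.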