[jboss-jira] [JBoss JIRA] (SECURITY-744) WebJASPIAuthenticator doesn't populate Subject when building JBossGenericPrincipal

RH Bugzilla Integration (JIRA) issues at jboss.org
Tue Aug 4 03:03:07 EDT 2015 

    [ https://issues.jboss.org/browse/SECURITY-744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13095240#comment-13095240 ] 

RH Bugzilla Integration commented on SECURITY-744:
--------------------------------------------------

Jitka Kozana <jkudrnac at redhat.com> changed the Status of [bug 1245353|https://bugzilla.redhat.com/show_bug.cgi?id=1245353] from ON_QA to ASSIGNED

> WebJASPIAuthenticator doesn't populate Subject when building JBossGenericPrincipal
> ----------------------------------------------------------------------------------
>
>                 Key: SECURITY-744
>                 URL: https://issues.jboss.org/browse/SECURITY-744
>             Project: PicketBox 
>          Issue Type: Feature Request
>            Reporter: arjan tijms
>            Assignee: Stefan Guilhen
>              Labels: authentication, ejb, jaspi, jaspic, security
>
> {{WebJASPIAuthenticator}} creates a new Subject that it passes to the JASPIC Auth Module (SAM):
> {code}
> Subject clientSubject = new Subject();
> if (sam != null) {
>     result = sam.isValid(messageInfo, clientSubject, messageLayer, appContext, cbh);
> }
> {code}
> [Source|https://github.com/wildfly/wildfly/blob/master/web/src/main/java/org/jboss/as/web/security/jaspi/WebJASPIAuthenticator.java#L115]
> Afterwards this Subject instance is put into the {{JBossGenericPrincipal}} when this is being build:
> {code}
> protected Principal buildJBossPrincipal(Subject subject, Principal principal, GroupPrincipalCallback gpc) {
>     // ...
>     // build and return the JBossGenericPrincipal.
>     return new JBossGenericPrincipal(realm, principal.getName(), null, roles, principal, null, null, null, subject);
> }
> {code}
> [Source|https://github.com/wildfly/wildfly/blob/master/web/src/main/java/org/jboss/as/web/security/jaspi/WebJASPIAuthenticator.java#L314]
> This seems to assume that the JASPIC Auth Module has populated the Subject (as happens with JAAS login modules), but this is not what happens. JASPIC Auth Modules unlike JAAS login modules are universal and have no knowledge of the container specific Subject layout.
> The container should thus populate the Subject based on the callbacks.
> {{WebJASPIAuthenticator}} does uses the callbacks to store the caller/user principal and roles directly into the {{JBossGenericPrincipal}}. Calls like {{HttpServletRequest#getUserPrincipal}} directly return {{JBossGenericPrincipal#getUserPrincipal}} and thus work.
> However, {{EJBContext#getCallerPrincipal()}} which is implemented by {{org.jboss.as.security.service.SimpleSecurityManager#getCallerPrincipal}} works with {{securityContext.getSubjectInfo().getAuthenticatedSubject}} and does _not_ work.
> This {{SubjectInfo}} is initialized in {{org.jboss.as.web.security.SecurityContextAssociationValve}} via the following code:
> {code}
> sc.getUtil().createSubjectInfo(new SimplePrincipal(
>     principal.getName()), 
>     principal.getCredentials(),
>     principal.getSubject() // clientSubject from JASPIC SAM
> );
> {code}
> (principal here is the {{JBossGenericPrincipal}} that's returned by {{WebJASPIAuthenticator}})
> Because the Subject instance used here is still the empty instance, the authenticated identity will not be available in EJB beans. {{EJBContext#getCallerPrincipal()}} will always return the anonymous principal and every check for a role will return false.
> Adding something like the following code to {{buildJBossPrincipal}} seems to propagate the authenticated identity correctly to the EJB module:
> {code}
> Subject authenticatedSubject = new Subject();
> // Add the caller principal to the Subject
> Group callerPrincipalGroup = new SimpleGroup("CallerPrincipal");
> callerPrincipalGroup.addMember(principal);
> authenticatedSubject.getPrincipals().add(callerPrincipalGroup);
>         
> // Add the roles to the Subject
> if (!roles.isEmpty()) {
>     Group rolesGroup = new SimpleGroup("Roles");
>     for (String role : roles) {
>         rolesGroup.addMember(new SimplePrincipal(role));
>     }
>     authenticatedSubject.getPrincipals().add(rolesGroup);
> }
> return new JBossGenericPrincipal(realm, principal.getName(), null, roles, principal, null, null, null, authenticatedSubject);
> {code}
> I've tested [locally|https://github.com/javaeekickoff/jboss-as-jaspic-patch/commit/31b746ba2de4a3dc8a73ff8b5ebdb390169a2f46] with this patch and it indeed seems to work.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

More information about the jboss-jira mailing list