[jboss-jira] [JBoss JIRA] (WFLY-5739) Subject not populated with groups/roles when authenticated via JASPIC

Arjan t (JIRA) issues at jboss.org
Thu Nov 26 11:10:00 EST 2015 

Arjan t created WFLY-5739:
-----------------------------

             Summary: Subject not populated with groups/roles when authenticated via JASPIC
                 Key: WFLY-5739
                 URL: https://issues.jboss.org/browse/WFLY-5739
             Project: WildFly
          Issue Type: Bug
          Components: Security
    Affects Versions: 10.0.0.CR4
            Reporter: Arjan t
            Assignee: Darran Lofthouse


After having authenticated via JASPIC, requesting the current {{Subject}} via JACC and then using that for permission checks fails.

For instance the following code will always set {{hasAccess}} to false given that "/protected/*" requires a role and the authenticated user is in that role:

{code:java}
Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
 
boolean hasAccess = Policy.getPolicy().implies(
    new ProtectionDomain(
        new CodeSource(null, (Certificate[]) null),
        null, null, 
        subject.getPrincipals().toArray(new Principal[subject.getPrincipals().size()])
    ),
    new WebResourcePermission("/protected/Servlet", "GET"))
;
{code}

As it appears, the problem originates from the fact that {{subject.getPrincipals()}} does not contain the roles.

This can be traced back to {{org.jboss.security.auth.callback.JASPICallbackHandler.handleCallBack}}, where it becomes clear that the roles are only put into the "util", but not in the "authenticatedSubject":

{code:java}
String[] rolesArray = groupPrincipalCallback.getGroups();
int sizeOfRoles = rolesArray != null ? rolesArray.length : 0;
 
if( sizeOfRoles > 0 )
{
  List<Role> rolesList = new ArrayList<Role>();
  for( int i = 0; i < sizeOfRoles ; i++ )
  {
     Role role = new SimpleRole( rolesArray[ i ] );
     rolesList.add( role );
  }
  RoleGroup roles = new SimpleRoleGroup( SecurityConstants.ROLES_IDENTIFIER, rolesList );

  // if the current security context already has roles, we merge them with the incoming roles.
  RoleGroup currentRoles = currentSC.getUtil().getRoles();

  // *** ROLES ARE ONLY SET HERE ***
  if (currentRoles != null) {
      currentRoles.addAll(roles.getRoles());
  }
  else {
      currentSC.getUtil().setRoles( roles );
  }
} 

// *** BELOW THIS LINE ROLES ARE NOT REFERENCED ANYMORE
// *** SUBJECT IS NOT POPULATED WITH ANY ROLE INFO 

Subject subject = groupPrincipalCallback.getSubject();
if( subject != null )
{
   // if the current security context already has an associated subject, we merge it with the incoming subject.
   Subject currentSubject = currentSC.getSubjectInfo().getAuthenticatedSubject();
   if (currentSubject != null) {
       subject.getPrincipals().addAll(currentSubject.getPrincipals());
       subject.getPublicCredentials().addAll(currentSubject.getPublicCredentials());
       subject.getPrivateCredentials().addAll(currentSubject.getPrivateCredentials());
   }
   currentSC.getSubjectInfo().setAuthenticatedSubject(subject);
}
{code}




--
This message was sent by Atlassian JIRA
(v6.4.11#64026)

More information about the jboss-jira mailing list