[jboss-jira] [JBoss JIRA] (WFLY-9212) Cannot control what principal JAASIdentityManagerImpl for SecurityContextUtil#createSubjectInfo(Principal, Object, Subject)

Scott Stark (JIRA) issues at jboss.org
Wed Aug 9 00:55:00 EDT 2017 

Scott Stark created WFLY-9212:
---------------------------------

             Summary: Cannot control what principal JAASIdentityManagerImpl for SecurityContextUtil#createSubjectInfo(Principal, Object,Subject)
                 Key: WFLY-9212
                 URL: https://issues.jboss.org/browse/WFLY-9212
             Project: WildFly
          Issue Type: Feature Request
          Components: Security
    Affects Versions: 10.1.0.Final
            Reporter: Scott Stark
            Assignee: Darran Lofthouse


I have a custom JWT based auth method and JAAS login module that I'm testing with swarm which is using WFLY 10.1.0.Final. I am not able to install a custom Principal instance for retrieval via the JAX-RS javax.ws.rs.core.SecurityContext#getUserPrincipal() because of how the JAASIdentityManagerImpl#verifyCredential(final AccountImpl account, final Object credential) method populates the SecurityContext.SecurityContextUtil SubjectInfo.

The following line:
https://github.com/wildfly/wildfly/blob/c3332cec0c9bc5dc57899c2ae7ba26dd0c627686/undertow/src/main/java/org/wildfly/extension/undertow/security/JAASIdentityManagerImpl.java#L130

                sc.getUtil().createSubjectInfo(incomingPrincipal, credential, subject);

Is using the incomingPrincipal, which is derived from the simple AccountImpl wrapping of the incoming String id. In my call path, this is the user id before any authentication has happened as there is no originalPrincipal value on the AccountImpl, so it is not the best representation of the authenticated caller, and the wrapping Principal instance does not exist amongst the authenticated Subject#getPrincipals().

I see this is due to a CallerPrincipal issue:
https://issues.jboss.org/browse/WFLY-3626

but one needs to be able to control what form of the authenticated userPrincipal that is returned by the  user face container getUserPrincipal() call

See the getPrincipalClass() unit test in this repo for an example of what is being tested:
https://github.com/MicroProfileJWT/microprofile-jwt-auth-wfswarm/blob/f39537db573ea813559548bc42d74ef1f581024f/src/test/java/org/eclipse/microprofile/jwt/test/jaxrs/RolesAllowedTest.java#L169

I can work around this by overriding the SubjectInfo by immediately after the auth mechanism has called the SecurityContext#authenticationComplete(...) using:

// Workaround authenticated JWTPrincipal not being installed as user principal
org.jboss.security.SecurityContext jbSC = SecurityContextAssociation.getSecurityContext();
Subject subject = jbSC.getUtil().getSubject();
jbSC.getUtil().createSubjectInfo(jwtPrincipal, bearerToken, subject);

I have tried wrapping the Account passed into SecurityContext#authenticationComplete(...) and that has not worked so far, but I'll look again to see if there is something else I can override to achieve the desired behavior.




--
This message was sent by Atlassian JIRA
(v7.2.3#72005)

More information about the jboss-jira mailing list