From jbono...@apache.org
Subject karaf git commit: [KARAF-4439] Prevent user authentication if the user doesn't have any role defined
Date Mon, 27 Mar 2017 15:19:50 GMT
Repository: karaf
Updated Branches:
  refs/heads/karaf-4.0.x 25b707f1c -> 0e88e07b4


[KARAF-4439] Prevent user authentication if the user doesn't have any role defined


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/0e88e07b
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/0e88e07b
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/0e88e07b

Branch: refs/heads/karaf-4.0.x
Commit: 0e88e07b4d88e350ea09aa2be6b5a0a2800e9e9b
Parents: 25b707f
Author: Jean-Baptiste Onofré <jbonofre@apache.org>
Authored: Mon Mar 27 17:18:50 2017 +0200
Committer: Jean-Baptiste Onofré <jbonofre@apache.org>
Committed: Mon Mar 27 17:19:43 2017 +0200

----------------------------------------------------------------------
 .../karaf/management/JaasAuthenticator.java     | 15 +++++++++---
 .../karaf/shell/ssh/KarafJaasAuthenticator.java | 25 ++++++++++++++++++++
 2 files changed, 37 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/0e88e07b/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
----------------------------------------------------------------------
diff --git a/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
b/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
index 6e91196..a2280e4 100644
--- a/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
+++ b/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
@@ -16,7 +16,10 @@
  */
 package org.apache.karaf.management;
 
+import org.apache.karaf.jaas.boot.principal.RolePrincipal;
+
 import java.io.IOException;
+import java.security.Principal;
 
 import javax.management.remote.JMXAuthenticator;
 import javax.security.auth.Subject;
@@ -68,9 +71,15 @@ public class JaasAuthenticator implements JMXAuthenticator {
             });
             loginContext.login();
 
-            if (subject.getPrincipals().size() == 0) {
-                // there must be some Principals, but which ones required are tested later
-                throw new FailedLoginException("User does not have the required role");
+            int roleCount = 0;
+            for (Principal principal : subject.getPrincipals()) {
+                if (principal instanceof RolePrincipal) {
+                    roleCount++;
+                }
+            }
+
+            if (roleCount == 0) {
+                throw new FailedLoginException("User doesn't have role defined");
             }
 
             return subject;
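Review bot: The new role check throws after `loginContext.login()` has already succeeded, but nothing calls `loginContext.logout()` first, so the login modules' commit phase has run and the populated subject is simply abandoned; unless the surrounding catch block (outside this hunk) already does that, consider `loginContext.logout();` immediately before `throw new FailedLoginException("User doesn't have role defined");`, and the same applies to both KarafJaasAuthenticator hunks in this commit. The count is only ever compared with zero, so a boolean with an early exit states the intent more directly, e.g. `boolean hasRole = false; for (Principal principal : subject.getPrincipals()) { if (principal instanceof RolePrincipal) { hasRole = true; break; } }`. The authenticate method begins before this hunk and its error handling follows after it, so whether a failed login is already cleaned up by the caller cannot be confirmed from here.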

http://git-wip-us.apache.org/repos/asf/karaf/blob/0e88e07b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index 632cb98..8bb10bc 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -19,6 +19,7 @@
 package org.apache.karaf.shell.ssh;
 
 import java.io.IOException;
+import java.security.Principal;
 import java.security.PublicKey;
 
 import javax.security.auth.Subject;
@@ -27,8 +28,10 @@ import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.FailedLoginException;
 import javax.security.auth.login.LoginContext;
 
+import org.apache.karaf.jaas.boot.principal.RolePrincipal;
 import org.apache.karaf.jaas.modules.publickey.PublickeyCallback;
 import org.apache.sshd.common.Session;
 import org.apache.sshd.server.PasswordAuthenticator;
@@ -77,6 +80,17 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
             });
             loginContext.login();
 
+            int roleCount = 0;
+            for (Principal principal : subject.getPrincipals()) {
+                if (principal instanceof RolePrincipal) {
+                    roleCount++;
+                }
+            }
+
+            if (roleCount == 0) {
+                throw new FailedLoginException("User doesn't have role defined");
+            }
+
             session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject);
             return true;
         } catch (Exception e) {
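Review bot: The eleven-line role-count block is pasted verbatim into both authenticate overloads (this hunk and the one at `@@ -103,6 +117,17 @@`), so the two copies can drift apart the next time the rule changes; a single private helper keeps the password and public-key paths enforcing the same policy. The `FailedLoginException` thrown here is caught by the `catch (Exception e)` on the following line, so a missing role is reported like any other login failure; what that handler does with the still-logged-in `loginContext` is outside the hunk. Both enclosing methods start before their hunk and end after it.
```java
            loginContext.login();

            if (!hasRole(subject)) {
                throw new FailedLoginException("User doesn't have role defined");
            }
            // … unchanged: session attribute and return true …

    /** Returns true when the login modules attached at least one RolePrincipal to the subject. */
    private static boolean hasRole(Subject subject) {
        for (Principal principal : subject.getPrincipals()) {
            if (principal instanceof RolePrincipal) {
                return true;
            }
        }
        return false;
    }
```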
@@ -103,6 +117,17 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator,
PublickeyA
             });
             loginContext.login();
 
+            int roleCount = 0;
+            for (Principal principal : subject.getPrincipals()) {
+                if (principal instanceof RolePrincipal) {
+                    roleCount++;
+                }
+            }
+
+            if (roleCount == 0) {
+                throw new FailedLoginException("User doesn't have role defined");
+            }
+
             session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject);
             return true;
         } catch (Exception e) {

