From jbono...@apache.org
Subject karaf git commit: [KARAF-4439] Prevent user authentication if the user doesn't have any role defined
Date Mon, 27 Mar 2017 15:19:33 GMT
Repository: karaf
Updated Branches:
  refs/heads/master d2c79f0a4 -> 60b19f82f


[KARAF-4439] Prevent user authentication if the user doesn't have any role defined


Project: http://git-wip-us.apache.org/repos/asf/karaf/repo
Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/60b19f82
Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/60b19f82
Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/60b19f82

Branch: refs/heads/master
Commit: 60b19f82fe2dbd35a31c6b2c36a7c784651efad0
Parents: d2c79f0
Author: Jean-Baptiste Onofré <jbonofre@apache.org>
Authored: Mon Mar 27 17:18:50 2017 +0200
Committer: Jean-Baptiste Onofré <jbonofre@apache.org>
Committed: Mon Mar 27 17:18:50 2017 +0200

----------------------------------------------------------------------
 .../karaf/management/JaasAuthenticator.java     | 15 +++++++++---
 .../karaf/shell/ssh/KarafJaasAuthenticator.java | 25 ++++++++++++++++++++
 2 files changed, 37 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/karaf/blob/60b19f82/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
----------------------------------------------------------------------
diff --git a/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
b/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
index 6e91196..a2280e4 100644
--- a/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
+++ b/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java
@@ -16,7 +16,10 @@
  */
 package org.apache.karaf.management;
 
+import org.apache.karaf.jaas.boot.principal.RolePrincipal;
+
 import java.io.IOException;
+import java.security.Principal;
 
 import javax.management.remote.JMXAuthenticator;
 import javax.security.auth.Subject;
@@ -68,9 +71,15 @@ public class JaasAuthenticator implements JMXAuthenticator {
             });
             loginContext.login();
 
-            if (subject.getPrincipals().size() == 0) {
-                // there must be some Principals, but which ones required are tested later
-                throw new FailedLoginException("User does not have the required role");
+            int roleCount = 0;
+            for (Principal principal : subject.getPrincipals()) {
+                if (principal instanceof RolePrincipal) {
+                    roleCount++;
+                }
+            }
+
+            if (roleCount == 0) {
+                throw new FailedLoginException("User doesn't have role defined");
             }
 
             return subject;
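Review bot: The hand-rolled counting loop at the top of the hunk re-implements what the JAAS API already provides — `Subject.getPrincipals(Class)` returns only the principals of the given type — so the check can be `if (subject.getPrincipals(RolePrincipal.class).isEmpty()) {` and `roleCount`, the loop and the `java.security.Principal` import go away. The same block is copied into both `authenticate` overloads of KarafJaasAuthenticator in this commit, which would benefit from the same one-liner. Because the throw now happens after `loginContext.login()` has succeeded, the Subject is left populated with whatever principals and credentials the login modules committed; consider `loginContext.logout();` before the `throw` so a rejected login does not leave a half-established Subject behind (the catch handling is outside the hunk, so I cannot see whether it already does this). The new message "User doesn't have role defined" is also distinguishable from a bad-credential failure; if JMX propagates it to the remote caller, it confirms that the credentials themselves were valid, so a generic message is preferable at this boundary. The `authenticate` method begins and ends outside the hunk.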

http://git-wip-us.apache.org/repos/asf/karaf/blob/60b19f82/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
----------------------------------------------------------------------
diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
index 8d75c41..20a769e 100644
--- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
+++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java
@@ -19,6 +19,7 @@
 package org.apache.karaf.shell.ssh;
 
 import java.io.IOException;
+import java.security.Principal;
 import java.security.PublicKey;
 
 import javax.security.auth.Subject;
@@ -27,8 +28,10 @@ import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.NameCallback;
 import javax.security.auth.callback.PasswordCallback;
 import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.FailedLoginException;
 import javax.security.auth.login.LoginContext;
 
+import org.apache.karaf.jaas.boot.principal.RolePrincipal;
 import org.apache.karaf.jaas.modules.publickey.PublickeyCallback;
 import org.apache.sshd.common.session.Session;
 import org.apache.sshd.server.auth.password.PasswordAuthenticator;
@@ -77,6 +80,17 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA
             });
             loginContext.login();
 
+            int roleCount = 0;
+            for (Principal principal : subject.getPrincipals()) {
+                if (principal instanceof RolePrincipal) {
+                    roleCount++;
+                }
+            }
+
+            if (roleCount == 0) {
+                throw new FailedLoginException("User doesn't have role defined");
+            }
+
             session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject);
             return true;
         } catch (Exception e) {
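Review bot: The ten-line role check added here is duplicated verbatim in the next hunk (L119–L137) for the public-key `authenticate` overload; both copies should call a single private helper so the rule cannot drift between password and key authentication. With `Subject.getPrincipals(Class)` the helper reduces to one condition, and the loop and the `java.security.Principal` import become unnecessary. The `FailedLoginException` thrown here is caught by the `catch (Exception e)` on the last line of the hunk, whose body is outside my view — presumably it returns false, but it is worth confirming that the role failure is logged distinctly from a bad-password failure for auditing. Both `authenticate` methods start and end outside the hunk.
```java
            loginContext.login();
            requireRole(subject);
            // … unchanged: session attribute and return …

    /** Rejects a Subject that carries no RolePrincipal; shared by both authenticate overloads. */
    private static void requireRole(Subject subject) throws FailedLoginException {
        if (subject.getPrincipals(RolePrincipal.class).isEmpty()) {
            throw new FailedLoginException("User doesn't have role defined");
        }
    }
```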
@@ -103,6 +117,17 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator,
PublickeyA
             });
             loginContext.login();
 
+            int roleCount = 0;
+            for (Principal principal : subject.getPrincipals()) {
+                if (principal instanceof RolePrincipal) {
+                    roleCount++;
+                }
+            }
+
+            if (roleCount == 0) {
+                throw new FailedLoginException("User doesn't have role defined");
+            }
+
             session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject);
             return true;
         } catch (Exception e) {

