From: jbonofre@apache.org To: commits@karaf.apache.org Message-Id: X-Mailer: ASF-Git Admin Mailer Subject: karaf git commit: [KARAF-4439] Prevent user authentication if the user doesn't have any role defined Date: Mon, 27 Mar 2017 15:19:33 +0000 (UTC) archived-at: Mon, 27 Mar 2017 15:19:35 -0000 Repository: karaf Updated Branches: refs/heads/master d2c79f0a4 -> 60b19f82f [KARAF-4439] Prevent user authentication if the user doesn't have any role defined Project: http://git-wip-us.apache.org/repos/asf/karaf/repo Commit: http://git-wip-us.apache.org/repos/asf/karaf/commit/60b19f82 Tree: http://git-wip-us.apache.org/repos/asf/karaf/tree/60b19f82 Diff: http://git-wip-us.apache.org/repos/asf/karaf/diff/60b19f82 Branch: refs/heads/master Commit: 60b19f82fe2dbd35a31c6b2c36a7c784651efad0 Parents: d2c79f0 Author: Jean-Baptiste Onofré Authored: Mon Mar 27 17:18:50 2017 +0200 Committer: Jean-Baptiste Onofré Committed: Mon Mar 27 17:18:50 2017 +0200 ---------------------------------------------------------------------- .../karaf/management/JaasAuthenticator.java | 15 +++++++++--- .../karaf/shell/ssh/KarafJaasAuthenticator.java | 25 ++++++++++++++++++++ 2 files changed, 37 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/karaf/blob/60b19f82/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java ---------------------------------------------------------------------- diff --git a/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java b/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java index 6e91196..a2280e4 100644 --- a/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java +++ b/management/server/src/main/java/org/apache/karaf/management/JaasAuthenticator.java 
@@ -16,7 +16,10 @@ */ package org.apache.karaf.management; +import org.apache.karaf.jaas.boot.principal.RolePrincipal; + import java.io.IOException; +import java.security.Principal; import javax.management.remote.JMXAuthenticator; import javax.security.auth.Subject; @@ -68,9 +71,15 @@ public class JaasAuthenticator implements JMXAuthenticator { }); loginContext.login(); - if (subject.getPrincipals().size() == 0) { - // there must be some Principals, but which ones required are tested later - throw new FailedLoginException("User does not have the required role"); + int roleCount = 0; + for (Principal principal : subject.getPrincipals()) { + if (principal instanceof RolePrincipal) { + roleCount++; + } + } + + if (roleCount == 0) { + throw new FailedLoginException("User doesn't have role defined"); } return subject; http://git-wip-us.apache.org/repos/asf/karaf/blob/60b19f82/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java ---------------------------------------------------------------------- diff --git a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java index 8d75c41..20a769e 100644 --- a/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java +++ b/shell/ssh/src/main/java/org/apache/karaf/shell/ssh/KarafJaasAuthenticator.java @@ -19,6 +19,7 @@ package org.apache.karaf.shell.ssh; import java.io.IOException; +import java.security.Principal; import java.security.PublicKey; import javax.security.auth.Subject; 
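Review bot: In the `@@ -68,9 +71,15 @@` hunk of JaasAuthenticator.authenticate the role check now fails with its own wording, `FailedLoginException("User doesn't have role defined")`, after `loginContext.login()` has already accepted the credentials; if that message reaches the remote JMX client (the catch clause of this try is outside the hunk, so I cannot confirm it here), a caller can distinguish "valid password, no roles" from "bad password", which is a small account-enumeration side channel on a management port, so I would reuse the exact text of the ordinary login-failure path rather than a distinct one. The check also changes what counts as a usable login: any Principal sufficed before, now only `org.apache.karaf.jaas.boot.principal.RolePrincipal` does, so a deployment whose login module reports roles with a different Principal class is locked out of JMX after this commit — worth a sentence in the commit message or release notes. On style, the counting loop re-implements `Subject.getPrincipals(Class)`; `if (subject.getPrincipals(RolePrincipal.class).isEmpty()) { throw new FailedLoginException("User doesn't have role defined"); }` says the same in one statement, and `roleCount` keeps counting after the first hit although only zero-versus-nonzero is used. The method's catch block and the rest of its body continue outside the hunk.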
@@ -27,8 +28,10 @@ import javax.security.auth.callback.CallbackHandler; import javax.security.auth.callback.NameCallback; import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.FailedLoginException; import javax.security.auth.login.LoginContext; +import org.apache.karaf.jaas.boot.principal.RolePrincipal; import org.apache.karaf.jaas.modules.publickey.PublickeyCallback; import org.apache.sshd.common.session.Session; import org.apache.sshd.server.auth.password.PasswordAuthenticator; @@ -77,6 +80,17 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA }); loginContext.login(); + int roleCount = 0; + for (Principal principal : subject.getPrincipals()) { + if (principal instanceof RolePrincipal) { + roleCount++; + } + } + + if (roleCount == 0) { + throw new FailedLoginException("User doesn't have role defined"); + } + session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject); return true; } catch (Exception e) { @@ -103,6 +117,17 @@ public class KarafJaasAuthenticator implements PasswordAuthenticator, PublickeyA }); loginContext.login(); + int roleCount = 0; + for (Principal principal : subject.getPrincipals()) { + if (principal instanceof RolePrincipal) { + roleCount++; + } + } + + if (roleCount == 0) { + throw new FailedLoginException("User doesn't have role defined"); + } + session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject); return true; } catch (Exception e) {
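Review bot: The eleven-line role check inserted after `loginContext.login();` in the `@@ -77,6 +80,17 @@` hunk is pasted verbatim into the second `authenticate` overload (`@@ -103,6 +117,17 @@`) and a third time into JaasAuthenticator, and every copy spells out `Subject.getPrincipals(Class)` as a counting loop; a single private helper keeps the three call sites from drifting and makes the rule readable, and with it the newly added `java.security.Principal` import in this file is no longer needed. Because the throw sits inside the `try` whose `catch (Exception e)` is visible at the end of each hunk, the rejection is turned into whatever that catch does (presumably `return false`; its body is outside the hunk), and placing the guard before `session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject)` correctly keeps a role-less Subject out of the session. As in the JMX authenticator, only `RolePrincipal` instances now count, so a login module that reports roles with another Principal type is locked out of SSH from this commit on. The enclosing methods' catch bodies continue outside the hunks.
```java
            loginContext.login();
            requireRole(subject);
            // … unchanged: session.setAttribute(SUBJECT_ATTRIBUTE_KEY, subject); return true; …

    /**
     * Rejects a Subject that passed JAAS login but carries no RolePrincipal:
     * such a user would be authorised for nothing, so the login is refused.
     *
     * @throws FailedLoginException when the Subject holds no RolePrincipal
     */
    private static void requireRole(Subject subject) throws FailedLoginException {
        if (subject.getPrincipals(RolePrincipal.class).isEmpty()) {
            throw new FailedLoginException("User doesn't have role defined");
        }
    }
```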