karaf-user mailing list archives

From l...@code-house.org
Subject Re: Using a custom JAAS LoginModule with karaf
Date Fri, 06 Apr 2018 09:52:17 GMT
Hey Martin,
You raised an interesting scenario - have you tried to debug the JAAS code from the JRE which gets
called after the ShiroJaasIntegration module returns? Your configuration seems fine: if Shiro
fails, the properties login module is used as a fallback. If it doesn't get called then we need
to check what is happening in LoginContext.

Please try adding java.security.debug=logincontext,configfile,configparser,policy to your
system properties and check if you get anything useful from this debug output. If you see too little,
switching this debug flag to all will print a lot of debug information.

Cheers,
Łukasz
--
Twitter: ldywicki
Blog: http://dywicki.pl
Code-House - http://code-house.org

> On 5 Apr 2018, at 14:40, Martin Nielsen <mnybon@gmail.com> wrote:
> 
> One problem down, one to go. I had the rank set to 0; upon setting it to 1 I can successfully
override the default karaf realm.
> 
> The new problem is that the PropertiesLoginModule is no longer called.
> 
> My blueprint is below. What I am trying to accomplish is for JAAS to look in either module
in order to authenticate a user. But right now I cannot login with karaf/karaf, as it seems
that the PropertiesLoginModule is ignored. I can login with anything from the ShiroJaasIntegration
module without issue.
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
>
>     <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
>
>     <jaas:config name="karaf" rank="1">
>         <jaas:module className="dk.netdesign.common.security.karaf.ShiroJaasIntegration"
>                      flags="sufficient">
>         </jaas:module>
>         <jaas:module className="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule"
>                      flags="sufficient">
>             users = $[karaf.base]/etc/users.properties
>         </jaas:module>
>     </jaas:config>
>
> </blueprint>
> 
> 
> 
> 
> 
> On Thu, Apr 5, 2018 at 12:04 PM, Martin Nielsen <mnybon@gmail.com> wrote:
> The only way my module is called is if I force stop Apache Karaf :: JAAS :: Modules
(org.apache.karaf.jaas.modules, http://localhost:8181/system/console/bundles/148). Is this intended behavior?
> 
> On Wed, Apr 4, 2018 at 9:28 AM, Martin Nielsen <mnybon@gmail.com> wrote:
> I now tried changing the blueprint to this:
> <?xml version="1.0" encoding="UTF-8"?>
> <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
>            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
>            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
>
>     <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
>
>     <jaas:config name="karaf" rank="0">
>         <jaas:module className="my.test.common.security.karaf.ShiroJaasIntegration"
>                      flags="sufficient">
>         </jaas:module>
>     </jaas:config>
>
> </blueprint>
> 
> That changes the realm list command to this
> 
> karaf@root()> jaas:realm-list
> Index | Realm Name | Login Module Class Name
> ------+------------+---------------------------------------------------------
> 1     | karaf      | dk.netdesign.common.security.karaf.ShiroJaasIntegration
> 
> But I can still log in with karaf/karaf, and my module is STILL not called. I do not
understand this. How can I still log in through the property module when it is no longer listed?
> 
> 
> On Tue, Apr 3, 2018 at 6:40 PM, Martin Nielsen <mnybon@gmail.com> wrote:
> No you understood completely. I obviously didn't though. So if I want the login module
I made to be usable through the webconsole, I must place it in the karaf realm, is that correct?
> 
> Second question: what if I want to disable one of the current modules, for example the
properties module?
> 
> On Tue, 3 Apr 2018, 18:18 Jean-Baptiste Onofré, <jb@nanthrax.net> wrote:
> Hi,
> 
> Maybe I don't understand what you want to do.
> 
> You added your login module in a new realm (ShiroBridge). So, it means that it
> will be used only for applications that will use this realm.
> 
> It's not possible to remove the karaf realm easily today as core parts of Karaf
> use it (shell, MBeanServer, ...).
> 
> So:
> 1. If you want to use your login module in the core Karaf part (like the shell
> or ssh), then your login module has to be in the karaf realm
> 2. No problem to create new realms and plug third party applications using this
> realm
> 
> Regards
> JB
> 
> On 04/03/2018 05:42 PM, Martin Nielsen wrote:
> > Hello everyone
> >
> > I am trying to create a new karaf JAAS module and preferably override the
> > current karaf JAAS domain.
> >
> > I have my login module which basically just delegates everything to shiro, as
> > well as a blueprint to add it to the JAAS config.
> >
> > My JAAS config xml from OSGI-INF\blueprint folder in the jar:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <blueprint xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0"
> >            xmlns:jaas="http://karaf.apache.org/xmlns/jaas/v1.0.0"
> >            xmlns:ext="http://aries.apache.org/blueprint/xmlns/blueprint-ext/v1.0.0">
> >
> >     <ext:property-placeholder placeholder-prefix="$[" placeholder-suffix="]"/>
> >
> >     <jaas:config name="ShiroBridge" rank="-1">
> >         <jaas:module className="my.test.security.karaf.ShiroJaasIntegration"
> >                      flags="sufficient">
> >         </jaas:module>
> >     </jaas:config>
> >
> > </blueprint>
> >
> > My LoginModule:
> >
> > import java.io.IOException;
> > import java.security.Principal;
> > import java.util.HashSet;
> > import java.util.Map;
> > import java.util.Set;
> >
> > import javax.security.auth.Subject;
> > import javax.security.auth.callback.Callback;
> > import javax.security.auth.callback.CallbackHandler;
> > import javax.security.auth.callback.NameCallback;
> > import javax.security.auth.callback.PasswordCallback;
> > import javax.security.auth.callback.UnsupportedCallbackException;
> > import javax.security.auth.login.LoginException;
> > import javax.security.auth.spi.LoginModule;
> >
> > import org.osgi.framework.BundleContext;
> > import org.osgi.framework.BundleReference;
> > import org.slf4j.Logger;
> > import org.slf4j.LoggerFactory;
> >
> > public class ShiroJaasIntegration implements LoginModule {
> >
> >     public static final Logger LOGGER = LoggerFactory.getLogger(ShiroJaasIntegration.class);
> >     private static final Class<org.apache.shiro.session.Session> shiroSessionClass =
> >             org.apache.shiro.session.Session.class;
> >
> >     protected Set<Principal> principals = new HashSet<>();
> >     private Subject subject;
> >     private org.apache.shiro.session.Session shiroSession;
> >     private CallbackHandler callbackHandler;
> >     private Map<String, ?> sharedState;
> >     private Map<String, ?> options;
> >     private String user;
> >     protected BundleContext bundleContext;
> >     private boolean authenticated = false;
> >
> >     @Override
> >     public void initialize(Subject subject, CallbackHandler callbackHandler,
> >                            Map<String, ?> sharedState, Map<String, ?> options) {
> >         LOGGER.info("initialize " + System.identityHashCode(this));
> >         this.subject = subject;
> >         this.callbackHandler = callbackHandler;
> >         this.sharedState = sharedState;
> >         this.options = options;
> >         // The module's own bundle context, reached through the bundle class loader.
> >         this.bundleContext = ((BundleReference) this.getClass().getClassLoader()).getBundle().getBundleContext();
> >     }
> >
> >     @Override
> >     public boolean login() throws LoginException {
> >         LOGGER.debug("login " + System.identityHashCode(this));
> >         if (callbackHandler == null) {
> >             throw new LoginException("No CallbackHandler found");
> >         }
> >
> >         // Ask the caller (shell, ssh, webconsole, ...) for user name and password.
> >         Callback[] callbacks = new Callback[2];
> >         callbacks[0] = new NameCallback("Username: ");
> >         callbacks[1] = new PasswordCallback("Password: ", false);
> >         try {
> >             callbackHandler.handle(callbacks);
> >         } catch (IOException ioe) {
> >             throw new LoginException(ioe.getMessage());
> >         } catch (UnsupportedCallbackException uce) {
> >             throw new LoginException(uce.getMessage() + " not available to obtain information from user");
> >         }
> >
> >         // user callback get value
> >         if (((NameCallback) callbacks[0]).getName() == null) {
> >             throw new LoginException("Username can not be null");
> >         }
> >         user = ((NameCallback) callbacks[0]).getName();
> >
> >         // password callback get value
> >         if (((PasswordCallback) callbacks[1]).getPassword() == null) {
> >             throw new LoginException("Password can not be null");
> >         }
> >         String password = new String(((PasswordCallback) callbacks[1]).getPassword());
> >
> >         org.apache.shiro.subject.Subject shiroSubject = null;
> >
> > //Do lots of shiro stuff to get the UserPrincipal and RolePrincipal objects
> >
> >         return authenticated;
> >     }
> >
> >     @Override
> >     public boolean commit() throws LoginException {
> >         LOGGER.debug("commit " + System.identityHashCode(this));
> >         // Only a module whose login() succeeded may contribute principals to the Subject.
> >         if (authenticated) {
> >             subject.getPrincipals().addAll(principals);
> >         }
> >         return authenticated;
> >     }
> >
> >     @Override
> >     public boolean abort() throws LoginException {
> >         user = null;
> >         authenticated = false;
> >         principals.clear();
> >         LOGGER.debug("abort " + System.identityHashCode(this));
> >         return true;
> >     }
> >
> >     @Override
> >     public boolean logout() throws LoginException {
> >         user = null;
> >         authenticated = false;
> >         subject.getPrincipals().removeAll(principals);
> >         principals.clear();
> >         LOGGER.debug("logout " + System.identityHashCode(this));
> >         return true;
> >     }
> >
> > }
> >
> > I have tried setting the rank inside the blueprint to -1, 0, and 1 and the
> > ShiroBridge does move up and down the list, but no log statements from the
> > ShiroJaasIntegration LoginModule are ever called, and in all cases I can still
> > log in with karaf/karaf.
> >
> > karaf@root()> jaas:realm-list
> > Index | Realm Name  | Login Module Class Name
> > ------+-------------+---------------------------------------------------------------
> > 1     | ShiroBridge | my.test.security.karaf.ShiroJaasIntegration
> > 2     | karaf       | org.apache.karaf.jaas.modules.properties.PropertiesLoginModule
> > 3     | karaf       | org.apache.karaf.jaas.modules.publickey.PublickeyLoginModule
> > 4     | karaf       | org.apache.karaf.jaas.modules.audit.FileAuditLoginModule
> > 5     | karaf       | org.apache.karaf.jaas.modules.audit.LogAuditLoginModule
> > 6     | karaf       | org.apache.karaf.jaas.modules.audit.EventAdminAuditLoginModule
> >
> >
> > So my module never seems to be called, and I can't really disable the karaf realm.
> >
> >
> > Can someone help with this? My objective is to add my own LoginModule and
> > preferably replace the current karaf Realm
> >
> 
> --
> Jean-Baptiste Onofré
> jbonofre@apache.org
> http://blog.nanthrax.net
> Talend - http://www.talend.com
> 
> 
> 
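The whole thread turns on how the JDK's LoginContext walks a chain of modules flagged "sufficient", so here is a stand-alone JAAS example, added for this archive page; it is not Martin's, Łukasz's or Karaf's code. It replaces the Shiro-backed module and PropertiesLoginModule with two toy modules (ShiroStandIn and PropertiesStandIn, with the constructed credentials shiro-user/shiro-pass and karaf/karaf), builds the "karaf" realm programmatically instead of through a blueprint, and records which module methods LoginContext calls. The class name SufficientChainDemo and everything in it are assumptions for the demo; it needs only a plain JDK (save as SufficientChainDemo.java, compile, run), no Karaf or OSGi.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.spi.LoginModule;

/** Stand-alone JAAS demo (no Karaf): two LoginModules chained with flags="sufficient", the
 *  layout of the jaas:config in the thread. Add -Djava.security.debug=logincontext to the
 *  java command line to get the JDK's own trace of the same chain. */
public class SufficientChainDemo {
    /** Module methods LoginContext actually invoked, in order (cleared per attempt). */
    static final List<String> CALLS = new ArrayList<>();

    /** Toy module accepting one fixed user/password pair. Public, with public no-arg subclass
     *  constructors, because LoginContext instantiates and calls modules reflectively. */
    public abstract static class OneUserModule implements LoginModule {
        private final String label, wantUser, wantPass;
        private Subject subject;
        private CallbackHandler handler;
        private Principal principal;   // non-null only after a successful login()
        protected OneUserModule(String label, String u, String p) { this.label = label; wantUser = u; wantPass = p; }

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> sh, Map<String, ?> o) { subject = s; handler = h; }

        /** Phase 1. Throwing (or returning false) from a "sufficient" module lets the next one try. */
        @Override public boolean login() throws LoginException {
            CALLS.add(label + ".login");
            NameCallback nc = new NameCallback("Username: ");
            PasswordCallback pc = new PasswordCallback("Password: ", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
            char[] pw = pc.getPassword();
            boolean ok = wantUser.equals(nc.getName()) && pw != null && wantPass.equals(new String(pw));
            pc.clearPassword();
            if (!ok) throw new FailedLoginException(label + ": bad credentials for " + nc.getName());
            String name = nc.getName(); principal = () -> name;   // Principal has a single abstract method
            return true;
        }

        /** Phase 2. Only a module whose own login() succeeded contributes principals. */
        @Override public boolean commit() {
            CALLS.add(label + ".commit");
            if (principal == null) return false;
            subject.getPrincipals().add(principal);
            return true;
        }
        @Override public boolean abort() { CALLS.add(label + ".abort"); principal = null; return true; }
        @Override public boolean logout() { if (principal != null) subject.getPrincipals().remove(principal); principal = null; return true; }
    }

    /** Stand-ins for the two modules in the thread; users and passwords are constructed for the demo. */
    public static class ShiroStandIn extends OneUserModule { public ShiroStandIn() { super("Shiro", "shiro-user", "shiro-pass"); } }
    public static class PropertiesStandIn extends OneUserModule { public PropertiesStandIn() { super("Properties", "karaf", "karaf"); } }

    /** Programmatic equivalent of <jaas:config name="karaf"> holding two flags="sufficient" modules. */
    static Configuration twoSufficientModules() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String realm) {
                if (!"karaf".equals(realm)) return null;
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(ShiroStandIn.class.getName(), LoginModuleControlFlag.SUFFICIENT, Collections.emptyMap()),
                    new AppConfigurationEntry(PropertiesStandIn.class.getName(), LoginModuleControlFlag.SUFFICIENT, Collections.emptyMap()),
                };
            }
        };
    }

    /** Non-interactive CallbackHandler answering with fixed credentials (what the shell/ssh/webconsole do for you). */
    static CallbackHandler credentials(String user, String pass) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(user);
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(pass.toCharArray());
                else throw new UnsupportedCallbackException(cb);
            }
        };
    }

    /** One login attempt against the "karaf" realm; returns the module methods that ran, in order. */
    static List<String> attempt(String user, String pass) {
        CALLS.clear();
        try {
            LoginContext lc = new LoginContext("karaf", new Subject(), credentials(user, pass), twoSufficientModules());
            lc.login();
            StringBuilder names = new StringBuilder();
            for (Principal p : lc.getSubject().getPrincipals()) names.append(p.getName()).append(' ');
            System.out.println(user + ": OK, principals = " + names);
        } catch (LoginException e) {
            System.out.println(user + ": DENIED (" + e.getMessage() + ")");
        }
        System.out.println("    invoked: " + CALLS);
        return new ArrayList<>(CALLS);
    }

    public static void main(String[] args) {
        attempt("shiro-user", "shiro-pass");   // accepted by the first module
        attempt("karaf", "karaf");             // rejected by the first module, accepted by the second
        attempt("nobody", "x");                // rejected by both
    }
}
```

What the three attempts show is the JAAS rule behind Łukasz's answer: when a "sufficient" module's login() returns true (and no earlier "required" module failed), LoginContext stops walking the chain, so the module after it is never even instantiated, let alone asked to log in; when a "sufficient" module throws a LoginException, the next module in the list gets its turn; and when every module throws, the exception reported to the caller is the first module's. So in a chain like Martin's, PropertiesLoginModule is only consulted if the Shiro module rejects the credentials (throws or returns false) rather than swallowing the failure and returning true.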

