Hi Chaz- I started making updates to be able to better support working with extended and custom Principals.
ref: https://github.com/apache/karaf/pull/1946 ref: https://github.com/apache/karaf/pull/1944 NOTE: there is no planned JDK replacement for many of the JAAS operations that you described. The recommended approach is to build in your own guard around operations that you to secure with roles. -Matt Pavlovich > On Jun 10, 2025, at 10:08 AM, apache-karaf-...@pyr3x.com.invalid > <apache-karaf-...@pyr3x.com.INVALID> wrote: > > On Tue, Jun 10, 2025 at 10:47:34AM -0400, apache-karaf-...@pyr3x.com wrote: >> Hello, >> >> I'm using Karaf Service Guard to centralize authc/authz between karaf >> commands and my REST interface. Everything is working an expected, >> however, using a role with a colon in it is not matching. >> >> On the REST side I use Apache Shiro and I have realms that authenticate >> to some backend systems who set roles like "group:blah". I convert these >> to Karaf JAAS RolePrincipal which works for simple names like "blah". >> I have a CXF Interceptor to execute REST methods inside a Subject.doAs >> for my DS injected service. However, in the service acl when I have >> something like this it fails: >> >> service.guard = (objectClass=com.example.MyInterface) >> >> * = * >> myMethod = admin, viewer, group:blah >> >> -- >> Chaz > > Update: > > Looking at the code for: > > https://github.com/apache/karaf/blob/main/util/src/main/java/org/apache/karaf/util/jaas/JaasHelper.java > > It looks at the first colon to separate a custom role principal name. > > This hack seems to work: > > org.apache.karaf.jaas.boot.principal.RolePrincipal:group:blah > > When reviewing the code I realized there are likely to be some issues in > Java 21, specifically the replacement of Subject.doAs with callAs, and > the new Subject.current(). > > Is this on the roadmap? Also, any thoughts on what to do with > Conditional Permission Admin past Java 17? In my module system I like to > lock down bundles to where they are allowed to write on the filesystem > for example. > > -- > Chaz
