On Tue, Jun 10, 2025 at 10:47:34AM -0400, apache-karaf-...@pyr3x.com wrote:
> Hello,
>
> I'm using Karaf Service Guard to centralize authc/authz between karaf
> commands and my REST interface. Everything is working as expected,
> however, using a role with a colon in it is not matching.
>
> On the REST side I use Apache Shiro and I have realms that authenticate
> to some backend systems who set roles like "group:blah". I convert these
> to Karaf JAAS RolePrincipal which works for simple names like "blah".
> I have a CXF Interceptor to execute REST methods inside a Subject.doAs
> for my DS injected service. However, in the service acl when I have
> something like this it fails:
>
> service.guard = (objectClass=com.example.MyInterface)
>
> * = *
> myMethod = admin, viewer, group:blah
>
> --
> Chaz
Update: Looking at the code for:

https://github.com/apache/karaf/blob/main/util/src/main/java/org/apache/karaf/util/jaas/JaasHelper.java

It looks at the first colon to separate a custom role principal name. This hack seems to work:

org.apache.karaf.jaas.boot.principal.RolePrincipal:group:blah

When reviewing the code I realized there are likely to be some issues in Java 21, specifically the replacement of Subject.doAs with callAs, and the new Subject.current(). Is this on the roadmap?

Also, any thoughts on what to do with Conditional Permission Admin past Java 17? In my module system I like to lock down bundles to where they are allowed to write on the filesystem for example.

--
Chaz
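The following is an added, self-contained model of the parsing rule described in the update above; it is not Karaf's JaasHelper and not code from the thread. It assumes only what the message states: the text before the first colon in an ACL role entry is treated as a principal class name and the remainder as the role name, with the role principal class used when no colon is present. The nested `RolePrincipal` class is a constructed stand-in for `org.apache.karaf.jaas.boot.principal.RolePrincipal`, and the `hasRole` helper is hypothetical. It shows why the ACL entry `group:blah` never matches a principal named `group:blah`, and why prefixing the principal class name makes the same entry match.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Added example (not Karaf's code): models the "first colon separates the
 * principal class name" rule described in the thread, to show why an ACL
 * role such as "group:blah" silently fails to match and why the
 * class-qualified form does.
 */
public class ColonRoleMatchDemo {

    /** Constructed stand-in for org.apache.karaf.jaas.boot.principal.RolePrincipal. */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /**
     * Hypothetical model of the ACL role check: text before the first ':' is
     * taken as the principal class name, the rest as the role name. With no
     * colon, the default role principal class is assumed.
     */
    static boolean hasRole(Set<Principal> principals, String requestedRole) {
        String clazz;
        String role;
        int idx = requestedRole.indexOf(':');
        if (idx > 0) {
            clazz = requestedRole.substring(0, idx);
            role = requestedRole.substring(idx + 1);
        } else {
            clazz = RolePrincipal.class.getName();
            role = requestedRole;
        }
        for (Principal p : principals) {
            if (clazz.equals(p.getClass().getName()) && role.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed subject: the REST realm mapped the backend role
        // "group:blah" onto a RolePrincipal, exactly as the first message describes.
        Set<Principal> principals = new LinkedHashSet<>();
        principals.add(new RolePrincipal("group:blah"));

        // ACL entry as originally written: parsed as class "group", role "blah".
        // No principal has class name "group", so the check is denied.
        System.out.println("group:blah -> " + hasRole(principals, "group:blah"));

        // Class-qualified entry from the update: the prefix names the role
        // principal class and everything after it, "group:blah", is the role.
        // In Karaf that prefix is org.apache.karaf.jaas.boot.principal.RolePrincipal;
        // here it is the stand-in's runtime class name.
        String qualified = RolePrincipal.class.getName() + ":group:blah";
        System.out.println(qualified + " -> " + hasRole(principals, qualified));
    }
}
```

Running the demo prints `false` for the bare entry and `true` for the qualified one. The point worth noting for anyone maintaining such ACLs is that the first entry does not produce a configuration error: a role name containing a colon is quietly reinterpreted as a class-qualified role, so the method is denied to everyone holding that role. When backend role names can contain colons, either qualify the entry with the principal class name as the update does, or map such roles to colon-free names before creating the RolePrincipal, and verify each ACL line against a real subject rather than trusting that it parses.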