[ https://issues.apache.org/jira/browse/ARTEMIS-4263?focusedWorklogId=859593&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-859593 ]
ASF GitHub Bot logged work on ARTEMIS-4263:
-------------------------------------------
Author: ASF GitHub Bot
Created on: 28/Apr/23 10:04
Start Date: 28/Apr/23 10:04
Worklog Time Spent: 10m
Work Description:
gemmellr commented on code in PR #4458:
URL: https://github.com/apache/activemq-artemis/pull/4458#discussion_r1180167688

########## artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/AuthenticatorAdapter.java:
##########
@@ -0,0 +1,128 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.activemq.artemis.spi.core.security.jaas; + +import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.LoginContext; + +import java.security.Principal; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Base64; +import java.util.StringTokenizer; + +import com.sun.net.httpserver.Authenticator; +import com.sun.net.httpserver.HttpExchange; +import com.sun.net.httpserver.HttpPrincipal; +import com.sun.net.httpserver.HttpsExchange; + +// delegate to our JAAS login modules by adapting our handlers to httpExchange +// allow the jolokia jvm agent to integrate with our auth +public class AuthenticatorAdapter extends Authenticator { Review Comment: I think I would give this a more targeted name than just AuthenticatorAdapter, that seems a bit of an 'general/obvious/primary name', whereas this seems like its actually going to be 
more of a niche class used to satisfy a specific use case. Perhaps HttpServerAuthenticatorAdapter since its so tied to com.sun.net.httpserver (which I was initially concerned at seeing, but it does seem to be a public JDK-supported API...albeit still not a Java SE API)? ########## artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/AuthenticatorAdapter.java: ########## 
@@ -0,0 +1,128 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.activemq.artemis.spi.core.security.jaas; + +import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.LoginContext; + +import java.security.Principal; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Base64; +import java.util.StringTokenizer; + +import com.sun.net.httpserver.Authenticator; +import com.sun.net.httpserver.HttpExchange; +import com.sun.net.httpserver.HttpPrincipal; +import com.sun.net.httpserver.HttpsExchange; + +// delegate to our JAAS login modules by adapting our handlers to httpExchange +// allow the jolokia jvm agent to integrate with our auth +public class AuthenticatorAdapter extends Authenticator { + + static final String REALM_PROPERTY_NAME = "jolokiaJvmAgent.realm"; + static final String REQUEST_SUBJECT_ATTRIBUTE_PROPERTY_NAME = "jolokiaJvmAgent.requestSubjectAttribute"; + static String 
DEFAULT_SUBJECT_ATTRIBUTE = "org.jolokia.jaasSubject"; + static final String DEFAULT_REALM = "jolokia_jvm_agent"; Review Comment: You commented this isnt Jolokia specific, but this actually seems more like it is. ########## artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/AuthenticatorAdapter.java: ########## @@ -0,0 +1,128 @@ +/** Review Comment: Should be a comment rather than javadoc. Can lose the needless space after also. ########## artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/AuthenticatorAdapter.java: ########## 
@@ -0,0 +1,128 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.activemq.artemis.spi.core.security.jaas; + +import javax.security.auth.Subject; +import javax.security.auth.callback.Callback; +import javax.security.auth.callback.NameCallback; +import javax.security.auth.callback.PasswordCallback; +import javax.security.auth.callback.UnsupportedCallbackException; +import javax.security.auth.login.LoginContext; + +import java.security.Principal; +import java.security.cert.Certificate; +import java.security.cert.X509Certificate; +import java.util.Arrays; +import java.util.Base64; +import java.util.StringTokenizer; + +import com.sun.net.httpserver.Authenticator; +import com.sun.net.httpserver.HttpExchange; +import com.sun.net.httpserver.HttpPrincipal; +import com.sun.net.httpserver.HttpsExchange; + +// delegate to our JAAS login modules by adapting our handlers to httpExchange +// allow the jolokia jvm agent to integrate with our auth +public class AuthenticatorAdapter extends Authenticator { + + static final String REALM_PROPERTY_NAME = "jolokiaJvmAgent.realm"; + static final String REQUEST_SUBJECT_ATTRIBUTE_PROPERTY_NAME = "jolokiaJvmAgent.requestSubjectAttribute"; + static String 
DEFAULT_SUBJECT_ATTRIBUTE = "org.jolokia.jaasSubject"; + static final String DEFAULT_REALM = "jolokia_jvm_agent"; + static final String AUTHORIZATION_HEADER_NAME = "Authorization"; + + final String realm = System.getProperty(REALM_PROPERTY_NAME, DEFAULT_REALM); + final String subjectRequestAttribute = System.getProperty(REQUEST_SUBJECT_ATTRIBUTE_PROPERTY_NAME, DEFAULT_SUBJECT_ATTRIBUTE); + + @Override + public Result authenticate(HttpExchange httpExchange) { + + try { + LoginContext loginContext = new LoginContext(realm, callbacks -> { + for (Callback callback : callbacks) { + if (callback instanceof PasswordCallback) { + PasswordCallback passwordCallback = (PasswordCallback) callback; + + StringTokenizer stringTokenizer = new StringTokenizer(extractAuthHeader(httpExchange)); + String method = stringTokenizer.nextToken(); + if ("Basic".equalsIgnoreCase(method)) { + byte[] authHeaderBytes = Base64.getDecoder().decode(stringTokenizer.nextToken()); + + // :pass + byte[] password = Arrays.copyOfRange(authHeaderBytes, Arrays.binarySearch(authHeaderBytes, (byte) ':') + 1, authHeaderBytes.length); + passwordCallback.setPassword(new String(password).toCharArray()); Review Comment: I'd wonder if this (and others elsewhere) shouldnt be defining a charset, rather than relying on the variable platform default (at least up to JDK18 when it was finally defaulted to UTF-8: https://openjdk.org/jeps/400) ? 
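Review bot: `Arrays.binarySearch(authHeaderBytes, (byte) ':')` in the PasswordCallback branch is only defined on a sorted array, and the decoded `user:pass` bytes are not sorted, so the index it returns (and therefore the slice handed to `passwordCallback.setPassword`) is unreliable; when ':' is reported as not found the `+ 1` turns the negative result into an offset that can pass the whole decoded value, user name included, as the password. Replace it with a linear scan for the first ':' (so a password that itself contains ':' is kept intact) and treat a missing separator as a malformed header rather than silently slicing.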
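Review bot: the Basic branch calls `stringTokenizer.nextToken()` twice without a `hasMoreTokens()` check, and `Base64.getDecoder().decode(...)` throws IllegalArgumentException on non-base64 input, so a request carrying a bare `Authorization: Basic` header or garbage after the scheme throws out of the callback handler during login instead of producing a failed authentication; depending on what `extractAuthHeader(httpExchange)` returns when no header is sent, `new StringTokenizer(null)` would likewise throw NullPointerException. Validate the header shape before building the LoginContext and answer anything malformed with `Authenticator.Retry` (challenge) or `Authenticator.Failure`, so a bad header cannot surface as an unhandled exception from the agent.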
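Review bot: `static String DEFAULT_SUBJECT_ATTRIBUTE` is the only non-final member in that group of constants; unless something deliberately reassigns it, make it `static final` like REALM_PROPERTY_NAME and DEFAULT_REALM, otherwise any code in the package can change the request attribute name under which the authenticated Subject is published.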
Issue Time Tracking
-------------------

Worklog Id: (was: 859593)
Time Spent: 40m (was: 0.5h)

> support access to our JaasCallbackhandler from a jdk http Authenticator
> -----------------------------------------------------------------------
>
> Key: ARTEMIS-4263
> URL: https://issues.apache.org/jira/browse/ARTEMIS-4263
> Project: ActiveMQ Artemis
> Issue Type: Improvement
> Components: JAAS
> Affects Versions: 2.28.0
> Reporter: Gary Tully
> Assignee: Gary Tully
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> To allow the jolokia jvm agent to utilise jaas with our callback handler, it
> is necessary to provide a wrapper that is aware of the capabilities of the
> various artemis login modules and provide the necessary callback
> implementation.
> httpserver supports an extension point in the form of a
> {{com.sun.net.httpserver.Authenticator}} that we can use. The jolokia jvm
> agent has an authenticator that does jaas but is limited to plain
> credentials. We can plug in a similar Artemis jaas delegating authenticator
> and do proper rbac when the jolokia jvm agent is in play.
> This will allow us to reduce the surface area that we expose to support
> jolokia, avoiding the need for jetty.
>
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)