[ https://issues.apache.org/jira/browse/ARTEMIS-4263?focusedWorklogId=859593&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-859593 ]

ASF GitHub Bot logged work on ARTEMIS-4263:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 28/Apr/23 10:04
            Start Date: 28/Apr/23 10:04
    Worklog Time Spent: 10m 
      Work Description: gemmellr commented on code in PR #4458:
URL: https://github.com/apache/activemq-artemis/pull/4458#discussion_r1180167688


##########
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/AuthenticatorAdapter.java:
##########
@@ -0,0 +1,128 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.activemq.artemis.spi.core.security.jaas;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginContext;
+
+import java.security.Principal;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.StringTokenizer;
+
+import com.sun.net.httpserver.Authenticator;
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpPrincipal;
+import com.sun.net.httpserver.HttpsExchange;
+
+// delegate to our JAAS login modules by adapting our handlers to httpExchange
+// allow the jolokia jvm agent to integrate with our auth
+public class AuthenticatorAdapter extends Authenticator {
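Review bot: a public class in the `spi.core.security.jaas` package carries only the two `//` lines above it as documentation; a Javadoc on `public class AuthenticatorAdapter extends Authenticator` stating that it adapts the Artemis JAAS login modules to `com.sun.net.httpserver.Authenticator` for the jolokia jvm agent, and that the `com.sun.net.httpserver` imports pull in the `jdk.httpserver` module rather than anything in `java.base`, would tell SPI users what they are depending on.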

Review Comment:
   I think I would give this a more targeted name than just
AuthenticatorAdapter, that seems a bit of a 'general/obvious/primary name',
whereas this seems like it's actually going to be more of a niche class used to
satisfy a specific use case. Perhaps HttpServerAuthenticatorAdapter since it's
so tied to com.sun.net.httpserver (which I was initially concerned at seeing,
but it does seem to be a public JDK-supported API...albeit still not a Java SE
API)?



##########
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/AuthenticatorAdapter.java:
##########
@@ -0,0 +1,128 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.activemq.artemis.spi.core.security.jaas;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginContext;
+
+import java.security.Principal;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.StringTokenizer;
+
+import com.sun.net.httpserver.Authenticator;
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpPrincipal;
+import com.sun.net.httpserver.HttpsExchange;
+
+// delegate to our JAAS login modules by adapting our handlers to httpExchange
+// allow the jolokia jvm agent to integrate with our auth
+public class AuthenticatorAdapter extends Authenticator {
+
+   static final String REALM_PROPERTY_NAME = "jolokiaJvmAgent.realm";
+   static final String REQUEST_SUBJECT_ATTRIBUTE_PROPERTY_NAME = 
"jolokiaJvmAgent.requestSubjectAttribute";
+   static String DEFAULT_SUBJECT_ATTRIBUTE = "org.jolokia.jaasSubject";
+   static final String DEFAULT_REALM = "jolokia_jvm_agent";
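Review bot: `static String DEFAULT_SUBJECT_ATTRIBUTE = "org.jolokia.jaasSubject";` is the only one of these four constants not declared `final`, so any code in the package can reassign the attribute name under which the authenticated Subject is attached to the request; declare it `static final` like `REALM_PROPERTY_NAME` and `DEFAULT_REALM`, or add a comment explaining why it has to be mutable.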

Review Comment:
   You commented this isn't Jolokia specific, but this actually seems more like
it is.



##########
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/AuthenticatorAdapter.java:
##########
@@ -0,0 +1,128 @@
+/**

Review Comment:
   Should be a comment rather than javadoc. Can lose the needless space after 
also.



##########
artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas/AuthenticatorAdapter.java:
##########
@@ -0,0 +1,128 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ * <p>
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * <p>
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.activemq.artemis.spi.core.security.jaas;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.login.LoginContext;
+
+import java.security.Principal;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Arrays;
+import java.util.Base64;
+import java.util.StringTokenizer;
+
+import com.sun.net.httpserver.Authenticator;
+import com.sun.net.httpserver.HttpExchange;
+import com.sun.net.httpserver.HttpPrincipal;
+import com.sun.net.httpserver.HttpsExchange;
+
+// delegate to our JAAS login modules by adapting our handlers to httpExchange
+// allow the jolokia jvm agent to integrate with our auth
+public class AuthenticatorAdapter extends Authenticator {
+
+   static final String REALM_PROPERTY_NAME = "jolokiaJvmAgent.realm";
+   static final String REQUEST_SUBJECT_ATTRIBUTE_PROPERTY_NAME = 
"jolokiaJvmAgent.requestSubjectAttribute";
+   static String DEFAULT_SUBJECT_ATTRIBUTE = "org.jolokia.jaasSubject";
+   static final String DEFAULT_REALM = "jolokia_jvm_agent";
+   static final String AUTHORIZATION_HEADER_NAME = "Authorization";
+
+   final String realm = System.getProperty(REALM_PROPERTY_NAME, DEFAULT_REALM);
+   final String subjectRequestAttribute = 
System.getProperty(REQUEST_SUBJECT_ATTRIBUTE_PROPERTY_NAME, 
DEFAULT_SUBJECT_ATTRIBUTE);
+
+   @Override
+   public Result authenticate(HttpExchange httpExchange) {
+
+      try {
+         LoginContext loginContext = new LoginContext(realm, callbacks -> {
+            for (Callback callback : callbacks) {
+               if (callback instanceof PasswordCallback) {
+                  PasswordCallback passwordCallback = (PasswordCallback) 
callback;
+
+                  StringTokenizer stringTokenizer = new 
StringTokenizer(extractAuthHeader(httpExchange));
+                  String method = stringTokenizer.nextToken();
+                  if ("Basic".equalsIgnoreCase(method)) {
+                     byte[] authHeaderBytes = 
Base64.getDecoder().decode(stringTokenizer.nextToken());
+
+                     // :pass
+                     byte[] password = Arrays.copyOfRange(authHeaderBytes, 
Arrays.binarySearch(authHeaderBytes, (byte) ':') + 1, authHeaderBytes.length);
+                     passwordCallback.setPassword(new 
String(password).toCharArray());
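Review bot: `Arrays.binarySearch(authHeaderBytes, (byte) ':')` has undefined results on unsorted input, and the decoded `user:password` bytes are not sorted, so the separator index is unreliable; when no ':' is present the negative insertion point (plus one) becomes the start of `Arrays.copyOfRange`, which can throw or slice the wrong bytes. Replace it with a linear scan for the first ':' and treat a missing separator as a failed authentication rather than an exception; likewise, if `extractAuthHeader` can return null or an empty string for a request without the header, `new StringTokenizer(...)` and `stringTokenizer.nextToken()` will throw instead of yielding a 401. The same path should pass an explicit charset to `new String(password)`, as already raised.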

Review Comment:
   I'd wonder if this (and others elsewhere) shouldn't be defining a charset,
rather than relying on the variable platform default (at least up to JDK18 when
it was finally defaulted to UTF-8: https://openjdk.org/jeps/400)?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 859593)
    Time Spent: 40m  (was: 0.5h)

> support access to our JaasCallbackhandler from a jdk http Authenticator
> -----------------------------------------------------------------------
>
>                 Key: ARTEMIS-4263
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-4263
>             Project: ActiveMQ Artemis
>          Issue Type: Improvement
>          Components: JAAS
>    Affects Versions: 2.28.0
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> To allow the jolokia jvm agent to utilise jaas with our callback handler, it
> is necessary to provide a wrapper that is aware of the capabilities of the
> various artemis login modules and provide the necessary callback
> implementation.
> httpserver supports an extension point in the form of a
> {{com.sun.net.httpserver.Authenticator}} that we can use. The jolokia jvm
> agent has an authenticator that does jaas but is limited to plain
> credentials. We can plug in a similar Artemis jaas delegating authenticator
> and do proper rbac when the jolokia jvm agent is in play.
> This will allow us to reduce the surface area that we expose to support
> jolokia, avoiding the need for jetty.

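As an added example (not code from the PR or from Artemis), the header-parsing step such an Authenticator has to perform before it can fill a JAAS NameCallback/PasswordCallback: the first ':' is found by a linear scan (the decoded bytes are unsorted, so Arrays.binarySearch does not apply), the bytes are decoded with an explicit charset as the review comment suggests, and malformed input yields null so the caller can answer 401 instead of throwing. `BasicCredentials` is a hypothetical name.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical helper (not the PR's code): parses an HTTP Basic Authorization
// header value into the name and password a JAAS NameCallback/PasswordCallback
// would be filled from. Anything that is not well-formed Basic auth yields null,
// which the Authenticator maps to a 401 (Authenticator.Retry) instead of throwing.
public final class BasicCredentials {
   public final String user;
   public final char[] password;

   private BasicCredentials(String user, char[] password) {
      this.user = user;
      this.password = password;
   }

   public static BasicCredentials parse(String authorizationHeader) {
      if (authorizationHeader == null) {
         return null;                        // no header on the request
      }
      String[] parts = authorizationHeader.trim().split("\\s+", 2);
      if (parts.length != 2 || !"Basic".equalsIgnoreCase(parts[0])) {
         return null;                        // other scheme, or scheme without a token
      }
      byte[] decoded;
      try {
         decoded = Base64.getDecoder().decode(parts[1]);
      } catch (IllegalArgumentException e) {
         return null;                        // not valid base64
      }
      // Decoded form is "user:password": locate the FIRST ':' by linear scan,
      // so a password that itself contains ':' survives intact.
      int sep = -1;
      for (int i = 0; i < decoded.length && sep < 0; i++) {
         if (decoded[i] == ':') sep = i;
      }
      if (sep < 0) {
         return null;                        // no separator: malformed credentials
      }
      // Explicit charset rather than the platform default (see JEP 400).
      String user = new String(decoded, 0, sep, StandardCharsets.UTF_8);
      char[] password = new String(decoded, sep + 1, decoded.length - sep - 1,
                                   StandardCharsets.UTF_8).toCharArray();
      Arrays.fill(decoded, (byte) 0);       // scrub the plaintext copy
      return new BasicCredentials(user, password);
   }
}
```

The Authenticator's callback handler would set `NameCallback` from `user` and `PasswordCallback` from `password`, then zero the array once `LoginContext.login()` has returned.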


--
This message was sent by Atlassian Jira
(v8.20.10#820010)