Hi Christian,

yes I did give cxf 3.0.3 on Karaf 2.3.9 a try without the desired outcome.
After some digging, it appears that the AccessControlContext does not have
the combiner field populated after a successful authentication. There are a
few AccessControlContext instances in the heap that have a valid combiner
set. These contexts appear to be from the Karaf shell.

The point at which subject retrieval fails is in
javax.security.auth.Subject.getSubject(AccessControlContext acc) line 300 on
JDK 1.7.0_71. Here it expects the AccessControlContext to
return a SubjectDomainCombiner but the actual combiner on the
AccessControlContext is null and hence it is not able to retrieve the
security context.

// return the Subject from the DomainCombiner of the provided context
return AccessController.doPrivileged
    (new java.security.PrivilegedAction<Subject>() {
    public Subject run() {
        DomainCombiner dc = acc.getDomainCombiner();
        if (!(dc instanceof SubjectDomainCombiner))
            return null;
        SubjectDomainCombiner sdc = (SubjectDomainCombiner)dc;
        return sdc.getSubject();
    }
});

Now I am not sure but I would expect this context to be set by the JAAS
framework and not the CXF interceptor. I had a quick look at
the authorization blueprint extension but not sure I understand the
workings of this test. All I am after is to get the Subject in a simple
authenticated REST service call.

Any thoughts or pointers on the above? Looks to me as if something is
broken in either Karaf JAAS or the CXF interceptor.

Many thanks,
Niels

On Sun, Jan 18, 2015 at 11:25 PM, Christian Schneider <
ch...@die-schneider.net> wrote:

>  Did you try with CXF 3.0.2 ? The older versions of CXF did not set the
> AccessControlContext.
>
> Btw. if you use Blueprint you can also try the jaas authorization
> blueprint extension.
> See
> https://github.com/apache/aries/blob/trunk/blueprint/blueprint-itests/src/test/java/org/apache/aries/blueprint/itests/authz/AuthorizationTest.java
>
> Christian
>
> Am 18.01.2015 um 13:29 schrieb Niels Bertram:
>
>  I am trying to get the context's Principal from the AccessControlContext
> as documented on stackexchange
> <http://stackoverflow.com/questions/20970380/get-current-user-in-an-osgi-context-fuse-karaf>.
>
> Unfortunately whenever I retrieve the subject using the current
> AccessControlContext, the subject is null.
>
> I basically create a very simple jaxrs server and register the CXF
> JAASAuthenticationFilter with the server:
>
> <bean id="authenticationFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
>     <property name="contextName" value="karaf" />
> </bean>
>
> <jaxrs:server id="echoResource" address="/rest/echo">
>     <jaxrs:serviceBeans>
>         <bean class="org.apache.karaf.jaas.modules.mongo.test.EchoServiceImpl" />
>     </jaxrs:serviceBeans>
>     <jaxrs:providers>
>         <ref component-id="authenticationFilter" />
>     </jaxrs:providers>
> </jaxrs:server>
>
>  When I execute the REST service, I try to get the Subject in the code as
> below but it is always null:
>
> AccessControlContext acc = AccessController.getContext();
> if (acc == null) {
>   throw new RuntimeException("access control context is null");
> }
> Subject subject = Subject.getSubject(acc);
> if (subject == null) {
>   throw new RuntimeException("subject is null");
> }
>
>  Interestingly if I inject the javax.ws.rs.core.SecurityContext into the
> CXF REST service, I do get a security principal.
>
> public Response echo(@Context SecurityContext context) {
>    Principal user = context.getUserPrincipal();
> }
>
>  Is there another configuration required in Karaf or is this a bug in
> either Karaf or CXF? Would love to hear if anyone else came across this.
>
> Cheers, Niels
>
> BTW: I tried the same in karaf 2.3.9, 2.4.1 and 3.0.2 with exact same
> result.
>
>
>
> --
>
> Christian Schneider
> http://www.liquid-reality.de
>
> Open Source Architect
> Talend Application Integration Division http://www.talend.com
>
>
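The behaviour this thread turns on (Subject.getSubject(acc) returning null even though the request was authenticated) can be reproduced without Karaf or CXF. The following is an added example and is not code from the thread, from Karaf or from CXF: it runs the same lookup once on a bare thread and once inside Subject.doAs, which is the JDK call that installs the SubjectDomainCombiner that getSubject looks for. SubjectLookupDemo, UserPrincipal and the helper methods are hypothetical names, and the Subject is a constructed stand-in for the result of a JAAS login. It is written against the JDK 7/8 API used in the thread.

```java
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class SubjectLookupDemo {

    // Minimal Principal for the constructed Subject (hypothetical; not a Karaf or CXF class).
    static final class UserPrincipal implements Principal {
        private final String name;

        UserPrincipal(String name) {
            this.name = name;
        }

        @Override
        public String getName() {
            return name;
        }
    }

    // Exactly the lookup the REST service in the thread performs.
    static Subject lookupCurrentSubject() {
        AccessControlContext acc = AccessController.getContext();
        // Returns null unless acc carries a SubjectDomainCombiner.
        return Subject.getSubject(acc);
    }

    // Stand-in for the service code: reports who the caller is, or "<none>" when
    // no Subject is attached to the current AccessControlContext.
    static String describeCaller() {
        Subject subject = lookupCurrentSubject();
        if (subject == null) {
            return "<none>";
        }
        Set<Principal> principals = subject.getPrincipals();
        if (principals.isEmpty()) {
            return "<anonymous>";
        }
        return principals.iterator().next().getName();
    }

    // Runs the same service code inside Subject.doAs. doAs wraps the current context in a
    // new AccessControlContext whose combiner is a SubjectDomainCombiner holding the Subject,
    // which is what makes Subject.getSubject succeed further down the call stack.
    static String describeCallerAs(Subject authenticated) {
        return Subject.doAs(authenticated, new PrivilegedAction<String>() {
            @Override
            public String run() {
                return describeCaller();
            }
        });
    }

    public static void main(String[] args) {
        // Constructed Subject standing in for a successful JAAS login.
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(new UserPrincipal("niels"));
        Subject authenticated = new Subject(true, principals,
                Collections.emptySet(), Collections.emptySet());

        // 1. Plain call: the context has no SubjectDomainCombiner, so the lookup finds nothing.
        System.out.println("without doAs: " + describeCaller());

        // 2. Same code invoked through Subject.doAs: the combiner carries the Subject.
        System.out.println("with doAs:    " + describeCallerAs(authenticated));
    }
}
```

The lookup itself is the same in both calls; only the way the service code is entered differs. Whatever sits between the authentication step and the service method therefore has to invoke the method through Subject.doAs (or doAsPrivileged) for Subject.getSubject to return anything. Treating a null result as "not authenticated", as the code in the thread does by throwing, is the safe side of this failure mode: a service that silently fell through on null would grant the request without a caller identity.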
