Actually, I was too quick to declare victory. I read through the code of
JAASAuthenticationFeature and also the JAXRS-specific
JAASAuthenticationFilter I have been using. Both actually delegate to the
JAASLoginInterceptor and hence one should use one OR the other.

Adding both will simply make the JAASLoginInterceptor registered as a
provider in the JAASAuthenticationFeature take precedence over the REST
JAASAuthenticationFilter. The JAASLoginInterceptor will not redirect with a
401 in REST style but just fail with an awful error message.

Interestingly, the secret to the JAASAuthenticationFilter not being able to
set the underlying security context is this line in the constructor of the
REST filter (JAASAuthenticationFilter.java:66 in 3.0.2):

interceptor.setUseDoAs(false);

This will effectively disable the execution of the remainder of the
exchange under a privileged action that creates the AccessControlContext as
per JAASLoginInterceptor.java:139.

if (useDoAs) {
  Subject.doAs(subject, new PrivilegedAction<Void>() {
  ...

When I sheepishly change the value of setUseDoAs to true during the
object instantiation in the filter, the whole execution fails with the
stack trace below. So something in the CXF JAXRS filtering mechanism is
broken that would set the parameter
org.apache.cxf.jaxrs.model.OperationResourceInfo on the exchange.

The line that fails with the NPE is JAXRSInvoker.java:358

OperationResourceInfo ori = exchange.get(OperationResourceInfo.class);

Looks like a bug in the CXF JAXRS implementation if you ask me. Or it is
inherently not possible due to the JAXRS filter being executed inside the
`JAXRSInInterceptor` itself. I think I need to move this discussion to the
CXF mailing list.

2015-01-19 22:05:24,527 | INFO  | qtp2023231351-73 | LoggingInInterceptor             | 80 - org.apache.cxf.cxf-core - 3.0.2 | Inbound Message
----------------------------
ID: 51
Address: http://localhost:8181/cxf/echo/jaas/t1
Http-Method: GET
Content-Type:
Headers: {Accept=[*/*], Authorization=[Basic a2FyYWY6a2FyYWY=],
Content-Type=[null], Host=[localhost:8181], User-Agent=[curl/7.28.1]}
--------------------------------------
2015-01-19 22:05:48,066 | WARN  | qtp2023231351-73 | PhaseInterceptorChain            | 80 - org.apache.cxf.cxf-core - 3.0.2 | Interceptor for {http://test.jaas.fleurida.com/}EchoServiceImpl has thrown exception, unwinding now
java.lang.NullPointerException
        at org.apache.cxf.jaxrs.JAXRSInvoker.getResourceProvider(JAXRSInvoker.java:358)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
        at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:92)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:59)[80:org.apache.cxf.cxf-core:3.0.2]
        at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:96)[80:org.apache.cxf.cxf-core:3.0.2]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)[80:org.apache.cxf.cxf-core:3.0.2]
        at org.apache.cxf.interceptor.security.JAASLoginInterceptor$1.run(JAASLoginInterceptor.java:146)[80:org.apache.cxf.cxf-core:3.0.2]
        at org.apache.cxf.interceptor.security.JAASLoginInterceptor$1.run(JAASLoginInterceptor.java:140)[80:org.apache.cxf.cxf-core:3.0.2]
        at java.security.AccessController.doPrivileged(Native Method)[:1.7.0_71]
        at javax.security.auth.Subject.doAs(Subject.java:356)[:1.7.0_71]
        at org.apache.cxf.interceptor.security.JAASLoginInterceptor.handleMessage(JAASLoginInterceptor.java:140)[80:org.apache.cxf.cxf-core:3.0.2]
        at org.apache.cxf.jaxrs.security.JAASAuthenticationFilter.filter(JAASAuthenticationFilter.java:111)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
        at org.apache.cxf.jaxrs.utils.JAXRSUtils.runContainerRequestFilters(JAXRSUtils.java:1624)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.processRequest(JAXRSInInterceptor.java:106)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
        at org.apache.cxf.jaxrs.interceptor.JAXRSInInterceptor.handleMessage(JAXRSInInterceptor.java:77)[108:org.apache.cxf.cxf-rt-frontend-jaxrs:3.0.2]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)[80:org.apache.cxf.cxf-core:3.0.2]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[80:org.apache.cxf.cxf-core:3.0.2]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:243)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:197)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:149)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:290)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:575)[84:org.apache.geronimo.specs.geronimo-servlet_3.0_spec:1.0]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)[103:org.apache.cxf.cxf-rt-transports-http:3.0.2]
        at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:684)[89:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411]
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:503)[89:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411]
        at org.ops4j.pax.web.service.jetty.internal.HttpServiceServletHandler.doHandle(HttpServiceServletHandler.java:69)[98:org.ops4j.pax.web.pax-web-jetty:3.1.2]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:137)[89:org.eclipse.jetty.aggregate.jetty-all-server:8.1.15.v20140411]




On Mon, Jan 19, 2015 at 8:16 PM, Niels Bertram <niels...@gmail.com> wrote:

> Hi Christian,
>
> oh yes I can see, adding the JAASAuthenticationFeature to the cxf bus is
> required *in addition* to adding the JAASLoginInterceptor. I was not
> getting the desired result after Phase 1 so that makes sense.
>
> I added a very simple example to GitHub
> <https://github.com/bertramn/jaas-auth-rest-example> for anyone
> interested.
>
> Thanks a lot for the help, much appreciated!
>
> Kind Regards,
> Niels
>
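To make the setUseDoAs(false) point from the mail above concrete, here is an added example in plain JDK code (it is not CXF code and not from the original message). It shows the only thing Subject.doAs does for downstream code: it binds the authenticated Subject to the AccessControlContext of the PrivilegedAction it runs, so a resource that looks the caller up that way sees it inside doAs and sees nothing when the chain simply continues on the thread. The class and method names (DoAsDemo, callerFromAccessControlContext, authenticatedSubject, runWithDoAs, runWithoutDoAs) are this example's own, the Subject is constructed by hand instead of coming from a LoginContext, and the code targets the JDK 7/8 javax.security.auth API that the stack trace above was produced on (Subject.getSubject is deprecated in newer JDKs).

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

/*
 * Added example, not CXF code. Demonstrates why downstream code can only see
 * the JAAS-authenticated Subject when the remainder of the request runs
 * inside Subject.doAs(): doAs binds the Subject to the AccessControlContext of
 * the PrivilegedAction, and nothing else does. Targets JDK 7/8.
 */
public class DoAsDemo {

    // Stand-in for downstream code (e.g. a JAX-RS resource method) that wants
    // the caller's identity. Assumption of this example: it reads it from the
    // AccessControlContext, which is the only place Subject.doAs publishes it.
    static String callerFromAccessControlContext() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return null;
        }
        for (Principal p : subject.getPrincipals()) {
            return p.getName();
        }
        return null;
    }

    // Constructed Subject standing in for what LoginContext.login() produces
    // after a successful JAAS login; no real LoginModule is involved here.
    static Subject authenticatedSubject(final String user) {
        Set<Principal> principals = new HashSet<Principal>();
        principals.add(new Principal() {
            public String getName() {
                return user;
            }
        });
        // read-only Subject with the principal and no credentials
        return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
    }

    // useDoAs == true: the rest of the exchange runs as the PrivilegedAction,
    // so the Subject is bound to the AccessControlContext for its duration.
    static String runWithDoAs(Subject subject) {
        return Subject.doAs(subject, new PrivilegedAction<String>() {
            public String run() {
                return callerFromAccessControlContext();
            }
        });
    }

    // useDoAs == false: login succeeded and we hold the Subject, but the
    // exchange continues on the plain thread, so nothing is bound and the
    // downstream lookup finds no Subject at all.
    static String runWithoutDoAs(Subject subject) {
        return callerFromAccessControlContext();
    }

    public static void main(String[] args) {
        Subject subject = authenticatedSubject("karaf");
        System.out.println("useDoAs=true  -> caller: " + runWithDoAs(subject));
        System.out.println("useDoAs=false -> caller: " + runWithoutDoAs(subject));
    }
}
```

Running it resolves the caller name only on the doAs path; the other path resolves to null even though the same Subject is in hand. That is the gap the mail describes: with the REST filter's useDoAs(false), the login happens, but nothing later in the chain that relies on the AccessControlContext can see who logged in.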
