JAAS only sets the context inside the PrivilegedAction call.
So after the call it is normal that you cannot get the context anymore. If you try AccessController.getContext(); inside the run() method it should work.

The problem is that the way HttpContext.authenticated works you cannot call the rest of the code inside the PrivilegedAction. So honestly I am not sure
how to approach this.

Christian

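As an added illustration of the scoping Christian describes (this program is not from the thread, from Pax Web or from Karaf): it binds a constructed Subject with Subject.doAs and reads it back from the AccessControlContext both after doAs() has returned and inside run(). UserPrincipal, currentSubject and whoAmIInsideDoAs are names chosen here for the demo.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import javax.security.auth.Subject;

public class SubjectScopeDemo {

    // Hypothetical principal standing in for whatever the JAAS realm would produce.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Reads the Subject bound to the *current* AccessControlContext; null when none is bound.
    static Subject currentSubject() {
        return Subject.getSubject(AccessController.getContext());
    }

    // The work that needs the caller's identity has to run inside the PrivilegedAction;
    // here it simply reports the principal name it can see from within run().
    static String whoAmIInsideDoAs(Subject subject) {
        return Subject.doAs(subject, (PrivilegedAction<String>) () -> {
            Subject s = currentSubject();
            return s == null ? "none" : s.getPrincipals().iterator().next().getName();
        });
    }

    public static void main(String[] args) {
        // Constructed Subject; a real HttpContext would obtain it from LoginContext.getSubject().
        Subject subject = new Subject(true,
                Collections.singleton(new UserPrincipal("test")),
                Collections.emptySet(), Collections.emptySet());

        // 1. An empty PrivilegedAction, as in the sample: the Subject is bound only while run()
        //    executes, so the context queried afterwards carries no Subject.
        Subject.doAs(subject, (PrivilegedAction<Void>) () -> null);
        System.out.println("after doAs, subject is null: " + (currentSubject() == null));

        // 2. Querying the same context from inside run() does see the Subject.
        System.out.println("inside doAs, principal: " + whoAmIInsideDoAs(subject));
    }
}
```

On Java 17 and later AccessController and Subject.getSubject(AccessControlContext) are deprecated; Java 18 added Subject.current() and Subject.callAs with the same scoping rule, so the behaviour shown here is unchanged.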

On 25.06.2015 12:50, kuvalda wrote:
Hi, Christian!
I've found a post about this problem here.
http://stackoverflow.com/questions/26592821/configure-authentication-for-servlets-in-osgi

Achim answered here, that the only way to authenticate in Servlets,
registered by OSGi way (whiteboard in our case), is to use specific
HttpContext with Servlet.
I tried to use AuthHttpContext from Pax Web Samples with modified method for
JAAS Login:

import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;

// realm, AUTHENTICATION_TYPE, REMOTE_USER and BasicAuthCallbackHandler
// come from the Pax Web AuthHttpContext sample this method was taken from.
protected boolean authenticated(HttpServletRequest request) {
    request.setAttribute(AUTHENTICATION_TYPE, HttpServletRequest.BASIC_AUTH);
    try {
        LoginContext lc = new LoginContext(realm,
                new BasicAuthCallbackHandler(request.getHeader("Authorization")));
        lc.login();
        // Mock action: the Subject is bound to the AccessControlContext
        // only while run() executes.
        Subject.doAs(lc.getSubject(), new PrivilegedAction<Void>() {
            @Override
            public Void run() {
                return null;
            }
        });
        // Queried after doAs() has returned, so the Subject is no longer in the context.
        AccessControlContext acc = AccessController.getContext();
        Subject subject = Subject.getSubject(acc);
        System.out.println(subject == null);
        request.setAttribute(REMOTE_USER, "test");
        return true;
    } catch (LoginException e) {
        return false;
    }
}

There's a mock PrivilegedAction, doing nothing.
But subject is null again in AccessController.getContext() even after
Subject.doAs().

What can the problem be?

Thanks in advance!
Pavel


cschneider wrote
A JAAS login is not enough. You also need to call subject.doAs(handler);
Inside this call the AccessControlContext will then contain your subject.

For web there should be a better way to establish a JAAS context. Maybe
you can make pax web or jetty check the authentication and
already establish a JAAS context for you. I forwarded to Achim. He might
know if that works.

Christian

-----
Pavel
--
View this message in context: 
http://karaf.922171.n3.nabble.com/Security-in-Module-tp4039307p4041072.html
Sent from the Karaf - User mailing list archive at Nabble.com.


--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com
