1 Reply Latest reply on Mar 12, 2013 3:55 AM by thomas.diesler

    Karaf integration removes JBoss JAAS configuration

    dastraub

      If we use karaf/servicemix as described in various threads, we note that login-module definitions from standalone.xml were removed from the JAAS configuration.

      That means, the karaf login works but not the login for web applications etc.

       

      The following example uses a secure web application with a JSP that displays the current JAAS configuration:

       

      ~/as/bin $ curl --user test:test localhost:8080/login-test/

       

      javax.security.auth.login.Configuration = org.jboss.security.auth.login.XMLLoginConfigImpl

       

      ~/as/bin $ ./jboss-cli.sh -c "/subsystem=osgi:activate"

      {"outcome" => "success"}

      ~/as/bin $ ./jboss-cli.sh -c "/subsystem=security/security-domain=login-test:flush-cache"

      {"outcome" => "success"}

      ~/as/bin $ curl --user test:test localhost:8080/login-test/

       

      ERROR: javax.security.auth.login.Configuration = org.apache.karaf.jaas.config.impl.OsgiConfiguration

       

      The reason is that the bundle "org.apache.karaf.jaas.config" installs its own JAAS configuration:

      org.apache.karaf.jaas.config.impl.OsgiConfiguration

       

          public void init() {
              Configuration.setConfiguration(this);
          }

       

      This removes the existing configuration, which was set previously by org.jboss.as.security.service.JaasConfigurationService.

       

      For a demonstration I use the following workaround:

       

      • configure the karaf login module in standalone.xml:

      <security-domain name="karaf" cache-type="default">
          <authentication>
              <login-module code="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" flag="required">
                  <module-option name="users" value="${jboss.home.dir}/karaf/etc/users.properties"/>
              </login-module>
          </authentication>
      </security-domain>


      • modify blueprint-xml of bundle "org.apache.karaf.jaas.config", disable init- and destroy-method of org.apache.karaf.jaas.config.impl.OsgiConfiguration:

          <!--
          <bean id="config"
                class="org.apache.karaf.jaas.config.impl.OsgiConfiguration"
                init-method="init"
                destroy-method="close"/>
          -->

          <bean id="config" class="org.apache.karaf.jaas.config.impl.OsgiConfiguration" />

       

      • modify bundle "org.apache.karaf.shell.ssh":
        • add "org.apache.karaf.jaas.modules.properties" as import-package in pom.xml (maven-bundle-plugin)
        • set the correct TCL in KarafJaasPasswordAuthenticator:

          

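          public boolean authenticate(final String username, final String password, final ServerSession session) {
              // Remember the caller's thread context class loader (TCL)
              ClassLoader tcl = Thread.currentThread().getContextClassLoader();
              // JAAS loads login modules through the TCL, so point it at this bundle's class loader
              Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
              try {
                  ...
              } finally {
                  // Always restore the caller's TCL
                  Thread.currentThread().setContextClassLoader(tcl);
              }
          }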

       

      With this fiddling I was able to use the karaf and all other logins which were defined in the security-subsystem.

       

      ~/as/bin $ ssh -p 8101 smx@localhost

      Warning: Permanently added '[localhost]:8101' (DSA) to the list of known hosts.

      smx@localhost's password:

      ____                  _          __  __ _     

      / ___|  ___ _ ____   _(_) ___ ___|  \/  (_)_  __

      \___ \ / _ \ '__\ \ / / |/ __/ _ \ |\/| | \ \/ /

      ___) |  __/ |   \ V /| | (_|  __/ |  | | |>  <

      |____/ \___|_|    \_/ |_|\___\___|_|  |_|_/_/\_\ @ JBoss AS

       

       

        Apache ServiceMix (4.4.2)
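
The post above traces the problem to `Configuration.setConfiguration(this)` discarding the configuration the application server had installed. The following added example, which is not part of the original post and is not Karaf or JBoss code, shows a JAAS `Configuration` that serves its own realm and delegates every other lookup to the one it replaced. The class `DelegatingConfiguration`, the stand-in container configuration and the module name `example.ContainerLoginModule` are hypothetical.

```java
import java.util.Collections;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

// Hypothetical class: serves its own realms and defers every other lookup to
// the Configuration that was installed before it, instead of discarding it.
public class DelegatingConfiguration extends Configuration {
    private final Configuration previous; // the container's configuration
    private final Map<String, AppConfigurationEntry[]> realms = new ConcurrentHashMap<>();

    public DelegatingConfiguration(Configuration previous) { this.previous = previous; }
    public void register(String realm, String moduleClass) { realms.put(realm, entry(moduleClass)); }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        AppConfigurationEntry[] own = realms.get(name);
        return own != null ? own : previous.getAppConfigurationEntry(name);
    }

    // Counterpart of init(): restore the old configuration, but only if we are still installed.
    public void close() {
        if (Configuration.getConfiguration() == this) Configuration.setConfiguration(previous);
    }

    static AppConfigurationEntry[] entry(String moduleClass) {
        return new AppConfigurationEntry[] { new AppConfigurationEntry(
                moduleClass, LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
    }

    public static void main(String[] args) {
        // Constructed stand-in for the configuration the application server installs.
        Configuration container = new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return "login-test".equals(name) ? entry("example.ContainerLoginModule") : null;
            }
        };
        Configuration.setConfiguration(container);
        DelegatingConfiguration cfg = new DelegatingConfiguration(Configuration.getConfiguration());
        cfg.register("karaf", "org.apache.karaf.jaas.modules.properties.PropertiesLoginModule");
        Configuration.setConfiguration(cfg);
        Configuration active = Configuration.getConfiguration();
        System.out.println("karaf realm resolved:      " + (active.getAppConfigurationEntry("karaf") != null));
        System.out.println("login-test still resolved: " + (active.getAppConfigurationEntry("login-test") != null));
        cfg.close();
        System.out.println("container restored:        " + (Configuration.getConfiguration() == container));
    }
}
```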