Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-5739

Subject not populated with groups/roles when authenticated via JASPIC

    XMLWordPrintable

Details

    Description

      After having authenticated via JASPIC, requesting the current Subject via JACC and then using that for permission checks fails.

      For instance the following code will always set hasAccess to false given that "/protected/*" requires a role and the authenticated user is in that role:

      Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
 
boolean hasAccess = Policy.getPolicy().implies(
    new ProtectionDomain(
        new CodeSource(null, (Certificate[]) null),
        null, null, 
        subject.getPrincipals().toArray(new Principal[subject.getPrincipals().size()])
    ),
    new WebResourcePermission("/protected/Servlet", "GET"))
;

      As it appears, the problem originates from the fact that subject.getPrincipals() does not contain the roles.

      This can be traced back to org.jboss.security.auth.callback.JASPICallbackHandler.handleCallBack, where it becomes clear that the roles are only put into the "util", but not in the "authenticatedSubject":

      String[] rolesArray = groupPrincipalCallback.getGroups();
int sizeOfRoles = rolesArray != null ? rolesArray.length : 0;
 
if( sizeOfRoles > 0 )
{
  List<Role> rolesList = new ArrayList<Role>();
  for( int i = 0; i < sizeOfRoles ; i++ )
  {
     Role role = new SimpleRole( rolesArray[ i ] );
     rolesList.add( role );
  }
  RoleGroup roles = new SimpleRoleGroup( SecurityConstants.ROLES_IDENTIFIER, rolesList );

  // if the current security context already has roles, we merge them with the incoming roles.
  RoleGroup currentRoles = currentSC.getUtil().getRoles();

  // *** ROLES ARE ONLY SET HERE ***
  if (currentRoles != null) {
      currentRoles.addAll(roles.getRoles());
  }
  else {
      currentSC.getUtil().setRoles( roles );
  }
} 

// *** BELOW THIS LINE ROLES ARE NOT REFERENCED ANYMORE
// *** SUBJECT IS NOT POPULATED WITH ANY ROLE INFO 

Subject subject = groupPrincipalCallback.getSubject();
if( subject != null )
{
   // if the current security context already has an associated subject, we merge it with the incoming subject.
   Subject currentSubject = currentSC.getSubjectInfo().getAuthenticatedSubject();
   if (currentSubject != null) {
       subject.getPrincipals().addAll(currentSubject.getPrincipals());
       subject.getPublicCredentials().addAll(currentSubject.getPublicCredentials());
       subject.getPrivateCredentials().addAll(currentSubject.getPrivateCredentials());
   }
   currentSC.getSubjectInfo().setAuthenticatedSubject(subject);
}

      Attachments

        1. picketbox.zip
          871 kB
        2. CustomAuth.zip
          9 kB

        Issue Links

          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-5330 Subject not populated with groups/roles when authenticated via JASPIC

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Verified

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              arjant_jira Arjan t (Inactive)
              Votes:
              1 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: