Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FISH-5769 RFC2253 format with Certificate HAM, fix role verification #5515

Merged
merged 1 commit into from
Dec 3, 2021
Merged

FISH-5769 RFC2253 format with Certificate HAM, fix role verification #5515

merged 1 commit into from
Dec 3, 2021

Conversation

OndroMih
Copy link
Contributor

@OndroMih OndroMih commented Dec 3, 2021

Description

This is a bug fix.

The problem: When authenticated using @CertificateAuthenticationMechanismDefinition and IdentityStore @CertificateIdentityStoreDefinition, and when a role is mapped to a particular certificate principal in payara-web.xml, the role isn't assigned to the authenticated user. The role is applied if CLIENT_CERT login config mechanism is defined in web.xml.

Proposed solution in this PR:

  • in JaccWebAuthorizationManager, if the role isn’t granted (potentially because of the mismatch between PrincipalImpl and CallerPrincipal), check if the current principal class is CallerPrincipal. If that's true, convert it to PrincipalImpl and check for the role again
  • In CertificateCredentialImpl, change how the CallerPrincipal is created so that it contains the name in the same RFC2253 that PrincipalImpl uses so that it’s equal with the one in the policy. This will ensure that the PrincipalImpl created from CallerPrincipal is equal to the one in the policy

Important Info

Testing

Manually tested with the reproducer attached to FISH-5769

Testing Environment

Ubuntu

Notes for Reviewers

The policy in JaccWebAuthorizationManager contains the same role policies as in the working case (when using Servlet authentication). These are stored in the file generated/policy/payara-certificate-realm/payara-certificate-realm/granted.policy. These policies are for principal class PrincipalImpl but, if Jakarta Security authentication is used, the passed ProtectionDomain with the authenticated user contains a principal of type CallerPrincipal from Jakarta Security API. The policy object then refuses to add a policy for the role because it doesn’t match the authenticated user principal.

There are more observations:

  • Jakarta Security CallerPrincipal class doesn’t override hashCode and equals methods, therefore even 2 instances with the same principal name are not equal. So it doesn’t help if an additional role policy for CallerPrincipal is added to the granted.policy file
  • The CallerPrincipal has a slightly different name than the PrincipalImpl. Both contain the certificate's distinguished name but it's in RFC2253 format for PrincipalImpl and in RFC1779 format for CallerPrincipal. For this reason, even if we somehow converted CallerPrincipal to PrincipalImpl, they wouldn't be equal unless we also convert the format of the principal's name. The RFC1779 format contains more spaces between attributes and is obsolete.

@OndroMih
Copy link
Contributor Author

OndroMih commented Dec 3, 2021

Jenkins test please

@kalinchan kalinchan force-pushed the Community-FISH-5769-CertificateIS-ignores-role-mappings branch from d42247d to 1fa3cea Compare December 3, 2021 15:45
@kalinchan
Copy link
Member

jenkins test please

breakponchito
breakponchito approved these changes Dec 3, 2021
View reviewed changes
Copy link
Contributor

@breakponchito breakponchito left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@kalinchan kalinchan merged commit 22fbe22 into payara:master Dec 3, 2021
@OndroMih OndroMih deleted the Community-FISH-5769-CertificateIS-ignores-role-mappings branch December 3, 2021 20:40
JamesHillyard pushed a commit to JamesHillyard/Payara that referenced this pull request Jan 24, 2022
@kalinchan @JamesHillyard
Merge pull request payara#5515 from OndroMih/Community-FISH-5769-Cert…
1bba58f 
…ificateIS-ignores-role-mappings

FISH-5769 RFC2253 format with Certificate HAM, fix role verification

Signed-off-by: JamesHillyard <james.hillyard@payara.fish>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kalinchan kalinchan kalinchan approved these changes

@breakponchito breakponchito breakponchito approved these changes

@pdudits pdudits Awaiting requested review from pdudits

@aubi aubi Awaiting requested review from aubi

@jGauravGupta jGauravGupta Awaiting requested review from jGauravGupta

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@OndroMih @kalinchan @breakponchito