
Anonymous user comes in secured endpoint when calling over doAs() #11

viktarbelski opened this issue Aug 27, 2021 · 1 comment
@viktarbelski

Hello @ceharris, I've just noticed a strange behaviour when calling a secured method the doAs() way.

  1. I have built a DelegatingUserPrincipal with all claims I need.
  2. I have made a callback:

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
// JwtCredential and ObjectCallback come from the JWT login module library (package not shown here).

class TContextCallbackHandler implements CallbackHandler {
    private final JwtCredential credential;

    private TContextCallbackHandler(JwtCredential credential) {
        this.credential = credential;
    }

    // Hands the JWT credential to the login module through its ObjectCallback.
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback current : callbacks) {
            if (current instanceof ObjectCallback) {
                ((ObjectCallback) current).setCredential(credential);
            } else {
                throw new UnsupportedCallbackException(current);
            }
        }
    }
}
```
  3. And a config entry:

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
// JwtLoginModule comes from the library; EClaim is an application enum of claim names.

static class JBossJaasConfiguration extends Configuration {
    private final String configurationName;

    JBossJaasConfiguration(String configurationName) {
        this.configurationName = configurationName;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (!configurationName.equals(name)) {
            throw new IllegalArgumentException("Unexpected configuration name '" + name + "'");
        }
        return new AppConfigurationEntry[] {createLoginModuleConfigEntry()};
    }

    // A single REQUIRED JwtLoginModule entry; "role-claims" is passed to the module as an option.
    private AppConfigurationEntry createLoginModuleConfigEntry() {
        Map<String, String> options = new HashMap<String, String>();
        options.put("role-claims", EClaim.AFL.getValue());
        return new AppConfigurationEntry(JwtLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
    }
}
```

  4. And a LoginContext:

```java
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Wrapper method assumed (the issue shows only the body); CONFIGURATION_NAME, credential, callbackHandler and config are the caller's fields.
LoginContext createLoginContext() throws LoginException {
    Subject subj = new Subject();
    subj.getPrincipals().add(credential.getPrincipal());   // principal added before login()
    subj.getPublicCredentials().add(credential);
    subj.getPrivateCredentials().add(credential);
    return new LoginContext(CONFIGURATION_NAME, subj, callbackHandler, config);
}
```
    
  5. And finally I call a secured method:

```java
loginContext.login();
try {
    res = Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Object>() {
        @Override
        public Object run() {
            return documentController.findUnused();
        }
    });
} finally {
    loginContext.logout();
}
```

Well, the call comes through the JwtLoginModule as expected, but later in DocumentController sessionContext.getCallerPrincipal() returns 'anonymous' instead of DelegatingUserPrincipal.

Calling the same method directly makes sessionContext.getCallerPrincipal() return DelegatingUserPrincipal as expected.

@ceharris Am I missing any configuration?
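A stand-alone JAAS round trip, added here as an example (not code from the project or from the issue, and using constructed stand-ins for the library's credential and ObjectCallback): it checks whether the principal committed by the login module is actually visible inside Subject.doAs, which separates the JAAS side of the setup from what the container's SessionContext reports.

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class DoAsSubjectCheck {
    static final class TokenCallback implements Callback { String token; }   // constructed stand-in for ObjectCallback
    // Toy login module: accepts any non-empty token and commits one principal for it.
    public static class ToyLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private Principal principal;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            TokenCallback cb = new TokenCallback();
            try { handler.handle(new Callback[] { cb }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.toString()); }
            if (cb.token == null || cb.token.isEmpty()) throw new FailedLoginException("no token");
            principal = () -> "user-from-" + cb.token;   // java.security.Principal is a functional interface
            return true;
        }
        public boolean commit() { subject.getPrincipals().add(principal); return true; }
        public boolean abort() { principal = null; return true; }
        public boolean logout() { subject.getPrincipals().remove(principal); return true; }
    }
    // One REQUIRED entry, like the issue's JBossJaasConfiguration, supplied programmatically.
    static final Configuration CONFIG = new Configuration() {
        @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(ToyLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<>()) };
        }
    };
    // Logs in with the token and returns the principal names visible inside Subject.doAs.
    static Set<String> principalsInsideDoAs(String token) throws LoginException {
        CallbackHandler handler = cbs -> { for (Callback c : cbs) {
            if (c instanceof TokenCallback) ((TokenCallback) c).token = token;
            else throw new UnsupportedCallbackException(c); } };
        LoginContext lc = new LoginContext("toy", new Subject(), handler, CONFIG);
        lc.login();
        try {
            return Subject.doAs(lc.getSubject(), (PrivilegedAction<Set<String>>) () -> {
                // Deprecated since JDK 17; on JDK 18+ read the Subject with Subject.current() instead.
                Subject seen = Subject.getSubject(AccessController.getContext());
                Set<String> names = new TreeSet<>();
                if (seen != null) seen.getPrincipals().forEach(p -> names.add(p.getName()));
                return names;   // expected: [user-from-<token>]
            });
        } finally { lc.logout(); }
    }
}
```

If this returns the committed principal but the container still reports anonymous, the gap is between the JAAS Subject and the container's caller identity rather than in the login module itself.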

@ceharris
Member

Just a guess really, but I don't see where you are using/configuring your TContextCallbackHandler.
