Karaf integration removes JBoss JAAS configuration
dastraub Jan 9, 2013 11:28 AM
If we use karaf/servicemix as described in various threads, we note that login-module definitions from standalone.xml were removed from the JAAS configuration.
That means, the karaf login works but not the login for web applications etc.
The following example uses a secure web application with a JSP that displays the current JAAS configuration:
~/as/bin $ curl --user test:test localhost:8080/login-test/
javax.security.auth.login.Configuration = org.jboss.security.auth.login.XMLLoginConfigImpl
~/as/bin $ ./jboss-cli.sh -c "/subsystem=osgi:activate"
{"outcome" => "success"}
~/as/bin $ ./jboss-cli.sh -c "/subsystem=security/security-domain=login-test:flush-cache"
{"outcome" => "success"}
~/as/bin $ curl --user test:test localhost:8080/login-test/
ERROR: javax.security.auth.login.Configuration = org.apache.karaf.jaas.config.impl.OsgiConfiguration
The reason is that the bundle "org.apache.karaf.jaas.config" installs its own JAAS configuration:
org.apache.karaf.jaas.config.impl.OsgiConfiguration
    public void init() {
        Configuration.setConfiguration(this);
    }
This removes the existing configuration, which was set previously by org.jboss.as.security.service.JaasConfigurationService.
For a demonstration I use the following workaround:
- configure karaf loginmodule in standalone.xml:
    <security-domain name="karaf" cache-type="default">
        <authentication>
            <login-module code="org.apache.karaf.jaas.modules.properties.PropertiesLoginModule" flag="required">
                <module-option name="users" value="${jboss.home.dir}/karaf/etc/users.properties"/>
            </login-module>
        </authentication>
    </security-domain>
- modify blueprint-xml of bundle "org.apache.karaf.jaas.config", disable init- and destroy-method of org.apache.karaf.jaas.config.impl.OsgiConfiguration:
    <!--
    <bean id="config"
          class="org.apache.karaf.jaas.config.impl.OsgiConfiguration"
          init-method="init"
          destroy-method="close"/>
    -->
    <bean id="config" class="org.apache.karaf.jaas.config.impl.OsgiConfiguration" />
- modify bundle "org.apache.karaf.shell.ssh":
  - add "org.apache.karaf.jaas.modules.properties" as import-package in pom.xml (maven-bundle-plugin)
  - set the correct TCL in KarafJaasPasswordAuthenticator:
    public boolean authenticate(final String username, final String password, final ServerSession session) {
        // remember the caller's thread context class loader (TCL)
        ClassLoader tcl = Thread.currentThread().getContextClassLoader();
        // switch to this bundle's class loader so the login module class can be resolved
        Thread.currentThread().setContextClassLoader(getClass().getClassLoader());
        try {
            ...
        } finally {
            // always restore the caller's TCL
            Thread.currentThread().setContextClassLoader(tcl);
        }
    }
With this fiddling I was able to use the karaf and all other logins which were defined in the security-subsystem.
~/as/bin $ ssh -p 8101 smx@localhost
Warning: Permanently added '[localhost]:8101' (DSA) to the list of known hosts.
smx@localhost's password:
____ _ __ __ _
/ ___| ___ _ ____ _(_) ___ ___| \/ (_)_ __
\___ \ / _ \ '__\ \ / / |/ __/ _ \ |\/| | \ \/ /
___) | __/ | \ V /| | (_| __/ | | | |> <
|____/ \___|_| \_/ |_|\___\___|_| |_|_/_/\_\ @ JBoss AS
Apache ServiceMix (4.4.2)
Attachment: login-sample.zip (6.8 KB)
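
The replacement behaviour described in the post, as an added example that is not part of the original post and is not Karaf or JBoss code: `Configuration.setConfiguration` swaps the single JVM-wide JAAS configuration, so a domain known only to the earlier one stops resolving. The class `JaasConfigClobberDemo`, its helpers and the `example.*` module names are constructed for illustration, and the delegating wrapper is an assumed alternative to disabling `init()`, not something the post tested.

```java
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class JaasConfigClobberDemo {
    // Constructed stand-in for a Configuration that knows exactly one security domain.
    static Configuration single(String domain, String moduleClass) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!domain.equals(name)) return null; // null means "no entry for this domain"
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(moduleClass, LoginModuleControlFlag.REQUIRED, Map.of())
                };
            }
        };
    }

    // Hypothetical wrapper: answer from 'primary', fall back to the previously installed one.
    static Configuration delegating(Configuration primary, Configuration previous) {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                AppConfigurationEntry[] own = primary.getAppConfigurationEntry(name);
                return own != null ? own : previous.getAppConfigurationEntry(name);
            }
        };
    }

    // True if the currently installed JVM-wide Configuration resolves the domain.
    static boolean known(String domain) {
        return Configuration.getConfiguration().getAppConfigurationEntry(domain) != null;
    }

    public static void main(String[] args) {
        Configuration container = single("login-test", "example.ContainerLoginModule");
        Configuration bundle = single("karaf", "example.BundleLoginModule");

        Configuration.setConfiguration(container); // container-owned configuration installed first
        System.out.println("container only: login-test=" + known("login-test"));

        Configuration.setConfiguration(bundle); // what init() does: replaces, does not merge
        System.out.println("after replace:  login-test=" + known("login-test") + " karaf=" + known("karaf"));

        Configuration.setConfiguration(delegating(bundle, container)); // both domains resolve again
        System.out.println("delegating:     login-test=" + known("login-test") + " karaf=" + known("karaf"));
    }
}
```

Requires Java 9 or later for `Map.of()`.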