Posted to issues@karaf.apache.org by "Freeman Fang (JIRA)" <ji...@apache.org> on 2013/06/21 02:21:21 UTC

[jira] [Commented] (KARAF-2364) org.apache.karaf.jaas.boot.principal.RolePrincipal class should implement Group, not Principal

    [ https://issues.apache.org/jira/browse/KARAF-2364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13689888#comment-13689888 ] 

Freeman Fang commented on KARAF-2364:
-------------------------------------

Hi,

This is a known question and a solution is available.
By default CXF will assume that role Principals are represented by javax.security.acl.Group instances.

However, in some cases the objects representing a user principal and roles implement the same marker interface, such as Principal; Karaf is in this case.

In this case we can configure the "roleClassifier" & "roleClassifierType" properties for CXF, which are needed by the CXF SecurityContext in order to differentiate between user and role Principals.

Just add
       <property name="roleClassifier" value="RolePrincipal"/>
       <property name="roleClassifierType" value="classname"/>
Take a look at [1] to get more details.

AFAIK, ActiveMQ has a similar mechanism to let you specify the role class name.
[1]http://cxf.apache.org/docs/security.html

Freeman
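The lookup the comment above describes, as an added illustration (not code from CXF or Karaf): a Subject holding Karaf-style UserPrincipal and RolePrincipal objects that both implement only java.security.Principal, a classifier-less lookup that takes the first non-Group principal (and so can return the role), and the roleClassifier="RolePrincipal" / roleClassifierType="classname" test that tells the two apart. The local Group marker interface stands in for java.security.acl.Group (removed from the JDK in Java 14) so the block compiles on current JDKs; the principal classes and names are constructed for the demo.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;

public class RoleClassifierDemo {

    // Stand-in for java.security.acl.Group, the marker that CXF's default
    // findPrincipal() uses to recognise role principals. The real interface
    // was removed in Java 14, so a local marker keeps this demo compiling.
    interface Group extends Principal { }

    // Shaped like Karaf's UserPrincipal and RolePrincipal: both implement only
    // java.security.Principal, so nothing marks the role as a Group.
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Classifier-less lookup: first principal that is not a Group. With Karaf
    // principals that test excludes nothing, so whichever principal the login
    // module added first is treated as the user.
    static Principal findPrincipalByGroupCheck(Subject subject) {
        for (Principal p : subject.getPrincipals()) {
            if (!(p instanceof Group)) {
                return p;
            }
        }
        return null;
    }

    // The roleClassifier / roleClassifierType test as the comment describes it:
    // "classname" compares the principal's simple class name with the classifier,
    // anything else is treated as a name prefix (assumed behaviour, not CXF's code).
    static boolean isRole(Principal p, String roleClassifier, String roleClassifierType) {
        if ("classname".equals(roleClassifierType)) {
            return p.getClass().getSimpleName().equals(roleClassifier);
        }
        return p.getName().startsWith(roleClassifier);
    }

    // Lookup with the classifier configured: first principal that is not a role.
    static Principal findPrincipalWithClassifier(Subject subject,
                                                 String roleClassifier,
                                                 String roleClassifierType) {
        for (Principal p : subject.getPrincipals()) {
            if (!isRole(p, roleClassifier, roleClassifierType)) {
                return p;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed Subject: the role is added before the user, the ordering
        // that makes the classifier-less lookup return the role as the "user".
        Set<Principal> principals = new LinkedHashSet<>();
        principals.add(new RolePrincipal("admin"));
        principals.add(new UserPrincipal("karaf"));
        Subject subject = new Subject(false, principals,
                                      Collections.emptySet(), Collections.emptySet());

        Principal naive = findPrincipalByGroupCheck(subject);
        Principal classified = findPrincipalWithClassifier(subject, "RolePrincipal", "classname");

        System.out.println("without classifier: "
                + naive.getClass().getSimpleName() + " " + naive.getName());
        System.out.println("with classifier:    "
                + classified.getClass().getSimpleName() + " " + classified.getName());
    }
}
```

Compile and run with a plain JDK; the first line shows which principal the Group-based check settles on when the role precedes the user in the Subject, the second shows the principal selected once the class-name classifier is applied. Because Subject preserves insertion order, swapping the two add() calls is enough to make the classifier-less path look correct by accident, which is why the classifier, not principal ordering, should be relied on.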
                
> org.apache.karaf.jaas.boot.principal.RolePrincipal class should implement Group, not Principal
> ----------------------------------------------------------------------------------------------
>
>                 Key: KARAF-2364
>                 URL: https://issues.apache.org/jira/browse/KARAF-2364
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 2.3.1
>            Reporter: Scott Tustison
>            Assignee: Freeman Fang
>
> When using the Karaf JAAS LDAPLoginModule in combination with Apache CXF (or a similar product), there is no way to determine whether the Principal obtained from the Subject corresponds to a user or a role (group). CXF (org.apache.cxf.interceptor.security.DefaultSecurityContext.findPrincipal()) will attempt to pull out a Principal which is not a java.security.acl.Group. However, since the JAAS login module does not make use of the java.security.acl.Group interface for its RolePrincipal, there is no way to determine the correct Principal to use. This can end up with Apache CXF generating a SAML assertion for a group that belongs to a user instead of the user itself, which is obviously invalid.
> If RolePrincipal implemented Group instead of Principal it would fix this issue.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira