You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@servicemix.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2010/12/19 16:18:01 UTC
[jira] Resolved: (SM-1823) JaasAuthenticationService not properly
authenticating certificate chains.
[ https://issues.apache.org/jira/browse/SM-1823?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré resolved SM-1823.
--------------------------------------
Resolution: Fixed
Fix Version/s: 3.3.3
Revision 1041297.
> JaasAuthenticationService not properly authenticating certificate chains.
> -------------------------------------------------------------------------
>
> Key: SM-1823
> URL: https://issues.apache.org/jira/browse/SM-1823
> Project: ServiceMix
> Issue Type: Bug
> Components: servicemix-core
> Affects Versions: 3.2.2
> Reporter: Kurt Eisenzopf
> Assignee: Jean-Baptiste Onofré
> Fix For: 3.3.3
>
>
> When authenticating a certificate chain, the CallbackHandler defined in the provided JaasAuthenticationService throws an UnsupportedCallbackException. The implementation checks for credentials that are an instance of X509Certificate, but should also include a check for instance of X509Certificate[] in order to properly handle a certificate chain. To fix this, the CallbackHandler can be defined as follows:
> /*
> * Licensed to the Apache Software Foundation (ASF) under one or more
> * contributor license agreements. See the NOTICE file distributed with
> * this work for additional information regarding copyright ownership.
> * The ASF licenses this file to You under the Apache License, Version 2.0
> * (the "License"); you may not use this file except in compliance with
> * the License. You may obtain a copy of the License at
> *
> * http://www.apache.org/licenses/LICENSE-2.0
> *
> * Unless required by applicable law or agreed to in writing, software
> * distributed under the License is distributed on an "AS IS" BASIS,
> * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> * See the License for the specific language governing permissions and
> * limitations under the License.
> */
> package org.apache.servicemix.jbi.security.auth.impl;
> import java.io.IOException;
> import java.security.GeneralSecurityException;
> import java.security.cert.X509Certificate;
> import javax.security.auth.Subject;
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.NameCallback;
> import javax.security.auth.callback.PasswordCallback;
> import javax.security.auth.callback.UnsupportedCallbackException;
> import javax.security.auth.login.LoginContext;
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
> import org.apache.servicemix.jbi.security.auth.AuthenticationService;
> import org.apache.servicemix.jbi.security.login.CertificateCallback;
> /**
> * Implementation of the authentication service using JAAS.
> *
> * @org.apache.xbean.XBean element="authenticationService"
> */
> public class JAASAuthenticationService implements AuthenticationService {
> private static final Log LOG = LogFactory.getLog(JAASAuthenticationService.class);
>
> public void authenticate(Subject subject,
> String domain,
> final String user,
> final Object credentials) throws GeneralSecurityException {
> if (LOG.isDebugEnabled()) {
> LOG.debug("Authenticating '" + user + "' with '" + credentials + "'");
> }
> LoginContext loginContext = new LoginContext(domain, subject, new CallbackHandler() {
> public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
> for (int i = 0; i < callbacks.length; i++) {
> if (callbacks[i] instanceof NameCallback) {
> ((NameCallback) callbacks[i]).setName(user);
> } else if (callbacks[i] instanceof PasswordCallback && credentials instanceof String) {
> ((PasswordCallback) callbacks[i]).setPassword(((String) credentials).toCharArray());
> } else if (callbacks[i] instanceof CertificateCallback && credentials instanceof X509Certificate) {
> ((CertificateCallback) callbacks[i]).setCertificate((X509Certificate) credentials);
> } {color: red}else if (callbacks[i] instanceof CertificateCallback && credentials instanceof X509Certificate[]) {
> ((Certificatecallback) callbacks[i]).setCertificate((X509Certificate) credentials[0]);
> } {color}else {
> throw new UnsupportedCallbackException(callbacks[i]);
> }
> }
> }
> });
> loginContext.login();
> if (LOG.isDebugEnabled()) {
> LOG.debug("Authenticating " + user + " successfully");
> }
> }
> }
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.