You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@servicemix.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2010/12/01 09:07:11 UTC

[jira] Assigned: (SM-1823) JaasAuthenticationService not properly authenticating certificate chains.

     [ https://issues.apache.org/jira/browse/SM-1823?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré reassigned SM-1823:
----------------------------------------

    Assignee: Jean-Baptiste Onofré

> JaasAuthenticationService not properly authenticating certificate chains.
> -------------------------------------------------------------------------
>
>                 Key: SM-1823
>                 URL: https://issues.apache.org/jira/browse/SM-1823
>             Project: ServiceMix
>          Issue Type: Bug
>          Components: servicemix-core
>    Affects Versions: 3.2.2
>            Reporter: Kurt Eisenzopf
>            Assignee: Jean-Baptiste Onofré
>
> When authenticating a certificate chain, the CallbackHandler defined in the provided JaasAuthenticationService throws an UnsupportedCallbackException.  The implementation checks for credentials that are an instance of X509Certificate, but should also include a check for instance of X509Certificate[] in order to properly handle a certificate chain.  To fix this, the CallbackHandler can be defined as follows:
> /*
>  * Licensed to the Apache Software Foundation (ASF) under one or more
>  * contributor license agreements.  See the NOTICE file distributed with
>  * this work for additional information regarding copyright ownership.
>  * The ASF licenses this file to You under the Apache License, Version 2.0
>  * (the "License"); you may not use this file except in compliance with
>  * the License.  You may obtain a copy of the License at
>  *
>  *      http://www.apache.org/licenses/LICENSE-2.0
>  *
>  * Unless required by applicable law or agreed to in writing, software
>  * distributed under the License is distributed on an "AS IS" BASIS,
>  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
>  * See the License for the specific language governing permissions and
>  * limitations under the License.
>  */
> package org.apache.servicemix.jbi.security.auth.impl;
> import java.io.IOException;
> import java.security.GeneralSecurityException;
> import java.security.cert.X509Certificate;
> import javax.security.auth.Subject;
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.NameCallback;
> import javax.security.auth.callback.PasswordCallback;
> import javax.security.auth.callback.UnsupportedCallbackException;
> import javax.security.auth.login.LoginContext;
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
> import org.apache.servicemix.jbi.security.auth.AuthenticationService;
> import org.apache.servicemix.jbi.security.login.CertificateCallback;
> /**
>  * Implementation of the authentication service using JAAS. 
>  *  
>  * @org.apache.xbean.XBean element="authenticationService"
>  */
> public class JAASAuthenticationService implements AuthenticationService {
>     private static final Log LOG = LogFactory.getLog(JAASAuthenticationService.class);
>     
>     public void authenticate(Subject subject,
>                              String domain,
>                              final String user, 
>                              final Object credentials) throws GeneralSecurityException {
>         if (LOG.isDebugEnabled()) {
>             LOG.debug("Authenticating '" + user + "' with '" + credentials + "'");
>         }
>         LoginContext loginContext = new LoginContext(domain, subject, new CallbackHandler() {
>             public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
>                 for (int i = 0; i < callbacks.length; i++) {
>                     if (callbacks[i] instanceof NameCallback) {
>                         ((NameCallback) callbacks[i]).setName(user);
>                     } else if (callbacks[i] instanceof PasswordCallback && credentials instanceof String) {
>                         ((PasswordCallback) callbacks[i]).setPassword(((String) credentials).toCharArray());
>                     } else if (callbacks[i] instanceof CertificateCallback && credentials instanceof X509Certificate) {
>                         ((CertificateCallback) callbacks[i]).setCertificate((X509Certificate) credentials);
>                     } {color: red}else if (callbacks[i] instanceof CertificateCallback && credentials instanceof X509Certificate[]) {
>                         ((Certificatecallback) callbacks[i]).setCertificate((X509Certificate) credentials[0]);
>                     } {color}else {
>                         throw new UnsupportedCallbackException(callbacks[i]);
>                     }
>                 }
>             }
>         });
>         loginContext.login();
>         if (LOG.isDebugEnabled()) {
>             LOG.debug("Authenticating " + user + " successfully");
>         }
>     }
> }

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.