soulwing / wildfly-jwt-extension

JAAS module for JWT authentication and authorization in Wildfly

Anonymous user comes in secured endpoint when calling over doAs() #11

Open viktarbelski opened 3 years ago

viktarbelski commented 3 years ago

Hello @ceharris , I've just noticed a strange behaviour when calling a secured method via doAs().

1. I have built a DelegatingUserPrincipal with all claims I need.
2. I have made a callback handler:

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.jboss.security.auth.callback.ObjectCallback;
// JwtCredential comes from the wildfly-jwt-extension project (import omitted here).

// Hands the JwtCredential to the login module through JBoss's ObjectCallback.
class TContextCallbackHandler implements CallbackHandler {
    private final JwtCredential credential;

    private TContextCallbackHandler(JwtCredential credential) {
        this.credential = credential;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback current : callbacks) {
            if (current instanceof ObjectCallback) {
                ((ObjectCallback) current).setCredential(credential);
            } else {
                throw new UnsupportedCallbackException(current);
            }
        }
    }
}
```

3. And a config entry:

```java
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
// JwtLoginModule comes from the wildfly-jwt-extension project; EClaim is my own enum (imports omitted here).

// Programmatic JAAS configuration that wires JwtLoginModule in as REQUIRED.
static class JBossJaasConfiguration extends Configuration {
    private final String configurationName;

    JBossJaasConfiguration(String configurationName) {
        this.configurationName = configurationName;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (!configurationName.equals(name)) {
            throw new IllegalArgumentException("Unexpected configuration name '" + name + "'");
        }

        return new AppConfigurationEntry[] {createLoginModuleConfigEntry()};
    }

    private AppConfigurationEntry createLoginModuleConfigEntry() {
        Map<String, String> options = new HashMap<String, String>();
        // "role-claims" tells JwtLoginModule which claim carries the roles.
        options.put("role-claims", EClaim.AFL.getValue());
        return new AppConfigurationEntry(JwtLoginModule.class.getName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options);
    }
}
```

4. And a LoginContext:

```java
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Enclosing method signature assumed; the body is what I wrote.
private LoginContext createLoginContext(JwtCredential credential,
        CallbackHandler callbackHandler, Configuration config) throws LoginException {
    // Pre-populate the Subject with the JWT principal and credential before login().
    Subject subj = new Subject();
    subj.getPrincipals().add(credential.getPrincipal());
    subj.getPublicCredentials().add(credential);
    subj.getPrivateCredentials().add(credential);

    return new LoginContext(CONFIGURATION_NAME, subj, callbackHandler, config);
}
```

5. And finally I call a secured method:

```java
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

loginContext.login();
try {
    // Run the EJB call with the authenticated Subject bound to the access-control context.
    res = Subject.doAs(loginContext.getSubject(), new PrivilegedAction<Object>() {
        @Override
        public Object run() {
            return documentController.findUnused();
        }
    });
} finally {
    loginContext.logout();
}
```

Well, the call comes through the JwtLoginModule as expected, but later in DocumentController sessionContext.getCallerPrincipal() returns 'anonymous' instead of DelegatingUserPrincipal.

Calling the same method directly makes sessionContext.getCallerPrincipal() return DelegatingUserPrincipal as expected.

@ceharris Am I missing any configuration?

ceharris commented 3 years ago

Just a guess really, but I don't see where you are using/configuring your TContextCallbackHandler.
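For readers following the exchange above, here is an added, self-contained example of the plain-JAAS side of what the reporter is relying on: a `CallbackHandler` passed to the `LoginContext`, a login module that pulls a credential out of that handler, and a callee that asks the access-control context for the `Subject` inside and outside `Subject.doAs()`. It is not code from wildfly-jwt-extension: `DemoLoginModule`, `TokenCredential` and `CredentialCallback` are hypothetical stand-ins for `JwtLoginModule`, `JwtCredential` and JBoss's `ObjectCallback`, and the EJB container's `sessionContext.getCallerPrincipal()` lookup is deliberately not modelled, since that depends on the server's security domain, not on JAAS alone.

```java
import java.io.IOException;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class DoAsPrincipalDemo {

    /** Hypothetical stand-in for the reporter's JwtCredential (constructed for this example). */
    static final class TokenCredential {
        final String subjectName;
        TokenCredential(String subjectName) { this.subjectName = subjectName; }
    }

    /** Hypothetical callback carrying the credential object, in the role of JBoss's ObjectCallback. */
    static final class CredentialCallback implements Callback {
        TokenCredential credential;
    }

    /** Same shape as the reporter's TContextCallbackHandler: answers only the credential callback. */
    static final class CredentialCallbackHandler implements CallbackHandler {
        private final TokenCredential credential;
        CredentialCallbackHandler(TokenCredential credential) { this.credential = credential; }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof CredentialCallback) {
                    ((CredentialCallback) cb).credential = credential;
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /** Hypothetical login module; it can only succeed if a CallbackHandler reached the LoginContext. */
    public static final class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private Principal principal;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler supplied to LoginContext");
            CredentialCallback cb = new CredentialCallback();
            try {
                handler.handle(new Callback[] { cb });
            } catch (IOException | UnsupportedCallbackException e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            if (cb.credential == null) throw new LoginException("handler supplied no credential");
            final String name = cb.credential.subjectName;
            principal = () -> name;   // Principal's only abstract method is getName()
            return true;
        }

        @Override public boolean commit() { subject.getPrincipals().add(principal); return true; }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() { subject.getPrincipals().remove(principal); return true; }
    }

    /** Programmatic Configuration, the same pattern as the reporter's JBossJaasConfiguration. */
    static final class DemoConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            return new AppConfigurationEntry[] {
                new AppConfigurationEntry(DemoLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.emptyMap())
            };
        }
    }

    /** What a callee sees when it asks the JAAS access-control context (not the EJB container) for the Subject. */
    static String callerSeenByJaas() {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null || s.getPrincipals().isEmpty()) return "anonymous";
        return s.getPrincipals().iterator().next().getName();
    }

    public static void main(String[] args) throws LoginException {
        CallbackHandler handler = new CredentialCallbackHandler(new TokenCredential("alice"));
        // The handler is passed here; without it DemoLoginModule.login() fails loudly.
        LoginContext lc = new LoginContext("demo", new Subject(), handler, new DemoConfiguration());
        lc.login();
        try {
            System.out.println("outside doAs: " + callerSeenByJaas());
            String inside = Subject.doAs(lc.getSubject(),
                    (PrivilegedAction<String>) DoAsPrincipalDemo::callerSeenByJaas);
            System.out.println("inside doAs:  " + inside);
        } finally {
            lc.logout();
        }
    }
}
```

Compile and run with `javac DoAsPrincipalDemo.java && java DoAsPrincipalDemo`; the first line reports "anonymous" and the second reports "alice", showing that `Subject.doAs()` does bind the logged-in Subject for code that consults the JAAS context. On JDK 17 and later `Subject.doAs`, `Subject.getSubject` and `AccessController.getContext` emit deprecation warnings but still work. Whether a container's `getCallerPrincipal()` consults that same context is a separate question that this example does not answer.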