New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WindowsLoginModule version 1.8.x and later does not work with Tomcat JAASRealm to identify roles from Windows securitygroups #1114
Comments
I am a bit new to this. How do I determine the process for fixing this bug? I can fix it, but need to understand the process
|
Let's not focus too much on which line to add/remove. This is a bug and we should do (2) and do our best to not break someone else. |
The existing code for WindowsLoginModule (since October 2016) does not bind the Windows (or Active DIrectory) group (names) to the Subject. It binds an object named "Roles" to the Subject. It therefore does not fulfill the basic function required of a JAAS WindowsLoginModule. Refer to Issue Waffle#1114. The packaging into a GroupPrincipal (which did not exist before the breaking change), was made to get it to work with WildFly (earlier versions as it does not work with latest versions in any case). Every Windows Group to which the User belongs, was placed into a new list of Principals (named "Roles") which was then packaged as a Principal (the GroupPrincipal) and added to the Subject.Principals list. This is just plain wrong, as it assumes that any user of the subject will know about the custom "Roles", and be able to extract the Principals from this list, This assumption is obviously invalid. The JAAS specified way is to obtain it from the Subject.Principles.getName(). The code modification also removed the ability to obtain the Windows Group (or JAAS roles) from the Subject.Principles.getName() as specified by JAAS.
…d Windows Groups as Principles The existing code for WindowsLoginModule (since October 2016) does not bind the Windows (or Active DIrectory) group (names) to the Subject. It binds an object named "Roles" to the Subject. It therefore does not fulfill the basic function required of a JAAS WindowsLoginModule. Refer to Issue Waffle#1114 The packaging into a GroupPrincipal (which did not exist before the breaking change), was made to get it to work with WildFly (earlier versions as it does not work with latest versions in any case). Every Windows Group to which the User belongs, was placed into a new list of Principals (named "Roles") which was then packaged as a Principal (the GroupPrincipal) and added to the Subject.Principals list. This is just plain wrong, as it assumes that any user of the subject will know about the custom "Roles", and be able to extract the Principals from this list, This assumption is obviously invalid. The JAAS specified way is to obtain it from the Subject.Principles.getName(). The code modification also removed the ability to obtain the Windows Group (or JAAS roles) from the Subject.Principles.getName() as specified by JAAS.
Fixed in 3.0.0 and released tonight. The binaries should show up in central in 2 hours. |
The existing code for WindowsLoginModule (since October 2016) does not bind the Windows (or Active DIrectory) group (names) to the Subject. It binds an object named "Roles" to the Subject. It therefore does not fulfill the basic function required of a JAAS WindowsLoginModule. Refer to Issue Waffle#1114. The packaging into a GroupPrincipal (which did not exist before the breaking change), was made to get it to work with WildFly (earlier versions as it does not work with latest versions in any case). Every Windows Group to which the User belongs, was placed into a new list of Principals (named "Roles") which was then packaged as a Principal (the GroupPrincipal) and added to the Subject.Principals list. This is just plain wrong, as it assumes that any user of the subject will know about the custom "Roles", and be able to extract the Principals from this list, This assumption is obviously invalid. The JAAS specified way is to obtain it from the Subject.Principles.getName(). The code modification also removed the ability to obtain the Windows Group (or JAAS roles) from the Subject.Principles.getName() as specified by JAAS.
* Removed the incorrect GroupPrincipal "Roles" from the code The existing code for WindowsLoginModule (since October 2016) does not bind the Windows (or Active DIrectory) group (names) to the Subject. It binds an object named "Roles" to the Subject. It therefore does not fulfill the basic function required of a JAAS WindowsLoginModule. Refer to Issue #1114. The packaging into a GroupPrincipal (which did not exist before the breaking change), was made to get it to work with WildFly (earlier versions as it does not work with latest versions in any case). Every Windows Group to which the User belongs, was placed into a new list of Principals (named "Roles") which was then packaged as a Principal (the GroupPrincipal) and added to the Subject.Principals list. This is just plain wrong, as it assumes that any user of the subject will know about the custom "Roles", and be able to extract the Principals from this list, This assumption is obviously invalid. The JAAS specified way is to obtain it from the Subject.Principles.getName(). The code modification also removed the ability to obtain the Windows Group (or JAAS roles) from the Subject.Principles.getName() as specified by JAAS. * Fixed the tests to exclude the incorrect GroupPrinciple named "Roles" * Update WindowsLoginModuleTest.java * Corrected the tests to accept Windows groups as (Role)Principles Refer to issue #1114. * Fixed the changed name in the assert. * Fixed the failing tests * Delete GroupPrincipal.java GroupPrincipal breaks the JAAS Principal and should be removed. * Delete the GroupPrincipal tests as as the GroupPrincipal was deleted * Removed the incorrect GroupPrincipal "Roles" from the code The existing code for WindowsLoginModule (since October 2016) does not bind the Windows (or Active DIrectory) group (names) to the Subject. It binds an object named "Roles" to the Subject. It therefore does not fulfill the basic function required of a JAAS WindowsLoginModule. Refer to Issue #1114. The packaging into a GroupPrincipal (which did not exist before the breaking change), was made to get it to work with WildFly (earlier versions as it does not work with latest versions in any case). Every Windows Group to which the User belongs, was placed into a new list of Principals (named "Roles") which was then packaged as a Principal (the GroupPrincipal) and added to the Subject.Principals list. This is just plain wrong, as it assumes that any user of the subject will know about the custom "Roles", and be able to extract the Principals from this list, This assumption is obviously invalid. The JAAS specified way is to obtain it from the Subject.Principles.getName(). The code modification also removed the ability to obtain the Windows Group (or JAAS roles) from the Subject.Principles.getName() as specified by JAAS. * Fixed the tests to exclude the incorrect GroupPrinciple named "Roles" * Removed the warnings on specific desrialization tests. * Disabled dserialization ban on serializable test. * Suppressed warnings when testing specifically for Serializability. Co-authored-by: Frederick Peter Eek <48279754+FreekEek@users.noreply.github.com>
The documented configuration for Tomcat with the JAASRealm and WindowsLoginModule does not work. No RolePrincipal(s) are found in the JAASRealm. This is due to the fact that the WindowsLoginModule packages all Windows Groups as RolePrincipals in a list which is then added as a GroupPrincipal.
The JAASRealm (configured to accept waffle.jaas.RolePrinciple as RolePrinciples), fails to identify any roles.
Tomcat 9. Waffle for Tomcat 9 (and earliers). It seems the problem was introduced in version 1.8.x according to the code, as it was not there in 1.7.x.
The bug was introduced in by devnullpointer on October 16 2016. He removed the line which added the RolePrinciples when he added code to add a GroupPrincipal with all the RolePrinciples.
The text was updated successfully, but these errors were encountered: