Karaf / KARAF-2219

Add option to jaas LoginModules to skip checking the credentials

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.0
    • Fix Version/s: None
    • Component/s: karaf-core
    • Labels:
      None

      Description

      In some cases the user is already authenticated in some other way and a JAAS LoginModule should only retrieve the roles of a user.

      For this case it makes sense to introduce an option like "checkCredentials" or "authenticate" that defaults to true. If it is set to false in a JAAS realm module config, then the credentials should not be validated.

        Activity

        nannou9 Piotr Klimczak added a comment -

        Just started to work with it.
        My idea was to create an option like: allowTlsAuthentication=true/false.
        The thing is not to break its current functionality and to let it work with TLS-authenticated contexts and username/password contexts in parallel.
        That is because of the nature of JAAS LoginModules: those modules are often shared.
        Hopefully the final solution will be beautiful enough. If not, then there will be no other choice than just to separate them.
        We will see. I am starting to code.

        BTW, do we really want to fix it in 4.0.0, not in 2.3, 3.0, 3.1?

        chris@die-schneider.net Christian Schneider added a comment -

        4.0.0 is just the marker for master. We can and should then backport. The problem with adding the versions earlier is that people doing a release have to shuffle more issues to the next one. This is why I only set 4.0.0 for now.

        nannou9 Piotr Klimczak added a comment -

        Due to CXF-5118 is this issue still "in force"?

        chris@die-schneider.net Christian Schneider added a comment -

        This is a quite old issue. As far as I recall there was some pushback on offering this option on the dev list and I did not follow this path further.


          People

          • Assignee:
            chris@die-schneider.net Christian Schneider
            Reporter:
            chris@die-schneider.net Christian Schneider