[QPID-7562] Ensure that HTTP threads always carry a ManagementConnectionPrincipal - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: qpid-java-broker-7.0.0
Component/s: Broker-J
Labels:
None

Description

~~QPID-7549~~ exposed a defect that HTTP threads are not always carrying a Subject.

We should ensure that HTTP threads always carry a Subject. If the user is not yet authenticated, this will simple be a Subject containing a ManagementConnectionPrincipal. If think this is best done once in a filter, towards the front of the filter chain. The management thread, working on behalf of the user must also ensure that the task executor subject is not inherited,.

Is there a reason why AuthenticationResultCacher should not consider all SocketConnectionPrincipal rather than just ConnectionPrincipal. I realise that if Qpid were to be behind a web proxy, then there would be not uniqueness added (as the end point would be same), but the same argument could be made about AMQP if it were using a AMQP proxy.

I think the responsibilities for preemptive authentication and possibly sasl authentication should be refactored into filters. I think the current code is hard to follow (separate JIRA).

The simply fix for qpid-java-6.1.x will be carried out under ~~QPID-7549~~.

Attachments

Issue Links

relates to

QPID-7549 [Java Broker] Authentication using SimpleLDAP authentication provider fails with NPE when caching of authentication results is enabled(by default)

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Keith Wall

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 01/Dec/16 19:44

Updated:: 14/Nov/17 21:59

Resolved:: 15/Dec/16 09:58