Bug 1124271 - JaasSecurityService does not utilize JAAS cache for Authentications
Summary: JaasSecurityService does not utilize JAAS cache for Authentications
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: JBoss Enterprise SOA Platform 5
Classification: JBoss
Component: unspecified
Version: 5.3.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: ---
Assignee: Mark Little
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-29 07:35 UTC by Jason Shepherd
Modified: 2025-02-10 03:42 UTC (History)
1 user (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-02-10 03:42:38 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
implementation of caching JaasSecurityService (5.81 KB, patch)
2014-08-04 02:14 UTC, Jason Shepherd
no flags Details | Diff

Description Jason Shepherd 2014-07-29 07:35:31 UTC
Description of problem:

JaasSecurityService does not implement JAAS caching, resulting in slow response times with ESB calls that need to be authenticated to a backend, such as LDAP.


Version-Release number of selected component (if applicable):

JBoss ESB JBESP_4_11_CP


How reproducible:

The problem can easily be reproduced with the security_basic quickstart. If I enable TRACE level logging for the 'org.jboss.security' package, and invoke 'and sendesb' a few times, I can see that the login module is validating the user on each request:


2014-07-25 11:17:06,006 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (pool-26-thread-1) initialize
2014-07-25 11:17:06,006 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (pool-26-thread-1) Security domain: jbossesb
...
2014-07-25 11:17:06,007 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (pool-26-thread-1) User 'esbuser' authenticated, loginOk=true
2014-07-25 11:17:06,007 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (pool-26-thread-1) commit, loginOk=true
2014-07-25 11:17:06,007 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (pool-26-thread-1) Checking user: esbuser, roles string: esbrole

As per my understanding, the expectation is that the principal would be obtained from cache instead.


Let's take a look at the underlying ESB classes related to the security integration. First, the security check is done in ActionProcessingPipeline.processPipeline [1]:

    			final SecurityService securityService = SecurityServiceFactory.getSecurityService();

    			final String moduleName = securityConf.getModuleName() ;
		        if (securityContext == null || !securityContext.isValid() || ((moduleName != null) && !moduleName.equals(securityContext.getDomain())))
		        {
		            if (authRequest == null)
		            {
		                throw new SecurityServiceException("Service '" + serviceName + "' has been configured for security but no AuthenticationRequest could be located in the Message Context. Cannot authenticate without an AuthenticationRequest.");
		            }

		             // No existing security context exist or it had expired. Create a new one to drive the autentication.
    		        securityContext = new SecurityContext(new Subject(), getSecurityContextTimeout(securityConf), moduleName);

            		// Authenticate the caller
        			securityService.authenticate(securityConf, securityContext, authRequest);

            		// Store the encrypted security context. Will be re-attached to outgoing messages.
        			SecurityContext.setSecurityContext(SecurityContext.encryptContext(securityContext));
		        }


And the securityService.authenticate in JaasSecurityService is implemented as:

	public void authenticate(final SecurityConfig config, SecurityContext securityContext, final AuthenticationRequest authRequest) throws SecurityServiceException
	{
		AssertArgument.isNotNull(config, "config");

		LoginContext loginContext;
		try
		{
			final EsbCallbackHandler callbackHandler = createCallbackHandler(config, authRequest);
			if (callbackHandler != null)
			{
    			loginContext = new LoginContext(config.getModuleName(), securityContext.getSubject(), callbackHandler);
			}
			else
			{
    			loginContext = new LoginContext(config.getModuleName(), securityContext.getSubject());
			}

    		loginContext.login();

    		//	add a runAs group if specified
    		addRunAs(config.getRunAs(), securityContext.getSubject());

		}
		catch (final LoginException e)
		{
			throw new SecurityServiceException("Exception while trying to login:", e);
		}

	}
 

[1] http://anonsvn.jboss.org/repos/labs/labs/jbossesb/tags/JBESB_4_11_CP2_CR1/product/rosetta/src/org/jboss/soa/esb/listeners/message/ActionProcessingPipeline.java
[2] http://anonsvn.jboss.org/repos/labs/labs/jbossesb/tags/JBESB_4_11_CP2_CR1/product/rosetta/src/org/jboss/internal/soa/esb/services/security/JaasSecurityService.java

Comment 1 Jason Shepherd 2014-08-04 02:14:17 UTC
Created attachment 923726 [details]
implementation of caching JaasSecurityService

Comment 2 Jason Shepherd 2014-08-04 02:15:35 UTC
An initial version of a custom ESB SecurityService implementation example is attached. Tadayoshi Sato tested it locally using the 'security_basic' quickstart and confirmed that the login module was invoked only once even calls were made twice.

The following Maven command under the custom-security-service project will build a JAR:

    $ mvn clean package

Then simply copy the JAR into $PROFILE/lib/ and rewrite $PROFILE/deployers/esb.deployer/jbossesb-properties.xml as follows:


    <properties name="security">
        <!--property name="org.jboss.soa.esb.services.security.implementationClass" value="org.jboss.internal.soa.esb.services.security.JaasSecurityService"/-->
        <property name="org.jboss.soa.esb.services.security.implementationClass" value="com.redhat.samples.esb.SampleSecurityService"/>
        ...

Comment 3 Red Hat Bugzilla 2025-02-10 03:42:38 UTC
This product has been discontinued or is no longer tracked in Red Hat Bugzilla.


Note You need to log in before you can comment on or make changes to this bug.