[jira] Created: (JCR-1584) JAAS login fails with javax.jcr.LoginException: CallbackHandler does not support: javax.security.auth.callback.NameCallback

JAAS login fails with javax.jcr.LoginException: CallbackHandler does not support: javax.security.auth.callback.NameCallback
---------------------------------------------------------------------------------------------------------------------------

                 Key: JCR-1584
                 URL: https://issues.apache.org/jira/browse/JCR-1584
             Project: Jackrabbit
          Issue Type: Bug
    Affects Versions: 1.4
         Environment: jackrabbit-jca-1.4.rar
JBoss-4.0.5.GA
jdk1.6
            Reporter: Michal Borowiecki


Security configured according to http://wiki.apache.org/jackrabbit/JackrabbitOnJbossSecurity

login() is invoked on Repository with no Credentials in order to use JAAS (according to JCR specification section 6.9.1 JAAS), like this:
Session session = repository.login();

An exception is thrown:
javax.resource.ResourceException: Failed to create session: CallbackHandler does not support: javax.security.auth.callback.NameCallback@1b012c1: CallbackHandler does not support: javax.security.auth.callback.NameCallback@1b012c1
        at org.apache.jackrabbit.jca.JCAManagedConnectionFactory.openSession(JCAManagedConnectionFactory.java:145)
        at org.apache.jackrabbit.jca.JCAManagedConnectionFactory.createManagedConnection(JCAManagedConnectionFactory.java:176)
        at org.apache.jackrabbit.jca.JCAManagedConnectionFactory.createManagedConnection(JCAManagedConnectionFactory.java:168)
        at org.jboss.resource.connectionmanager.InternalManagedConnectionPool.createConnectionEventListener(InternalManagedConnectionPool.java:565)
        at org.jboss.resource.connectionmanager.InternalManagedConnectionPool.getConnection(InternalManagedConnectionPool.java:250)
        at org.jboss.resource.connectionmanager.JBossManagedConnectionPool$BasePool.getConnection(JBossManagedConnectionPool.java:529)
        at org.jboss.resource.connectionmanager.BaseConnectionManager2.getManagedConnection(BaseConnectionManager2.java:341)
        at org.jboss.resource.connectionmanager.TxConnectionManager.getManagedConnection(TxConnectionManager.java:301)
        at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:396)
        at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:842)
        at org.apache.jackrabbit.jca.JCARepositoryHandle.login(JCARepositoryHandle.java:98)
        at org.apache.jackrabbit.jca.JCARepositoryHandle.login(JCARepositoryHandle.java:89)
        at org.apache.jackrabbit.jca.JCARepositoryHandle.login(JCARepositoryHandle.java:65)
...
Caused by: javax.jcr.LoginException: CallbackHandler does not support: javax.security.auth.callback.NameCallback@1b012c1: CallbackHandler does not support: javax.security.auth.callback.NameCallback@1b012c1: CallbackHandler does not support: javax.security.auth.callback.NameCallback@1b012c1
        at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1240)
        at org.apache.jackrabbit.jca.JCAManagedConnectionFactory.openSession(JCAManagedConnectionFactory.java:140)
        ... 139 more
Caused by: javax.security.auth.login.LoginException: CallbackHandler does not support: javax.security.auth.callback.NameCallback@1b012c1
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.getUsernameAndPassword(UsernamePasswordLoginModule.java:299)
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:181)
        at sun.reflect.GeneratedMethodAccessor324.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
        at org.apache.jackrabbit.core.security.AuthContext$JAAS.login(AuthContext.java:88)
        at org.apache.jackrabbit.core.RepositoryImpl.login(RepositoryImpl.java:1232)
        ... 140 more
Caused by: javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
        at org.apache.jackrabbit.core.security.CredentialsCallbackHandler.handle(CredentialsCallbackHandler.java:68)
        at javax.security.auth.login.LoginContext$SecureCallbackHandler$1.run(LoginContext.java:955)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.login.LoginContext$SecureCallbackHandler.handle(LoginContext.java:951)
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.getUsernameAndPassword(UsernamePasswordLoginModule.java:280)
        ... 152 more






--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/JCR-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596028#action_12596028 ]

Michal Borowiecki commented on JCR-1584:
----------------------------------------

CredentialsCallbackHandler.handle(Callback callbacks[]) method does such a check:

if((callbacks[i] instanceof NameCallback) && (credentials instanceof SimpleCredentials))

since credentials are null instanceof returns false and the callback is not recognized and the exception is thrown : throw new UnsupportedCallbackException(callbacks[i], "Unrecognized Callback");

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/JCR-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596358#action_12596358 ]

Michal Borowiecki commented on JCR-1584:
----------------------------------------

I have narrowed this down to the code in the login method od RepositoryImpl:

 if (credentials == null) {
                // null credentials, obtain the identity of the already-authenticated
                // subject from access control context
                AccessControlContext acc = AccessController.getContext();
                Subject subject = Subject.getSubject(acc);
                if (subject != null) {
                    return createSession(subject, workspaceName);
                }
            }
            // login either using JAAS or our own LoginModule
            AuthContext authCtx;
            LoginModuleConfig lmc = repConfig.getLoginModuleConfig();
            if (lmc == null) {
                authCtx = new AuthContext.JAAS(repConfig.getAppName(), credentials);
            } else {
                authCtx = new AuthContext.Local(
                        lmc.getLoginModule(), lmc.getParameters(), credentials);
            }
            authCtx.login();

AuthContext.JAAS.login() is only called if Subject.getSubject(acc) returns null.

I verifed it and in fact is returns null in my code as well.
The code using the repository is in an ejb module.
The security-domain is configured in jboss.xml and works correctly.

Perhaps some more configuration is required?
I'll try to investigate.


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/JCR-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596373#action_12596373 ]

Michal Borowiecki commented on JCR-1584:
----------------------------------------

What I have googled indicates that obtaining the subject by calling Subject.getSubject() is not supported by the majority of application servers - it simply returns null.
It seems there is no portable mechanism to obtain the subject in j2ee environment.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/JCR-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596375#action_12596375 ]

Michal Borowiecki commented on JCR-1584:
----------------------------------------

A working workaround is to obtain the Subject in a server-specific way and invoke repository operations inside a PrivilegedAction passed to the Subject.doAs method.
This is however not portable.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/JCR-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12596378#action_12596378 ]

Michal Borowiecki commented on JCR-1584:
----------------------------------------

This issue can be closed, since this is not really a Jackrabbit issue.
Unless you think it's worth adding some portable mechanism to obtain the Subject at Jackrabbit level.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/JCR-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marcel Reutegger resolved JCR-1584.
-----------------------------------

    Resolution: Invalid

I don't think there is much we can do. Using Subject.doAs() is the standard mechanism to perform actions with an authenticated subject.

See also: http://markmail.org/message/txlboy6pcg23m3bo

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.