How to access the Subject or user/password data from a CRaSH command - CRaSH with java security enabled?


Tom Vleminckx

Apr 17, 2014, 4:44:32 AM
to crash...@googlegroups.com
After having written a plugin to integrate with the websphere authentication infrastructure, I'm left with the following question:
* How can I get access to the authenticated user (Subject preferably, or the raw user/password data) from custom commands (so I can issue 'runAs' code blocks)?
=> looking at the code I can see that in .java the user & password are stored in the SSHSession (but I don't see a way to access this from my scripts/commands)
* does someone have experience running CRaSH in an application server with 'java/j2ee security' enabled?

My suggestion would be to bind the authenticated Subject to the CRaSH session or even execute automatically every command in a runAs block...

What are your thoughts?

Julien Viet

Apr 18, 2014, 5:06:24 AM
to crash...@googlegroups.com
Hi,

sorry for the delay, I am at the moment at a conf (devoxx) with limited internet access :-)


On Thursday 17 April 2014 at 10:44, Tom Vleminckx wrote:

> After having written a plugin to integrate with the websphere authentication infrastructure, I'm left with the following question:
> * How can I get access to the authenticated user (Subject preferably, or the raw user/password data) from custom commands (so I can issue 'runAs' code blocks)?
> => looking at the code I can see that in .java the user & password are stored in the SSHSession (but I don't see a way to access this from my scripts/commands)

Indeed, today this is only available for the SSH specific commands (like SCP, see an example here https://github.com/gatein/gatein-management/blob/master/cli/src/main/java/org/gatein/management/cli/crash/commands/scp/SCPCommand.java)

I believe the username/password could also be made available via the org.crsh.shell.InteractionContext interface implemented by SSH and provide such information as generic properties (via the getProperty(String propertyName) method implemented by SSHInlineShellProcessContext).

I believe this is fairly easy and natural to implement in the SSHInlineShellProcessContext as this object could also reference those are created by the SSHInlineCommand that has a reference to the ServerSession.

Would you mind giving it a try?

> * does someone have experience running CRaSH in an application server with 'java/j2ee security' enabled?


I believe this can be used with a custom authenticator that would delegate to the underlying java/j2ee implementation.

There is an existing “jaas” authenticator, it can be used most of the time, given that you configure the proper domain to authenticate.

>
> My suggestion would be to bind the authenticated Subject to the CRaSH session or even execute automatically every command in a runAs block...
>
> What are your thoughts?


Julien Viet
julienviet.com



Tom Vleminckx

Apr 18, 2014, 8:43:14 AM
to crash...@googlegroups.com
thx for your answer

Regarding the Jaas Module => I wrote a specific one for websphere.  Hence my question about the propagation of the obtained Subject (or user/password).

I'll have a look at your suggestions & will (hopefully) come back soon with some feedback

I guess you would be ok to pull in the websphere & Subject support once they work fine?  For the moment I'm planning to release the websphere specific support as a (new) crash.websphere module.  It also includes the necessary 'hacks' to get access to websphere's clustered jmx mbeanserver.



Julien Viet

Apr 18, 2014, 9:39:02 AM
to crash...@googlegroups.com
We welcome all contributions :-) , just check that using the websphere API is possible regarding the license and that it can be built without requiring a specific env setup.


Julien Viet
julienviet.com

Tom Vleminckx

Apr 18, 2014, 10:24:46 AM
to crash...@googlegroups.com
There will be no compile time dependency (will use reflection to avoid this)


Naz

Aug 13, 2014, 10:17:35 PM
to crash...@googlegroups.com
Hi all,
Does anyone have an update on this?
I'm also trying to get auth information (username will be quite enough) directly from Command. I can see it in CRaSHSession but it seems that there is no way to get it from there.
In my scenario I want to check if authenticated user has permission to actually run requested Command.

Best regards,
Naz
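
The idea discussed in this thread (bind the authenticated Subject to the session, check the user before a command runs, then execute the command in a runAs block) can be sketched with JDK classes only. This is an added example, not CRaSH or WebSphere code: `SubjectBoundSession`, `UserPrincipal`, the command-to-user map and the sample user are hypothetical.

```java
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

// Added example: hypothetical session wrapper, not a CRaSH or WebSphere class.
public class SubjectBoundSession {
    // Stand-in for the principal a JAAS login module would add to the Subject.
    record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    private final Subject subject;                  // bound once, at authentication time
    private final Map<String, Set<String>> acl;     // command name -> user names allowed to run it

    SubjectBoundSession(Subject subject, Map<String, Set<String>> acl) {
        subject.setReadOnly(); // commands must not be able to add principals to their own session
        this.subject = subject;
        this.acl = acl;
    }

    // Deny by default, then run the command body with the Subject associated with the call.
    <T> T execute(String command, PrivilegedAction<T> body) {
        Set<String> allowed = acl.getOrDefault(command, Set.of());
        boolean permitted = subject.getPrincipals(UserPrincipal.class).stream()
                .map(Principal::getName)
                .anyMatch(allowed::contains);
        if (!permitted) {
            throw new SecurityException("not authorized to run '" + command + "'");
        }
        return Subject.doAs(subject, body);
    }

    public static void main(String[] args) {
        // Constructed sample data; a real Subject would come from LoginContext.getSubject().
        Subject alice = new Subject();
        alice.getPrincipals().add(new UserPrincipal("alice"));
        SubjectBoundSession session = new SubjectBoundSession(
                alice, Map.of("thread", Set.of("alice"), "jmx", Set.of("admin")));
        String out = session.execute("thread", () -> "thread command ran as alice");
        System.out.println(out);
        try {
            session.execute("jmx", () -> "unreachable");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Filtering on the principal class as well as the name keeps a principal of another type with the same name from matching the list. On JDK 18 and later `Subject.doAs` is deprecated in favour of `Subject.callAs`.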
 
