Question

I'm running Jackrabbit 2.6.4 in Glassfish 4. I have deployed Jackrabbit as a connector resource using the provided rar.

I have got it up and running so that I can call the Jackrabbit repository from inside stateless EJBs and can create nodes etc. I am now trying to replace the Default LoginModule mechanism that is provided out of the box with my own custom LoginModule.

So far I have:

  • Created a Custom Realm and LoginModule that returns a user's Principals (currently String values e.g. admin, read, write) and deployed this to the domain/lib directory

  • Configured my web.xml and sun-web.xml files with the roles to group mappings and enabled basic authentication. This is all working as expected and I can enforce roles on my EJBs.

  • Got Jackrabbit to use my Custom Login module instead of its own (I removed the login module configuration from repository.xml and changed the security app name to match my realm name)

I am now running into the following problems:

  • Jackrabbit does not find the existing subject created by the application container when I login. This appears to be a problem with the way Jackrabbit looks up the Subject:

        AccessControlContext acc = AccessController.getContext();
        subject = Subject.getSubject(acc);
    

    This returns null in Glassfish. Instead it appears you need to use:

         Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
    

    I worked round this issue by getting the subject using the above code and then logging in to a repository inside a Subject.doAs block e.g.

        Subject.doAs(subject, new PrivilegedAction<String>() {
            @Override public String run() {
                Session session = null;
                try {
                    // runs with the container-provided Subject on the access control context
                    session = repository.login();
                } catch (RepositoryException e) {
                    log.error("Failed", e);
                } finally {
                    if (session != null) {
                        session.logout();
                    }
                }
                return null;
            }
        });

  • This now works but the next problem is that the JackRabbit DefaultAccessManager expects the Subject to contain JackRabbit typed principals e.g. org.apache.jackrabbit.core.security.SystemPrincipal which I cannot return from my custom login module as it does not have access to the JackRabbit classes.

  • My first attempt to work around this was to create my own AccessManager but JackRabbit can't instantiate this as it is in my WAR and is not available to the JackRabbit code inside the connector resource.

  • My next attempt was to programmatically add the principal to the Subject inside my EJB before passing it to Jackrabbit. This worked, but then I discovered running Subject.doAs inside an EJB in Glassfish causes a number of issues and does not appear to be supported. There are also background threads inside Jackrabbit that need a subject with the JackRabbit typed principals in it.

I am now completely stumped on how to get a custom JAAS Glassfish login module to work with Jackrabbit inside Glassfish and am wondering if anyone out there has figured this out.

In the meantime I am currently considering giving up on JackRabbit security and handling it all in my application layer and just using the default login module under the covers to log into Jackrabbit.


Solution

I've finally got Glassfish, JackRabbit and JAAS working together so that I can create a Subject using my custom LoginModule that JackRabbit then uses to create a session. Below are the steps that I took to resolve the issues described in my original question:

  1. Instead of using the JackRabbit RAR (Model 2) I now include the JackRabbit jars inside my WAR (Model 1). This allowed me to implement my own custom AccessManager that does not rely on the JackRabbit typed principals. The biggest disadvantage of this approach is that I now have to create and shut down the repository myself. The solution I went with was an ApplicationScoped CDI Producer that creates the repo and then shuts it down in the dispose method. This makes it easy to inject the repo into the classes.

  2. I solved the issue with JackRabbit finding the Subject in Glassfish by patching jackrabbit-core. It appears this issue has been around for some time (see JCR-3188), and a patch has been provided but never included in the source code. I applied the patch to 2.6.4 and JackRabbit is now able to find and use the Subject in Glassfish.
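As an added illustration of step 1 (example code, not from the question or the Jackrabbit project), an application-scoped CDI producer that creates the embedded repository once and shuts it down in its disposer; the configuration and home paths are assumptions.

```java
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Disposes;
import javax.enterprise.inject.Produces;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;

import org.apache.jackrabbit.api.JackrabbitRepository;
import org.apache.jackrabbit.core.RepositoryImpl;
import org.apache.jackrabbit.core.config.RepositoryConfig;

/**
 * Model 1 deployment: jackrabbit-core is bundled in the WAR, so the
 * application owns the repository lifecycle. One instance is created for
 * the whole application and shut down when the application stops.
 */
@ApplicationScoped
public class RepositoryProducer {

    // Assumed locations; point these at your repository.xml and repository home.
    private static final String CONFIG_FILE = "/var/lib/app/repository.xml";
    private static final String REPO_HOME = "/var/lib/app/repository";

    @Produces
    @ApplicationScoped
    public Repository createRepository() throws RepositoryException {
        // repository.xml carries the security configuration (no LoginModule,
        // the custom AccessManager); the container Subject is used at login.
        RepositoryConfig config = RepositoryConfig.create(CONFIG_FILE, REPO_HOME);
        return RepositoryImpl.create(config);
    }

    // CDI invokes the disposer when the application scope is destroyed,
    // which is where the repository must be shut down cleanly.
    public void shutdownRepository(@Disposes Repository repository) {
        if (repository instanceof JackrabbitRepository) {
            ((JackrabbitRepository) repository).shutdown();
        }
    }
}
```

An EJB then obtains the repository with a plain `@Inject Repository repository;` field.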

Licensed under: CC-BY-SA with attribution