I’m currently using a proxy to authenticate the user with a JSON Web Token and pass the X-Forwarded-User header to a ‘proxy_auth’ configured ES server.
It would be great if a new rule were implemented to cover this use case.
And I believe I could give a try to this. Looks easy enough.
Example
The config would look something like this:

```yaml
jwt_auth:
  # For symmetric encryption
  secret: "string"
  # The JWT claim used as replacement of
  # the @user placeholder
  user_claim: "user.claim"
```
I think that covers my current needs. But some other features like asymmetric JWT would be cool too.
The token may also include extra information that could be made available to subsequent rules. That would be awesome.
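As an added illustration, not code from ReadonlyREST or from the PR, this is what the proposed `jwt_auth` rule would have to do on each request: verify the HS256 signature with the configured `secret`, refuse tokens whose `alg` is anything else (including `none`), honour `exp` when present, and resolve the dotted `user_claim` path into the value that replaces `@user`. The `make_hs256_jwt` helper and the sample claims are constructed for this example; the real plugin uses the jjwt library rather than hand-rolled parsing.

```python
import base64
import hashlib
import hmac
import json
import time

def _b64url_decode(s: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def resolve_claim(claims: dict, path: str):
    """Follow a dotted user_claim path such as 'user.claim' into the decoded claims."""
    node = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def user_from_jwt(token: str, secret: str, user_claim: str, now=None):
    """Return the value to substitute for @user, or None if the token must be rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    # Accept only the symmetric algorithm the rule is configured for; "none" and others are rejected
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    exp = claims.get("exp")  # NumericDate: seconds since the epoch; absent means no expiry check
    if exp is not None and (not isinstance(exp, (int, float)) or (time.time() if now is None else now) >= exp):
        return None
    user = resolve_claim(claims, user_claim)
    return user if isinstance(user, str) else None

def make_hs256_jwt(claims: dict, secret: str) -> str:
    """Constructed helper: mint an HS256 token the way the authenticating proxy would."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header_b64 = enc(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = enc(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{enc(sig)}"
```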
I’ve submitted PR 218, mainly to see if the integration tests are OK; I still need to set up docker.
Also, there were some issues with the transitive dependencies (jackson-databind) of the JWT library I’ve used. For some reason they were not included in the classpath unless I listed them explicitly in build.gradle. Not sure why…
So, today I’ve set up docker and newman. But I’m having an issue with Java security stuff. Apparently jackson-databind wants the “accessDeclaredMembers” runtime permission and the JVM is not granting it access.
I’ve checked src/main/plugin-metadata/plugin-security.policy and the permission is already requested there. @sscarduzio, do you know what’s going on?
```
[2017-05-19T03:44:24,396][WARN ][r.suppressed ] path: /_cat/indices, params: {}
java.security.AccessControlException: access denied ("java.lang.RuntimePermission" "accessDeclaredMembers")
	at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) ~[?:1.8.0_131]
	at java.security.AccessController.checkPermission(AccessController.java:884) ~[?:1.8.0_131]
	at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) ~[?:1.8.0_131]
	at java.lang.Class.checkMemberAccess(Class.java:2348) ~[?:1.8.0_131]
	at java.lang.Class.getDeclaredConstructors(Class.java:2019) ~[?:1.8.0_131]
	at com.fasterxml.jackson.databind.util.ClassUtil$ClassMetadata.getConstructors(ClassUtil.java:1186) ~[?:?]
	...
	at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:541) ~[?:?]
	at org.elasticsearch.plugin.readonlyrest.acl.blocks.rules.impl.JwtAuthSyncRule.match(JwtAuthSyncRule.java:64) ~[?:?]
	...
```