Example 21 with Subject

Use of javax.security.auth.Subject in project storm by apache, in class DRPCTest, method testStrict.

@Test
public void testStrict() throws Exception {
    ReqContext jt = new ReqContext(new Subject());
    SingleUserPrincipal jumpTopo = new SingleUserPrincipal("jump_topo");
    jt.subject().getPrincipals().add(jumpTopo);
    ReqContext jc = new ReqContext(new Subject());
    SingleUserPrincipal jumpClient = new SingleUserPrincipal("jump_client");
    jc.subject().getPrincipals().add(jumpClient);
    ReqContext other = new ReqContext(new Subject());
    SingleUserPrincipal otherUser = new SingleUserPrincipal("other");
    other.subject().getPrincipals().add(otherUser);
    Map<String, AclFunctionEntry> acl = new HashMap<>();
    acl.put("jump", new AclFunctionEntry(Arrays.asList(jumpClient.getName()), jumpTopo.getName()));
    Map<String, Object> conf = new HashMap<>();
    conf.put(Config.DRPC_AUTHORIZER_ACL_STRICT, true);
    conf.put(Config.STORM_PRINCIPAL_TO_LOCAL_PLUGIN, DefaultPrincipalToLocal.class.getName());
    DRPCSimpleACLAuthorizer auth = new DRPCSimpleACLAuthorizer() {

        @Override
        protected Map<String, AclFunctionEntry> readAclFromConfig() {
            return acl;
        }
    };
    auth.prepare(conf);
    // "jump" has an ACL entry: jump_topo is the invocation user (may fetchRequest/result), jump_client is the only allowed client (may execute)
    DRPC.checkAuthorization(jt, auth, "fetchRequest", "jump");
    assertThrows(() -> DRPC.checkAuthorization(jc, auth, "fetchRequest", "jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(other, auth, "fetchRequest", "jump"), AuthorizationException.class);
    DRPC.checkAuthorization(jt, auth, "result", "jump");
    assertThrows(() -> DRPC.checkAuthorization(jc, auth, "result", "jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(other, auth, "result", "jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(jt, auth, "execute", "jump"), AuthorizationException.class);
    DRPC.checkAuthorization(jc, auth, "execute", "jump");
    assertThrows(() -> DRPC.checkAuthorization(other, auth, "execute", "jump"), AuthorizationException.class);
    // "not_jump" has no ACL entry, so strict mode denies every operation to every principal
    assertThrows(() -> DRPC.checkAuthorization(jt, auth, "fetchRequest", "not_jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(jc, auth, "fetchRequest", "not_jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(other, auth, "fetchRequest", "not_jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(jt, auth, "result", "not_jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(jc, auth, "result", "not_jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(other, auth, "result", "not_jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(jt, auth, "execute", "not_jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(jc, auth, "execute", "not_jump"), AuthorizationException.class);
    assertThrows(() -> DRPC.checkAuthorization(other, auth, "execute", "not_jump"), AuthorizationException.class);
}
Also used: java.util.HashMap, org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer.AclFunctionEntry, org.apache.storm.security.auth.authorizer.DRPCSimpleACLAuthorizer, org.apache.storm.security.auth.ReqContext, org.apache.storm.security.auth.SingleUserPrincipal, javax.security.auth.Subject, org.apache.storm.security.auth.DefaultPrincipalToLocal, org.junit.Test

Example 22 with Subject

Use of javax.security.auth.Subject in project storm by apache, in class AuthUtilsTest, method populateSubjectTest.

@Test
public void populateSubjectTest() {
    AuthUtilsTestMock autoCred = Mockito.mock(AuthUtilsTestMock.class);
    Subject subject = new Subject();
    Map<String, String> cred = new HashMap<String, String>();
    Collection<IAutoCredentials> autos = Arrays.asList(new IAutoCredentials[] { autoCred });
    AuthUtils.populateSubject(subject, autos, cred);
    Mockito.verify(autoCred, Mockito.times(1)).populateSubject(subject, cred);
}
Also used: java.util.HashMap, javax.security.auth.Subject, org.junit.Test

Example 23 with Subject

Use of javax.security.auth.Subject in project storm by apache, in class AuthUtilsTest, method updateSubjectWithNullAutosTest.

@Test
public void updateSubjectWithNullAutosTest() {
    AuthUtilsTestMock mock = Mockito.mock(AuthUtilsTestMock.class);
    Collection<IAutoCredentials> autos = Arrays.asList(new IAutoCredentials[] { mock });
    Subject s = new Subject();
    AuthUtils.updateSubject(s, autos, null);
    Mockito.verify(mock, Mockito.times(1)).updateSubject(s, null);
}
Also used: javax.security.auth.Subject, org.junit.Test

Example 24 with Subject

Use of javax.security.auth.Subject in project tomcat by apache, in class SpnegoAuthenticator, method doAuthenticate.

@Override
protected boolean doAuthenticate(Request request, HttpServletResponse response) throws IOException {
    if (checkForCachedAuthentication(request, response, true)) {
        return true;
    }
    MessageBytes authorization = request.getCoyoteRequest().getMimeHeaders().getValue("authorization");
    if (authorization == null) {
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("authenticator.noAuthHeader"));
        }
        response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
    authorization.toBytes();
    ByteChunk authorizationBC = authorization.getByteChunk();
    if (!authorizationBC.startsWithIgnoreCase("negotiate ", 0)) {
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("spnegoAuthenticator.authHeaderNotNego"));
        }
        response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
    // Skip the 10-byte "negotiate " prefix and base64-decode the SPNEGO token that follows it
    authorizationBC.setOffset(authorizationBC.getOffset() + 10);
    byte[] decoded = Base64.decodeBase64(authorizationBC.getBuffer(), authorizationBC.getOffset(), authorizationBC.getLength());
    if (getApplyJava8u40Fix()) {
        SpnegoTokenFixer.fix(decoded);
    }
    if (decoded.length == 0) {
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("spnegoAuthenticator.authHeaderNoToken"));
        }
        response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    }
    LoginContext lc = null;
    GSSContext gssContext = null;
    byte[] outToken = null;
    Principal principal = null;
    try {
        try {
            lc = new LoginContext(getLoginConfigName());
            lc.login();
        } catch (LoginException e) {
            log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return false;
        }
        Subject subject = lc.getSubject();
        // Assume the GSSContext is stateless
        // TODO: Confirm this assumption
        final GSSManager manager = GSSManager.getInstance();
        // IBM JDK only understands indefinite lifetime
        final int credentialLifetime;
        if (JreVendor.IS_IBM_JVM) {
            credentialLifetime = GSSCredential.INDEFINITE_LIFETIME;
        } else {
            credentialLifetime = GSSCredential.DEFAULT_LIFETIME;
        }
        final PrivilegedExceptionAction<GSSCredential> action = new PrivilegedExceptionAction<GSSCredential>() {

            @Override
            public GSSCredential run() throws GSSException {
                // 1.3.6.1.5.5.2 is the SPNEGO mechanism OID; ACCEPT_ONLY yields a server-side credential
                return manager.createCredential(null, credentialLifetime, new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);
            }
        };
        // Acquire the service credential and accept the client's token while running as the service Subject
        gssContext = manager.createContext(Subject.doAs(subject, action));
        outToken = Subject.doAs(lc.getSubject(), new AcceptAction(gssContext, decoded));
        if (outToken == null) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"));
            }
            // Start again
            response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return false;
        }
        principal = Subject.doAs(subject, new AuthenticateAction(context.getRealm(), gssContext, storeDelegatedCredential));
    } catch (GSSException e) {
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("spnegoAuthenticator.ticketValidateFail"), e);
        }
        response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    } catch (PrivilegedActionException e) {
        Throwable cause = e.getCause();
        if (cause instanceof GSSException) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
            }
        } else {
            log.error(sm.getString("spnegoAuthenticator.serviceLoginFail"), e);
        }
        response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE);
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false;
    } finally {
        if (gssContext != null) {
            try {
                gssContext.dispose();
            } catch (GSSException e) {
                // Ignore
            }
        }
        if (lc != null) {
            try {
                lc.logout();
            } catch (LoginException e) {
                // Ignore
            }
        }
    }
    // Send response token on success and failure
    response.setHeader(AUTH_HEADER_NAME, AUTH_HEADER_VALUE_NEGOTIATE + " " + Base64.encodeBase64String(outToken));
    if (principal != null) {
        register(request, response, principal, Constants.SPNEGO_METHOD, principal.getName(), null);
        Pattern p = noKeepAliveUserAgents;
        if (p != null) {
            MessageBytes ua = request.getCoyoteRequest().getMimeHeaders().getValue("user-agent");
            if (ua != null && p.matcher(ua.toString()).matches()) {
                response.setHeader("Connection", "close");
            }
        }
        return true;
    }
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    return false;
}
Also used: java.util.regex.Pattern, org.apache.tomcat.util.buf.ByteChunk, java.security.PrivilegedActionException, org.apache.tomcat.util.buf.MessageBytes, java.security.PrivilegedExceptionAction, org.ietf.jgss.Oid, javax.security.auth.Subject, javax.security.auth.login.LoginContext, org.ietf.jgss.GSSException, org.ietf.jgss.GSSCredential, org.ietf.jgss.GSSContext, org.ietf.jgss.GSSManager, javax.security.auth.login.LoginException, java.security.Principal

Example 25 with Subject

Use of javax.security.auth.Subject in project tomcat by apache, in class AuthenticatorBase, method logout.

@Override
public void logout(Request request) {
    AuthConfigProvider provider = getJaspicProvider();
    if (provider != null) {
        MessageInfo messageInfo = new MessageInfoImpl(request, request.getResponse(), true);
        // The client Subject stored on the request by the JASPIC authentication; nothing to clean if absent
        Subject client = (Subject) request.getNote(Constants.REQ_JASPIC_SUBJECT_NOTE);
        if (client == null) {
            return;
        }
        ServerAuthContext serverAuthContext;
        try {
            ServerAuthConfig serverAuthConfig = provider.getServerAuthConfig("HttpServlet", jaspicAppContextID, CallbackHandlerImpl.getInstance());
            String authContextID = serverAuthConfig.getAuthContextID(messageInfo);
            serverAuthContext = serverAuthConfig.getAuthContext(authContextID, null, null);
            serverAuthContext.cleanSubject(messageInfo, client);
        } catch (AuthException e) {
            log.debug(sm.getString("authenticator.jaspicCleanSubjectFail"), e);
        }
    }
    Principal p = request.getPrincipal();
    if (p instanceof TomcatPrincipal) {
        try {
            ((TomcatPrincipal) p).logout();
        } catch (Throwable t) {
            ExceptionUtils.handleThrowable(t);
            log.debug(sm.getString("authenticator.tomcatPrincipalLogoutFail"), t);
        }
    }
    // Registering a null principal clears the cached authentication state for the request
    register(request, request.getResponse(), null, null, null, null);
}
Also used: javax.security.auth.message.config.AuthConfigProvider, org.apache.catalina.authenticator.jaspic.MessageInfoImpl, javax.security.auth.message.AuthException, javax.security.auth.Subject, javax.security.auth.message.config.ServerAuthConfig, java.security.Principal, org.apache.catalina.TomcatPrincipal, org.apache.catalina.realm.GenericPrincipal, javax.security.auth.message.MessageInfo, javax.security.auth.message.config.ServerAuthContext
