Example 1 with IdentityToken
use of com.sun.corba.ee.org.omg.CSI.IdentityToken in project Payara by payara.
the class SecClientRequestInterceptor method send_request.
/**
* send_request() interception point adds the security context to the service context field.
*/
@Override
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
/**
* CSIV2 level 0 implementation only requires stateless clients. Client context id is therefore
* always set to 0.
*/
// CSIV2 requires type to be long
long cContextId = 0;
// XXX: Workaround for non-null connection object ri for local invocation.
ConnectionExecutionContext.removeClientThreadID();
/**
* CSIV2 level 0 implementation does not require any authorization tokens to be sent over the wire.
* So set cAuthzElem to empty.
*/
AuthorizationElement[] cAuthzElem = {};
/* Client identity token to be added to the service context field */
IdentityToken cIdentityToken = null;
/* Client authentication token to be added to the service context field */
byte[] cAuthenticationToken = {};
/* CDR encoded Security Attribute Service element */
byte[] cdr_encoded_saselm = null;
// A single JAAS credential
java.lang.Object cred = null;
if (_logger.isLoggable(Level.FINE))
_logger.log(Level.FINE, "++++ Entered " + prname + "send_request" + "()");
// SecurityContext to be sent
SecurityContext secctxt = null;
ORB orb = orbHelper.getORB();
org.omg.CORBA.Object effective_target = ri.effective_target();
try {
secctxt = secContextUtil.getSecurityContext(effective_target);
} catch (InvalidMechanismException ime) {
_logger.log(Level.SEVERE, "iiop.sec_context_exception", ime);
throw new RuntimeException(ime.getMessage());
} catch (InvalidIdentityTokenException iite) {
_logger.log(Level.SEVERE, "iiop.runtime_exception", iite);
throw new RuntimeException(iite.getMessage());
}
/**
* In an unprotected invocation, there is nothing to be sent to the service context field. Check for
* this case.
*/
if (secctxt == null) {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Security context is null (nothing to add to service context)");
}
return;
}
final SecurityContext sCtx = secctxt;
/* Construct an authentication token */
if (secctxt.authcls != null) {
cred = AccessController.doPrivileged(new PrivilegedAction() {
@Override
public java.lang.Object run() {
return getCred(sCtx.subject.getPrivateCredentials(sCtx.authcls), sCtx.authcls);
}
});
try {
SecurityMechanismSelector sms = Lookups.getSecurityMechanismSelector();
ConnectionContext cc = sms.getClientConnectionContext();
CompoundSecMech mech = cc.getMechanism();
cAuthenticationToken = createAuthToken(cred, secctxt.authcls, orb, mech);
} catch (Exception e) {
_logger.log(Level.SEVERE, "iiop.createauthtoken_exception", e);
throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_authtok_create", "Error while constructing an authentication token."));
}
}
/* Construct an identity token */
if (secctxt.identcls != null) {
cred = getCred(secctxt.subject.getPublicCredentials(secctxt.identcls), secctxt.identcls);
try {
cIdentityToken = createIdToken(cred, secctxt.identcls, orb);
} catch (Exception e) {
_logger.log(Level.SEVERE, "iiop.createidtoken_exception", e);
throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_idtok_create", "Error while constructing an identity token."));
}
} else {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Constructing an Absent Identity Token");
}
cIdentityToken = new IdentityToken();
cIdentityToken.absent(true);
}
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Creating an EstablishContext message");
}
EstablishContext ec = new EstablishContext(cContextId, cAuthzElem, cIdentityToken, cAuthenticationToken);
SASContextBody sasctxbody = new SASContextBody();
sasctxbody.establish_msg(ec);
/* CDR encode the SASContextBody */
Any SasAny = orb.create_any();
SASContextBodyHelper.insert(SasAny, sasctxbody);
try {
cdr_encoded_saselm = codec.encode_value(SasAny);
} catch (Exception e) {
_logger.log(Level.SEVERE, "iiop.encode_exception", e);
throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_cdr_encode", "CDR Encoding error for a SAS context element."));
}
/* add SAS element to service context list */
ServiceContext sc = new ServiceContext();
sc.context_id = SECURITY_ATTRIBUTE_SERVICE_ID;
sc.context_data = cdr_encoded_saselm;
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Adding EstablishContext message to service context list");
}
boolean no_replace = false;
ri.add_request_service_context(sc, no_replace);
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Added EstablishContext message to service context list");
}
}
Also used :
Any(org.omg.CORBA.Any)
PrivilegedAction(java.security.PrivilegedAction)
EstablishContext(com.sun.corba.ee.org.omg.CSI.EstablishContext)
MTCompleteEstablishContext(com.sun.corba.ee.org.omg.CSI.MTCompleteEstablishContext)
CompoundSecMech(com.sun.corba.ee.org.omg.CSIIOP.CompoundSecMech)
ServiceContext(org.omg.IOP.ServiceContext)
SASContextBody(com.sun.corba.ee.org.omg.CSI.SASContextBody)
AuthorizationElement(com.sun.corba.ee.org.omg.CSI.AuthorizationElement)
IdentityToken(com.sun.corba.ee.org.omg.CSI.IdentityToken)
SecurityContext(com.sun.enterprise.common.iiop.security.SecurityContext)
ORB(org.omg.CORBA.ORB)
Example 2 with IdentityToken
use of com.sun.corba.ee.org.omg.CSI.IdentityToken in project Payara by payara.
the class SecClientRequestInterceptor method createIdToken.
/**
* create and return an identity token from the credential. The identity token is cdr encoded.
*/
private IdentityToken createIdToken(java.lang.Object cred, Class cls, ORB orb) throws Exception {
IdentityToken idtok = null;
// byte[] cdrval ; // CDR encoding buffer
Any any = orb.create_any();
idtok = new IdentityToken();
if (X500Principal.class.isAssignableFrom(cls)) {
_logger.log(Level.FINE, "Constructing an X500 DN Identity Token");
X500Principal credname = (X500Principal) cred;
X501DistinguishedNameHelper.insert(any, credname.getEncoded());
/* IdentityToken with CDR encoded X500 principal */
idtok.dn(codec.encode_value(any));
} else if (X509CertificateCredential.class.isAssignableFrom(cls)) {
_logger.log(Level.FINE, "Constructing an X509 Certificate Chain Identity Token");
/* create a DER encoding */
X509CertificateCredential certcred = (X509CertificateCredential) cred;
X509Certificate[] certchain = certcred.getX509CertificateChain();
_logger.log(Level.FINE, "Certchain length = " + certchain.length);
byte[] certBytes = CertificateFactory.getInstance("X.509").generateCertPath(asList(certchain)).getEncoded();
X509CertificateChainHelper.insert(any, certBytes);
/* IdentityToken with CDR encoded certificate chain */
idtok.certificate_chain(codec.encode_value(any));
} else if (AnonCredential.class.isAssignableFrom(cls)) {
_logger.log(Level.FINE, "Constructing an Anonymous Identity Token");
idtok.anonymous(true);
} else if (GSSUPName.class.isAssignableFrom(cls)) {
/* GSSAPI Exported name */
_logger.log(Level.FINE, "Constructing a GSS Exported name Identity Token");
/* create a DER encoding */
GSSUPName gssname = (GSSUPName) cred;
byte[] expname = gssname.getExportedName();
GSS_NT_ExportedNameHelper.insert(any, expname);
/* IdentityToken with CDR encoded GSSUPName */
idtok.principal_name(codec.encode_value(any));
} else if (DistinguishedPrincipalCredential.class.isAssignableFrom(cls)) {
// If authenticated via OIDC rather than any of the above we'll have a DistinguishedPrincipalCredential
_logger.log(Level.FINE, "Constructing a GSS Exported Name Identity Token from DistinguishedPrincipalCredential");
DistinguishedPrincipalCredential distinguishedPrincipalCredential = (DistinguishedPrincipalCredential) cred;
// Create a DER encoding of the principal name as a GSSUPName - realm is not currently factored into the
// parsing of the principal name from the IdentityToken so is left blank.
GSSUPName gssupName = new GSSUPName(distinguishedPrincipalCredential.getPrincipal().getName(), "");
byte[] expname = gssupName.getExportedName();
GSS_NT_ExportedNameHelper.insert(any, expname);
idtok.principal_name(codec.encode_value(any));
}
return (idtok);
}
Also used :
IdentityToken(com.sun.corba.ee.org.omg.CSI.IdentityToken)
GSSUPName(com.sun.enterprise.common.iiop.security.GSSUPName)
X509CertificateCredential(com.sun.enterprise.security.auth.login.common.X509CertificateCredential)
X500Principal(javax.security.auth.x500.X500Principal)
DistinguishedPrincipalCredential(com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential)
Any(org.omg.CORBA.Any)
Aggregations
IdentityToken (com.sun.corba.ee.org.omg.CSI.IdentityToken)2
Any (org.omg.CORBA.Any)2
AuthorizationElement (com.sun.corba.ee.org.omg.CSI.AuthorizationElement)1
EstablishContext (com.sun.corba.ee.org.omg.CSI.EstablishContext)1
MTCompleteEstablishContext (com.sun.corba.ee.org.omg.CSI.MTCompleteEstablishContext)1
SASContextBody (com.sun.corba.ee.org.omg.CSI.SASContextBody)1
CompoundSecMech (com.sun.corba.ee.org.omg.CSIIOP.CompoundSecMech)1
GSSUPName (com.sun.enterprise.common.iiop.security.GSSUPName)1
SecurityContext (com.sun.enterprise.common.iiop.security.SecurityContext)1
DistinguishedPrincipalCredential (com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential)1
X509CertificateCredential (com.sun.enterprise.security.auth.login.common.X509CertificateCredential)1
PrivilegedAction (java.security.PrivilegedAction)1
X500Principal (javax.security.auth.x500.X500Principal)1
ORB (org.omg.CORBA.ORB)1
ServiceContext (org.omg.IOP.ServiceContext)1
