
Example 1 with IdentityToken

use of com.sun.corba.ee.org.omg.CSI.IdentityToken in project Payara by payara.

From class SecClientRequestInterceptor, method send_request() (client-side CSIv2 request interceptor).

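/**
 * send_request() interception point adds the security context to the service context field.
 * <p>
 * For the request's effective target, this resolves the applicable {@link SecurityContext} and,
 * when one exists, builds a CSIv2 SAS {@code EstablishContext} message from it: an
 * authentication token derived from the subject's private credential of class
 * {@code authcls} (if any) and an identity token derived from the public credential of class
 * {@code identcls} (or an "absent" identity token). The message is CDR-encoded and attached to
 * the request as the {@code SECURITY_ATTRIBUTE_SERVICE_ID} service context. An unprotected
 * invocation (no security context) adds nothing.
 * <p>
 * Only CSIv2 level 0 is implemented here: the client is stateless (context id 0) and no
 * authorization elements are sent.
 *
 * @param ri the outgoing request; only {@code effective_target()} and
 *           {@code add_request_service_context(...)} are used
 * @throws RuntimeException  if the security context for the target cannot be determined; the
 *                           original {@link InvalidMechanismException} or
 *                           {@link InvalidIdentityTokenException} is logged at SEVERE and kept
 *                           as the cause
 * @throws SecurityException if the authentication token, the identity token or the CDR encoding
 *                           of the SAS element cannot be produced; the caller receives a generic
 *                           localized message, the underlying exception is logged at SEVERE and
 *                           attached as the cause for in-process diagnostics
 */
@Override
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
    // CSIv2 level 0 only requires stateless clients, so the client context id is always 0.
    // The spec types this field as a long.
    final long clientContextId = 0L;

    // XXX: Workaround for non-null connection object ri for local invocation.
    ConnectionExecutionContext.removeClientThreadID();

    // CSIv2 level 0 sends no authorization tokens over the wire.
    final AuthorizationElement[] authzElements = {};

    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "++++ Entered " + prname + "send_request" + "()");
    }

    final ORB orb = orbHelper.getORB();
    final org.omg.CORBA.Object effectiveTarget = ri.effective_target();

    // Resolve the security context for this target. A failure here is a mechanism/config
    // problem rather than "no context", so it is fatal for the request. Keep the original
    // exception as the cause so the failure can be diagnosed from the caller's stack trace.
    final SecurityContext secctxt;
    try {
        secctxt = secContextUtil.getSecurityContext(effectiveTarget);
    } catch (InvalidMechanismException ime) {
        _logger.log(Level.SEVERE, "iiop.sec_context_exception", ime);
        throw new RuntimeException(ime.getMessage(), ime);
    } catch (InvalidIdentityTokenException iite) {
        _logger.log(Level.SEVERE, "iiop.runtime_exception", iite);
        throw new RuntimeException(iite.getMessage(), iite);
    }

    // Unprotected invocation: there is nothing to put into the service context.
    if (secctxt == null) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Security context is null (nothing to add to service context)");
        }
        return;
    }

    /* Authentication token (client authentication layer); empty when no authcls is configured. */
    byte[] authenticationToken = {};
    if (secctxt.authcls != null) {
        // Private credentials are permission-guarded, so they are read under this class's own
        // privileges rather than the (possibly less privileged) caller's.
        final Object authCred = AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                return getCred(secctxt.subject.getPrivateCredentials(secctxt.authcls), secctxt.authcls);
            }
        });
        try {
            SecurityMechanismSelector sms = Lookups.getSecurityMechanismSelector();
            ConnectionContext cc = sms.getClientConnectionContext();
            CompoundSecMech mech = cc.getMechanism();
            // NOTE(review): the token carries the client's credential; protection of it in
            // transit depends on the transport layer selected by `mech` -- not verified here.
            authenticationToken = createAuthToken(authCred, secctxt.authcls, orb, mech);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.createauthtoken_exception", e);
            throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_authtok_create", "Error while constructing an authentication token."), e);
        }
    }

    /* Identity token (identity assertion layer). */
    IdentityToken identityToken;
    if (secctxt.identcls != null) {
        // Public credentials need no privilege to read.
        Object identCred = getCred(secctxt.subject.getPublicCredentials(secctxt.identcls), secctxt.identcls);
        try {
            identityToken = createIdToken(identCred, secctxt.identcls, orb);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.createidtoken_exception", e);
            throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_idtok_create", "Error while constructing an identity token."), e);
        }
    } else {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Constructing an Absent Identity Token");
        }
        identityToken = new IdentityToken();
        identityToken.absent(true);
    }

    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Creating an EstablishContext message");
    }
    EstablishContext establishMsg = new EstablishContext(clientContextId, authzElements, identityToken, authenticationToken);
    SASContextBody sasBody = new SASContextBody();
    sasBody.establish_msg(establishMsg);

    /* CDR encode the SASContextBody */
    final byte[] encodedSasElement;
    Any sasAny = orb.create_any();
    SASContextBodyHelper.insert(sasAny, sasBody);
    try {
        encodedSasElement = codec.encode_value(sasAny);
    } catch (Exception e) {
        _logger.log(Level.SEVERE, "iiop.encode_exception", e);
        throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_cdr_encode", "CDR Encoding error for a SAS context element."), e);
    }

    /* Add the SAS element to the request's service context list. */
    ServiceContext sc = new ServiceContext();
    sc.context_id = SECURITY_ATTRIBUTE_SERVICE_ID;
    sc.context_data = encodedSasElement;
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Adding EstablishContext message to service context list");
    }
    // The second argument is the Portable Interceptors "replace" flag. Passing false means an
    // existing service context with SECURITY_ATTRIBUTE_SERVICE_ID is not overwritten (the ORB
    // raises BAD_INV_ORDER instead), so a SAS element already on this request is never
    // silently clobbered by this interceptor.
    final boolean replaceExisting = false;
    ri.add_request_service_context(sc, replaceExisting);
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Added EstablishContext message to service context list");
    }
}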

Example 2 with IdentityToken

use of com.sun.corba.ee.org.omg.CSI.IdentityToken in project Payara by payara.

From class SecClientRequestInterceptor, method createIdToken() (builds the CSIv2 identity token from a credential).

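/**
 * create and return an identity token from the credential. The identity token is cdr encoded.
 * <p>
 * The credential class selects which branch of the CSIv2 {@code IdentityToken} union is set:
 * <ul>
 *   <li>{@link X500Principal}: {@code dn} -- the DER-encoded distinguished name
 *       ({@link X500Principal#getEncoded()})</li>
 *   <li>{@code X509CertificateCredential}: {@code certificate_chain} -- the chain encoded as a
 *       {@code CertPath} (the JDK's default CertPath encoding; presumably what the server expects)</li>
 *   <li>{@code AnonCredential}: {@code anonymous}</li>
 *   <li>{@code GSSUPName}: {@code principal_name} -- the GSS exported name</li>
 *   <li>{@code DistinguishedPrincipalCredential} (e.g. after OIDC authentication):
 *       {@code principal_name} -- a {@code GSSUPName} built from the principal name with an
 *       empty realm, since the realm is not used when the token is parsed on the target</li>
 * </ul>
 * Each payload is inserted into an {@code Any} and CDR-encoded with the interceptor's codec.
 * <p>
 * NOTE(review): an identity token is an assertion of the caller's identity; whether the target
 * honours it depends on the server trusting this client, which is not established here.
 *
 * @param cred the credential instance; must be an instance of {@code cls}
 * @param cls  the credential class that selects the token type
 * @param orb  used to create the {@code Any} for CDR encoding
 * @return an identity token with exactly one union branch set
 * @throws IllegalArgumentException if {@code cls} is none of the supported credential types.
 *                                  Previously such a class fell through and an
 *                                  {@code IdentityToken} with no branch set was returned,
 *                                  surfacing only later as an encoding error of the whole
 *                                  SAS element; failing here gives the accurate error.
 * @throws Exception on CDR encoding or certificate encoding failures
 */
private IdentityToken createIdToken(java.lang.Object cred, Class cls, ORB orb) throws Exception {
    Any any = orb.create_any();
    IdentityToken idtok = new IdentityToken();
    if (X500Principal.class.isAssignableFrom(cls)) {
        _logger.log(Level.FINE, "Constructing an X500 DN Identity Token");
        X500Principal credname = (X500Principal) cred;
        X501DistinguishedNameHelper.insert(any, credname.getEncoded());
        /* IdentityToken with CDR encoded X500 principal */
        idtok.dn(codec.encode_value(any));
    } else if (X509CertificateCredential.class.isAssignableFrom(cls)) {
        _logger.log(Level.FINE, "Constructing an X509 Certificate Chain Identity Token");
        X509CertificateCredential certcred = (X509CertificateCredential) cred;
        X509Certificate[] certchain = certcred.getX509CertificateChain();
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Certchain length = " + certchain.length);
        }
        /* Encode the whole chain as a CertPath (JDK default encoding). */
        byte[] certBytes = CertificateFactory.getInstance("X.509").generateCertPath(asList(certchain)).getEncoded();
        X509CertificateChainHelper.insert(any, certBytes);
        /* IdentityToken with CDR encoded certificate chain */
        idtok.certificate_chain(codec.encode_value(any));
    } else if (AnonCredential.class.isAssignableFrom(cls)) {
        _logger.log(Level.FINE, "Constructing an Anonymous Identity Token");
        idtok.anonymous(true);
    } else if (GSSUPName.class.isAssignableFrom(cls)) {
        /* GSSAPI Exported name */
        _logger.log(Level.FINE, "Constructing a GSS Exported name Identity Token");
        GSSUPName gssname = (GSSUPName) cred;
        byte[] expname = gssname.getExportedName();
        GSS_NT_ExportedNameHelper.insert(any, expname);
        /* IdentityToken with CDR encoded GSSUPName */
        idtok.principal_name(codec.encode_value(any));
    } else if (DistinguishedPrincipalCredential.class.isAssignableFrom(cls)) {
        // If authenticated via OIDC rather than any of the above we'll have a DistinguishedPrincipalCredential
        _logger.log(Level.FINE, "Constructing a GSS Exported Name Identity Token from DistinguishedPrincipalCredential");
        DistinguishedPrincipalCredential distinguishedPrincipalCredential = (DistinguishedPrincipalCredential) cred;
        // Encode the principal name as a GSSUPName exported name. The realm is not currently
        // factored into the parsing of the principal name from the IdentityToken, so it is left blank.
        GSSUPName gssupName = new GSSUPName(distinguishedPrincipalCredential.getPrincipal().getName(), "");
        byte[] expname = gssupName.getExportedName();
        GSS_NT_ExportedNameHelper.insert(any, expname);
        idtok.principal_name(codec.encode_value(any));
    } else {
        // Fail closed: never hand back a union with no discriminator set for an
        // unrecognised credential class.
        throw new IllegalArgumentException("Unsupported identity credential type: " + cls.getName());
    }
    return idtok;
}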
