
Example 1 with GSSUPName

use of com.sun.enterprise.common.iiop.security.GSSUPName in project Payara by payara.

Class LoginContextDriver, method loginPrincipal.

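/**
 * Logs in a run-as principal. Builds a JAAS {@link Subject} carrying a
 * {@code PrincipalImpl} for {@code username}, a public credential of type
 * {@link GSSUPName}, and one {@code Group} principal per group the realm
 * reports for the user, then installs it as the current security context.
 * This is used primarily for run-as.
 * <p>
 * If the realm cannot enumerate groups ({@code InvalidOperationException}) or
 * does not know the user ({@code NoSuchUserException}), only a warning is
 * logged and the security context is still established, with no group
 * principals attached.
 *
 * @param username  the run-as user name
 * @param realmName the realm to resolve the user against; {@code null} or
 *                  empty selects {@code Realm.getDefaultRealm()}
 * @throws LoginException if {@code realmName} is not a configured realm
 */
public static void loginPrincipal(String username, String realmName) throws LoginException {
    // no realm provided, assuming default
    final String realm = (realmName == null || realmName.isEmpty()) ? Realm.getDefaultRealm() : realmName;
    final Subject subject = new Subject();
    final org.glassfish.security.common.PrincipalImpl callerPrincipal = new org.glassfish.security.common.PrincipalImpl(username);
    final GSSUPName gssupName = new GSSUPName(username, realm);
    // Subject mutation is done under doPrivileged, presumably for the security-manager permission check
    AppservAccessController.doPrivileged(new PrivilegedAction<Object>() {
        @Override
        public Object run() {
            subject.getPrincipals().add(callerPrincipal);
            subject.getPublicCredentials().add(gssupName);
            return null;
        }
    });
    try {
        Enumeration<String> groupNames = Realm.getInstance(realm).getGroupNames(username);
        Set<Principal> principalSet = subject.getPrincipals();
        while (groupNames.hasMoreElements()) {
            principalSet.add(new Group(groupNames.nextElement()));
        }
    } catch (InvalidOperationException ex) {
        // best effort: group lookup unsupported by this realm, continue without groups
        _logger.log(Level.WARNING, SecurityLoggerInfo.invalidOperationForRealmError, new Object[] { username, realm, ex.toString() });
    } catch (NoSuchUserException ex) {
        // best effort: unknown user still gets a context, without groups
        _logger.log(Level.WARNING, SecurityLoggerInfo.noSuchUserInRealmError, new Object[] { username, realm, ex.toString() });
    } catch (NoSuchRealmException ex) {
        LoginException lex = new LoginException(ex.toString());
        lex.initCause(ex);
        throw lex;
    }
    setSecurityContext(username, subject, realm);
}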

Example 2 with GSSUPName

use of com.sun.enterprise.common.iiop.security.GSSUPName in project Payara by payara.

Class SecurityMechanismSelector, method getIdentity.

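/**
 * Builds an IIOP {@code SecurityContext} describing the identity found in the
 * current thread's security context, setting {@code identcls} to the credential
 * class that will drive identity-token creation:
 * <ul>
 * <li>no current context, or server-generated credentials: an {@code AnonCredential}
 *     in a fresh subject;</li>
 * <li>exactly one {@code PasswordCredential} in the subject's private credentials:
 *     a fresh subject holding only a {@link GSSUPName} built from user and realm
 *     (the password credential itself is not carried into the returned context);</li>
 * <li>otherwise the subject's single public credential decides {@code identcls}
 *     ({@code GSSUPName}, {@code X500Principal}, {@code DistinguishedPrincipalCredential},
 *     else {@code X509CertificateCredential}).</li>
 * </ul>
 *
 * @return the populated security context, or {@code null} (after a SEVERE log) when the
 *         subject does not hold exactly one public credential
 * @throws SecurityMechanismException declared for callers; not thrown by the visible code
 */
private SecurityContext getIdentity() throws SecurityMechanismException {
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Getting PRINCIPAL/DN from TLS");
    }
    final SecurityContext ctx = new SecurityContext();
    // get stuff from the SecurityContext class
    com.sun.enterprise.security.SecurityContext scontext = com.sun.enterprise.security.SecurityContext.getCurrent();
    if (scontext == null || scontext.didServerGenerateCredentials()) {
        // a default guest/guest123 was created
        ctx.identcls = AnonCredential.class;
        AccessController.doPrivileged(new PrivilegedAction<Object>() {
            @Override
            public Object run() {
                // fresh subject: carries no public or private credentials from the caller
                ctx.subject = new Subject();
                ctx.subject.getPublicCredentials().add(new AnonCredential());
                return null;
            }
        });
        return ctx;
    }
    final Subject current = getSubjectFromSecurityCurrent();
    ctx.subject = current;
    // Figure out the credential class: password credentials first
    final Set<PasswordCredential> credSet = AccessController.doPrivileged(new PrivilegedAction<Set<PasswordCredential>>() {
        @Override
        public Set<PasswordCredential> run() {
            return current.getPrivateCredentials(PasswordCredential.class);
        }
    });
    if (credSet.size() == 1) {
        ctx.identcls = GSSUPName.class;
        ctx.subject = AccessController.doPrivileged(new PrivilegedAction<Subject>() {
            @Override
            public Subject run() {
                PasswordCredential pc = credSet.iterator().next();
                Subject nameOnly = new Subject();
                nameOnly.getPublicCredentials().add(new GSSUPName(pc.getUser(), pc.getRealm()));
                return nameOnly;
            }
        });
        return ctx;
    }
    Set<Object> pubCredSet = current.getPublicCredentials();
    if (pubCredSet.size() != 1) {
        _logger.log(Level.SEVERE, "iiop.principal_error");
        return null;
    }
    Iterator<Object> credIter = pubCredSet.iterator();
    if (!credIter.hasNext()) {
        _logger.log(Level.SEVERE, "iiop.credential_error");
        return null;
    }
    Object cred = credIter.next();
    if (cred instanceof GSSUPName) {
        ctx.identcls = GSSUPName.class;
    } else if (cred instanceof X500Principal) {
        ctx.identcls = X500Principal.class;
    } else if (cred instanceof DistinguishedPrincipalCredential) {
        ctx.identcls = DistinguishedPrincipalCredential.class;
    } else {
        // any other single public credential is treated as a certificate credential
        ctx.identcls = X509CertificateCredential.class;
    }
    return ctx;
}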

Example 3 with GSSUPName

use of com.sun.enterprise.common.iiop.security.GSSUPName in project Payara by payara.

Class WebAndEjbToJaasBridge, method loginPrincipal.

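/**
 * Logs in a run-as principal. Builds a JAAS {@link Subject} carrying a
 * {@code PrincipalImpl} for {@code username}, a public credential of type
 * {@link GSSUPName}, and one {@code Group} principal per group the realm
 * reports for the user, then installs it as the current security context.
 * This is used primarily for run-as.
 * <p>
 * If the realm cannot enumerate groups ({@code InvalidOperationException}) or
 * does not know the user ({@code NoSuchUserException}), only a warning is
 * logged and the security context is still established, with no group
 * principals attached.
 *
 * @param username  the run-as user name
 * @param realmName the realm to resolve the user against; {@code null} or
 *                  empty selects {@code Realm.getDefaultRealm()}
 * @throws LoginException if {@code realmName} is not a configured realm
 */
public static void loginPrincipal(String username, String realmName) {
    // No realm provided, assuming default
    final String realm = (realmName == null || realmName.isEmpty()) ? Realm.getDefaultRealm() : realmName;
    Subject subject = new Subject();
    PrincipalImpl callerPrincipal = new PrincipalImpl(username);
    GSSUPName name = new GSSUPName(username, realm);
    // Subject mutation is done under doPrivileged, presumably for the security-manager permission check
    privileged(() -> {
        subject.getPrincipals().add(callerPrincipal);
        subject.getPublicCredentials().add(name);
    });
    try {
        Enumeration<String> groupNames = Realm.getInstance(realm).getGroupNames(username);
        Set<Principal> principalSet = subject.getPrincipals();
        while (groupNames.hasMoreElements()) {
            principalSet.add(new Group(groupNames.nextElement()));
        }
    } catch (InvalidOperationException ex) {
        // best effort: group lookup unsupported by this realm, continue without groups
        LOGGER.log(WARNING, invalidOperationForRealmError, new Object[] { username, realm, ex.toString() });
    } catch (NoSuchUserException ex) {
        // best effort: unknown user still gets a context, without groups
        LOGGER.log(WARNING, noSuchUserInRealmError, new Object[] { username, realm, ex.toString() });
    } catch (NoSuchRealmException ex) {
        throw (LoginException) new LoginException(ex.toString()).initCause(ex);
    }
    setSecurityContext(username, subject, realm);
}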

Example 4 with GSSUPName

use of com.sun.enterprise.common.iiop.security.GSSUPName in project Payara by payara.

Class SecClientRequestInterceptor, method createIdToken.

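/**
 * Creates an identity token for a credential, selecting the CSIv2 token member by the
 * credential class and CDR-encoding the payload through {@code codec}.
 * <ul>
 * <li>{@code X500Principal}: {@code dn} member holding the principal's DER-encoded name.</li>
 * <li>{@code X509CertificateCredential}: {@code certificate_chain} member holding the
 *     DER-encoded certificate path.</li>
 * <li>{@code AnonCredential}: {@code anonymous} member set to {@code true}.</li>
 * <li>{@code GSSUPName}: {@code principal_name} member holding the GSS exported name.</li>
 * <li>{@code DistinguishedPrincipalCredential}: {@code principal_name} member holding a GSS
 *     exported name built from the principal name with an empty realm.</li>
 * </ul>
 *
 * @param cred the credential to encode; must be an instance of {@code cls}
 * @param cls  the credential class that selects the token type
 * @param orb  the ORB used to create the {@code Any} holder
 * @return the identity token; if {@code cls} matches none of the supported classes the
 *         token is returned with no member set (presumably callers only pass a class
 *         chosen from the supported set - TODO confirm)
 * @throws Exception if CDR or certificate encoding fails
 */
private IdentityToken createIdToken(Object cred, Class<?> cls, ORB orb) throws Exception {
    Any any = orb.create_any();
    IdentityToken idtok = new IdentityToken();
    if (X500Principal.class.isAssignableFrom(cls)) {
        _logger.log(Level.FINE, "Constructing an X500 DN Identity Token");
        X500Principal credname = (X500Principal) cred;
        X501DistinguishedNameHelper.insert(any, credname.getEncoded());
        // IdentityToken with CDR encoded X500 principal
        idtok.dn(codec.encode_value(any));
    } else if (X509CertificateCredential.class.isAssignableFrom(cls)) {
        _logger.log(Level.FINE, "Constructing an X509 Certificate Chain Identity Token");
        X509CertificateCredential certcred = (X509CertificateCredential) cred;
        X509Certificate[] certchain = certcred.getX509CertificateChain();
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Certchain length = " + certchain.length);
        }
        // DER encoding of the whole chain as a certificate path
        byte[] certBytes = CertificateFactory.getInstance("X.509").generateCertPath(asList(certchain)).getEncoded();
        X509CertificateChainHelper.insert(any, certBytes);
        // IdentityToken with CDR encoded certificate chain
        idtok.certificate_chain(codec.encode_value(any));
    } else if (AnonCredential.class.isAssignableFrom(cls)) {
        _logger.log(Level.FINE, "Constructing an Anonymous Identity Token");
        idtok.anonymous(true);
    } else if (GSSUPName.class.isAssignableFrom(cls)) {
        // GSSAPI exported name
        _logger.log(Level.FINE, "Constructing a GSS Exported name Identity Token");
        GSSUPName gssname = (GSSUPName) cred;
        GSS_NT_ExportedNameHelper.insert(any, gssname.getExportedName());
        // IdentityToken with CDR encoded GSSUPName
        idtok.principal_name(codec.encode_value(any));
    } else if (DistinguishedPrincipalCredential.class.isAssignableFrom(cls)) {
        // If authenticated via OIDC rather than any of the above we'll have a DistinguishedPrincipalCredential
        _logger.log(Level.FINE, "Constructing a GSS Exported Name Identity Token from DistinguishedPrincipalCredential");
        DistinguishedPrincipalCredential distinguishedPrincipalCredential = (DistinguishedPrincipalCredential) cred;
        // Create a DER encoding of the principal name as a GSSUPName - realm is not currently factored into the
        // parsing of the principal name from the IdentityToken so is left blank.
        GSSUPName gssupName = new GSSUPName(distinguishedPrincipalCredential.getPrincipal().getName(), "");
        GSS_NT_ExportedNameHelper.insert(any, gssupName.getExportedName());
        idtok.principal_name(codec.encode_value(any));
    }
    return idtok;
}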

Example 5 with GSSUPName

use of com.sun.enterprise.common.iiop.security.GSSUPName in project Payara by payara.

Class Counter, method createIdCred.

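/**
 * Creates an identity from an Identity Token and stores it as a public credential in the JAAS
 * subject held by the security context, setting {@code securityContext.identcls} to the
 * credential class so later code can tell which identity assertion type was received.
 * <p>
 * Token payloads that arrive CDR-encoded (Issue 5766) are unwrapped before use. The only
 * validation done here is the GSSUP mechanism OID check on exported names; an X.509 chain is
 * parsed, not trust-checked, in this method (presumably validated elsewhere - TODO confirm).
 *
 * @param securityContext the context whose subject receives the credential; its
 *                        {@code identcls} field is overwritten
 * @param identityToken   the CSIv2 identity token received from the client
 * @throws SecurityException if the token type is unknown, an exported name does not carry the
 *                           GSSUP mechanism OID, or a certificate chain token holds no certificate
 * @throws Exception         if CDR or certificate decoding fails
 */
private void createIdCred(SecurityContext securityContext, IdentityToken identityToken) throws Exception {
    switch (identityToken.discriminator()) {
        case ITTAbsent.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is Absent");
            }
            securityContext.identcls = null;
            break;
        case ITTAnonymous.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is Anonymous");
                logger.log(FINE, "Adding AnonyCredential to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(new AnonCredential());
            securityContext.identcls = AnonCredential.class;
            break;
        case ITTDistinguishedName.value: {
            byte[] derEncoding = identityToken.dn();
            // Issue 5766: the DN may arrive wrapped in a CDR encoding; unwrap it first
            if (isCDR(derEncoding)) {
                Any any = codec.decode_value(derEncoding, X501DistinguishedNameHelper.type());
                derEncoding = X501DistinguishedNameHelper.extract(any);
            }
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Create an X500Principal object from identity token");
            }
            X500Principal xname = new X500Principal(derEncoding);
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity to be asserted is {0}", xname.toString());
                logger.log(FINE, "Adding X500Principal to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(xname);
            securityContext.identcls = X500Principal.class;
            break;
        }
        case ITTX509CertChain.value: {
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is a X509 Certificate Chain");
            }
            byte[] derEncoding = identityToken.certificate_chain();
            // Issue 5766: the chain may arrive wrapped in a CDR encoding; unwrap it first
            if (isCDR(derEncoding)) {
                Any any = codec.decode_value(derEncoding, X509CertificateChainHelper.type());
                derEncoding = X509CertificateChainHelper.extract(any);
            }
            X509CertificateCredential cred = toCertificateCredential(derEncoding);
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Adding X509CertificateCredential to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(cred);
            securityContext.identcls = X509CertificateCredential.class;
            break;
        }
        case ITTPrincipalName.value: {
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is GSS Exported Name");
            }
            byte[] expname = identityToken.principal_name();
            // Issue 5766: the exported name may arrive wrapped in a CDR encoding; unwrap it first
            if (isCDR(expname)) {
                Any any = codec.decode_value(expname, GSS_NT_ExportedNameHelper.type());
                expname = GSS_NT_ExportedNameHelper.extract(any);
            }
            // only GSSUP exported names are accepted as principal-name assertions
            if (!verifyMechOID(GSSUP_MECH_OID, expname)) {
                throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
            }
            GSSUPName gssname = new GSSUPName(expname);
            securityContext.subject.getPublicCredentials().add(gssname);
            securityContext.identcls = GSSUPName.class;
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Adding GSSUPName credential to subject");
            }
            break;
        }
        default:
            logger.log(SEVERE, "iiop.unknown_identity");
            throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
    }
}

/**
 * Parses a DER-encoded X.509 certificate path into an {@code X509CertificateCredential}
 * whose alias is the RFC 2253 subject name of the first certificate. Only parsing is done
 * here; the chain is not validated against any trust anchor.
 *
 * @param derEncoding the DER-encoded certificate path
 * @return the credential wrapping the parsed chain
 * @throws SecurityException if the path holds no certificate
 * @throws Exception         if the path cannot be parsed
 */
private X509CertificateCredential toCertificateCredential(byte[] derEncoding) throws Exception {
    List<? extends Certificate> certificates = CertificateFactory.getInstance("X.509").generateCertPath(new ByteArrayInputStream(derEncoding)).getCertificates();
    // guard: certchain[0] below requires at least one certificate
    if (certificates.isEmpty()) {
        throw new SecurityException("X509 certificate chain identity token contains no certificates");
    }
    X509Certificate[] certchain = new X509Certificate[certificates.size()];
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "Content of X509 Certificate chain:");
    }
    for (int i = 0; i < certchain.length; i++) {
        certchain[i] = (X509Certificate) certificates.get(i);
        if (logger.isLoggable(FINE)) {
            logger.log(FINE, "    " + certchain[i].getSubjectX500Principal().getName(X500Principal.RFC2253, OID.getOIDMap()));
        }
    }
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "Creating a X509CertificateCredential object from certchain");
    }
    // The realm field in the X509CertificateCredential is currently ignored by the RI,
    // so it is set to "default".
    String alias = certchain[0].getSubjectX500Principal().getName(X500Principal.RFC2253, OID.getOIDMap());
    return new X509CertificateCredential(certchain, alias, "default");
}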
