
Example 1 with SecurityContext

use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.

the class SecClientRequestInterceptor method send_request.

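/**
 * send_request() interception point adds the security context to the service context field.
 *
 * <p>Builds a CSIv2 {@code EstablishContext} message for the outgoing request: client context id
 * 0 (level 0 clients are stateless), no authorization elements, an authentication token when the
 * security context names an {@code authcls}, an identity token when it names an {@code identcls}
 * (otherwise an "absent" identity token). The message is wrapped in a {@code SASContextBody},
 * CDR-encoded and added under {@code SECURITY_ATTRIBUTE_SERVICE_ID}. When no security context
 * applies to the effective target (unprotected invocation) nothing is added.
 *
 * @param ri the client request being intercepted
 * @throws ForwardRequest declared by the interceptor contract; not raised here
 * @throws RuntimeException when the security context for the target cannot be determined (the
 *         originating {@code InvalidMechanismException}/{@code InvalidIdentityTokenException} is
 *         kept as the cause)
 * @throws SecurityException when a token cannot be constructed or the SAS element cannot be
 *         CDR-encoded; the underlying exception is kept as the cause
 */
@Override
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
    // CSIv2 level 0 only requires stateless clients, so the client context id is always 0.
    // The spec requires the id to be a long.
    final long cContextId = 0;
    // XXX: Workaround for non-null connection object ri for local invocation.
    ConnectionExecutionContext.removeClientThreadID();
    // CSIv2 level 0 does not send authorization tokens over the wire; the element list stays empty.
    final AuthorizationElement[] cAuthzElem = {};
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "++++ Entered " + prname + "send_request" + "()");
    }
    final ORB orb = orbHelper.getORB();
    final org.omg.CORBA.Object effective_target = ri.effective_target();
    // SecurityContext to be sent; null means the invocation is unprotected.
    final SecurityContext secctxt;
    try {
        secctxt = secContextUtil.getSecurityContext(effective_target);
    } catch (InvalidMechanismException ime) {
        _logger.log(Level.SEVERE, "iiop.sec_context_exception", ime);
        // Keep the cause: the message alone loses the failing mechanism for callers that do not read the log.
        throw new RuntimeException(ime.getMessage(), ime);
    } catch (InvalidIdentityTokenException iite) {
        _logger.log(Level.SEVERE, "iiop.runtime_exception", iite);
        throw new RuntimeException(iite.getMessage(), iite);
    }
    if (secctxt == null) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Security context is null (nothing to add to service context)");
        }
        return;
    }
    /* Construct an authentication token (only when the context names an authentication class) */
    byte[] cAuthenticationToken = {};
    if (secctxt.authcls != null) {
        // Reading private credentials off the Subject may be permission-checked; do it privileged.
        final java.lang.Object authCred = AccessController.doPrivileged(new PrivilegedAction<java.lang.Object>() {

            @Override
            public java.lang.Object run() {
                return getCred(secctxt.subject.getPrivateCredentials(secctxt.authcls), secctxt.authcls);
            }
        });
        try {
            SecurityMechanismSelector sms = Lookups.getSecurityMechanismSelector();
            ConnectionContext cc = sms.getClientConnectionContext();
            CompoundSecMech mech = cc.getMechanism();
            cAuthenticationToken = createAuthToken(authCred, secctxt.authcls, orb, mech);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.createauthtoken_exception", e);
            throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_authtok_create", "Error while constructing an authentication token."), e);
        }
    }
    /* Construct an identity token, or an "absent" one when no identity class is set */
    IdentityToken cIdentityToken;
    if (secctxt.identcls != null) {
        java.lang.Object identCred = getCred(secctxt.subject.getPublicCredentials(secctxt.identcls), secctxt.identcls);
        try {
            cIdentityToken = createIdToken(identCred, secctxt.identcls, orb);
        } catch (Exception e) {
            _logger.log(Level.SEVERE, "iiop.createidtoken_exception", e);
            throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_idtok_create", "Error while constructing an identity token."), e);
        }
    } else {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Constructing an Absent Identity Token");
        }
        cIdentityToken = new IdentityToken();
        cIdentityToken.absent(true);
    }
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Creating an EstablishContext message");
    }
    EstablishContext ec = new EstablishContext(cContextId, cAuthzElem, cIdentityToken, cAuthenticationToken);
    SASContextBody sasctxbody = new SASContextBody();
    sasctxbody.establish_msg(ec);
    /* CDR encode the SASContextBody */
    Any sasAny = orb.create_any();
    SASContextBodyHelper.insert(sasAny, sasctxbody);
    byte[] cdrEncodedSasElem;
    try {
        cdrEncodedSasElem = codec.encode_value(sasAny);
    } catch (Exception e) {
        _logger.log(Level.SEVERE, "iiop.encode_exception", e);
        throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_cdr_encode", "CDR Encoding error for a SAS context element."), e);
    }
    /* add SAS element to service context list */
    ServiceContext sc = new ServiceContext();
    sc.context_id = SECURITY_ATTRIBUTE_SERVICE_ID;
    sc.context_data = cdrEncodedSasElem;
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Adding EstablishContext message to service context list");
    }
    // replace=false: an already-present SAS element is not overwritten; the ORB raises BAD_INV_ORDER instead.
    ri.add_request_service_context(sc, false);
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Added EstablishContext message to service context list");
    }
}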

Example 2 with SecurityContext

use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.

the class Counter method receive_request.

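/**
 * receive_request() interception point: decodes the CSIv2 SAS element of an incoming request,
 * builds a server-side {@link SecurityContext} from its tokens and installs it for the target
 * object and operation.
 *
 * <p>Outcome by message type: no SAS element (null, or {@code BAD_PARAM} from the PI API) →
 * {@code handle_null_service_context}; {@code MessageInContext} → ContextError reply and
 * {@code NO_PERMISSION}, because this stateless server keeps no contexts to refer to; any other
 * non-{@code EstablishContext} message → {@code SecurityException}; {@code EstablishContext} →
 * credentials are created from the authentication and identity tokens, then
 * {@code setSecurityContext} decides between a CompleteEstablishContext reply and a ContextError
 * reply followed by {@code NO_PERMISSION}.
 *
 * @param serverRequestInfo the incoming request
 * @throws ForwardRequest declared by the interceptor contract; not raised here
 * @throws NO_PERMISSION after a ContextError reply has been queued
 * @throws SecurityException when the SAS element cannot be decoded, is not an EstablishContext
 *         message, or a credential cannot be created from its tokens; the underlying exception
 *         is kept as the cause
 */
@Override
public void receive_request(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "++++ Entered " + prname + "receive_request");
    }
    ORB orb = orbHelper.getORB();
    ServiceContext serviceContext;
    try {
        serviceContext = serverRequestInfo.get_request_service_context(SECURITY_ATTRIBUTE_SERVICE_ID);
    } catch (BAD_PARAM e) {
        // The PI API reports a missing service context as BAD_PARAM; treat it exactly like a null element.
        // Handling it outside the try also avoids invoking handle_null_service_context twice if it raises BAD_PARAM itself.
        serviceContext = null;
    }
    if (serviceContext == null) {
        handle_null_service_context(serverRequestInfo, orb);
        return;
    }
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "Received a non null SAS context element");
    }
    // Decode the service context field
    Any sasAny;
    try {
        sasAny = codec.decode_value(serviceContext.context_data, SASContextBodyHelper.type());
    } catch (Exception e) {
        logger.log(SEVERE, "iiop.decode_exception", e);
        throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_cdr_decode", "CDR Decoding error for SAS context element."), e);
    }
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "Successfully decoded CDR encoded SAS context element.");
    }
    SASContextBody sasctxbody = SASContextBodyHelper.extract(sasAny);
    short sasdiscr = sasctxbody.discriminator();
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "SAS context element is a/an " + SvcContextUtils.getMsgname(sasdiscr) + " message");
    }
    if (sasdiscr == MTMessageInContext.value) {
        // Stateless server: there is no stored context a MessageInContext could refer to.
        if (logger.isLoggable(FINE)) {
            logger.log(FINE, "SecurityContext set to null");
        }
        throw contextErrorReply(serverRequestInfo, orb, createContextError(SvcContextUtils.MessageInContextMinor));
    }
    if (sasdiscr != MTEstablishContext.value) {
        logger.log(SEVERE, "iiop.not_establishcontext_msg");
        throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_not_ec_msg", "Received message not an EstablishContext message."));
    }
    EstablishContext establishContext = sasctxbody.establish_msg();
    SecurityContext securityContext = new SecurityContext();
    securityContext.subject = new Subject();
    try {
        if (establishContext.client_authentication_token.length != 0) {
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Message contains Client Authentication Token");
            }
            createAuthCredential(securityContext, establishContext.client_authentication_token, orb);
        }
    } catch (Exception e) {
        // NOTE(review): unlike the identity-token path below, a failed authentication token ends in a
        // SecurityException without a ContextError reply; confirm that is intended given the spec note further down.
        logger.log(SEVERE, "iiop.authentication_exception", e);
        throw new SecurityException(localStrings.getLocalString("secsercverreqinterceptor.err_cred_create", "Error while creating a JAAS subject credential."), e);
    }
    try {
        if (establishContext.identity_token != null) {
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Message contains an Identity Token");
            }
            createIdCred(securityContext, establishContext.identity_token);
        }
    } catch (SecurityException secex) {
        // An identity token the server cannot interpret is answered with a ContextError (invalid mechanism).
        logger.log(SEVERE, "iiop.security_exception", secex);
        throw contextErrorReply(serverRequestInfo, orb, createContextError(INVALID_MECHANISM_MAJOR, INVALID_MECHANISM_MINOR));
    } catch (Exception e) {
        logger.log(SEVERE, "iiop.generic_exception", e);
        throw new SecurityException(localStrings.getLocalString("secsercverreqinterceptor.err_cred_create", "Error while creating a JAAS subject credential."), e);
    }
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "Invoking setSecurityContext() to set security context");
    }
    int status = secContextUtil.setSecurityContext(securityContext, serverRequestInfo.object_id(), serverRequestInfo.operation(), getServerSocket());
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "setSecurityContext() returned status code " + status);
    }
    /**
     * CSIV2 SPEC NOTE:
     *
     * If ec.client_context_id is non zero, then this is a stateful request. As specified in section
     * 4.2.1, a stateless server must attempt to validate the security tokens in the security context
     * field. If validation succeeds then CompleteEstablishContext message is sent back. If validation
     * fails, a ContextError must be sent back.
     */
    if (status == STATUS_FAILED) {
        if (logger.isLoggable(FINE)) {
            logger.log(FINE, "setSecurityContext() returned STATUS_FAILED");
        }
        throw contextErrorReply(serverRequestInfo, orb, createContextError(status));
    }
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "setSecurityContext() returned SUCCESS");
    }
    sasctxbody = createCompleteEstablishContext(status);
    serviceContext = createSvcContext(sasctxbody, orb);
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "Adding CompleteEstablisContext message to service context list");
    }
    serverRequestInfo.add_reply_service_context(serviceContext, NO_REPLACE);
}

/**
 * Queues a ContextError reply on the request and returns the {@code NO_PERMISSION} the caller
 * must throw to deny it.
 *
 * @param serverRequestInfo the request being denied
 * @param orb the ORB used to encode the reply element
 * @param contextError the ContextError message to send back
 * @return the exception to throw after the reply has been added
 */
private NO_PERMISSION contextErrorReply(ServerRequestInfo serverRequestInfo, ORB orb, SASContextBody contextError) {
    ServiceContext reply = createSvcContext(contextError, orb);
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "Adding ContextError message to service context list");
    }
    serverRequestInfo.add_reply_service_context(reply, NO_REPLACE);
    return new NO_PERMISSION();
}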

Example 3 with SecurityContext

use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.

the class SecurityMechanismSelector method getIdentity.

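/**
 * Get the principal/distinguished name from thread local storage.
 *
 * <p>Three cases, checked in order:
 * <ul>
 *   <li>no current {@code com.sun.enterprise.security.SecurityContext}, or one whose
 *       credentials the server generated itself: an anonymous context
 *       ({@code identcls = AnonCredential.class}) with a fresh Subject holding a single
 *       {@code AnonCredential};</li>
 *   <li>the current Subject holds exactly one {@code PasswordCredential}: a {@code GSSUPName}
 *       context whose Subject carries only the derived GSSUPName, so the password credential
 *       itself is not propagated;</li>
 *   <li>otherwise the Subject's single public credential selects {@code identcls}; anything
 *       other than GSSUPName, X500Principal or DistinguishedPrincipalCredential is treated as an
 *       X509CertificateCredential.</li>
 * </ul>
 *
 * @return the security context, or {@code null} when the Subject does not carry exactly one
 *         public credential (logged at SEVERE)
 * @throws SecurityMechanismException propagated from {@code getSubjectFromSecurityCurrent()}
 *         if it raises one; nothing in this method raises it directly
 */
private SecurityContext getIdentity() throws SecurityMechanismException {
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Getting PRINCIPAL/DN from TLS");
    }
    final SecurityContext ctx = new SecurityContext();
    // get stuff from the SecurityContext class
    com.sun.enterprise.security.SecurityContext scontext = com.sun.enterprise.security.SecurityContext.getCurrent();
    if (scontext == null || scontext.didServerGenerateCredentials()) {
        // A server-generated default identity is never propagated: send an anonymous credential
        // in a fresh Subject that carries nothing else.
        ctx.identcls = AnonCredential.class;
        AccessController.doPrivileged(new PrivilegedAction<Object>() {

            @Override
            public Object run() {
                ctx.subject = new Subject();
                ctx.subject.getPublicCredentials().add(new AnonCredential());
                return null;
            }
        });
        return ctx;
    }
    final Subject current = getSubjectFromSecurityCurrent();
    ctx.subject = current;
    // Figure out the credential class. Private credentials are permission-checked, hence the privileged read.
    Set<PasswordCredential> credSet = AccessController.doPrivileged(new PrivilegedAction<Set<PasswordCredential>>() {

        @Override
        public Set<PasswordCredential> run() {
            return current.getPrivateCredentials(PasswordCredential.class);
        }
    });
    if (credSet.size() == 1) {
        // Username/password present: propagate only the derived GSSUP name, in a new Subject,
        // so the password credential stays out of the context that is sent.
        ctx.identcls = GSSUPName.class;
        final Set<PasswordCredential> passwordCreds = credSet;
        ctx.subject = AccessController.doPrivileged(new PrivilegedAction<Subject>() {

            @Override
            public Subject run() {
                Subject nameOnly = new Subject();
                PasswordCredential pc = passwordCreds.iterator().next();
                nameOnly.getPublicCredentials().add(new GSSUPName(pc.getUser(), pc.getRealm()));
                return nameOnly;
            }
        });
        return ctx;
    }
    Set<Object> pubCredSet = current.getPublicCredentials();
    if (pubCredSet.size() != 1) {
        _logger.log(Level.SEVERE, "iiop.principal_error");
        return null;
    }
    Iterator<Object> credIter = pubCredSet.iterator();
    if (!credIter.hasNext()) {
        // Guards against the set changing between size() and iterator(); the Subject's sets are shared.
        _logger.log(Level.SEVERE, "iiop.credential_error");
        return null;
    }
    Object cred = credIter.next();
    if (cred instanceof GSSUPName) {
        ctx.identcls = GSSUPName.class;
    } else if (cred instanceof X500Principal) {
        ctx.identcls = X500Principal.class;
    } else if (cred instanceof DistinguishedPrincipalCredential) {
        ctx.identcls = DistinguishedPrincipalCredential.class;
    } else {
        // Any other public credential is assumed to be a certificate credential.
        ctx.identcls = X509CertificateCredential.class;
    }
    return ctx;
}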

Example 4 with SecurityContext

use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.

the class SecurityMechanismSelector method sendUsernameAndPassword.

/**
 * Get the security context to send username and password in the service context.
 *
 * <p>A username/password context is produced when the AS layer of the mechanism requires the
 * client to establish trust, or when the transport layer requires it and SSL client
 * authentication has not already taken place.
 *
 * @param ci the current component invocation, passed on to {@code getUsernameAndPassword}
 * @param sslUsed whether username/password will be sent over plain IIOP or over IIOP/SSL; not
 *        consulted by this method
 * @param clientAuthOccurred whether SSL client authentication already established trust in the client
 * @param mechanism the selected compound security mechanism; {@code null} yields {@code null}
 * @return the security context, or {@code null} when no username/password needs to be sent
 * @exception SecurityMechanismException if there was an error.
 */
private SecurityContext sendUsernameAndPassword(ComponentInvocation ci, boolean sslUsed, boolean clientAuthOccurred, CompoundSecMech mechanism) throws SecurityMechanismException {
    if (mechanism == null) {
        return null;
    }
    AS_ContextSec asContext = mechanism.as_context_mech;
    boolean trustInClientRequired = isSet(asContext.target_requires, EstablishTrustInClient.value)
            || (isSet(mechanism.target_requires, EstablishTrustInClient.value) && !clientAuthOccurred);
    if (!trustInClientRequired) {
        return null;
    }
    SecurityContext usernamePasswordCtx = getUsernameAndPassword(ci, mechanism);
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Sending Username/Password");
    }
    return usernamePasswordCtx;
}

Example 5 with SecurityContext

use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.

the class SecurityMechanismSelector method getUsernameAndPassword.

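/**
 * Get the username and password either from the JAAS subject or from thread local storage. For
 * appclients if login hasn't happened this method would trigger login and popup a user interface to
 * gather authentication information.
 *
 * <p>The Subject is taken from the {@code ClientSecurityContext} for standalone clients and the
 * ACC (driving a username/password login for the ACC when none exists yet), and from the current
 * server-side security context for web/ejb callers. With no {@code PasswordCredential} on the
 * Subject (run-as) only the identity class is set; otherwise every password credential is
 * re-scoped to the realm the server's AS mechanism advertises in {@code target_name} (the default
 * realm when none is advertised) and {@code authcls} is set to {@code PasswordCredential}.
 *
 * @param ci the current component invocation; not consulted here
 * @param mechanism the selected compound security mechanism whose AS layer names the target realm
 * @return the security context, or {@code null} when a standalone client has no
 *         {@code ClientSecurityContext} or when context construction fails (logged at SEVERE)
 * @throws SecurityMechanismException declared for callers
 * @throws LoginException rethrown unchanged when the ACC login fails
 */
private SecurityContext getUsernameAndPassword(ComponentInvocation ci, CompoundSecMech mechanism) throws SecurityMechanismException {
    try {
        Subject s;
        if (isNotServerOrACC()) {
            // Standalone client: the subject comes from the client security context.
            ClientSecurityContext sc = ClientSecurityContext.getCurrent();
            if (sc == null) {
                return null;
            }
            s = sc.getSubject();
            if (_logger.isLoggable(Level.FINE)) {
                // NOTE(review): Subject.toString() also renders private credentials; whether a password
                // can appear here depends on PasswordCredential.toString() — confirm before enabling FINE in production.
                _logger.log(Level.FINE, "SUBJECT:" + s);
            }
        } else if (isACC()) {
            ClientSecurityContext sc = ClientSecurityContext.getCurrent();
            if (sc == null) {
                // No login yet: drive a username/password login (may prompt the user).
                s = LoginContextDriver.doClientLogin(USERNAME_PASSWORD, SecurityServicesUtil.getInstance().getCallbackHandler());
            } else {
                s = sc.getSubject();
            }
        } else {
            // web/ejb
            s = getSubjectFromSecurityCurrent();
            // TODO check if username/password is available
            // if not throw exception
        }
        SecurityContext ctx = new SecurityContext();
        final Subject sub = s;
        ctx.subject = s;
        // Private credentials are permission-checked, hence the privileged read.
        Set<PasswordCredential> privateCredSet = AccessController.doPrivileged(new PrivilegedAction<Set<PasswordCredential>>() {

            @Override
            public Set<PasswordCredential> run() {
                return sub.getPrivateCredentials(PasswordCredential.class);
            }
        });
        if (privateCredSet.isEmpty()) {
            // run-as: identity only, no authentication token will be sent
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "no private credential run as mode");
            }
            ctx.authcls = null;
            ctx.identcls = GSSUPName.class;
            return ctx;
        }
        // Look up the realm name the server requires and scope every PasswordCredential to it.
        AS_ContextSec asContext = mechanism.as_context_mech;
        final byte[] targetName = asContext.target_name;
        byte[] realmBytes;
        if (targetName == null || targetName.length == 0) {
            realmBytes = Realm.getDefaultRealm().getBytes(java.nio.charset.StandardCharsets.UTF_8);
        } else {
            realmBytes = GSSUtils.importName(GSSUtils.GSSUP_MECH_OID, targetName);
        }
        // Decode with an explicit charset rather than the platform default, so a non-ASCII realm name
        // received from the server is not mangled on JVMs whose default charset is not UTF-8.
        // GSSUP exported names are assumed to carry UTF-8 text — confirm against GSSUtils.importName.
        final String realmName = new String(realmBytes, java.nio.charset.StandardCharsets.UTF_8);
        final Iterator<PasswordCredential> it = privateCredSet.iterator();
        while (it.hasNext()) {
            AccessController.doPrivileged(new PrivilegedAction<Object>() {

                @Override
                public Object run() {
                    // next() stays inside the privileged block: reading a private credential may be permission-checked.
                    it.next().setRealm(realmName);
                    return null;
                }
            });
        }
        ctx.authcls = PasswordCredential.class;
        return ctx;
    } catch (LoginException le) {
        // Login failures are reported to the caller as-is, not swallowed below.
        throw le;
    } catch (Exception e) {
        // Deliberate best-effort: any other failure is logged and yields "no context".
        _logger.log(Level.SEVERE, "iiop.user_password_exception", e);
        return null;
    }
}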
