Example 1 with SecurityContext
use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.
the class SecClientRequestInterceptor method send_request.
/**
* send_request() interception point adds the security context to the service context field.
*/
@Override
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
/**
* CSIV2 level 0 implementation only requires stateless clients. Client context id is therefore
* always set to 0.
*/
// CSIV2 requires type to be long
long cContextId = 0;
// XXX: Workaround for non-null connection object ri for local invocation.
ConnectionExecutionContext.removeClientThreadID();
/**
* CSIV2 level 0 implementation does not require any authorization tokens to be sent over the wire.
* So set cAuthzElem to empty.
*/
AuthorizationElement[] cAuthzElem = {};
/* Client identity token to be added to the service context field */
IdentityToken cIdentityToken = null;
/* Client authentication token to be added to the service context field */
byte[] cAuthenticationToken = {};
/* CDR encoded Security Attribute Service element */
byte[] cdr_encoded_saselm = null;
// A single JAAS credential
java.lang.Object cred = null;
if (_logger.isLoggable(Level.FINE))
_logger.log(Level.FINE, "++++ Entered " + prname + "send_request" + "()");
// SecurityContext to be sent
SecurityContext secctxt = null;
ORB orb = orbHelper.getORB();
org.omg.CORBA.Object effective_target = ri.effective_target();
try {
secctxt = secContextUtil.getSecurityContext(effective_target);
} catch (InvalidMechanismException ime) {
_logger.log(Level.SEVERE, "iiop.sec_context_exception", ime);
throw new RuntimeException(ime.getMessage());
} catch (InvalidIdentityTokenException iite) {
_logger.log(Level.SEVERE, "iiop.runtime_exception", iite);
throw new RuntimeException(iite.getMessage());
}
/**
* In an unprotected invocation, there is nothing to be sent to the service context field. Check for
* this case.
*/
if (secctxt == null) {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Security context is null (nothing to add to service context)");
}
return;
}
final SecurityContext sCtx = secctxt;
/* Construct an authentication token */
if (secctxt.authcls != null) {
cred = AccessController.doPrivileged(new PrivilegedAction() {
@Override
public java.lang.Object run() {
return getCred(sCtx.subject.getPrivateCredentials(sCtx.authcls), sCtx.authcls);
}
});
try {
SecurityMechanismSelector sms = Lookups.getSecurityMechanismSelector();
ConnectionContext cc = sms.getClientConnectionContext();
CompoundSecMech mech = cc.getMechanism();
cAuthenticationToken = createAuthToken(cred, secctxt.authcls, orb, mech);
} catch (Exception e) {
_logger.log(Level.SEVERE, "iiop.createauthtoken_exception", e);
throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_authtok_create", "Error while constructing an authentication token."));
}
}
/* Construct an identity token */
if (secctxt.identcls != null) {
cred = getCred(secctxt.subject.getPublicCredentials(secctxt.identcls), secctxt.identcls);
try {
cIdentityToken = createIdToken(cred, secctxt.identcls, orb);
} catch (Exception e) {
_logger.log(Level.SEVERE, "iiop.createidtoken_exception", e);
throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_idtok_create", "Error while constructing an identity token."));
}
} else {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Constructing an Absent Identity Token");
}
cIdentityToken = new IdentityToken();
cIdentityToken.absent(true);
}
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Creating an EstablishContext message");
}
EstablishContext ec = new EstablishContext(cContextId, cAuthzElem, cIdentityToken, cAuthenticationToken);
SASContextBody sasctxbody = new SASContextBody();
sasctxbody.establish_msg(ec);
/* CDR encode the SASContextBody */
Any SasAny = orb.create_any();
SASContextBodyHelper.insert(SasAny, sasctxbody);
try {
cdr_encoded_saselm = codec.encode_value(SasAny);
} catch (Exception e) {
_logger.log(Level.SEVERE, "iiop.encode_exception", e);
throw new SecurityException(localStrings.getLocalString("secclientreqinterceptor.err_cdr_encode", "CDR Encoding error for a SAS context element."));
}
/* add SAS element to service context list */
ServiceContext sc = new ServiceContext();
sc.context_id = SECURITY_ATTRIBUTE_SERVICE_ID;
sc.context_data = cdr_encoded_saselm;
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Adding EstablishContext message to service context list");
}
boolean no_replace = false;
ri.add_request_service_context(sc, no_replace);
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Added EstablishContext message to service context list");
}
}
Also used :
Any(org.omg.CORBA.Any)
PrivilegedAction(java.security.PrivilegedAction)
EstablishContext(com.sun.corba.ee.org.omg.CSI.EstablishContext)
MTCompleteEstablishContext(com.sun.corba.ee.org.omg.CSI.MTCompleteEstablishContext)
CompoundSecMech(com.sun.corba.ee.org.omg.CSIIOP.CompoundSecMech)
ServiceContext(org.omg.IOP.ServiceContext)
SASContextBody(com.sun.corba.ee.org.omg.CSI.SASContextBody)
AuthorizationElement(com.sun.corba.ee.org.omg.CSI.AuthorizationElement)
IdentityToken(com.sun.corba.ee.org.omg.CSI.IdentityToken)
SecurityContext(com.sun.enterprise.common.iiop.security.SecurityContext)
ORB(org.omg.CORBA.ORB)
Example 2 with SecurityContext
use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.
the class Counter method receive_request.
@Override
public void receive_request(ServerRequestInfo serverRequestInfo) throws ForwardRequest {
// SecurityContext to be sent
SecurityContext securityContext = null;
// service context
ServiceContext serviceContext = null;
int status = 0;
if (logger.isLoggable(Level.FINE)) {
logger.log(Level.FINE, "++++ Entered " + prname + "receive_request");
}
ORB orb = orbHelper.getORB();
try {
serviceContext = serverRequestInfo.get_request_service_context(SECURITY_ATTRIBUTE_SERVICE_ID);
if (serviceContext == null) {
handle_null_service_context(serverRequestInfo, orb);
return;
}
} catch (BAD_PARAM e) {
handle_null_service_context(serverRequestInfo, orb);
return;
}
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Received a non null SAS context element");
}
// Decode the service context field
Any SasAny;
try {
SasAny = codec.decode_value(serviceContext.context_data, SASContextBodyHelper.type());
} catch (Exception e) {
logger.log(SEVERE, "iiop.decode_exception", e);
throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_cdr_decode", "CDR Decoding error for SAS context element."));
}
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Successfully decoded CDR encoded SAS context element.");
}
SASContextBody sasctxbody = SASContextBodyHelper.extract(SasAny);
short sasdiscr = sasctxbody.discriminator();
if (logger.isLoggable(FINE)) {
logger.log(FINE, "SAS context element is a/an " + SvcContextUtils.getMsgname(sasdiscr) + " message");
}
if (sasdiscr == MTMessageInContext.value) {
sasctxbody = createContextError(SvcContextUtils.MessageInContextMinor);
serviceContext = createSvcContext(sasctxbody, orb);
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Adding ContextError message to service context list");
logger.log(FINE, "SecurityContext set to null");
}
serverRequestInfo.add_reply_service_context(serviceContext, NO_REPLACE);
throw new NO_PERMISSION();
}
if (sasdiscr != MTEstablishContext.value) {
logger.log(SEVERE, "iiop.not_establishcontext_msg");
throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_not_ec_msg", "Received message not an EstablishContext message."));
}
EstablishContext establishContext = sasctxbody.establish_msg();
securityContext = new SecurityContext();
securityContext.subject = new Subject();
try {
if (establishContext.client_authentication_token.length != 0) {
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Message contains Client Authentication Token");
}
createAuthCredential(securityContext, establishContext.client_authentication_token, orb);
}
} catch (Exception e) {
logger.log(SEVERE, "iiop.authentication_exception", e);
throw new SecurityException(localStrings.getLocalString("secsercverreqinterceptor.err_cred_create", "Error while creating a JAAS subject credential."));
}
try {
if (establishContext.identity_token != null) {
if (logger.isLoggable(Level.FINE)) {
logger.log(Level.FINE, "Message contains an Identity Token");
}
createIdCred(securityContext, establishContext.identity_token);
}
} catch (SecurityException secex) {
logger.log(SEVERE, "iiop.security_exception", secex);
sasctxbody = createContextError(INVALID_MECHANISM_MAJOR, INVALID_MECHANISM_MINOR);
serviceContext = createSvcContext(sasctxbody, orb);
serverRequestInfo.add_reply_service_context(serviceContext, NO_REPLACE);
throw new NO_PERMISSION();
} catch (Exception e) {
logger.log(SEVERE, "iiop.generic_exception", e);
throw new SecurityException(localStrings.getLocalString("secsercverreqinterceptor.err_cred_create", "Error while creating a JAAS subject credential."));
}
if (logger.isLoggable(Level.FINE)) {
logger.log(Level.FINE, "Invoking setSecurityContext() to set security context");
}
status = secContextUtil.setSecurityContext(securityContext, serverRequestInfo.object_id(), serverRequestInfo.operation(), getServerSocket());
if (logger.isLoggable(Level.FINE)) {
logger.log(Level.FINE, "setSecurityContext() returned status code " + status);
}
/**
* CSIV2 SPEC NOTE:
*
* If ec.client_context_id is non zero, then this is a stateful request. As specified in section
* 4.2.1, a stateless server must attempt to validate the security tokens in the security context
* field. If validation succeeds then CompleteEstablishContext message is sent back. If validation
* fails, a ContextError must be sent back.
*/
if (status == STATUS_FAILED) {
if (logger.isLoggable(FINE)) {
logger.log(FINE, "setSecurityContext() returned STATUS_FAILED");
}
sasctxbody = createContextError(status);
serviceContext = createSvcContext(sasctxbody, orb);
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Adding ContextError message to service context list");
}
serverRequestInfo.add_reply_service_context(serviceContext, NO_REPLACE);
throw new NO_PERMISSION();
}
if (logger.isLoggable(FINE)) {
logger.log(FINE, "setSecurityContext() returned SUCCESS");
}
sasctxbody = createCompleteEstablishContext(status);
serviceContext = createSvcContext(sasctxbody, orb);
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Adding CompleteEstablisContext message to service context list");
}
serverRequestInfo.add_reply_service_context(serviceContext, NO_REPLACE);
}
Also used :
NO_PERMISSION(org.omg.CORBA.NO_PERMISSION)
ServiceContext(org.omg.IOP.ServiceContext)
BAD_PARAM(org.omg.CORBA.BAD_PARAM)
SASContextBody(com.sun.corba.ee.org.omg.CSI.SASContextBody)
Any(org.omg.CORBA.Any)
Subject(javax.security.auth.Subject)
SecurityContext(com.sun.enterprise.common.iiop.security.SecurityContext)
CompleteEstablishContext(com.sun.corba.ee.org.omg.CSI.CompleteEstablishContext)
MTEstablishContext(com.sun.corba.ee.org.omg.CSI.MTEstablishContext)
EstablishContext(com.sun.corba.ee.org.omg.CSI.EstablishContext)
ORB(org.omg.CORBA.ORB)
Example 3 with SecurityContext
use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.
the class SecurityMechanismSelector method getIdentity.
/**
* Get the principal/distinguished name from thread local storage.
*
* @return the security context.
*/
private SecurityContext getIdentity() throws SecurityMechanismException {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Getting PRINCIPAL/DN from TLS");
}
SecurityContext ctx = new SecurityContext();
final SecurityContext sCtx = ctx;
// get stuff from the SecurityContext class
com.sun.enterprise.security.SecurityContext scontext = com.sun.enterprise.security.SecurityContext.getCurrent();
if ((scontext == null) || scontext.didServerGenerateCredentials()) {
// a default guest/guest123 was created
sCtx.identcls = AnonCredential.class;
AccessController.doPrivileged(new PrivilegedAction<Object>() {
@Override
public java.lang.Object run() {
// remove all the public and private credentials
Subject sub = new Subject();
sCtx.subject = sub;
sCtx.subject.getPublicCredentials().add(new AnonCredential());
return null;
}
});
return sCtx;
}
Subject s = getSubjectFromSecurityCurrent();
ctx.subject = s;
// Figure out the credential class
final Subject sub = s;
Set<PasswordCredential> credSet = AccessController.doPrivileged(new PrivilegedAction<Set>() {
@Override
public Set run() {
return sub.getPrivateCredentials(PasswordCredential.class);
}
});
if (credSet.size() == 1) {
ctx.identcls = GSSUPName.class;
final Set cs = credSet;
Subject subj = AccessController.doPrivileged(new PrivilegedAction<Subject>() {
@Override
public Subject run() {
Subject ss = new Subject();
Iterator<PasswordCredential> iter = cs.iterator();
PasswordCredential pc = iter.next();
GSSUPName gssname = new GSSUPName(pc.getUser(), pc.getRealm());
ss.getPublicCredentials().add(gssname);
return ss;
}
});
ctx.subject = subj;
return ctx;
}
Set pubCredSet = s.getPublicCredentials();
if (pubCredSet.size() != 1) {
_logger.log(Level.SEVERE, "iiop.principal_error");
return null;
} else {
Iterator credIter = pubCredSet.iterator();
if (credIter.hasNext()) {
Object o = credIter.next();
if (o instanceof GSSUPName) {
ctx.identcls = GSSUPName.class;
} else if (o instanceof X500Principal) {
ctx.identcls = X500Principal.class;
} else if (o instanceof DistinguishedPrincipalCredential) {
ctx.identcls = DistinguishedPrincipalCredential.class;
} else {
ctx.identcls = X509CertificateCredential.class;
}
} else {
_logger.log(Level.SEVERE, "iiop.credential_error");
return null;
}
}
return ctx;
}
Also used :
PasswordCredential(com.sun.enterprise.security.auth.login.common.PasswordCredential)
DistinguishedPrincipalCredential(com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential)
Subject(javax.security.auth.Subject)
GSSUPName(com.sun.enterprise.common.iiop.security.GSSUPName)
ClientSecurityContext(com.sun.enterprise.security.common.ClientSecurityContext)
SecurityContext(com.sun.enterprise.common.iiop.security.SecurityContext)
X500Principal(javax.security.auth.x500.X500Principal)
AnonCredential(com.sun.enterprise.common.iiop.security.AnonCredential)
Example 4 with SecurityContext
use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.
the class SecurityMechanismSelector method sendUsernameAndPassword.
/**
* Get the security context to send username and password in the service context.
*
* @param whether username/password will be sent over plain IIOP or over IIOP/SSL.
* @return the security context.
* @exception SecurityMechanismException if there was an error.
*/
private SecurityContext sendUsernameAndPassword(ComponentInvocation ci, boolean sslUsed, boolean clientAuthOccurred, CompoundSecMech mechanism) throws SecurityMechanismException {
SecurityContext ctx = null;
if (mechanism == null) {
return null;
}
AS_ContextSec asContext = mechanism.as_context_mech;
if (isSet(asContext.target_requires, EstablishTrustInClient.value) || (isSet(mechanism.target_requires, EstablishTrustInClient.value) && !clientAuthOccurred)) {
ctx = getUsernameAndPassword(ci, mechanism);
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Sending Username/Password");
}
} else {
return null;
}
return ctx;
}
Also used :
ClientSecurityContext(com.sun.enterprise.security.common.ClientSecurityContext)
SecurityContext(com.sun.enterprise.common.iiop.security.SecurityContext)
Example 5 with SecurityContext
use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.
the class SecurityMechanismSelector method getUsernameAndPassword.
/**
* Get the username and password either from the JAAS subject or from thread local storage. For
* appclients if login has'nt happened this method would trigger login and popup a user interface to
* gather authentication information.
*
* @return the security context.
*/
private SecurityContext getUsernameAndPassword(ComponentInvocation ci, CompoundSecMech mechanism) throws SecurityMechanismException {
try {
Subject s = null;
if (isNotServerOrACC()) {
// Standalone client ... Changed the security context
// from which to fetch the subject
ClientSecurityContext sc = ClientSecurityContext.getCurrent();
if (sc == null) {
return null;
}
s = sc.getSubject();
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "SUBJECT:" + s);
}
} else {
if (isACC()) {
// get the subject
ClientSecurityContext sc = ClientSecurityContext.getCurrent();
if (sc == null) {
s = LoginContextDriver.doClientLogin(USERNAME_PASSWORD, SecurityServicesUtil.getInstance().getCallbackHandler());
} else {
s = sc.getSubject();
}
} else {
// web/ejb
s = getSubjectFromSecurityCurrent();
// TODO check if username/password is available
// if not throw exception
}
}
SecurityContext ctx = new SecurityContext();
final Subject sub = s;
ctx.subject = s;
// determining if run-as has been used
Set<PasswordCredential> privateCredSet = AccessController.doPrivileged(new PrivilegedAction<Set>() {
@Override
public Set run() {
return sub.getPrivateCredentials(PasswordCredential.class);
}
});
if (privateCredSet.isEmpty()) {
// this is runas case dont set
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "no private credential run as mode");
}
// the auth class
ctx.authcls = null;
ctx.identcls = GSSUPName.class;
} else {
/**
* lookup the realm name that is required by the server and set it up in the PasswordCredential
* class.
*/
AS_ContextSec asContext = mechanism.as_context_mech;
final byte[] target_name = asContext.target_name;
byte[] _realm = null;
if (target_name == null || target_name.length == 0) {
_realm = Realm.getDefaultRealm().getBytes();
} else {
_realm = GSSUtils.importName(GSSUtils.GSSUP_MECH_OID, target_name);
}
final String realm_name = new String(_realm);
final Iterator it = privateCredSet.iterator();
for (; it.hasNext(); ) {
AccessController.doPrivileged(new PrivilegedAction<Object>() {
@Override
public java.lang.Object run() {
PasswordCredential pc = (PasswordCredential) it.next();
pc.setRealm(realm_name);
return null;
}
});
}
ctx.authcls = PasswordCredential.class;
}
return ctx;
} catch (LoginException le) {
throw le;
} catch (Exception e) {
_logger.log(Level.SEVERE, "iiop.user_password_exception", e);
return null;
}
}
Also used :
ClientSecurityContext(com.sun.enterprise.security.common.ClientSecurityContext)
PasswordCredential(com.sun.enterprise.security.auth.login.common.PasswordCredential)
Subject(javax.security.auth.Subject)
LoginException(com.sun.enterprise.security.auth.login.common.LoginException)
ClientSecurityContext(com.sun.enterprise.security.common.ClientSecurityContext)
SecurityContext(com.sun.enterprise.common.iiop.security.SecurityContext)
LoginException(com.sun.enterprise.security.auth.login.common.LoginException)
Aggregations
SecurityContext (com.sun.enterprise.common.iiop.security.SecurityContext)10
ClientSecurityContext (com.sun.enterprise.security.common.ClientSecurityContext)6
Subject (javax.security.auth.Subject)4
EstablishContext (com.sun.corba.ee.org.omg.CSI.EstablishContext)2
SASContextBody (com.sun.corba.ee.org.omg.CSI.SASContextBody)2
AnonCredential (com.sun.enterprise.common.iiop.security.AnonCredential)2
LoginException (com.sun.enterprise.security.auth.login.common.LoginException)2
PasswordCredential (com.sun.enterprise.security.auth.login.common.PasswordCredential)2
X500Principal (javax.security.auth.x500.X500Principal)2
Any (org.omg.CORBA.Any)2
ORB (org.omg.CORBA.ORB)2
ServiceContext (org.omg.IOP.ServiceContext)2
AuthorizationElement (com.sun.corba.ee.org.omg.CSI.AuthorizationElement)1
CompleteEstablishContext (com.sun.corba.ee.org.omg.CSI.CompleteEstablishContext)1
IdentityToken (com.sun.corba.ee.org.omg.CSI.IdentityToken)1
MTCompleteEstablishContext (com.sun.corba.ee.org.omg.CSI.MTCompleteEstablishContext)1
MTEstablishContext (com.sun.corba.ee.org.omg.CSI.MTEstablishContext)1
CompoundSecMech (com.sun.corba.ee.org.omg.CSIIOP.CompoundSecMech)1
IOR (com.sun.corba.ee.spi.ior.IOR)1
GSSUPName (com.sun.enterprise.common.iiop.security.GSSUPName)1
