Examples with SecurityContext com.sun.enterprise.common.iiop.security.SecurityContext used on opensource projects

Example 6 with SecurityContext

use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.

the class SecurityContextUtil method getSecurityContext.

/**
 * This is called by the CSIv2 interceptor on the client before sending the IIOP message.
 *
 * @param the effective_target field of the PortableInterceptor ClientRequestInfo object.
 * @return a SecurityContext which is marshalled into the IIOP msg by the CSIv2 interceptor.
 */
public SecurityContext getSecurityContext(org.omg.CORBA.Object effective_target) throws InvalidMechanismException, InvalidIdentityTokenException {
    SecurityContext context = null;
    assert (orbHelper != null);
    IOR ior = ((com.sun.corba.ee.spi.orb.ORB) orbHelper.getORB()).getIOR(effective_target, false);
    if (StubAdapter.isStub(effective_target)) {
        if (StubAdapter.isLocal(effective_target)) {
            // XXX: Workaround for non-null connection object ri for local invocation.
            ConnectionExecutionContext.setClientThreadID(Thread.currentThread().getId());
            return null;
        }
    }
    try {
        context = sms.selectSecurityContext(ior);
    } catch (InvalidMechanismException ime) {
        // let this pass ahead
        _logger.log(Level.SEVERE, "iiop.invalidmechanism_exception", ime);
        throw new InvalidMechanismException(ime.getMessage());
    } catch (InvalidIdentityTokenException iite) {
        _logger.log(Level.SEVERE, "iiop.invalididtoken_exception", iite);
        throw new InvalidIdentityTokenException(iite.getMessage());
    // let this pass ahead
    } catch (SecurityMechanismException sme) {
        _logger.log(Level.SEVERE, "iiop.secmechanism_exception", sme);
        throw new RuntimeException(sme.getMessage());
    }
    return context;
}

Example 7 with SecurityContext

use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.

the class SecurityContextUtil method setSecurityContext.

/**
 * This is called by the CSIv2 interceptor on the server after receiving the IIOP message. If
 * authentication fails a FAILED status is returned. If a FAILED status is returned the CSIV2
 * Intercepter will marshal the MessageError service context and throw the NO_PERMISSION exception.
 *
 * @param the SecurityContext which arrived in the IIOP message.
 * @return the status
 */
public int setSecurityContext(SecurityContext context, byte[] objectId, String method, Socket socket) {
    _logger.log(Level.FINE, "ABOUT TO EVALUATE TRUST");
    try {
        // First check if the client sent the credentials as required by the object's CSIv2 policy.
        // EvaluateTrust will throw an exception if client did not conform to security policy.
        SecurityContext securityContext = securityMechanismSelector.evaluateTrust(context, objectId, socket);
        if (securityContext == null) {
            return STATUS_PASSED;
        }
        // Authenticate the client. An Exception is thrown if login fails.
        // SecurityContext is set on current thread if login succeeds.
        authenticate(securityContext.getSubject(), securityContext.getCredentialClass());
        // Auth for EJB objects is done in BaseContainer.preInvoke().
        if (authorizeCORBA(objectId, method)) {
            return STATUS_PASSED;
        }
        return STATUS_FAILED;
    } catch (Exception e) {
        if (!method.equals(IS_A)) {
            if (_logger.isLoggable(FINE)) {
                _logger.log(FINE, "iiop.authenticate_exception", e.toString());
            }
            _logger.log(Level.FINE, "Authentication Exception", e);
        }
        return STATUS_FAILED;
    }
}

Example 8 with SecurityContext

use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.

the class SecurityMechanismSelector method propagateIdentity.

/**
 * Get the security context to propagate principal/distinguished name in the service context.
 *
 * @param clientAuth whether SSL client authentication has happened.
 * @return the security context.
 * @exception SecurityMechanismException if there was an error.
 */
private SecurityContext propagateIdentity(boolean clientAuth, ComponentInvocation ci, CompoundSecMech mechanism) throws InvalidIdentityTokenException, InvalidMechanismException, SecurityMechanismException {
    SecurityContext ctx = null;
    if (mechanism == null) {
        return null;
    }
    AS_ContextSec asContext = mechanism.as_context_mech;
    SAS_ContextSec sasContext = mechanism.sas_context_mech;
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "SAS CONTEXT's target_requires=" + sasContext.target_requires);
        _logger.log(Level.FINE, "SAS CONTEXT's target_supports=" + sasContext.target_supports);
    }
    if (isSet(asContext.target_requires, EstablishTrustInClient.value)) {
        ctx = getUsernameAndPassword(ci, mechanism);
        if (ctx.authcls == null) {
            // run as mode cannot send password
            String errmsg = localStrings.getLocalString("securitymechansimselector.runas_cannot_propagate_username_password", "Cannot propagate username/password required by target when using run as identity");
            _logger.log(Level.SEVERE, "iiop.runas_error", errmsg);
            throw new SecurityMechanismException(errmsg);
        }
    } else if (isSet(sasContext.target_supports, IdentityAssertion.value) || isSet(sasContext.target_requires, IdentityAssertion.value)) {
        // mechanisms and the identity token supported
        if (!isIdentityTypeSupported(sasContext)) {
            String errmsg = localStrings.getLocalString("securitymechanismselector.invalid_identity_type", "The given identity token is unsupported.");
            throw new InvalidIdentityTokenException(errmsg);
        }
        if (sasContext.target_supports == IdentityAssertion.value) {
            if (!isMechanismSupported(sasContext)) {
                String errmsg = localStrings.getLocalString("securitymechanismselector.invalid_mechanism", "The given mechanism type is unsupported.");
                _logger.log(Level.SEVERE, "iiop.unsupported_type_error", errmsg);
                throw new InvalidMechanismException(errmsg);
            }
        }
        // propagate principal/certificate/distinguished name
        ctx = getIdentity();
    } else if (isSet(asContext.target_supports, EstablishTrustInClient.value)) {
        if (clientAuth) {
            // client auth done we can send password
            ctx = getUsernameAndPassword(ci, mechanism);
            if (ctx.authcls == null) {
                // runas mode dont have username/password
                return null;
            // dont really need to send it too
            }
        } else {
            // not sending anything for unauthenticated client
            return null;
        }
    } else {
        // will never come here
        return null;
    }
    return ctx;
}

Example 9 with SecurityContext

use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.

the class SecurityMechanismSelector method selectSecurityContext.

/**
 * Select the security context to be used by the CSIV2 layer based on whether the current component
 * is an application client or a web/EJB component.
 */
public SecurityContext selectSecurityContext(IOR ior) throws InvalidIdentityTokenException, InvalidMechanismException, SecurityMechanismException {
    SecurityContext context = null;
    ConnectionContext cc = new ConnectionContext();
    // print CSIv2 mechanism definition in IOR
    if (traceIORs()) {
        _logger.info("\nCSIv2 Mechanism List:" + getSecurityMechanismString(ctc, ior));
    }
    getSSLPort(ior, cc);
    setClientConnectionContext(cc);
    CompoundSecMech mechanism = cc.getMechanism();
    if (mechanism == null) {
        return null;
    }
    boolean sslUsed = cc.getSSLUsed();
    boolean clientAuthOccurred = cc.getSSLClientAuthenticationOccurred();
    // Standalone client
    if (isNotServerOrACC()) {
        context = getSecurityContextForAppClient(null, sslUsed, clientAuthOccurred, mechanism);
        return context;
    }
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "SSL used:" + sslUsed + " SSL Mutual auth:" + clientAuthOccurred);
    }
    ComponentInvocation ci = null;
    if (isACC()) {
        context = getSecurityContextForAppClient(ci, sslUsed, clientAuthOccurred, mechanism);
    } else {
        context = getSecurityContextForWebOrEJB(ci, sslUsed, clientAuthOccurred, mechanism);
    }
    return context;
}

Example 10 with SecurityContext

use of com.sun.enterprise.common.iiop.security.SecurityContext in project Payara by payara.

the class SecurityMechanismSelector method evaluateTrust.

/**
 * Called by the target to interpret client credentials after validation.
 */
public SecurityContext evaluateTrust(SecurityContext securityContext, byte[] objectId, Socket socket) throws SecurityMechanismException {
    // sslUsed is true if SSL was used.
    boolean sslUsed = false;
    // X509 Certificicate chain is non null if client has authenticated at the SSL level.
    X509Certificate[] certChain = null;
    // If the test for client conformance passes, then set the security context.
    if (socket instanceof SSLSocket) {
        // SSL was used
        sslUsed = true;
        // Check if there is a transport principal
        SSLSocket sslSock = (SSLSocket) socket;
        SSLSession sslSession = sslSock.getSession();
        try {
            certChain = (X509Certificate[]) sslSession.getPeerCertificates();
        } catch (Exception e) {
            _logger.log(FINE, "iiop.cannot_get_peercert", e);
        }
    }
    // For a local invocation - we don't need to check the security
    // policies. The following condition guarantees the call is local
    // and thus bypassing policy checks.
    // XXX: Workaround for non-null connection object ri for local invocation.
    Long clientID = ConnectionExecutionContext.readClientThreadID();
    if (clientID != null && clientID == Thread.currentThread().getId() && securityContext == null) {
        return null;
    }
    if (!evaluateClientConformance(securityContext, objectId, sslUsed, certChain)) {
        throw new SecurityMechanismException("Trust evaluation failed because " + "client does not conform to configured security policies");
    }
    if (securityContext == null) {
        if (socket == null || !sslUsed || certChain == null) {
            // Note: if the target object is not an EJB, no security ctx is needed.
            return null;
        } else {
            // Set the transport principal in subject and
            // return the X500Principal class
            securityContext = new SecurityContext();
            X500Principal x500principal = certChain[0].getSubjectX500Principal();
            securityContext.subject = new Subject();
            securityContext.subject.getPublicCredentials().add(x500principal);
            securityContext.identcls = X500Principal.class;
            securityContext.authcls = null;
            return securityContext;
        }
    }
    Class<?> authCls = securityContext.authcls;
    Class<?> identCls = securityContext.identcls;
    securityContext.authcls = null;
    securityContext.identcls = null;
    if (identCls != null) {
        securityContext.identcls = identCls;
    } else if (authCls != null) {
        securityContext.authcls = authCls;
    } else {
        securityContext.identcls = AnonCredential.class;
    }
    return securityContext;
}