
Example 6 with EjbIORConfigurationDescriptor

use of com.sun.enterprise.deployment.EjbIORConfigurationDescriptor in project Payara by payara.

the class SecurityMechanismSelector method evaluateClientConformance.

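/**
 * Evaluates a client's conformance to the security policies configured on the target. Returns true
 * if conformant to the security policies otherwise return false.
 *
 * Conformance checking is done as follows: First, the object_id is mapped to the set of
 * EjbIORConfigurationDescriptor. Each EjbIORConfigurationDescriptor corresponds to a single
 * CompoundSecMechanism of the CSIv2 spec. A client is considered to be conformant if a
 * CompoundSecMechanism consistent with the client's actions is found i.e. transport_mech,
 * as_context_mech and sas_context_mech must all be consistent.
 *
 * @param ctx       the security context established for this invocation
 * @param objectId  the target object key; {@code null} means there is nothing to evaluate
 * @param sslUsed   whether the request arrived over SSL
 * @param certchain the client certificate chain presented on the transport, if any
 * @return {@code true} if a configured mechanism matches the client's actions, if no policy is
 *         configured, or if conformance checking was skipped for a descriptor and no later
 *         descriptor failed a check; {@code false} otherwise
 */
private boolean evaluateClientConformance(SecurityContext ctx, byte[] objectId, boolean sslUsed, X509Certificate[] certchain) {
    // If objectId is null then nothing to evaluate. This is a sanity check - the objectId should never be null.
    if (objectId == null) {
        return true;
    }
    if (protocolMgr == null) {
        protocolMgr = orbHelper.getProtocolManager();
    }
    // NOTE(review): the original comment here was truncated. The code treats a missing protocol
    // manager as "nothing to check"; the fragment that survived suggests this is the case where
    // the invocation is on a callback object in the client VM — confirm.
    if (protocolMgr == null) {
        return true;
    }
    EjbDescriptor ejbDesc = protocolMgr.getEjbDescriptor(objectId);
    Set<EjbIORConfigurationDescriptor> iorDescSet;
    if (ejbDesc != null) {
        iorDescSet = ejbDesc.getIORConfigurationDescriptors();
    } else {
        // Probably a non-EJB CORBA object.
        // Create a temporary EjbIORConfigurationDescriptor.
        iorDescSet = getCorbaIORDescSet();
    }
    if (_logger.isLoggable(FINE)) {
        _logger.log(FINE, "SecurityMechanismSelector.evaluate_client_conformance: iorDescSet: " + iorDescSet);
    }
    /*
     * if there are no IORConfigurationDescriptors configured, then no security policy is configured. So
     * consider the client to be conformant.
     */
    if (iorDescSet.isEmpty()) {
        return true;
    }
    // Go through each EjbIORConfigurationDescriptor trying to find
    // a CompoundSecMechanism that matches client's actions.
    //
    // NOTE(review): when one descriptor is skipped and another fails a check, the final result
    // depends on iteration order: a later failure clears checkSkipped, a later skip sets it again.
    // If iorDescSet is unordered this is nondeterministic — confirm whether "skipped" or "failed"
    // is meant to win.
    boolean checkSkipped = false;
    for (EjbIORConfigurationDescriptor iorDesc : iorDescSet) {
        if (skip_client_conformance(iorDesc)) {
            _logger.log(FINE, "SecurityMechanismSelector.evaluate_client_conformance: skip_client_conformance");
            checkSkipped = true;
            continue;
        }
        // Transport mechanism check; bypassed entirely when the SSL check is globally disabled.
        if (!GlassFishORBManager.disableSSLCheck()
                && !evaluate_client_conformance_ssl(iorDesc, sslUsed, certchain)) {
            _logger.log(FINE, "SecurityMechanismSelector.evaluate_client_conformance: evaluate_client_conformance_ssl");
            checkSkipped = false;
            continue;
        }
        // Realm resolution: the application's realm wins; the descriptor's realm is consulted only
        // when the application exists but declares none; otherwise "default".
        String realmName = "default";
        if (ejbDesc != null && ejbDesc.getApplication() != null) {
            realmName = ejbDesc.getApplication().getRealm();
        }
        if (realmName == null) {
            realmName = iorDesc.getRealmName();
        }
        if (realmName == null) {
            realmName = "default";
        }
        // Authentication-service (as_context) check.
        if (!evaluate_client_conformance_ascontext(ctx, iorDesc, realmName)) {
            _logger.log(FINE, "SecurityMechanismSelector.evaluate_client_conformance: evaluate_client_conformance_ascontext");
            checkSkipped = false;
            continue;
        }
        // Security-attribute-service (sas_context) check.
        if (!evaluate_client_conformance_sascontext(ctx, iorDesc)) {
            _logger.log(FINE, "SecurityMechanismSelector.evaluate_client_conformance: evaluate_client_conformance_sascontext");
            checkSkipped = false;
            continue;
        }
        // security policy matched.
        return true;
    }
    if (checkSkipped) {
        return true;
    }
    // No matching security policy found
    return false;
}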

Example 7 with EjbIORConfigurationDescriptor

use of com.sun.enterprise.deployment.EjbIORConfigurationDescriptor in project Payara by payara.

the class CSIV2TaggedComponentInfo method getIORConfigurationDescriptors.

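/**
 * Returns the IOR configuration descriptors for an EJB, synthesizing a default set when the
 * deployment descriptor declares none.
 *
 * The returned set is the descriptor's own set and is mutated in place when defaults are added:
 * one mechanism with integrity, confidentiality and client trust all SUPPORTED; if the bean has
 * permissioned roles, that mechanism additionally requires an authentication method and carries the
 * application's realm (or DEFAULT_REALM), and a second, non-authenticating mechanism is added when at
 * least one method permission is unchecked.
 *
 * @param ejbDescriptor the EJB whose descriptors are requested; may be {@code null}
 * @return the (possibly augmented) descriptor set, or {@code null} when {@code ejbDescriptor} is
 *         {@code null}
 */
private Set<EjbIORConfigurationDescriptor> getIORConfigurationDescriptors(EjbDescriptor ejbDescriptor) {
    if (ejbDescriptor == null) {
        return null;
    }
    Set<EjbIORConfigurationDescriptor> iorDescriptors = ejbDescriptor.getIORConfigurationDescriptors();
    if (!iorDescriptors.isEmpty()) {
        return iorDescriptors;
    }
    // No IOR config descriptors:
    // Either none were configured or 1.2.x app.
    // Create an IOR config desc with SSL supported
    EjbIORConfigurationDescriptor iorDescriptor = newSslSupportedDescriptor();
    iorDescriptors.add(iorDescriptor);
    // Check if method permissions are set on the descriptor.
    // If they are then enable username_password mechanism in as_context
    if (ejbDescriptor.getPermissionedRoles().isEmpty()) {
        return iorDescriptors;
    }
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "IIOP:Application has protected methods");
    }
    iorDescriptor.setAuthMethodRequired(true);
    String realmName = DEFAULT_REALM;
    if (ejbDescriptor.getApplication() != null) {
        realmName = ejbDescriptor.getApplication().getRealm();
    }
    if (realmName == null) {
        realmName = DEFAULT_REALM;
    }
    iorDescriptor.setRealmName(realmName);
    // NOTE(review): the original comment here was truncated. The surviving fragment reads
    // "(... methods should still happen later, this is simply to allow lookup)": when any method
    // permission is unchecked, a second mechanism without authMethodRequired is added so that
    // unauthenticated lookup is possible; per-method authorization is expected to be enforced
    // later — confirm.
    for (MethodPermission methodPermission : ejbDescriptor.getMethodPermissionsFromDD().keySet()) {
        if (methodPermission.isUnchecked()) {
            EjbIORConfigurationDescriptor uncheckedDescriptor = newSslSupportedDescriptor();
            uncheckedDescriptor.setRealmName(realmName);
            iorDescriptors.add(uncheckedDescriptor);
            break;
        }
    }
    return iorDescriptors;
}

/**
 * Creates a descriptor whose integrity, confidentiality and establish-trust-in-client options are
 * all set to SUPPORTED (SSL allowed but not demanded).
 *
 * @return a fresh descriptor with no realm and no authentication requirement
 */
private EjbIORConfigurationDescriptor newSslSupportedDescriptor() {
    EjbIORConfigurationDescriptor descriptor = new EjbIORConfigurationDescriptor();
    descriptor.setIntegrity(SUPPORTED);
    descriptor.setConfidentiality(SUPPORTED);
    descriptor.setEstablishTrustInClient(SUPPORTED);
    return descriptor;
}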

Example 8 with EjbIORConfigurationDescriptor

use of com.sun.enterprise.deployment.EjbIORConfigurationDescriptor in project Payara by payara.

the class CSIV2TaggedComponentInfo method allMechanismsRequireSSL.

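/**
 * This method determines if all the mechanisms defined in the CSIV2 CompoundSecMechList structure
 * require protected invocations.
 *
 * @param iorDescSet the IOR configuration descriptors, one per CompoundSecMech; every element is
 *                   expected to be an {@link EjbIORConfigurationDescriptor} (the parameter is left
 *                   raw to keep the existing signature)
 * @return {@code false} if the set is empty or any descriptor's target_requires value is 0 (that
 *         mechanism demands no transport protection); {@code true} otherwise
 * @throws ClassCastException if an element is not an {@link EjbIORConfigurationDescriptor}
 */
public boolean allMechanismsRequireSSL(Set iorDescSet) {
    // An empty mechanism list is reported as "not all require SSL", not as vacuously true.
    if (iorDescSet.isEmpty()) {
        return false;
    }
    for (Object element : iorDescSet) {
        EjbIORConfigurationDescriptor iorDesc = (EjbIORConfigurationDescriptor) element;
        // A single mechanism reachable without transport protection is enough to answer false.
        if (getTargetRequires(iorDesc) == 0) {
            return false;
        }
    }
    return true;
}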
