Use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
Class EJBSecurityManager, method postInvoke.
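/**
 * Restores the caller's {@code SecurityContext} after a run-as invocation.
 * <p>
 * Used by the Message Driven Bean container to undo the run-as identity that
 * {@code preSetRunAsIdentity} installed: the context saved on the invocation
 * ({@code getOldSecurityContext()}) is put back as the thread's current context.
 * Nothing is done when this manager has no run-as identity or when pre-invoke was
 * never completed for {@code inv}, so an unrelated caller context is not clobbered
 * by a restore that has nothing to restore.
 *
 * @param inv the component invocation whose saved security context is restored
 */
public void postInvoke(ComponentInvocation inv) {
    if (runAs == null || !inv.isPreInvokeDone()) {
        return;
    }
    final ComponentInvocation finishedInvocation = inv;
    // Typed PrivilegedAction instead of the raw type: no unchecked warning, no Object return.
    AppservAccessController.doPrivileged(new PrivilegedAction<Void>() {
        @Override
        public Void run() {
            SecurityContext.setCurrent((SecurityContext) finishedInvocation.getOldSecurityContext());
            return null;
        }
    });
}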
Use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
Class WebSecurityManager, method getSecurityContext.
/**
 * Resolves the {@code SecurityContext} to use for authorization from a request principal.
 * <p>
 * A {@link WebPrincipal} carries its own context. Any other principal type is not
 * inspected at all: the context currently bound to the calling thread is used instead.
 * When neither route yields a context, the default context is returned, so the result
 * is never {@code null}.
 *
 * @param principal the request's user principal, expected to be a {@code WebPrincipal}; may be {@code null}
 * @return the resolved context, never {@code null}
 */
private SecurityContext getSecurityContext(Principal principal) {
    SecurityContext resolved;
    if (principal instanceof WebPrincipal) {
        resolved = ((WebPrincipal) principal).getSecurityContext();
    } else if (principal != null) {
        // Not a WebPrincipal: the principal itself is ignored, the thread-bound context decides.
        resolved = SecurityContext.getCurrent();
    } else {
        resolved = null;
    }
    return resolved != null ? resolved : SecurityContext.getDefaultSecurityContext();
}
Use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
Class WebSecurityManager, method hasResourcePermission.
/**
 * Performs the web-resource access check for the given {@code HttpServletRequest}.
 * <p>
 * The caller's {@code SecurityContext} is derived from the request's user principal and a
 * {@code WebResourcePermission} is built from the request; the decision is the result of
 * {@code checkPermission} against that context's principal set. Side effects: the request's
 * security info is recorded via {@code setSecurityInfo}, the resolved context is bound to the
 * current thread, and the outcome is passed to {@code recordWebInvocation}.
 *
 * @param httpsr the request being authorized
 * @return {@code true} if access to the resource is granted, {@code false} if denied
 */
public boolean hasResourcePermission(HttpServletRequest httpsr) {
    final SecurityContext callerContext = getSecurityContext(httpsr.getUserPrincipal());
    final WebResourcePermission resourcePermission = createWebResourcePermission(httpsr);
    setSecurityInfo(httpsr);
    final boolean granted = checkPermission(resourcePermission, callerContext.getPrincipalSet());
    // Bind the context used for the decision to this thread before returning.
    SecurityContext.setCurrent(callerContext);
    if (logger.isLoggable(Level.FINE)) {
        logger.log(Level.FINE, "[Web-Security] hasResource isGranted: {0}", granted);
        logger.log(Level.FINE, "[Web-Security] hasResource perm: {0}", resourcePermission);
    }
    recordWebInvocation(httpsr, RESOURCE, granted);
    return granted;
}
Use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
Class RealmAdapter, method validate.
/**
 * Runs JASPIC request validation for the given request/response pair and, when the
 * ServerAuthModule (SAM) establishes a caller, binds a new {@code SecurityContext} to the
 * current thread and sets the caller principal / auth type on the request.
 *
 * @param request the Catalina request; its user principal and auth type are updated here
 * @param response the Catalina response; an error status is written when validation throws
 * @param config the web application's login configuration, used to derive the auth type
 * @param authenticator the Catalina authenticator used to register a session when the SAM asks for one
 * @param calledFromAuthenticate {@code true} when invoked via {@code HttpServletRequest.authenticate};
 *        marks the message as mandatory even for permitAll resources so a challenge is produced
 * @return {@code true} when the SAM returned SUCCESS and either a non-default caller was
 *         established or authentication was not mandatory; {@code false} otherwise
 * @throws IOException if committing the error response fails
 */
private boolean validate(HttpRequest request, HttpResponse response, LoginConfig config, Authenticator authenticator, boolean calledFromAuthenticate) throws IOException {
    HttpServletRequest servletRequest = (HttpServletRequest) request.getRequest();
    HttpServletResponse servletResponse = (HttpServletResponse) response.getResponse();
    // Starts empty; the SAM is expected to populate it with the caller's principals on SUCCESS.
    Subject subject = new Subject();
    MessageInfo messageInfo = new HttpMessageInfo(servletRequest, servletResponse);
    boolean isValidateSuccess = false;
    // Defaults to mandatory; only a successful permitAll() lookup can relax it.
    boolean isMandatory = true;
    try {
        isMandatory = !getWebSecurityManager(true).permitAll(servletRequest);
        // Issue - 9578 - produce user challenge if call originates from HttpServletRequest.authenticate
        if (isMandatory || calledFromAuthenticate) {
            setMandatory(messageInfo);
        }
        ServerAuthContext authContext = getServerAuthContext(messageInfo);
        // Call the JASPIC ServerAuthContext which should eventually call the ServerAuthModule (SAM)
        // Notice a null is passed in as the service subject
        // Additionally notice we only care about SUCCESS being returned or not and ignore
        // all other JASPIC AuthStatus values.
        isValidateSuccess = SUCCESS.equals(authContext.validateRequest(messageInfo, subject, null));
        if (isValidateSuccess) {
            // store it only if validateRequest = true
            storeInRequest(servletRequest, messageInfo, authContext);
        }
    } catch (AuthException ae) {
        // NOTE(review): this path only sets the status, whereas the RuntimeException path below
        // commits an error via sendError — confirm the asymmetry is intended.
        logger.log(WARNING, "JMAC: http msg authentication fail", ae);
        servletResponse.setStatus(SC_INTERNAL_SERVER_ERROR);
    } catch (RuntimeException e) {
        logger.log(WARNING, "JMAC: Exception during validateRequest", e);
        servletResponse.sendError(SC_INTERNAL_SERVER_ERROR);
    }
    if (isValidateSuccess) {
        Set<Principal> principalSet = subject.getPrincipals();
        // Must be at least one new principal to establish non-default security context
        // (hasNewPrincipal is a sibling helper; presumably it filters out the default/anonymous principal.)
        if (hasNewPrincipal(principalSet)) {
            SecurityContext securityContext = new SecurityContext(subject);
            // Assuming no null principal here
            Principal callerPrincipal = securityContext.getCallerPrincipal();
            WebPrincipal webPrincipal = new WebPrincipal(callerPrincipal, securityContext);
            // TODO: check Java SE SecurityManager access
            // Bind the caller's context to this thread; later authorization checks read it from here.
            SecurityContext.setCurrent(securityContext);
            try {
                String authType = getAuthType(messageInfo, config);
                if (shouldRegisterSession(messageInfo)) {
                    new AuthenticatorProxy(authenticator, webPrincipal, authType).authenticate(request, response, config);
                } else {
                    request.setAuthType(authType == null ? PROXY_AUTH_TYPE : authType);
                    request.setUserPrincipal(webPrincipal);
                }
            } catch (LifecycleException le) {
                // NOTE(review): isValidateSuccess stays true when session registration fails; the
                // failure is only logged — confirm this is the intended outcome.
                logger.log(SEVERE, "[Web-Security] unable to register session", le);
            }
        } else {
            // GLASSFISH-20930. Set null for the case when SAM does not indicate that it needs the session
            if (hasRequestPrincipal(messageInfo)) {
                request.setUserPrincipal(null);
                request.setAuthType(null);
            }
            // If authentication is mandatory, we must have a non-anonymous principal
            if (isMandatory) {
                isValidateSuccess = false;
            }
        }
        if (isValidateSuccess) {
            // Check if the SAM instructed us to wrap the request and response
            // Identity comparison: a SAM that wrapped the message returns a different object than the one passed in.
            HttpServletRequest wrappedServletRequest = (HttpServletRequest) messageInfo.getRequestMessage();
            if (wrappedServletRequest != servletRequest) {
                request.setNote(WRAPPED_REQUEST, new HttpRequestWrapper(request, wrappedServletRequest));
            }
            HttpServletResponse wrappedServletResponse = (HttpServletResponse) messageInfo.getResponseMessage();
            if (wrappedServletResponse != servletResponse) {
                request.setNote(WRAPPED_RESPONSE, new HttpResponseWrapper(response, wrappedServletResponse));
            }
        }
    }
    return isValidateSuccess;
}
Use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
Class RealmAdapter, method getSecurityContextForPrincipal.
// Moved from J2EEInstanceListener.java
/**
 * Maps a request principal to a {@code SecurityContext}.
 * <p>
 * A {@link WebPrincipal} already carries its context, which is returned as-is. For any other
 * principal a fresh context is fabricated under a privileged action: it wraps a {@code Subject}
 * that contains only {@code p} itself, so no additional principals (groups, roles) are present
 * in the result. A {@code null} principal yields {@code null}.
 *
 * @param p the principal to map; may be {@code null}
 * @return the principal's context, a newly built one, or {@code null} when {@code p} is {@code null}
 */
private SecurityContext getSecurityContextForPrincipal(final Principal p) {
    if (p == null) {
        return null;
    }
    if (p instanceof WebPrincipal) {
        return ((WebPrincipal) p).getSecurityContext();
    }
    PrivilegedAction<SecurityContext> buildContext = new PrivilegedAction<SecurityContext>() {
        @Override
        public SecurityContext run() {
            Subject subject = new Subject();
            subject.getPrincipals().add(p);
            return new SecurityContext(p.getName(), subject);
        }
    };
    return AccessController.doPrivileged(buildContext);
}