Search in sources :

Example 1 with SecurityContext.getDefaultCallerPrincipal

use of com.sun.enterprise.security.SecurityContext.getDefaultCallerPrincipal in project Payara by payara.

the class BaseContainerCallbackHandler method reuseWebPrincipal.

/**
 * This method will distinguish the initiator principal (of the SecurityContext obtained from the
 * WebPrincipal) as the caller principal, and copy all the other principals into the subject....
 *
 * It is assumed that the input WebPrincipal is coming from a SAM, and that it was created either by
 * the SAM (as described below) or by calls to the JaspicToJaasBridge made by an Authenticator.
 *
 * A WebPrincipal constructed by the RealmAdapter will include a DPC; other constructions may not;
 * this method interprets the absence of a DPC as evidence that the resulting WebPrincipal was not
 * constructed by the RealmAdapter as described below. Note that presence of a DPC does not
 * necessarily mean that the resulting WebPrincipal was constructed by the RealmAdapter... since
 * some authenticators also add the credential).
 *
 * A. handling of CPCB by CBH:
 *
 * 1. handling of CPC by CBH modifies subject a. constructs principalImpl if called by name b. uses
 * JaspicToJaasBridge to add group principals for name c. puts principal in principal set, and DPC
 * in public credentials
 *
 * B. construction of WebPrincipal by RealmAdapter (occurs after SAM uses CBH to set other than an
 * unauthenticated result in the subject:
 *
 * a. SecurityContext construction done with subject (returned by SAM). Construction sets
 * initiator/caller principal within SC from DPC set by CBH in public credentials of subject
 *
 * b WebPrincipal is constructed with initiator principal and SecurityContext
 *
 * @param fs receiving Subject
 * @param wp WebPrincipal
 *
 * @return true when Security Context has been obtained from webPrincipal, and CB is finished.
 * returns false when more CB processing is required.
 */
private boolean reuseWebPrincipal(final Subject fs, final WebPrincipal wp) {
    SecurityContext sc = wp.getSecurityContext();
    final Subject wps = sc != null ? sc.getSubject() : null;
    final Principal callerPrincipal = sc != null ? sc.getCallerPrincipal() : null;
    final Principal defaultPrincipal = SecurityContext.getDefaultCallerPrincipal();
    return ((Boolean) AppservAccessController.doPrivileged(new PrivilegedAction() {

        /**
         * this method uses 4 (numbered) criteria to determine if the argument WebPrincipal can be reused
         */
        @Override
        public Boolean run() {
            /*
                 * 1. WebPrincipal must contain a SecurityContext and SC must have a non-null, non-default
                 * callerPrincipal and a Subject
                 */
            if (callerPrincipal == null || callerPrincipal.equals(defaultPrincipal) || wps == null) {
                return Boolean.FALSE;
            }
            boolean hasObject = false;
            Set<DistinguishedPrincipalCredential> distinguishedCreds = wps.getPublicCredentials(DistinguishedPrincipalCredential.class);
            if (distinguishedCreds.size() == 1) {
                for (DistinguishedPrincipalCredential cred : distinguishedCreds) {
                    if (cred.getPrincipal().equals(callerPrincipal)) {
                        hasObject = true;
                    }
                }
            }
            /**
             * 2. Subject within SecurityContext must contain a single DPC that identifies the Caller Principal
             */
            if (!hasObject) {
                return Boolean.FALSE;
            }
            hasObject = wps.getPrincipals().contains(callerPrincipal);
            /**
             * 3. Subject within SecurityContext must contain the caller principal
             */
            if (!hasObject) {
                return Boolean.FALSE;
            }
            /**
             * 4. The webPrincipal must have a non null name that equals the name of the callerPrincipal.
             */
            if (wp.getName() == null || !wp.getName().equals(callerPrincipal.getName())) {
                return Boolean.FALSE;
            }
            /*
                 * remove any existing DistinguishedPrincipalCredentials from receiving Subject
                 *
                 */
            Iterator iter = fs.getPublicCredentials().iterator();
            while (iter.hasNext()) {
                Object obj = iter.next();
                if (obj instanceof DistinguishedPrincipalCredential) {
                    iter.remove();
                }
            }
            for (Principal p : wps.getPrincipals()) {
                fs.getPrincipals().add(p);
            }
            /**
             * Copy public credentials from Subject within SecurityContext to receiving Subject
             */
            for (Object publicCred : wps.getPublicCredentials()) {
                fs.getPublicCredentials().add(publicCred);
            }
            /**
             * Copy private credentials from Subject within SecurityContext to receiving Subject
             */
            for (Object privateCred : wps.getPrivateCredentials()) {
                fs.getPrivateCredentials().add(privateCred);
            }
            return Boolean.TRUE;
        }
    })).booleanValue();
}
Also used : PrivilegedAction(java.security.PrivilegedAction) SecurityContext(com.sun.enterprise.security.SecurityContext) Iterator(java.util.Iterator) DistinguishedPrincipalCredential(com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential) Subject(javax.security.auth.Subject) WebPrincipal(com.sun.enterprise.security.web.integration.WebPrincipal) Principal(java.security.Principal) X500Principal(javax.security.auth.x500.X500Principal) SecurityContext.getDefaultCallerPrincipal(com.sun.enterprise.security.SecurityContext.getDefaultCallerPrincipal)

Example 2 with SecurityContext.getDefaultCallerPrincipal

use of com.sun.enterprise.security.SecurityContext.getDefaultCallerPrincipal in project Payara by payara.

the class BaseContainerCallbackHandler method processCallerPrincipal.

private void processCallerPrincipal(CallerPrincipalCallback callerPrincipalCallback) {
    Subject subject = callerPrincipalCallback.getSubject();
    Principal principal = callerPrincipalCallback.getPrincipal();
    // the same custom principal within it
    if (principal != null && !(principal instanceof WebPrincipal)) {
        Principal additional = SecurityContext.getCurrent().getAdditionalPrincipal();
        if ((additional != null) && (additional instanceof WebPrincipal) && ((WebPrincipal) additional).getCustomPrincipal() == principal) {
            principal = additional;
        }
    }
    if (principal instanceof WebPrincipal) {
        WebPrincipal webPrincipal = (WebPrincipal) principal;
        /**
         * Check if the WebPrincipal satisfies the criteria for reuse. If it does, the CBH will have already
         * copied its contents into the Subject, and established the caller principal.
         */
        if (reuseWebPrincipal(subject, webPrincipal)) {
            return;
        }
        /**
         * Otherwise the webPrincipal must be distinguished as the callerPrincipal, but the contents of its
         * internal SecurityContext will not be copied. For the special case where the WebPrincipal
         * represents the defaultCallerPrincipal, the argument principal is set to null to cause the handler
         * to assign its representation of the unauthenticated caller in the Subject.
         */
        Principal defaultCallerPrincipal = SecurityContext.getDefaultCallerPrincipal();
        SecurityContext securityContext = webPrincipal.getSecurityContext();
        Principal callerPrincipal = securityContext != null ? securityContext.getCallerPrincipal() : null;
        if (webPrincipal.getName() == null || webPrincipal.equals(defaultCallerPrincipal) || callerPrincipal == null || callerPrincipal.equals(defaultCallerPrincipal)) {
            principal = null;
        }
    }
    String realmName = null;
    if (handlerContext != null) {
        realmName = handlerContext.getRealmName();
    }
    boolean isCertRealm = CertificateRealm.AUTH_TYPE.equals(realmName);
    if (principal == null) {
        if (callerPrincipalCallback.getName() != null) {
            if (isCertRealm) {
                principal = new X500Principal(callerPrincipalCallback.getName());
            } else {
                principal = new PrincipalImpl(callerPrincipalCallback.getName());
            }
        } else {
            // JASPIC/196 unauthenticated caller principal
            principal = getDefaultCallerPrincipal();
        }
    }
    if (isCertRealm) {
        if (principal instanceof X500Principal) {
            JaspicToJaasBridge.jaasX500Login(subject, (X500Principal) principal);
        }
    } else {
        if (!principal.equals(getDefaultCallerPrincipal())) {
            JaspicToJaasBridge.addRealmGroupsToSubject(subject, principal.getName(), realmName);
        }
    }
    final Principal finalPrincipal = principal;
    DistinguishedPrincipalCredential distinguishedPrincipalCredential = new DistinguishedPrincipalCredential(principal);
    privileged(() -> {
        subject.getPrincipals().add(finalPrincipal);
        Iterator<Object> publicCredentials = subject.getPublicCredentials().iterator();
        while (publicCredentials.hasNext()) {
            if (publicCredentials.next() instanceof DistinguishedPrincipalCredential) {
                publicCredentials.remove();
            }
        }
        subject.getPublicCredentials().add(distinguishedPrincipalCredential);
    });
}
Also used : SecurityContext(com.sun.enterprise.security.SecurityContext) X500Principal(javax.security.auth.x500.X500Principal) DistinguishedPrincipalCredential(com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential) WebPrincipal(com.sun.enterprise.security.web.integration.WebPrincipal) Subject(javax.security.auth.Subject) WebPrincipal(com.sun.enterprise.security.web.integration.WebPrincipal) Principal(java.security.Principal) X500Principal(javax.security.auth.x500.X500Principal) SecurityContext.getDefaultCallerPrincipal(com.sun.enterprise.security.SecurityContext.getDefaultCallerPrincipal) PrincipalImpl(org.glassfish.security.common.PrincipalImpl)

Aggregations

SecurityContext (com.sun.enterprise.security.SecurityContext)2 SecurityContext.getDefaultCallerPrincipal (com.sun.enterprise.security.SecurityContext.getDefaultCallerPrincipal)2 DistinguishedPrincipalCredential (com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential)2 WebPrincipal (com.sun.enterprise.security.web.integration.WebPrincipal)2 Principal (java.security.Principal)2 Subject (javax.security.auth.Subject)2 X500Principal (javax.security.auth.x500.X500Principal)2 PrivilegedAction (java.security.PrivilegedAction)1 Iterator (java.util.Iterator)1 PrincipalImpl (org.glassfish.security.common.PrincipalImpl)1