Examples with SecurityContext com.sun.enterprise.security.SecurityContext used on opensource projects

Example 6 with SecurityContext

use of com.sun.enterprise.security.SecurityContext in project Payara by payara.

the class LoginContextDriver method setSecurityContext.

/**
 * This method sets the security context on the current Thread Local
 * Storage
 * @param String username is the user who authenticated
 * @param Subject is the subject representation of the user
 * @param Credentials the credentials that the server associated with it
 */
private static void setSecurityContext(String userName, Subject subject, String realm) {
    SecurityContext securityContext = new SecurityContext(userName, subject, realm);
    SecurityContext.setCurrent(securityContext);
}

Example 7 with SecurityContext

use of com.sun.enterprise.security.SecurityContext in project Payara by payara.

the class CertificateRealm method authenticate.

/**
 * Returns name of JAAS context used by this realm. Overrides default
 * Realm behavior of this method. The certificate realm does not
 * require (or support) a LoginModule. This method should never get
 * called unless there is a configuration error, so this overloading
 * is provided to log an error message.  See class documentation.
 *
 * @return null
 */
/*public String getJAASContext()
    {
    _logger.warning("certrealm.nojaas");
    return null;
    }*/
/**
 * Complete authentication of certificate user.
 *
 * <P>As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This method
 * simply sets up the security context for the user in order to
 * properly complete the authentication processing.
 *
 * <P>If any groups have been assigned to cert-authenticated users
 * through the assign-groups property these groups are added to
 * the security context for the current user.
 *
 * @param subject The Subject object for the authentication request.
 * @param x500name The X500Name object from the user certificate.
 *
 *    public void authenticate(Subject subject, X500Name x500name)
 *    {
 *        // It is important to use x500name.getName() in order to be
 *        // consistent with web containers view of the name - see bug
 *        // 4646134 for reasons why this matters.
 *
 *        String name = x500name.getName();
 *
 *        if (_logger.isLoggable(Level.FINEST)) {
 *            _logger.finest(
 *                "Certificate realm setting up security context for: "+ name);
 *        }
 *
 *        if (defaultGroups != null) {
 *	    Set principalSet = subject.getPrincipals();
 *	    Enumeration e = defaultGroups.elements();
 *	    while (e.hasMoreElements()) {
 *		principalSet.add(new Group((String) e.nextElement()));
 *	    }
 *	}
 *
 *        SecurityContext securityContext =
 *	    new SecurityContext(name, subject);
 *
 *	SecurityContext.setCurrent(securityContext);
 *    }
 */
/**
 * Complete authentication of certificate user.
 *
 * <P>As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This method
 * simply sets up the security context for the user in order to
 * properly complete the authentication processing.
 *
 * <P>If any groups have been assigned to cert-authenticated users
 * through the assign-groups property these groups are added to
 * the security context for the current user.
 *
 * @param subject The Subject object for the authentication request.
 * @param x500name The X500Name object from the user certificate.
 */
public void authenticate(Subject subject, X500Name x500name) {
    // It is important to use x500name.getName() in order to be
    // consistent with web containers view of the name - see bug
    // 4646134 for reasons why this matters.
    String name = x500name.getName();
    if (_logger.isLoggable(Level.FINEST)) {
        _logger.finest("Certificate realm setting up security context for: " + name);
    }
    if (defaultGroups != null) {
        Set<Principal> principalSet = subject.getPrincipals();
        Enumeration<String> e = defaultGroups.elements();
        while (e.hasMoreElements()) {
            principalSet.add(new Group(e.nextElement()));
        }
    }
    if (!subject.getPrincipals().isEmpty()) {
        DistinguishedPrincipalCredential dpc = new DistinguishedPrincipalCredential(x500name);
        subject.getPublicCredentials().add(dpc);
    }
    SecurityContext securityContext = new SecurityContext(name, subject);
    SecurityContext.setCurrent(securityContext);
/*AppServSecurityContext secContext = Util.getDefaultHabitat().getByContract(AppServSecurityContext.class);
        AppServSecurityContext securityContext = secContext.newInstance(name, subject);
        securityContext.setCurrentSecurityContext(securityContext);*/
}

Example 8 with SecurityContext

use of com.sun.enterprise.security.SecurityContext in project Payara by payara.

the class BaseContainerCallbackHandler method reuseWebPrincipal.

/**
 * This method will distinguish the initiator principal (of the SecurityContext obtained from the
 * WebPrincipal) as the caller principal, and copy all the other principals into the subject....
 *
 * It is assumed that the input WebPrincipal is coming from a SAM, and that it was created either by
 * the SAM (as described below) or by calls to the JaspicToJaasBridge made by an Authenticator.
 *
 * A WebPrincipal constructed by the RealmAdapter will include a DPC; other constructions may not;
 * this method interprets the absence of a DPC as evidence that the resulting WebPrincipal was not
 * constructed by the RealmAdapter as described below. Note that presence of a DPC does not
 * necessarily mean that the resulting WebPrincipal was constructed by the RealmAdapter... since
 * some authenticators also add the credential).
 *
 * A. handling of CPCB by CBH:
 *
 * 1. handling of CPC by CBH modifies subject a. constructs principalImpl if called by name b. uses
 * JaspicToJaasBridge to add group principals for name c. puts principal in principal set, and DPC
 * in public credentials
 *
 * B. construction of WebPrincipal by RealmAdapter (occurs after SAM uses CBH to set other than an
 * unauthenticated result in the subject:
 *
 * a. SecurityContext construction done with subject (returned by SAM). Construction sets
 * initiator/caller principal within SC from DPC set by CBH in public credentials of subject
 *
 * b WebPrincipal is constructed with initiator principal and SecurityContext
 *
 * @param fs receiving Subject
 * @param wp WebPrincipal
 *
 * @return true when Security Context has been obtained from webPrincipal, and CB is finished.
 * returns false when more CB processing is required.
 */
private boolean reuseWebPrincipal(final Subject fs, final WebPrincipal wp) {
    SecurityContext sc = wp.getSecurityContext();
    final Subject wps = sc != null ? sc.getSubject() : null;
    final Principal callerPrincipal = sc != null ? sc.getCallerPrincipal() : null;
    final Principal defaultPrincipal = SecurityContext.getDefaultCallerPrincipal();
    return ((Boolean) AppservAccessController.doPrivileged(new PrivilegedAction() {

        /**
         * this method uses 4 (numbered) criteria to determine if the argument WebPrincipal can be reused
         */
        @Override
        public Boolean run() {
            /*
                 * 1. WebPrincipal must contain a SecurityContext and SC must have a non-null, non-default
                 * callerPrincipal and a Subject
                 */
            if (callerPrincipal == null || callerPrincipal.equals(defaultPrincipal) || wps == null) {
                return Boolean.FALSE;
            }
            boolean hasObject = false;
            Set<DistinguishedPrincipalCredential> distinguishedCreds = wps.getPublicCredentials(DistinguishedPrincipalCredential.class);
            if (distinguishedCreds.size() == 1) {
                for (DistinguishedPrincipalCredential cred : distinguishedCreds) {
                    if (cred.getPrincipal().equals(callerPrincipal)) {
                        hasObject = true;
                    }
                }
            }
            /**
             * 2. Subject within SecurityContext must contain a single DPC that identifies the Caller Principal
             */
            if (!hasObject) {
                return Boolean.FALSE;
            }
            hasObject = wps.getPrincipals().contains(callerPrincipal);
            /**
             * 3. Subject within SecurityContext must contain the caller principal
             */
            if (!hasObject) {
                return Boolean.FALSE;
            }
            /**
             * 4. The webPrincipal must have a non null name that equals the name of the callerPrincipal.
             */
            if (wp.getName() == null || !wp.getName().equals(callerPrincipal.getName())) {
                return Boolean.FALSE;
            }
            /*
                 * remove any existing DistinguishedPrincipalCredentials from receiving Subject
                 *
                 */
            Iterator iter = fs.getPublicCredentials().iterator();
            while (iter.hasNext()) {
                Object obj = iter.next();
                if (obj instanceof DistinguishedPrincipalCredential) {
                    iter.remove();
                }
            }
            for (Principal p : wps.getPrincipals()) {
                fs.getPrincipals().add(p);
            }
            /**
             * Copy public credentials from Subject within SecurityContext to receiving Subject
             */
            for (Object publicCred : wps.getPublicCredentials()) {
                fs.getPublicCredentials().add(publicCred);
            }
            /**
             * Copy private credentials from Subject within SecurityContext to receiving Subject
             */
            for (Object privateCred : wps.getPrivateCredentials()) {
                fs.getPrivateCredentials().add(privateCred);
            }
            return Boolean.TRUE;
        }
    })).booleanValue();
}

Example 9 with SecurityContext

use of com.sun.enterprise.security.SecurityContext in project Payara by payara.

the class BaseContainerCallbackHandler method processCallerPrincipal.

private void processCallerPrincipal(CallerPrincipalCallback callerPrincipalCallback) {
    Subject subject = callerPrincipalCallback.getSubject();
    Principal principal = callerPrincipalCallback.getPrincipal();
    // the same custom principal within it
    if (principal != null && !(principal instanceof WebPrincipal)) {
        Principal additional = SecurityContext.getCurrent().getAdditionalPrincipal();
        if ((additional != null) && (additional instanceof WebPrincipal) && ((WebPrincipal) additional).getCustomPrincipal() == principal) {
            principal = additional;
        }
    }
    if (principal instanceof WebPrincipal) {
        WebPrincipal webPrincipal = (WebPrincipal) principal;
        /**
         * Check if the WebPrincipal satisfies the criteria for reuse. If it does, the CBH will have already
         * copied its contents into the Subject, and established the caller principal.
         */
        if (reuseWebPrincipal(subject, webPrincipal)) {
            return;
        }
        /**
         * Otherwise the webPrincipal must be distinguished as the callerPrincipal, but the contents of its
         * internal SecurityContext will not be copied. For the special case where the WebPrincipal
         * represents the defaultCallerPrincipal, the argument principal is set to null to cause the handler
         * to assign its representation of the unauthenticated caller in the Subject.
         */
        Principal defaultCallerPrincipal = SecurityContext.getDefaultCallerPrincipal();
        SecurityContext securityContext = webPrincipal.getSecurityContext();
        Principal callerPrincipal = securityContext != null ? securityContext.getCallerPrincipal() : null;
        if (webPrincipal.getName() == null || webPrincipal.equals(defaultCallerPrincipal) || callerPrincipal == null || callerPrincipal.equals(defaultCallerPrincipal)) {
            principal = null;
        }
    }
    String realmName = null;
    if (handlerContext != null) {
        realmName = handlerContext.getRealmName();
    }
    boolean isCertRealm = CertificateRealm.AUTH_TYPE.equals(realmName);
    if (principal == null) {
        if (callerPrincipalCallback.getName() != null) {
            if (isCertRealm) {
                principal = new X500Principal(callerPrincipalCallback.getName());
            } else {
                principal = new PrincipalImpl(callerPrincipalCallback.getName());
            }
        } else {
            // JASPIC/196 unauthenticated caller principal
            principal = getDefaultCallerPrincipal();
        }
    }
    if (isCertRealm) {
        if (principal instanceof X500Principal) {
            JaspicToJaasBridge.jaasX500Login(subject, (X500Principal) principal);
        }
    } else {
        if (!principal.equals(getDefaultCallerPrincipal())) {
            JaspicToJaasBridge.addRealmGroupsToSubject(subject, principal.getName(), realmName);
        }
    }
    final Principal finalPrincipal = principal;
    DistinguishedPrincipalCredential distinguishedPrincipalCredential = new DistinguishedPrincipalCredential(principal);
    privileged(() -> {
        subject.getPrincipals().add(finalPrincipal);
        Iterator<Object> publicCredentials = subject.getPublicCredentials().iterator();
        while (publicCredentials.hasNext()) {
            if (publicCredentials.next() instanceof DistinguishedPrincipalCredential) {
                publicCredentials.remove();
            }
        }
        subject.getPublicCredentials().add(distinguishedPrincipalCredential);
    });
}

Example 10 with SecurityContext

use of com.sun.enterprise.security.SecurityContext in project Payara by payara.

the class JaccWebAuthorizationManager method getSecurityContext.

/**
 * This is an private method for transforming principal into a SecurityContext
 *
 * @param principal expected to be a WebPrincipal
 * @return SecurityContext
 */
private SecurityContext getSecurityContext(Principal principal) {
    SecurityContext securityContext = null;
    if (principal != null) {
        if (principal instanceof WebPrincipal) {
            WebPrincipal webPrincipal = (WebPrincipal) principal;
            securityContext = webPrincipal.getSecurityContext();
        } else {
            securityContext = SecurityContext.getCurrent();
        }
    }
    if (securityContext == null) {
        securityContext = SecurityContext.getDefaultSecurityContext();
    }
    return securityContext;
}