use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
the class InvocationContext method readObject.
/**
 * Restores this handle from its custom serialized form.
 *
 * <p>The stream is consumed in a fixed order: the transaction flag, three strings (component
 * id, application name, module name), the principal name, the default-security-context flag
 * and finally the {@link Subject}. The reads below must stay in that order.
 *
 * <p>Security note: the principal name and the {@link Subject} used to build the restored
 * {@code SecurityContext} are taken directly from the stream, and this method performs no
 * validation of them. The restored identity is therefore only as trustworthy as the source of
 * the serialized bytes.
 * NOTE(review): confirm that serialized handles are only read back from storage the server
 * itself controls, and whether a deserialization filter is applied to the stream.
 *
 * @param in stream positioned at this object's serialized data
 * @throws IOException if reading from the stream fails
 * @throws ClassNotFoundException if the class of a serialized object cannot be found
 */
private void readObject(java.io.ObjectInputStream in) throws IOException, ClassNotFoundException {
    useTransactionOfExecutionThread = in.readBoolean();

    // Invocation: rebuilt from three identifying strings read from the stream.
    final String storedComponentId = (String) in.readObject();
    final String storedAppName = (String) in.readObject();
    final String storedModuleName = (String) in.readObject();
    invocation = createComponentInvocation(storedComponentId, storedAppName, storedModuleName);

    // Security context: all three values are always read so the stream position stays correct,
    // but a context is only assigned when a principal name was stored.
    final String storedPrincipal = (String) in.readObject();
    final boolean wasDefaultContext = in.readBoolean();
    final Subject storedSubject = (Subject) in.readObject();
    if (storedPrincipal != null) {
        // In the non-default case the identity comes entirely from stream contents.
        securityContext = wasDefaultContext
                ? SecurityContext.getDefaultSecurityContext()
                : new SecurityContext(storedPrincipal, storedSubject, null);
    }

    // Context class loader: looked up by application name in the registry; the field is left
    // unassigned when no name was stored or the registry has no entry for it.
    final ApplicationRegistry registry = ConcurrentRuntime.getRuntime().getApplicationRegistry();
    final ApplicationInfo registeredApp = (storedAppName == null) ? null : registry.get(storedAppName);
    if (registeredApp != null) {
        contextClassLoader = registeredApp.getAppClassLoader();
    }
}
use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
the class ContextSetupProviderImpl method setup.
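/**
 * Installs the context captured in {@code contextHandle} on the current thread and returns a
 * handle holding the values that were replaced.
 *
 * <p>Steps, in order: resolve the submitting application's name, refuse to continue if that
 * application is not enabled, switch the context class loader, switch the security context,
 * run {@code preInvoke} for the invocation (unless the handle asks to use the transaction of
 * the execution thread), clear any thread transaction, start a tracing span and register the
 * thread with the stuck-threads service when those services are present.
 *
 * <p>Security note: the security context placed on the thread is whatever the handle carries;
 * it is not re-validated here.
 * NOTE(review): if {@code preInvoke} or a later step throws, the class loader and security
 * context set earlier in this method stay on the thread unless the caller restores them.
 * Confirm the caller resets the thread on failure.
 *
 * @param contextHandle handle produced when the task was submitted; expected to be an
 *        {@code InvocationContext}
 * @return a new {@code InvocationContext} carrying the invocation, the value returned by
 *         {@code Utility.setContextClassLoader} and the security context that was current
 *         before the switch; {@code null} if {@code contextHandle} is not an
 *         {@code InvocationContext}
 * @throws IllegalStateException if the resolved application is not enabled
 */
@Override
public ContextHandle setup(ContextHandle contextHandle) throws IllegalStateException {
    if (!(contextHandle instanceof InvocationContext)) {
        logger.log(Level.SEVERE, LogFacade.UNKNOWN_CONTEXT_HANDLE);
        return null;
    }
    InvocationContext handle = (InvocationContext) contextHandle;
    ComponentInvocation invocation = handle.getInvocation();

    String appName = null;
    ClassLoader backupClassLoader = null;
    if (invocation != null) {
        appName = invocation.getRegistrationName();
        if (appName == null && invocation.getJNDIEnvironment() != null) {
            // The component-id lookup below already treats a null result from
            // getApplicationFromEnv as possible; guard here too instead of dereferencing it.
            com.sun.enterprise.deployment.Application envApp =
                    DOLUtils.getApplicationFromEnv((JndiNameEnvironment) invocation.getJNDIEnvironment());
            if (envApp != null) {
                appName = envApp.getRegistrationName();
            }
        }
        if (appName == null && invocation.getComponentId() != null && compEnvMgr != null) {
            // Last resort: try to get the environment from the component ID.
            JndiNameEnvironment currJndiEnv = compEnvMgr.getJndiNameEnvironment(invocation.getComponentId());
            if (currJndiEnv != null) {
                com.sun.enterprise.deployment.Application appInfo = DOLUtils.getApplicationFromEnv(currJndiEnv);
                if (appInfo != null) {
                    appName = appInfo.getRegistrationName();
                    // Cache the JNDI environment on the invocation.
                    invocation.setJNDIEnvironment(currJndiEnv);
                    backupClassLoader = appInfo.getClassLoader();
                }
            }
        }
    }

    // Check whether the application component submitting the task is still running.
    // appName == null in case of the server context, which is let through.
    if (appName != null && !isApplicationEnabled(appName)) {
        throw new IllegalStateException("Module " + appName + " is disabled");
    }

    // From here on the thread's state is changed; the values being replaced are kept so they
    // can be handed back in the returned handle.
    ClassLoader resetClassLoader = null;
    SecurityContext resetSecurityContext = null;
    if (handle.getContextClassLoader() != null) {
        resetClassLoader = Utility.setContextClassLoader(handle.getContextClassLoader());
    } else if (backupClassLoader != null) {
        resetClassLoader = Utility.setContextClassLoader(backupClassLoader);
    }
    if (handle.getSecurityContext() != null) {
        resetSecurityContext = SecurityContext.getCurrent();
        SecurityContext.setCurrent(handle.getSecurityContext());
    }

    if (invocation != null && !handle.isUseTransactionOfExecutionThread()) {
        // Each invocation needs a ResourceTableKey that returns a unique hashCode for TransactionManager
        invocation.setResourceTableKey(new PairKey(invocation.getInstance(), Thread.currentThread()));
        invocationManager.preInvoke(invocation);
    }

    // Ensure that there is no existing transaction in the current thread
    if (transactionManager != null) {
        transactionManager.clearThreadTx();
    }
    if (requestTracing != null && requestTracing.isRequestTracingEnabled()) {
        startConcurrentContextSpan(invocation, handle);
    }
    if (stuckThreads != null) {
        stuckThreads.registerThread(Thread.currentThread().getId());
    }
    return new InvocationContext(invocation, resetClassLoader, resetSecurityContext, handle.isUseTransactionOfExecutionThread());
}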
use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
the class WebServiceSecurity method secureResponse.
/**
 * Passes an outgoing SOAP response to the server auth context for securing, then disposes of
 * the subject.
 *
 * <p>The subject comes from the current {@code SecurityContext}. It may differ from the
 * caller's subject when a run-as identity is in effect, which is why session state travels in
 * {@code sharedState} rather than in the subject.
 *
 * <p>NOTE(review): the result of {@code SecurityContext.getCurrent()} is dereferenced without
 * a null check, whereas {@code secureRequest} in this class guards for null. Confirm that
 * {@code getCurrent()} cannot return null on this path.
 *
 * @param response the SOAP response message to secure
 * @param sharedState state shared with the auth context across request and response
 * @param sAC the server auth context that secures the response
 * @throws AuthException if the auth context fails to secure the response
 */
private static void secureResponse(SOAPMessage response, HashMap sharedState, ServerAuthContext sAC) throws AuthException {
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Container Auth: ServerAuthContext.secureResponse");
    }

    final Subject currentSubject = SecurityContext.getCurrent().getSubject();
    final SOAPAuthParam responseParam = new SOAPAuthParam(null, response);
    try {
        sAC.secureResponse(responseParam, currentSubject, sharedState);
    } finally {
        // Disposal runs whether or not securing the response succeeded.
        sAC.disposeSubject(currentSubject, sharedState);
    }
}
use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
the class WebServiceSecurity method secureRequest.
/**
 * Passes an outgoing SOAP request to the client auth context for securing.
 *
 * <p>The subject given to the auth context is chosen as follows: for an application client,
 * the subject of the current {@code ClientSecurityContext} if there is one; otherwise the
 * subject of the current {@code SecurityContext}, but only when the server did not generate
 * its credentials. In every other case a fresh, empty {@link Subject} is used.
 *
 * @param request the SOAP request message to secure
 * @param sharedState state shared with the auth context across request and response
 * @param cAC the client auth context that secures the request
 * @param isAppClient {@code true} when running in an application client
 * @throws AuthException if the auth context fails to secure the request
 */
private static void secureRequest(SOAPMessage request, HashMap sharedState, ClientAuthContext cAC, boolean isAppClient) throws AuthException {
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Container Auth: ClientAuthContext.secureRequest");
    }

    final SOAPAuthParam requestParam = new SOAPAuthParam(request, null);

    Subject callerSubject = null;
    if (isAppClient) {
        final ClientSecurityContext clientContext = ClientSecurityContext.getCurrent();
        callerSubject = (clientContext == null) ? null : clientContext.getSubject();
    } else {
        final SecurityContext serverContext = SecurityContext.getCurrent();
        // Never hand the default unauthenticated subject to the auth module: that subject is
        // an important constant, and a module must not be able to change it.
        final boolean callerSupplied = serverContext != null && !serverContext.didServerGenerateCredentials();
        if (callerSupplied) {
            callerSubject = serverContext.getSubject();
        }
    }

    // A throwaway subject stands in when no usable caller subject was found.
    final Subject subjectForModule = (callerSubject != null) ? callerSubject : new Subject();
    cAC.secureRequest(requestParam, subjectForModule, sharedState);
}
use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
the class WebProgrammaticLoginImpl method login.
/**
 * Performs a programmatic login for a servlet caller and records the resulting principal on
 * the current request and, when one already exists, on the session.
 *
 * <p>
 * Due to a number of bugs in RI the security context is not shared between the web container
 * and the EJB container. For an identity established by programmatic login to be known to both
 * containers, it has to be set not only in the security context but also in the current
 * request and, if applicable, the session object. If a session does not exist this method
 * does not create one.
 *
 * <p>
 * See bugs 4646134, 4688449 and other referenced bugs for more background.
 *
 * <p>
 * Note also that this login does not hook up into SSO.
 *
 * <p>
 * Security notes for reviewers:
 * <ul>
 * <li>No failure branch follows the bridge login call, so a failed login is presumably
 * signalled by an exception from that call and not by a {@code false} return value. Confirm
 * against {@code WebAndEjbToJaasBridge.login}.</li>
 * <li>The password array is passed to the {@code WebPrincipal}, which is then stored on the
 * request and the session. Whether the principal copies or retains the array is not visible
 * here. Confirm how long the password stays reachable.</li>
 * <li>No session identifier change is visible in this method after authentication. Confirm
 * that the container or the caller rotates it.</li>
 * <li>The user name is concatenated into a FINE-level log message as supplied. Confirm that
 * the log sink neutralises line breaks.</li>
 * </ul>
 *
 * @param user user name to log in
 * @param password the user's password
 * @param realm name of the realm to authenticate against; if null, authentication takes place
 *        in the default realm
 * @param request HTTP request object provided by the caller application; it should be an
 *        instance of HttpRequestFacade
 * @param response HTTP response object provided by the caller application; it should be an
 *        instance of HttpServletResponse. Currently unused.
 * @return {@code false} if the underlying request object cannot be obtained; {@code true} once
 *         the principal has been set on the request
 * @see com.sun.enterprise.security.ee.auth.login.ProgrammaticLogin
 */
@Override
public Boolean login(String user, char[] password, String realm, HttpServletRequest request, HttpServletResponse response) {
    // The real request object is needed, not the facade handed to applications.
    final Request coyoteRequest = getUnwrappedCoyoteRequest(request);
    if (coyoteRequest == null) {
        return false;
    }

    // On success this sets up the security context that is read back just below.
    WebAndEjbToJaasBridge.login(user, password, realm);

    // Store a WebPrincipal on the request so that programmatic authorization later in this
    // same request works as expected.
    final SecurityContext activeContext = SecurityContext.getCurrent();
    final WebPrincipal webPrincipal = new WebPrincipal(user, password, activeContext);
    coyoteRequest.setUserPrincipal(webPrincipal);
    coyoteRequest.setAuthType(WEBAUTH_PROGRAMMATIC);
    if (logger.isLoggable(FINE)) {
        logger.log(FINE, "Programmatic login set principal in http request to: " + user);
    }

    // If a session object (not the facade) already exists, store the principal there too, so
    // that web container authorization works in subsequent requests of this session.
    final Session existingSession = getSession(coyoteRequest);
    if (existingSession == null) {
        logger.fine("Programmatic login: No session available.");
        return true;
    }
    existingSession.setPrincipal(webPrincipal);
    existingSession.setAuthType(WEBAUTH_PROGRAMMATIC);
    logger.fine("Programmatic login set principal in session.");
    return true;
}