use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
the class RealmAdapter method preSetRunAsIdentity.
/**
* Set the run-as principal into the SecurityContext when needed.
*
* <P>
* This method will attempt to obtain the name of the servlet from the ComponentInvocation. Note that there may not be
* one since this gets called also during internal processing (not clear..) not just part of servlet requests. However,
* if it is not a servlet request there is no need (or possibility) to have a run-as setting so no further action is
* taken.
*
* <P>
* If the servlet name is present the runAsPrincipals cache is checked to find the run-as principal to use (if any). If
* one is set, the SecurityContext is switched to this principal.
*
* <p>
* See IASRI 4747594
*
* @param inv The invocation object to process.
*/
public void preSetRunAsIdentity(ComponentInvocation inv) {
if (runAsPrincipals != null && runAsPrincipals.isEmpty()) {
return;
}
String servletName = this.getServletName(inv);
if (servletName == null) {
return;
}
String runAs = runAsPrincipals.get(servletName);
if (runAs != null) {
// The existing SecurityContext is saved - however, this seems
// meaningless - see bug 4757733. For now, keep it unchanged
// in case there are some dependencies elsewhere in RI.
SecurityContext old = getSecurityContext();
inv.setOldSecurityContext(old);
// Set the run-as principal into SecurityContext
loginForRunAs(runAs);
LOG.fine(() -> "run-as principal for " + servletName + " set to: " + runAs);
}
}
use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
the class JaspicRealm method handleSamAuthenticated.
private void handleSamAuthenticated(Subject subject, MessageInfo messageInfo, HttpRequest request, HttpResponse response, LoginConfig config, Authenticator authenticator) throws IOException {
SecurityContext securityContext = new SecurityContext(subject);
// Assuming no null principal here
WebPrincipal webPrincipal = new WebPrincipal(securityContext.getCallerPrincipal(), securityContext);
// TODO: check Java SE SecurityManager access
SecurityContext.setCurrent(securityContext);
try {
String authType = getAuthType(messageInfo, config);
if (shouldRegisterSession(messageInfo)) {
// Besides authenticating, the SAM has indicated that the new principal should
// be stored in a session. This means that when the SAM is called again in a next request
// it can opt to continue this session.
new AuthenticatorProxy(authenticator, webPrincipal, authType).authenticate(request, response, config);
} else {
request.setAuthType(authType == null ? AuthenticatorProxy.PROXY_AUTH_TYPE : authType);
request.setUserPrincipal(webPrincipal);
}
} catch (LifecycleException le) {
logger.log(SEVERE, "[Web-Security] unable to register session", le);
}
}
use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
the class ConnectionManagerImpl method allocateConnection.
public Object allocateConnection(ManagedConnectionFactory mcf, ConnectionRequestInfo cxRequestInfo, String jndiNameToUse, Object conn) throws ResourceException {
validateResourceAndPool();
PoolManager poolmgr = ConnectorRuntime.getRuntime().getPoolManager();
boolean resourceShareable = true;
ResourceReferenceDescriptor ref = poolmgr.getResourceReference(jndiNameToUse, logicalName);
if (ref != null) {
String shareableStr = ref.getSharingScope();
if (shareableStr.equals(ref.RESOURCE_UNSHAREABLE)) {
resourceShareable = false;
}
}
// TODO V3 refactor all the 3 cases viz, no res-ref, app-auth, cont-auth.
if (ref == null) {
if (getLogger().isLoggable(Level.FINE)) {
getLogger().log(Level.FINE, "poolmgr.no_resource_reference", jndiNameToUse);
}
return internalGetConnection(mcf, defaultPrin, cxRequestInfo, resourceShareable, jndiNameToUse, conn, true);
}
String auth = ref.getAuthorization();
if (auth.equals(ResourceReferenceDescriptor.APPLICATION_AUTHORIZATION)) {
if (cxRequestInfo == null) {
String msg = getLocalStrings().getString("con_mgr.null_userpass");
throw new ResourceException(msg);
}
ConnectorRuntime.getRuntime().switchOnMatching(rarName, poolInfo);
return internalGetConnection(mcf, null, cxRequestInfo, resourceShareable, jndiNameToUse, conn, false);
} else {
ResourcePrincipal prin = null;
Set principalSet = null;
Principal callerPrincipal = null;
SecurityContext securityContext = null;
ConnectorRuntime connectorRuntime = ConnectorRuntime.getRuntime();
// TODO V3 is SecurityContext.getCurrent() the right way ? Does it need to be injected ?
if (connectorRuntime.isServer() && (securityContext = SecurityContext.getCurrent()) != null && (callerPrincipal = securityContext.getCallerPrincipal()) != null && (principalSet = securityContext.getPrincipalSet()) != null) {
AuthenticationService authService = connectorRuntime.getAuthenticationService(rarName, poolInfo);
if (authService != null) {
prin = (ResourcePrincipal) authService.mapPrincipal(callerPrincipal, principalSet);
}
}
if (prin == null) {
prin = ref.getResourcePrincipal();
if (prin == null) {
if (getLogger().isLoggable(Level.FINE)) {
getLogger().log(Level.FINE, "default-resource-principal not" + "specified for " + jndiNameToUse + ". Defaulting to" + " user/password specified in the pool");
}
prin = defaultPrin;
} else if (!prin.equals(defaultPrin)) {
ConnectorRuntime.getRuntime().switchOnMatching(rarName, poolInfo);
}
}
return internalGetConnection(mcf, prin, cxRequestInfo, resourceShareable, jndiNameToUse, conn, false);
}
}
use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
the class EJBSecurityManager method getCallerPrincipal.
/**
* This method returns the Client Principal who initiated the current Invocation.
*
* @return A Principal object of the client who made this invocation. or null if the SecurityContext has not been
* established by the client.
*/
@Override
public Principal getCallerPrincipal() {
SecurityContext securityContext = null;
if (runAs != null) {
// Run As
// return the principal associated with the old security context
ComponentInvocation componentInvocation = invocationManager.getCurrentInvocation();
if (componentInvocation == null) {
// 4646060
throw new InvocationException();
}
securityContext = (SecurityContext) componentInvocation.getOldSecurityContext();
} else {
// Lets optimize a little. No need to look up oldsecctx
// its the same as the new one
securityContext = SecurityContext.getCurrent();
}
if (securityContext != null) {
return securityContext.getCallerPrincipal();
}
return SecurityContext.getDefaultCallerPrincipal();
}
use of com.sun.enterprise.security.SecurityContext in project Payara by payara.
the class EJBSecurityManager method authorize.
/**
* This method is called by the EJB container to decide whether or not a method specified in the Invocation should be
* allowed.
*
* @param componentInvocation invocation object that contains all the details of the invocation.
* @return A boolean value indicating if the client should be allowed to invoke the EJB.
*/
@Override
public boolean authorize(ComponentInvocation componentInvocation) {
if (!(componentInvocation instanceof EjbInvocation)) {
return false;
}
// FIXME: Param type should be EjbInvocation
EjbInvocation ejbInvocation = (EjbInvocation) componentInvocation;
if (ejbInvocation.getAuth() != null) {
return ejbInvocation.getAuth().booleanValue();
}
boolean isAuthorized = false;
CachedPermission cachedPermission = null;
Permission permission = null;
if (ejbInvocation.invocationInfo == null || ejbInvocation.invocationInfo.cachedPermission == null) {
permission = new EJBMethodPermission(ejbName, ejbInvocation.getMethodInterface(), ejbInvocation.method);
cachedPermission = new CachedPermissionImpl(uncheckedMethodPermissionCache, permission);
if (ejbInvocation.invocationInfo != null) {
ejbInvocation.invocationInfo.cachedPermission = cachedPermission;
if (_logger.isLoggable(FINE)) {
_logger.fine("JACC: permission initialized in InvocationInfo: EJBMethodPermission (Name) = " + permission.getName() + " (Action) = " + permission.getActions());
}
}
} else {
cachedPermission = ejbInvocation.invocationInfo.cachedPermission;
permission = cachedPermission.getPermission();
}
String caller = null;
SecurityContext securityContext = null;
pcHandlerImpl.getHandlerData().setInvocation(ejbInvocation);
isAuthorized = cachedPermission.checkPermission();
if (!isAuthorized) {
securityContext = SecurityContext.getCurrent();
try {
// Set the policy context in the TLS.
String oldContextId = setPolicyContext(contextId);
try {
isAuthorized = policy.implies(getCachedProtectionDomain(securityContext.getPrincipalSet(), true), permission);
} catch (Throwable t) {
_logger.log(SEVERE, "jacc_access_exception", t);
isAuthorized = false;
} finally {
resetPolicyContext(oldContextId, contextId);
}
} catch (Throwable t) {
_logger.log(SEVERE, "jacc_policy_context_exception", t);
isAuthorized = false;
}
}
ejbInvocation.setAuth(isAuthorized);
if (auditManager.isAuditOn()) {
if (securityContext == null) {
securityContext = SecurityContext.getCurrent();
}
caller = securityContext.getCallerPrincipal().getName();
auditManager.ejbInvocation(caller, ejbName, ejbInvocation.method.toString(), isAuthorized);
}
if (isAuthorized && ejbInvocation.isWebService && !ejbInvocation.isPreInvokeDone()) {
preInvoke(ejbInvocation);
}
if (_logger.isLoggable(FINE)) {
_logger.fine("JACC: Access Control Decision Result: " + isAuthorized + " EJBMethodPermission (Name) = " + permission.getName() + " (Action) = " + permission.getActions() + " (Caller) = " + caller);
}
return isAuthorized;
}
Aggregations