Search in sources :

Example 16 with SecurityContext

use of com.sun.enterprise.security.SecurityContext in project Payara by payara.

the class RealmAdapter method preSetRunAsIdentity.

/**
 * Set the run-as principal into the SecurityContext when needed.
 *
 * <P>
 * This method will attempt to obtain the name of the servlet from the ComponentInvocation. Note that there may not be
 * one since this gets called also during internal processing (not clear..) not just part of servlet requests. However,
 * if it is not a servlet request there is no need (or possibility) to have a run-as setting so no further action is
 * taken.
 *
 * <P>
 * If the servlet name is present the runAsPrincipals cache is checked to find the run-as principal to use (if any). If
 * one is set, the SecurityContext is switched to this principal.
 *
 * <p>
 * See IASRI 4747594
 *
 * @param inv The invocation object to process.
 */
public void preSetRunAsIdentity(ComponentInvocation inv) {
    if (runAsPrincipals != null && runAsPrincipals.isEmpty()) {
        return;
    }
    String servletName = this.getServletName(inv);
    if (servletName == null) {
        return;
    }
    String runAs = runAsPrincipals.get(servletName);
    if (runAs != null) {
        // The existing SecurityContext is saved - however, this seems
        // meaningless - see bug 4757733. For now, keep it unchanged
        // in case there are some dependencies elsewhere in RI.
        SecurityContext old = getSecurityContext();
        inv.setOldSecurityContext(old);
        // Set the run-as principal into SecurityContext
        loginForRunAs(runAs);
        LOG.fine(() -> "run-as principal for " + servletName + " set to: " + runAs);
    }
}
Also used : SecurityContext(com.sun.enterprise.security.SecurityContext)

Example 17 with SecurityContext

use of com.sun.enterprise.security.SecurityContext in project Payara by payara.

the class JaspicRealm method handleSamAuthenticated.

private void handleSamAuthenticated(Subject subject, MessageInfo messageInfo, HttpRequest request, HttpResponse response, LoginConfig config, Authenticator authenticator) throws IOException {
    SecurityContext securityContext = new SecurityContext(subject);
    // Assuming no null principal here
    WebPrincipal webPrincipal = new WebPrincipal(securityContext.getCallerPrincipal(), securityContext);
    // TODO: check Java SE SecurityManager access
    SecurityContext.setCurrent(securityContext);
    try {
        String authType = getAuthType(messageInfo, config);
        if (shouldRegisterSession(messageInfo)) {
            // Besides authenticating, the SAM has indicated that the new principal should
            // be stored in a session. This means that when the SAM is called again in a next request
            // it can opt to continue this session.
            new AuthenticatorProxy(authenticator, webPrincipal, authType).authenticate(request, response, config);
        } else {
            request.setAuthType(authType == null ? AuthenticatorProxy.PROXY_AUTH_TYPE : authType);
            request.setUserPrincipal(webPrincipal);
        }
    } catch (LifecycleException le) {
        logger.log(SEVERE, "[Web-Security] unable to register session", le);
    }
}
Also used : LifecycleException(org.apache.catalina.LifecycleException) SecurityContext(com.sun.enterprise.security.SecurityContext) WebPrincipal(com.sun.enterprise.security.web.integration.WebPrincipal)

Example 18 with SecurityContext

use of com.sun.enterprise.security.SecurityContext in project Payara by payara.

the class ConnectionManagerImpl method allocateConnection.

public Object allocateConnection(ManagedConnectionFactory mcf, ConnectionRequestInfo cxRequestInfo, String jndiNameToUse, Object conn) throws ResourceException {
    validateResourceAndPool();
    PoolManager poolmgr = ConnectorRuntime.getRuntime().getPoolManager();
    boolean resourceShareable = true;
    ResourceReferenceDescriptor ref = poolmgr.getResourceReference(jndiNameToUse, logicalName);
    if (ref != null) {
        String shareableStr = ref.getSharingScope();
        if (shareableStr.equals(ref.RESOURCE_UNSHAREABLE)) {
            resourceShareable = false;
        }
    }
    // TODO V3 refactor all the 3 cases viz, no res-ref, app-auth, cont-auth.
    if (ref == null) {
        if (getLogger().isLoggable(Level.FINE)) {
            getLogger().log(Level.FINE, "poolmgr.no_resource_reference", jndiNameToUse);
        }
        return internalGetConnection(mcf, defaultPrin, cxRequestInfo, resourceShareable, jndiNameToUse, conn, true);
    }
    String auth = ref.getAuthorization();
    if (auth.equals(ResourceReferenceDescriptor.APPLICATION_AUTHORIZATION)) {
        if (cxRequestInfo == null) {
            String msg = getLocalStrings().getString("con_mgr.null_userpass");
            throw new ResourceException(msg);
        }
        ConnectorRuntime.getRuntime().switchOnMatching(rarName, poolInfo);
        return internalGetConnection(mcf, null, cxRequestInfo, resourceShareable, jndiNameToUse, conn, false);
    } else {
        ResourcePrincipal prin = null;
        Set principalSet = null;
        Principal callerPrincipal = null;
        SecurityContext securityContext = null;
        ConnectorRuntime connectorRuntime = ConnectorRuntime.getRuntime();
        // TODO V3 is SecurityContext.getCurrent() the right way ? Does it need to be injected ?
        if (connectorRuntime.isServer() && (securityContext = SecurityContext.getCurrent()) != null && (callerPrincipal = securityContext.getCallerPrincipal()) != null && (principalSet = securityContext.getPrincipalSet()) != null) {
            AuthenticationService authService = connectorRuntime.getAuthenticationService(rarName, poolInfo);
            if (authService != null) {
                prin = (ResourcePrincipal) authService.mapPrincipal(callerPrincipal, principalSet);
            }
        }
        if (prin == null) {
            prin = ref.getResourcePrincipal();
            if (prin == null) {
                if (getLogger().isLoggable(Level.FINE)) {
                    getLogger().log(Level.FINE, "default-resource-principal not" + "specified for " + jndiNameToUse + ". Defaulting to" + " user/password specified in the pool");
                }
                prin = defaultPrin;
            } else if (!prin.equals(defaultPrin)) {
                ConnectorRuntime.getRuntime().switchOnMatching(rarName, poolInfo);
            }
        }
        return internalGetConnection(mcf, prin, cxRequestInfo, resourceShareable, jndiNameToUse, conn, false);
    }
}
Also used : Set(java.util.Set) SecurityContext(com.sun.enterprise.security.SecurityContext) ResourcePrincipal(com.sun.enterprise.deployment.ResourcePrincipal) ResourceException(javax.resource.ResourceException) ResourceReferenceDescriptor(com.sun.enterprise.deployment.ResourceReferenceDescriptor) PoolManager(com.sun.enterprise.resource.pool.PoolManager) AuthenticationService(com.sun.enterprise.connectors.authentication.AuthenticationService) ResourcePrincipal(com.sun.enterprise.deployment.ResourcePrincipal) Principal(java.security.Principal)

Example 19 with SecurityContext

use of com.sun.enterprise.security.SecurityContext in project Payara by payara.

the class EJBSecurityManager method getCallerPrincipal.

/**
 * This method returns the Client Principal who initiated the current Invocation.
 *
 * @return A Principal object of the client who made this invocation. or null if the SecurityContext has not been
 * established by the client.
 */
@Override
public Principal getCallerPrincipal() {
    SecurityContext securityContext = null;
    if (runAs != null) {
        // Run As
        // return the principal associated with the old security context
        ComponentInvocation componentInvocation = invocationManager.getCurrentInvocation();
        if (componentInvocation == null) {
            // 4646060
            throw new InvocationException();
        }
        securityContext = (SecurityContext) componentInvocation.getOldSecurityContext();
    } else {
        // Lets optimize a little. No need to look up oldsecctx
        // its the same as the new one
        securityContext = SecurityContext.getCurrent();
    }
    if (securityContext != null) {
        return securityContext.getCallerPrincipal();
    }
    return SecurityContext.getDefaultCallerPrincipal();
}
Also used : ComponentInvocation(org.glassfish.api.invocation.ComponentInvocation) InvocationException(org.glassfish.api.invocation.InvocationException) SecurityContext(com.sun.enterprise.security.SecurityContext)

Example 20 with SecurityContext

use of com.sun.enterprise.security.SecurityContext in project Payara by payara.

the class EJBSecurityManager method authorize.

/**
 * This method is called by the EJB container to decide whether or not a method specified in the Invocation should be
 * allowed.
 *
 * @param componentInvocation invocation object that contains all the details of the invocation.
 * @return A boolean value indicating if the client should be allowed to invoke the EJB.
 */
@Override
public boolean authorize(ComponentInvocation componentInvocation) {
    if (!(componentInvocation instanceof EjbInvocation)) {
        return false;
    }
    // FIXME: Param type should be EjbInvocation
    EjbInvocation ejbInvocation = (EjbInvocation) componentInvocation;
    if (ejbInvocation.getAuth() != null) {
        return ejbInvocation.getAuth().booleanValue();
    }
    boolean isAuthorized = false;
    CachedPermission cachedPermission = null;
    Permission permission = null;
    if (ejbInvocation.invocationInfo == null || ejbInvocation.invocationInfo.cachedPermission == null) {
        permission = new EJBMethodPermission(ejbName, ejbInvocation.getMethodInterface(), ejbInvocation.method);
        cachedPermission = new CachedPermissionImpl(uncheckedMethodPermissionCache, permission);
        if (ejbInvocation.invocationInfo != null) {
            ejbInvocation.invocationInfo.cachedPermission = cachedPermission;
            if (_logger.isLoggable(FINE)) {
                _logger.fine("JACC: permission initialized in InvocationInfo: EJBMethodPermission (Name) = " + permission.getName() + " (Action) = " + permission.getActions());
            }
        }
    } else {
        cachedPermission = ejbInvocation.invocationInfo.cachedPermission;
        permission = cachedPermission.getPermission();
    }
    String caller = null;
    SecurityContext securityContext = null;
    pcHandlerImpl.getHandlerData().setInvocation(ejbInvocation);
    isAuthorized = cachedPermission.checkPermission();
    if (!isAuthorized) {
        securityContext = SecurityContext.getCurrent();
        try {
            // Set the policy context in the TLS.
            String oldContextId = setPolicyContext(contextId);
            try {
                isAuthorized = policy.implies(getCachedProtectionDomain(securityContext.getPrincipalSet(), true), permission);
            } catch (Throwable t) {
                _logger.log(SEVERE, "jacc_access_exception", t);
                isAuthorized = false;
            } finally {
                resetPolicyContext(oldContextId, contextId);
            }
        } catch (Throwable t) {
            _logger.log(SEVERE, "jacc_policy_context_exception", t);
            isAuthorized = false;
        }
    }
    ejbInvocation.setAuth(isAuthorized);
    if (auditManager.isAuditOn()) {
        if (securityContext == null) {
            securityContext = SecurityContext.getCurrent();
        }
        caller = securityContext.getCallerPrincipal().getName();
        auditManager.ejbInvocation(caller, ejbName, ejbInvocation.method.toString(), isAuthorized);
    }
    if (isAuthorized && ejbInvocation.isWebService && !ejbInvocation.isPreInvokeDone()) {
        preInvoke(ejbInvocation);
    }
    if (_logger.isLoggable(FINE)) {
        _logger.fine("JACC: Access Control Decision Result: " + isAuthorized + " EJBMethodPermission (Name) = " + permission.getName() + " (Action) = " + permission.getActions() + " (Caller) = " + caller);
    }
    return isAuthorized;
}
Also used : EjbInvocation(com.sun.ejb.EjbInvocation) CachedPermission(com.sun.enterprise.security.jacc.cache.CachedPermission) CachedPermissionImpl(com.sun.enterprise.security.jacc.cache.CachedPermissionImpl) CachedPermission(com.sun.enterprise.security.jacc.cache.CachedPermission) SecurityContext(com.sun.enterprise.security.SecurityContext)

Aggregations

SecurityContext (com.sun.enterprise.security.SecurityContext)34 Subject (javax.security.auth.Subject)15 Principal (java.security.Principal)11 WebPrincipal (com.sun.enterprise.security.web.integration.WebPrincipal)10 DistinguishedPrincipalCredential (com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential)6 ClientSecurityContext (com.sun.enterprise.security.common.ClientSecurityContext)6 ComponentInvocation (org.glassfish.api.invocation.ComponentInvocation)6 PrivilegedAction (java.security.PrivilegedAction)5 X500Principal (javax.security.auth.x500.X500Principal)5 Iterator (java.util.Iterator)3 Set (java.util.Set)3 AuthException (javax.security.auth.message.AuthException)3 HttpServletRequest (javax.servlet.http.HttpServletRequest)3 Group (org.glassfish.security.common.Group)3 EjbDescriptor (com.sun.enterprise.deployment.EjbDescriptor)2 WebServiceEndpoint (com.sun.enterprise.deployment.WebServiceEndpoint)2 SecurityContext.getDefaultCallerPrincipal (com.sun.enterprise.security.SecurityContext.getDefaultCallerPrincipal)2 SOAPAuthParam (com.sun.enterprise.security.jauth.jaspic.provider.SOAPAuthParam)2 JavaMethod (com.sun.xml.ws.api.model.JavaMethod)2 Method (java.lang.reflect.Method)2