Examples with DistinguishedPrincipalCredential com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential used on opensource projects

Example 1 with DistinguishedPrincipalCredential

use of com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential in project Payara by payara.

the class CertificateRealm method authenticate.

/**
 * Returns name of JAAS context used by this realm. Overrides default
 * Realm behavior of this method. The certificate realm does not
 * require (or support) a LoginModule. This method should never get
 * called unless there is a configuration error, so this overloading
 * is provided to log an error message.  See class documentation.
 *
 * @return null
 */
/*public String getJAASContext()
    {
    _logger.warning("certrealm.nojaas");
    return null;
    }*/
/**
 * Complete authentication of certificate user.
 *
 * <P>As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This method
 * simply sets up the security context for the user in order to
 * properly complete the authentication processing.
 *
 * <P>If any groups have been assigned to cert-authenticated users
 * through the assign-groups property these groups are added to
 * the security context for the current user.
 *
 * @param subject The Subject object for the authentication request.
 * @param x500name The X500Name object from the user certificate.
 *
 *    public void authenticate(Subject subject, X500Name x500name)
 *    {
 *        // It is important to use x500name.getName() in order to be
 *        // consistent with web containers view of the name - see bug
 *        // 4646134 for reasons why this matters.
 *
 *        String name = x500name.getName();
 *
 *        if (_logger.isLoggable(Level.FINEST)) {
 *            _logger.finest(
 *                "Certificate realm setting up security context for: "+ name);
 *        }
 *
 *        if (defaultGroups != null) {
 *	    Set principalSet = subject.getPrincipals();
 *	    Enumeration e = defaultGroups.elements();
 *	    while (e.hasMoreElements()) {
 *		principalSet.add(new Group((String) e.nextElement()));
 *	    }
 *	}
 *
 *        SecurityContext securityContext =
 *	    new SecurityContext(name, subject);
 *
 *	SecurityContext.setCurrent(securityContext);
 *    }
 */
/**
 * Complete authentication of certificate user.
 *
 * <P>As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This method
 * simply sets up the security context for the user in order to
 * properly complete the authentication processing.
 *
 * <P>If any groups have been assigned to cert-authenticated users
 * through the assign-groups property these groups are added to
 * the security context for the current user.
 *
 * @param subject The Subject object for the authentication request.
 * @param x500name The X500Name object from the user certificate.
 */
public void authenticate(Subject subject, X500Name x500name) {
    // It is important to use x500name.getName() in order to be
    // consistent with web containers view of the name - see bug
    // 4646134 for reasons why this matters.
    String name = x500name.getName();
    if (_logger.isLoggable(Level.FINEST)) {
        _logger.finest("Certificate realm setting up security context for: " + name);
    }
    if (defaultGroups != null) {
        Set<Principal> principalSet = subject.getPrincipals();
        Enumeration<String> e = defaultGroups.elements();
        while (e.hasMoreElements()) {
            principalSet.add(new Group(e.nextElement()));
        }
    }
    if (!subject.getPrincipals().isEmpty()) {
        DistinguishedPrincipalCredential dpc = new DistinguishedPrincipalCredential(x500name);
        subject.getPublicCredentials().add(dpc);
    }
    SecurityContext securityContext = new SecurityContext(name, subject);
    SecurityContext.setCurrent(securityContext);
/*AppServSecurityContext secContext = Util.getDefaultHabitat().getByContract(AppServSecurityContext.class);
        AppServSecurityContext securityContext = secContext.newInstance(name, subject);
        securityContext.setCurrentSecurityContext(securityContext);*/
}

Example 2 with DistinguishedPrincipalCredential

use of com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential in project Payara by payara.

the class BaseContainerCallbackHandler method processCallerPrincipal.

private void processCallerPrincipal(CallerPrincipalCallback cpCallback) {
    final Subject fs = cpCallback.getSubject();
    Principal principal = cpCallback.getPrincipal();
    // PAYARA-755 If the SAM has set a custom principal then we check that the original WebPrincipal has the same custom principal within it
    if (principal != null && !(principal instanceof WebPrincipal)) {
        Principal additional = SecurityContext.getCurrent().getAdditionalPrincipal();
        if ((additional != null) && (additional instanceof WebPrincipal) && ((WebPrincipal) additional).getCustomPrincipal() == principal) {
            principal = additional;
        }
    }
    if (principal instanceof WebPrincipal) {
        WebPrincipal wp = (WebPrincipal) principal;
        /**
         * Check if the WebPrincipal satisfies the criteria for reuse. If
         * it does, the CBH will have already copied its contents into the
         * Subject, and established the caller principal.
         */
        if (reuseWebPrincipal(fs, wp)) {
            return;
        }
        /**
         * Otherwise the webPrincipal must be distinguished as the
         * callerPrincipal, but the contents of its internal SecurityContext
         * will not be copied.
         * For the special case where the WebPrincipal represents
         * the defaultCallerPrincipal, the argument principal is set to
         * null to cause the handler to assign its representation of the
         * unauthenticated caller in the Subject.
         */
        Principal dp = SecurityContext.getDefaultCallerPrincipal();
        SecurityContext sc = wp.getSecurityContext();
        Principal cp = sc != null ? sc.getCallerPrincipal() : null;
        if (wp.getName() == null || wp.equals(dp) || cp == null || cp.equals(dp)) {
            principal = null;
        }
    }
    String realmName = null;
    if (handlerContext != null) {
        realmName = handlerContext.getRealmName();
    }
    boolean isCertRealm = CertificateRealm.AUTH_TYPE.equals(realmName);
    if (principal == null) {
        if (cpCallback.getName() != null) {
            if (isCertRealm) {
                principal = new X500Principal(cpCallback.getName());
            } else {
                principal = new PrincipalImpl(cpCallback.getName());
            }
        } else {
            // 196 unauthenticated caller principal
            principal = SecurityContext.getDefaultCallerPrincipal();
        }
    }
    if (isCertRealm) {
        if (principal instanceof X500Principal) {
            LoginContextDriver.jmacLogin(fs, (X500Principal) principal);
        }
    } else {
        if (!principal.equals(SecurityContext.getDefaultCallerPrincipal())) {
            LoginContextDriver.jmacLogin(fs, principal.getName(), realmName);
        }
    }
    final Principal fprin = principal;
    final DistinguishedPrincipalCredential fdpc = new DistinguishedPrincipalCredential(principal);
    AppservAccessController.doPrivileged(new PrivilegedAction() {

        public java.lang.Object run() {
            fs.getPrincipals().add(fprin);
            Iterator iter = fs.getPublicCredentials().iterator();
            while (iter.hasNext()) {
                Object obj = iter.next();
                if (obj instanceof DistinguishedPrincipalCredential) {
                    iter.remove();
                }
            }
            fs.getPublicCredentials().add(fdpc);
            return fs;
        }
    });
}

Example 3 with DistinguishedPrincipalCredential

use of com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential in project Payara by payara.

the class BaseContainerCallbackHandler method reuseWebPrincipal.

/**
 * This method will distinguish the initiator principal (of the
 * SecurityContext obtained from the WebPrincipal) as the caller principal,
 * and copy all the other principals into the subject....
 *
 * It is assumed that the input WebPrincipal is coming from a SAM, and
 * that it was created either by the SAM (as described below) or by
 * calls to the LoginContextDriver made by an Authenticator.
 *
 * A WebPrincipal constructed by the RealmAdapter will include a DPC;
 * other constructions may not; this method interprets the absence of a
 * DPC as evidence that the resulting WebPrincipal was not constructed
 * by the RealmAdapter as described below. Note that presence of a DPC
 * does not necessarily mean that the resulting WebPrincipal was
 * constructed by the RealmAdapter... since some authenticators also
 * add the credential).
 *
 * A. handling of CPCB by CBH:
 *
 *  1. handling of CPC by CBH modifies subject
 *      a. constructs principalImpl if called by name
 *      b. uses LoginContextDriver to add group principals for name
 *      c. puts principal in principal set, and DPC in public credentials
 *
 * B. construction of WebPrincipal by RealmAdapter (occurs after SAM
 * uses CBH to set other than an unauthenticated result in the subject:
 *
 *  a. SecurityContext construction done with subject (returned by SAM).
 *     Construction sets initiator/caller principal within SC from
 *     DPC set by CBH in public credentials of subject
 *
 *  b WebPrincipal is constructed with initiator principal and SecurityContext
 *
 * @param fs receiving Subject
 * @param wp WebPrincipal
 *
 * @return true when Security Context has been obtained from webPrincipal,
 * and CB is finished. returns false when more CB processing is required.
 */
private boolean reuseWebPrincipal(final Subject fs, final WebPrincipal wp) {
    SecurityContext sc = wp.getSecurityContext();
    final Subject wps = sc != null ? sc.getSubject() : null;
    final Principal callerPrincipal = sc != null ? sc.getCallerPrincipal() : null;
    final Principal defaultPrincipal = SecurityContext.getDefaultCallerPrincipal();
    return ((Boolean) AppservAccessController.doPrivileged(new PrivilegedAction() {

        /**
         * this method uses 4 (numbered) criteria to determine if the
         * argument WebPrincipal can be reused
         */
        public Boolean run() {
            /*
                 * 1. WebPrincipal must contain a SecurityContext and SC must
                 * have a non-null, non-default callerPrincipal and a Subject
                 */
            if (callerPrincipal == null || callerPrincipal.equals(defaultPrincipal) || wps == null) {
                return Boolean.FALSE;
            }
            boolean hasObject = false;
            Set<DistinguishedPrincipalCredential> distinguishedCreds = wps.getPublicCredentials(DistinguishedPrincipalCredential.class);
            if (distinguishedCreds.size() == 1) {
                for (DistinguishedPrincipalCredential cred : distinguishedCreds) {
                    if (cred.getPrincipal().equals(callerPrincipal)) {
                        hasObject = true;
                    }
                }
            }
            /**
             * 2. Subject within SecurityContext must contain a single
             * DPC that identifies the Caller Principal
             */
            if (!hasObject) {
                return Boolean.FALSE;
            }
            hasObject = wps.getPrincipals().contains(callerPrincipal);
            /**
             * 3. Subject within SecurityContext must contain the caller
             * principal
             */
            if (!hasObject) {
                return Boolean.FALSE;
            }
            /**
             * 4. The webPrincipal must have a non null name that equals
             * the name of the callerPrincipal.
             */
            if (wp.getName() == null || !wp.getName().equals(callerPrincipal.getName())) {
                return Boolean.FALSE;
            }
            /*
                 * remove any existing DistinguishedPrincipalCredentials from
                 * receiving Subject
                 *
                 */
            Iterator iter = fs.getPublicCredentials().iterator();
            while (iter.hasNext()) {
                Object obj = iter.next();
                if (obj instanceof DistinguishedPrincipalCredential) {
                    iter.remove();
                }
            }
            for (Principal p : wps.getPrincipals()) {
                fs.getPrincipals().add(p);
            }
            /**
             * Copy public credentials from Subject within SecurityContext
             * to receiving Subject
             */
            for (Object publicCred : wps.getPublicCredentials()) {
                fs.getPublicCredentials().add(publicCred);
            }
            /**
             * Copy private credentials from Subject within SecurityContext
             * to receiving Subject
             */
            for (Object privateCred : wps.getPrivateCredentials()) {
                fs.getPrivateCredentials().add(privateCred);
            }
            return Boolean.TRUE;
        }
    })).booleanValue();
}