use of com.sun.enterprise.security.auth.login.common.LoginException in project Payara by payara.
the class JDBCLoginModule method authenticate.
/**
 * Authenticates the current user against the configured {@link JDBCRealm}.
 *
 * <p>The realm held in {@code _currentRealm} must be a {@code JDBCRealm} and
 * {@code _username} must be non-null and non-empty. The realm returns the
 * user's group list, or {@code null} when the credentials are rejected; on
 * success the result is handed to {@code commitAuthentication}.
 *
 * @throws LoginException if the realm is of the wrong type, the user name is
 *         missing, or the realm rejects the user name / password (JAAS
 *         {@code login()} behavior)
 */
protected void authenticate() throws LoginException {
    if (!(_currentRealm instanceof JDBCRealm)) {
        throw new LoginException(sm.getString("jdbclm.badrealm"));
    }
    final JDBCRealm realm = (JDBCRealm) _currentRealm;

    // A JDBC user must have a non-null, non-empty name.
    if (_username == null || _username.isEmpty()) {
        throw new LoginException(sm.getString("jdbclm.nulluser"));
    }

    final char[] password = getPasswordChar();
    final String[] groups = realm.authenticate(_username, password);
    if (groups == null) {
        // JAAS behavior: a rejected login surfaces as a LoginException.
        throw new LoginException(sm.getString("jdbclm.loginfail", _username));
    }

    if (_logger.isLoggable(Level.FINEST)) {
        _logger.finest("JDBC login succeeded for: " + _username + " groups:" + Arrays.toString(groups));
    }
    commitAuthentication(_username, password, _currentRealm, groups);
}
use of com.sun.enterprise.security.auth.login.common.LoginException in project Payara by payara.
the class BaseContainerCallbackHandler method processPasswordValidation.
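/**
 * Handles a JASPIC {@link PasswordValidationCallback}: validates the supplied
 * user name and password and reports the outcome through
 * {@code pwdCallback.setResult}.
 *
 * <p>Inside an application client container nothing is validated and the
 * callback is marked successful. Otherwise the credentials are handed to
 * {@code LoginContextDriver.jmacLogin} together with the realm name of the
 * handler context (or {@code null} when there is no context); the resulting
 * {@link Subject} is registered via
 * {@code GFServerConfigProvider.setValidateRequestSubject}. The password
 * characters held by the callback are blanked on every exit path, so the
 * cleartext password does not linger after validation has finished.
 *
 * @param pwdCallback the callback carrying the user name, password and the
 *        subject to populate; its result is set to {@code true} on success
 *        and {@code false} when the login is refused
 */
private void processPasswordValidation(PasswordValidationCallback pwdCallback) {
    // Application client: nothing to validate on this side.
    if (SecurityServicesUtil.getInstance().isACC()) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "JMAC: In PasswordValidationCallback Processor for appclient - will do nothing");
        }
        pwdCallback.setResult(true);
        return;
    }

    String username = pwdCallback.getUsername();
    char[] passwd = pwdCallback.getPassword();
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "JMAC: In PasswordValidationCallback Processor");
    }

    try {
        // Realm name comes from the handler context when one is present; otherwise null is passed through.
        String realmName = null;
        if (handlerContext != null) {
            realmName = handlerContext.getRealmName();
        }
        Subject s = LoginContextDriver.jmacLogin(pwdCallback.getSubject(), username, passwd, realmName);
        GFServerConfigProvider.setValidateRequestSubject(s);
        if (_logger.isLoggable(Level.FINE)) {
            // The message needs a {0} placeholder, otherwise the username parameter is never rendered.
            _logger.log(Level.FINE, "JMAC: authentication succeeded for user = {0}", username);
        }
        pwdCallback.setResult(true);
    } catch (LoginException le) {
        // Login refused: report failure to the caller.
        if (_logger.isLoggable(Level.INFO)) {
            _logger.log(Level.INFO, "jmac.loginfail", username);
        }
        pwdCallback.setResult(false);
    } finally {
        // Explicitly ditch the password on success, refusal and unexpected
        // exceptions alike (previously only on success), so the cleartext
        // characters are not left behind in the callback.
        if (passwd != null) {
            java.util.Arrays.fill(passwd, ' ');
        }
    }
}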
use of com.sun.enterprise.security.auth.login.common.LoginException in project Payara by payara.
the class SecurityMechanismSelector method getUsernameAndPassword.
/**
* Return whether the server is trusted or not based on configuration information.
*
* @return true if the server is trusted.
*/
/*
* private boolean isServerTrusted() { String star = "*"; // first check if "*" in trusted - then
* why bother // doing all the processing . We trust everything // System.out.println
* (" In server trusted ??"); for (int i = 0; i < serverTrustedHosts.length; i++){ if
* (serverTrustedHosts[i].length () == 1) { if (serverTrustedHosts[i].equals (star)) return true; }
* } ConnectionContext scc = getClientConnectionContext (); if (scc != null){ Socket skt =
* scc.getSocket (); InetAddress adr = skt.getInetAddress (); // System.out.println
* (" Calling isServerTrusted"); // System.out.println (" addres "+ adr.toString ()); return
* isDomainInTrustedList (adr, serverTrustedHosts); } return false; }
*/
/**
 * Checks whether a given domain is trusted. For example, with domain = 123.203.1.1 (an IP address)
 * and trusted list = *.com, *.eng, this should report that the given domain is trusted.
 *
 * @param inetAddress the InetAddress of the domain to be checked
 * @param trusted the array of trusted domains
 * @return true if the given domain is trusted
 */
/*
* private boolean isDomainInTrustedList (InetAddress inetAddress, String[] trusted) throws
* SecurityException { boolean isTrusted = false; String domain = null; String star = "*"; String
* dot = "."; // lookup and get domain name try{ domain = inetAddress.getHostName (); } catch
* (Exception e){ _logger.log(Level.SEVERE,"iiop.domain_lookup_failed",inetAddress.getHostAddress
* ()); return false; } if (_logger.isLoggable(Level.FINE)) { _logger.log(Level.FINE,
* " Verifying if domain address ="+ inetAddress.toString () + " is in the Trusted list ");
* _logger.log(Level.FINE, " the domain name is = "+ domain); } String[] domainTok =
* TypeUtil.stringToArray (domain, dot); // now lets go through the list of trusted domains // one
* at a time for (int i=0; i< trusted.length; i++){ // String to compare with String[] toksList =
* TypeUtil.stringToArray (trusted[i], dot); // cannot compare *.eng to *.eng.sun if
* (toksList.length != domainTok.length){ isTrusted = false; continue; } else{ for (int
* j=toksList.length-1; j>=0 ; j--){ // compare com in *.eng.com and abc.eng.com // compare in the
* reverse order if (toksList[j].equals (domainTok[j])){ isTrusted = true; } else { // compare * in
* abc.*.com and abc.eng.com if (toksList[j].equals (star)){ isTrusted = true; } else { // get out
* and try the next domain isTrusted = false; break; } } } // We went through one domain and found a
* match // no need to compare further if (isTrusted) return isTrusted; } } return isTrusted; }
*/
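/**
 * Builds the {@link SecurityContext} for an outbound call, taking the
 * {@link Subject} either from the current server-side security context or,
 * for clients, from the {@link ClientSecurityContext}. For application
 * clients that have not logged in yet this triggers a login through the
 * registered callback handler, which may pop up a user interface to gather
 * authentication information.
 *
 * <p>If the subject carries no {@link PasswordCredential} the call is treated
 * as run-as: no authentication class is set and the identity class is
 * {@code GSSUPName}. Otherwise every password credential is stamped with the
 * realm the target requires (decoded from the mechanism's
 * {@code as_context_mech.target_name}, or the default realm when that is
 * absent) and the authentication class is {@code PasswordCredential}.
 *
 * @param ci        the current component invocation (not consulted by this method)
 * @param mechanism the selected compound security mechanism whose
 *                  {@code as_context_mech.target_name} names the realm
 * @return the populated security context, or {@code null} when no client
 *         security context is available or an unexpected exception occurred
 *         (logged at SEVERE as {@code iiop.user_password_exception})
 * @throws SecurityMechanismException declared for callers; a
 *         {@code LoginException} raised during client login propagates unchanged
 */
private SecurityContext getUsernameAndPassword(ComponentInvocation ci, CompoundSecMech mechanism) throws SecurityMechanismException {
    try {
        Subject s = null;
        if (isNotServerOrACC()) {
            // Standalone client: the subject is fetched from the client security context.
            ClientSecurityContext sc = ClientSecurityContext.getCurrent();
            if (sc == null) {
                return null;
            }
            s = sc.getSubject();
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "SUBJECT:" + s);
            }
        } else if (isACC()) {
            // Application client: reuse the current subject, or log in through the callback handler.
            ClientSecurityContext sc = ClientSecurityContext.getCurrent();
            if (sc == null) {
                s = LoginContextDriver.doClientLogin(SecurityConstants.USERNAME_PASSWORD, SecurityServicesUtil.getInstance().getCallbackHandler());
            } else {
                s = sc.getSubject();
            }
        } else {
            // web/ejb
            s = getSubjectFromSecurityCurrent();
            // TODO check if username/password is available
            // if not throw exception
        }

        SecurityContext ctx = new SecurityContext();
        final Subject sub = s;
        ctx.subject = s;

        // Determine whether run-as is in effect: a run-as subject carries no password credential.
        Set<PasswordCredential> privateCredSet = AccessController.doPrivileged(new PrivilegedAction<Set<PasswordCredential>>() {
            @Override
            public Set<PasswordCredential> run() {
                return sub.getPrivateCredentials(PasswordCredential.class);
            }
        });

        if (privateCredSet.isEmpty()) {
            // run-as case: identity only, no authentication class
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "no private credential run as mode");
            }
            ctx.authcls = null;
            ctx.identcls = GSSUPName.class;
        } else {
            // Look up the realm name required by the server and record it in each PasswordCredential.
            AS_ContextSec asContext = mechanism.as_context_mech;
            final byte[] target_name = asContext.target_name;
            byte[] realmBytes;
            if (target_name == null || target_name.length == 0) {
                realmBytes = Realm.getDefaultRealm().getBytes();
            } else {
                realmBytes = GSSUtils.importName(GSSUtils.GSSUP_MECH_OID, target_name);
            }
            // NOTE(review): both conversions rely on the platform default charset;
            // if the imported GSSUP name bytes are UTF-8, a non-ASCII realm name
            // could be decoded incorrectly here — confirm against GSSUtils.
            final String realm_name = new String(realmBytes);
            for (final PasswordCredential pc : privateCredSet) {
                AccessController.doPrivileged(new PrivilegedAction<Void>() {
                    @Override
                    public Void run() {
                        pc.setRealm(realm_name);
                        return null;
                    }
                });
            }
            ctx.authcls = PasswordCredential.class;
        }
        return ctx;
    } catch (LoginException le) {
        // Login failures must reach the caller unchanged. LoginException is not
        // declared on this method, so in this code base it is unchecked (or a
        // SecurityMechanismException subtype).
        throw le;
    } catch (Exception e) {
        // Anything else is logged and reported as "no context" to the caller.
        _logger.log(Level.SEVERE, "iiop.user_password_exception", e);
        return null;
    }
}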
use of com.sun.enterprise.security.auth.login.common.LoginException in project Payara by payara.
the class LoginContextDriver method jmacLogin.
/**
 * Performs a JMAC certificate login for the given X.500 principal.
 *
 * <p>The principal's {@link X500Name} is added to the subject's public
 * credentials before anything else, because the JAAS login context created
 * below (when the certificate realm has a JAAS context configured) works with
 * that subject; {@code CertificateRealm.authenticate} then completes the
 * login. Refused and successful logins are both passed to the audit manager
 * when auditing is on.
 *
 * <p>NOTE(review): the X500Name remains in the supplied subject's public
 * credentials even when this method throws; callers should not reuse a
 * subject for which the login failed.
 *
 * @param subject       the subject to populate; a new one is created when {@code null}
 * @param x500Principal the subject principal of the client certificate
 * @return the populated subject (the one passed in, or the newly created one)
 * @throws LoginException if the realm lookup, the JAAS login or the realm
 *         authentication fails; any other exception is wrapped in a
 *         LoginException with the original set as its cause
 */
public static Subject jmacLogin(Subject subject, X500Principal x500Principal) throws LoginException {
    final Subject target = (subject == null) ? new Subject() : subject;
    String userName = "";
    try {
        final X500Name x500Name = new X500Name(x500Principal.getName(X500Principal.RFC1779));
        userName = x500Name.toString();
        AppservAccessController.doPrivileged(new PrivilegedAction<Subject>() {
            @Override
            public Subject run() {
                target.getPublicCredentials().add(x500Name);
                return target;
            }
        });

        CertificateRealm certRealm = (CertificateRealm) Realm.getInstance(CertificateRealm.AUTH_TYPE);
        String jaasCtx = certRealm.getJAASContext();
        if (jaasCtx != null) {
            // The subject already holds the certificate credential at this point.
            new LoginContext(jaasCtx, target, dummyCallback).login();
        }
        certRealm.authenticate(target, x500Name);
    } catch (Exception ex) {
        if (_logger.isLoggable(Level.INFO)) {
            _logger.log(Level.INFO, SecurityLoggerInfo.auditAtnRefusedError, userName);
        }
        if (getAuditManager().isAuditOn()) {
            getAuditManager().authentication(userName, CertificateRealm.AUTH_TYPE, false);
        }
        if (ex instanceof LoginException) {
            throw (LoginException) ex;
        }
        throw (LoginException) new LoginException(ex.toString()).initCause(ex);
    }

    if (_logger.isLoggable(Level.FINE)) {
        _logger.fine("jmac cert login succeeded for: " + userName);
    }
    if (getAuditManager().isAuditOn()) {
        getAuditManager().authentication(userName, CertificateRealm.AUTH_TYPE, true);
    }
    return target;
}
use of com.sun.enterprise.security.auth.login.common.LoginException in project Payara by payara.
the class LoginContextDriver method login.
/**
 * Performs Digest authentication (RFC 2617) for the given credentials.
 *
 * <p>The credentials are placed in a fresh {@link Subject}'s private
 * credentials and the JAAS context of the credentials' realm is run against
 * that subject. The callback handler handed to JAAS is a dummy: the user name
 * and password are already carried by the subject. On success the security
 * context of the current thread is set for the authenticated user and realm.
 *
 * @param digestCred the digest credentials, naming the user and the realm
 * @throws javax.security.auth.login.LoginException as declared; in practice a
 *         failure surfaces as this project's {@code LoginException}, rethrown
 *         unchanged when the realm or JAAS raised one, otherwise wrapping the
 *         original exception as its cause. Refusals are logged at INFO and
 *         audited when auditing is on.
 */
public static void login(DigestCredentials digestCred) throws javax.security.auth.login.LoginException {
    final Subject subject = new Subject();
    subject.getPrivateCredentials().add(digestCred);

    final String jaasCtx;
    try {
        jaasCtx = Realm.getInstance(digestCred.getRealmName()).getJAASContext();
    } catch (Exception ex) {
        if (ex instanceof LoginException) {
            throw (LoginException) ex;
        }
        throw (LoginException) new LoginException(ex.toString()).initCause(ex);
    }

    try {
        // dummyCallback only satisfies the JAAS API; the login modules read
        // name/password from the Subject's credentials.
        new LoginContext(jaasCtx, subject, dummyCallback).login();
    } catch (Exception e) {
        if (_logger.isLoggable(Level.INFO)) {
            _logger.log(Level.INFO, SecurityLoggerInfo.auditAtnRefusedError, digestCred.getUserName());
        }
        if (_logger.isLoggable(Level.FINEST)) {
            _logger.log(Level.FINEST, "doPasswordLogin fails", e);
        }
        if (getAuditManager().isAuditOn()) {
            getAuditManager().authentication(digestCred.getUserName(), digestCred.getRealmName(), false);
        }
        if (e instanceof LoginException) {
            throw (LoginException) e;
        }
        throw (LoginException) new LoginException("Login failed: " + e.getMessage()).initCause(e);
    }

    setSecurityContext(digestCred.getUserName(), subject, digestCred.getRealmName());
}