
Example 1 with ServerLoginCallbackHandler

use of com.sun.enterprise.security.auth.login.common.ServerLoginCallbackHandler in project Payara by payara.

From class WebAndEjbToJaasBridge, method doX500Login:

/**
 * Logs in a caller whose identity arrives as an {@link X500Principal} public credential on
 * the given subject. Certificate authentication itself has already happened by the time this
 * is called (the container extracted the X.500 name from the X.509 certificate); this method
 * only routes the already-verified name through the realm so the realm can shape the
 * resulting security context.
 *
 * <p>When the realm named by {@code realmName} is a {@link CertificateRealm}, an optional
 * JAAS login runs first (only if the realm configures a JAAS context), then
 * {@code certRealm.authenticate} decides the final caller principal name and a success audit
 * entry is recorded. Any other realm type is logged as a misconfiguration and the security
 * context is set directly from the X.500 name, without an audit entry. If the subject carries
 * no {@code X500Principal} at all, the method returns without touching the security context.
 *
 * @param subject     the subject holding the {@code X500Principal} public credential
 * @param realmName   name of the realm to consult (expected to be a certificate realm)
 * @param appModuleID the application module id handed to the JAAS callback handler
 * @throws LoginException when login fails; a failure audit entry is recorded first, and any
 *                        failure that is not already a {@code LoginException} is wrapped into
 *                        one with its cause preserved
 */
public static void doX500Login(Subject subject, String realmName, String appModuleID) {
    LOGGER.finest(() -> String.format("doX500Login(subject=%s, realmName=%s, appModuleID=%s)", subject, realmName, appModuleID));
    // Declared outside the try so the failure audit can name the caller as far as it is known.
    String callerName = null;
    try {
        X500Principal principal = getPublicCredentials(subject, X500Principal.class);
        if (principal == null) {
            // Not expected: the container is supposed to have stored the principal before
            // calling in. Nothing is set on the security context in this case.
            return;
        }
        callerName = principal.getName(X500Principal.RFC2253, OID.getOIDMap());

        // The RI-inherited implementation built credentials and set the security context
        // right here, which denied the certificate realm any say in the outcome. Going
        // through the realm lets it adjust groups, the principal name or other aspects of
        // the security context (it does not authenticate; that already happened).
        // Historical note carried over from the original code: bug 4646134 is to be kept in
        // mind, although what it was is no longer recorded.
        Realm realm = Realm.getInstance(realmName);
        if (!(realm instanceof CertificateRealm)) {
            // Misconfiguration: a certificate login routed to a non-certificate realm.
            LOGGER.warning(certLoginBadRealmError);
            setSecurityContext(callerName, subject, realmName);
        } else {
            CertificateRealm certRealm = (CertificateRealm) realm;
            String jaasContext = certRealm.getJAASContext();
            if (jaasContext != null) {
                // The subject already carries the certificate credential; the callback
                // handler supplies the X.500 name, no password, and the module id.
                new LoginContext(jaasContext, subject, new ServerLoginCallbackHandler(callerName, null, appModuleID)).login();
            }
            // The realm has the final say on the caller principal name.
            callerName = certRealm.authenticate(subject, principal);
            auditAuthenticate(callerName, realmName, true);
        }
        if (LOGGER.isLoggable(FINE)) {
            LOGGER.log(FINE, "X.500 name login succeeded for : {0}", callerName);
        }
    } catch (LoginException failure) {
        auditAuthenticate(callerName, realmName, false);
        throw failure;
    } catch (Exception other) {
        // Everything else -- including the checked javax.security.auth.login.LoginException
        // thrown by LoginContext.login(), which is a different type from the one caught
        // above -- is surfaced as the realm LoginException, keeping the original as cause.
        throw (LoginException) new LoginException(other.toString()).initCause(other);
    }
}

Example 2 with ServerLoginCallbackHandler

use of com.sun.enterprise.security.auth.login.common.ServerLoginCallbackHandler in project Payara by payara.

From class LoginContextDriver, method doX500Login:

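/**
 * A special case login for X500Name credentials.
 * This is invoked for certificate login because the containers
 * extract the X.500 name from the X.509 certificate before calling
 * into this class; no authentication is performed here beyond what the
 * certificate realm itself chooses to do.
 *
 * <p>The realm registered under {@link CertificateRealm#AUTH_TYPE} is looked up. If it is a
 * {@link CertificateRealm}, an optional JAAS login runs (only when the realm configures a
 * JAAS context), the realm then authenticates the subject, and a success audit entry is
 * written when auditing is on. Any other realm type is logged as a misconfiguration and the
 * security context is set directly from the X.500 name, without an audit entry.
 *
 * @param s           the subject carrying the {@code X500Name} public credential
 * @param appModuleID the application module id passed to the JAAS callback handler
 * @throws LoginException when login fails; a failure audit entry (if auditing is on) is
 *                        written first, and any other exception is wrapped into a
 *                        {@code LoginException} with its cause preserved
 */
public static void doX500Login(Subject s, String appModuleID) throws LoginException {
    if (_logger.isLoggable(Level.FINE)) {
        _logger.fine("Processing X.500 name login.");
    }
    // Both are declared outside the try so the failure audit can report whatever is known.
    String user = null;
    String realm_name = null;
    try {
        // NOTE: sun.security.x509.X500Name is a JDK-internal type; on Java 9+ it is not
        // exported from java.base without --add-exports, so this dependency is fragile.
        // If no X500Name credential is present and this returns null, the resulting
        // NullPointerException is wrapped into a LoginException by the last catch below.
        X500Name x500name = (X500Name) getPublicCredentials(s, X500Name.class);
        user = x500name.getName();
        // In the RI-inherited implementation this directly creates
        // some credentials and sets the security context. This means
        // that the certificate realm does not get an opportunity to
        // process the request. While the realm will not do any
        // authentication (already done by this point) it can choose
        // to adjust the groups or principal name or other variables
        // of the security context. Of course, bug 4646134 needs to be
        // kept in mind at all times.
        Realm realm = Realm.getInstance(CertificateRealm.AUTH_TYPE);
        if (realm instanceof CertificateRealm) {
            // should always be true
            CertificateRealm certRealm = (CertificateRealm) realm;
            // Record the realm name before the JAAS login and the realm's authenticate()
            // run, so that a LoginException from either is audited against the certificate
            // realm instead of a null realm name (previously this was assigned only after
            // authenticate() had succeeded, so failure audits carried realm_name == null).
            realm_name = CertificateRealm.AUTH_TYPE;
            String jaasCtx = certRealm.getJAASContext();
            if (jaasCtx != null) {
                // The subject has the Certificate Credential; the callback handler supplies
                // the X.500 name, no password, and the module id to the login module.
                LoginContext lg = new LoginContext(jaasCtx, s, new ServerLoginCallbackHandler(user, null, appModuleID));
                lg.login();
            }
            certRealm.authenticate(s, x500name);
            if (getAuditManager().isAuditOn()) {
                getAuditManager().authentication(user, realm_name, true);
            }
        } else {
            // Misconfiguration: a certificate login routed to a non-certificate realm.
            _logger.warning(SecurityLoggerInfo.certLoginBadRealmError);
            realm_name = realm.getName();
            setSecurityContext(user, s, realm_name);
        }
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("X.500 name login succeeded for : " + user);
        }
    } catch (LoginException le) {
        if (getAuditManager().isAuditOn()) {
            getAuditManager().authentication(user, realm_name, false);
        }
        throw le;
    } catch (Exception ex) {
        // Anything else (including the checked javax LoginException from LoginContext.login(),
        // which is a different type from the one caught above) becomes a LoginException
        // with the original kept as its cause.
        throw (LoginException) new LoginException(ex.toString()).initCause(ex);
    }
}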
