
Example 1 with X509CertificateCredential

use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.

the class LoginContextDriver method doCertificateLogin.

/**
 * Special-case login for a {@link Subject} that already carries an
 * {@link X509CertificateCredential} among its public credentials.
 * <p>
 * The credential's alias becomes the user name and the security context is
 * bound to it under the {@link CertificateRealm#AUTH_TYPE} realm. When auditing
 * is switched on, the outcome is recorded as an authentication event; a failed
 * attempt is audited and the original exception is rethrown unchanged.
 * This does not get triggered based on current RI code. See X500Login.
 *
 * @param s the subject whose public credentials hold the certificate credential
 * @throws LoginException if the credential cannot be obtained or the security
 *         context cannot be established; rethrown after the failure is audited
 */
private static void doCertificateLogin(Subject s) throws LoginException {
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "Processing X509 certificate login.");
    }
    final String realm = CertificateRealm.AUTH_TYPE;
    // Remains null in the audit record if the credential lookup itself fails.
    String alias = null;
    try {
        X509CertificateCredential credential =
                (X509CertificateCredential) getPublicCredentials(s, X509CertificateCredential.class);
        alias = credential.getAlias();
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Set security context as user: " + alias);
        }
        setSecurityContext(alias, s, realm);
        if (getAuditManager().isAuditOn()) {
            getAuditManager().authentication(alias, realm, true);
        }
    } catch (LoginException failure) {
        // Only a LoginException is audited as a failed authentication; any other
        // exception (e.g. a failed cast) propagates without an audit record.
        if (getAuditManager().isAuditOn()) {
            getAuditManager().authentication(alias, realm, false);
        }
        throw failure;
    }
}

Example 2 with X509CertificateCredential

use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.

the class J2EEKeyManager method chooseClientAlias.

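/**
 * Choose the client alias that will be used to select the client certificate for SSL client auth.
 * <p>
 * Resolution order: an alias configured on this key manager wins; otherwise a standalone client
 * defers to the wrapped {@code x509KeyManager}; otherwise, inside the ACC, the alias is read from
 * the {@link X509CertificateCredential} held in the current client {@link Subject}, performing a
 * certificate login first when no subject is present yet. In every other case {@code null} is
 * returned.
 *
 * @param keyType the key algorithm type name(s), ordered by preference
 * @param issuers the acceptable certificate issuers, or null if any issuer is acceptable
 * @param socket the socket used for this connection. This parameter can be null, in which case the method will return the most
 * generic alias to use.
 * @return the alias, or {@code null} if none could be determined.
 */
@Override
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
    String clientAlias = null;
    if (this.alias != null) {
        clientAlias = this.alias;
    } else if (Util.getInstance().isNotServerOrACC()) {
        // standalone client
        clientAlias = x509KeyManager.chooseClientAlias(keyType, issuers, socket);
    } else if (Util.getInstance().isACC()) {
        ClientSecurityContext ctx = ClientSecurityContext.getCurrent();
        Subject s = ctx.getSubject();
        if (s == null) {
            // pass the handler and do the login
            // TODO V3: Use LoginContextDriver? -> LoginContextDriver.doClientLogin(AppContainer.CERTIFICATE,
            // AppContainer.getCallbackHandler());
            doClientLogin(SecurityConstants.CERTIFICATE, Util.getInstance().getCallbackHandler());
            s = ctx.getSubject();
            // NOTE(review): assumes doClientLogin leaves a subject in the context; if it does not,
            // the loop below dereferences null — confirm against doClientLogin.
        }
        // The first certificate credential wins; the private-credential set has no defined order.
        for (Object o : s.getPrivateCredentials()) {
            if (o instanceof X509CertificateCredential) {
                clientAlias = ((X509CertificateCredential) o).getAlias();
                break;
            }
        }
    }
    LOGGER.log(FINE, "Choose client Alias :{0}", clientAlias);
    return clientAlias;
}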

Example 3 with X509CertificateCredential

use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.

the class ClientCertificateLoginModule method commit.

/**
 * <p>
 * Called when the LoginContext's overall authentication succeeded (the relevant
 * REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).
 *
 * <p>
 * If this module's own authentication attempt succeeded (as recorded by the private
 * state saved in <code>login</code>), a <code>PrincipalImpl</code> for the chosen alias
 * is added to the <code>Subject</code>, the alias is installed as the app client's SSL
 * certificate nickname, and an <code>X509CertificateCredential</code> holding the
 * authenticated certificate is added to the subject's private credentials. If this
 * module's own authentication attempt failed, nothing is committed.
 *
 * <p>
 *
 * @exception LoginException if the commit fails.
 *
 * @return true if this LoginModule's own login and commit attempts succeeded, or false otherwise.
 */
@Override
public boolean commit() throws LoginException {
    if (!succeeded) {
        return false;
    }
    // Add a Principal (authenticated identity) to the Subject
    // Assume the user we authenticated is the PrincipalImpl
    userPrincipal = new PrincipalImpl(alias);
    if (!subject.getPrincipals().contains(userPrincipal)) {
        subject.getPrincipals().add(userPrincipal);
    }
    if (debug && _logger.isLoggable(FINE)) {
        _logger.log(FINE, "\t\t[ClientCertificateLoginModule] " + "added PrincipalImpl to Subject");
    }
    // Make the authenticated certificate the app client's SSL identity.
    ssl = new AppClientSSL();
    ssl.setCertNickname(this.alias);
    sslUtils.setAppclientSsl(ssl);
    // Single-element chain: only the end-entity certificate is carried in the credential.
    X509CertificateCredential pc =
            new X509CertificateCredential(new X509Certificate[] { certificate }, alias, CERT_REALMNAME);
    if (!subject.getPrivateCredentials().contains(pc)) {
        subject.getPrivateCredentials().add(pc);
    }
    commitSucceeded = true;
    return true;
}

Example 4 with X509CertificateCredential

use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.

the class LoginContextDriver method postClientAuth.

/**
 * Extract the relevant username and realm information from the subject and sets the correct state
 * in the security context. The relevant information is set into the Thread Local Storage. The IIOP
 * code (for remote EJB) knows where to find this, and uses that data to sent it over the wire
 * to the remote server where the actual authentication takes place.
 * <p>
 * The first {@link PasswordCredential} or {@link X509CertificateCredential} found among the
 * subject's private credentials of type {@code clazz} is used; if none is found the client
 * security context is left untouched.
 *
 * @param subject the subject returned by the JAAS login.
 * @param clazz the class of the credential object stored in the subject
 */
private static void postClientAuth(Subject subject, Class<?> clazz) {
    if (LOGGER.isLoggable(FINEST)) {
        LOGGER.log(FINEST, "LoginContextDriver post login subject :{0}", subject);
    }
    // The credential set and each element are fetched under privileged(), presumably
    // because Subject guards private credentials with PrivateCredentialPermission.
    Iterator<?> it = privileged(() -> subject.getPrivateCredentials(clazz)).iterator();
    while (it.hasNext()) {
        Object cred = null;
        try {
            cred = privileged(() -> it.next());
        } catch (Exception e) {
            // Should never come here; a failed fetch leaves cred null and the loop moves on.
            LOGGER.log(SEVERE, securityAccessControllerActionError, e);
        }
        if (cred instanceof PasswordCredential) {
            PasswordCredential pwd = (PasswordCredential) cred;
            String user = pwd.getUser();
            if (LOGGER.isLoggable(FINEST)) {
                LOGGER.log(FINEST, "In LoginContextDriver user-pass login:{0} realm :{1}", new Object[] { user, pwd.getRealm() });
            }
            setClientSecurityContext(user, subject);
            return;
        }
        if (cred instanceof X509CertificateCredential) {
            X509CertificateCredential cert = (X509CertificateCredential) cred;
            String user = cert.getAlias();
            if (LOGGER.isLoggable(FINEST)) {
                LOGGER.log(FINEST, "In LoginContextDriver cert-login::{0} realm :{1}", new Object[] { user, cert.getRealm() });
            }
            setClientSecurityContext(user, subject);
            return;
        }
    }
}

Example 5 with X509CertificateCredential

use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.

the class J2EEKeyManager method postClientAuth.

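/**
 * Extract the relevant username and realm information from the subject and sets the correct state in the security
 * context. The relevant information is set into the Thread Local Storage from which then is extracted to send over the
 * wire.
 * <p>
 * The first {@link PasswordCredential} or {@link X509CertificateCredential} found among the subject's private
 * credentials of type {@code clazz} is used; if none is found the client security context is left untouched.
 *
 * @param subject the subject returned by the JAAS login.
 * @param clazz the class of the credential object stored in the subject
 */
private static void postClientAuth(Subject subject, Class<?> clazz) {
    final Class<?> clas = clazz;
    final Subject fs = subject;
    // The credential set and each element are read under doPrivileged, presumably because
    // Subject guards private credentials with PrivateCredentialPermission.
    Set<?> credset = (Set<?>) AppservAccessController.doPrivileged(new PrivilegedAction<Set<?>>() {

        @Override
        public Set<?> run() {
            if (LOGGER.isLoggable(Level.FINEST)) {
                LOGGER.log(Level.FINEST, "LCD post login subject :{0}", fs);
            }
            return fs.getPrivateCredentials(clas);
        }
    });
    final Iterator<?> iter = credset.iterator();
    while (iter.hasNext()) {
        Object obj = null;
        try {
            obj = AppservAccessController.doPrivileged(new PrivilegedAction<Object>() {

                @Override
                public Object run() {
                    return iter.next();
                }
            });
        } catch (Exception e) {
            // should never come here; a failed fetch leaves obj null and the loop moves on
            LOGGER.log(Level.SEVERE, SecurityLoggerInfo.securityAccessControllerActionError, e);
        }
        if (obj instanceof PasswordCredential) {
            PasswordCredential p = (PasswordCredential) obj;
            String user = p.getUser();
            if (LOGGER.isLoggable(Level.FINEST)) {
                String realm = p.getRealm();
                LOGGER.log(Level.FINEST, "In LCD user-pass login:{0} realm :{1}", new Object[] { user, realm });
            }
            setClientSecurityContext(user, fs);
            return;
        } else if (obj instanceof X509CertificateCredential) {
            X509CertificateCredential p = (X509CertificateCredential) obj;
            String user = p.getAlias();
            if (Level.FINEST != null && LOGGER.isLoggable(Level.FINEST)) {
                String realm = p.getRealm();
                LOGGER.log(Level.FINEST, "In LCD cert-login::{0} realm :{1}", new Object[] { user, realm });
            }
            setClientSecurityContext(user, fs);
            return;
        }
    }
}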
