Example 1 with X509CertificateCredential
use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.
the class LoginContextDriver method doCertificateLogin.
/**
* A special case login for handling X509CertificateCredential.
* This does not get triggered based on current RI code. See X500Login.
*/
private static void doCertificateLogin(Subject s) throws LoginException {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Processing X509 certificate login.");
}
String realm = CertificateRealm.AUTH_TYPE;
String user = null;
try {
Object obj = getPublicCredentials(s, X509CertificateCredential.class);
X509CertificateCredential xp = (X509CertificateCredential) obj;
user = xp.getAlias();
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "Set security context as user: " + user);
}
setSecurityContext(user, s, realm);
if (getAuditManager().isAuditOn()) {
getAuditManager().authentication(user, realm, true);
}
} catch (LoginException le) {
if (getAuditManager().isAuditOn()) {
getAuditManager().authentication(user, realm, false);
}
throw le;
}
}
Also used :
X509CertificateCredential(com.sun.enterprise.security.auth.login.common.X509CertificateCredential)
LoginException(com.sun.enterprise.security.auth.login.common.LoginException)
Example 2 with X509CertificateCredential
use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.
the class J2EEKeyManager method chooseClientAlias.
/**
* Choose the client alias that will be used to select the client certificate for SSL client auth.
*
* @param the keytype
* @param the certificate issuers.
* @param the socket used for this connection. This parameter can be null, in which case the method will return the most
* generic alias to use.
* @return the alias.
*/
@Override
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
String clientAlias = null;
if (this.alias == null) {
// if (im == null) {
if (Util.getInstance().isNotServerOrACC()) {
// standalone client
clientAlias = x509KeyManager.chooseClientAlias(keyType, issuers, socket);
} else {
if (Util.getInstance().isACC()) {
ClientSecurityContext ctx = ClientSecurityContext.getCurrent();
Subject s = ctx.getSubject();
if (s == null) {
// pass the handler and do the login
// TODO V3: Use LoginContextDriver? -> LoginContextDriver.doClientLogin(AppContainer.CERTIFICATE,
// AppContainer.getCallbackHandler());
doClientLogin(SecurityConstants.CERTIFICATE, Util.getInstance().getCallbackHandler());
s = ctx.getSubject();
}
Iterator itr = s.getPrivateCredentials().iterator();
while (itr.hasNext()) {
Object o = itr.next();
if (o instanceof X509CertificateCredential) {
X509CertificateCredential crt = (X509CertificateCredential) o;
clientAlias = crt.getAlias();
break;
}
}
}
}
} else {
clientAlias = this.alias;
}
LOGGER.log(FINE, "Choose client Alias :{0}", clientAlias);
return clientAlias;
}
Also used :
X509CertificateCredential(com.sun.enterprise.security.auth.login.common.X509CertificateCredential)
ClientSecurityContext(com.sun.enterprise.security.common.ClientSecurityContext)
Iterator(java.util.Iterator)
Subject(javax.security.auth.Subject)
Example 3 with X509CertificateCredential
use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.
the class ClientCertificateLoginModule method commit.
/**
* <p>
* This method is called if the LoginContext's overall authentication succeeded (the relevant
* REQUIRED, REQUISITE, SUFFICIENT and OPTIONAL LoginModules succeeded).
*
* <p>
* If this LoginModule's own authentication attempt succeeded (checked by retrieving the private
* state saved by the <code>login</code> method), then this method associates a
* <code>PrincipalImpl</code> with the <code>Subject</code> located in the <code>LoginModule</code>.
* If this LoginModule's own authentication attempted failed, then this method removes any state
* that was originally saved.
*
* <p>
*
* @exception LoginException if the commit fails.
*
* @return true if this LoginModule's own login and commit attempts succeeded, or false otherwise.
*/
@Override
public boolean commit() throws LoginException {
if (succeeded == false) {
return false;
}
// Add a Principal (authenticated identity) to the Subject
// Assume the user we authenticated is the PrincipalImpl
userPrincipal = new PrincipalImpl(alias);
if (!subject.getPrincipals().contains(userPrincipal)) {
subject.getPrincipals().add(userPrincipal);
}
if (debug) {
if (_logger.isLoggable(FINE)) {
_logger.log(FINE, "\t\t[ClientCertificateLoginModule] " + "added PrincipalImpl to Subject");
}
}
ssl = new AppClientSSL();
ssl.setCertNickname(this.alias);
sslUtils.setAppclientSsl(ssl);
X509Certificate[] certChain = new X509Certificate[1];
certChain[0] = certificate;
X509CertificateCredential pc = new X509CertificateCredential(certChain, alias, CERT_REALMNAME);
if (!subject.getPrivateCredentials().contains(pc)) {
subject.getPrivateCredentials().add(pc);
}
commitSucceeded = true;
return true;
}
Also used :
X509CertificateCredential(com.sun.enterprise.security.auth.login.common.X509CertificateCredential)
PrincipalImpl(org.glassfish.security.common.PrincipalImpl)
AppClientSSL(com.sun.enterprise.security.integration.AppClientSSL)
X509Certificate(java.security.cert.X509Certificate)
Example 4 with X509CertificateCredential
use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.
the class LoginContextDriver method postClientAuth.
/**
* Extract the relevant username and realm information from the subject and sets the correct state
* in the security context. The relevant information is set into the Thread Local Storage. The IIOP
* code (for remote EJB) knows where to find this, and uses that data to sent it over the wire
* to the remote server where the actual authentication takes place.
*
* @param Subject the subject returned by the JAAS login.
* @param Class the class of the credential object stored in the subject
*/
private static void postClientAuth(Subject subject, Class<?> clazz) {
if (LOGGER.isLoggable(FINEST)) {
LOGGER.log(FINEST, "LoginContextDriver post login subject :{0}", subject);
}
Iterator<?> credentialsIterator = privileged(() -> subject.getPrivateCredentials(clazz)).iterator();
while (credentialsIterator.hasNext()) {
Object credential = null;
try {
credential = privileged(() -> credentialsIterator.next());
} catch (Exception e) {
// Should never come here
LOGGER.log(SEVERE, securityAccessControllerActionError, e);
}
if (credential instanceof PasswordCredential) {
PasswordCredential passwordCredential = (PasswordCredential) credential;
String user = passwordCredential.getUser();
if (LOGGER.isLoggable(FINEST)) {
LOGGER.log(FINEST, "In LoginContextDriver user-pass login:{0} realm :{1}", new Object[] { user, passwordCredential.getRealm() });
}
setClientSecurityContext(user, subject);
return;
} else if (credential instanceof X509CertificateCredential) {
X509CertificateCredential certificateCredential = (X509CertificateCredential) credential;
String user = certificateCredential.getAlias();
if (LOGGER.isLoggable(FINEST)) {
LOGGER.log(FINEST, "In LoginContextDriver cert-login::{0} realm :{1}", new Object[] { user, certificateCredential.getRealm() });
}
setClientSecurityContext(user, subject);
return;
}
}
}
Also used :
X509CertificateCredential(com.sun.enterprise.security.auth.login.common.X509CertificateCredential)
PasswordCredential(com.sun.enterprise.security.auth.login.common.PasswordCredential)
LoginException(com.sun.enterprise.security.auth.login.common.LoginException)
NoSuchRealmException(com.sun.enterprise.security.auth.realm.NoSuchRealmException)
Example 5 with X509CertificateCredential
use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.
the class J2EEKeyManager method postClientAuth.
/**
* Extract the relevant username and realm information from the subject and sets the correct state in the security
* context. The relevant information is set into the Thread Local Storage from which then is extracted to send over the
* wire.
*
* @param Subject the subject returned by the JAAS login.
* @param Class the class of the credential object stored in the subject
*/
private static void postClientAuth(Subject subject, Class<?> clazz) {
final Class<?> clas = clazz;
final Subject fs = subject;
Set credset = (Set) AppservAccessController.doPrivileged(new PrivilegedAction<Set>() {
public Set run() {
if (LOGGER.isLoggable(Level.FINEST)) {
LOGGER.log(Level.FINEST, "LCD post login subject :{0}", fs);
}
return fs.getPrivateCredentials(clas);
}
});
final Iterator iter = credset.iterator();
while (iter.hasNext()) {
Object obj = null;
try {
obj = AppservAccessController.doPrivileged(new PrivilegedAction() {
public java.lang.Object run() {
return iter.next();
}
});
} catch (Exception e) {
// should never come here
LOGGER.log(Level.SEVERE, SecurityLoggerInfo.securityAccessControllerActionError, e);
}
if (obj instanceof PasswordCredential) {
PasswordCredential p = (PasswordCredential) obj;
String user = p.getUser();
if (LOGGER.isLoggable(Level.FINEST)) {
String realm = p.getRealm();
LOGGER.log(Level.FINEST, "In LCD user-pass login:{0} realm :{1}", new Object[] { user, realm });
}
setClientSecurityContext(user, fs);
return;
} else if (obj instanceof X509CertificateCredential) {
X509CertificateCredential p = (X509CertificateCredential) obj;
String user = p.getAlias();
if (LOGGER.isLoggable(Level.FINEST)) {
String realm = p.getRealm();
LOGGER.log(Level.FINEST, "In LCD cert-login::{0} realm :{1}", new Object[] { user, realm });
}
setClientSecurityContext(user, fs);
return;
}
}
}
Also used :
Set(java.util.Set)
PrivilegedAction(java.security.PrivilegedAction)
X509CertificateCredential(com.sun.enterprise.security.auth.login.common.X509CertificateCredential)
Iterator(java.util.Iterator)
PasswordCredential(com.sun.enterprise.security.auth.login.common.PasswordCredential)
Subject(javax.security.auth.Subject)
LoginException(com.sun.enterprise.security.auth.login.common.LoginException)
Aggregations
X509CertificateCredential (com.sun.enterprise.security.auth.login.common.X509CertificateCredential)7
LoginException (com.sun.enterprise.security.auth.login.common.LoginException)3
GSSUPName (com.sun.enterprise.common.iiop.security.GSSUPName)2
PasswordCredential (com.sun.enterprise.security.auth.login.common.PasswordCredential)2
X509Certificate (java.security.cert.X509Certificate)2
Iterator (java.util.Iterator)2
Subject (javax.security.auth.Subject)2
X500Principal (javax.security.auth.x500.X500Principal)2
Any (org.omg.CORBA.Any)2
IdentityToken (com.sun.corba.ee.org.omg.CSI.IdentityToken)1
AnonCredential (com.sun.enterprise.common.iiop.security.AnonCredential)1
DistinguishedPrincipalCredential (com.sun.enterprise.security.auth.login.DistinguishedPrincipalCredential)1
NoSuchRealmException (com.sun.enterprise.security.auth.realm.NoSuchRealmException)1
ClientSecurityContext (com.sun.enterprise.security.common.ClientSecurityContext)1
AppClientSSL (com.sun.enterprise.security.integration.AppClientSSL)1
ByteArrayInputStream (java.io.ByteArrayInputStream)1
PrivilegedAction (java.security.PrivilegedAction)1
Set (java.util.Set)1
PrincipalImpl (org.glassfish.security.common.PrincipalImpl)1
