
Example 6 with X509CertificateCredential

use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.

The class Counter, method createIdCred — decodes an identity token (selected by its ITT* discriminator) into a credential stored on the JAAS subject of the security context.

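/**
 * Create an identity from an Identity Token and store it as a public credential in the JAAS
 * subject held by the security context.
 *
 * <p>This method only decodes the token and records its type in {@code securityContext.identcls}
 * (the class of the credential added to the subject, or {@code null} for an absent token). It
 * performs no signature, certificate-path or trust validation of the asserted identity: an
 * {@code ITTX509CertChain} token is parsed into certificate objects but never verified, and a
 * {@code ITTDistinguishedName} or {@code ITTPrincipalName} token is taken at face value. Whether
 * the caller is permitted to assert an identity at all has to be decided by the surrounding
 * request processing (NOTE(review): confirm that trust check exists before this is reached).
 *
 * @param securityContext the context whose subject receives the credential and whose
 *        {@code identcls} field is set
 * @param identityToken   the identity token whose discriminator selects the token type
 * @throws SecurityException if the token type is unknown, the exported name does not carry the
 *         GSSUP mechanism OID, or the certificate-chain token holds no certificate
 * @throws Exception on CDR, DER or certificate decoding failures
 */
private void createIdCred(SecurityContext securityContext, IdentityToken identityToken) throws Exception {
    // used to hold DER encodings
    byte[] derEncoding;
    // Any object returned from codec.decode_value()
    Any any;
    switch (identityToken.discriminator()) {
        case ITTAbsent.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is Absent");
            }
            // No identity asserted: nothing is added to the subject.
            securityContext.identcls = null;
            break;
        case ITTAnonymous.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is Anonymous");
                logger.log(FINE, "Adding AnonyCredential to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(new AnonCredential());
            securityContext.identcls = AnonCredential.class;
            break;
        case ITTDistinguishedName.value:
            // Construct a X500Name
            derEncoding = identityToken.dn();
            // Issue 5766: Decode CDR encoding if necessary
            if (isCDR(derEncoding)) {
                any = codec.decode_value(derEncoding, X501DistinguishedNameHelper.type());
                // Extract the DER encoding carried inside the CDR wrapper
                derEncoding = X501DistinguishedNameHelper.extract(any);
            }
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Create an X500Name object from identity token");
            }
            // Throws IOException on a malformed DER Name; the DN is not checked against anything.
            X500Name xname = new X500Name(derEncoding);
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity to be asserted is " + xname.toString());
                logger.log(FINE, "Adding X500Name to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(xname);
            securityContext.identcls = X500Name.class;
            break;
        case ITTX509CertChain.value:
            // Construct a X509CertificateChain
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is a X509 Certificate Chain");
            }
            derEncoding = identityToken.certificate_chain();
            // Issue 5766: Decode CDR encoding if necessary
            if (isCDR(derEncoding)) {
                // Decode CDR encoding
                any = codec.decode_value(derEncoding, X509CertificateChainHelper.type());
                // Extract DER encoding
                derEncoding = X509CertificateChainHelper.extract(any);
            }
            DerInputStream din = new DerInputStream(derEncoding);
            /*
             * Size specified for getSequence() is 1 and is just used as a guess by the method getSequence().
             */
            DerValue[] derval = din.getSequence(1);
            // An empty SEQUENCE would otherwise reach certchain[0] below and fail with an
            // ArrayIndexOutOfBoundsException; reject it explicitly instead of asserting nothing.
            if (derval.length == 0) {
                throw new SecurityException("Empty X.509 certificate chain in identity token");
            }
            X509Certificate[] certchain = new X509CertImpl[derval.length];
            /*
             * X509Certificate does not have a constructor which can be used to instantiate objects from DER
             * encodings. So use X509CertImpl extends X509Cerificate and also implements DerEncoder interface.
             */
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Contents of X509 Certificate chain:");
            }
            for (int i = 0; i < certchain.length; i++) {
                // Parses only; no signature or path validation happens here.
                certchain[i] = new X509CertImpl(derval[i]);
                if (logger.isLoggable(FINE)) {
                    logger.log(FINE, "    " + certchain[i].getSubjectDN().getName());
                }
            }
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Creating a X509CertificateCredential object from certchain");
            }
            /*
             * The credential is built from the parsed chain, the subject DN of the first (leaf)
             * certificate and the literal "default". NOTE(review): the earlier comment here said the
             * alias is ignored by the RI and set to "dummy", which no longer matches the code; confirm
             * which argument X509CertificateCredential treats as alias and which as realm.
             */
            X509CertificateCredential cred = new X509CertificateCredential(certchain, certchain[0].getSubjectDN().getName(), "default");
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Adding X509CertificateCredential to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(cred);
            securityContext.identcls = X509CertificateCredential.class;
            break;
        case ITTPrincipalName.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is GSS Exported Name");
            }
            byte[] expname = identityToken.principal_name();
            // Issue 5766: Decode CDR encoding if necessary
            if (isCDR(expname)) {
                // Decode CDR encoding
                any = codec.decode_value(expname, GSS_NT_ExportedNameHelper.type());
                expname = GSS_NT_ExportedNameHelper.extract(any);
            }
            // Only the GSSUP mechanism is accepted as an exported-name identity.
            if (!verifyMechOID(GSSUP_MECH_OID, expname)) {
                throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
            }
            GSSUPName gssname = new GSSUPName(expname);
            securityContext.subject.getPublicCredentials().add(gssname);
            securityContext.identcls = GSSUPName.class;
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Adding GSSUPName credential to subject");
            }
            break;
        default:
            logger.log(SEVERE, "iiop.unknown_identity");
            throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
    }
}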
Also used : X500Name(sun.security.x509.X500Name) Any(org.omg.CORBA.Any) X509Certificate(java.security.cert.X509Certificate) GSSUPName(com.sun.enterprise.common.iiop.security.GSSUPName) X509CertificateCredential(com.sun.enterprise.security.auth.login.common.X509CertificateCredential) DerValue(sun.security.util.DerValue) X509CertImpl(sun.security.x509.X509CertImpl) DerInputStream(sun.security.util.DerInputStream) AnonCredential(com.sun.enterprise.common.iiop.security.AnonCredential)

Example 7 with X509CertificateCredential

use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.

The class J2EEKeyManager, method postClientAuth — copies the user name (or certificate alias) from the first matching private credential of the login Subject into the client security context.

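/**
 * Extract the relevant username and realm information from the
 * subject and set the corresponding state in the client security context. The
 * relevant information is set into the Thread Local Storage from
 * which it is then extracted to send over the wire.
 *
 * <p>Only the first matching credential is used: the subject's private credentials of type
 * {@code clazz} are iterated and the first {@code PasswordCredential} (its user name) or
 * {@code X509CertificateCredential} (its alias) found is handed to
 * {@code setClientSecurityContext}; credentials of any other type are skipped. If none matches,
 * the client security context is left untouched.
 *
 * @param subject the subject returned by the JAAS login
 * @param clazz   the class of the credential object stored in the subject
 */
private static void postClientAuth(Subject subject, Class<?> clazz) {
    final Class<?> clas = clazz;
    final Subject fs = subject;
    Set<?> credset = (Set<?>) AppservAccessController.doPrivileged(new PrivilegedAction<Set<?>>() {

        @Override
        public Set<?> run() {
            if (_logger.isLoggable(Level.FINEST)) {
                // Subject.toString() renders private credentials as well, so this line can put
                // secret material into the log at FINEST. NOTE(review): confirm
                // PasswordCredential.toString() redacts the password before relying on this.
                _logger.log(Level.FINEST, "LCD post login subject :{0}", fs);
            }
            // Reading private credentials needs the privileged scope.
            return fs.getPrivateCredentials(clas);
        }
    });
    final Iterator<?> iter = credset.iterator();
    while (iter.hasNext()) {
        Object obj = null;
        try {
            obj = AppservAccessController.doPrivileged(new PrivilegedAction<Object>() {

                @Override
                public Object run() {
                    return iter.next();
                }
            });
        } catch (Exception e) {
            // should never come here; obj stays null and neither branch below matches
            _logger.log(Level.SEVERE, SecurityLoggerInfo.securityAccessControllerActionError, e);
        }
        if (obj instanceof PasswordCredential) {
            PasswordCredential p = (PasswordCredential) obj;
            String user = p.getUser();
            if (_logger.isLoggable(Level.FINEST)) {
                // Only user and realm are logged here, never the password.
                String realm = p.getRealm();
                _logger.log(Level.FINEST, "In LCD user-pass login:{0} realm :{1}", new Object[] { user, realm });
            }
            setClientSecurityContext(user, fs);
            return;
        } else if (obj instanceof X509CertificateCredential) {
            X509CertificateCredential p = (X509CertificateCredential) obj;
            // For certificate login the keystore alias stands in for the user name.
            String user = p.getAlias();
            if (_logger.isLoggable(Level.FINEST)) {
                String realm = p.getRealm();
                _logger.log(Level.FINEST, "In LCD cert-login::{0} realm :{1}", new Object[] { user, realm });
            }
            setClientSecurityContext(user, fs);
            return;
        }
    }
}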
Also used : Set(java.util.Set) PrivilegedAction(java.security.PrivilegedAction) X509CertificateCredential(com.sun.enterprise.security.auth.login.common.X509CertificateCredential) Iterator(java.util.Iterator) PasswordCredential(com.sun.enterprise.security.auth.login.common.PasswordCredential) Subject(javax.security.auth.Subject) LoginException(com.sun.enterprise.security.auth.login.common.LoginException)

Aggregations

X509CertificateCredential (com.sun.enterprise.security.auth.login.common.X509CertificateCredential)7 LoginException (com.sun.enterprise.security.auth.login.common.LoginException)3 Iterator (java.util.Iterator)3 Subject (javax.security.auth.Subject)3 GSSUPName (com.sun.enterprise.common.iiop.security.GSSUPName)2 PasswordCredential (com.sun.enterprise.security.auth.login.common.PasswordCredential)2 PrivilegedAction (java.security.PrivilegedAction)2 X509Certificate (java.security.cert.X509Certificate)2 Set (java.util.Set)2 DerValue (sun.security.util.DerValue)2 X500Name (sun.security.x509.X500Name)2 AnonCredential (com.sun.enterprise.common.iiop.security.AnonCredential)1 InvalidOperationException (com.sun.enterprise.security.auth.realm.InvalidOperationException)1 NoSuchRealmException (com.sun.enterprise.security.auth.realm.NoSuchRealmException)1 NoSuchUserException (com.sun.enterprise.security.auth.realm.NoSuchUserException)1 ClientSecurityContext (com.sun.enterprise.security.common.ClientSecurityContext)1 AppClientSSL (com.sun.enterprise.security.integration.AppClientSSL)1 PrincipalImpl (org.glassfish.security.common.PrincipalImpl)1 Any (org.omg.CORBA.Any)1 DerInputStream (sun.security.util.DerInputStream)1