Example 6 with X509CertificateCredential
use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.
the class Counter method createIdCred.
/**
* Create an identity from an Identity Token and stores it as a public credential in the JAAS
* subject in a security context.
*
* Set the identcls field in the security context.
*/
private void createIdCred(SecurityContext securityContext, IdentityToken identityToken) throws Exception {
// used to hold DER encodings
byte[] derEncoding;
// Any object returned from codec.decode_value()
Any any;
switch(identityToken.discriminator()) {
case ITTAbsent.value:
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Identity token type is Absent");
}
securityContext.identcls = null;
break;
case ITTAnonymous.value:
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Identity token type is Anonymous");
logger.log(FINE, "Adding AnonyCredential to subject's PublicCredentials");
}
securityContext.subject.getPublicCredentials().add(new AnonCredential());
securityContext.identcls = AnonCredential.class;
break;
case ITTDistinguishedName.value:
// Construct a X500Name
derEncoding = identityToken.dn();
// Issue 5766: Decode CDR encoding if necessary
if (isCDR(derEncoding)) {
any = codec.decode_value(derEncoding, X501DistinguishedNameHelper.type());
// Extract CDR encoding
derEncoding = X501DistinguishedNameHelper.extract(any);
}
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Create an X500Name object from identity token");
}
X500Name xname = new X500Name(derEncoding);
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Identity to be asserted is " + xname.toString());
logger.log(FINE, "Adding X500Name to subject's PublicCredentials");
}
securityContext.subject.getPublicCredentials().add(xname);
securityContext.identcls = X500Name.class;
break;
case ITTX509CertChain.value:
// Construct a X509CertificateChain
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Identity token type is a X509 Certificate Chain");
}
derEncoding = identityToken.certificate_chain();
// Issue 5766: Decode CDR encoding if necessary
if (isCDR(derEncoding)) {
// Decode CDR encoding
any = codec.decode_value(derEncoding, X509CertificateChainHelper.type());
// Extract DER encoding
derEncoding = X509CertificateChainHelper.extract(any);
}
DerInputStream din = new DerInputStream(derEncoding);
/**
* Size specified for getSequence() is 1 and is just used as a guess by the method getSequence().
*/
DerValue[] derval = din.getSequence(1);
X509Certificate[] certchain = new X509CertImpl[derval.length];
/**
* X509Certificate does not have a constructor which can be used to instantiate objects from DER
* encodings. So use X509CertImpl extends X509Cerificate and also implements DerEncoder interface.
*/
if (logger.isLoggable(Level.FINE)) {
logger.log(Level.FINE, "Contents of X509 Certificate chain:");
}
for (int i = 0; i < certchain.length; i++) {
certchain[i] = new X509CertImpl(derval[i]);
if (logger.isLoggable(FINE)) {
logger.log(FINE, " " + certchain[i].getSubjectDN().getName());
}
}
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Creating a X509CertificateCredential object from certchain");
}
/**
* The alias field in the X509CertificateCredential is currently ignored by the RI. So it is set to
* "dummy".
*/
X509CertificateCredential cred = new X509CertificateCredential(certchain, certchain[0].getSubjectDN().getName(), "default");
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Adding X509CertificateCredential to subject's PublicCredentials");
}
securityContext.subject.getPublicCredentials().add(cred);
securityContext.identcls = X509CertificateCredential.class;
break;
case ITTPrincipalName.value:
if (logger.isLoggable(FINE)) {
logger.log(FINE, "Identity token type is GSS Exported Name");
}
byte[] expname = identityToken.principal_name();
// Issue 5766: Decode CDR encoding if necessary
if (isCDR(expname)) {
// Decode CDR encoding
any = codec.decode_value(expname, GSS_NT_ExportedNameHelper.type());
expname = GSS_NT_ExportedNameHelper.extract(any);
}
if (!verifyMechOID(GSSUP_MECH_OID, expname)) {
throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
}
GSSUPName gssname = new GSSUPName(expname);
securityContext.subject.getPublicCredentials().add(gssname);
securityContext.identcls = GSSUPName.class;
logger.log(FINE, "Adding GSSUPName credential to subject");
break;
default:
logger.log(SEVERE, "iiop.unknown_identity");
throw new SecurityException(localStrings.getLocalString("secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
}
}
Also used :
X500Name(sun.security.x509.X500Name)
Any(org.omg.CORBA.Any)
X509Certificate(java.security.cert.X509Certificate)
GSSUPName(com.sun.enterprise.common.iiop.security.GSSUPName)
X509CertificateCredential(com.sun.enterprise.security.auth.login.common.X509CertificateCredential)
DerValue(sun.security.util.DerValue)
X509CertImpl(sun.security.x509.X509CertImpl)
DerInputStream(sun.security.util.DerInputStream)
AnonCredential(com.sun.enterprise.common.iiop.security.AnonCredential)
Example 7 with X509CertificateCredential
use of com.sun.enterprise.security.auth.login.common.X509CertificateCredential in project Payara by payara.
the class J2EEKeyManager method postClientAuth.
/**
* Extract the relevant username and realm information from the
* subject and sets the correct state in the security context. The
* relevant information is set into the Thread Local Storage from
* which then is extracted to send over the wire.
*
* @param Subject the subject returned by the JAAS login.
* @param Class the class of the credential object stored in the subject
*/
private static void postClientAuth(Subject subject, Class<?> clazz) {
final Class<?> clas = clazz;
final Subject fs = subject;
Set credset = (Set) AppservAccessController.doPrivileged(new PrivilegedAction<Set>() {
public Set run() {
if (_logger.isLoggable(Level.FINEST)) {
_logger.log(Level.FINEST, "LCD post login subject :{0}", fs);
}
return fs.getPrivateCredentials(clas);
}
});
final Iterator iter = credset.iterator();
while (iter.hasNext()) {
Object obj = null;
try {
obj = AppservAccessController.doPrivileged(new PrivilegedAction() {
public java.lang.Object run() {
return iter.next();
}
});
} catch (Exception e) {
// should never come here
_logger.log(Level.SEVERE, SecurityLoggerInfo.securityAccessControllerActionError, e);
}
if (obj instanceof PasswordCredential) {
PasswordCredential p = (PasswordCredential) obj;
String user = p.getUser();
if (_logger.isLoggable(Level.FINEST)) {
String realm = p.getRealm();
_logger.log(Level.FINEST, "In LCD user-pass login:{0} realm :{1}", new Object[] { user, realm });
}
setClientSecurityContext(user, fs);
return;
} else if (obj instanceof X509CertificateCredential) {
X509CertificateCredential p = (X509CertificateCredential) obj;
String user = p.getAlias();
if (_logger.isLoggable(Level.FINEST)) {
String realm = p.getRealm();
_logger.log(Level.FINEST, "In LCD cert-login::{0} realm :{1}", new Object[] { user, realm });
}
setClientSecurityContext(user, fs);
return;
}
}
}
Also used :
Set(java.util.Set)
PrivilegedAction(java.security.PrivilegedAction)
X509CertificateCredential(com.sun.enterprise.security.auth.login.common.X509CertificateCredential)
Iterator(java.util.Iterator)
PasswordCredential(com.sun.enterprise.security.auth.login.common.PasswordCredential)
Subject(javax.security.auth.Subject)
LoginException(com.sun.enterprise.security.auth.login.common.LoginException)
Aggregations
X509CertificateCredential (com.sun.enterprise.security.auth.login.common.X509CertificateCredential)7
LoginException (com.sun.enterprise.security.auth.login.common.LoginException)3
Iterator (java.util.Iterator)3
Subject (javax.security.auth.Subject)3
GSSUPName (com.sun.enterprise.common.iiop.security.GSSUPName)2
PasswordCredential (com.sun.enterprise.security.auth.login.common.PasswordCredential)2
PrivilegedAction (java.security.PrivilegedAction)2
X509Certificate (java.security.cert.X509Certificate)2
Set (java.util.Set)2
DerValue (sun.security.util.DerValue)2
X500Name (sun.security.x509.X500Name)2
AnonCredential (com.sun.enterprise.common.iiop.security.AnonCredential)1
InvalidOperationException (com.sun.enterprise.security.auth.realm.InvalidOperationException)1
NoSuchRealmException (com.sun.enterprise.security.auth.realm.NoSuchRealmException)1
NoSuchUserException (com.sun.enterprise.security.auth.realm.NoSuchUserException)1
ClientSecurityContext (com.sun.enterprise.security.common.ClientSecurityContext)1
AppClientSSL (com.sun.enterprise.security.integration.AppClientSSL)1
PrincipalImpl (org.glassfish.security.common.PrincipalImpl)1
Any (org.omg.CORBA.Any)1
DerInputStream (sun.security.util.DerInputStream)1
