
Example 1 with ServerAuthContext

use of com.sun.enterprise.security.jauth.ServerAuthContext in project Payara by payara.

the class ServletSystemHandlerDelegate method processRequest.

/**
 * The processRequest method is invoked with an object that implements
 * com.sun.xml.rpc.spi.runtime.SOAPMessageContext.
 * <p>
 * When this method is called by the JAXRPCServletDelegate (on the server side of jaxrpc servlet
 * container invocation processing) it must be called just before the call to
 * implementor.getTie().handle(), and at that time the request message and the following
 * properties must have been set on the SOAPMessageContext.
 * <p>
 * com.sun.xml.rpc.server.http.MessageContextProperties.IMPLEMENTOR <br>
 * This property must be set to the com.sun.xml.rpc.spi.runtime.Implementor object corresponding to
 * the target endpoint.
 * <p>
 * com.sun.xml.rpc.server.http.MessageContextProperties.HTTP_SERVLET_REQUEST <br>
 * This property must be set to the javax.servlet.http.HttpServletRequest object containing the
 * JAXRPC invocation.
 * <p>
 * com.sun.xml.rpc.server.http.MessageContextProperties.HTTP_SERVLET_RESPONSE <br>
 * This property must be set to the javax.servlet.http.HttpServletResponse object corresponding to
 * the JAXRPC invocation.
 * <p>
 * com.sun.xml.rpc.server.MessageContextProperties.HTTP_SERVLET_CONTEXT <br>
 * This property must be set to the javax.servlet.ServletContext object corresponding to the web
 * application in which the JAXRPC servlet is running.
 *
 * @param messageContext the SOAPMessageContext object containing the request message and the
 * properties described above.
 * @return true if processing by the delegate was such that the caller should continue with its
 * normal message processing. Returns false if the processing by the delegate resulted in the
 * messageContext containing a response message that should be returned without the caller proceeding
 * to its normal message processing.
 * @throws java.lang.RuntimeException when the processing by the delegate failed, without yielding a
 * response message. In this case, the expectation is that the caller will return an HTTP layer
 * response code reporting that an internal error occurred.
 */
@Override
public boolean processRequest(SOAPMessageContext messageContext) {
    if (_logger.isLoggable(Level.FINE)) {
        _logger.fine("ws.processRequest");
    }
    final SOAPMessageContext finalMC = messageContext;
    Implementor implementor = (Implementor) messageContext.getProperty(IMPLEMENTOR);
    final Tie tie = implementor.getTie();
    StreamingHandler handler = (StreamingHandler) implementor.getTie();
    SOAPMessage request = finalMC.getMessage();
    final ServerAuthContext sAC = config_.getAuthContext(handler, request);
    boolean status = true;
    try {
        if (sAC != null) {
            // fail closed: if validateRequest throws, the finally block
            // audits this invocation as failed
            status = false;
            // proceed to process message security
            status = WebServiceSecurity.validateRequest(finalMC, sAC);
            if (status) {
                messageContext.setProperty(SERVER_AUTH_CONTEXT, sAC);
            }
        }
    } catch (AuthException ae) {
        _logger.log(Level.SEVERE, LogUtils.ERROR_REQUEST_VALIDATION, ae);
        throw new RuntimeException(ae);
    } finally {
        WebServiceSecurity.auditInvocation(messageContext, endpoint_, status);
    }
    if (status) {
        if (System.getSecurityManager() != null) {
            // on this branch, the endpoint invocation and the
            // processing of the response will be initiated from
            // within the system handler delegate. delegate returns
            // false so that dispatcher will not invoke the endpoint.
            status = false;
            try {
                Subject.doAsPrivileged(SecurityContext.getCurrent().getSubject(), new PrivilegedExceptionAction() {

                    @Override
                    public Object run() throws Exception {
                        tie.handle(finalMC);
                        processResponse(finalMC);
                        return null;
                    }
                }, null);
            } catch (PrivilegedActionException pae) {
                Throwable cause = pae.getCause();
                if (cause instanceof AuthException) {
                    _logger.log(Level.SEVERE, LogUtils.ERROR_RESPONSE_SECURING, cause);
                }
                RuntimeException re = null;
                if (cause instanceof RuntimeException) {
                    re = (RuntimeException) cause;
                } else {
                    re = new RuntimeException(cause);
                }
                throw re;
            }
        }
    }
    return status;
}
Also used : Implementor(com.sun.xml.rpc.spi.runtime.Implementor) PrivilegedActionException(java.security.PrivilegedActionException) StreamingHandler(com.sun.xml.rpc.spi.runtime.StreamingHandler) AuthException(com.sun.enterprise.security.jauth.AuthException) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) SOAPMessage(javax.xml.soap.SOAPMessage) ServerAuthContext(com.sun.enterprise.security.jauth.ServerAuthContext) Tie(com.sun.xml.rpc.spi.runtime.Tie) SOAPMessageContext(com.sun.xml.rpc.spi.runtime.SOAPMessageContext)

Example 2 with ServerAuthContext

use of com.sun.enterprise.security.jauth.ServerAuthContext in project Payara by payara.

the class SecurityServiceImpl method validateRequest.

@Override
public boolean validateRequest(Object serverAuthConfig, StreamingHandler implementor, SOAPMessageContext context) {
    ServerAuthConfig authConfig = (ServerAuthConfig) serverAuthConfig;
    if (authConfig == null) {
        return true;
    }
    ServerAuthContext serverAuthContext = authConfig.getAuthContext(implementor, context.getMessage());
    req.set(new WeakReference<SOAPMessage>(context.getMessage()));
    if (serverAuthContext == null) {
        return true;
    }
    try {
        return WebServiceSecurity.validateRequest(context, serverAuthContext);
    } catch (AuthException ex) {
        _logger.log(SEVERE, EXCEPTION_THROWN, ex);
        if (req.get() != null) {
            req.get().clear();
            req.set(null);
        }
        throw new RuntimeException(ex);
    }
}
Also used : AuthException(com.sun.enterprise.security.jauth.AuthException) SOAPMessage(javax.xml.soap.SOAPMessage) ServerAuthConfig(com.sun.enterprise.security.jauth.jaspic.provider.ServerAuthConfig) ServerAuthContext(com.sun.enterprise.security.jauth.ServerAuthContext)

Example 3 with ServerAuthContext

use of com.sun.enterprise.security.jauth.ServerAuthContext in project Payara by payara.

the class ServerAuthConfig method getConfig.

public static ServerAuthConfig getConfig(String authLayer, MessageSecurityBindingDescriptor binding, CallbackHandler cbh) throws AuthException {
    ServerAuthConfig rvalue = null;
    String provider = null;
    List<MessageSecurityDescriptor> descriptors = null;
    ServerAuthContext defaultContext = null;
    if (binding != null) {
        String layer = binding.getAttributeValue(AUTH_LAYER);
        if (authLayer != null && layer.equals(authLayer)) {
            provider = binding.getAttributeValue(PROVIDER_ID);
            descriptors = binding.getMessageSecurityDescriptors();
        }
    }
    if (descriptors == null || descriptors.size() == 0) {
        defaultContext = getAuthContext(authLayer, provider, null, null, cbh);
        if (defaultContext != null) {
            rvalue = new ServerAuthConfig(defaultContext);
        }
    } else {
        boolean hasPolicy = false;
        ArrayList authContexts = new ArrayList();
        for (int i = 0; i < descriptors.size(); i++) {
            MessageSecurityDescriptor msd = (MessageSecurityDescriptor) descriptors.get(i);
            AuthPolicy requestPolicy = getAuthPolicy(msd.getRequestProtectionDescriptor());
            AuthPolicy responsePolicy = getAuthPolicy(msd.getResponseProtectionDescriptor());
            if (requestPolicy.authRequired() || responsePolicy.authRequired()) {
                authContexts.add(getAuthContext(authLayer, provider, requestPolicy, responsePolicy, cbh));
                hasPolicy = true;
            } else {
                authContexts.add(null);
            }
        }
        if (hasPolicy) {
            rvalue = new ServerAuthConfig(descriptors, authContexts);
        }
    }
    return rvalue;
}
Also used : AuthPolicy(com.sun.enterprise.security.jauth.AuthPolicy) ArrayList(java.util.ArrayList) MessageSecurityDescriptor(com.sun.enterprise.deployment.runtime.common.MessageSecurityDescriptor) ServerAuthContext(com.sun.enterprise.security.jauth.ServerAuthContext)

Example 4 with ServerAuthContext

use of com.sun.enterprise.security.jauth.ServerAuthContext in project Payara by payara.

the class SecurityServiceImpl method secureResponse.

@Override
public void secureResponse(Object serverAuthConfig, StreamingHandler implementor, SOAPMessageContext msgContext) {
    if (serverAuthConfig != null) {
        ServerAuthConfig config = (ServerAuthConfig) serverAuthConfig;
        SOAPMessage reqmsg = (req.get() != null) ? req.get().get() : msgContext.getMessage();
        try {
            ServerAuthContext serverAuthContext = config.getAuthContext(implementor, reqmsg);
            if (serverAuthContext != null) {
                try {
                    WebServiceSecurity.secureResponse(msgContext, serverAuthContext);
                } catch (AuthException ex) {
                    _logger.log(SEVERE, EXCEPTION_THROWN, ex);
                    throw new RuntimeException(ex);
                }
            }
        } finally {
            if (req.get() != null) {
                req.get().clear();
                req.set(null);
            }
        }
    }
}
Also used : AuthException(com.sun.enterprise.security.jauth.AuthException) SOAPMessage(javax.xml.soap.SOAPMessage) ServerAuthConfig(com.sun.enterprise.security.jauth.jaspic.provider.ServerAuthConfig) ServerAuthContext(com.sun.enterprise.security.jauth.ServerAuthContext)
