Example 1 with WebSecurityManager
use of com.sun.enterprise.security.web.integration.WebSecurityManager in project Payara by payara.
the class RealmAdapter method hasRole.
/**
* Check if the given principal has the provided role. Returns true if the principal has the specified role, false
* otherwise.
*
* @param principal the principal
* @param role the role
* @return true if the principal has the specified role.
* @param request Request we are processing
* @param response Response we are creating
*/
// START OF SJSAS 6232464
@Override
public boolean hasRole(HttpRequest request, HttpResponse response, Principal principal, String role) {
WebSecurityManager securityManager = getWebSecurityManager(true);
if (securityManager == null) {
return false;
}
// add HttpResponse and HttpResponse to the parameters, and remove
// instance variable currentRequest from this class. References to
// this.currentRequest are also removed from other methods.
// String servletName = getResourceName( currentRequest.getRequestURI(),
// currentRequest.getContextPath());
String servletName = getCanonicalName(request);
// END S1AS8PE 4966609
boolean isGranted = securityManager.hasRoleRefPermission(servletName, role, principal);
if (logger.isLoggable(FINE)) {
logger.fine("Checking if servlet " + servletName + " with principal " + principal + " has role " + role + " isGranted: " + isGranted);
}
return isGranted;
}
Also used :
WebSecurityManager(com.sun.enterprise.security.web.integration.WebSecurityManager)
Example 2 with WebSecurityManager
use of com.sun.enterprise.security.web.integration.WebSecurityManager in project Payara by payara.
the class RealmAdapter method hasUserDataPermission.
/**
* Checks if the given request URI and method are the target of any user-data-constraint with a transport-guarantee of
* CONFIDENTIAL, and whether any such constraint is already satisfied.
*
* If <tt>uri</tt> and <tt>method</tt> are null, then the URI and method of the given <tt>request</tt> are checked.
*
* If a user-data-constraint exists that is not satisfied, then the given <tt>request</tt> will be redirected to HTTPS.
*
* @param request the request that may be redirected
* @param response the response that may be redirected
* @param constraints the security constraints to check against
* @param uri the request URI (minus the context path) to check
* @param method the request method to check
*
* @return true if the request URI and method are not the target of any unsatisfied user-data-constraint with a
* transport-guarantee of CONFIDENTIAL, and false if they are (in which case the given request will have been redirected
* to HTTPS)
*/
@Override
public boolean hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, String uri, String method) throws IOException {
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
if (httpServletRequest.getServletPath() == null) {
request.setServletPath(getResourceName(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath()));
}
if (logger.isLoggable(FINE)) {
logger.fine("[Web-Security][ hasUserDataPermission ] Principal: " + httpServletRequest.getUserPrincipal() + " ContextPath: " + httpServletRequest.getContextPath());
}
if (request.getRequest().isSecure()) {
if (logger.isLoggable(FINE)) {
logger.fine("[Web-Security] request.getRequest().isSecure(): " + request.getRequest().isSecure());
}
return true;
}
WebSecurityManager securityManager = getWebSecurityManager(true);
if (securityManager == null) {
return false;
}
int isGranted = 0;
try {
isGranted = securityManager.hasUserDataPermission(httpServletRequest, uri, method);
} catch (IllegalArgumentException e) {
// End the request after getting IllegalArgumentException while checking user data permission
logger.log(WARNING, resourceBundle.getString("realmAdapter.badRequestWithId"), e);
((HttpServletResponse) response.getResponse()).sendError(SC_BAD_REQUEST, resourceBundle.getString("realmAdapter.badRequest"));
return false;
}
// so the grand will succeed.
if (isGranted == -1) {
if (logger.isLoggable(FINE)) {
logger.fine("[Web-Security] redirecting using SSL");
}
return redirect(request, response);
}
if (isGranted == 0) {
((HttpServletResponse) response.getResponse()).sendError(SC_FORBIDDEN, resourceBundle.getString("realmBase.forbidden"));
return false;
}
return true;
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
WebSecurityManager(com.sun.enterprise.security.web.integration.WebSecurityManager)
HttpServletResponse(javax.servlet.http.HttpServletResponse)
SecurityConstraint(org.apache.catalina.deploy.SecurityConstraint)
Example 3 with WebSecurityManager
use of com.sun.enterprise.security.web.integration.WebSecurityManager in project Payara by payara.
the class SecurityDeployer method loadPolicy.
/**
* Translate Web Bundle Policy
*
* @param webBD
* @param remove boolean indicated whether any existing policy statements are removed form context before translation
* @throws DeploymentException
*/
private void loadPolicy(WebBundleDescriptor webBD, boolean remove) throws DeploymentException {
try {
if (webBD != null) {
if (remove) {
String cid = SecurityUtil.getContextID(webBD);
WebSecurityManager wsm = wsmf.getManager(cid, null, true);
if (wsm != null) {
wsm.release();
}
}
wsmf.createManager(webBD, true, serverContext);
}
} catch (Exception se) {
String msg = "Error in generating security policy for " + webBD.getModuleDescriptor().getModuleName();
throw new DeploymentException(msg, se);
}
}
Also used :
WebSecurityManager(com.sun.enterprise.security.web.integration.WebSecurityManager)
DeploymentException(org.glassfish.deployment.common.DeploymentException)
IASSecurityException(com.sun.enterprise.security.util.IASSecurityException)
DeploymentException(org.glassfish.deployment.common.DeploymentException)
Example 4 with WebSecurityManager
use of com.sun.enterprise.security.web.integration.WebSecurityManager in project Payara by payara.
the class RealmAdapter method invokeWebSecurityManager.
/**
* Invokes WebSecurityManager to perform access control check. Return <code>true</code> if permission is granted, or
* <code>false</code> otherwise.
*
* @param request Request we are processing
* @param response Response we are creating
* @param constraints Security constraint we are enforcing
*
* @exception IOException if an input/output error occurs
*/
private boolean invokeWebSecurityManager(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints) throws IOException {
// Allow access to form login related pages and targets
// and the "j_security_check" action
boolean evaluated = false;
try {
rwLock.readLock().lock();
evaluated = contextEvaluated;
} finally {
rwLock.readLock().unlock();
}
if (!evaluated) {
try {
rwLock.writeLock().lock();
if (!contextEvaluated) {
// Get Context here as preAuthenticateCheck does not have it
// and our Container is always a Context
Context context = (Context) getContainer();
LoginConfig config = context.getLoginConfig();
if (config != null && FORM_METHOD.equals(config.getAuthMethod())) {
loginPage = config.getLoginPage();
errorPage = config.getErrorPage();
}
contextEvaluated = true;
}
} finally {
rwLock.writeLock().unlock();
}
}
if (loginPage != null || errorPage != null) {
String requestURI = request.getRequestPathMB().toString();
if (logger.isLoggable(FINE)) {
logger.fine("[Web-Security] requestURI: " + requestURI + " loginPage: " + loginPage);
}
if (loginPage != null && loginPage.equals(requestURI)) {
if (logger.isLoggable(FINE)) {
logger.fine(" Allow access to login page " + loginPage);
}
return true;
} else if (errorPage != null && errorPage.equals(requestURI)) {
if (logger.isLoggable(FINE)) {
logger.fine(" Allow access to error page " + errorPage);
}
return true;
} else if (requestURI.endsWith(FORM_ACTION)) {
if (logger.isLoggable(FINE)) {
logger.fine(" Allow access to username/password submission");
}
return true;
}
}
HttpServletRequest httpServletRequest = (HttpServletRequest) request;
if (httpServletRequest.getServletPath() == null) {
request.setServletPath(getResourceName(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath()));
}
if (logger.isLoggable(FINE)) {
logger.fine("[Web-Security] [ hasResourcePermission ] Principal: " + httpServletRequest.getUserPrincipal() + " ContextPath: " + httpServletRequest.getContextPath());
}
WebSecurityManager securityManager = getWebSecurityManager(true);
if (securityManager == null) {
return false;
}
return securityManager.hasResourcePermission(httpServletRequest);
}
Also used :
SecurityContext(com.sun.enterprise.security.SecurityContext)
ServletContext(javax.servlet.ServletContext)
ServerContext(org.glassfish.internal.api.ServerContext)
PolicyContext(javax.security.jacc.PolicyContext)
ServerAuthContext(javax.security.auth.message.config.ServerAuthContext)
Context(org.apache.catalina.Context)
HttpServletRequest(javax.servlet.http.HttpServletRequest)
WebSecurityManager(com.sun.enterprise.security.web.integration.WebSecurityManager)
LoginConfig(org.apache.catalina.deploy.LoginConfig)
Aggregations
WebSecurityManager (com.sun.enterprise.security.web.integration.WebSecurityManager)4
HttpServletRequest (javax.servlet.http.HttpServletRequest)2
SecurityContext (com.sun.enterprise.security.SecurityContext)1
IASSecurityException (com.sun.enterprise.security.util.IASSecurityException)1
ServerAuthContext (javax.security.auth.message.config.ServerAuthContext)1
PolicyContext (javax.security.jacc.PolicyContext)1
ServletContext (javax.servlet.ServletContext)1
HttpServletResponse (javax.servlet.http.HttpServletResponse)1
Context (org.apache.catalina.Context)1
LoginConfig (org.apache.catalina.deploy.LoginConfig)1
SecurityConstraint (org.apache.catalina.deploy.SecurityConstraint)1
DeploymentException (org.glassfish.deployment.common.DeploymentException)1
ServerContext (org.glassfish.internal.api.ServerContext)1
