Example 1 with WebSecurityManager

use of com.sun.enterprise.security.web.integration.WebSecurityManager in project Payara by payara.

the class RealmAdapter method hasRole.

/**
 * Checks whether {@code principal} holds {@code role} for the servlet targeted by {@code request}.
 *
 * The check is delegated to the {@link WebSecurityManager} of this context, keyed by the canonical servlet name
 * resolved from the request. When no manager is available the answer is {@code false} (deny), never {@code true}.
 *
 * @param request Request we are processing; used to resolve the servlet name
 * @param response Response we are creating (not consulted by this method)
 * @param principal the principal whose role membership is checked
 * @param role the role name, as referenced by the servlet
 * @return {@code true} if the WebSecurityManager grants the role reference, {@code false} otherwise or when no
 * WebSecurityManager exists for this context
 */
// START OF SJSAS 6232464
@Override
public boolean hasRole(HttpRequest request, HttpResponse response, Principal principal, String role) {
    WebSecurityManager manager = getWebSecurityManager(true);
    if (manager == null) {
        // No manager for this context: deny rather than fall open.
        return false;
    }

    // The role-reference permission is looked up per servlet, so the servlet name is resolved first.
    String targetServlet = getCanonicalName(request);
    boolean granted = manager.hasRoleRefPermission(targetServlet, role, principal);

    if (logger.isLoggable(FINE)) {
        logger.fine("Checking if servlet " + targetServlet + " with principal " + principal + " has role " + role + " isGranted: " + granted);
    }
    return granted;
}

Example 2 with WebSecurityManager

use of com.sun.enterprise.security.web.integration.WebSecurityManager in project Payara by payara.

the class RealmAdapter method hasUserDataPermission.

/**
 * Enforces any user-data-constraint with a transport-guarantee of CONFIDENTIAL for the given request and method.
 *
 * If <tt>uri</tt> and <tt>method</tt> are null, the URI and method of the given <tt>request</tt> are checked instead.
 *
 * A request that already arrived over a secure transport is accepted without consulting the WebSecurityManager.
 * Otherwise the manager's verdict is interpreted as follows: {@code -1} means an unsatisfied CONFIDENTIAL constraint
 * exists and the request is redirected to HTTPS; {@code 0} means the request is rejected with 403; any other value
 * means the request is permitted. An {@link IllegalArgumentException} from the manager is answered with 400.
 *
 * @param request the request that may be redirected
 * @param response the response that may be redirected or completed with an error status
 * @param constraints the security constraints being enforced (not read by this method)
 * @param uri the request URI (minus the context path) to check, or {@code null}
 * @param method the request method to check, or {@code null}
 *
 * @return {@code true} if the request may proceed, {@code false} if it has been redirected or answered with an error
 * status (or no WebSecurityManager exists for this context)
 * @throws IOException if sending an error status or the redirect fails
 */
@Override
public boolean hasUserDataPermission(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints, String uri, String method) throws IOException {
    HttpServletRequest servletRequest = (HttpServletRequest) request;

    // Make sure a servlet path is available before the permission check runs.
    if (servletRequest.getServletPath() == null) {
        String resource = getResourceName(servletRequest.getRequestURI(), servletRequest.getContextPath());
        request.setServletPath(resource);
    }

    if (logger.isLoggable(FINE)) {
        logger.fine("[Web-Security][ hasUserDataPermission ] Principal: " + servletRequest.getUserPrincipal() + " ContextPath: " + servletRequest.getContextPath());
    }

    // A request on a secure transport is treated as satisfying every CONFIDENTIAL constraint.
    if (request.getRequest().isSecure()) {
        if (logger.isLoggable(FINE)) {
            logger.fine("[Web-Security] request.getRequest().isSecure(): " + request.getRequest().isSecure());
        }
        return true;
    }

    WebSecurityManager manager = getWebSecurityManager(true);
    if (manager == null) {
        return false;
    }

    int verdict;
    try {
        verdict = manager.hasUserDataPermission(servletRequest, uri, method);
    } catch (IllegalArgumentException e) {
        // A request the manager cannot interpret is answered with 400 and not processed any further.
        logger.log(WARNING, resourceBundle.getString("realmAdapter.badRequestWithId"), e);
        ((HttpServletResponse) response.getResponse()).sendError(SC_BAD_REQUEST, resourceBundle.getString("realmAdapter.badRequest"));
        return false;
    }

    switch (verdict) {
        case -1:
            // An unsatisfied CONFIDENTIAL constraint: send the client to HTTPS.
            if (logger.isLoggable(FINE)) {
                logger.fine("[Web-Security] redirecting using SSL");
            }
            return redirect(request, response);
        case 0:
            // Not permitted on this transport and no redirect applies.
            ((HttpServletResponse) response.getResponse()).sendError(SC_FORBIDDEN, resourceBundle.getString("realmBase.forbidden"));
            return false;
        default:
            return true;
    }
}

Example 3 with WebSecurityManager

use of com.sun.enterprise.security.web.integration.WebSecurityManager in project Payara by payara.

the class SecurityDeployer method loadPolicy.

/**
 * Translates the security policy of a web bundle by creating its {@link WebSecurityManager}.
 *
 * @param webBD the web bundle descriptor to translate; a {@code null} descriptor is ignored
 * @param remove whether an already registered manager for the bundle's context id is released before the new
 * manager is created
 * @throws DeploymentException if releasing or creating the manager fails; the triggering exception is kept as the
 * cause
 */
private void loadPolicy(WebBundleDescriptor webBD, boolean remove) throws DeploymentException {
    if (webBD == null) {
        return;
    }
    try {
        if (remove) {
            // Drop the stale policy for this context id before the fresh one is generated.
            String contextId = SecurityUtil.getContextID(webBD);
            WebSecurityManager existing = wsmf.getManager(contextId, null, true);
            if (existing != null) {
                existing.release();
            }
        }
        wsmf.createManager(webBD, true, serverContext);
    } catch (Exception cause) {
        String moduleName = webBD.getModuleDescriptor().getModuleName();
        throw new DeploymentException("Error in generating security policy for " + moduleName, cause);
    }
}

Example 4 with WebSecurityManager

use of com.sun.enterprise.security.web.integration.WebSecurityManager in project Payara by payara.

the class RealmAdapter method invokeWebSecurityManager.

/**
 * Invokes WebSecurityManager to perform access control check. Return <code>true</code> if permission is granted, or
 * <code>false</code> otherwise.
 *
 * <p>Before the WebSecurityManager is consulted, requests for the FORM login page, the FORM error page and any
 * request path ending in {@code FORM_ACTION} are granted outright, so those targets are never subject to the
 * resource-permission check. The login and error pages are read once from the Context's LoginConfig and cached in
 * {@code loginPage} / {@code errorPage}; the cache is populated under {@code rwLock}.
 *
 * @param request Request we are processing
 * @param response Response we are creating (not read by this method)
 * @param constraints Security constraint we are enforcing (not read by this method)
 * @return <code>true</code> if access is granted, <code>false</code> if it is denied or no WebSecurityManager exists
 * for this context
 *
 * @exception IOException if an input/output error occurs
 */
private boolean invokeWebSecurityManager(HttpRequest request, HttpResponse response, SecurityConstraint[] constraints) throws IOException {
    // Allow access to form login related pages and targets
    // and the "j_security_check" action
    boolean evaluated = false;
    // Fast path: read the cached "already evaluated" flag under the read lock.
    // NOTE(review): lock() is called inside the try, so a lock() that threw would still reach unlock() in finally.
    try {
        rwLock.readLock().lock();
        evaluated = contextEvaluated;
    } finally {
        rwLock.readLock().unlock();
    }
    if (!evaluated) {
        try {
            rwLock.writeLock().lock();
            // Re-check under the write lock so that only one thread populates loginPage/errorPage.
            if (!contextEvaluated) {
                // Get Context here as preAuthenticateCheck does not have it
                // and our Container is always a Context
                Context context = (Context) getContainer();
                LoginConfig config = context.getLoginConfig();
                // Only FORM authentication has login/error pages to exempt; for other methods both stay null.
                if (config != null && FORM_METHOD.equals(config.getAuthMethod())) {
                    loginPage = config.getLoginPage();
                    errorPage = config.getErrorPage();
                }
                contextEvaluated = true;
            }
        } finally {
            rwLock.writeLock().unlock();
        }
    }
    if (loginPage != null || errorPage != null) {
        String requestURI = request.getRequestPathMB().toString();
        if (logger.isLoggable(FINE)) {
            logger.fine("[Web-Security]  requestURI: " + requestURI + " loginPage: " + loginPage);
        }
        // Exact-match exemptions for the configured login and error pages.
        if (loginPage != null && loginPage.equals(requestURI)) {
            if (logger.isLoggable(FINE)) {
                logger.fine(" Allow access to login page " + loginPage);
            }
            return true;
        } else if (errorPage != null && errorPage.equals(requestURI)) {
            if (logger.isLoggable(FINE)) {
                logger.fine(" Allow access to error page " + errorPage);
            }
            return true;
        // NOTE(review): this is a suffix match, so every path ending in FORM_ACTION is exempted from the
        // resource-permission check, not just the form action itself — confirm that is the intended scope.
        } else if (requestURI.endsWith(FORM_ACTION)) {
            if (logger.isLoggable(FINE)) {
                logger.fine(" Allow access to username/password submission");
            }
            return true;
        }
    }
    HttpServletRequest httpServletRequest = (HttpServletRequest) request;
    // Make sure a servlet path is available before the permission check runs.
    if (httpServletRequest.getServletPath() == null) {
        request.setServletPath(getResourceName(httpServletRequest.getRequestURI(), httpServletRequest.getContextPath()));
    }
    if (logger.isLoggable(FINE)) {
        logger.fine("[Web-Security] [ hasResourcePermission ] Principal: " + httpServletRequest.getUserPrincipal() + " ContextPath: " + httpServletRequest.getContextPath());
    }
    WebSecurityManager securityManager = getWebSecurityManager(true);
    if (securityManager == null) {
        // No manager for this context: deny rather than fall open.
        return false;
    }
    return securityManager.hasResourcePermission(httpServletRequest);
}