
Example 21 with Principal

use of java.security.Principal in project tomcat by apache.

the class JAASRealm method authenticate.

// -------------------------------------------------------- Package Methods
// ------------------------------------------------------ Protected Methods
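/**
 * Perform the actual JAAS authentication.
 * <p>
 * Builds a {@link LoginContext} for {@code appName} (defaulting to
 * {@code "Tomcat"}) with the supplied callback handler and the realm's
 * {@link Configuration}, calls {@link LoginContext#login()} and maps the
 * resulting {@link Subject} to a {@link Principal} through
 * {@link #createPrincipal(String, Subject, LoginContext)}.
 * <p>
 * Every failure path returns {@code null}. Expired accounts, expired
 * credentials and plain failed logins are reported at debug level only,
 * other {@link LoginException}s at warn, and any other {@link Throwable} at
 * error after {@link ExceptionUtils#handleThrowable(Throwable)} has let the
 * JVM-fatal ones propagate.
 *
 * @param username The user name
 * @param callbackHandler The callback handler
 * @return the associated principal, or <code>null</code> if there is none.
 */
protected Principal authenticate(String username, CallbackHandler callbackHandler) {
    try {
        if (appName == null) {
            appName = "Tomcat";
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.beginLogin", username, appName));
        }

        // The LoginModule may live in the container class loader rather than
        // the web application's. Decide once whether to swap the context class
        // loader so that the restore in the finally block always mirrors the
        // swap, even if isUseContextClassLoader() were to change meanwhile.
        boolean swapClassLoader = !isUseContextClassLoader();
        ClassLoader originalLoader = null;
        if (swapClassLoader) {
            originalLoader = Thread.currentThread().getContextClassLoader();
            Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
        }
        LoginContext loginContext;
        try {
            Configuration config = getConfig();
            loginContext = new LoginContext(appName, null, callbackHandler, config);
        } catch (Throwable e) {
            ExceptionUtils.handleThrowable(e);
            log.error(sm.getString("jaasRealm.unexpectedError"), e);
            return null;
        } finally {
            if (swapClassLoader) {
                Thread.currentThread().setContextClassLoader(originalLoader);
            }
        }
        if (log.isDebugEnabled()) {
            log.debug("Login context created " + username);
        }

        // Negotiate a login via this LoginContext
        Subject subject;
        try {
            loginContext.login();
            subject = loginContext.getSubject();
            if (subject == null) {
                if (log.isDebugEnabled()) {
                    log.debug(sm.getString("jaasRealm.failedLogin", username));
                }
                return null;
            }
        } catch (AccountExpiredException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.accountExpired", username));
            }
            return null;
        } catch (CredentialExpiredException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.credentialExpired", username));
            }
            return null;
        } catch (FailedLoginException e) {
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.failedLogin", username));
            }
            return null;
        } catch (LoginException e) {
            log.warn(sm.getString("jaasRealm.loginException", username), e);
            return null;
        } catch (Throwable e) {
            ExceptionUtils.handleThrowable(e);
            log.error(sm.getString("jaasRealm.unexpectedError"), e);
            return null;
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.loginContextCreated", username));
        }

        // Return the appropriate Principal for this authenticated Subject
        Principal principal = createPrincipal(username, subject, loginContext);
        if (principal == null) {
            // Guarded like every other debug message in this method
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.authenticateFailure", username));
            }
            return null;
        }
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.authenticateSuccess", username));
        }
        return principal;
    } catch (Throwable t) {
        // Consistent with the inner handlers: JVM-fatal errors must not be
        // logged and silently converted into "not authenticated".
        ExceptionUtils.handleThrowable(t);
        log.error("error ", t);
        return null;
    }
}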

Example 22 with Principal

use of java.security.Principal in project tomcat by apache.

the class JAASRealm method createPrincipal.

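/**
 * Identify and return a <code>java.security.Principal</code> instance
 * representing the authenticated user for the specified <code>Subject</code>.
 * <p>
 * The Subject's principals are scanned in iteration order. The first one
 * whose class name is listed in {@code userClasses} becomes the user
 * Principal; every one whose class name is listed in {@code roleClasses}
 * contributes its name as a role (one object may satisfy both tests). If no
 * user Principal matched, <code>null</code> is returned so that the caller
 * treats the login as failed.
 *
 * @param username The associated user name
 * @param subject The <code>Subject</code> representing the logged-in user
 * @param loginContext Associated with the Principal so
 *                     {@link LoginContext#logout()} can be called later
 * @return the principal object, or <code>null</code> if no Principal of one
 *         of the configured user classes was found
 */
protected Principal createPrincipal(String username, Subject subject, LoginContext loginContext) {
    List<String> roles = new ArrayList<>();
    Principal userPrincipal = null;
    for (Principal principal : subject.getPrincipals()) {
        String principalClass = principal.getClass().getName();
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.checkPrincipal", principal, principalClass));
        }
        // Only the first user-class match is kept; later ones are ignored
        if (userPrincipal == null && userClasses.contains(principalClass)) {
            userPrincipal = principal;
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.userPrincipalSuccess", principal.getName()));
            }
        }
        if (roleClasses.contains(principalClass)) {
            roles.add(principal.getName());
            if (log.isDebugEnabled()) {
                log.debug(sm.getString("jaasRealm.rolePrincipalAdd", principal.getName()));
            }
        }
    }
    if (userPrincipal == null) {
        if (log.isDebugEnabled()) {
            log.debug(sm.getString("jaasRealm.userPrincipalFailure"));
            log.debug(sm.getString("jaasRealm.rolePrincipalFailure"));
        }
        // NOTE(review): the Javadoc has always promised null here and
        // authenticate() checks for it, but the previous code still built a
        // GenericPrincipal with a null user principal. Fail closed instead.
        return null;
    }
    if (roles.isEmpty() && log.isDebugEnabled()) {
        log.debug(sm.getString("jaasRealm.rolePrincipalFailure"));
    }
    // Return the resulting Principal for our authenticated user
    return new GenericPrincipal(username, null, roles, userPrincipal, loginContext);
}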

Example 23 with Principal

use of java.security.Principal in project tomcat by apache.

the class JNDIRealm method getPrincipal.

/**
 * Resolve the Principal for {@code username} against the directory, retrying
 * once after a transient connection failure.
 * <p>
 * A {@link DirContext} is obtained from {@link #open()} and the three-argument
 * {@code getPrincipal} overload does the actual work. If that overload fails
 * with {@link CommunicationException} or {@link ServiceUnavailableException}
 * the context is closed, a new one is opened and the lookup is attempted a
 * second time. On success the context is handed back with {@code release};
 * on {@link NamingException} it is closed so the next request reopens it.
 * NOTE(review): an unchecked exception from the lookup leaves the context
 * neither released nor closed — TODO confirm the caller tolerates that.
 *
 * @param username the user name to resolve
 * @param gssCredential the GSS credential passed through to the overload
 * @return whatever the overload returned, or {@code null} when the directory
 *         raised a {@link NamingException}
 */
@Override
protected Principal getPrincipal(String username, GSSCredential gssCredential) {
    DirContext dirContext = null;
    try {
        dirContext = open();
        Principal result;
        try {
            result = getPrincipal(dirContext, username, gssCredential);
        } catch (CommunicationException | ServiceUnavailableException e) {
            // Transient failure: record it, drop the connection and retry once
            containerLog.info(sm.getString("jndiRealm.exception.retry"), e);
            if (dirContext != null) {
                close(dirContext);
            }
            dirContext = open();
            result = getPrincipal(dirContext, username, gssCredential);
        }
        release(dirContext);
        return result;
    } catch (NamingException e) {
        containerLog.error(sm.getString("jndiRealm.exception"), e);
        // Close rather than release so the next request gets a fresh context
        if (dirContext != null) {
            close(dirContext);
        }
        return null;
    }
}

Example 24 with Principal

use of java.security.Principal in project tomcat by apache.

the class LockOutRealm method authenticate.

/**
 * Authenticate a client by its X509 certificate chain through the wrapped
 * realm, then pass the result through {@code filterLockedAccounts}. The name
 * used for the lock-out bookkeeping is the subject DN of the first
 * certificate in the chain (the client's own certificate), or {@code null}
 * when no chain was supplied.
 *
 * @param certs Array of client certificates, with the first one in
 *  the array being the certificate of the client itself.
 * @return the result of {@code filterLockedAccounts} applied to the wrapped
 *  realm's Principal, which may be {@code null}
 */
@Override
public Principal authenticate(X509Certificate[] certs) {
    String lockOutKey = null;
    if (certs != null && certs.length > 0) {
        // getSubjectDN() is denigrated in the JDK; it is kept because the
        // lock-out key format must match what the rest of the realm uses —
        // switching to getSubjectX500Principal().getName() would change it,
        // so confirm against the wrapped realm before doing so.
        lockOutKey = certs[0].getSubjectDN().getName();
    }
    return filterLockedAccounts(lockOutKey, super.authenticate(certs));
}

Example 25 with Principal

use of java.security.Principal in project tomcat by apache.

the class RealmBase method hasResourcePermission.

/**
     * Perform access control based on the specified authorization constraint.
     * Return <code>true</code> if this constraint is satisfied and processing
     * should continue, or <code>false</code> otherwise.
     * <p>
     * Constraints are visited in array order and access is granted when any
     * one of them is satisfied, with one exception: an auth-constraint that
     * lists no roles and sets neither {@code getAllRoles()} nor
     * {@code getAuthenticatedUsers()} denies access outright and stops the
     * scan ({@code denyfromall}). Only if nothing was satisfied, no such deny
     * occurred and a user is authenticated does the {@code allRolesMode}
     * fallback for all-roles constraints run. When access is denied a 403 is
     * written to the response before returning.
     *
     * @param request Request we are processing
     * @param response Response we are creating
     * @param constraints Security constraint we are enforcing
     * @param context The Context to which client of this class is attached.
     * @return <code>true</code> if access is granted, <code>false</code> if it
     *         was denied (a 403 has already been sent in that case)
     *
     * @exception IOException if an input/output error occurs
     */
@Override
public boolean hasResourcePermission(Request request, Response response, SecurityConstraint[] constraints, Context context) throws IOException {
    // Nothing to enforce for this resource
    if (constraints == null || constraints.length == 0)
        return true;
    // Which user principal have we already authenticated?
    Principal principal = request.getPrincipal();
    // status is only ever reset to false in the deny-from-all branch below,
    // so a grant by one constraint is not undone by a later one.
    boolean status = false;
    boolean denyfromall = false;
    for (int i = 0; i < constraints.length; i++) {
        SecurityConstraint constraint = constraints[i];
        String[] roles;
        if (constraint.getAllRoles()) {
            // * means all roles defined in web.xml
            roles = request.getContext().findSecurityRoles();
        } else {
            roles = constraint.findAuthRoles();
        }
        if (roles == null)
            roles = new String[0];
        if (log.isDebugEnabled())
            log.debug("  Checking roles " + principal);
        // Any authenticated user satisfies this constraint
        if (constraint.getAuthenticatedUsers() && principal != null) {
            if (log.isDebugEnabled()) {
                log.debug("Passing all authenticated users");
            }
            status = true;
        } else if (roles.length == 0 && !constraint.getAllRoles() && !constraint.getAuthenticatedUsers()) {
            if (constraint.getAuthConstraint()) {
                if (log.isDebugEnabled())
                    log.debug("No roles");
                // No listed roles means no access at all
                status = false;
                denyfromall = true;
                break;
            }
            // No auth-constraint at all: the resource is unprotected
            if (log.isDebugEnabled())
                log.debug("Passing all access");
            status = true;
        } else if (principal == null) {
            if (log.isDebugEnabled())
                log.debug("  No user authenticated, cannot grant access");
        } else {
            // The loop keeps going after a match only to emit the debug
            // output for the remaining roles; status cannot drop back to false.
            for (int j = 0; j < roles.length; j++) {
                if (hasRole(null, principal, roles[j])) {
                    status = true;
                    if (log.isDebugEnabled())
                        log.debug("Role found:  " + roles[j]);
                } else if (log.isDebugEnabled())
                    log.debug("No role found:  " + roles[j]);
            }
        }
    }
    // Fallback for all-roles constraints; never reached after a deny-from-all
    // or for an unauthenticated request.
    if (!denyfromall && allRolesMode != AllRolesMode.STRICT_MODE && !status && principal != null) {
        if (log.isDebugEnabled()) {
            log.debug("Checking for all roles mode: " + allRolesMode);
        }
        // Check for an all roles(role-name="*")
        for (int i = 0; i < constraints.length; i++) {
            SecurityConstraint constraint = constraints[i];
            String[] roles;
            // If the all roles mode exists, sets
            if (constraint.getAllRoles()) {
                if (allRolesMode == AllRolesMode.AUTH_ONLY_MODE) {
                    if (log.isDebugEnabled()) {
                        log.debug("Granting access for role-name=*, auth-only");
                    }
                    status = true;
                    break;
                }
                // For AllRolesMode.STRICT_AUTH_ONLY_MODE there must be zero roles
                // NOTE(review): unlike the first loop there is no null guard on
                // this result — TODO confirm findSecurityRoles() never returns null
                roles = request.getContext().findSecurityRoles();
                if (roles.length == 0 && allRolesMode == AllRolesMode.STRICT_AUTH_ONLY_MODE) {
                    if (log.isDebugEnabled()) {
                        log.debug("Granting access for role-name=*, strict auth-only");
                    }
                    status = true;
                    break;
                }
            }
        }
    }
    // Return a "Forbidden" message denying access to this resource
    if (!status) {
        response.sendError(HttpServletResponse.SC_FORBIDDEN, sm.getString("realmBase.forbidden"));
    }
    return status;
}
