Example 1 with PrivateCredentialPermission
use of javax.security.auth.PrivateCredentialPermission in project jdk8u_jdk by JetBrains.
the class PolicyPermissions method addSelfPermissions.
/**
* Returns true if 'Self' permissions were added to the provided
* 'perms', and false otherwise.
*
* <p>
*
* @param p check to see if this Permission is a "SELF"
* PrivateCredentialPermission. <p>
*
* @param entryCs the codesource for the Policy entry.
*
* @param accCs the codesource for from the current AccessControlContext.
*
* @param perms the PermissionCollection where the individual
* PrivateCredentialPermissions will be added.
*/
private boolean addSelfPermissions(final Permission p, CodeSource entryCs, CodeSource accCs, Permissions perms) {
if (!(p instanceof PrivateCredentialPermission)) {
return false;
}
if (!(entryCs instanceof SubjectCodeSource)) {
return false;
}
PrivateCredentialPermission pcp = (PrivateCredentialPermission) p;
SubjectCodeSource scs = (SubjectCodeSource) entryCs;
// see if it is a SELF permission
String[][] pPrincipals = pcp.getPrincipals();
if (pPrincipals.length <= 0 || !pPrincipals[0][0].equalsIgnoreCase("self") || !pPrincipals[0][1].equalsIgnoreCase("self")) {
// regular PrivateCredentialPermission
return false;
} else {
if (scs.getPrincipals() == null) {
// XXX SubjectCodeSource has no Subject???
return true;
}
for (PrincipalEntry principal : scs.getPrincipals()) {
// if the Policy entry's Principal does not contain a
// WILDCARD for the Principal name, then a
// new PrivateCredentialPermission is created
// for the Principal listed in the Policy entry.
// if the Policy entry's Principal contains a WILDCARD
// for the Principal name, then a new
// PrivateCredentialPermission is created
// for each Principal associated with the Subject
// in the current ACC.
String[][] principalInfo = getPrincipalInfo(principal, accCs);
for (int i = 0; i < principalInfo.length; i++) {
// here's the new PrivateCredentialPermission
PrivateCredentialPermission newPcp = new PrivateCredentialPermission(pcp.getCredentialClass() + " " + principalInfo[i][0] + " " + "\"" + principalInfo[i][1] + "\"", "read");
if (debug != null) {
debug.println("adding SELF permission: " + newPcp.toString());
}
perms.add(newPcp);
}
}
}
return true;
}
Also used :
PrincipalEntry(sun.security.provider.PolicyParser.PrincipalEntry)
PrivateCredentialPermission(javax.security.auth.PrivateCredentialPermission)
Example 2 with PrivateCredentialPermission
use of javax.security.auth.PrivateCredentialPermission in project Bytecoder by mirkosertic.
the class PolicyPermissions method addSelfPermissions.
/**
* Returns true if 'Self' permissions were added to the provided
* 'perms', and false otherwise.
*
* <p>
*
* @param p check to see if this Permission is a "SELF"
* PrivateCredentialPermission. <p>
*
* @param entryCs the codesource for the Policy entry.
*
* @param accCs the codesource for from the current AccessControlContext.
*
* @param perms the PermissionCollection where the individual
* PrivateCredentialPermissions will be added.
*/
private boolean addSelfPermissions(final Permission p, CodeSource entryCs, CodeSource accCs, Permissions perms) {
if (!(p instanceof PrivateCredentialPermission)) {
return false;
}
if (!(entryCs instanceof SubjectCodeSource)) {
return false;
}
PrivateCredentialPermission pcp = (PrivateCredentialPermission) p;
SubjectCodeSource scs = (SubjectCodeSource) entryCs;
// see if it is a SELF permission
String[][] pPrincipals = pcp.getPrincipals();
if (pPrincipals.length <= 0 || !pPrincipals[0][0].equalsIgnoreCase("self") || !pPrincipals[0][1].equalsIgnoreCase("self")) {
// regular PrivateCredentialPermission
return false;
} else {
if (scs.getPrincipals() == null) {
// XXX SubjectCodeSource has no Subject???
return true;
}
for (PrincipalEntry principal : scs.getPrincipals()) {
// if the Policy entry's Principal does not contain a
// WILDCARD for the Principal name, then a
// new PrivateCredentialPermission is created
// for the Principal listed in the Policy entry.
// if the Policy entry's Principal contains a WILDCARD
// for the Principal name, then a new
// PrivateCredentialPermission is created
// for each Principal associated with the Subject
// in the current ACC.
String[][] principalInfo = getPrincipalInfo(principal, accCs);
for (int i = 0; i < principalInfo.length; i++) {
// here's the new PrivateCredentialPermission
PrivateCredentialPermission newPcp = new PrivateCredentialPermission(pcp.getCredentialClass() + " " + principalInfo[i][0] + " " + "\"" + principalInfo[i][1] + "\"", "read");
if (debug != null) {
debug.println("adding SELF permission: " + newPcp.toString());
}
perms.add(newPcp);
}
}
}
return true;
}
Also used :
PrincipalEntry(sun.security.provider.PolicyParser.PrincipalEntry)
PrivateCredentialPermission(javax.security.auth.PrivateCredentialPermission)
Example 3 with PrivateCredentialPermission
use of javax.security.auth.PrivateCredentialPermission in project wildfly by wildfly.
the class WildFlyActivationRaWithElytronAuthContextTestCase method deploymentSingleton.
@Deployment
public static Archive<?> deploymentSingleton() {
final JavaArchive jar = ShrinkWrap.create(JavaArchive.class, "single.jar").addClass(WildFlyActivationRaWithElytronAuthContextTestCase.class).addPackage(MultipleConnectionFactory1.class.getPackage());
jar.addClasses(AbstractElytronSetupTask.class);
final ResourceAdapterArchive rar = ShrinkWrap.create(ResourceAdapterArchive.class, "wf-ra-ely-security.rar").addAsLibrary(jar).addAsManifestResource(WildFlyActivationRaWithElytronAuthContextTestCase.class.getPackage(), "ra.xml", "ra.xml").addAsManifestResource(new StringAsset("Dependencies: org.jboss.dmr, org.jboss.as.controller, org.jboss.as.controller-client\n"), "MANIFEST.MF");
rar.addAsManifestResource(PermissionUtils.createPermissionsXmlAsset(new PrivateCredentialPermission("javax.resource.spi.security.PasswordCredential org.wildfly.security.auth.principal.NamePrincipal \"sa\"", "read")), "permissions.xml");
return rar;
}
Also used :
StringAsset(org.jboss.shrinkwrap.api.asset.StringAsset)
ResourceAdapterArchive(org.jboss.shrinkwrap.api.spec.ResourceAdapterArchive)
MultipleConnectionFactory1(org.jboss.as.test.integration.jca.rar.MultipleConnectionFactory1)
JavaArchive(org.jboss.shrinkwrap.api.spec.JavaArchive)
PrivateCredentialPermission(javax.security.auth.PrivateCredentialPermission)
Deployment(org.jboss.arquillian.container.test.api.Deployment)
Example 4 with PrivateCredentialPermission
use of javax.security.auth.PrivateCredentialPermission in project jdk8u_jdk by JetBrains.
the class PolicyPermissions method addGrantEntry.
/**
* Add one policy entry to the vector.
*/
private void addGrantEntry(GrantEntry ge, KeyStore keyStore) {
if (debug != null) {
debug.println("Adding policy entry: ");
debug.println(" signedBy " + ge.signedBy);
debug.println(" codeBase " + ge.codeBase);
if (ge.principals != null) {
for (PrincipalEntry pppe : ge.principals) {
debug.println(" " + pppe.getPrincipalClass() + " " + pppe.getPrincipalName());
}
}
debug.println();
}
try {
CodeSource codesource = getCodeSource(ge, keyStore);
// skip if signedBy alias was unknown...
if (codesource == null)
return;
PolicyEntry entry = new PolicyEntry(codesource);
Enumeration<PermissionEntry> enum_ = ge.permissionElements();
while (enum_.hasMoreElements()) {
PermissionEntry pe = enum_.nextElement();
try {
// XXX special case PrivateCredentialPermission-SELF
Permission perm;
if (pe.permission.equals("javax.security.auth.PrivateCredentialPermission") && pe.name.endsWith(" self")) {
perm = getInstance(pe.permission, pe.name + " \"self\"", pe.action);
} else {
perm = getInstance(pe.permission, pe.name, pe.action);
}
entry.add(perm);
if (debug != null) {
debug.println(" " + perm);
}
} catch (ClassNotFoundException cnfe) {
Certificate[] certs;
if (pe.signedBy != null) {
certs = getCertificates(keyStore, pe.signedBy);
} else {
certs = null;
}
// a signer and found the keys for it.
if (certs != null || pe.signedBy == null) {
Permission perm = new UnresolvedPermission(pe.permission, pe.name, pe.action, certs);
entry.add(perm);
if (debug != null) {
debug.println(" " + perm);
}
}
} catch (java.lang.reflect.InvocationTargetException ite) {
System.err.println(AUTH_POLICY + rb.getString(".error.adding.Permission.") + pe.permission + rb.getString("SPACE") + ite.getTargetException());
} catch (Exception e) {
System.err.println(AUTH_POLICY + rb.getString(".error.adding.Permission.") + pe.permission + rb.getString("SPACE") + e);
}
}
policyEntries.addElement(entry);
} catch (Exception e) {
System.err.println(AUTH_POLICY + rb.getString(".error.adding.Entry.") + ge + rb.getString("SPACE") + e);
}
if (debug != null) {
debug.println();
}
}
Also used :
UnresolvedPermission(java.security.UnresolvedPermission)
java.lang.reflect(java.lang.reflect)
PermissionEntry(sun.security.provider.PolicyParser.PermissionEntry)
UnresolvedPermission(java.security.UnresolvedPermission)
PrivateCredentialPermission(javax.security.auth.PrivateCredentialPermission)
Permission(java.security.Permission)
PrincipalEntry(sun.security.provider.PolicyParser.PrincipalEntry)
CodeSource(java.security.CodeSource)
KeyStoreException(java.security.KeyStoreException)
Example 5 with PrivateCredentialPermission
use of javax.security.auth.PrivateCredentialPermission in project jdk8u_jdk by JetBrains.
the class BasicProc method main.
public static void main(String[] args) throws Exception {
String HOST = "localhost";
String SERVER = "server/" + HOST;
String BACKEND = "backend/" + HOST;
String USER = "user";
char[] PASS = "password".toCharArray();
String REALM = "REALM";
Oid oid = new Oid("1.2.840.113554.1.2.2");
if (args.length == 0) {
System.setProperty("java.security.krb5.conf", CONF);
KDC kdc = KDC.create(REALM, HOST, 0, true);
kdc.addPrincipal(USER, PASS);
kdc.addPrincipalRandKey("krbtgt/" + REALM);
kdc.addPrincipalRandKey(SERVER);
kdc.addPrincipalRandKey(BACKEND);
String cwd = System.getProperty("user.dir");
kdc.writeKtab(KTAB);
KDC.saveConfig(CONF, kdc, "forwardable = true");
Proc pc = Proc.create("BasicProc").args("client").prop("java.security.krb5.conf", CONF).prop("java.security.manager", "").perm(new java.util.PropertyPermission("sun.security.krb5.principal", "read")).perm(new javax.security.auth.AuthPermission("modifyPrincipals")).perm(new javax.security.auth.AuthPermission("modifyPrivateCredentials")).perm(new javax.security.auth.AuthPermission("doAs")).perm(new javax.security.auth.kerberos.ServicePermission("krbtgt/" + REALM + "@" + REALM, "initiate")).perm(new javax.security.auth.kerberos.ServicePermission("server/localhost@" + REALM, "initiate")).perm(new javax.security.auth.kerberos.DelegationPermission("\"server/localhost@" + REALM + "\" " + "\"krbtgt/" + REALM + "@" + REALM + "\"")).debug("C").start();
Proc ps = Proc.create("BasicProc").args("server").prop("java.security.krb5.conf", CONF).prop("java.security.manager", "").perm(new java.util.PropertyPermission("sun.security.krb5.principal", "read")).perm(new javax.security.auth.AuthPermission("modifyPrincipals")).perm(new javax.security.auth.AuthPermission("modifyPrivateCredentials")).perm(new javax.security.auth.AuthPermission("doAs")).perm(new PrivateCredentialPermission("javax.security.auth.kerberos.KeyTab * \"*\"", "read")).perm(new javax.security.auth.kerberos.ServicePermission("server/localhost@" + REALM, "accept")).perm(new java.io.FilePermission(cwd + File.separator + KTAB, "read")).perm(new javax.security.auth.kerberos.ServicePermission("backend/localhost@" + REALM, "initiate")).debug("S").start();
Proc pb = Proc.create("BasicProc").args("backend").prop("java.security.krb5.conf", CONF).prop("java.security.manager", "").perm(new java.util.PropertyPermission("sun.security.krb5.principal", "read")).perm(new javax.security.auth.AuthPermission("modifyPrincipals")).perm(new javax.security.auth.AuthPermission("modifyPrivateCredentials")).perm(new javax.security.auth.AuthPermission("doAs")).perm(new PrivateCredentialPermission("javax.security.auth.kerberos.KeyTab * \"*\"", "read")).perm(new javax.security.auth.kerberos.ServicePermission("backend/localhost@" + REALM, "accept")).perm(new java.io.FilePermission(cwd + File.separator + KTAB, "read")).debug("B").start();
// Client and server handshake
String token = pc.readData();
ps.println(token);
token = ps.readData();
pc.println(token);
// Server and backend handshake
token = ps.readData();
pb.println(token);
token = pb.readData();
ps.println(token);
// wrap/unwrap/getMic/verifyMic and plain text
token = ps.readData();
pb.println(token);
token = pb.readData();
ps.println(token);
token = pb.readData();
ps.println(token);
if ((pc.waitFor() | ps.waitFor() | pb.waitFor()) != 0) {
throw new Exception();
}
} else if (args[0].equals("client")) {
Context c = Context.fromUserPass(USER, PASS, false);
c.startAsClient(SERVER, oid);
c.x().requestCredDeleg(true);
Proc.binOut(c.take(new byte[0]));
byte[] token = Proc.binIn();
c.take(token);
} else if (args[0].equals("server")) {
Context s = Context.fromUserKtab(SERVER, KTAB, true);
s.startAsServer(oid);
byte[] token = Proc.binIn();
token = s.take(token);
Proc.binOut(token);
Context s2 = s.delegated();
s2.startAsClient(BACKEND, oid);
Proc.binOut(s2.take(new byte[0]));
token = Proc.binIn();
s2.take(token);
byte[] msg = "Hello".getBytes();
Proc.binOut(s2.wrap(msg, true));
s2.verifyMic(Proc.binIn(), msg);
String in = Proc.textIn();
if (!in.equals("Hello")) {
throw new Exception();
}
} else if (args[0].equals("backend")) {
Context b = Context.fromUserKtab(BACKEND, KTAB, true);
b.startAsServer(oid);
byte[] token = Proc.binIn();
Proc.binOut(b.take(token));
byte[] msg = b.unwrap(Proc.binIn(), true);
Proc.binOut(b.getMic(msg));
Proc.textOut(new String(msg));
}
}
Also used :
PrivateCredentialPermission(javax.security.auth.PrivateCredentialPermission)
Oid(org.ietf.jgss.Oid)
Aggregations
PrivateCredentialPermission (javax.security.auth.PrivateCredentialPermission)6
PrincipalEntry (sun.security.provider.PolicyParser.PrincipalEntry)4
java.lang.reflect (java.lang.reflect)2
CodeSource (java.security.CodeSource)2
KeyStoreException (java.security.KeyStoreException)2
Permission (java.security.Permission)2
UnresolvedPermission (java.security.UnresolvedPermission)2
PermissionEntry (sun.security.provider.PolicyParser.PermissionEntry)2
Oid (org.ietf.jgss.Oid)1
Deployment (org.jboss.arquillian.container.test.api.Deployment)1
MultipleConnectionFactory1 (org.jboss.as.test.integration.jca.rar.MultipleConnectionFactory1)1
StringAsset (org.jboss.shrinkwrap.api.asset.StringAsset)1
JavaArchive (org.jboss.shrinkwrap.api.spec.JavaArchive)1
ResourceAdapterArchive (org.jboss.shrinkwrap.api.spec.ResourceAdapterArchive)1
