
Example 1 with PrivateCredentialPermission

Use of javax.security.auth.PrivateCredentialPermission in project jdk8u_jdk by JetBrains.

From the class PolicyPermissions, method addSelfPermissions.

/**
 * Expands a "SELF" {@code PrivateCredentialPermission} into one concrete
 * permission per resolved principal and adds those to {@code perms}.
 *
 * <p>A permission counts as SELF when its first principal entry has both
 * class and name equal to {@code "self"} (compared case-insensitively).
 * Every expanded permission keeps the original credential class, carries
 * the action {@code "read"}, and uses a principal class/name pair obtained
 * from {@link #getPrincipalInfo} for each principal of the policy entry and
 * the caller's CodeSource.
 *
 * @param p the permission to inspect; only a SELF
 *          {@code PrivateCredentialPermission} is expanded
 * @param entryCs the CodeSource of the policy entry; nothing happens unless
 *          it is a {@code SubjectCodeSource}
 * @param accCs the CodeSource taken from the current AccessControlContext,
 *          passed through to {@code getPrincipalInfo}
 * @param perms the collection that receives the expanded permissions
 * @return {@code true} if {@code p} was a SELF permission on a
 *         {@code SubjectCodeSource} entry (also when that entry carried no
 *         principals and nothing was added); {@code false} for any other
 *         permission or CodeSource
 */
private boolean addSelfPermissions(final Permission p, CodeSource entryCs, CodeSource accCs, Permissions perms) {
    if (!(p instanceof PrivateCredentialPermission) || !(entryCs instanceof SubjectCodeSource)) {
        return false;
    }
    final PrivateCredentialPermission selfPcp = (PrivateCredentialPermission) p;
    final SubjectCodeSource subjectCs = (SubjectCodeSource) entryCs;

    // A SELF permission is spelled with principal class and name both "self".
    final String[][] declared = selfPcp.getPrincipals();
    final boolean isSelf = declared.length > 0
            && declared[0][0].equalsIgnoreCase("self")
            && declared[0][1].equalsIgnoreCase("self");
    if (!isSelf) {
        // An ordinary PrivateCredentialPermission is left to the normal path.
        return false;
    }

    if (subjectCs.getPrincipals() == null) {
        // XXX SubjectCodeSource has no Subject??? (note kept from the original)
        return true;
    }
    final String credentialClass = selfPcp.getCredentialClass();
    for (PrincipalEntry entryPrincipal : subjectCs.getPrincipals()) {
        // getPrincipalInfo yields zero or more class/name pairs for this
        // policy-entry principal: the literal principal when its name is
        // given, or — per the original comment — one pair per principal of
        // the Subject in the current ACC when the name is a wildcard.
        for (String[] info : getPrincipalInfo(entryPrincipal, accCs)) {
            // The resolved name is placed between double quotes verbatim.
            // NOTE(review): a name containing '"' would alter how the target
            // string is parsed — confirm getPrincipalInfo cannot yield one.
            final String target = credentialClass + " " + info[0] + " \"" + info[1] + "\"";
            final PrivateCredentialPermission expanded = new PrivateCredentialPermission(target, "read");
            if (debug != null) {
                debug.println("adding SELF permission: " + expanded.toString());
            }
            perms.add(expanded);
        }
    }
    return true;
}

Example 2 with PrivateCredentialPermission

Use of javax.security.auth.PrivateCredentialPermission in project Bytecoder by mirkosertic.

From the class PolicyPermissions, method addSelfPermissions.

/**
 * Handles the "SELF" form of {@code PrivateCredentialPermission}.
 *
 * <p>When {@code p} names principal class and name {@code "self"}, one
 * concrete permission is added to {@code perms} for every class/name pair
 * that {@link #getPrincipalInfo} reports for the policy entry's principals.
 * Each added permission keeps the original credential class and carries the
 * {@code "read"} action.
 *
 * @param p the permission to examine
 * @param entryCs the policy entry's CodeSource; only a
 *        {@code SubjectCodeSource} qualifies
 * @param accCs the CodeSource from the current AccessControlContext, handed
 *        to {@code getPrincipalInfo} when resolving the principals
 * @param perms destination for the expanded permissions
 * @return {@code true} when {@code p} is a SELF permission and
 *         {@code entryCs} is a {@code SubjectCodeSource} (also when the
 *         entry has no principals and nothing is added); {@code false}
 *         otherwise
 */
private boolean addSelfPermissions(final Permission p, CodeSource entryCs, CodeSource accCs, Permissions perms) {
    if (!(p instanceof PrivateCredentialPermission)) {
        return false;
    }
    if (!(entryCs instanceof SubjectCodeSource)) {
        return false;
    }
    PrivateCredentialPermission pcp = (PrivateCredentialPermission) p;
    if (!isSelfPermission(pcp)) {
        // A regular PrivateCredentialPermission is not expanded here.
        return false;
    }
    SubjectCodeSource scs = (SubjectCodeSource) entryCs;
    if (scs.getPrincipals() == null) {
        // XXX SubjectCodeSource has no Subject??? (original note kept)
        return true;
    }
    final String credentialClass = pcp.getCredentialClass();
    for (PrincipalEntry entryPrincipal : scs.getPrincipals()) {
        // Per the original comment: a principal with an explicit name yields
        // that one pair; a wildcard name yields one pair per principal of
        // the Subject in the current ACC.
        String[][] resolved = getPrincipalInfo(entryPrincipal, accCs);
        for (int idx = 0; idx < resolved.length; idx++) {
            PrivateCredentialPermission expanded =
                    selfPermissionFor(credentialClass, resolved[idx][0], resolved[idx][1]);
            if (debug != null) {
                debug.println("adding SELF permission: " + expanded.toString());
            }
            perms.add(expanded);
        }
    }
    return true;
}

/**
 * Returns whether the permission's first principal entry reads
 * {@code self self}, ignoring case.
 */
private static boolean isSelfPermission(PrivateCredentialPermission pcp) {
    String[][] principals = pcp.getPrincipals();
    return principals.length > 0
            && principals[0][0].equalsIgnoreCase("self")
            && principals[0][1].equalsIgnoreCase("self");
}

/**
 * Builds the read permission for one resolved principal. The principal
 * name is quoted verbatim; NOTE(review): a name containing '"' would change
 * how the target string is parsed — confirm the resolver never yields one.
 */
private static PrivateCredentialPermission selfPermissionFor(String credentialClass, String principalClass, String principalName) {
    String target = credentialClass + " " + principalClass + " " + "\"" + principalName + "\"";
    return new PrivateCredentialPermission(target, "read");
}

Example 3 with PrivateCredentialPermission

Use of javax.security.auth.PrivateCredentialPermission in project wildfly by wildfly.

From the class WildFlyActivationRaWithElytronAuthContextTestCase, method deploymentSingleton.

/**
 * Builds the resource adapter archive deployed by this test.
 *
 * <p>The RAR carries a library jar holding this test class, the package of
 * {@link MultipleConnectionFactory1} and {@link AbstractElytronSetupTask};
 * the {@code ra.xml} descriptor; a MANIFEST.MF declaring the JBoss module
 * dependencies; and a {@code permissions.xml} whose single grant is
 * {@code PrivateCredentialPermission} read access to a
 * {@code javax.resource.spi.security.PasswordCredential}, scoped to the
 * {@code NamePrincipal} {@code "sa"}.
 *
 * @return the deployable {@code ResourceAdapterArchive}
 */
@Deployment
public static Archive<?> deploymentSingleton() {
    final JavaArchive library = ShrinkWrap.create(JavaArchive.class, "single.jar")
            .addClass(WildFlyActivationRaWithElytronAuthContextTestCase.class)
            .addPackage(MultipleConnectionFactory1.class.getPackage());
    library.addClasses(AbstractElytronSetupTask.class);

    final StringAsset manifest = new StringAsset(
            "Dependencies: org.jboss.dmr, org.jboss.as.controller, org.jboss.as.controller-client\n");
    // The only permission granted to the adapter: read the PasswordCredential
    // of principal "sa"; the principal name narrows the grant.
    final PrivateCredentialPermission readSaPassword = new PrivateCredentialPermission(
            "javax.resource.spi.security.PasswordCredential org.wildfly.security.auth.principal.NamePrincipal \"sa\"", "read");

    final ResourceAdapterArchive adapter = ShrinkWrap.create(ResourceAdapterArchive.class, "wf-ra-ely-security.rar");
    adapter.addAsLibrary(library);
    adapter.addAsManifestResource(WildFlyActivationRaWithElytronAuthContextTestCase.class.getPackage(), "ra.xml", "ra.xml");
    adapter.addAsManifestResource(manifest, "MANIFEST.MF");
    adapter.addAsManifestResource(PermissionUtils.createPermissionsXmlAsset(readSaPassword), "permissions.xml");
    return adapter;
}

Example 4 with PrivateCredentialPermission

Use of javax.security.auth.PrivateCredentialPermission in project jdk8u_jdk by JetBrains.

From the class PolicyPermissions, method addGrantEntry.

/**
 * Adds one parsed grant entry to {@code policyEntries}.
 *
 * <p>The entry's CodeSource is resolved through {@link #getCodeSource}; a
 * {@code null} result (unknown signedBy alias) skips the entry entirely.
 * Each permission element is then instantiated via {@link #getInstance}.
 * A {@code javax.security.auth.PrivateCredentialPermission} whose target
 * ends in {@code " self"} gets {@code " \"self\""} appended so that it is
 * later recognised as a SELF permission (see {@code addSelfPermissions}).
 * A permission class that cannot be loaded becomes an
 * {@link UnresolvedPermission}, but only when the element has no signer or
 * the signer's certificates were found in {@code keyStore}; an element
 * with an unknown signer is dropped.
 *
 * <p>Failures are reported on {@code System.err} rather than thrown.
 * A failure inside the element loop skips only that element; anything
 * that escapes the loop — including an exception thrown by
 * {@code getCertificates} from within the {@code ClassNotFoundException}
 * handler, which the sibling catch clauses do not cover — abandons the
 * whole entry, so none of its permissions are granted.
 *
 * @param ge the parsed grant entry (signedBy, codeBase, principals and
 *           permission elements)
 * @param keyStore the key store used to resolve signer aliases; consulted
 *                 by {@code getCodeSource} and {@code getCertificates}
 */
private void addGrantEntry(GrantEntry ge, KeyStore keyStore) {
    if (debug != null) {
        debug.println("Adding policy entry: ");
        debug.println("  signedBy " + ge.signedBy);
        debug.println("  codeBase " + ge.codeBase);
        if (ge.principals != null) {
            for (PrincipalEntry pppe : ge.principals) {
                debug.println("  " + pppe.getPrincipalClass() + " " + pppe.getPrincipalName());
            }
        }
        debug.println();
    }
    try {
        CodeSource codesource = getCodeSource(ge, keyStore);
        // skip if signedBy alias was unknown...
        if (codesource == null)
            return;
        PolicyEntry entry = new PolicyEntry(codesource);
        Enumeration<PermissionEntry> enum_ = ge.permissionElements();
        while (enum_.hasMoreElements()) {
            PermissionEntry pe = enum_.nextElement();
            try {
                // XXX special case PrivateCredentialPermission-SELF:
                // a target written as "<credClass> self" is rewritten to
                // "<credClass> self \"self\"" so its principal class and
                // name both read "self".
                Permission perm;
                if (pe.permission.equals("javax.security.auth.PrivateCredentialPermission") && pe.name.endsWith(" self")) {
                    perm = getInstance(pe.permission, pe.name + " \"self\"", pe.action);
                } else {
                    perm = getInstance(pe.permission, pe.name, pe.action);
                }
                entry.add(perm);
                if (debug != null) {
                    debug.println("  " + perm);
                }
            } catch (ClassNotFoundException cnfe) {
                // Permission class not loadable yet: keep it as an
                // UnresolvedPermission, bound to the signer's certificates.
                Certificate[] certs;
                if (pe.signedBy != null) {
                    certs = getCertificates(keyStore, pe.signedBy);
                } else {
                    certs = null;
                }
                // only add if we had no signer or we had a
                // signer and found the keys for it.
                if (certs != null || pe.signedBy == null) {
                    Permission perm = new UnresolvedPermission(pe.permission, pe.name, pe.action, certs);
                    entry.add(perm);
                    if (debug != null) {
                        debug.println("  " + perm);
                    }
                }
            } catch (java.lang.reflect.InvocationTargetException ite) {
                // The permission's constructor itself failed; report the
                // wrapped cause and continue with the next element.
                System.err.println(AUTH_POLICY + rb.getString(".error.adding.Permission.") + pe.permission + rb.getString("SPACE") + ite.getTargetException());
            } catch (Exception e) {
                // Best-effort per element: a malformed element is reported
                // and skipped so the remaining elements still load.
                System.err.println(AUTH_POLICY + rb.getString(".error.adding.Permission.") + pe.permission + rb.getString("SPACE") + e);
            }
        }
        policyEntries.addElement(entry);
    } catch (Exception e) {
        // Anything not handled per element (e.g. a getCertificates failure
        // raised inside the ClassNotFoundException handler above) lands
        // here; the entry is reported and not added at all.
        System.err.println(AUTH_POLICY + rb.getString(".error.adding.Entry.") + ge + rb.getString("SPACE") + e);
    }
    if (debug != null) {
        debug.println();
    }
}

Example 5 with PrivateCredentialPermission

Use of javax.security.auth.PrivateCredentialPermission in project jdk8u_jdk by JetBrains.

From the class BasicProc, method main.

/**
 * Test driver that plays one of four roles depending on {@code args}.
 *
 * <p>With no arguments it acts as the launcher: it creates a KDC holding
 * the user, krbtgt, server and backend principals, writes the keytab and
 * krb5 configuration, starts three child {@code BasicProc} processes
 * ("client", "server", "backend") under a security manager with a small,
 * role-specific set of permissions, and relays the GSS tokens between them
 * in a fixed order. With one argument it behaves as that participant and
 * exchanges tokens through {@code Proc}'s binary/text I/O.
 *
 * @param args empty for the launcher, or exactly one of {@code "client"},
 *             {@code "server"}, {@code "backend"}; any other value does
 *             nothing
 * @throws Exception if a child exits non-zero, the delivered message does
 *                   not read back as {@code "Hello"}, or a Kerberos/GSS
 *                   step fails
 */
public static void main(String[] args) throws Exception {
    final String host = "localhost";
    final String server = "server/" + host;
    final String backend = "backend/" + host;
    final String user = "user";
    final char[] pass = "password".toCharArray();
    final String realm = "REALM";
    // Kerberos V5 GSS-API mechanism OID
    final Oid oid = new Oid("1.2.840.113554.1.2.2");
    if (args.length == 0) {
        runLauncherRole(host, server, backend, user, pass, realm);
    } else if (args[0].equals("client")) {
        runClientRole(server, user, pass, oid);
    } else if (args[0].equals("server")) {
        runServerRole(server, backend, oid);
    } else if (args[0].equals("backend")) {
        runBackendRole(backend, oid);
    }
}

/**
 * Launcher role: stands up the KDC, starts the three participants and
 * relays their tokens, then fails if any of them exited non-zero.
 */
private static void runLauncherRole(String host, String server, String backend, String user, char[] pass, String realm) throws Exception {
    System.setProperty("java.security.krb5.conf", CONF);
    KDC kdc = KDC.create(realm, host, 0, true);
    kdc.addPrincipal(user, pass);
    kdc.addPrincipalRandKey("krbtgt/" + realm);
    kdc.addPrincipalRandKey(server);
    kdc.addPrincipalRandKey(backend);
    String cwd = System.getProperty("user.dir");
    kdc.writeKtab(KTAB);
    KDC.saveConfig(CONF, kdc, "forwardable = true");

    final String tgs = "krbtgt/" + realm + "@" + realm;
    final String serverName = "server/localhost@" + realm;
    final String backendName = "backend/localhost@" + realm;
    final String ktabPath = cwd + File.separator + KTAB;

    // Each child runs with a security manager; besides the common grants in
    // launchParticipant, a role only gets what its GSS exchange needs.
    Proc pc = launchParticipant("client", "C",
            new javax.security.auth.kerberos.ServicePermission(tgs, "initiate"),
            new javax.security.auth.kerberos.ServicePermission(serverName, "initiate"),
            new javax.security.auth.kerberos.DelegationPermission("\"" + serverName + "\" \"" + tgs + "\""));
    Proc ps = launchParticipant("server", "S",
            new PrivateCredentialPermission("javax.security.auth.kerberos.KeyTab * \"*\"", "read"),
            new javax.security.auth.kerberos.ServicePermission(serverName, "accept"),
            new java.io.FilePermission(ktabPath, "read"),
            new javax.security.auth.kerberos.ServicePermission(backendName, "initiate"));
    Proc pb = launchParticipant("backend", "B",
            new PrivateCredentialPermission("javax.security.auth.kerberos.KeyTab * \"*\"", "read"),
            new javax.security.auth.kerberos.ServicePermission(backendName, "accept"),
            new java.io.FilePermission(ktabPath, "read"));

    // Client <-> server handshake
    relayToken(pc, ps);
    relayToken(ps, pc);
    // Server <-> backend handshake (server uses the delegated credential)
    relayToken(ps, pb);
    relayToken(pb, ps);
    // wrap/unwrap, getMic/verifyMic, then the plain text echoed back
    relayToken(ps, pb);
    relayToken(pb, ps);
    relayToken(pb, ps);

    if ((pc.waitFor() | ps.waitFor() | pb.waitFor()) != 0) {
        throw new Exception();
    }
}

/**
 * Builds and starts one BasicProc child: common krb5/security-manager
 * setup plus the given role-specific permissions, applied in order.
 */
private static Proc launchParticipant(String role, String debugTag, java.security.Permission... rolePerms) throws Exception {
    Proc child = Proc.create("BasicProc")
            .args(role)
            .prop("java.security.krb5.conf", CONF)
            .prop("java.security.manager", "")
            .perm(new java.util.PropertyPermission("sun.security.krb5.principal", "read"))
            .perm(new javax.security.auth.AuthPermission("modifyPrincipals"))
            .perm(new javax.security.auth.AuthPermission("modifyPrivateCredentials"))
            .perm(new javax.security.auth.AuthPermission("doAs"));
    for (java.security.Permission rolePerm : rolePerms) {
        child = child.perm(rolePerm);
    }
    return child.debug(debugTag).start();
}

/** Reads one data line from {@code from} and writes it to {@code to}. */
private static void relayToken(Proc from, Proc to) throws Exception {
    to.println(from.readData());
}

/** Client role: authenticates with the password and requests credential delegation to the server. */
private static void runClientRole(String server, String user, char[] pass, Oid oid) throws Exception {
    Context c = Context.fromUserPass(user, pass, false);
    c.startAsClient(server, oid);
    c.x().requestCredDeleg(true);
    Proc.binOut(c.take(new byte[0]));
    c.take(Proc.binIn());
}

/**
 * Server role: accepts the client, then uses the delegated credential to
 * reach the backend, wraps "Hello" for it and checks the MIC and echo.
 */
private static void runServerRole(String server, String backend, Oid oid) throws Exception {
    Context s = Context.fromUserKtab(server, KTAB, true);
    s.startAsServer(oid);
    Proc.binOut(s.take(Proc.binIn()));
    Context s2 = s.delegated();
    s2.startAsClient(backend, oid);
    Proc.binOut(s2.take(new byte[0]));
    s2.take(Proc.binIn());
    // platform default charset, as in the original
    byte[] msg = "Hello".getBytes();
    Proc.binOut(s2.wrap(msg, true));
    s2.verifyMic(Proc.binIn(), msg);
    if (!Proc.textIn().equals("Hello")) {
        throw new Exception();
    }
}

/** Backend role: accepts the server's delegated context, unwraps the message, returns a MIC and the text. */
private static void runBackendRole(String backend, Oid oid) throws Exception {
    Context b = Context.fromUserKtab(backend, KTAB, true);
    b.startAsServer(oid);
    Proc.binOut(b.take(Proc.binIn()));
    byte[] msg = b.unwrap(Proc.binIn(), true);
    Proc.binOut(b.getMic(msg));
    // platform default charset, as in the original
    Proc.textOut(new String(msg));
}
