use of org.apache.knox.gateway.security.ImpersonatedPrincipal in project knox by apache.
In class AbstractIdentityAssertionFilter, method continueChainAsPrincipal.
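/**
 * Recreate the current Subject based upon the provided mappedPrincipal
 * and look for the groups that should be associated with the new Subject.
 * Upon finding groups mapped to the principal - add them to the new Subject.
 * <p>
 * The rebuilt Subject always keeps the authenticated {@link PrimaryPrincipal}
 * and every {@link GroupPrincipal} of the current Subject. When
 * {@code mappedPrincipalName} differs from the authenticated name an
 * {@link ImpersonatedPrincipal} is added, the proxy user is recorded on the
 * audit context and an {@code IDENTITY_MAPPING} audit event is written, so the
 * identity change is both visible to downstream code and traceable. Group
 * mappings for the mapped name and for the wildcard {@code "*"} are added when
 * any group mapping applies. If neither impersonation nor group mapping is
 * needed and the current Subject already carried a PrimaryPrincipal, the chain
 * continues under the current Subject unchanged.
 *
 * @param request the current request
 * @param response the current response
 * @param chain the filter chain to continue
 * @param mappedPrincipalName the effective user name the remainder of the chain runs as
 * @throws ServletException if no authenticated principal is available from either the
 *         current Subject or the request; identity assertion must not proceed without one
 * @throws IOException propagated from the filter chain
 */
protected void continueChainAsPrincipal(final ServletRequest request, final ServletResponse response, final FilterChain chain, String mappedPrincipalName) throws IOException, ServletException {
  // look up the current Java Subject and associated group principals.
  // Subject.getSubject() returns null when no Subject is bound to the current
  // AccessControlContext; substituting an empty Subject lets the fallback
  // below apply instead of failing with a NullPointerException.
  Subject currentSubject = Subject.getSubject(AccessController.getContext());
  if (currentSubject == null) {
    currentSubject = new Subject();
  }
  Set<GroupPrincipal> currentGroups = currentSubject.getPrincipals(GroupPrincipal.class);
  Set<PrimaryPrincipal> primaries = currentSubject.getPrincipals(PrimaryPrincipal.class);

  // Subject.getPrincipals(Class) returns an empty set, never null, when the
  // authentication/federation providers did not establish a PrimaryPrincipal.
  // Indexing toArray()[0] on that empty set would throw before the fallback
  // could run, so take the first element only when one exists.
  Principal primaryPrincipal = primaries.isEmpty() ? null : primaries.iterator().next();
  boolean primaryPrincipalRecovered = false;
  if (primaryPrincipal == null) {
    // something is amiss - authentication/federation providers should have run
    // before identity assertion and should have ensured that the appropriate
    // principals were added to the current subject
    // TODO: log as appropriate
    Principal requestPrincipal = ((HttpServletRequest) request).getUserPrincipal();
    if (requestPrincipal == null) {
      // no authenticated identity anywhere: fail closed rather than assert one
      throw new ServletException("No authenticated principal available for identity assertion");
    }
    primaryPrincipal = new PrimaryPrincipal(requestPrincipal.getName());
    // the current Subject lacks the PrimaryPrincipal, so a rebuilt Subject is
    // required even when no mapping applies
    primaryPrincipalRecovered = true;
  }

  // determine whether we need another doAs with an impersonatedPrincipal
  // and/or mapped group principals. The comparison uses the authenticated
  // name wherever it came from, so every identity change is represented by
  // an ImpersonatedPrincipal and audited.
  boolean impersonationNeeded = !primaryPrincipal.getName().equals(mappedPrincipalName);
  if (impersonationNeeded) {
    auditService.getContext().setProxyUsername(mappedPrincipalName);
    auditor.audit(Action.IDENTITY_MAPPING, primaryPrincipal.getName(), ResourceType.PRINCIPAL, ActionOutcome.SUCCESS);
  }
  boolean groupsMapped = areGroupsMappedForPrincipal(mappedPrincipalName) || !currentGroups.isEmpty();

  if (impersonationNeeded || groupsMapped || primaryPrincipalRecovered) {
    // gonna need a new subject and doAs
    Subject subject = new Subject();
    Set<Principal> principals = subject.getPrincipals();
    principals.add(primaryPrincipal);
    // map group principals from current Subject into newly created Subject
    principals.addAll(currentGroups);
    if (impersonationNeeded) {
      principals.add(new ImpersonatedPrincipal(mappedPrincipalName));
    }
    if (groupsMapped) {
      addMappedGroupsToSubject(mappedPrincipalName, subject);
      addMappedGroupsToSubject("*", subject);
    }
    doAs(request, response, chain, subject);
  } else {
    doFilterInternal(request, response, chain);
  }
}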
use of org.apache.knox.gateway.security.ImpersonatedPrincipal in project knox by apache.
In class AbstractIdentityAssertionFilter, method continueChainAsPrincipal.
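/**
 * Recreate the current Subject based upon the provided mappedPrincipal and the
 * supplied group names, then continue the filter chain as that Subject.
 * <p>
 * The rebuilt Subject always keeps the authenticated {@link PrimaryPrincipal}
 * and every {@link GroupPrincipal} of the current Subject. When
 * {@code mappedPrincipalName} differs from the authenticated name an
 * {@link ImpersonatedPrincipal} is added, the proxy user is recorded on the
 * audit context and an {@code IDENTITY_MAPPING} audit event carrying the
 * effective user is written. The supplied {@code groups} are mapped onto the
 * new Subject via {@code addMappedGroupsToSubject}. If neither impersonation
 * nor group mapping is needed and the current Subject already carried a
 * PrimaryPrincipal, the chain continues under the current Subject unchanged.
 *
 * @param request the current (wrapped) request
 * @param response the current response
 * @param chain the filter chain to continue
 * @param mappedPrincipalName the effective user name the remainder of the chain runs as
 * @param groups group names to map onto the new Subject; {@code null} means none were supplied
 * @throws ServletException if no authenticated principal is available from either the
 *         current Subject or the request; identity assertion must not proceed without one
 * @throws IOException propagated from the filter chain
 */
protected void continueChainAsPrincipal(HttpServletRequestWrapper request, ServletResponse response, FilterChain chain, String mappedPrincipalName, String[] groups) throws IOException, ServletException {
  // look up the current Java Subject and associated group principals.
  // Subject.getSubject() returns null when no Subject is bound to the current
  // AccessControlContext; substituting an empty Subject lets the fallback
  // below apply instead of failing with a NullPointerException.
  Subject currentSubject = Subject.getSubject(AccessController.getContext());
  if (currentSubject == null) {
    currentSubject = new Subject();
  }
  Set<GroupPrincipal> currentGroups = currentSubject.getPrincipals(GroupPrincipal.class);
  Set<PrimaryPrincipal> primaries = currentSubject.getPrincipals(PrimaryPrincipal.class);

  // Subject.getPrincipals(Class) returns an empty set, never null, when the
  // authentication/federation providers did not establish a PrimaryPrincipal.
  // Indexing toArray()[0] on that empty set would throw before the fallback
  // could run, so take the first element only when one exists.
  Principal primaryPrincipal = primaries.isEmpty() ? null : primaries.iterator().next();
  boolean primaryPrincipalRecovered = false;
  if (primaryPrincipal == null) {
    // something is amiss - authentication/federation providers should have run
    // before identity assertion and should have ensured that the appropriate
    // principals were added to the current subject
    // TODO: log as appropriate
    // HttpServletRequestWrapper is already an HttpServletRequest; no cast needed
    Principal requestPrincipal = request.getUserPrincipal();
    if (requestPrincipal == null) {
      // no authenticated identity anywhere: fail closed rather than assert one
      throw new ServletException("No authenticated principal available for identity assertion");
    }
    primaryPrincipal = new PrimaryPrincipal(requestPrincipal.getName());
    // the current Subject lacks the PrimaryPrincipal, so a rebuilt Subject is
    // required even when no mapping applies
    primaryPrincipalRecovered = true;
  }

  // determine whether we need another doAs with an impersonatedPrincipal
  // and/or mapped group principals. The comparison uses the authenticated
  // name wherever it came from, so every identity change is represented by
  // an ImpersonatedPrincipal and audited.
  boolean impersonationNeeded = !primaryPrincipal.getName().equals(mappedPrincipalName);
  if (impersonationNeeded) {
    auditService.getContext().setProxyUsername(mappedPrincipalName);
    auditor.audit(Action.IDENTITY_MAPPING, primaryPrincipal.getName(), ResourceType.PRINCIPAL, ActionOutcome.SUCCESS, RES.effectiveUser(mappedPrincipalName));
  }
  // a non-null (even empty) groups array counts as a mapping request, as before
  boolean groupsMapped = groups != null || !currentGroups.isEmpty();

  if (impersonationNeeded || groupsMapped || primaryPrincipalRecovered) {
    // gonna need a new subject and doAs
    Subject subject = new Subject();
    Set<Principal> principals = subject.getPrincipals();
    principals.add(primaryPrincipal);
    // map group principals from current Subject into newly created Subject
    principals.addAll(currentGroups);
    if (impersonationNeeded) {
      principals.add(new ImpersonatedPrincipal(mappedPrincipalName));
    }
    if (groupsMapped) {
      addMappedGroupsToSubject(mappedPrincipalName, groups, subject);
    }
    doAs(request, response, chain, subject);
  } else {
    doFilterInternal(request, response, chain);
  }
}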