use of org.bouncycastle.asn1.x500.X500Name in project Payara by payara.
the class Counter method createIdCred.
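/**
 * Create an identity from an Identity Token and stores it as a public credential in the JAAS
 * subject in a security context.
 *
 * <p>The token content is client-supplied and is taken at face value here: this method only
 * decodes it (unwrapping the CDR encoding where present, Issue 5766) and records the resulting
 * credential. It does not decide whether the asserted identity may be trusted; that is left to
 * the caller.
 *
 * <p>Sets the {@code identcls} field in the security context to the class of the credential that
 * was added, or {@code null} when the token carries no identity.
 *
 * @param securityContext security context whose subject receives the credential
 * @param identityToken the identity token taken from the received SAS context
 * @throws SecurityException if the token type is unknown, the GSS exported name does not carry
 *     the GSSUP mechanism OID, or an X.509 certificate chain token contains no certificate
 * @throws Exception if decoding or parsing of the token content fails
 */
private void createIdCred(SecurityContext securityContext, IdentityToken identityToken) throws Exception {
    // used to hold DER encodings
    byte[] derEncoding;
    // Any object returned from codec.decode_value()
    Any any;
    switch (identityToken.discriminator()) {
        case ITTAbsent.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is Absent");
            }
            securityContext.identcls = null;
            break;
        case ITTAnonymous.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is Anonymous");
                logger.log(FINE, "Adding AnonyCredential to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(new AnonCredential());
            securityContext.identcls = AnonCredential.class;
            break;
        case ITTDistinguishedName.value:
            // Construct a X500Name
            derEncoding = identityToken.dn();
            // Issue 5766: Decode CDR encoding if necessary
            if (isCDR(derEncoding)) {
                any = codec.decode_value(derEncoding, X501DistinguishedNameHelper.type());
                // Extract the DER encoding wrapped inside the CDR value
                derEncoding = X501DistinguishedNameHelper.extract(any);
            }
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Create an X500Name object from identity token");
            }
            X500Name xname = new X500Name(derEncoding);
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity to be asserted is " + xname.toString());
                logger.log(FINE, "Adding X500Name to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(xname);
            securityContext.identcls = X500Name.class;
            break;
        case ITTX509CertChain.value:
            // Construct a X509CertificateChain
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is a X509 Certificate Chain");
            }
            derEncoding = identityToken.certificate_chain();
            // Issue 5766: Decode CDR encoding if necessary
            if (isCDR(derEncoding)) {
                any = codec.decode_value(derEncoding, X509CertificateChainHelper.type());
                // Extract DER encoding
                derEncoding = X509CertificateChainHelper.extract(any);
            }
            DerInputStream din = new DerInputStream(derEncoding);
            // The size passed to getSequence() is only an initial capacity hint; the returned
            // array holds one DerValue per element of the SEQUENCE, each expected to be a certificate.
            DerValue[] derval = din.getSequence(1);
            // An empty chain has no end-entity certificate to name the credential after
            // (certchain[0] below); reject it explicitly instead of failing with an array index error.
            if (derval.length == 0) {
                throw new SecurityException("Identity token contains an empty X.509 certificate chain");
            }
            // X509Certificate has no constructor that takes a DER encoding, so the chain is built
            // from X509CertImpl, which extends X509Certificate and implements the DerEncoder interface.
            X509Certificate[] certchain = new X509CertImpl[derval.length];
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Contents of X509 Certificate chain:");
            }
            for (int i = 0; i < certchain.length; i++) {
                certchain[i] = new X509CertImpl(derval[i]);
                if (logger.isLoggable(FINE)) {
                    logger.log(FINE, " " + certchain[i].getSubjectDN().getName());
                }
            }
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Creating a X509CertificateCredential object from certchain");
            }
            // The alias field in the X509CertificateCredential is currently ignored by the RI, so the
            // fixed value "default" is passed.
            X509CertificateCredential cred = new X509CertificateCredential(certchain,
                    certchain[0].getSubjectDN().getName(), "default");
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Adding X509CertificateCredential to subject's PublicCredentials");
            }
            securityContext.subject.getPublicCredentials().add(cred);
            securityContext.identcls = X509CertificateCredential.class;
            break;
        case ITTPrincipalName.value:
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Identity token type is GSS Exported Name");
            }
            byte[] expname = identityToken.principal_name();
            // Issue 5766: Decode CDR encoding if necessary
            if (isCDR(expname)) {
                any = codec.decode_value(expname, GSS_NT_ExportedNameHelper.type());
                expname = GSS_NT_ExportedNameHelper.extract(any);
            }
            // Only GSSUP exported names are accepted; any other mechanism OID is rejected.
            if (!verifyMechOID(GSSUP_MECH_OID, expname)) {
                throw new SecurityException(localStrings.getLocalString(
                        "secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
            }
            GSSUPName gssname = new GSSUPName(expname);
            securityContext.subject.getPublicCredentials().add(gssname);
            securityContext.identcls = GSSUPName.class;
            if (logger.isLoggable(FINE)) {
                logger.log(FINE, "Adding GSSUPName credential to subject");
            }
            break;
        default:
            logger.log(SEVERE, "iiop.unknown_identity");
            throw new SecurityException(localStrings.getLocalString(
                    "secserverreqinterceptor.err_unknown_idassert_type", "Unknown identity assertion type."));
    }
}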
use of org.bouncycastle.asn1.x500.X500Name in project Payara by payara.
the class SecurityMechanismSelector method evaluateTrust.
/**
 * Called by the target to interpret client credentials after validation.
 *
 * <p>Determines whether the request arrived over SSL and whether the peer presented a
 * certificate chain, checks the client against the configured security policies through
 * {@code evaluate_client_conformance}, and then returns the security context for the
 * invocation: {@code null} when none is needed (local call, or no SAS context and no
 * transport principal), a fresh context holding the TLS client certificate's subject name
 * when no SAS context was received, or the received context with {@code identcls} and
 * {@code authcls} normalised so that an asserted identity takes precedence over an
 * authenticated client, and an anonymous identity is recorded when neither is present.
 *
 * @param ctx security context built from the received SAS context, or {@code null}
 * @param object_id target object id, passed through to the conformance check
 * @param socket transport socket of the request, or {@code null}
 * @return the security context to use, or {@code null} if none is needed
 * @throws SecurityMechanismException if the client does not conform to the configured policies
 */
public SecurityContext evaluateTrust(SecurityContext ctx, byte[] object_id, Socket socket) throws SecurityMechanismException {
    // true when the request came in over an SSLSocket
    boolean overSsl = false;
    // non-null only when the client authenticated at the SSL level
    X509Certificate[] peerChain = null;

    if (socket instanceof SSLSocket) {
        overSsl = true;
        SSLSession session = ((SSLSocket) socket).getSession();
        try {
            peerChain = (X509Certificate[]) session.getPeerCertificates();
        } catch (Exception e) {
            // No client certificate available: continue as SSL without a transport principal.
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "iiop.cannot_get_peercert", e);
            }
        }
    }

    // A local invocation (client thread is this thread and no SAS context was received)
    // bypasses the policy checks.
    // XXX: Workaround for non-null connection object ri for local invocation.
    Long clientThreadId = ConnectionExecutionContext.readClientThreadID();
    boolean localInvocation = clientThreadId != null
            && clientThreadId == Thread.currentThread().getId()
            && ctx == null;
    if (localInvocation) {
        return null;
    }

    if (!evaluate_client_conformance(ctx, object_id, overSsl, peerChain)) {
        throw new SecurityMechanismException(
                "Trust evaluation failed because client does not conform to configured security policies");
    }

    if (ctx == null) {
        if (socket == null || !overSsl || peerChain == null) {
            // no security ctx is needed.
            return null;
        }
        // Only a transport principal is available: the TLS client certificate's subject
        // becomes the identity, with no authentication class.
        SecurityContext transportCtx = new SecurityContext();
        // NOTE(review): getSubjectDN() is only an X500Name for the JDK's own certificate
        // implementation; a chain from another provider would fail this cast — confirm.
        X500Name subjectName = (X500Name) peerChain[0].getSubjectDN();
        transportCtx.subject = new Subject();
        transportCtx.subject.getPublicCredentials().add(subjectName);
        transportCtx.identcls = X500Name.class;
        transportCtx.authcls = null;
        return transportCtx;
    }

    // A SAS context was received: reuse it, keeping exactly one of identcls/authcls set.
    Class assertedIdentity = ctx.identcls;
    Class authenticatedClient = ctx.authcls;
    ctx.authcls = null;
    ctx.identcls = null;
    if (assertedIdentity != null) {
        ctx.identcls = assertedIdentity;
    } else if (authenticatedClient != null) {
        ctx.authcls = authenticatedClient;
    } else {
        ctx.identcls = AnonCredential.class;
    }
    return ctx;
}
use of org.bouncycastle.asn1.x500.X500Name in project Payara by payara.
the class LoginContextDriver method doX500Login.
/**
 * A special case login for X500Name credentials.
 * This is invoked for certificate login because the containers
 * extract the X.500 name from the X.509 certificate before calling
 * into this class.
 *
 * <p>The subject is expected to already carry an {@code X500Name} public credential; no
 * certificate validation happens here (it has been done by the time this is called). The
 * certificate realm is given the chance to run its JAAS login context and to adjust the
 * security context (groups, principal name) before the login is audited.
 *
 * @param s the subject holding the X.500 name credential
 * @param appModuleID the application module id passed to the login callback handler
 * @throws LoginException if the realm's login or authentication fails; any other failure is
 *     wrapped in a {@code LoginException} with the original exception as its cause
 */
public static void doX500Login(Subject s, String appModuleID) throws LoginException {
    if (_logger.isLoggable(Level.FINE)) {
        _logger.fine("Processing X.500 name login.");
    }
    String principalName = null;
    String realmName = null;
    try {
        X500Name subjectDn = (X500Name) getPublicCredentials(s, X500Name.class);
        principalName = subjectDn.getName();

        // The RI-inherited implementation created the credentials and set the security
        // context directly, which left the certificate realm no chance to process the
        // request. The realm does no authentication here (already done), but it may adjust
        // groups, the principal name or other parts of the security context. Bug 4646134
        // still applies.
        Realm realm = Realm.getInstance(CertificateRealm.AUTH_TYPE);
        if (realm instanceof CertificateRealm) {
            // expected to always be the case
            CertificateRealm certRealm = (CertificateRealm) realm;
            String jaasCtx = certRealm.getJAASContext();
            if (jaasCtx != null) {
                // The subject already holds the certificate credential.
                LoginContext loginContext = new LoginContext(jaasCtx, s,
                        new ServerLoginCallbackHandler(principalName, null, appModuleID));
                loginContext.login();
            }
            certRealm.authenticate(s, subjectDn);
            realmName = CertificateRealm.AUTH_TYPE;
            if (getAuditManager().isAuditOn()) {
                getAuditManager().authentication(principalName, realmName, true);
            }
        } else {
            _logger.warning(SecurityLoggerInfo.certLoginBadRealmError);
            realmName = realm.getName();
            setSecurityContext(principalName, s, realmName);
        }

        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("X.500 name login succeeded for : " + principalName);
        }
    } catch (LoginException loginFailure) {
        // Audit the failed attempt with whatever is known so far, then let it propagate.
        if (getAuditManager().isAuditOn()) {
            getAuditManager().authentication(principalName, realmName, false);
        }
        throw loginFailure;
    } catch (Exception other) {
        throw (LoginException) new LoginException(other.toString()).initCause(other);
    }
}
use of org.bouncycastle.asn1.x500.X500Name in project Payara by payara.
the class LDAPRealm method getGroups.
/**
 * Looks up the groups of a user by running the configured static and dynamic group searches
 * against the directory.
 *
 * <p>The subject name substituted into the search filters is the common name of
 * {@code userDN}; a DN without a CN falls back to its {@code uid=} component, and a value that
 * does not parse as a DN at all is used unchanged (GLASSFISH-19595). Both the derived name and
 * the raw DN are substituted into the filters verbatim by {@code substitute}.
 * NOTE(review): no LDAP filter escaping is visible in this block, so correctness of the
 * filters relies on {@code userDN} coming from the directory rather than from raw user input;
 * confirm at the call sites.
 *
 * @param userDN the user's distinguished name (or a bare name for simple setups)
 * @return the group names found, or {@code null} if the directory search failed
 */
private List<String> getGroups(String userDN) {
    // no authentication has happened through the realm.
    DirContext dirCtx = null;
    String dynMember = getProperty(PARAM_DYNAMIC_GRP_TARGET);
    try {
        dirCtx = new InitialDirContext(getLdapBindProps());

        String subjectName = userDN;
        try {
            subjectName = new X500Name(userDN).getCommonName();
        } catch (IOException e) {
            // Not a parseable DN: keep the value as given so simple group names work as userDN
            // (Issue GLASSFISH-19595).
        }
        if (subjectName == null && userDN != null && userDN.startsWith("uid")) {
            // handle uid=XXX here where cn is not present
            // TODO :maybe there is a better way to handle this??
            subjectName = uidFromDn(userDN);
        }

        StringBuffer staticFilter = new StringBuffer(getProperty(PARAM_GRP_SEARCH_FILTER));
        StringBuffer dynamicFilter = new StringBuffer(getProperty(PARAM_DYNAMIC_GRP_FILTER));
        substitute(staticFilter, SUBST_SUBJECT_NAME, subjectName);
        substitute(staticFilter, SUBST_SUBJECT_DN, userDN);
        substitute(dynamicFilter, SUBST_SUBJECT_NAME, subjectName);
        substitute(dynamicFilter, SUBST_SUBJECT_DN, userDN);

        List<String> groups = new ArrayList<String>();
        groups.addAll(groupSearch(dirCtx, getProperty(PARAM_GRPDN), staticFilter.toString(),
                getProperty(PARAM_GRP_TARGET)));
        // The dynamic search filter is constructed internally as a groupOfURLs search.
        groups.addAll(dynamicGroupSearch(dirCtx, getProperty(PARAM_GRPDN), dynMember,
                dynamicFilter.toString(), getProperty(PARAM_GRP_TARGET)));
        return groups;
    } catch (Exception e) {
        _logger.log(Level.WARNING, "ldaprealm.groupsearcherror", e);
    } finally {
        if (dirCtx != null) {
            try {
                dirCtx.close();
            } catch (NamingException e) {
                _logger.log(Level.WARNING, "ldaprealm.exception", e);
            }
        }
    }
    return null;
}

/**
 * Extracts the value of the first {@code uid=} component of a DN, taken up to the first comma.
 *
 * @param dn the distinguished name to inspect
 * @return the uid value, or {@code null} if the DN has no {@code uid=} component or no comma
 */
private static String uidFromDn(String dn) {
    int start = dn.indexOf("uid=");
    int end = dn.indexOf(",");
    if (start == -1 || end == -1) {
        return null;
    }
    return dn.substring(start + 4, end);
}