
Example 1 with SecurityRoleMapper

use of org.glassfish.deployment.common.SecurityRoleMapper in project Payara by payara.

the class RoleMapperFactory method getRoleMapper.

/**
 * Returns the RoleMapper registered for {@code appName}, creating and caching a new one
 * on first use.
 *
 * @param appName application name the RoleMapper is keyed by in {@code ROLEMAPPER}
 * @param fact    role mapper factory supplied by the caller; not read by this
 *                implementation
 * @return the RoleMapper for the application (never null)
 */
public RoleMapper getRoleMapper(String appName, SecurityRoleMapperFactory fact) {
    Object cached = ROLEMAPPER.get(appName);
    if (cached != null) {
        return (RoleMapper) cached;
    }
    // NOTE(review): this get-then-put is not atomic; if ROLEMAPPER is shared across
    // threads, two concurrent callers may each build a RoleMapper and the later put
    // wins -- confirm whether that is acceptable for this registry.
    RoleMapper created = new RoleMapper(appName);
    ROLEMAPPER.put(appName, created);
    return created;
}

Example 2 with SecurityRoleMapper

use of org.glassfish.deployment.common.SecurityRoleMapper in project Payara by payara.

the class PolicyConfigurationImpl method generatePermissions.

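/**
 * Writes the policy files for this policy context from the permissions collected so far.
 * Nothing is done unless a write is pending ({@code writeOnCommit}).
 *
 * <p>The grants produced are:
 * <ul>
 *   <li>one unconditional grant holding every unchecked permission;</li>
 *   <li>one grant per (role, mapped principal) pair holding that role's permissions; a
 *       role with no mapped principals gets no grant at all (only a warning is logged),
 *       and the JACC MR8 role {@code **} falls back to the wildcard principal, i.e. any
 *       authenticated user;</li>
 *   <li>a separate "excluded" policy file holding every excluded permission.</li>
 * </ul>
 *
 * @throws java.io.FileNotFoundException propagated from {@code createPolicyFile}
 * @throws java.io.IOException propagated from {@code createPolicyFile}
 * @throws RuntimeException if role permissions exist but no role-to-subject mapping could
 *         be obtained, or if a linked policy context resolves to a different
 *         role-to-subject map
 */
private void generatePermissions() throws java.io.FileNotFoundException, java.io.IOException {
    if (!writeOnCommit) {
        return;
    }
    // otherwise proceed to write policy file
    Map roleToSubjectMap = null;
    SecurityRoleMapperFactory factory = SecurityRoleMapperFactoryGen.getSecurityRoleMapperFactory();
    // Make sure a role to subject map has been defined for the Policy Context
    if (rolePermissionsTable != null && factory != null) {
        // the rolemapper is stored against the appname; for a web app get the appname
        // for this contextid
        SecurityRoleMapper srm = factory.getRoleMapper(CONTEXT_ID);
        if (srm != null) {
            roleToSubjectMap = srm.getRoleToSubjectMapping();
        }
        if (roleToSubjectMap != null) {
            checkLinkedContextsShareRoleMap(factory, roleToSubjectMap);
        }
    }
    // Role permissions without a role mapping cannot be written safely: fail the commit.
    if (roleToSubjectMap == null && rolePermissionsTable != null) {
        String defMsg = "This application has no role mapper factory defined";
        String msg = localStrings.getLocalString("pc.role_map_not_defined_at_commit", defMsg, new Object[] { CONTEXT_ID });
        logger.log(Level.SEVERE, msg);
        throw new RuntimeException(localStrings.getLocalString("enterprise.deployment.deployment.norolemapperfactorydefine", defMsg));
    }
    PolicyParser parser = new PolicyParser(false);
    // load unchecked grants in parser
    if (uncheckedPermissions != null) {
        addUnconditionalGrant(parser, uncheckedPermissions.elements());
    }
    // load role based grants in parser
    if (rolePermissionsTable != null) {
        Iterator roleIt = rolePermissionsTable.keySet().iterator();
        while (roleIt.hasNext()) {
            String roleName = (String) roleIt.next();
            addRoleGrants(parser, roleToSubjectMap, roleName);
        }
    }
    writeOnCommit = createPolicyFile(true, parser, writeOnCommit);
    // load excluded perms in excluded parser
    if (excludedPermissions != null) {
        PolicyParser excludedParser = new PolicyParser(false);
        addUnconditionalGrant(excludedParser, excludedPermissions.elements());
        writeOnCommit = createPolicyFile(false, excludedParser, writeOnCommit);
    }
    if (!writeOnCommit) {
        wasRefreshed = false;
    }
}

/**
 * Verifies that every policy context linked to {@code CONTEXT_ID} resolves to the very
 * same role-to-subject map instance (identity, not equality) as this context.
 *
 * @param factory          the role mapper factory used to look up the linked contexts
 * @param roleToSubjectMap this context's role-to-subject map
 * @throws RuntimeException if a linked context has a different map (or none)
 */
private void checkLinkedContextsShareRoleMap(SecurityRoleMapperFactory factory, Map roleToSubjectMap) {
    // make sure all linked PC's have the same roleToSubjectMap
    // NOTE(review): 'fact' is presumably the factory field that owns the link table -- confirm
    Set linkSet = (Set) fact.getLinkTable().get(CONTEXT_ID);
    if (linkSet == null) {
        return;
    }
    Iterator it = linkSet.iterator();
    while (it.hasNext()) {
        String contextId = (String) it.next();
        if (CONTEXT_ID.equals(contextId)) {
            continue;
        }
        SecurityRoleMapper otherSrm = factory.getRoleMapper(contextId);
        Map otherRoleToSubjectMap = (otherSrm != null) ? otherSrm.getRoleToSubjectMapping() : null;
        if (otherRoleToSubjectMap != roleToSubjectMap) {
            String defMsg = "Linked policy contexts have different roleToSubjectMaps (" + CONTEXT_ID + ")<->(" + contextId + ")";
            String msg = localStrings.getLocalString("pc.linked_with_different_role_maps", defMsg, new Object[] { CONTEXT_ID, contextId });
            logger.log(Level.SEVERE, msg);
            throw new RuntimeException(defMsg);
        }
    }
}

/**
 * Adds the grants for one role: one grant per non-null principal mapped to the role, or
 * a wildcard-principal grant when the role is {@code **} and no principal was mapped.
 * A role that ends up with no grant is only reported with a warning.
 *
 * @param parser           the parser collecting the grants
 * @param roleToSubjectMap role name to {@code Subject} mapping; must not be null here
 * @param roleName         the role being processed
 */
private void addRoleGrants(PolicyParser parser, Map roleToSubjectMap, String roleName) {
    boolean withPrincipals = false;
    Permissions rolePerms = getRolePermissions(roleName);
    Subject rolePrincipals = (Subject) roleToSubjectMap.get(roleName);
    if (rolePrincipals != null) {
        Iterator pit = rolePrincipals.getPrincipals().iterator();
        while (pit.hasNext()) {
            Principal prin = (Principal) pit.next();
            if (prin == null) {
                String msg = localStrings.getLocalString("pc.non_principal_mapped_to_role", "non principal mapped to role " + roleName, new Object[] { prin, roleName });
                logger.log(Level.WARNING, msg);
                continue;
            }
            withPrincipals = true;
            // escapeName protects the policy-file syntax from characters in the principal name
            PrincipalEntry prinEntry = new PrincipalEntry(prin.getClass().getName(), escapeName(prin.getName()));
            addPrincipalGrant(parser, prinEntry, rolePerms);
        }
    }
    // JACC MR8: add grant for the any-authenticated-user role '**'
    if (!withPrincipals && "**".equals(roleName)) {
        withPrincipals = true;
        PrincipalEntry prinEntry = new PrincipalEntry(PrincipalEntry.WILDCARD_CLASS, PrincipalEntry.WILDCARD_NAME);
        addPrincipalGrant(parser, prinEntry, rolePerms);
        if (logger.isLoggable(Level.FINE)) {
            logger.fine("JACC Policy Provider: added role grant for any authenticated user");
        }
    }
    if (!withPrincipals) {
        String msg = localStrings.getLocalString("pc.no_principals_mapped_to_role", "no principals mapped to role " + roleName, new Object[] { roleName });
        logger.log(Level.WARNING, msg);
    }
}

/**
 * Adds one grant for {@code prinEntry} carrying every permission in {@code rolePerms}.
 *
 * @param parser    the parser collecting the grants
 * @param prinEntry the principal the grant applies to
 * @param rolePerms the permissions to grant
 */
private static void addPrincipalGrant(PolicyParser parser, PrincipalEntry prinEntry, Permissions rolePerms) {
    GrantEntry grant = new GrantEntry();
    grant.principals.add(prinEntry);
    addPermissionEntries(grant, rolePerms.elements());
    parser.add(grant);
}

/**
 * Adds a single grant with no principal (applies unconditionally) holding every
 * permission in {@code perms}; adds nothing when the enumeration is empty.
 *
 * @param parser the parser collecting the grants
 * @param perms  enumeration of {@code Permission} instances
 */
private static void addUnconditionalGrant(PolicyParser parser, Enumeration<?> perms) {
    if (perms.hasMoreElements()) {
        GrantEntry grant = new GrantEntry();
        addPermissionEntries(grant, perms);
        parser.add(grant);
    }
}

/**
 * Copies every {@code Permission} in {@code perms} into {@code grant} as a
 * {@code PermissionEntry} (class name, target name, actions).
 *
 * @param grant the grant to add entries to
 * @param perms enumeration of {@code Permission} instances
 */
private static void addPermissionEntries(GrantEntry grant, Enumeration<?> perms) {
    while (perms.hasMoreElements()) {
        Permission p = (Permission) perms.nextElement();
        grant.add(new PermissionEntry(p.getClass().getName(), p.getName(), p.getActions()));
    }
}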

Example 3 with SecurityRoleMapper

use of org.glassfish.deployment.common.SecurityRoleMapper in project Payara by payara.

the class WebBundleRuntimeNode method addDescriptor.

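/**
 * Adds a new DOL descriptor instance to the descriptor instance associated with this XMLNode.
 *
 * <p>Runtime sub-descriptors are routed to the {@code SunWebAppImpl} held by this node's
 * descriptor. A {@code SecurityRoleMapping} is additionally replayed into the
 * application's {@code SecurityRoleMapper}, assigning the role to each listed principal
 * and group, so the pure DOL view agrees with the runtime descriptor. Any other
 * descriptor type is forwarded to the superclass.
 *
 * @param newDescriptor the new descriptor
 */
@Override
public void addDescriptor(Object newDescriptor) {
    SunWebAppImpl sunWebApp = (SunWebAppImpl) descriptor.getSunDescriptor();
    if (newDescriptor instanceof WebComponentDescriptor) {
        WebComponentDescriptor servlet = (WebComponentDescriptor) newDescriptor;
        // for backward compatibility with s1as schema2beans generated desc
        Servlet s1descriptor = new Servlet();
        s1descriptor.setServletName(servlet.getCanonicalName());
        if (servlet.getRunAsIdentity() != null) {
            s1descriptor.setPrincipalName(servlet.getRunAsIdentity().getPrincipal());
        }
        sunWebApp.addServlet(s1descriptor);
    } else if (newDescriptor instanceof ServiceReferenceDescriptor) {
        descriptor.addServiceReferenceDescriptor((ServiceReferenceDescriptor) newDescriptor);
    } else if (newDescriptor instanceof SecurityRoleMapping) {
        SecurityRoleMapping srm = (SecurityRoleMapping) newDescriptor;
        sunWebApp.addSecurityRoleMapping(srm);
        // store it in the application using pure DOL descriptors...
        Application app = descriptor.getApplication();
        if (app != null) {
            Role role = new Role(srm.getRoleName());
            SecurityRoleMapper rm = app.getRoleMapper();
            if (rm != null) {
                for (PrincipalNameDescriptor principal : srm.getPrincipalNames()) {
                    rm.assignRole(principal.getPrincipal(), role, descriptor);
                }
                for (String groupName : srm.getGroupNames()) {
                    rm.assignRole(new Group(groupName), role, descriptor);
                }
            }
        }
    } else if (newDescriptor instanceof IdempotentUrlPattern) {
        sunWebApp.addIdempotentUrlPattern((IdempotentUrlPattern) newDescriptor);
    } else if (newDescriptor instanceof SessionConfig) {
        sunWebApp.setSessionConfig((SessionConfig) newDescriptor);
    } else if (newDescriptor instanceof Cache) {
        sunWebApp.setCache((Cache) newDescriptor);
    } else if (newDescriptor instanceof ClassLoader) {
        // the runtime-descriptor ClassLoader element, not java.lang.ClassLoader
        sunWebApp.setClassLoader((ClassLoader) newDescriptor);
    } else if (newDescriptor instanceof JspConfig) {
        sunWebApp.setJspConfig((JspConfig) newDescriptor);
    } else if (newDescriptor instanceof LocaleCharsetInfo) {
        sunWebApp.setLocaleCharsetInfo((LocaleCharsetInfo) newDescriptor);
    } else if (newDescriptor instanceof WebProperty) {
        sunWebApp.addWebProperty((WebProperty) newDescriptor);
    } else if (newDescriptor instanceof Valve) {
        sunWebApp.addValve((Valve) newDescriptor);
    } else {
        // Forward the descriptor being added; previously this passed this node's own
        // descriptor, so unknown types were never handed to the superclass.
        super.addDescriptor(newDescriptor);
    }
}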

Example 4 with SecurityRoleMapper

use of org.glassfish.deployment.common.SecurityRoleMapper in project Payara by payara.

the class PolicyConfigurationImpl method getRoleToSubjectMap.

/**
 * Looks up the role-to-subject map for this policy context and verifies that every
 * linked policy context resolves to the very same map instance.
 *
 * @return the role-to-subject map, or null when there are no role permissions, no role
 *         mapper factory, no role mapper for {@code CONTEXT_ID}, or the mapper has no map
 * @throws RuntimeException if a linked context resolves to a different map (or none)
 */
private Map<String, Subject> getRoleToSubjectMap() {
    if (roleToPermissionsMap == null) {
        return null;
    }
    SecurityRoleMapperFactory factory = SecurityRoleMapperFactoryGen.getSecurityRoleMapperFactory();
    // Make sure a role to subject map has been defined for the Policy Context
    if (factory == null) {
        return null;
    }
    // The role mapper is stored against the application name.
    // For a web app get the appname for this contextid
    SecurityRoleMapper securityRoleMapper = factory.getRoleMapper(CONTEXT_ID);
    if (securityRoleMapper == null) {
        return null;
    }
    Map<String, Subject> roleToSubjectMap = securityRoleMapper.getRoleToSubjectMapping();
    if (roleToSubjectMap == null) {
        return null;
    }
    // Make sure all linked PCs have the same roleToSubjectMap (identity comparison)
    Set<String> linkContextIds = configurationFactory.getLinkTable().get(CONTEXT_ID);
    if (linkContextIds == null) {
        return roleToSubjectMap;
    }
    for (String contextId : linkContextIds) {
        if (CONTEXT_ID.equals(contextId)) {
            continue;
        }
        SecurityRoleMapper otherMapper = factory.getRoleMapper(contextId);
        Map otherMap = (otherMapper == null) ? null : otherMapper.getRoleToSubjectMapping();
        if (otherMap != roleToSubjectMap) {
            String defMsg = "Linked policy contexts have different roleToSubjectMaps (" + CONTEXT_ID + ")<->(" + contextId + ")";
            logger.log(SEVERE, localStrings.getLocalString("pc.linked_with_different_role_maps", defMsg, new Object[] { CONTEXT_ID, contextId }));
            throw new RuntimeException(defMsg);
        }
    }
    return roleToSubjectMap;
}

Example 5 with SecurityRoleMapper

use of org.glassfish.deployment.common.SecurityRoleMapper in project Payara by payara.

the class GlassfishRoleMapper method getRolesOfPrincipals.

/**
 * Returns the names of every declared role that at least one of {@code principals} is a
 * member of, for the policy context {@code pcid}.
 *
 * @param pcid       policy context id used to obtain the internal role mapper
 * @param principals principals to match; an empty array yields {@code null}, not an
 *                   empty set, so callers must handle both
 * @return the matching role names (possibly empty), or null when no principals were given
 * @throws SecurityException             as thrown by the underlying mapper lookups
 * @throws UnsupportedOperationException as thrown by the underlying mapper lookups
 */
public Set<String> getRolesOfPrincipals(String pcid, Principal[] principals) throws SecurityException, UnsupportedOperationException {
    if (principals.length == 0) {
        return null;
    }
    SecurityRoleMapper srm = getInternalMapper(pcid);
    Set<String> roleNames = getDeclaredRoles(srm);
    // No null check on roleNames: per the original note, getDeclaredRoles(srm) currently
    // always throws UnsupportedOperationException, so a null result cannot occur yet;
    // reinstate a null guard once getDeclaredRoles is implemented.
    HashSet<String> roles = new HashSet<String>();
    for (String roleName : roleNames) {
        Set<Principal> members = getPrincipalsInRole(srm, roleName);
        if (members == null) {
            continue;
        }
        // stop at the first principal that belongs to the role
        boolean matched = false;
        for (int i = 0; i < principals.length && !matched; i++) {
            matched = members.contains(principals[i]);
        }
        if (matched) {
            roles.add(roleName);
        }
    }
    return roles;
}
