use of org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration in project infinispan by infinispan.
the class EndpointConfigurationBuilder method enableImplicitAuthentication.
public static void enableImplicitAuthentication(SecurityConfiguration security, String securityRealmName, HotRodServerConfigurationBuilder builder) {
// Set the security realm only if it has not been set already
AuthenticationConfigurationBuilder authentication = builder.authentication();
if (!authentication.hasSecurityRealm()) {
authentication.securityRealm(securityRealmName);
Server.log.debugf("Using endpoint realm \"%s\" for Hot Rod", securityRealmName);
}
ServerSecurityRealm securityRealm = security.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
// Only add implicit mechanisms if the user has not set any explicitly
if (!authentication.hasMechanisms()) {
String serverPrincipal = null;
for (KerberosSecurityFactoryConfiguration identity : securityRealm.getServerIdentities().kerberosConfigurations()) {
if (identity.getPrincipal().startsWith("hotrod/")) {
authentication.enable().addMechanisms(SaslMechanismInformation.Names.GS2_KRB5, SaslMechanismInformation.Names.GSSAPI);
serverPrincipal = identity.getPrincipal();
break;
}
Server.log.debugf("Enabled Kerberos mechanisms for Hot Rod using principal '%s'", identity.getPrincipal());
}
if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TOKEN)) {
authentication.enable().addMechanisms(SaslMechanismInformation.Names.OAUTHBEARER);
Server.log.debug("Enabled OAUTHBEARER mechanism for Hot Rod");
}
if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
authentication.enable().addMechanisms(SaslMechanismInformation.Names.EXTERNAL);
Server.log.debug("Enabled EXTERNAL mechanism for Hot Rod");
}
if (securityRealm.hasFeature(ServerSecurityRealm.Feature.PASSWORD)) {
authentication.enable().addMechanisms(SaslMechanismInformation.Names.SCRAM_SHA_512, SaslMechanismInformation.Names.SCRAM_SHA_384, SaslMechanismInformation.Names.SCRAM_SHA_256, SaslMechanismInformation.Names.SCRAM_SHA_1, SaslMechanismInformation.Names.DIGEST_SHA_512, SaslMechanismInformation.Names.DIGEST_SHA_384, SaslMechanismInformation.Names.DIGEST_SHA_256, SaslMechanismInformation.Names.DIGEST_SHA, SaslMechanismInformation.Names.CRAM_MD5, SaslMechanismInformation.Names.DIGEST_MD5);
Server.log.debug("Enabled SCRAM, DIGEST and CRAM mechanisms for Hot Rod");
// Only enable PLAIN if encryption is on
if (securityRealm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
authentication.enable().addMechanisms(SaslMechanismInformation.Names.PLAIN);
Server.log.debug("Enabled PLAIN mechanism for Hot Rod");
}
}
authentication.serverAuthenticationProvider(new ElytronSASLAuthenticationProvider(authentication.securityRealm(), serverPrincipal, authentication.sasl().mechanisms()));
}
}
use of org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration in project infinispan by infinispan.
the class ServerConfigurationSerializer method writeServerIdentities.
private void writeServerIdentities(ConfigurationWriter writer, ServerIdentitiesConfiguration identities) {
SSLConfiguration ssl = identities.sslConfiguration();
List<KerberosSecurityFactoryConfiguration> kerberosList = identities.kerberosConfigurations();
if (ssl != null || !kerberosList.isEmpty()) {
writer.writeStartElement(Element.SERVER_IDENTITIES);
if (ssl != null) {
writer.writeStartElement(Element.SSL);
ssl.keyStore().write(writer);
TrustStoreConfiguration trustStore = ssl.trustStore();
if (trustStore != null) {
trustStore.write(writer);
}
ssl.engine().write(writer);
writer.writeEndElement();
}
if (!kerberosList.isEmpty()) {
for (KerberosSecurityFactoryConfiguration kerberos : kerberosList) {
kerberos.write(writer);
}
}
writer.writeEndElement();
}
}
use of org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration in project infinispan by infinispan.
the class EndpointConfigurationBuilder method enableImplicitAuthentication.
public static void enableImplicitAuthentication(SecurityConfiguration security, String securityRealmName, RestServerConfigurationBuilder builder) {
// Set the security realm only if it has not been set already
org.infinispan.rest.configuration.AuthenticationConfigurationBuilder authentication = builder.authentication();
if (!authentication.hasSecurityRealm()) {
authentication.securityRealm(securityRealmName);
}
ServerSecurityRealm securityRealm = security.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
// Only add implicit mechanisms if the user has not set any explicitly
if (!authentication.hasMechanisms()) {
String serverPrincipal = null;
for (KerberosSecurityFactoryConfiguration identity : securityRealm.getServerIdentities().kerberosConfigurations()) {
if (identity.getPrincipal().startsWith("HTTP/")) {
authentication.enable().addMechanisms("SPNEGO");
serverPrincipal = identity.getPrincipal();
}
Server.log.debugf("Enabled SPNEGO authentication for HTTP using principal '%s'", identity.getPrincipal());
}
if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TOKEN)) {
authentication.enable().addMechanisms("BEARER_TOKEN");
Server.log.debug("Enabled BEARER_TOKEN for HTTP");
}
if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
authentication.enable().addMechanisms("CLIENT_CERT");
Server.log.debug("Enabled CLIENT_CERT for HTTP");
}
if (securityRealm.hasFeature(ServerSecurityRealm.Feature.PASSWORD)) {
authentication.enable().addMechanisms("DIGEST");
Server.log.debug("Enabled DIGEST for HTTP");
// Only enable PLAIN if encryption is on
if (securityRealm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
authentication.enable().addMechanisms("BASIC");
Server.log.debug("Enabled BASIC for HTTP");
}
}
authentication.authenticator(new ElytronHTTPAuthenticator(authentication.securityRealm(), serverPrincipal, authentication.mechanisms()));
}
}
Aggregations