Search in sources :

Example 1 with KerberosSecurityFactoryConfiguration

use of org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration in project infinispan by infinispan.

the class EndpointConfigurationBuilder method enableImplicitAuthentication.

public static void enableImplicitAuthentication(SecurityConfiguration security, String securityRealmName, HotRodServerConfigurationBuilder builder) {
    // Set the security realm only if it has not been set already
    AuthenticationConfigurationBuilder authentication = builder.authentication();
    if (!authentication.hasSecurityRealm()) {
        authentication.securityRealm(securityRealmName);
        Server.log.debugf("Using endpoint realm \"%s\" for Hot Rod", securityRealmName);
    }
    ServerSecurityRealm securityRealm = security.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
    // Only add implicit mechanisms if the user has not set any explicitly
    if (!authentication.hasMechanisms()) {
        String serverPrincipal = null;
        for (KerberosSecurityFactoryConfiguration identity : securityRealm.getServerIdentities().kerberosConfigurations()) {
            if (identity.getPrincipal().startsWith("hotrod/")) {
                authentication.enable().addMechanisms(SaslMechanismInformation.Names.GS2_KRB5, SaslMechanismInformation.Names.GSSAPI);
                serverPrincipal = identity.getPrincipal();
                break;
            }
            Server.log.debugf("Enabled Kerberos mechanisms for Hot Rod using principal '%s'", identity.getPrincipal());
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TOKEN)) {
            authentication.enable().addMechanisms(SaslMechanismInformation.Names.OAUTHBEARER);
            Server.log.debug("Enabled OAUTHBEARER mechanism for Hot Rod");
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
            authentication.enable().addMechanisms(SaslMechanismInformation.Names.EXTERNAL);
            Server.log.debug("Enabled EXTERNAL mechanism for Hot Rod");
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.PASSWORD)) {
            authentication.enable().addMechanisms(SaslMechanismInformation.Names.SCRAM_SHA_512, SaslMechanismInformation.Names.SCRAM_SHA_384, SaslMechanismInformation.Names.SCRAM_SHA_256, SaslMechanismInformation.Names.SCRAM_SHA_1, SaslMechanismInformation.Names.DIGEST_SHA_512, SaslMechanismInformation.Names.DIGEST_SHA_384, SaslMechanismInformation.Names.DIGEST_SHA_256, SaslMechanismInformation.Names.DIGEST_SHA, SaslMechanismInformation.Names.CRAM_MD5, SaslMechanismInformation.Names.DIGEST_MD5);
            Server.log.debug("Enabled SCRAM, DIGEST and CRAM mechanisms for Hot Rod");
            // Only enable PLAIN if encryption is on
            if (securityRealm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
                authentication.enable().addMechanisms(SaslMechanismInformation.Names.PLAIN);
                Server.log.debug("Enabled PLAIN mechanism for Hot Rod");
            }
        }
        authentication.serverAuthenticationProvider(new ElytronSASLAuthenticationProvider(authentication.securityRealm(), serverPrincipal, authentication.sasl().mechanisms()));
    }
}
Also used : KerberosSecurityFactoryConfiguration(org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration) ServerSecurityRealm(org.infinispan.server.security.ServerSecurityRealm) ElytronSASLAuthenticationProvider(org.infinispan.server.security.ElytronSASLAuthenticationProvider) AuthenticationConfigurationBuilder(org.infinispan.server.hotrod.configuration.AuthenticationConfigurationBuilder)

Example 2 with KerberosSecurityFactoryConfiguration

use of org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration in project infinispan by infinispan.

the class ServerConfigurationSerializer method writeServerIdentities.

private void writeServerIdentities(ConfigurationWriter writer, ServerIdentitiesConfiguration identities) {
    SSLConfiguration ssl = identities.sslConfiguration();
    List<KerberosSecurityFactoryConfiguration> kerberosList = identities.kerberosConfigurations();
    if (ssl != null || !kerberosList.isEmpty()) {
        writer.writeStartElement(Element.SERVER_IDENTITIES);
        if (ssl != null) {
            writer.writeStartElement(Element.SSL);
            ssl.keyStore().write(writer);
            TrustStoreConfiguration trustStore = ssl.trustStore();
            if (trustStore != null) {
                trustStore.write(writer);
            }
            ssl.engine().write(writer);
            writer.writeEndElement();
        }
        if (!kerberosList.isEmpty()) {
            for (KerberosSecurityFactoryConfiguration kerberos : kerberosList) {
                kerberos.write(writer);
            }
        }
        writer.writeEndElement();
    }
}
Also used : SSLConfiguration(org.infinispan.server.configuration.security.SSLConfiguration) TrustStoreConfiguration(org.infinispan.server.configuration.security.TrustStoreConfiguration) KerberosSecurityFactoryConfiguration(org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration)

Example 3 with KerberosSecurityFactoryConfiguration

use of org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration in project infinispan by infinispan.

the class EndpointConfigurationBuilder method enableImplicitAuthentication.

public static void enableImplicitAuthentication(SecurityConfiguration security, String securityRealmName, RestServerConfigurationBuilder builder) {
    // Set the security realm only if it has not been set already
    org.infinispan.rest.configuration.AuthenticationConfigurationBuilder authentication = builder.authentication();
    if (!authentication.hasSecurityRealm()) {
        authentication.securityRealm(securityRealmName);
    }
    ServerSecurityRealm securityRealm = security.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
    // Only add implicit mechanisms if the user has not set any explicitly
    if (!authentication.hasMechanisms()) {
        String serverPrincipal = null;
        for (KerberosSecurityFactoryConfiguration identity : securityRealm.getServerIdentities().kerberosConfigurations()) {
            if (identity.getPrincipal().startsWith("HTTP/")) {
                authentication.enable().addMechanisms("SPNEGO");
                serverPrincipal = identity.getPrincipal();
            }
            Server.log.debugf("Enabled SPNEGO authentication for HTTP using principal '%s'", identity.getPrincipal());
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TOKEN)) {
            authentication.enable().addMechanisms("BEARER_TOKEN");
            Server.log.debug("Enabled BEARER_TOKEN for HTTP");
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
            authentication.enable().addMechanisms("CLIENT_CERT");
            Server.log.debug("Enabled CLIENT_CERT for HTTP");
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.PASSWORD)) {
            authentication.enable().addMechanisms("DIGEST");
            Server.log.debug("Enabled DIGEST for HTTP");
            // Only enable PLAIN if encryption is on
            if (securityRealm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
                authentication.enable().addMechanisms("BASIC");
                Server.log.debug("Enabled BASIC for HTTP");
            }
        }
        authentication.authenticator(new ElytronHTTPAuthenticator(authentication.securityRealm(), serverPrincipal, authentication.mechanisms()));
    }
}
Also used : ElytronHTTPAuthenticator(org.infinispan.server.security.ElytronHTTPAuthenticator) KerberosSecurityFactoryConfiguration(org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration) ServerSecurityRealm(org.infinispan.server.security.ServerSecurityRealm)

Aggregations

KerberosSecurityFactoryConfiguration (org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration)3 ServerSecurityRealm (org.infinispan.server.security.ServerSecurityRealm)2 SSLConfiguration (org.infinispan.server.configuration.security.SSLConfiguration)1 TrustStoreConfiguration (org.infinispan.server.configuration.security.TrustStoreConfiguration)1 AuthenticationConfigurationBuilder (org.infinispan.server.hotrod.configuration.AuthenticationConfigurationBuilder)1 ElytronHTTPAuthenticator (org.infinispan.server.security.ElytronHTTPAuthenticator)1 ElytronSASLAuthenticationProvider (org.infinispan.server.security.ElytronSASLAuthenticationProvider)1