
Example 1 with ElytronSASLAuthenticationProvider

use of org.infinispan.server.security.ElytronSASLAuthenticationProvider in project infinispan by infinispan.

From the class EndpointConfigurationBuilder, method enableImplicitAuthentication:

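/**
 * Enables the Hot Rod SASL mechanisms implied by the capabilities of the endpoint's security realm.
 * <p>
 * The realm is taken from {@code builder} when one was configured explicitly, otherwise
 * {@code securityRealmName} is used. Mechanisms are only added when the user has not listed any
 * explicitly ({@code hasMechanisms()} is {@code false}); an explicit list therefore also works as
 * an allow-list for operators who want to exclude a mechanism enabled here. Mechanisms are mapped
 * from realm features as follows: a Kerberos server identity whose principal starts with
 * {@code hotrod/} enables GS2-KRB5 and GSSAPI, {@code TOKEN} enables OAUTHBEARER, {@code TRUST}
 * enables EXTERNAL, {@code PASSWORD} enables the SCRAM, DIGEST and CRAM families, and PLAIN is
 * added only when {@code ENCRYPT} is also present. Finally an {@link ElytronSASLAuthenticationProvider}
 * bound to the realm, the selected Kerberos principal (may be {@code null}) and the resulting
 * mechanism set is installed on the builder.
 *
 * @param security          the server security configuration used to resolve the realm by name
 * @param securityRealmName the realm to use when the Hot Rod builder does not already name one
 * @param builder           the Hot Rod server configuration builder to update in place
 */
public static void enableImplicitAuthentication(SecurityConfiguration security, String securityRealmName, HotRodServerConfigurationBuilder builder) {
    AuthenticationConfigurationBuilder authentication = builder.authentication();
    // Set the security realm only if it has not been set already
    if (!authentication.hasSecurityRealm()) {
        authentication.securityRealm(securityRealmName);
        Server.log.debugf("Using endpoint realm \"%s\" for Hot Rod", securityRealmName);
    }
    ServerSecurityRealm securityRealm = security.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
    // Only add implicit mechanisms if the user has not set any explicitly
    if (!authentication.hasMechanisms()) {
        String serverPrincipal = null;
        // The first Kerberos identity with a "hotrod/" service principal wins; identities that do
        // not match are skipped silently, so the log line names only the principal actually selected.
        for (KerberosSecurityFactoryConfiguration identity : securityRealm.getServerIdentities().kerberosConfigurations()) {
            if (identity.getPrincipal().startsWith("hotrod/")) {
                authentication.enable().addMechanisms(SaslMechanismInformation.Names.GS2_KRB5, SaslMechanismInformation.Names.GSSAPI);
                serverPrincipal = identity.getPrincipal();
                Server.log.debugf("Enabled Kerberos mechanisms for Hot Rod using principal '%s'", serverPrincipal);
                break;
            }
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TOKEN)) {
            authentication.enable().addMechanisms(SaslMechanismInformation.Names.OAUTHBEARER);
            Server.log.debug("Enabled OAUTHBEARER mechanism for Hot Rod");
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
            authentication.enable().addMechanisms(SaslMechanismInformation.Names.EXTERNAL);
            Server.log.debug("Enabled EXTERNAL mechanism for Hot Rod");
        }
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.PASSWORD)) {
            // NOTE(review): CRAM-MD5 and DIGEST-MD5 are legacy, MD5-based mechanisms offered here for
            // compatibility; deployments that do not need them can drop them by configuring the
            // mechanism list explicitly, which bypasses this whole branch.
            authentication.enable().addMechanisms(SaslMechanismInformation.Names.SCRAM_SHA_512, SaslMechanismInformation.Names.SCRAM_SHA_384, SaslMechanismInformation.Names.SCRAM_SHA_256, SaslMechanismInformation.Names.SCRAM_SHA_1, SaslMechanismInformation.Names.DIGEST_SHA_512, SaslMechanismInformation.Names.DIGEST_SHA_384, SaslMechanismInformation.Names.DIGEST_SHA_256, SaslMechanismInformation.Names.DIGEST_SHA, SaslMechanismInformation.Names.CRAM_MD5, SaslMechanismInformation.Names.DIGEST_MD5);
            Server.log.debug("Enabled SCRAM, DIGEST and CRAM mechanisms for Hot Rod");
            // Only enable PLAIN if encryption is on: PLAIN carries the password in the clear, so it
            // is acceptable only when the transport itself is protected.
            if (securityRealm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
                authentication.enable().addMechanisms(SaslMechanismInformation.Names.PLAIN);
                Server.log.debug("Enabled PLAIN mechanism for Hot Rod");
            }
        }
        authentication.serverAuthenticationProvider(new ElytronSASLAuthenticationProvider(authentication.securityRealm(), serverPrincipal, authentication.sasl().mechanisms()));
    }
}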

Example 2 with ElytronSASLAuthenticationProvider

use of org.infinispan.server.security.ElytronSASLAuthenticationProvider in project infinispan by infinispan.

From the class HotRodServerConfigurationParser, method parseAuthentication:

/**
 * Parses the Hot Rod {@code authentication} element and wires the resulting SASL configuration
 * into {@code builder}.
 * <p>
 * The only attribute accepted is {@code security-realm}; any other attribute, and any child
 * element other than {@code sasl}, is rejected through {@link ParseUtils}. When the element names
 * no realm, the realm of the enclosing endpoint is used instead, and if that is also absent the
 * error produced by {@code Server.log.authenticationWithoutSecurityRealm()} is thrown. The chosen
 * realm is registered as the DIGEST realm list (a user-supplied mechanism property still takes
 * precedence), recorded on the builder, and handed to the
 * {@link ElytronSASLAuthenticationProvider} together with the Kerberos server principal returned
 * by {@code parseSasl} (may be {@code null}) and the configured mechanism set.
 *
 * @param reader        the configuration reader positioned on the {@code authentication} element
 * @param serverBuilder the server builder, consulted for the current endpoint's realm
 * @param builder       the Hot Rod authentication builder to populate
 * @param securityRealm the realm inherited from the caller, or {@code null}
 */
private void parseAuthentication(ConfigurationReader reader, ServerConfigurationBuilder serverBuilder, AuthenticationConfigurationBuilder builder, String securityRealm) {
    String realm = securityRealm;
    String serverPrincipal = null;
    for (int index = 0; index < reader.getAttributeCount(); index++) {
        ParseUtils.requireNoNamespaceAttribute(reader, index);
        String attributeValue = reader.getAttributeValue(index);
        Attribute attribute = Attribute.forName(reader.getAttributeName(index));
        switch (attribute) {
            case SECURITY_REALM:
                realm = attributeValue;
                break;
            default:
                throw ParseUtils.unexpectedAttribute(reader, index);
        }
    }
    // Fall back to the realm declared on the enclosing endpoint, then fail if there is none at all
    if (realm == null) {
        realm = serverBuilder.endpoints().current().securityRealm();
    }
    if (realm == null) {
        throw Server.log.authenticationWithoutSecurityRealm();
    }
    // Seed the DIGEST realm list with the chosen realm; a user-supplied property overrides it
    builder.addMechProperty(WildFlySasl.REALM_LIST, realm);
    while (reader.inTag()) {
        Element element = Element.forName(reader.getLocalName());
        switch (element) {
            case SASL:
                serverPrincipal = parseSasl(reader, builder);
                break;
            default:
                throw ParseUtils.unexpectedElement(reader);
        }
    }
    builder.securityRealm(realm);
    builder.serverAuthenticationProvider(new ElytronSASLAuthenticationProvider(realm, serverPrincipal, builder.sasl().mechanisms()));
}
