
Example 1 with ServerSecurityRealm

use of org.infinispan.server.security.ServerSecurityRealm in project infinispan by infinispan.

From class EndpointConfigurationBuilder: method enableImplicitAuthentication (the overload taking a HotRodServerConfigurationBuilder).

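/**
 * Applies implicit authentication settings to the Hot Rod endpoint.
 * <p>
 * The endpoint realm is set to {@code securityRealmName} unless one was configured explicitly.
 * If no SASL mechanisms were configured explicitly, they are derived from the realm's
 * capabilities: Kerberos (GS2-KRB5 / GSSAPI) when a {@code hotrod/} server identity exists,
 * OAUTHBEARER for token realms, EXTERNAL for trust-store realms and the SCRAM / DIGEST / CRAM
 * family for password realms. PLAIN is offered only when the realm also provides encryption,
 * because it transmits the credential itself on the wire.
 *
 * @param security          the server security configuration holding the realms
 * @param securityRealmName name of the realm to use when none is configured on the endpoint
 * @param builder           the Hot Rod endpoint configuration builder to update
 */
public static void enableImplicitAuthentication(SecurityConfiguration security, String securityRealmName, HotRodServerConfigurationBuilder builder) {
    // Set the security realm only if it has not been set already
    AuthenticationConfigurationBuilder authentication = builder.authentication();
    if (!authentication.hasSecurityRealm()) {
        authentication.securityRealm(securityRealmName);
        Server.log.debugf("Using endpoint realm \"%s\" for Hot Rod", securityRealmName);
    }
    ServerSecurityRealm securityRealm = security.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
    // Only add implicit mechanisms if the user has not set any explicitly
    if (authentication.hasMechanisms()) {
        return;
    }
    String serverPrincipal = null;
    // Kerberos: the first server identity whose principal is in the "hotrod/" service class is used
    for (KerberosSecurityFactoryConfiguration identity : securityRealm.getServerIdentities().kerberosConfigurations()) {
        if (identity.getPrincipal().startsWith("hotrod/")) {
            authentication.enable().addMechanisms(SaslMechanismInformation.Names.GS2_KRB5, SaslMechanismInformation.Names.GSSAPI);
            serverPrincipal = identity.getPrincipal();
            // Log the identity that was actually selected (not the ones that were skipped)
            Server.log.debugf("Enabled Kerberos mechanisms for Hot Rod using principal '%s'", serverPrincipal);
            break;
        }
    }
    if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TOKEN)) {
        authentication.enable().addMechanisms(SaslMechanismInformation.Names.OAUTHBEARER);
        Server.log.debug("Enabled OAUTHBEARER mechanism for Hot Rod");
    }
    if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
        // EXTERNAL relies on the client certificate already validated by the trust store
        authentication.enable().addMechanisms(SaslMechanismInformation.Names.EXTERNAL);
        Server.log.debug("Enabled EXTERNAL mechanism for Hot Rod");
    }
    if (securityRealm.hasFeature(ServerSecurityRealm.Feature.PASSWORD)) {
        // Strongest first. The MD5-based DIGEST-MD5 and CRAM-MD5 are weaker than the SHA
        // variants and are presumably kept for older clients — TODO confirm they are still needed
        authentication.enable().addMechanisms(
              SaslMechanismInformation.Names.SCRAM_SHA_512,
              SaslMechanismInformation.Names.SCRAM_SHA_384,
              SaslMechanismInformation.Names.SCRAM_SHA_256,
              SaslMechanismInformation.Names.SCRAM_SHA_1,
              SaslMechanismInformation.Names.DIGEST_SHA_512,
              SaslMechanismInformation.Names.DIGEST_SHA_384,
              SaslMechanismInformation.Names.DIGEST_SHA_256,
              SaslMechanismInformation.Names.DIGEST_SHA,
              SaslMechanismInformation.Names.CRAM_MD5,
              SaslMechanismInformation.Names.DIGEST_MD5);
        Server.log.debug("Enabled SCRAM, DIGEST and CRAM mechanisms for Hot Rod");
        // Only enable PLAIN if encryption is on: it sends the password in clear text over the connection
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
            authentication.enable().addMechanisms(SaslMechanismInformation.Names.PLAIN);
            Server.log.debug("Enabled PLAIN mechanism for Hot Rod");
        }
    }
    // serverPrincipal stays null when no Kerberos identity matched
    authentication.serverAuthenticationProvider(new ElytronSASLAuthenticationProvider(authentication.securityRealm(), serverPrincipal, authentication.sasl().mechanisms()));
}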
Also used : KerberosSecurityFactoryConfiguration(org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration) ServerSecurityRealm(org.infinispan.server.security.ServerSecurityRealm) ElytronSASLAuthenticationProvider(org.infinispan.server.security.ElytronSASLAuthenticationProvider) AuthenticationConfigurationBuilder(org.infinispan.server.hotrod.configuration.AuthenticationConfigurationBuilder)

Example 2 with ServerSecurityRealm

use of org.infinispan.server.security.ServerSecurityRealm in project infinispan by infinispan.

From class EndpointConfigurationBuilder: method enableImplicitAuthentication (the overload taking a RespServerConfigurationBuilder).

/**
 * Applies implicit authentication settings to the RESP endpoint.
 * <p>
 * The endpoint realm defaults to {@code securityRealmName} when none was configured
 * explicitly. RESP authentication is password based, so the realm must provide the
 * PASSWORD feature; otherwise the configuration is rejected.
 *
 * @param security          the server security configuration holding the realms
 * @param securityRealmName name of the realm to use when none is configured on the endpoint
 * @param builder           the RESP endpoint configuration builder to update
 * @throws RuntimeException (as produced by {@code Server.log.respEndpointRequiresRealmWithPassword()})
 *         when the selected realm has no password support
 */
private void enableImplicitAuthentication(SecurityConfiguration security, String securityRealmName, RespServerConfigurationBuilder builder) {
    org.infinispan.server.resp.configuration.AuthenticationConfigurationBuilder authentication = builder.authentication();
    // Respect an explicitly configured realm; fall back to the endpoint-wide one otherwise
    if (!authentication.hasSecurityRealm()) {
        authentication.securityRealm(securityRealmName);
    }
    String realmName = authentication.securityRealm();
    ServerSecurityRealm securityRealm = security.realms().getRealm(realmName).serverSecurityRealm();
    // A realm without password support cannot back RESP authentication at all
    if (!securityRealm.hasFeature(ServerSecurityRealm.Feature.PASSWORD)) {
        throw Server.log.respEndpointRequiresRealmWithPassword();
    }
    authentication.authenticator(new ElytronRESPAuthenticator(realmName));
}
Also used : ElytronRESPAuthenticator(org.infinispan.server.security.ElytronRESPAuthenticator) ServerSecurityRealm(org.infinispan.server.security.ServerSecurityRealm)

Example 3 with ServerSecurityRealm

use of org.infinispan.server.security.ServerSecurityRealm in project infinispan by infinispan.

From class EndpointConfigurationBuilder: method enableImplicitAuthentication (the overload taking a RestServerConfigurationBuilder).

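/**
 * Applies implicit authentication settings to the REST endpoint.
 * <p>
 * The endpoint realm is set to {@code securityRealmName} unless one was configured explicitly.
 * If no HTTP mechanisms were configured explicitly, they are derived from the realm's
 * capabilities: SPNEGO when an {@code HTTP/} Kerberos server identity exists, BEARER_TOKEN for
 * token realms, CLIENT_CERT for trust-store realms and DIGEST for password realms. BASIC is
 * offered only when the realm also provides encryption, because it transmits the credential
 * itself with every request.
 *
 * @param security          the server security configuration holding the realms
 * @param securityRealmName name of the realm to use when none is configured on the endpoint
 * @param builder           the REST endpoint configuration builder to update
 */
public static void enableImplicitAuthentication(SecurityConfiguration security, String securityRealmName, RestServerConfigurationBuilder builder) {
    // Set the security realm only if it has not been set already
    org.infinispan.rest.configuration.AuthenticationConfigurationBuilder authentication = builder.authentication();
    if (!authentication.hasSecurityRealm()) {
        authentication.securityRealm(securityRealmName);
    }
    ServerSecurityRealm securityRealm = security.realms().getRealm(authentication.securityRealm()).serverSecurityRealm();
    // Only add implicit mechanisms if the user has not set any explicitly
    if (authentication.hasMechanisms()) {
        return;
    }
    String serverPrincipal = null;
    // Only a server identity in the "HTTP/" service class can back SPNEGO. The loop does not stop at
    // the first match: when several such identities exist, the last one becomes serverPrincipal
    // (unlike the Hot Rod overload, which stops at the first match).
    for (KerberosSecurityFactoryConfiguration identity : securityRealm.getServerIdentities().kerberosConfigurations()) {
        if (identity.getPrincipal().startsWith("HTTP/")) {
            authentication.enable().addMechanisms("SPNEGO");
            serverPrincipal = identity.getPrincipal();
            // Log the identity that was actually selected (not the ones that were skipped)
            Server.log.debugf("Enabled SPNEGO authentication for HTTP using principal '%s'", serverPrincipal);
        }
    }
    if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TOKEN)) {
        authentication.enable().addMechanisms("BEARER_TOKEN");
        Server.log.debug("Enabled BEARER_TOKEN for HTTP");
    }
    if (securityRealm.hasFeature(ServerSecurityRealm.Feature.TRUST)) {
        // CLIENT_CERT relies on the client certificate already validated by the trust store
        authentication.enable().addMechanisms("CLIENT_CERT");
        Server.log.debug("Enabled CLIENT_CERT for HTTP");
    }
    if (securityRealm.hasFeature(ServerSecurityRealm.Feature.PASSWORD)) {
        authentication.enable().addMechanisms("DIGEST");
        Server.log.debug("Enabled DIGEST for HTTP");
        // Only enable BASIC if encryption is on: it sends the password (base64, not encrypted) in every request
        if (securityRealm.hasFeature(ServerSecurityRealm.Feature.ENCRYPT)) {
            authentication.enable().addMechanisms("BASIC");
            Server.log.debug("Enabled BASIC for HTTP");
        }
    }
    // serverPrincipal stays null when no Kerberos identity matched
    authentication.authenticator(new ElytronHTTPAuthenticator(authentication.securityRealm(), serverPrincipal, authentication.mechanisms()));
}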
Also used : ElytronHTTPAuthenticator(org.infinispan.server.security.ElytronHTTPAuthenticator) KerberosSecurityFactoryConfiguration(org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration) ServerSecurityRealm(org.infinispan.server.security.ServerSecurityRealm)

Example 4 with ServerSecurityRealm

use of org.infinispan.server.security.ServerSecurityRealm in project infinispan by infinispan.

From class RealmConfiguration: method init.

void init(SecurityConfiguration security, Properties properties) {
    // Builds the Elytron SecurityDomain for this realm from its configured realm providers,
    // initialises the SSL contexts of the realm's server identities, and publishes the result
    // as serverSecurityRealm.
    //
    // security   - the enclosing security configuration, handed to every RealmProvider
    // properties - properties used when building the SSL context builder and the realms
    SSLConfiguration sslConfiguration = serverIdentitiesConfiguration.sslConfiguration();
    // Without an SSL configuration there is no context builder; the code below must tolerate the null
    SSLContextBuilder sslContextBuilder = sslConfiguration != null ? sslConfiguration.build(properties, features) : null;
    SecurityDomain.Builder domainBuilder = SecurityDomain.builder();
    // Every authenticated principal, whatever its roles, is mapped to LoginPermission only
    domainBuilder.setPermissionMapper((principal, roles) -> PermissionVerifier.from(new LoginPermission()));
    if (realmProviders.isEmpty() || !(realmProviders.get(0) instanceof TrustStoreRealmConfiguration)) {
        // Initialize the SSLContexts now, because they may be needed for client connections of the LDAP or Token realms.
        // When a trust-store realm comes first this is skipped here; see the TRUST branch below.
        buildSSLContexts(sslContextBuilder);
    }
    realms = new HashMap<>(realmProviders.size());
    for (RealmProvider provider : realmProviders) {
        SecurityRealm realm = provider.build(security, this, domainBuilder, properties);
        // A provider may yield no realm; its name is still recorded (mapped to null)
        realms.put(provider.name(), realm);
        if (realm != null) {
            domainBuilder.addRealm(provider.name(), cacheable(realm)).build();
            // The first realm that was actually built becomes the domain's default realm
            if (domainBuilder.getDefaultRealmName() == null) {
                domainBuilder.setDefaultRealmName(provider.name());
            }
        }
    }
    SecurityDomain securityDomain = domainBuilder.build();
    if (features.contains(ServerSecurityRealm.Feature.TRUST)) {
        // NOTE(review): sslContextBuilder is dereferenced unguarded here; if TRUST can be present
        // without an SSL configuration this throws NullPointerException — confirm that the TRUST
        // feature implies sslConfiguration != null. Note also that when the first provider is not a
        // trust-store realm, buildSSLContexts has already run once above and runs again here, now
        // with the SecurityDomain attached for client-certificate authentication.
        sslContextBuilder.setSecurityDomain(securityDomain);
        // Initialize the SSLContexts
        buildSSLContexts(sslContextBuilder);
    }
    String name = attributes.attribute(RealmConfiguration.NAME).get();
    serverSecurityRealm = new ServerSecurityRealm(name, securityDomain, httpChallengeReadiness, serverIdentitiesConfiguration, features);
}
Also used : ServerSecurityRealm(org.infinispan.server.security.ServerSecurityRealm) LoginPermission(org.wildfly.security.auth.permission.LoginPermission) CachingSecurityRealm(org.infinispan.server.security.realm.CachingSecurityRealm) CachingModifiableSecurityRealm(org.infinispan.server.security.realm.CachingModifiableSecurityRealm) SecurityRealm(org.wildfly.security.auth.server.SecurityRealm) ServerSecurityRealm(org.infinispan.server.security.ServerSecurityRealm) CacheableSecurityRealm(org.wildfly.security.auth.realm.CacheableSecurityRealm) ModifiableSecurityRealm(org.wildfly.security.auth.server.ModifiableSecurityRealm) SSLContextBuilder(org.wildfly.security.ssl.SSLContextBuilder) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)

Aggregations

ServerSecurityRealm (org.infinispan.server.security.ServerSecurityRealm)4 KerberosSecurityFactoryConfiguration (org.infinispan.server.configuration.security.KerberosSecurityFactoryConfiguration)2 AuthenticationConfigurationBuilder (org.infinispan.server.hotrod.configuration.AuthenticationConfigurationBuilder)1 ElytronHTTPAuthenticator (org.infinispan.server.security.ElytronHTTPAuthenticator)1 ElytronRESPAuthenticator (org.infinispan.server.security.ElytronRESPAuthenticator)1 ElytronSASLAuthenticationProvider (org.infinispan.server.security.ElytronSASLAuthenticationProvider)1 CachingModifiableSecurityRealm (org.infinispan.server.security.realm.CachingModifiableSecurityRealm)1 CachingSecurityRealm (org.infinispan.server.security.realm.CachingSecurityRealm)1 LoginPermission (org.wildfly.security.auth.permission.LoginPermission)1 CacheableSecurityRealm (org.wildfly.security.auth.realm.CacheableSecurityRealm)1 ModifiableSecurityRealm (org.wildfly.security.auth.server.ModifiableSecurityRealm)1 SecurityDomain (org.wildfly.security.auth.server.SecurityDomain)1 SecurityRealm (org.wildfly.security.auth.server.SecurityRealm)1 SSLContextBuilder (org.wildfly.security.ssl.SSLContextBuilder)1