Example 1 with SecurityContext

Use of org.jboss.security.SecurityContext in project wildfly by wildfly.

Class SimpleSecurityManager, method push.

/**
 * Must be called from within a privileged action.
 *
 * @param securityDomain the security domain for which a new context is established
 */
public void push(final String securityDomain) {
    // TODO - Handle a null securityDomain here? Yes I think so.
    // Save the caller's context so that pop() can restore it later.
    final SecurityContext previous = SecurityContextAssociation.getSecurityContext();
    contexts.push(previous);
    SecurityContext current = establishSecurityContext(securityDomain);
    if (propagate && previous != null) {
        // Carry the caller's subject and outgoing run-as identity into the new context.
        current.setSubjectInfo(getSubjectInfo(previous));
        current.setIncomingRunAs(previous.getOutgoingRunAs());
    }
    RunAs currentRunAs = current.getIncomingRunAs();
    // instanceof is false for null, so no separate null check is needed.
    boolean trusted = currentRunAs instanceof RunAsIdentity;
    if (!trusted) {
        /*
         * We should only be switching to a context based on an identity from the Remoting connection if we don't already
         * have a trusted identity - this allows for beans to reauthenticate as a different identity.
         */
        if (SecurityActions.remotingContextIsSet()) {
            // In this case the principal and credential have not been set yet, so derive them from the Remoting connection.
            SecurityContextUtil util = current.getUtil();
            Connection connection = SecurityActions.remotingContextGetConnection();
            Principal p = null;
            Object credential = null;
            SecurityIdentity localIdentity = connection.getLocalIdentity();
            if (localIdentity != null) {
                p = new SimplePrincipal(localIdentity.getPrincipal().getName());
                IdentityCredentials privateCredentials = localIdentity.getPrivateCredentials();
                PasswordCredential passwordCredential = privateCredentials.getCredential(PasswordCredential.class, ClearPassword.ALGORITHM_CLEAR);
                if (passwordCredential != null) {
                    // A clear-text password is available: pass it through as the credential.
                    credential = new String(passwordCredential.getPassword(ClearPassword.class).getPassword());
                } else {
                    // Otherwise the authenticated connection itself vouches for the identity.
                    credential = new RemotingConnectionCredential(connection);
                }
            } else {
                throw SecurityLogger.ROOT_LOGGER.noUserPrincipalFound();
            }
            // Clear the remoting context now that it has been consumed.
            SecurityActions.remotingContextClear();
            util.createSubjectInfo(p, credential, null);
        }
    }
}
Also used: ClearPassword (org.wildfly.security.password.interfaces.ClearPassword), SecurityContextUtil (org.jboss.security.SecurityContextUtil), RunAs (org.jboss.security.RunAs), RunAsIdentity (org.jboss.security.RunAsIdentity), Connection (org.jboss.remoting3.Connection), PasswordCredential (org.wildfly.security.credential.PasswordCredential), SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity), SecurityContext (org.jboss.security.SecurityContext), RemotingConnectionCredential (org.jboss.as.security.remoting.RemotingConnectionCredential), Principal (java.security.Principal), SimplePrincipal (org.jboss.security.SimplePrincipal), IdentityCredentials (org.wildfly.security.auth.server.IdentityCredentials)

Example 2 with SecurityContext

Use of org.jboss.security.SecurityContext in project wildfly by wildfly.

Class SimpleSecurityManager, method authorize.

public boolean authorize(String ejbName, CodeSource ejbCodeSource, String ejbMethodIntf, Method ejbMethod, Set<Principal> methodRoles, String contextID) {
    final SecurityContext securityContext = doPrivileged(securityContext());
    if (securityContext == null) {
        // No security context on this thread: deny rather than fall back to an implicit identity.
        return false;
    }
    // Describe the invocation as an EJB resource for the org.jboss.security authorization helper.
    EJBResource resource = new EJBResource(new HashMap<>());
    resource.setEjbName(ejbName);
    resource.setEjbMethod(ejbMethod);
    resource.setEjbMethodInterface(ejbMethodIntf);
    resource.setEjbMethodRoles(new SimpleRoleGroup(methodRoles));
    resource.setCodeSource(ejbCodeSource);
    resource.setPolicyContextID(contextID);
    // The caller is identified by the run-as identity, subject and user principal of the current context.
    resource.setCallerRunAsIdentity(securityContext.getIncomingRunAs());
    resource.setCallerSubject(securityContext.getUtil().getSubject());
    Principal userPrincipal = securityContext.getUtil().getUserPrincipal();
    resource.setPrincipal(userPrincipal);
    try {
        AbstractEJBAuthorizationHelper helper = SecurityHelperFactory.getEJBAuthorizationHelper(securityContext);
        return helper.authorize(resource);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}
Also used: EJBResource (org.jboss.security.authorization.resources.EJBResource), AbstractEJBAuthorizationHelper (org.jboss.security.javaee.AbstractEJBAuthorizationHelper), SecurityContext (org.jboss.security.SecurityContext), Principal (java.security.Principal), SimplePrincipal (org.jboss.security.SimplePrincipal), SimpleRoleGroup (org.jboss.security.identity.plugins.SimpleRoleGroup)

Example 3 with SecurityContext

Use of org.jboss.security.SecurityContext in project wildfly by wildfly.

Class SimpleSecurityManager, method getCallerPrincipal.

public Principal getCallerPrincipal() {
    final SecurityContext securityContext = doPrivileged(securityContext());
    if (securityContext == null) {
        return getUnauthenticatedIdentity().asPrincipal();
    }
    /*
     * final Principal principal = getPrincipal(securityContext.getUtil().getSubject());
     */
    // A run-as identity, when present, takes precedence over the authenticated subject's principal.
    Principal principal = securityContext.getIncomingRunAs();
    if (principal == null) {
        principal = getPrincipal(getSubjectInfo(securityContext).getAuthenticatedSubject());
    }
    if (principal == null) {
        // Neither a run-as nor an authenticated principal: report the unauthenticated identity.
        return getUnauthenticatedIdentity().asPrincipal();
    }
    return principal;
}
Also used: SecurityContext (org.jboss.security.SecurityContext), Principal (java.security.Principal), SimplePrincipal (org.jboss.security.SimplePrincipal)

Example 4 with SecurityContext

Use of org.jboss.security.SecurityContext in project wildfly by wildfly.

Class SimpleSecurityManager, method isCallerInRole.

/**
 * @param ejbName              The name of the EJB component where isCallerInRole was invoked.
 * @param policyContextID      The policy context ID of the deployment.
 * @param incommingMappedRoles The principal vs roles mapping (if any). Can be null.
 * @param roleLinks            The role link map where the key is an alias role name and the value is the collection of
 *                             role names that alias represents. Can be null.
 * @param roleNames            The role names the caller is being checked against.
 * @return true if the caller is in <b>any</b> of the <code>roleNames</code>, false otherwise.
 */
public boolean isCallerInRole(final String ejbName, final String policyContextID, final Object incommingMappedRoles, final Map<String, Collection<String>> roleLinks, final String... roleNames) {
    final SecurityContext securityContext = doPrivileged(securityContext());
    if (securityContext == null) {
        // No security context on this thread: the caller is in no role.
        return false;
    }
    final EJBResource resource = new EJBResource(new HashMap<>());
    resource.setEjbName(ejbName);
    resource.setPolicyContextID(policyContextID);
    resource.setCallerRunAsIdentity(securityContext.getIncomingRunAs());
    resource.setCallerSubject(securityContext.getUtil().getSubject());
    Principal userPrincipal = securityContext.getUtil().getUserPrincipal();
    resource.setPrincipal(userPrincipal);
    if (roleLinks != null) {
        // Flatten the alias -> role names map into individual security role references.
        final Set<SecurityRoleRef> roleRefs = new HashSet<>();
        for (String key : roleLinks.keySet()) {
            Collection<String> values = roleLinks.get(key);
            if (values != null) {
                for (String value : values) {
                    roleRefs.add(new SecurityRoleRef(key, value));
                }
            }
        }
        resource.setSecurityRoleReferences(roleRefs);
    }
    Map<String, Set<String>> previousRolesAssociationMap = null;
    try {
        // ensure the security roles association contains the incoming principal x roles map.
        if (incommingMappedRoles != null) {
            SecurityRolesMetaData rolesMetaData = (SecurityRolesMetaData) incommingMappedRoles;
            previousRolesAssociationMap = this.setSecurityRolesAssociation(rolesMetaData.getPrincipalVersusRolesMap());
        }
        AbstractEJBAuthorizationHelper helper = SecurityHelperFactory.getEJBAuthorizationHelper(securityContext);
        // Membership in any one of the requested roles is sufficient.
        for (String roleName : roleNames) {
            if (helper.isCallerInRole(resource, roleName)) {
                return true;
            }
        }
        return false;
    } catch (Exception e) {
        throw new RuntimeException(e);
    } finally {
        // reset the security roles association state.
        if (incommingMappedRoles != null) {
            this.setSecurityRolesAssociation(previousRolesAssociationMap);
        }
    }
}
Also used: EJBResource (org.jboss.security.authorization.resources.EJBResource), HashSet (java.util.HashSet), Set (java.util.Set), SecurityRolesMetaData (org.jboss.metadata.javaee.spec.SecurityRolesMetaData), SecurityRoleRef (org.jboss.security.javaee.SecurityRoleRef), AbstractEJBAuthorizationHelper (org.jboss.security.javaee.AbstractEJBAuthorizationHelper), SecurityContext (org.jboss.security.SecurityContext), Principal (java.security.Principal), SimplePrincipal (org.jboss.security.SimplePrincipal)

Example 5 with SecurityContext

Use of org.jboss.security.SecurityContext in project wildfly by wildfly.

Class SimpleSecurityManager, method pop.

/**
 * Must be called from within a privileged action.
 */
public void pop() {
    // Restore the context saved by the matching push().
    final SecurityContext sc = contexts.pop();
    SecurityContextAssociation.setSecurityContext(sc);
}
Also used: SecurityContext (org.jboss.security.SecurityContext)
