Example 1 with SecurityContext
use of org.jboss.security.SecurityContext in project wildfly by wildfly.
the class SimpleSecurityManager method push.
/**
* Must be called from within a privileged action.
*
* @param securityDomain
*/
public void push(final String securityDomain) {
// TODO - Handle a null securityDomain here? Yes I think so.
final SecurityContext previous = SecurityContextAssociation.getSecurityContext();
contexts.push(previous);
SecurityContext current = establishSecurityContext(securityDomain);
if (propagate && previous != null) {
current.setSubjectInfo(getSubjectInfo(previous));
current.setIncomingRunAs(previous.getOutgoingRunAs());
}
RunAs currentRunAs = current.getIncomingRunAs();
boolean trusted = currentRunAs != null && currentRunAs instanceof RunAsIdentity;
if (trusted == false) {
/*
* We should only be switching to a context based on an identity from the Remoting connection if we don't already
* have a trusted identity - this allows for beans to reauthenticate as a different identity.
*/
if (SecurityActions.remotingContextIsSet()) {
// In this case the principal and credential will not have been set to set some random values.
SecurityContextUtil util = current.getUtil();
Connection connection = SecurityActions.remotingContextGetConnection();
Principal p = null;
Object credential = null;
SecurityIdentity localIdentity = connection.getLocalIdentity();
if (localIdentity != null) {
p = new SimplePrincipal(localIdentity.getPrincipal().getName());
IdentityCredentials privateCredentials = localIdentity.getPrivateCredentials();
PasswordCredential passwordCredential = privateCredentials.getCredential(PasswordCredential.class, ClearPassword.ALGORITHM_CLEAR);
if (passwordCredential != null) {
credential = new String(passwordCredential.getPassword(ClearPassword.class).getPassword());
} else {
credential = new RemotingConnectionCredential(connection);
}
} else {
throw SecurityLogger.ROOT_LOGGER.noUserPrincipalFound();
}
SecurityActions.remotingContextClear();
util.createSubjectInfo(p, credential, null);
}
}
}
Also used :
ClearPassword(org.wildfly.security.password.interfaces.ClearPassword)
SecurityContextUtil(org.jboss.security.SecurityContextUtil)
RunAs(org.jboss.security.RunAs)
RunAsIdentity(org.jboss.security.RunAsIdentity)
Connection(org.jboss.remoting3.Connection)
PasswordCredential(org.wildfly.security.credential.PasswordCredential)
SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity)
SecurityContext(org.jboss.security.SecurityContext)
RemotingConnectionCredential(org.jboss.as.security.remoting.RemotingConnectionCredential)
Principal(java.security.Principal)
SimplePrincipal(org.jboss.security.SimplePrincipal)
SimplePrincipal(org.jboss.security.SimplePrincipal)
IdentityCredentials(org.wildfly.security.auth.server.IdentityCredentials)
Example 2 with SecurityContext
use of org.jboss.security.SecurityContext in project wildfly by wildfly.
the class SimpleSecurityManager method authorize.
public boolean authorize(String ejbName, CodeSource ejbCodeSource, String ejbMethodIntf, Method ejbMethod, Set<Principal> methodRoles, String contextID) {
final SecurityContext securityContext = doPrivileged(securityContext());
if (securityContext == null) {
return false;
}
EJBResource resource = new EJBResource(new HashMap<String, Object>());
resource.setEjbName(ejbName);
resource.setEjbMethod(ejbMethod);
resource.setEjbMethodInterface(ejbMethodIntf);
resource.setEjbMethodRoles(new SimpleRoleGroup(methodRoles));
resource.setCodeSource(ejbCodeSource);
resource.setPolicyContextID(contextID);
resource.setCallerRunAsIdentity(securityContext.getIncomingRunAs());
resource.setCallerSubject(securityContext.getUtil().getSubject());
Principal userPrincipal = securityContext.getUtil().getUserPrincipal();
resource.setPrincipal(userPrincipal);
try {
AbstractEJBAuthorizationHelper helper = SecurityHelperFactory.getEJBAuthorizationHelper(securityContext);
return helper.authorize(resource);
} catch (Exception e) {
throw new RuntimeException(e);
}
}
Also used :
EJBResource(org.jboss.security.authorization.resources.EJBResource)
AbstractEJBAuthorizationHelper(org.jboss.security.javaee.AbstractEJBAuthorizationHelper)
SecurityContext(org.jboss.security.SecurityContext)
Principal(java.security.Principal)
SimplePrincipal(org.jboss.security.SimplePrincipal)
SimpleRoleGroup(org.jboss.security.identity.plugins.SimpleRoleGroup)
Example 3 with SecurityContext
use of org.jboss.security.SecurityContext in project wildfly by wildfly.
the class SimpleSecurityManager method getCallerPrincipal.
public Principal getCallerPrincipal() {
final SecurityContext securityContext = doPrivileged(securityContext());
if (securityContext == null) {
return getUnauthenticatedIdentity().asPrincipal();
}
/*
* final Principal principal = getPrincipal(securityContext.getUtil().getSubject());
*/
Principal principal = securityContext.getIncomingRunAs();
if (principal == null)
principal = getPrincipal(getSubjectInfo(securityContext).getAuthenticatedSubject());
if (principal == null)
return getUnauthenticatedIdentity().asPrincipal();
return principal;
}
Also used :
SecurityContext(org.jboss.security.SecurityContext)
Principal(java.security.Principal)
SimplePrincipal(org.jboss.security.SimplePrincipal)
Example 4 with SecurityContext
use of org.jboss.security.SecurityContext in project wildfly by wildfly.
the class SimpleSecurityManager method isCallerInRole.
/**
* @param ejbName The name of the EJB component where isCallerInRole was invoked.
* @param incommingMappedRoles The principal vs roles mapping (if any). Can be null.
* @param roleLinks The role link map where the key is an alias role name and the value is the collection of
* role names, that alias represents. Can be null.
* @param roleNames The role names for which the caller is being checked for
* @return true if the user is in <b>any</b> one of the <code>roleNames</code>. Else returns false
*/
public boolean isCallerInRole(final String ejbName, final String policyContextID, final Object incommingMappedRoles, final Map<String, Collection<String>> roleLinks, final String... roleNames) {
final SecurityContext securityContext = doPrivileged(securityContext());
if (securityContext == null) {
return false;
}
final EJBResource resource = new EJBResource(new HashMap<String, Object>());
resource.setEjbName(ejbName);
resource.setPolicyContextID(policyContextID);
resource.setCallerRunAsIdentity(securityContext.getIncomingRunAs());
resource.setCallerSubject(securityContext.getUtil().getSubject());
Principal userPrincipal = securityContext.getUtil().getUserPrincipal();
resource.setPrincipal(userPrincipal);
if (roleLinks != null) {
final Set<SecurityRoleRef> roleRefs = new HashSet<SecurityRoleRef>();
for (String key : roleLinks.keySet()) {
Collection<String> values = roleLinks.get(key);
if (values != null) {
for (String value : values) roleRefs.add(new SecurityRoleRef(key, value));
}
}
resource.setSecurityRoleReferences(roleRefs);
}
Map<String, Set<String>> previousRolesAssociationMap = null;
try {
// ensure the security roles association contains the incoming principal x roles map.
if (incommingMappedRoles != null) {
SecurityRolesMetaData rolesMetaData = (SecurityRolesMetaData) incommingMappedRoles;
previousRolesAssociationMap = this.setSecurityRolesAssociation(rolesMetaData.getPrincipalVersusRolesMap());
}
AbstractEJBAuthorizationHelper helper = SecurityHelperFactory.getEJBAuthorizationHelper(securityContext);
for (String roleName : roleNames) {
if (helper.isCallerInRole(resource, roleName)) {
return true;
}
}
return false;
} catch (Exception e) {
throw new RuntimeException(e);
} finally {
// reset the security roles association state.
if (incommingMappedRoles != null) {
this.setSecurityRolesAssociation(previousRolesAssociationMap);
}
}
}
Also used :
EJBResource(org.jboss.security.authorization.resources.EJBResource)
HashSet(java.util.HashSet)
Set(java.util.Set)
SecurityRolesMetaData(org.jboss.metadata.javaee.spec.SecurityRolesMetaData)
SecurityRoleRef(org.jboss.security.javaee.SecurityRoleRef)
AbstractEJBAuthorizationHelper(org.jboss.security.javaee.AbstractEJBAuthorizationHelper)
SecurityContext(org.jboss.security.SecurityContext)
Principal(java.security.Principal)
SimplePrincipal(org.jboss.security.SimplePrincipal)
HashSet(java.util.HashSet)
Example 5 with SecurityContext
use of org.jboss.security.SecurityContext in project wildfly by wildfly.
the class SimpleSecurityManager method pop.
/**
* Must be called from within a privileged action.
*/
public void pop() {
final SecurityContext sc = contexts.pop();
SecurityContextAssociation.setSecurityContext(sc);
}
Also used :
SecurityContext(org.jboss.security.SecurityContext)
Aggregations
SecurityContext (org.jboss.security.SecurityContext)26
Subject (javax.security.auth.Subject)10
Principal (java.security.Principal)9
SimplePrincipal (org.jboss.security.SimplePrincipal)7
RunAs (org.jboss.security.RunAs)5
RunAsIdentity (org.jboss.security.RunAsIdentity)5
Connection (org.jboss.remoting3.Connection)4
SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)4
IOException (java.io.IOException)3
PrivilegedAction (java.security.PrivilegedAction)3
ArrayList (java.util.ArrayList)3
HashMap (java.util.HashMap)3
HashSet (java.util.HashSet)3
InterceptorContext (org.jboss.invocation.InterceptorContext)3
Set (java.util.Set)2
StartupCountdown (org.jboss.as.ee.component.deployers.StartupCountdown)2
SessionBeanComponent (org.jboss.as.ejb3.component.session.SessionBeanComponent)2
RemotingConnectionCredential (org.jboss.as.security.remoting.RemotingConnectionCredential)2
SecurityContextUtil (org.jboss.security.SecurityContextUtil)2
EJBResource (org.jboss.security.authorization.resources.EJBResource)2
