Search in sources :

Example 1 with SASContextBody

use of org.omg.CSI.SASContextBody in project wildfly by wildfly.

the class ElytronSASClientInterceptor method receive_exception.

@Override
public void receive_exception(ClientRequestInfo ri) throws ForwardRequest {
    try {
        ServiceContext sc = ri.get_reply_service_context(SAS_CONTEXT_ID);
        Any msg = codec.decode_value(sc.context_data, SASContextBodyHelper.type());
        SASContextBody contextBody = SASContextBodyHelper.extract(msg);
        // At this point contextBody may contain either a CompleteEstablishContext message or a ContextError message.
        // Neither message requires any treatment. We decoded the context body just to check that it contains
        // a well-formed message.
        IIOPLogger.ROOT_LOGGER.tracef("receive_exception: got SAS reply, type %d", contextBody.discriminator());
    } catch (BAD_PARAM e) {
    // no service context with sasContextId: do nothing.
    } catch (FormatMismatch | TypeMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_MAYBE);
    }
}
Also used : ServiceContext(org.omg.IOP.ServiceContext) BAD_PARAM(org.omg.CORBA.BAD_PARAM) SASContextBody(org.omg.CSI.SASContextBody) Any(org.omg.CORBA.Any) FormatMismatch(org.omg.IOP.CodecPackage.FormatMismatch) TypeMismatch(org.omg.IOP.CodecPackage.TypeMismatch)

Example 2 with SASContextBody

use of org.omg.CSI.SASContextBody in project wildfly by wildfly.

the class ElytronSASClientInterceptor method receive_reply.

@Override
public void receive_reply(ClientRequestInfo ri) {
    try {
        ServiceContext sc = ri.get_reply_service_context(SAS_CONTEXT_ID);
        Any msg = codec.decode_value(sc.context_data, SASContextBodyHelper.type());
        SASContextBody contextBody = SASContextBodyHelper.extract(msg);
        // At this point contextBody should contain a CompleteEstablishContext message, which does not require any
        // treatment. ContextError messages should arrive via receive_exception().
        IIOPLogger.ROOT_LOGGER.tracef("receive_reply: got SAS reply, type %d", contextBody.discriminator());
        if (contextBody.discriminator() == MTContextError.value) {
            // should not happen.
            throw IIOPLogger.ROOT_LOGGER.unexpectedContextErrorInSASReply(0, CompletionStatus.COMPLETED_YES);
        }
    } catch (BAD_PARAM e) {
    // no service context with sasContextId: do nothing
    } catch (FormatMismatch | TypeMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_YES);
    }
}
Also used : ServiceContext(org.omg.IOP.ServiceContext) BAD_PARAM(org.omg.CORBA.BAD_PARAM) SASContextBody(org.omg.CSI.SASContextBody) Any(org.omg.CORBA.Any) FormatMismatch(org.omg.IOP.CodecPackage.FormatMismatch) TypeMismatch(org.omg.IOP.CodecPackage.TypeMismatch)

Example 3 with SASContextBody

use of org.omg.CSI.SASContextBody in project wildfly by wildfly.

the class ElytronSASClientInterceptor method send_request.

@Override
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
    try {
        CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec, EstablishTrustInClient.value, /* client supports */
        (short) 0);
        if (secMech == null) {
            return;
        }
        // these "null tokens" will be changed if needed.
        IdentityToken identityToken = ABSENT_IDENTITY_TOKEN;
        byte[] encodedAuthenticationToken = NO_AUTHENTICATION_TOKEN;
        final URI uri = this.getURI(ri);
        if (uri == null) {
            return;
        }
        SecurityDomain domain = SecurityDomain.getCurrent();
        SecurityIdentity currentIdentity = null;
        if (domain != null) {
            currentIdentity = domain.getCurrentSecurityIdentity();
        }
        final AuthenticationContext authContext;
        if (this.authContext != null) {
            authContext = this.authContext;
        } else if (currentIdentity == null || currentIdentity.isAnonymous()) {
            authContext = AuthenticationContext.captureCurrent();
        } else {
            authContext = AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.EMPTY.useForwardedIdentity(domain));
        }
        if ((secMech.sas_context_mech.target_supports & IdentityAssertion.value) != 0) {
            final AuthenticationConfiguration configuration = AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, authContext, -1, null, null, "client-auth");
            final Principal principal = AUTH_CONFIG_CLIENT.getPrincipal(configuration);
            if (principal != null && principal != AnonymousPrincipal.getInstance()) {
                // The name scope needs to be externalized.
                String name = principal.getName();
                if (name.indexOf('@') < 0) {
                    // hardcoded (REVISIT!)
                    name += "@default";
                }
                byte[] principalName = name.getBytes(StandardCharsets.UTF_8);
                // encode the principal name as mandated by RFC2743.
                byte[] encodedName = CSIv2Util.encodeGssExportedName(principalName);
                // encapsulate the encoded name.
                Any any = ORB.init().create_any();
                byte[] encapsulatedEncodedName;
                GSS_NT_ExportedNameHelper.insert(any, encodedName);
                try {
                    encapsulatedEncodedName = codec.encode_value(any);
                } catch (InvalidTypeForEncoding e) {
                    throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
                }
                // create identity token.
                identityToken = new IdentityToken();
                identityToken.principal_name(encapsulatedEncodedName);
            } else if ((secMech.sas_context_mech.supported_identity_types & ITTAnonymous.value) != 0) {
                // no run-as or caller identity and the target supports ITTAnonymous: use the anonymous identity.
                identityToken = new IdentityToken();
                identityToken.anonymous(true);
            }
            // target might require an additional initial context token with a username/password pair for authentication.
            if ((secMech.as_context_mech.target_requires & EstablishTrustInClient.value) != 0) {
                encodedAuthenticationToken = this.createInitialContextToken(uri, "server-auth", secMech);
            }
        } else if ((secMech.as_context_mech.target_supports & EstablishTrustInClient.value) != 0) {
            // target doesn't require an identity token but supports username/password authentication - try to build
            // an initial context token using the configuration.
            encodedAuthenticationToken = this.createInitialContextToken(uri, "client-auth", secMech);
        }
        if (identityToken != ABSENT_IDENTITY_TOKEN || encodedAuthenticationToken != NO_AUTHENTICATION_TOKEN) {
            // at least one non-null token was created, create EstablishContext message with it.
            EstablishContext message = new // stateless ctx id
            EstablishContext(// stateless ctx id
            0, NO_AUTHORIZATION_TOKEN, identityToken, encodedAuthenticationToken);
            // create SAS context with the EstablishContext message.
            SASContextBody contextBody = new SASContextBody();
            contextBody.establish_msg(message);
            // stuff the SAS context into the outgoing request.
            final Any any = ORB.init().create_any();
            SASContextBodyHelper.insert(any, contextBody);
            ServiceContext sc = new ServiceContext(SAS_CONTEXT_ID, codec.encode_value(any));
            ri.add_request_service_context(sc, true);
        }
    } catch (Exception e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration) AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) ServiceContext(org.omg.IOP.ServiceContext) SASContextBody(org.omg.CSI.SASContextBody) URI(java.net.URI) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding) URISyntaxException(java.net.URISyntaxException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain) SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) IdentityToken(org.omg.CSI.IdentityToken) EstablishContext(org.omg.CSI.EstablishContext) AnonymousPrincipal(org.wildfly.security.auth.principal.AnonymousPrincipal) Principal(java.security.Principal)

Example 4 with SASContextBody

use of org.omg.CSI.SASContextBody in project wildfly by wildfly.

the class SASClientIdentityInterceptor method receive_reply.

@Override
public void receive_reply(ClientRequestInfo ri) {
    try {
        ServiceContext sc = ri.get_reply_service_context(sasContextId);
        Any msg = codec.decode_value(sc.context_data, SASContextBodyHelper.type());
        SASContextBody contextBody = SASContextBodyHelper.extract(msg);
        // At this point contextBody should contain a CompleteEstablishContext message, which does not require any
        // treatment. ContextError messages should arrive via receive_exception().
        IIOPLogger.ROOT_LOGGER.tracef("receive_reply: got SAS reply, type %d", contextBody.discriminator());
        if (contextBody.discriminator() == MTContextError.value) {
            // should not happen.
            throw IIOPLogger.ROOT_LOGGER.unexpectedContextErrorInSASReply(0, CompletionStatus.COMPLETED_YES);
        }
    } catch (BAD_PARAM e) {
    // no service context with sasContextId: do nothing.
    } catch (FormatMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_YES);
    } catch (TypeMismatch e) {
        throw IIOPLogger.ROOT_LOGGER.errorParsingSASReply(e, 0, CompletionStatus.COMPLETED_YES);
    }
}
Also used : ServiceContext(org.omg.IOP.ServiceContext) BAD_PARAM(org.omg.CORBA.BAD_PARAM) SASContextBody(org.omg.CSI.SASContextBody) Any(org.omg.CORBA.Any) FormatMismatch(org.omg.IOP.CodecPackage.FormatMismatch) TypeMismatch(org.omg.IOP.CodecPackage.TypeMismatch)

Example 5 with SASContextBody

use of org.omg.CSI.SASContextBody in project wildfly by wildfly.

the class SASClientInterceptor method send_request.

@Override
public void send_request(ClientRequestInfo ri) {
    try {
        CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec, EstablishTrustInClient.value, /* client supports */
        (short) 0);
        if (secMech == null) {
            return;
        }
        if ((secMech.as_context_mech.target_supports & EstablishTrustInClient.value) != 0) {
            Principal p = SecurityActions.getPrincipal();
            if (p != null) {
                byte[] encodedTargetName = secMech.as_context_mech.target_name;
                // The name scope needs to be externalized.
                String name = p.getName();
                if (name.indexOf('@') < 0) {
                    byte[] decodedTargetName = CSIv2Util.decodeGssExportedName(encodedTargetName);
                    String targetName = new String(decodedTargetName, StandardCharsets.UTF_8);
                    // "@default"
                    name += "@" + targetName;
                }
                byte[] username = name.getBytes(StandardCharsets.UTF_8);
                // I don't know why there is not a better way to go from char[] -> byte[].
                Object credential = SecurityActions.getCredential();
                byte[] password = {};
                if (credential instanceof char[]) {
                    String tmp = new String((char[]) credential);
                    password = tmp.getBytes(StandardCharsets.UTF_8);
                } else if (credential instanceof byte[])
                    password = (byte[]) credential;
                else if (credential != null) {
                    String tmp = credential.toString();
                    password = tmp.getBytes(StandardCharsets.UTF_8);
                }
                // create authentication token.
                InitialContextToken authenticationToken = new InitialContextToken(username, password, encodedTargetName);
                // ASN.1-encode it, as defined in RFC 2743.
                byte[] encodedAuthenticationToken = CSIv2Util.encodeInitialContextToken(authenticationToken, codec);
                // create EstablishContext message with the encoded token.
                EstablishContext message = new // stateless ctx id
                EstablishContext(// stateless ctx id
                0, noAuthorizationToken, absentIdentityToken, encodedAuthenticationToken);
                // create SAS context with the EstablishContext message.
                SASContextBody contextBody = new SASContextBody();
                contextBody.establish_msg(message);
                // stuff the SAS context into the outgoing request.
                Any any = ORB.init().create_any();
                SASContextBodyHelper.insert(any, contextBody);
                ServiceContext sc = new ServiceContext(sasContextId, codec.encode_value(any));
                ri.add_request_service_context(sc, true);
            }
        }
    } catch (Exception e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) ServiceContext(org.omg.IOP.ServiceContext) InitialContextToken(org.omg.GSSUP.InitialContextToken) SASContextBody(org.omg.CSI.SASContextBody) LocalObject(org.omg.CORBA.LocalObject) EstablishContext(org.omg.CSI.EstablishContext) Any(org.omg.CORBA.Any) Principal(java.security.Principal)

Aggregations

Any (org.omg.CORBA.Any)10 SASContextBody (org.omg.CSI.SASContextBody)10 ServiceContext (org.omg.IOP.ServiceContext)10 BAD_PARAM (org.omg.CORBA.BAD_PARAM)7 FormatMismatch (org.omg.IOP.CodecPackage.FormatMismatch)7 TypeMismatch (org.omg.IOP.CodecPackage.TypeMismatch)7 EstablishContext (org.omg.CSI.EstablishContext)4 Principal (java.security.Principal)3 CompoundSecMech (org.omg.CSIIOP.CompoundSecMech)3 InitialContextToken (org.omg.GSSUP.InitialContextToken)3 IdentityToken (org.omg.CSI.IdentityToken)2 InvalidTypeForEncoding (org.omg.IOP.CodecPackage.InvalidTypeForEncoding)2 URI (java.net.URI)1 URISyntaxException (java.net.URISyntaxException)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 RunAs (org.jboss.security.RunAs)1 LocalObject (org.omg.CORBA.LocalObject)1 CompleteEstablishContext (org.omg.CSI.CompleteEstablishContext)1 MTEstablishContext (org.omg.CSI.MTEstablishContext)1 AuthenticationConfiguration (org.wildfly.security.auth.client.AuthenticationConfiguration)1