Search in sources :

Example 1 with CompoundSecMech

use of org.omg.CSIIOP.CompoundSecMech in project wildfly by wildfly.

the class SASClientInterceptor method send_request.

@Override
public void send_request(ClientRequestInfo ri) {
    try {
        CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec, EstablishTrustInClient.value, /* client supports */
        (short) 0);
        if (secMech == null) {
            return;
        }
        if ((secMech.as_context_mech.target_supports & EstablishTrustInClient.value) != 0) {
            Principal p = SecurityActions.getPrincipal();
            if (p != null) {
                byte[] encodedTargetName = secMech.as_context_mech.target_name;
                // The name scope needs to be externalized.
                String name = p.getName();
                if (name.indexOf('@') < 0) {
                    byte[] decodedTargetName = CSIv2Util.decodeGssExportedName(encodedTargetName);
                    String targetName = new String(decodedTargetName, StandardCharsets.UTF_8);
                    // "@default"
                    name += "@" + targetName;
                }
                byte[] username = name.getBytes(StandardCharsets.UTF_8);
                // I don't know why there is not a better way to go from char[] -> byte[].
                Object credential = SecurityActions.getCredential();
                byte[] password = {};
                if (credential instanceof char[]) {
                    String tmp = new String((char[]) credential);
                    password = tmp.getBytes(StandardCharsets.UTF_8);
                } else if (credential instanceof byte[])
                    password = (byte[]) credential;
                else if (credential != null) {
                    String tmp = credential.toString();
                    password = tmp.getBytes(StandardCharsets.UTF_8);
                }
                // create authentication token.
                InitialContextToken authenticationToken = new InitialContextToken(username, password, encodedTargetName);
                // ASN.1-encode it, as defined in RFC 2743.
                byte[] encodedAuthenticationToken = CSIv2Util.encodeInitialContextToken(authenticationToken, codec);
                // create EstablishContext message with the encoded token.
                EstablishContext message = new // stateless ctx id
                EstablishContext(// stateless ctx id
                0, noAuthorizationToken, absentIdentityToken, encodedAuthenticationToken);
                // create SAS context with the EstablishContext message.
                SASContextBody contextBody = new SASContextBody();
                contextBody.establish_msg(message);
                // stuff the SAS context into the outgoing request.
                Any any = ORB.init().create_any();
                SASContextBodyHelper.insert(any, contextBody);
                ServiceContext sc = new ServiceContext(sasContextId, codec.encode_value(any));
                ri.add_request_service_context(sc, true);
            }
        }
    } catch (Exception e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) ServiceContext(org.omg.IOP.ServiceContext) InitialContextToken(org.omg.GSSUP.InitialContextToken) SASContextBody(org.omg.CSI.SASContextBody) LocalObject(org.omg.CORBA.LocalObject) EstablishContext(org.omg.CSI.EstablishContext) Any(org.omg.CORBA.Any) Principal(java.security.Principal)

Example 2 with CompoundSecMech

use of org.omg.CSIIOP.CompoundSecMech in project wildfly by wildfly.

the class CSIv2Util method createSecurityTaggedComponent.

/**
 * <p>
 * Return a top-level {@code IOP:TaggedComponent} to be stuffed into an IOR, containing a {@code org.omg.CSIIOP}.
 * {@code CompoundSecMechList}, tagged as {@code TAG_CSI_SEC_MECH_LIST}. Only one such component can exist inside
 * an IOR.
 * </p>
 * <p>
 * Should be called with non-null metadata, in which case we probably don't want to include security info in the IOR.
 * </p>
 *
 * @param metadata the metadata object that contains the CSIv2 security configuration info.
 * @param codec    the {@code Codec} used to encode the CSIv2 security component.
 * @param sslPort  an {@code int} representing the SSL port.
 * @param orb      a reference to the running {@code ORB}.
 * @return a {@code TaggedComponent} representing the encoded CSIv2 security component.
 */
public static TaggedComponent createSecurityTaggedComponent(IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
    if (metadata == null) {
        IIOPLogger.ROOT_LOGGER.debug("Method createSecurityTaggedComponent() called with null metadata");
        return null;
    }
    TaggedComponent tc;
    // get the the supported security mechanisms.
    CompoundSecMech[] mechList = createCompoundSecMechanisms(metadata, codec, sslPort, orb);
    // the above is wrapped into a org.omg.CSIIOP.CompoundSecMechList structure, which is NOT a CompoundSecMech[].
    // we don't support stateful/reusable security contexts (false).
    CompoundSecMechList csmList = new CompoundSecMechList(false, mechList);
    // finally, the CompoundSecMechList must be encoded as a TaggedComponent
    try {
        Any any = orb.create_any();
        CompoundSecMechListHelper.insert(any, csmList);
        byte[] b = codec.encode_value(any);
        tc = new TaggedComponent(TAG_CSI_SEC_MECH_LIST.value, b);
    } catch (InvalidTypeForEncoding e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
    return tc;
}
Also used : CompoundSecMechList(org.omg.CSIIOP.CompoundSecMechList) TaggedComponent(org.omg.IOP.TaggedComponent) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding)

Example 3 with CompoundSecMech

use of org.omg.CSIIOP.CompoundSecMech in project wildfly by wildfly.

the class ElytronSASClientInterceptor method send_request.

@Override
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
    try {
        CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec, EstablishTrustInClient.value, /* client supports */
        (short) 0);
        if (secMech == null) {
            return;
        }
        // these "null tokens" will be changed if needed.
        IdentityToken identityToken = ABSENT_IDENTITY_TOKEN;
        byte[] encodedAuthenticationToken = NO_AUTHENTICATION_TOKEN;
        final URI uri = this.getURI(ri);
        if (uri == null) {
            return;
        }
        SecurityDomain domain = getCurrentSecurityDomain();
        SecurityIdentity currentIdentity = null;
        if (domain != null) {
            currentIdentity = domain.getCurrentSecurityIdentity();
        }
        final AuthenticationContext authContext;
        if (this.authContext != null) {
            authContext = this.authContext;
        } else if (currentIdentity == null || currentIdentity.isAnonymous()) {
            authContext = AuthenticationContext.captureCurrent();
        } else {
            authContext = AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty().useForwardedIdentity(domain));
        }
        if ((secMech.sas_context_mech.target_supports & IdentityAssertion.value) != 0) {
            final AuthenticationConfiguration configuration = AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, authContext, -1, null, null);
            final Principal principal = AUTH_CONFIG_CLIENT.getPrincipal(configuration);
            if (principal != null && principal != AnonymousPrincipal.getInstance()) {
                // The name scope needs to be externalized.
                String name = principal.getName();
                if (name.indexOf('@') < 0) {
                    // hardcoded (REVISIT!)
                    name += "@default";
                }
                byte[] principalName = name.getBytes(StandardCharsets.UTF_8);
                // encode the principal name as mandated by RFC2743.
                byte[] encodedName = CSIv2Util.encodeGssExportedName(principalName);
                // encapsulate the encoded name.
                Any any = ORB.init().create_any();
                byte[] encapsulatedEncodedName;
                GSS_NT_ExportedNameHelper.insert(any, encodedName);
                try {
                    encapsulatedEncodedName = codec.encode_value(any);
                } catch (InvalidTypeForEncoding e) {
                    throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
                }
                // create identity token.
                identityToken = new IdentityToken();
                identityToken.principal_name(encapsulatedEncodedName);
            } else if ((secMech.sas_context_mech.supported_identity_types & ITTAnonymous.value) != 0) {
                // no run-as or caller identity and the target supports ITTAnonymous: use the anonymous identity.
                identityToken = new IdentityToken();
                identityToken.anonymous(true);
            }
            // target might require an additional initial context token with a username/password pair for authentication.
            if ((secMech.as_context_mech.target_requires & EstablishTrustInClient.value) != 0) {
                encodedAuthenticationToken = this.createInitialContextToken(uri, secMech);
            }
        } else if ((secMech.as_context_mech.target_supports & EstablishTrustInClient.value) != 0) {
            // target doesn't require an identity token but supports username/password authentication - try to build
            // an initial context token using the configuration.
            encodedAuthenticationToken = this.createInitialContextToken(uri, secMech);
        }
        if (identityToken != ABSENT_IDENTITY_TOKEN || encodedAuthenticationToken != NO_AUTHENTICATION_TOKEN) {
            // at least one non-null token was created, create EstablishContext message with it.
            EstablishContext message = new // stateless ctx id
            EstablishContext(// stateless ctx id
            0, NO_AUTHORIZATION_TOKEN, identityToken, encodedAuthenticationToken);
            // create SAS context with the EstablishContext message.
            SASContextBody contextBody = new SASContextBody();
            contextBody.establish_msg(message);
            // stuff the SAS context into the outgoing request.
            final Any any = ORB.init().create_any();
            SASContextBodyHelper.insert(any, contextBody);
            ServiceContext sc = new ServiceContext(SAS_CONTEXT_ID, codec.encode_value(any));
            ri.add_request_service_context(sc, true);
        }
    } catch (Exception e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration) AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) ServiceContext(org.omg.IOP.ServiceContext) SASContextBody(org.omg.CSI.SASContextBody) URI(java.net.URI) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding) URISyntaxException(java.net.URISyntaxException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain) SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) IdentityToken(org.omg.CSI.IdentityToken) EstablishContext(org.omg.CSI.EstablishContext) AnonymousPrincipal(org.wildfly.security.auth.principal.AnonymousPrincipal) Principal(java.security.Principal)

Example 4 with CompoundSecMech

use of org.omg.CSIIOP.CompoundSecMech in project wildfly by wildfly.

the class SASClientIdentityInterceptor method send_request.

@Override
public void send_request(ClientRequestInfo ri) {
    try {
        CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec, (short) (EstablishTrustInClient.value + IdentityAssertion.value), /* client supports */
        (short) 0);
        if (secMech == null) {
            return;
        }
        if (IIOPLogger.ROOT_LOGGER.isTraceEnabled()) {
            StringBuilder tmp = new StringBuilder();
            CSIv2Util.toString(secMech, tmp);
            IIOPLogger.ROOT_LOGGER.trace(tmp);
        }
        // these "null tokens" will be changed if needed.
        IdentityToken identityToken = absentIdentityToken;
        byte[] encodedAuthenticationToken = noAuthenticationToken;
        if ((secMech.sas_context_mech.target_supports & IdentityAssertion.value) != 0) {
            // will create identity token.
            RunAs runAs = SecurityActions.peekRunAsIdentity();
            Principal p = (runAs != null) ? runAs : SecurityActions.getPrincipal();
            if (p != null) {
                // The name scope needs to be externalized.
                String name = p.getName();
                if (name.indexOf('@') < 0) {
                    // hardcoded (REVISIT!)
                    name += "@default";
                }
                byte[] principalName = name.getBytes(StandardCharsets.UTF_8);
                // encode the principal name as mandated by RFC2743.
                byte[] encodedName = CSIv2Util.encodeGssExportedName(principalName);
                // encapsulate the encoded name.
                Any any = ORB.init().create_any();
                byte[] encapsulatedEncodedName;
                GSS_NT_ExportedNameHelper.insert(any, encodedName);
                try {
                    encapsulatedEncodedName = codec.encode_value(any);
                } catch (InvalidTypeForEncoding e) {
                    throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
                }
                // create identity token.
                identityToken = new IdentityToken();
                identityToken.principal_name(encapsulatedEncodedName);
            } else if ((secMech.sas_context_mech.supported_identity_types & ITTAnonymous.value) != 0) {
                // no run-as or caller identity and the target supports ITTAnonymous: use the anonymous identity.
                identityToken = new IdentityToken();
                identityToken.anonymous(true);
            }
        }
        if ((secMech.as_context_mech.target_requires & EstablishTrustInClient.value) != 0) {
            // will create authentication token with the configured pair serverUsername/serverPassword.
            byte[] encodedTargetName = secMech.as_context_mech.target_name;
            String name = serverUsername;
            if (name.indexOf('@') < 0) {
                byte[] decodedTargetName = CSIv2Util.decodeGssExportedName(encodedTargetName);
                String targetName = new String(decodedTargetName, StandardCharsets.UTF_8);
                // "@default"
                name += "@" + targetName;
            }
            byte[] username = name.getBytes(StandardCharsets.UTF_8);
            // I don't know why there is not a better way to go from char[] -> byte[].
            byte[] password = serverPassword.getBytes(StandardCharsets.UTF_8);
            // create authentication token
            InitialContextToken authenticationToken = new InitialContextToken(username, password, encodedTargetName);
            // ASN.1-encode it, as defined in RFC 2743.
            encodedAuthenticationToken = CSIv2Util.encodeInitialContextToken(authenticationToken, codec);
        }
        if (identityToken != absentIdentityToken || encodedAuthenticationToken != noAuthenticationToken) {
            // at least one non-null token was created, create EstablishContext message with it.
            EstablishContext message = new // stateless ctx id
            EstablishContext(// stateless ctx id
            0, noAuthorizationToken, identityToken, encodedAuthenticationToken);
            // create SAS context with the EstablishContext message.
            SASContextBody contextBody = new SASContextBody();
            contextBody.establish_msg(message);
            // stuff the SAS context into the outgoing request.
            Any any = ORB.init().create_any();
            SASContextBodyHelper.insert(any, contextBody);
            ServiceContext sc = new ServiceContext(sasContextId, codec.encode_value(any));
            ri.add_request_service_context(sc, true);
        }
    } catch (InvalidTypeForEncoding e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) ServiceContext(org.omg.IOP.ServiceContext) RunAs(org.jboss.security.RunAs) SASContextBody(org.omg.CSI.SASContextBody) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding) IdentityToken(org.omg.CSI.IdentityToken) InitialContextToken(org.omg.GSSUP.InitialContextToken) EstablishContext(org.omg.CSI.EstablishContext) Principal(java.security.Principal)

Example 5 with CompoundSecMech

use of org.omg.CSIIOP.CompoundSecMech in project wildfly by wildfly.

the class CSIV2IORToSocketInfo method selectSSLTransportAddress.

private TransportAddress selectSSLTransportAddress(IOR ior) {
    CompoundSecMechList compoundSecMechList = readCompoundSecMechList(ior);
    if (compoundSecMechList != null) {
        for (CompoundSecMech mech : compoundSecMechList.mechanism_list) {
            TLS_SEC_TRANS sslMech = extractTlsSecTrans(ior, mech);
            if (sslMech == null) {
                continue;
            }
            boolean targetSupportsSsl = checkSSL(sslMech.target_supports);
            boolean targetRequiresSsl = checkSSL(sslMech.target_requires);
            if (!targetSupportsSsl && clientRequiresSsl) {
                throw IIOPLogger.ROOT_LOGGER.serverDoesNotSupportSsl();
            }
            if (targetSupportsSsl && (targetRequiresSsl || clientRequiresSsl)) {
                return extractAddress(sslMech);
            }
        }
    }
    return null;
}
Also used : TAG_TLS_SEC_TRANS(org.omg.CSIIOP.TAG_TLS_SEC_TRANS) TLS_SEC_TRANS(org.omg.CSIIOP.TLS_SEC_TRANS) CompoundSecMechList(org.omg.CSIIOP.CompoundSecMechList) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech)

Aggregations

CompoundSecMech (org.omg.CSIIOP.CompoundSecMech)7 Any (org.omg.CORBA.Any)5 Principal (java.security.Principal)3 EstablishContext (org.omg.CSI.EstablishContext)3 SASContextBody (org.omg.CSI.SASContextBody)3 CompoundSecMechList (org.omg.CSIIOP.CompoundSecMechList)3 InvalidTypeForEncoding (org.omg.IOP.CodecPackage.InvalidTypeForEncoding)3 ServiceContext (org.omg.IOP.ServiceContext)3 TaggedComponent (org.omg.IOP.TaggedComponent)3 IdentityToken (org.omg.CSI.IdentityToken)2 AS_ContextSec (org.omg.CSIIOP.AS_ContextSec)2 SAS_ContextSec (org.omg.CSIIOP.SAS_ContextSec)2 InitialContextToken (org.omg.GSSUP.InitialContextToken)2 URI (java.net.URI)1 URISyntaxException (java.net.URISyntaxException)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 RunAs (org.jboss.security.RunAs)1 BAD_PARAM (org.omg.CORBA.BAD_PARAM)1 LocalObject (org.omg.CORBA.LocalObject)1 TAG_TLS_SEC_TRANS (org.omg.CSIIOP.TAG_TLS_SEC_TRANS)1