Example 1 with InitialContextToken
use of org.omg.GSSUP.InitialContextToken in project wildfly by wildfly.
the class ElytronSASClientInterceptor method createInitialContextToken.
/**
* Create an encoded {@link InitialContextToken} with an username/password pair obtained from an Elytron client configuration
* matched by the specified {@link URI} and purpose.
*
* @param uri the target {@link URI}.
* @param purpose a {@link String} representing the purpose of the configuration that will be used.
* @param secMech a reference to the {@link CompoundSecMech} that was found in the {@link ClientRequestInfo}.
* @return the encoded {@link InitialContextToken}, if a valid username is obtained from the matched configuration;
* an empty {@code byte[]} otherwise;
* @throws Exception if an error occurs while building the encoded {@link InitialContextToken}.
*/
private byte[] createInitialContextToken(final URI uri, final String purpose, final CompoundSecMech secMech) throws Exception {
AuthenticationContext authContext = this.authContext == null ? AuthenticationContext.captureCurrent() : this.authContext;
// obtain the configuration that matches the URI and purpose.
final AuthenticationConfiguration configuration = AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, authContext, -1, null, null, purpose);
// get the callback handler from the configuration and use it to obtain a username/password pair.
final CallbackHandler handler = AUTH_CONFIG_CLIENT.getCallbackHandler(configuration);
final NameCallback nameCallback = new NameCallback("Username: ");
final PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
try {
handler.handle(new Callback[] { nameCallback, passwordCallback });
} catch (UnsupportedCallbackException e) {
return NO_AUTHENTICATION_TOKEN;
}
// if the name callback contains a valid username we create the initial context token.
if (nameCallback.getName() != null && !nameCallback.getName().equals(AnonymousPrincipal.getInstance().getName())) {
byte[] encodedTargetName = secMech.as_context_mech.target_name;
String name = nameCallback.getName();
if (name.indexOf('@') < 0) {
byte[] decodedTargetName = CSIv2Util.decodeGssExportedName(encodedTargetName);
String targetName = new String(decodedTargetName, StandardCharsets.UTF_8);
// "@default"
name += "@" + targetName;
}
byte[] username = name.getBytes(StandardCharsets.UTF_8);
byte[] password = {};
if (passwordCallback.getPassword() != null)
password = new String(passwordCallback.getPassword()).getBytes(StandardCharsets.UTF_8);
// create the initial context token and ASN.1-encode it, as defined in RFC 2743.
InitialContextToken authenticationToken = new InitialContextToken(username, password, encodedTargetName);
return CSIv2Util.encodeInitialContextToken(authenticationToken, codec);
}
return NO_AUTHENTICATION_TOKEN;
}
Also used :
AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration)
CallbackHandler(javax.security.auth.callback.CallbackHandler)
AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext)
NameCallback(javax.security.auth.callback.NameCallback)
InitialContextToken(org.omg.GSSUP.InitialContextToken)
PasswordCallback(javax.security.auth.callback.PasswordCallback)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
Example 2 with InitialContextToken
use of org.omg.GSSUP.InitialContextToken in project wildfly by wildfly.
the class SASClientInterceptor method send_request.
@Override
public void send_request(ClientRequestInfo ri) {
try {
CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec, EstablishTrustInClient.value, /* client supports */
(short) 0);
if (secMech == null) {
return;
}
if ((secMech.as_context_mech.target_supports & EstablishTrustInClient.value) != 0) {
Principal p = SecurityActions.getPrincipal();
if (p != null) {
byte[] encodedTargetName = secMech.as_context_mech.target_name;
// The name scope needs to be externalized.
String name = p.getName();
if (name.indexOf('@') < 0) {
byte[] decodedTargetName = CSIv2Util.decodeGssExportedName(encodedTargetName);
String targetName = new String(decodedTargetName, StandardCharsets.UTF_8);
// "@default"
name += "@" + targetName;
}
byte[] username = name.getBytes(StandardCharsets.UTF_8);
// I don't know why there is not a better way to go from char[] -> byte[].
Object credential = SecurityActions.getCredential();
byte[] password = {};
if (credential instanceof char[]) {
String tmp = new String((char[]) credential);
password = tmp.getBytes(StandardCharsets.UTF_8);
} else if (credential instanceof byte[])
password = (byte[]) credential;
else if (credential != null) {
String tmp = credential.toString();
password = tmp.getBytes(StandardCharsets.UTF_8);
}
// create authentication token.
InitialContextToken authenticationToken = new InitialContextToken(username, password, encodedTargetName);
// ASN.1-encode it, as defined in RFC 2743.
byte[] encodedAuthenticationToken = CSIv2Util.encodeInitialContextToken(authenticationToken, codec);
// create EstablishContext message with the encoded token.
EstablishContext message = new // stateless ctx id
EstablishContext(// stateless ctx id
0, noAuthorizationToken, absentIdentityToken, encodedAuthenticationToken);
// create SAS context with the EstablishContext message.
SASContextBody contextBody = new SASContextBody();
contextBody.establish_msg(message);
// stuff the SAS context into the outgoing request.
Any any = ORB.init().create_any();
SASContextBodyHelper.insert(any, contextBody);
ServiceContext sc = new ServiceContext(sasContextId, codec.encode_value(any));
ri.add_request_service_context(sc, true);
}
}
} catch (Exception e) {
throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
}
}
Also used :
CompoundSecMech(org.omg.CSIIOP.CompoundSecMech)
ServiceContext(org.omg.IOP.ServiceContext)
InitialContextToken(org.omg.GSSUP.InitialContextToken)
SASContextBody(org.omg.CSI.SASContextBody)
LocalObject(org.omg.CORBA.LocalObject)
EstablishContext(org.omg.CSI.EstablishContext)
Any(org.omg.CORBA.Any)
Principal(java.security.Principal)
Example 3 with InitialContextToken
use of org.omg.GSSUP.InitialContextToken in project wildfly by wildfly.
the class SASTargetInterceptor method receive_request.
@Override
public void receive_request(ServerRequestInfo ri) {
IIOPLogger.ROOT_LOGGER.tracef("receive_request: %s", ri.operation());
CurrentRequestInfo threadLocal = threadLocalData.get();
threadLocal.sasContextReceived = false;
threadLocal.authenticationTokenReceived = false;
threadLocal.incomingUsername = empty;
threadLocal.incomingPassword = empty;
threadLocal.incomingTargetName = empty;
threadLocal.incomingIdentity = absent;
threadLocal.incomingPrincipalName = empty;
threadLocal.sasReply = null;
threadLocal.sasReplyIsAccept = false;
try {
ServiceContext sc = ri.get_request_service_context(sasContextId);
Any any = codec.decode_value(sc.context_data, SASContextBodyHelper.type());
SASContextBody contextBody = SASContextBodyHelper.extract(any);
if (contextBody != null) {
if (contextBody.discriminator() == MTMessageInContext.value) {
// should not happen, as stateful context requests are always negotiated down to stateless in this implementation.
long contextId = contextBody.in_context_msg().client_context_id;
threadLocal.sasReply = createMsgCtxError(contextId, 4);
throw IIOPLogger.ROOT_LOGGER.missingSASContext();
} else if (contextBody.discriminator() == MTEstablishContext.value) {
EstablishContext message = contextBody.establish_msg();
threadLocal.contextId = message.client_context_id;
threadLocal.sasContextReceived = true;
if (message.client_authentication_token != null && message.client_authentication_token.length > 0) {
IIOPLogger.ROOT_LOGGER.trace("Received client authentication token");
InitialContextToken authToken = CSIv2Util.decodeInitialContextToken(message.client_authentication_token, codec);
if (authToken == null) {
threadLocal.sasReply = createMsgCtxError(message.client_context_id, 2);
throw IIOPLogger.ROOT_LOGGER.errorDecodingInitContextToken();
}
threadLocal.incomingUsername = authToken.username;
threadLocal.incomingPassword = authToken.password;
threadLocal.incomingTargetName = CSIv2Util.decodeGssExportedName(authToken.target_name);
if (threadLocal.incomingTargetName == null) {
threadLocal.sasReply = createMsgCtxError(message.client_context_id, 2);
throw IIOPLogger.ROOT_LOGGER.errorDecodingTargetInContextToken();
}
threadLocal.authenticationTokenReceived = true;
}
if (message.identity_token != null) {
IIOPLogger.ROOT_LOGGER.trace("Received identity token");
threadLocal.incomingIdentity = message.identity_token;
if (message.identity_token.discriminator() == ITTPrincipalName.value) {
// Extract the RFC2743-encoded name from CDR encapsulation.
Any a = codec.decode_value(message.identity_token.principal_name(), GSS_NT_ExportedNameHelper.type());
byte[] encodedName = GSS_NT_ExportedNameHelper.extract(a);
// Decode the principal name.
threadLocal.incomingPrincipalName = CSIv2Util.decodeGssExportedName(encodedName);
if (threadLocal.incomingPrincipalName == null) {
threadLocal.sasReply = createMsgCtxError(message.client_context_id, 2);
throw IIOPLogger.ROOT_LOGGER.errorDecodingPrincipalName();
}
}
}
threadLocal.sasReply = (threadLocal.contextId == 0) ? msgCtx0Accepted : createMsgCtxAccepted(threadLocal.contextId);
threadLocal.sasReplyIsAccept = true;
}
}
} catch (BAD_PARAM e) {
// no service context with sasContextId: do nothing.
} catch (FormatMismatch e) {
throw IIOPLogger.ROOT_LOGGER.errorDecodingContextData(this.name(), e);
} catch (TypeMismatch e) {
throw IIOPLogger.ROOT_LOGGER.errorDecodingContextData(this.name(), e);
}
}
Also used :
ServiceContext(org.omg.IOP.ServiceContext)
InitialContextToken(org.omg.GSSUP.InitialContextToken)
BAD_PARAM(org.omg.CORBA.BAD_PARAM)
SASContextBody(org.omg.CSI.SASContextBody)
CompleteEstablishContext(org.omg.CSI.CompleteEstablishContext)
EstablishContext(org.omg.CSI.EstablishContext)
MTEstablishContext(org.omg.CSI.MTEstablishContext)
Any(org.omg.CORBA.Any)
FormatMismatch(org.omg.IOP.CodecPackage.FormatMismatch)
TypeMismatch(org.omg.IOP.CodecPackage.TypeMismatch)
Example 4 with InitialContextToken
use of org.omg.GSSUP.InitialContextToken in project wildfly by wildfly.
the class SASClientIdentityInterceptor method send_request.
@Override
public void send_request(ClientRequestInfo ri) {
try {
CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec, (short) (EstablishTrustInClient.value + IdentityAssertion.value), /* client supports */
(short) 0);
if (secMech == null) {
return;
}
if (IIOPLogger.ROOT_LOGGER.isTraceEnabled()) {
StringBuilder tmp = new StringBuilder();
CSIv2Util.toString(secMech, tmp);
IIOPLogger.ROOT_LOGGER.trace(tmp);
}
// these "null tokens" will be changed if needed.
IdentityToken identityToken = absentIdentityToken;
byte[] encodedAuthenticationToken = noAuthenticationToken;
if ((secMech.sas_context_mech.target_supports & IdentityAssertion.value) != 0) {
// will create identity token.
RunAs runAs = SecurityActions.peekRunAsIdentity();
Principal p = (runAs != null) ? runAs : SecurityActions.getPrincipal();
if (p != null) {
// The name scope needs to be externalized.
String name = p.getName();
if (name.indexOf('@') < 0) {
// hardcoded (REVISIT!)
name += "@default";
}
byte[] principalName = name.getBytes(StandardCharsets.UTF_8);
// encode the principal name as mandated by RFC2743.
byte[] encodedName = CSIv2Util.encodeGssExportedName(principalName);
// encapsulate the encoded name.
Any any = ORB.init().create_any();
byte[] encapsulatedEncodedName;
GSS_NT_ExportedNameHelper.insert(any, encodedName);
try {
encapsulatedEncodedName = codec.encode_value(any);
} catch (InvalidTypeForEncoding e) {
throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
}
// create identity token.
identityToken = new IdentityToken();
identityToken.principal_name(encapsulatedEncodedName);
} else if ((secMech.sas_context_mech.supported_identity_types & ITTAnonymous.value) != 0) {
// no run-as or caller identity and the target supports ITTAnonymous: use the anonymous identity.
identityToken = new IdentityToken();
identityToken.anonymous(true);
}
}
if ((secMech.as_context_mech.target_requires & EstablishTrustInClient.value) != 0) {
// will create authentication token with the configured pair serverUsername/serverPassword.
byte[] encodedTargetName = secMech.as_context_mech.target_name;
String name = serverUsername;
if (name.indexOf('@') < 0) {
byte[] decodedTargetName = CSIv2Util.decodeGssExportedName(encodedTargetName);
String targetName = new String(decodedTargetName, StandardCharsets.UTF_8);
// "@default"
name += "@" + targetName;
}
byte[] username = name.getBytes(StandardCharsets.UTF_8);
// I don't know why there is not a better way to go from char[] -> byte[].
byte[] password = serverPassword.getBytes(StandardCharsets.UTF_8);
// create authentication token
InitialContextToken authenticationToken = new InitialContextToken(username, password, encodedTargetName);
// ASN.1-encode it, as defined in RFC 2743.
encodedAuthenticationToken = CSIv2Util.encodeInitialContextToken(authenticationToken, codec);
}
if (identityToken != absentIdentityToken || encodedAuthenticationToken != noAuthenticationToken) {
// at least one non-null token was created, create EstablishContext message with it.
EstablishContext message = new // stateless ctx id
EstablishContext(// stateless ctx id
0, noAuthorizationToken, identityToken, encodedAuthenticationToken);
// create SAS context with the EstablishContext message.
SASContextBody contextBody = new SASContextBody();
contextBody.establish_msg(message);
// stuff the SAS context into the outgoing request.
Any any = ORB.init().create_any();
SASContextBodyHelper.insert(any, contextBody);
ServiceContext sc = new ServiceContext(sasContextId, codec.encode_value(any));
ri.add_request_service_context(sc, true);
}
} catch (InvalidTypeForEncoding e) {
throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
}
}
Also used :
CompoundSecMech(org.omg.CSIIOP.CompoundSecMech)
ServiceContext(org.omg.IOP.ServiceContext)
RunAs(org.jboss.security.RunAs)
SASContextBody(org.omg.CSI.SASContextBody)
Any(org.omg.CORBA.Any)
InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding)
IdentityToken(org.omg.CSI.IdentityToken)
InitialContextToken(org.omg.GSSUP.InitialContextToken)
EstablishContext(org.omg.CSI.EstablishContext)
Principal(java.security.Principal)
Aggregations
InitialContextToken (org.omg.GSSUP.InitialContextToken)4
Any (org.omg.CORBA.Any)3
EstablishContext (org.omg.CSI.EstablishContext)3
SASContextBody (org.omg.CSI.SASContextBody)3
ServiceContext (org.omg.IOP.ServiceContext)3
Principal (java.security.Principal)2
CompoundSecMech (org.omg.CSIIOP.CompoundSecMech)2
CallbackHandler (javax.security.auth.callback.CallbackHandler)1
NameCallback (javax.security.auth.callback.NameCallback)1
PasswordCallback (javax.security.auth.callback.PasswordCallback)1
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1
RunAs (org.jboss.security.RunAs)1
BAD_PARAM (org.omg.CORBA.BAD_PARAM)1
LocalObject (org.omg.CORBA.LocalObject)1
CompleteEstablishContext (org.omg.CSI.CompleteEstablishContext)1
IdentityToken (org.omg.CSI.IdentityToken)1
MTEstablishContext (org.omg.CSI.MTEstablishContext)1
FormatMismatch (org.omg.IOP.CodecPackage.FormatMismatch)1
InvalidTypeForEncoding (org.omg.IOP.CodecPackage.InvalidTypeForEncoding)1
TypeMismatch (org.omg.IOP.CodecPackage.TypeMismatch)1
