Example 1 with InvalidTypeForEncoding

Use of org.omg.IOP.CodecPackage.InvalidTypeForEncoding in project wildfly by wildfly.

The class CSIv2Util, method createSSLTaggedComponent.

/**
 * <p>
 * Return a top-level {@code IOP::TaggedComponent} to be stuffed into an IOR, containing a structure
 * {@code SSLIOP::SSL}, tagged as {@code TAG_SSL_SEC_TRANS}.
 * </p>
 * <p>
 * Should be called with non-null metadata; when metadata is {@code null} no security info is included in the IOR
 * and {@code null} is returned. A zero SSL port also yields {@code null} (no transport security).
 * </p>
 *
 * @param metadata the metadata object that contains the SSL configuration info.
 * @param codec    the {@code Codec} used to encode the SSL component.
 * @param sslPort  an {@code int} representing the SSL port.
 * @param orb      a reference to the running {@code ORB}.
 * @return a {@code TaggedComponent} representing the encoded SSL component.
 */
public static TaggedComponent createSSLTaggedComponent(IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
    if (metadata == null) {
        IIOPLogger.ROOT_LOGGER.debug("Method createSSLTaggedComponent() called with null metadata");
        return null;
    }
    if (sslPort == 0) {
        // no support for transport security.
        return null;
    }
    TaggedComponent tc;
    try {
        int supports = createTargetSupports(metadata.getTransportConfig());
        int requires = createTargetRequires(metadata.getTransportConfig());
        SSL ssl = new SSL((short) supports, (short) requires, (short) sslPort);
        Any any = orb.create_any();
        SSLHelper.insert(any, ssl);
        byte[] componentData = codec.encode_value(any);
        tc = new TaggedComponent(TAG_SSL_SEC_TRANS.value, componentData);
    } catch (InvalidTypeForEncoding e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
    return tc;
}
Also used : TaggedComponent(org.omg.IOP.TaggedComponent) SSL(org.omg.SSLIOP.SSL) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding)

Example 2 with InvalidTypeForEncoding

Use of org.omg.IOP.CodecPackage.InvalidTypeForEncoding in project wildfly by wildfly.

The class CSIv2Util, method createSecurityTaggedComponent.

/**
 * <p>
 * Return a top-level {@code IOP::TaggedComponent} to be stuffed into an IOR, containing a
 * {@code org.omg.CSIIOP.CompoundSecMechList}, tagged as {@code TAG_CSI_SEC_MECH_LIST}. Only one such component
 * can exist inside an IOR.
 * </p>
 * <p>
 * Should be called with non-null metadata; when metadata is {@code null} no security info is included in the IOR
 * and {@code null} is returned.
 * </p>
 *
 * @param metadata the metadata object that contains the CSIv2 security configuration info.
 * @param codec    the {@code Codec} used to encode the CSIv2 security component.
 * @param sslPort  an {@code int} representing the SSL port.
 * @param orb      a reference to the running {@code ORB}.
 * @return a {@code TaggedComponent} representing the encoded CSIv2 security component.
 */
public static TaggedComponent createSecurityTaggedComponent(IORSecurityConfigMetaData metadata, Codec codec, int sslPort, ORB orb) {
    if (metadata == null) {
        IIOPLogger.ROOT_LOGGER.debug("Method createSecurityTaggedComponent() called with null metadata");
        return null;
    }
    TaggedComponent tc;
    // get the supported security mechanisms.
    CompoundSecMech[] mechList = createCompoundSecMechanisms(metadata, codec, sslPort, orb);
    // the above is wrapped into a org.omg.CSIIOP.CompoundSecMechList structure, which is NOT a CompoundSecMech[].
    // we don't support stateful/reusable security contexts (false).
    CompoundSecMechList csmList = new CompoundSecMechList(false, mechList);
    // finally, the CompoundSecMechList must be encoded as a TaggedComponent
    try {
        Any any = orb.create_any();
        CompoundSecMechListHelper.insert(any, csmList);
        byte[] b = codec.encode_value(any);
        tc = new TaggedComponent(TAG_CSI_SEC_MECH_LIST.value, b);
    } catch (InvalidTypeForEncoding e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
    return tc;
}
Also used : CompoundSecMechList(org.omg.CSIIOP.CompoundSecMechList) TaggedComponent(org.omg.IOP.TaggedComponent) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding)

Example 3 with InvalidTypeForEncoding

Use of org.omg.IOP.CodecPackage.InvalidTypeForEncoding in project wildfly by wildfly.

The class ElytronSASClientInterceptor, method send_request.

@Override
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
    try {
        CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec,
                EstablishTrustInClient.value, /* client supports */
                (short) 0 /* client requires */);
        if (secMech == null) {
            return;
        }
        // these "null tokens" will be changed if needed.
        IdentityToken identityToken = ABSENT_IDENTITY_TOKEN;
        byte[] encodedAuthenticationToken = NO_AUTHENTICATION_TOKEN;
        final URI uri = this.getURI(ri);
        if (uri == null) {
            return;
        }
        SecurityDomain domain = SecurityDomain.getCurrent();
        SecurityIdentity currentIdentity = null;
        if (domain != null) {
            currentIdentity = domain.getCurrentSecurityIdentity();
        }
        final AuthenticationContext authContext;
        if (this.authContext != null) {
            authContext = this.authContext;
        } else if (currentIdentity == null || currentIdentity.isAnonymous()) {
            authContext = AuthenticationContext.captureCurrent();
        } else {
            authContext = AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.EMPTY.useForwardedIdentity(domain));
        }
        if ((secMech.sas_context_mech.target_supports & IdentityAssertion.value) != 0) {
            final AuthenticationConfiguration configuration = AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, authContext, -1, null, null, "client-auth");
            final Principal principal = AUTH_CONFIG_CLIENT.getPrincipal(configuration);
            if (principal != null && principal != AnonymousPrincipal.getInstance()) {
                // The name scope needs to be externalized.
                String name = principal.getName();
                if (name.indexOf('@') < 0) {
                    // hardcoded (REVISIT!)
                    name += "@default";
                }
                byte[] principalName = name.getBytes(StandardCharsets.UTF_8);
                // encode the principal name as mandated by RFC2743.
                byte[] encodedName = CSIv2Util.encodeGssExportedName(principalName);
                // encapsulate the encoded name.
                Any any = ORB.init().create_any();
                byte[] encapsulatedEncodedName;
                GSS_NT_ExportedNameHelper.insert(any, encodedName);
                try {
                    encapsulatedEncodedName = codec.encode_value(any);
                } catch (InvalidTypeForEncoding e) {
                    throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
                }
                // create identity token.
                identityToken = new IdentityToken();
                identityToken.principal_name(encapsulatedEncodedName);
            } else if ((secMech.sas_context_mech.supported_identity_types & ITTAnonymous.value) != 0) {
                // no run-as or caller identity and the target supports ITTAnonymous: use the anonymous identity.
                identityToken = new IdentityToken();
                identityToken.anonymous(true);
            }
            // target might require an additional initial context token with a username/password pair for authentication.
            if ((secMech.as_context_mech.target_requires & EstablishTrustInClient.value) != 0) {
                encodedAuthenticationToken = this.createInitialContextToken(uri, "server-auth", secMech);
            }
        } else if ((secMech.as_context_mech.target_supports & EstablishTrustInClient.value) != 0) {
            // target doesn't require an identity token but supports username/password authentication - try to build
            // an initial context token using the configuration.
            encodedAuthenticationToken = this.createInitialContextToken(uri, "client-auth", secMech);
        }
        if (identityToken != ABSENT_IDENTITY_TOKEN || encodedAuthenticationToken != NO_AUTHENTICATION_TOKEN) {
            // at least one non-null token was created, create EstablishContext message with it.
            EstablishContext message = new EstablishContext(0, /* stateless ctx id */
                    NO_AUTHORIZATION_TOKEN, identityToken, encodedAuthenticationToken);
            // create SAS context with the EstablishContext message.
            SASContextBody contextBody = new SASContextBody();
            contextBody.establish_msg(message);
            // stuff the SAS context into the outgoing request.
            final Any any = ORB.init().create_any();
            SASContextBodyHelper.insert(any, contextBody);
            ServiceContext sc = new ServiceContext(SAS_CONTEXT_ID, codec.encode_value(any));
            ri.add_request_service_context(sc, true);
        }
    } catch (Exception e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration) AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) ServiceContext(org.omg.IOP.ServiceContext) SASContextBody(org.omg.CSI.SASContextBody) URI(java.net.URI) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding) URISyntaxException(java.net.URISyntaxException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain) SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) IdentityToken(org.omg.CSI.IdentityToken) EstablishContext(org.omg.CSI.EstablishContext) AnonymousPrincipal(org.wildfly.security.auth.principal.AnonymousPrincipal) Principal(java.security.Principal)

Example 4 with InvalidTypeForEncoding

Use of org.omg.IOP.CodecPackage.InvalidTypeForEncoding in project wildfly by wildfly.

The class SASTargetInterceptor, method send_reply.

@Override
public void send_reply(ServerRequestInfo ri) {
    IIOPLogger.ROOT_LOGGER.tracef("send_reply: %s", ri.operation());
    CurrentRequestInfo threadLocal = (CurrentRequestInfo) threadLocalData.get();
    if (threadLocal.sasReply != null) {
        try {
            ServiceContext sc = new ServiceContext(sasContextId, codec.encode_value(threadLocal.sasReply));
            ri.add_reply_service_context(sc, true);
        } catch (InvalidTypeForEncoding e) {
            throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
        }
    }
}
Also used : ServiceContext(org.omg.IOP.ServiceContext) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding)

Example 5 with InvalidTypeForEncoding

Use of org.omg.IOP.CodecPackage.InvalidTypeForEncoding in project wildfly by wildfly.

The class SASTargetInterceptor, method send_exception.

@Override
public void send_exception(ServerRequestInfo ri) {
    IIOPLogger.ROOT_LOGGER.tracef("send_exception: %s", ri.operation());
    CurrentRequestInfo threadLocal = (CurrentRequestInfo) threadLocalData.get();
    // The CSIv2 spec does not explicitly disallow an SAS accept in an IIOP exception reply.
    if (threadLocal.sasReply != null) {
        try {
            ServiceContext sc = new ServiceContext(sasContextId, codec.encode_value(threadLocal.sasReply));
            ri.add_reply_service_context(sc, true);
        } catch (InvalidTypeForEncoding e) {
            throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
        }
    }
}
Also used : ServiceContext(org.omg.IOP.ServiceContext) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding)