Examples with AuthenticationConfiguration org.wildfly.security.auth.client.AuthenticationConfiguration used on opensource projects

Example 1 with AuthenticationConfiguration

use of org.wildfly.security.auth.client.AuthenticationConfiguration in project wildfly by wildfly.

the class HTTPEJBClientUserTransactionTestCase method setup.

@BeforeClass
public static void setup() {
    AuthenticationConfiguration config = AuthenticationConfiguration.EMPTY.useName("user1").usePassword("password1");
    AuthenticationContext context = AuthenticationContext.empty().with(MatchRule.ALL, config);
    old = AuthenticationContext.captureCurrent();
    AuthenticationContext.getContextManager().setGlobalDefault(context);
}

Example 2 with AuthenticationConfiguration

use of org.wildfly.security.auth.client.AuthenticationConfiguration in project wildfly by wildfly.

the class HTTPEJBClientXidTransactionTestCase method beforeTestClass.

/**
     * Create and setup the remoting connection
     *
     * @throws Exception
     */
@BeforeClass
public static void beforeTestClass() throws Exception {
    // These system properties are required or else we end up picking up JTS transaction manager,
    // which is not what we want
    final JTAEnvironmentBean jtaEnvironmentBean = jtaPropertyManager.getJTAEnvironmentBean();
    jtaEnvironmentBean.setTransactionManagerClassName(TransactionManagerImple.class.getName());
    jtaEnvironmentBean.setTransactionSynchronizationRegistryClassName(TransactionSynchronizationRegistryImple.class.getName());
    final TransactionManager narayanaTm = jtaEnvironmentBean.getTransactionManager();
    final TransactionSynchronizationRegistry narayanaTsr = jtaEnvironmentBean.getTransactionSynchronizationRegistry();
    final XATerminator xat = new XATerminator();
    final JBossLocalTransactionProvider.Builder builder = JBossLocalTransactionProvider.builder();
    builder.setXATerminator(xat).setExtendedJBossXATerminator(xat);
    builder.setTransactionManager(narayanaTm);
    builder.setTransactionSynchronizationRegistry(narayanaTsr);
    LocalTransactionContext.getContextManager().setGlobalDefault(new LocalTransactionContext(builder.build()));
    txManager = ContextTransactionManager.getInstance();
    txSyncRegistry = ContextTransactionSynchronizationRegistry.getInstance();
    // setup the tx manager and tx sync registry
    AuthenticationConfiguration config = AuthenticationConfiguration.EMPTY.useName("user1").usePassword("password1");
    AuthenticationContext context = AuthenticationContext.empty().with(MatchRule.ALL, config);
    old = AuthenticationContext.captureCurrent();
    AuthenticationContext.getContextManager().setGlobalDefault(context);
}

Example 3 with AuthenticationConfiguration

use of org.wildfly.security.auth.client.AuthenticationConfiguration in project wildfly by wildfly.

the class ElytronSubjectFactory method createSubject.

/**
     * Create a {@link Subject} with the principal and password credential obtained from the authentication configuration
     * that matches the target {@link URI}.
     *
     * @param authenticationContext the {@link AuthenticationContext} used to select a configuration that matches the
     *                              target {@link URI}.
     * @return the constructed {@link Subject}. It contains a single principal and a {@link PasswordCredential}.
     */
private Subject createSubject(final AuthenticationContext authenticationContext) {
    final AuthenticationConfiguration configuration = AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(this.targetURI, authenticationContext);
    final CallbackHandler handler = AUTH_CONFIG_CLIENT.getCallbackHandler(configuration);
    final NameCallback nameCallback = new NameCallback("Username: ");
    final PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
    try {
        handler.handle(new Callback[] { nameCallback, passwordCallback });
        Subject subject = new Subject();
        if (nameCallback.getName() != null) {
            subject.getPrincipals().add(new NamePrincipal(nameCallback.getName()));
        }
        // add the password as a private credential in the Subject.
        if (passwordCallback.getPassword() != null) {
            this.addPrivateCredential(subject, new PasswordCredential(nameCallback.getName(), passwordCallback.getPassword()));
        }
        return subject;
    } catch (IOException | UnsupportedCallbackException e) {
        throw new SecurityException(e);
    }
}

Example 4 with AuthenticationConfiguration

use of org.wildfly.security.auth.client.AuthenticationConfiguration in project wildfly by wildfly.

the class EjbCorbaServant method _invoke.

/**
     * Receives IIOP requests to this servant's <code>EJBObject</code>s
     * and forwards them to the bean container, through the JBoss
     * <code>MBean</code> server.
     */
public OutputStream _invoke(final String opName, final InputStream in, final ResponseHandler handler) {
    EjbLogger.ROOT_LOGGER.tracef("EJBObject invocation: %s", opName);
    SkeletonStrategy op = methodInvokerMap.get(opName);
    if (op == null) {
        EjbLogger.ROOT_LOGGER.debugf("Unable to find opname '%s' valid operations:%s", opName, methodInvokerMap.keySet());
        throw new BAD_OPERATION(opName);
    }
    final NamespaceContextSelector selector = componentView.getComponent().getNamespaceContextSelector();
    final ClassLoader oldCl = WildFlySecurityManager.getCurrentContextClassLoaderPrivileged();
    NamespaceContextSelector.pushCurrentSelector(selector);
    try {
        WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(classLoader);
        org.omg.CORBA_2_3.portable.OutputStream out;
        try {
            Object retVal;
            if (!home && opName.equals("_get_handle")) {
                retVal = new HandleImplIIOP(orb.object_to_string(_this_object()));
            } else if (home && opName.equals("_get_homeHandle")) {
                retVal = homeHandle;
            } else if (home && opName.equals("_get_EJBMetaData")) {
                retVal = ejbMetaData;
            } else {
                Principal identityPrincipal = null;
                Principal principal = null;
                Object credential = null;
                if (this.sasCurrent != null) {
                    final byte[] incomingIdentity = this.sasCurrent.get_incoming_principal_name();
                    //we have an identity token, which is a trust based mechanism
                    if (incomingIdentity != null && incomingIdentity.length > 0) {
                        String name = new String(incomingIdentity, StandardCharsets.UTF_8);
                        int domainIndex = name.indexOf('@');
                        if (domainIndex > 0)
                            name = name.substring(0, domainIndex);
                        identityPrincipal = new NamePrincipal(name);
                    }
                    final byte[] incomingUsername = this.sasCurrent.get_incoming_username();
                    if (incomingUsername != null && incomingUsername.length > 0) {
                        final byte[] incomingPassword = this.sasCurrent.get_incoming_password();
                        String name = new String(incomingUsername, StandardCharsets.UTF_8);
                        int domainIndex = name.indexOf('@');
                        if (domainIndex > 0) {
                            name = name.substring(0, domainIndex);
                        }
                        principal = new NamePrincipal(name);
                        credential = new String(incomingPassword, StandardCharsets.UTF_8).toCharArray();
                    }
                }
                final Object[] params = op.readParams((org.omg.CORBA_2_3.portable.InputStream) in);
                if (!this.home && opName.equals("isIdentical") && params.length == 1) {
                    //handle isIdentical specially
                    Object val = params[0];
                    retVal = val instanceof org.omg.CORBA.Object && handleIsIdentical((org.omg.CORBA.Object) val);
                } else {
                    if (this.securityDomain != null) {
                        // an elytron security domain is available: authenticate and authorize the client before invoking the component.
                        SecurityIdentity identity = this.securityDomain.getAnonymousSecurityIdentity();
                        AuthenticationConfiguration authenticationConfiguration = AuthenticationConfiguration.EMPTY;
                        if (identityPrincipal != null) {
                            // permission to run as the identity token principal.
                            if (principal != null) {
                                char[] password = (char[]) credential;
                                authenticationConfiguration = authenticationConfiguration.useName(principal.getName()).usePassword(password);
                                SecurityIdentity authenticatedIdentity = this.authenticate(principal, password);
                                identity = authenticatedIdentity.createRunAsIdentity(identityPrincipal.getName(), true);
                            } else {
                                // no TLS nor initial context token found - check if the anonymous identity has
                                // permission to run as the identity principal.
                                identity = this.securityDomain.getAnonymousSecurityIdentity().createRunAsIdentity(identityPrincipal.getName(), true);
                            }
                        } else if (principal != null) {
                            char[] password = (char[]) credential;
                            // we have an initial context token containing a username/password pair.
                            authenticationConfiguration = authenticationConfiguration.useName(principal.getName()).usePassword(password);
                            identity = this.authenticate(principal, password);
                        }
                        final InterceptorContext interceptorContext = new InterceptorContext();
                        this.prepareInterceptorContext(op, params, interceptorContext);
                        try {
                            final AuthenticationContext context = AuthenticationContext.captureCurrent().with(MatchRule.ALL.matchProtocol("iiop"), authenticationConfiguration);
                            retVal = identity.runAs((PrivilegedExceptionAction<Object>) () -> context.run((PrivilegedExceptionAction<Object>) () -> this.componentView.invoke(interceptorContext)));
                        } catch (PrivilegedActionException e) {
                            throw e.getCause();
                        }
                    } else {
                        // legacy security behavior: setup the security context if a SASCurrent is available and invoke the component.
                        // One of the EJB security interceptors will authenticate and authorize the client.
                        SecurityContext legacyContext = null;
                        if (this.legacySecurityDomain != null && (identityPrincipal != null || principal != null)) {
                            // we don't have any real way to establish trust in identity based auth so we just use
                            // the SASCurrent as a credential, and a custom legacy login module can make a decision for us.
                            final Object finalCredential = identityPrincipal != null ? this.sasCurrent : credential;
                            final Principal finalPrincipal = identityPrincipal != null ? identityPrincipal : principal;
                            if (WildFlySecurityManager.isChecking()) {
                                legacyContext = AccessController.doPrivileged((PrivilegedExceptionAction<SecurityContext>) () -> {
                                    SecurityContext sc = SecurityContextFactory.createSecurityContext(this.legacySecurityDomain);
                                    sc.getUtil().createSubjectInfo(finalPrincipal, finalCredential, null);
                                    return sc;
                                });
                            } else {
                                legacyContext = SecurityContextFactory.createSecurityContext(this.legacySecurityDomain);
                                legacyContext.getUtil().createSubjectInfo(finalPrincipal, finalCredential, null);
                            }
                        }
                        if (legacyContext != null) {
                            setSecurityContextOnAssociation(legacyContext);
                        }
                        try {
                            final InterceptorContext interceptorContext = new InterceptorContext();
                            if (legacyContext != null) {
                                interceptorContext.putPrivateData(SecurityContext.class, legacyContext);
                            }
                            prepareInterceptorContext(op, params, interceptorContext);
                            retVal = this.componentView.invoke(interceptorContext);
                        } finally {
                            if (legacyContext != null) {
                                clearSecurityContextOnAssociation();
                            }
                        }
                    }
                }
            }
            out = (org.omg.CORBA_2_3.portable.OutputStream) handler.createReply();
            if (op.isNonVoid()) {
                op.writeRetval(out, retVal);
            }
        } catch (Throwable e) {
            EjbLogger.ROOT_LOGGER.trace("Exception in EJBObject invocation", e);
            if (e instanceof MBeanException) {
                e = ((MBeanException) e).getTargetException();
            }
            RmiIdlUtil.rethrowIfCorbaSystemException(e);
            out = (org.omg.CORBA_2_3.portable.OutputStream) handler.createExceptionReply();
            op.writeException(out, e);
        }
        return out;
    } finally {
        NamespaceContextSelector.popCurrentSelector();
        WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(oldCl);
    }
}

Example 5 with AuthenticationConfiguration

use of org.wildfly.security.auth.client.AuthenticationConfiguration in project wildfly by wildfly.

the class ElytronSASClientInterceptor method createInitialContextToken.

/**
     * Create an encoded {@link InitialContextToken} with an username/password pair obtained from an Elytron client configuration
     * matched by the specified {@link URI} and purpose.
     *
     * @param uri the target {@link URI}.
     * @param purpose a {@link String} representing the purpose of the configuration that will be used.
     * @param secMech a reference to the {@link CompoundSecMech} that was found in the {@link ClientRequestInfo}.
     * @return the encoded {@link InitialContextToken}, if a valid username is obtained from the matched configuration;
     *         an empty {@code byte[]} otherwise;
     * @throws Exception if an error occurs while building the encoded {@link InitialContextToken}.
     */
private byte[] createInitialContextToken(final URI uri, final String purpose, final CompoundSecMech secMech) throws Exception {
    AuthenticationContext authContext = this.authContext == null ? AuthenticationContext.captureCurrent() : this.authContext;
    // obtain the configuration that matches the URI and purpose.
    final AuthenticationConfiguration configuration = AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, authContext, -1, null, null, purpose);
    // get the callback handler from the configuration and use it to obtain a username/password pair.
    final CallbackHandler handler = AUTH_CONFIG_CLIENT.getCallbackHandler(configuration);
    final NameCallback nameCallback = new NameCallback("Username: ");
    final PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
    try {
        handler.handle(new Callback[] { nameCallback, passwordCallback });
    } catch (UnsupportedCallbackException e) {
        return NO_AUTHENTICATION_TOKEN;
    }
    // if the name callback contains a valid username we create the initial context token.
    if (nameCallback.getName() != null && !nameCallback.getName().equals(AnonymousPrincipal.getInstance().getName())) {
        byte[] encodedTargetName = secMech.as_context_mech.target_name;
        String name = nameCallback.getName();
        if (name.indexOf('@') < 0) {
            byte[] decodedTargetName = CSIv2Util.decodeGssExportedName(encodedTargetName);
            String targetName = new String(decodedTargetName, StandardCharsets.UTF_8);
            // "@default"
            name += "@" + targetName;
        }
        byte[] username = name.getBytes(StandardCharsets.UTF_8);
        byte[] password = {};
        if (passwordCallback.getPassword() != null)
            password = new String(passwordCallback.getPassword()).getBytes(StandardCharsets.UTF_8);
        // create the initial context token and ASN.1-encode it, as defined in RFC 2743.
        InitialContextToken authenticationToken = new InitialContextToken(username, password, encodedTargetName);
        return CSIv2Util.encodeInitialContextToken(authenticationToken, codec);
    }
    return NO_AUTHENTICATION_TOKEN;
}