Example 6 with AuthenticationConfiguration
use of org.wildfly.security.auth.client.AuthenticationConfiguration in project wildfly by wildfly.
the class ElytronSASClientInterceptor method send_request.
@Override
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
try {
CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec, EstablishTrustInClient.value, /* client supports */
(short) 0);
if (secMech == null) {
return;
}
// these "null tokens" will be changed if needed.
IdentityToken identityToken = ABSENT_IDENTITY_TOKEN;
byte[] encodedAuthenticationToken = NO_AUTHENTICATION_TOKEN;
final URI uri = this.getURI(ri);
if (uri == null) {
return;
}
SecurityDomain domain = SecurityDomain.getCurrent();
SecurityIdentity currentIdentity = null;
if (domain != null) {
currentIdentity = domain.getCurrentSecurityIdentity();
}
final AuthenticationContext authContext;
if (this.authContext != null) {
authContext = this.authContext;
} else if (currentIdentity == null || currentIdentity.isAnonymous()) {
authContext = AuthenticationContext.captureCurrent();
} else {
authContext = AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.EMPTY.useForwardedIdentity(domain));
}
if ((secMech.sas_context_mech.target_supports & IdentityAssertion.value) != 0) {
final AuthenticationConfiguration configuration = AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, authContext, -1, null, null, "client-auth");
final Principal principal = AUTH_CONFIG_CLIENT.getPrincipal(configuration);
if (principal != null && principal != AnonymousPrincipal.getInstance()) {
// The name scope needs to be externalized.
String name = principal.getName();
if (name.indexOf('@') < 0) {
// hardcoded (REVISIT!)
name += "@default";
}
byte[] principalName = name.getBytes(StandardCharsets.UTF_8);
// encode the principal name as mandated by RFC2743.
byte[] encodedName = CSIv2Util.encodeGssExportedName(principalName);
// encapsulate the encoded name.
Any any = ORB.init().create_any();
byte[] encapsulatedEncodedName;
GSS_NT_ExportedNameHelper.insert(any, encodedName);
try {
encapsulatedEncodedName = codec.encode_value(any);
} catch (InvalidTypeForEncoding e) {
throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
}
// create identity token.
identityToken = new IdentityToken();
identityToken.principal_name(encapsulatedEncodedName);
} else if ((secMech.sas_context_mech.supported_identity_types & ITTAnonymous.value) != 0) {
// no run-as or caller identity and the target supports ITTAnonymous: use the anonymous identity.
identityToken = new IdentityToken();
identityToken.anonymous(true);
}
// target might require an additional initial context token with a username/password pair for authentication.
if ((secMech.as_context_mech.target_requires & EstablishTrustInClient.value) != 0) {
encodedAuthenticationToken = this.createInitialContextToken(uri, "server-auth", secMech);
}
} else if ((secMech.as_context_mech.target_supports & EstablishTrustInClient.value) != 0) {
// target doesn't require an identity token but supports username/password authentication - try to build
// an initial context token using the configuration.
encodedAuthenticationToken = this.createInitialContextToken(uri, "client-auth", secMech);
}
if (identityToken != ABSENT_IDENTITY_TOKEN || encodedAuthenticationToken != NO_AUTHENTICATION_TOKEN) {
// at least one non-null token was created, create EstablishContext message with it.
EstablishContext message = new // stateless ctx id
EstablishContext(// stateless ctx id
0, NO_AUTHORIZATION_TOKEN, identityToken, encodedAuthenticationToken);
// create SAS context with the EstablishContext message.
SASContextBody contextBody = new SASContextBody();
contextBody.establish_msg(message);
// stuff the SAS context into the outgoing request.
final Any any = ORB.init().create_any();
SASContextBodyHelper.insert(any, contextBody);
ServiceContext sc = new ServiceContext(SAS_CONTEXT_ID, codec.encode_value(any));
ri.add_request_service_context(sc, true);
}
} catch (Exception e) {
throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
}
}
Also used :
AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration)
AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext)
CompoundSecMech(org.omg.CSIIOP.CompoundSecMech)
ServiceContext(org.omg.IOP.ServiceContext)
SASContextBody(org.omg.CSI.SASContextBody)
URI(java.net.URI)
Any(org.omg.CORBA.Any)
InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding)
URISyntaxException(java.net.URISyntaxException)
UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)
SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)
SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity)
IdentityToken(org.omg.CSI.IdentityToken)
EstablishContext(org.omg.CSI.EstablishContext)
AnonymousPrincipal(org.wildfly.security.auth.principal.AnonymousPrincipal)
Principal(java.security.Principal)
Example 7 with AuthenticationConfiguration
use of org.wildfly.security.auth.client.AuthenticationConfiguration in project wildfly by wildfly.
the class EJBClientDescriptorMetaDataProcessor method deploy.
@Override
public void deploy(DeploymentPhaseContext phaseContext) throws DeploymentUnitProcessingException {
final DeploymentUnit deploymentUnit = phaseContext.getDeploymentUnit();
// we only process top level deployment units
if (deploymentUnit.getParent() != null) {
return;
}
final EJBClientDescriptorMetaData ejbClientDescriptorMetaData = deploymentUnit.getAttachment(Attachments.EJB_CLIENT_METADATA);
// no explicit EJB client configuration in this deployment, so nothing to do
if (ejbClientDescriptorMetaData == null) {
return;
}
// profile and remoting-ejb-receivers cannot be used together
checkDescriptorConfiguration(ejbClientDescriptorMetaData);
final Module module = deploymentUnit.getAttachment(org.jboss.as.server.deployment.Attachments.MODULE);
if (module == null) {
return;
}
// install the descriptor based EJB client context service
final ServiceName ejbClientContextServiceName = EJBClientContextService.DEPLOYMENT_BASE_SERVICE_NAME.append(deploymentUnit.getName());
final ServiceTarget serviceTarget = phaseContext.getServiceTarget();
// create the service
final EJBClientContextService service = new EJBClientContextService();
// add the service
final ServiceBuilder<EJBClientContextService> serviceBuilder = serviceTarget.addService(ejbClientContextServiceName, service);
if (appclient) {
serviceBuilder.addDependency(EJBClientContextService.APP_CLIENT_URI_SERVICE_NAME, URI.class, service.getAppClientUri());
}
serviceBuilder.addDependency(EJBClientConfiguratorService.SERVICE_NAME, EJBClientConfiguratorService.class, service.getConfiguratorServiceInjector());
final Injector<RemotingProfileService> profileServiceInjector = new Injector<RemotingProfileService>() {
final Injector<EJBTransportProvider> injector = service.getLocalProviderInjector();
boolean injected = false;
public void inject(final RemotingProfileService value) throws InjectionException {
final EJBTransportProvider provider = value.getLocalTransportProviderInjector().getOptionalValue();
if (provider != null) {
injected = true;
injector.inject(provider);
}
}
public void uninject() {
if (injected) {
injected = false;
injector.uninject();
}
}
};
final String profile = ejbClientDescriptorMetaData.getProfile();
final ServiceName profileServiceName;
if (profile != null) {
profileServiceName = RemotingProfileService.BASE_SERVICE_NAME.append(profile);
serviceBuilder.addDependency(profileServiceName, RemotingProfileService.class, profileServiceInjector);
serviceBuilder.addDependency(profileServiceName, RemotingProfileService.class, service.getProfileServiceInjector());
} else {
// if descriptor defines list of ejb-receivers instead of profile then we create internal ProfileService for this
// application which contains defined receivers
profileServiceName = ejbClientContextServiceName.append(INTERNAL_REMOTING_PROFILE);
final Map<String, RemotingProfileService.ConnectionSpec> map = new HashMap<>();
final RemotingProfileService profileService = new RemotingProfileService(Collections.emptyList(), map);
final ServiceBuilder<RemotingProfileService> profileServiceBuilder = serviceTarget.addService(profileServiceName, profileService);
if (ejbClientDescriptorMetaData.isLocalReceiverExcluded() != Boolean.TRUE) {
final Boolean passByValue = ejbClientDescriptorMetaData.isLocalReceiverPassByValue();
profileServiceBuilder.addDependency(passByValue == Boolean.TRUE ? LocalTransportProvider.BY_VALUE_SERVICE_NAME : LocalTransportProvider.BY_REFERENCE_SERVICE_NAME, EJBTransportProvider.class, profileService.getLocalTransportProviderInjector());
}
final Collection<EJBClientDescriptorMetaData.RemotingReceiverConfiguration> receiverConfigurations = ejbClientDescriptorMetaData.getRemotingReceiverConfigurations();
for (EJBClientDescriptorMetaData.RemotingReceiverConfiguration receiverConfiguration : receiverConfigurations) {
final String connectionRef = receiverConfiguration.getOutboundConnectionRef();
final long connectTimeout = receiverConfiguration.getConnectionTimeout();
final Properties channelCreationOptions = receiverConfiguration.getChannelCreationOptions();
final OptionMap optionMap = getOptionMapFromProperties(channelCreationOptions, EJBClientDescriptorMetaDataProcessor.class.getClassLoader());
final InjectedValue<AbstractOutboundConnectionService> injector = new InjectedValue<>();
profileServiceBuilder.addDependency(AbstractOutboundConnectionService.OUTBOUND_CONNECTION_BASE_SERVICE_NAME.append(connectionRef), AbstractOutboundConnectionService.class, injector);
final RemotingProfileService.ConnectionSpec connectionSpec = new RemotingProfileService.ConnectionSpec(connectionRef, injector, optionMap, connectTimeout);
map.put(connectionRef, connectionSpec);
}
profileServiceBuilder.install();
serviceBuilder.addDependency(profileServiceName, RemotingProfileService.class, profileServiceInjector);
serviceBuilder.addDependency(profileServiceName, RemotingProfileService.class, service.getProfileServiceInjector());
}
// these items are the same no matter how we were configured
final String deploymentNodeSelectorClassName = ejbClientDescriptorMetaData.getDeploymentNodeSelector();
if (deploymentNodeSelectorClassName != null) {
final DeploymentNodeSelector deploymentNodeSelector;
try {
deploymentNodeSelector = module.getClassLoader().loadClass(deploymentNodeSelectorClassName).asSubclass(DeploymentNodeSelector.class).getConstructor().newInstance();
} catch (Exception e) {
throw EjbLogger.ROOT_LOGGER.failedToCreateDeploymentNodeSelector(e, deploymentNodeSelectorClassName);
}
service.setDeploymentNodeSelector(deploymentNodeSelector);
}
final long invocationTimeout = ejbClientDescriptorMetaData.getInvocationTimeout();
service.setInvocationTimeout(invocationTimeout);
// clusters
final Collection<EJBClientDescriptorMetaData.ClusterConfig> clusterConfigs = ejbClientDescriptorMetaData.getClusterConfigs();
if (!clusterConfigs.isEmpty()) {
final List<EJBClientCluster> clientClusters = new ArrayList<>(clusterConfigs.size());
AuthenticationContext clustersAuthenticationContext = AuthenticationContext.empty();
for (EJBClientDescriptorMetaData.ClusterConfig clusterConfig : clusterConfigs) {
MatchRule defaultRule = MatchRule.ALL.matchAbstractType("ejb", "jboss");
AuthenticationConfiguration defaultAuthenticationConfiguration = AuthenticationConfiguration.EMPTY;
final EJBClientCluster.Builder clientClusterBuilder = new EJBClientCluster.Builder();
final String clusterName = clusterConfig.getClusterName();
clientClusterBuilder.setName(clusterName);
defaultRule = defaultRule.matchProtocol("cluster");
defaultRule = defaultRule.matchUrnName(clusterName);
final long maxAllowedConnectedNodes = clusterConfig.getMaxAllowedConnectedNodes();
clientClusterBuilder.setMaximumConnectedNodes(maxAllowedConnectedNodes);
final String clusterNodeSelectorClassName = clusterConfig.getNodeSelector();
if (clusterNodeSelectorClassName != null) {
final ClusterNodeSelector clusterNodeSelector;
try {
clusterNodeSelector = module.getClassLoader().loadClass(clusterNodeSelectorClassName).asSubclass(ClusterNodeSelector.class).getConstructor().newInstance();
} catch (Exception e) {
throw EjbLogger.ROOT_LOGGER.failureDuringLoadOfClusterNodeSelector(clusterNodeSelectorClassName, clusterName, e);
}
clientClusterBuilder.setClusterNodeSelector(clusterNodeSelector);
}
final Properties clusterChannelCreationOptions = clusterConfig.getChannelCreationOptions();
final OptionMap clusterChannelCreationOptionMap = getOptionMapFromProperties(clusterChannelCreationOptions, EJBClientDescriptorMetaDataProcessor.class.getClassLoader());
final Properties clusterConnectionOptions = clusterConfig.getConnectionOptions();
final OptionMap clusterConnectionOptionMap = getOptionMapFromProperties(clusterConnectionOptions, EJBClientDescriptorMetaDataProcessor.class.getClassLoader());
final long clusterConnectTimeout = clusterConfig.getConnectTimeout();
clientClusterBuilder.setConnectTimeoutMilliseconds(clusterConnectTimeout);
final String clusterSecurityRealm = clusterConfig.getSecurityRealm();
final String clusterUserName = clusterConfig.getUserName();
CallbackHandler callbackHandler = getCallbackHandler(phaseContext.getServiceRegistry(), clusterUserName, clusterSecurityRealm);
if (callbackHandler != null) {
defaultAuthenticationConfiguration = defaultAuthenticationConfiguration.useCallbackHandler(callbackHandler);
}
if (clusterConnectionOptionMap != null) {
RemotingOptions.mergeOptionsIntoAuthenticationConfiguration(clusterConnectionOptionMap, defaultAuthenticationConfiguration);
}
clustersAuthenticationContext = clustersAuthenticationContext.with(defaultRule, defaultAuthenticationConfiguration);
final Collection<EJBClientDescriptorMetaData.ClusterNodeConfig> clusterNodeConfigs = clusterConfig.getClusterNodeConfigs();
for (EJBClientDescriptorMetaData.ClusterNodeConfig clusterNodeConfig : clusterNodeConfigs) {
MatchRule nodeRule = MatchRule.ALL.matchAbstractType("ejb", "jboss");
AuthenticationConfiguration nodeAuthenticationConfiguration = AuthenticationConfiguration.EMPTY;
final String nodeName = clusterNodeConfig.getNodeName();
nodeRule = nodeRule.matchProtocol("node");
nodeRule = nodeRule.matchUrnName(nodeName);
final Properties channelCreationOptions = clusterNodeConfig.getChannelCreationOptions();
final Properties connectionOptions = clusterNodeConfig.getConnectionOptions();
final OptionMap connectionOptionMap = getOptionMapFromProperties(connectionOptions, EJBClientDescriptorMetaDataProcessor.class.getClassLoader());
final long connectTimeout = clusterNodeConfig.getConnectTimeout();
final String securityRealm = clusterNodeConfig.getSecurityRealm();
final String userName = clusterNodeConfig.getUserName();
CallbackHandler nodeCallbackHandler = getCallbackHandler(phaseContext.getServiceRegistry(), userName, securityRealm);
if (nodeCallbackHandler != null) {
nodeAuthenticationConfiguration = nodeAuthenticationConfiguration.useCallbackHandler(nodeCallbackHandler);
}
if (connectionOptionMap != null) {
RemotingOptions.mergeOptionsIntoAuthenticationConfiguration(connectionOptionMap, nodeAuthenticationConfiguration);
}
clustersAuthenticationContext = clustersAuthenticationContext.with(0, nodeRule, nodeAuthenticationConfiguration);
}
final EJBClientCluster clientCluster = clientClusterBuilder.build();
clientClusters.add(clientCluster);
}
service.setClientClusters(clientClusters);
service.setClustersAuthenticationContext(clustersAuthenticationContext);
}
// install the service
serviceBuilder.install();
EjbLogger.DEPLOYMENT_LOGGER.debugf("Deployment unit %s will use %s as the EJB client context service", deploymentUnit, ejbClientContextServiceName);
// attach the service name of this EJB client context to the deployment unit
phaseContext.addDeploymentDependency(ejbClientContextServiceName, EjbDeploymentAttachmentKeys.EJB_CLIENT_CONTEXT_SERVICE);
deploymentUnit.putAttachment(EjbDeploymentAttachmentKeys.EJB_CLIENT_CONTEXT_SERVICE_NAME, ejbClientContextServiceName);
deploymentUnit.putAttachment(EjbDeploymentAttachmentKeys.EJB_REMOTING_PROFILE_SERVICE_NAME, profileServiceName);
}
Also used :
AbstractOutboundConnectionService(org.jboss.as.remoting.AbstractOutboundConnectionService)
InjectedValue(org.jboss.msc.value.InjectedValue)
CallbackHandler(javax.security.auth.callback.CallbackHandler)
AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext)
HashMap(java.util.HashMap)
EJBClientContextService(org.jboss.as.ejb3.remote.EJBClientContextService)
ServiceBuilder(org.jboss.msc.service.ServiceBuilder)
ArrayList(java.util.ArrayList)
MatchRule(org.wildfly.security.auth.client.MatchRule)
Properties(java.util.Properties)
DeploymentNodeSelector(org.jboss.ejb.client.DeploymentNodeSelector)
ClusterNodeSelector(org.jboss.ejb.client.ClusterNodeSelector)
EJBClientDescriptorMetaData(org.jboss.as.ee.metadata.EJBClientDescriptorMetaData)
Injector(org.jboss.msc.inject.Injector)
RemotingProfileService(org.jboss.as.ejb3.remote.RemotingProfileService)
EJBClientCluster(org.jboss.ejb.client.EJBClientCluster)
AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration)
ServiceTarget(org.jboss.msc.service.ServiceTarget)
InjectionException(org.jboss.msc.inject.InjectionException)
DeploymentUnitProcessingException(org.jboss.as.server.deployment.DeploymentUnitProcessingException)
EJBTransportProvider(org.jboss.ejb.client.EJBTransportProvider)
ServiceName(org.jboss.msc.service.ServiceName)
OptionMap(org.xnio.OptionMap)
Module(org.jboss.modules.Module)
DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit)
Example 8 with AuthenticationConfiguration
use of org.wildfly.security.auth.client.AuthenticationConfiguration in project wildfly by wildfly.
the class RemoteNamingHTTPTestCase method setup.
@BeforeClass
public static void setup() {
AuthenticationConfiguration config = AuthenticationConfiguration.EMPTY.useName("user1").usePassword("password1");
AuthenticationContext context = AuthenticationContext.empty().with(MatchRule.ALL, config);
old = AuthenticationContext.captureCurrent();
AuthenticationContext.getContextManager().setGlobalDefault(context);
}
Also used :
AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration)
AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext)
BeforeClass(org.junit.BeforeClass)
Aggregations
AuthenticationConfiguration (org.wildfly.security.auth.client.AuthenticationConfiguration)8
AuthenticationContext (org.wildfly.security.auth.client.AuthenticationContext)7
CallbackHandler (javax.security.auth.callback.CallbackHandler)3
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)3
BeforeClass (org.junit.BeforeClass)3
Principal (java.security.Principal)2
NameCallback (javax.security.auth.callback.NameCallback)2
PasswordCallback (javax.security.auth.callback.PasswordCallback)2
NamePrincipal (org.wildfly.security.auth.principal.NamePrincipal)2
SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)2
XATerminator (com.arjuna.ats.internal.jbossatx.jta.jca.XATerminator)1
TransactionManagerImple (com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionManagerImple)1
TransactionSynchronizationRegistryImple (com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionSynchronizationRegistryImple)1
JTAEnvironmentBean (com.arjuna.ats.jta.common.JTAEnvironmentBean)1
IOException (java.io.IOException)1
URI (java.net.URI)1
URISyntaxException (java.net.URISyntaxException)1
PrivilegedActionException (java.security.PrivilegedActionException)1
PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)1
ArrayList (java.util.ArrayList)1
