Search in sources :

Example 6 with AuthenticationContext

use of org.wildfly.security.auth.client.AuthenticationContext in project wildfly by wildfly.

the class HTTPEJBClientUserTransactionTestCase method setup.

@BeforeClass
public static void setup() {
    AuthenticationConfiguration config = AuthenticationConfiguration.EMPTY.useName("user1").usePassword("password1");
    AuthenticationContext context = AuthenticationContext.empty().with(MatchRule.ALL, config);
    old = AuthenticationContext.captureCurrent();
    AuthenticationContext.getContextManager().setGlobalDefault(context);
}
Also used : AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration) AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext) BeforeClass(org.junit.BeforeClass)

Example 7 with AuthenticationContext

use of org.wildfly.security.auth.client.AuthenticationContext in project wildfly by wildfly.

the class HTTPEJBClientXidTransactionTestCase method beforeTestClass.

/**
     * Create and setup the remoting connection
     *
     * @throws Exception
     */
@BeforeClass
public static void beforeTestClass() throws Exception {
    // These system properties are required or else we end up picking up JTS transaction manager,
    // which is not what we want
    final JTAEnvironmentBean jtaEnvironmentBean = jtaPropertyManager.getJTAEnvironmentBean();
    jtaEnvironmentBean.setTransactionManagerClassName(TransactionManagerImple.class.getName());
    jtaEnvironmentBean.setTransactionSynchronizationRegistryClassName(TransactionSynchronizationRegistryImple.class.getName());
    final TransactionManager narayanaTm = jtaEnvironmentBean.getTransactionManager();
    final TransactionSynchronizationRegistry narayanaTsr = jtaEnvironmentBean.getTransactionSynchronizationRegistry();
    final XATerminator xat = new XATerminator();
    final JBossLocalTransactionProvider.Builder builder = JBossLocalTransactionProvider.builder();
    builder.setXATerminator(xat).setExtendedJBossXATerminator(xat);
    builder.setTransactionManager(narayanaTm);
    builder.setTransactionSynchronizationRegistry(narayanaTsr);
    LocalTransactionContext.getContextManager().setGlobalDefault(new LocalTransactionContext(builder.build()));
    txManager = ContextTransactionManager.getInstance();
    txSyncRegistry = ContextTransactionSynchronizationRegistry.getInstance();
    // setup the tx manager and tx sync registry
    AuthenticationConfiguration config = AuthenticationConfiguration.EMPTY.useName("user1").usePassword("password1");
    AuthenticationContext context = AuthenticationContext.empty().with(MatchRule.ALL, config);
    old = AuthenticationContext.captureCurrent();
    AuthenticationContext.getContextManager().setGlobalDefault(context);
}
Also used : AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration) XATerminator(com.arjuna.ats.internal.jbossatx.jta.jca.XATerminator) TransactionManagerImple(com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionManagerImple) TransactionSynchronizationRegistryImple(com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionSynchronizationRegistryImple) JBossLocalTransactionProvider(org.wildfly.transaction.client.provider.jboss.JBossLocalTransactionProvider) AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext) ContextTransactionManager(org.wildfly.transaction.client.ContextTransactionManager) TransactionManager(javax.transaction.TransactionManager) TransactionSynchronizationRegistry(javax.transaction.TransactionSynchronizationRegistry) ContextTransactionSynchronizationRegistry(org.wildfly.transaction.client.ContextTransactionSynchronizationRegistry) JTAEnvironmentBean(com.arjuna.ats.jta.common.JTAEnvironmentBean) LocalTransactionContext(org.wildfly.transaction.client.LocalTransactionContext) BeforeClass(org.junit.BeforeClass)

Example 8 with AuthenticationContext

use of org.wildfly.security.auth.client.AuthenticationContext in project wildfly by wildfly.

the class EjbCorbaServant method _invoke.

/**
     * Receives IIOP requests to this servant's <code>EJBObject</code>s
     * and forwards them to the bean container, through the JBoss
     * <code>MBean</code> server.
     */
public OutputStream _invoke(final String opName, final InputStream in, final ResponseHandler handler) {
    EjbLogger.ROOT_LOGGER.tracef("EJBObject invocation: %s", opName);
    SkeletonStrategy op = methodInvokerMap.get(opName);
    if (op == null) {
        EjbLogger.ROOT_LOGGER.debugf("Unable to find opname '%s' valid operations:%s", opName, methodInvokerMap.keySet());
        throw new BAD_OPERATION(opName);
    }
    final NamespaceContextSelector selector = componentView.getComponent().getNamespaceContextSelector();
    final ClassLoader oldCl = WildFlySecurityManager.getCurrentContextClassLoaderPrivileged();
    NamespaceContextSelector.pushCurrentSelector(selector);
    try {
        WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(classLoader);
        org.omg.CORBA_2_3.portable.OutputStream out;
        try {
            Object retVal;
            if (!home && opName.equals("_get_handle")) {
                retVal = new HandleImplIIOP(orb.object_to_string(_this_object()));
            } else if (home && opName.equals("_get_homeHandle")) {
                retVal = homeHandle;
            } else if (home && opName.equals("_get_EJBMetaData")) {
                retVal = ejbMetaData;
            } else {
                Principal identityPrincipal = null;
                Principal principal = null;
                Object credential = null;
                if (this.sasCurrent != null) {
                    final byte[] incomingIdentity = this.sasCurrent.get_incoming_principal_name();
                    //we have an identity token, which is a trust based mechanism
                    if (incomingIdentity != null && incomingIdentity.length > 0) {
                        String name = new String(incomingIdentity, StandardCharsets.UTF_8);
                        int domainIndex = name.indexOf('@');
                        if (domainIndex > 0)
                            name = name.substring(0, domainIndex);
                        identityPrincipal = new NamePrincipal(name);
                    }
                    final byte[] incomingUsername = this.sasCurrent.get_incoming_username();
                    if (incomingUsername != null && incomingUsername.length > 0) {
                        final byte[] incomingPassword = this.sasCurrent.get_incoming_password();
                        String name = new String(incomingUsername, StandardCharsets.UTF_8);
                        int domainIndex = name.indexOf('@');
                        if (domainIndex > 0) {
                            name = name.substring(0, domainIndex);
                        }
                        principal = new NamePrincipal(name);
                        credential = new String(incomingPassword, StandardCharsets.UTF_8).toCharArray();
                    }
                }
                final Object[] params = op.readParams((org.omg.CORBA_2_3.portable.InputStream) in);
                if (!this.home && opName.equals("isIdentical") && params.length == 1) {
                    //handle isIdentical specially
                    Object val = params[0];
                    retVal = val instanceof org.omg.CORBA.Object && handleIsIdentical((org.omg.CORBA.Object) val);
                } else {
                    if (this.securityDomain != null) {
                        // an elytron security domain is available: authenticate and authorize the client before invoking the component.
                        SecurityIdentity identity = this.securityDomain.getAnonymousSecurityIdentity();
                        AuthenticationConfiguration authenticationConfiguration = AuthenticationConfiguration.EMPTY;
                        if (identityPrincipal != null) {
                            // permission to run as the identity token principal.
                            if (principal != null) {
                                char[] password = (char[]) credential;
                                authenticationConfiguration = authenticationConfiguration.useName(principal.getName()).usePassword(password);
                                SecurityIdentity authenticatedIdentity = this.authenticate(principal, password);
                                identity = authenticatedIdentity.createRunAsIdentity(identityPrincipal.getName(), true);
                            } else {
                                // no TLS nor initial context token found - check if the anonymous identity has
                                // permission to run as the identity principal.
                                identity = this.securityDomain.getAnonymousSecurityIdentity().createRunAsIdentity(identityPrincipal.getName(), true);
                            }
                        } else if (principal != null) {
                            char[] password = (char[]) credential;
                            // we have an initial context token containing a username/password pair.
                            authenticationConfiguration = authenticationConfiguration.useName(principal.getName()).usePassword(password);
                            identity = this.authenticate(principal, password);
                        }
                        final InterceptorContext interceptorContext = new InterceptorContext();
                        this.prepareInterceptorContext(op, params, interceptorContext);
                        try {
                            final AuthenticationContext context = AuthenticationContext.captureCurrent().with(MatchRule.ALL.matchProtocol("iiop"), authenticationConfiguration);
                            retVal = identity.runAs((PrivilegedExceptionAction<Object>) () -> context.run((PrivilegedExceptionAction<Object>) () -> this.componentView.invoke(interceptorContext)));
                        } catch (PrivilegedActionException e) {
                            throw e.getCause();
                        }
                    } else {
                        // legacy security behavior: setup the security context if a SASCurrent is available and invoke the component.
                        // One of the EJB security interceptors will authenticate and authorize the client.
                        SecurityContext legacyContext = null;
                        if (this.legacySecurityDomain != null && (identityPrincipal != null || principal != null)) {
                            // we don't have any real way to establish trust in identity based auth so we just use
                            // the SASCurrent as a credential, and a custom legacy login module can make a decision for us.
                            final Object finalCredential = identityPrincipal != null ? this.sasCurrent : credential;
                            final Principal finalPrincipal = identityPrincipal != null ? identityPrincipal : principal;
                            if (WildFlySecurityManager.isChecking()) {
                                legacyContext = AccessController.doPrivileged((PrivilegedExceptionAction<SecurityContext>) () -> {
                                    SecurityContext sc = SecurityContextFactory.createSecurityContext(this.legacySecurityDomain);
                                    sc.getUtil().createSubjectInfo(finalPrincipal, finalCredential, null);
                                    return sc;
                                });
                            } else {
                                legacyContext = SecurityContextFactory.createSecurityContext(this.legacySecurityDomain);
                                legacyContext.getUtil().createSubjectInfo(finalPrincipal, finalCredential, null);
                            }
                        }
                        if (legacyContext != null) {
                            setSecurityContextOnAssociation(legacyContext);
                        }
                        try {
                            final InterceptorContext interceptorContext = new InterceptorContext();
                            if (legacyContext != null) {
                                interceptorContext.putPrivateData(SecurityContext.class, legacyContext);
                            }
                            prepareInterceptorContext(op, params, interceptorContext);
                            retVal = this.componentView.invoke(interceptorContext);
                        } finally {
                            if (legacyContext != null) {
                                clearSecurityContextOnAssociation();
                            }
                        }
                    }
                }
            }
            out = (org.omg.CORBA_2_3.portable.OutputStream) handler.createReply();
            if (op.isNonVoid()) {
                op.writeRetval(out, retVal);
            }
        } catch (Throwable e) {
            EjbLogger.ROOT_LOGGER.trace("Exception in EJBObject invocation", e);
            if (e instanceof MBeanException) {
                e = ((MBeanException) e).getTargetException();
            }
            RmiIdlUtil.rethrowIfCorbaSystemException(e);
            out = (org.omg.CORBA_2_3.portable.OutputStream) handler.createExceptionReply();
            op.writeException(out, e);
        }
        return out;
    } finally {
        NamespaceContextSelector.popCurrentSelector();
        WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(oldCl);
    }
}
Also used : ServerAuthenticationContext(org.wildfly.security.auth.server.ServerAuthenticationContext) AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext) NamePrincipal(org.wildfly.security.auth.principal.NamePrincipal) OutputStream(org.omg.CORBA.portable.OutputStream) NamespaceContextSelector(org.jboss.as.naming.context.NamespaceContextSelector) HandleImplIIOP(org.jboss.ejb.iiop.HandleImplIIOP) InterceptorContext(org.jboss.invocation.InterceptorContext) AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration) PrivilegedActionException(java.security.PrivilegedActionException) SkeletonStrategy(org.wildfly.iiop.openjdk.rmi.marshal.strategy.SkeletonStrategy) PrivilegedExceptionAction(java.security.PrivilegedExceptionAction) SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) SecurityContext(org.jboss.security.SecurityContext) MBeanException(javax.management.MBeanException) BAD_OPERATION(org.omg.CORBA.BAD_OPERATION) NamePrincipal(org.wildfly.security.auth.principal.NamePrincipal) Principal(java.security.Principal)

Example 9 with AuthenticationContext

use of org.wildfly.security.auth.client.AuthenticationContext in project wildfly by wildfly.

the class ElytronSASClientInterceptor method createInitialContextToken.

/**
     * Create an encoded {@link InitialContextToken} with an username/password pair obtained from an Elytron client configuration
     * matched by the specified {@link URI} and purpose.
     *
     * @param uri the target {@link URI}.
     * @param purpose a {@link String} representing the purpose of the configuration that will be used.
     * @param secMech a reference to the {@link CompoundSecMech} that was found in the {@link ClientRequestInfo}.
     * @return the encoded {@link InitialContextToken}, if a valid username is obtained from the matched configuration;
     *         an empty {@code byte[]} otherwise;
     * @throws Exception if an error occurs while building the encoded {@link InitialContextToken}.
     */
private byte[] createInitialContextToken(final URI uri, final String purpose, final CompoundSecMech secMech) throws Exception {
    AuthenticationContext authContext = this.authContext == null ? AuthenticationContext.captureCurrent() : this.authContext;
    // obtain the configuration that matches the URI and purpose.
    final AuthenticationConfiguration configuration = AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, authContext, -1, null, null, purpose);
    // get the callback handler from the configuration and use it to obtain a username/password pair.
    final CallbackHandler handler = AUTH_CONFIG_CLIENT.getCallbackHandler(configuration);
    final NameCallback nameCallback = new NameCallback("Username: ");
    final PasswordCallback passwordCallback = new PasswordCallback("Password: ", false);
    try {
        handler.handle(new Callback[] { nameCallback, passwordCallback });
    } catch (UnsupportedCallbackException e) {
        return NO_AUTHENTICATION_TOKEN;
    }
    // if the name callback contains a valid username we create the initial context token.
    if (nameCallback.getName() != null && !nameCallback.getName().equals(AnonymousPrincipal.getInstance().getName())) {
        byte[] encodedTargetName = secMech.as_context_mech.target_name;
        String name = nameCallback.getName();
        if (name.indexOf('@') < 0) {
            byte[] decodedTargetName = CSIv2Util.decodeGssExportedName(encodedTargetName);
            String targetName = new String(decodedTargetName, StandardCharsets.UTF_8);
            // "@default"
            name += "@" + targetName;
        }
        byte[] username = name.getBytes(StandardCharsets.UTF_8);
        byte[] password = {};
        if (passwordCallback.getPassword() != null)
            password = new String(passwordCallback.getPassword()).getBytes(StandardCharsets.UTF_8);
        // create the initial context token and ASN.1-encode it, as defined in RFC 2743.
        InitialContextToken authenticationToken = new InitialContextToken(username, password, encodedTargetName);
        return CSIv2Util.encodeInitialContextToken(authenticationToken, codec);
    }
    return NO_AUTHENTICATION_TOKEN;
}
Also used : AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration) CallbackHandler(javax.security.auth.callback.CallbackHandler) AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext) NameCallback(javax.security.auth.callback.NameCallback) InitialContextToken(org.omg.GSSUP.InitialContextToken) PasswordCallback(javax.security.auth.callback.PasswordCallback) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException)

Example 10 with AuthenticationContext

use of org.wildfly.security.auth.client.AuthenticationContext in project wildfly by wildfly.

the class ElytronSASClientInterceptor method send_request.

@Override
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
    try {
        CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec, EstablishTrustInClient.value, /* client supports */
        (short) 0);
        if (secMech == null) {
            return;
        }
        // these "null tokens" will be changed if needed.
        IdentityToken identityToken = ABSENT_IDENTITY_TOKEN;
        byte[] encodedAuthenticationToken = NO_AUTHENTICATION_TOKEN;
        final URI uri = this.getURI(ri);
        if (uri == null) {
            return;
        }
        SecurityDomain domain = SecurityDomain.getCurrent();
        SecurityIdentity currentIdentity = null;
        if (domain != null) {
            currentIdentity = domain.getCurrentSecurityIdentity();
        }
        final AuthenticationContext authContext;
        if (this.authContext != null) {
            authContext = this.authContext;
        } else if (currentIdentity == null || currentIdentity.isAnonymous()) {
            authContext = AuthenticationContext.captureCurrent();
        } else {
            authContext = AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.EMPTY.useForwardedIdentity(domain));
        }
        if ((secMech.sas_context_mech.target_supports & IdentityAssertion.value) != 0) {
            final AuthenticationConfiguration configuration = AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, authContext, -1, null, null, "client-auth");
            final Principal principal = AUTH_CONFIG_CLIENT.getPrincipal(configuration);
            if (principal != null && principal != AnonymousPrincipal.getInstance()) {
                // The name scope needs to be externalized.
                String name = principal.getName();
                if (name.indexOf('@') < 0) {
                    // hardcoded (REVISIT!)
                    name += "@default";
                }
                byte[] principalName = name.getBytes(StandardCharsets.UTF_8);
                // encode the principal name as mandated by RFC2743.
                byte[] encodedName = CSIv2Util.encodeGssExportedName(principalName);
                // encapsulate the encoded name.
                Any any = ORB.init().create_any();
                byte[] encapsulatedEncodedName;
                GSS_NT_ExportedNameHelper.insert(any, encodedName);
                try {
                    encapsulatedEncodedName = codec.encode_value(any);
                } catch (InvalidTypeForEncoding e) {
                    throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
                }
                // create identity token.
                identityToken = new IdentityToken();
                identityToken.principal_name(encapsulatedEncodedName);
            } else if ((secMech.sas_context_mech.supported_identity_types & ITTAnonymous.value) != 0) {
                // no run-as or caller identity and the target supports ITTAnonymous: use the anonymous identity.
                identityToken = new IdentityToken();
                identityToken.anonymous(true);
            }
            // target might require an additional initial context token with a username/password pair for authentication.
            if ((secMech.as_context_mech.target_requires & EstablishTrustInClient.value) != 0) {
                encodedAuthenticationToken = this.createInitialContextToken(uri, "server-auth", secMech);
            }
        } else if ((secMech.as_context_mech.target_supports & EstablishTrustInClient.value) != 0) {
            // target doesn't require an identity token but supports username/password authentication - try to build
            // an initial context token using the configuration.
            encodedAuthenticationToken = this.createInitialContextToken(uri, "client-auth", secMech);
        }
        if (identityToken != ABSENT_IDENTITY_TOKEN || encodedAuthenticationToken != NO_AUTHENTICATION_TOKEN) {
            // at least one non-null token was created, create EstablishContext message with it.
            EstablishContext message = new // stateless ctx id
            EstablishContext(// stateless ctx id
            0, NO_AUTHORIZATION_TOKEN, identityToken, encodedAuthenticationToken);
            // create SAS context with the EstablishContext message.
            SASContextBody contextBody = new SASContextBody();
            contextBody.establish_msg(message);
            // stuff the SAS context into the outgoing request.
            final Any any = ORB.init().create_any();
            SASContextBodyHelper.insert(any, contextBody);
            ServiceContext sc = new ServiceContext(SAS_CONTEXT_ID, codec.encode_value(any));
            ri.add_request_service_context(sc, true);
        }
    } catch (Exception e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration) AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) ServiceContext(org.omg.IOP.ServiceContext) SASContextBody(org.omg.CSI.SASContextBody) URI(java.net.URI) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding) URISyntaxException(java.net.URISyntaxException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain) SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) IdentityToken(org.omg.CSI.IdentityToken) EstablishContext(org.omg.CSI.EstablishContext) AnonymousPrincipal(org.wildfly.security.auth.principal.AnonymousPrincipal) Principal(java.security.Principal)

Aggregations

AuthenticationContext (org.wildfly.security.auth.client.AuthenticationContext)16 AuthenticationConfiguration (org.wildfly.security.auth.client.AuthenticationConfiguration)7 OptionMap (org.xnio.OptionMap)4 EJBAccessException (javax.ejb.EJBAccessException)3 Context (javax.naming.Context)3 NamingException (javax.naming.NamingException)3 BeforeClass (org.junit.BeforeClass)3 Principal (java.security.Principal)2 CallbackHandler (javax.security.auth.callback.CallbackHandler)2 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)2 EJBClientContext (org.jboss.ejb.client.EJBClientContext)2 SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)2 XATerminator (com.arjuna.ats.internal.jbossatx.jta.jca.XATerminator)1 TransactionManagerImple (com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionManagerImple)1 TransactionSynchronizationRegistryImple (com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionSynchronizationRegistryImple)1 JTAEnvironmentBean (com.arjuna.ats.jta.common.JTAEnvironmentBean)1 URI (java.net.URI)1 URISyntaxException (java.net.URISyntaxException)1 PrivilegedActionException (java.security.PrivilegedActionException)1 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)1