Example 1 with SecurityDomain

use of org.wildfly.security.auth.server.SecurityDomain in project wildfly by wildfly.

the class ForbidAnonymousInterceptor method processInvocation.

public Object processInvocation(final InterceptorContext context) throws Exception {
    final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
    Assert.checkNotNullParam("securityDomain", securityDomain);
    if (securityDomain.getCurrentSecurityIdentity().getPrincipal() instanceof AnonymousPrincipal) {
        throw EjbLogger.EJB3_INVOCATION_LOGGER.ejbAuthenticationRequired();
    } else {
        return context.proceed();
    }
}
Also used : AnonymousPrincipal(org.wildfly.security.auth.principal.AnonymousPrincipal) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)

Example 2 with SecurityDomain

use of org.wildfly.security.auth.server.SecurityDomain in project wildfly by wildfly.

the class RoleAddingInterceptor method processInvocation.

public Object processInvocation(final InterceptorContext context) throws Exception {
    final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
    Assert.checkNotNullParam("securityDomain", securityDomain);
    final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
    final RoleMapper mergeMapper = roleMapper.or((roles) -> currentIdentity.getRoles(category));
    final SecurityIdentity newIdentity = currentIdentity.withRoleMapper(category, mergeMapper);
    try {
        return newIdentity.runAs(context);
    } catch (PrivilegedActionException e) {
        Throwable cause = e.getCause();
        if (cause != null) {
            if (cause instanceof Exception) {
                throw (Exception) cause;
            } else {
                throw new RuntimeException(e);
            }
        } else {
            throw e;
        }
    }
}
Also used : SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) RoleMapper(org.wildfly.security.authz.RoleMapper) PrivilegedActionException(java.security.PrivilegedActionException) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)

Example 3 with SecurityDomain

use of org.wildfly.security.auth.server.SecurityDomain in project wildfly by wildfly.

the class RolesAllowedInterceptor method processInvocation.

public Object processInvocation(final InterceptorContext context) throws Exception {
    final Component component = context.getPrivateData(Component.class);
    if (!(component instanceof EJBComponent)) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    final Iterator<String> iterator = rolesAllowed.iterator();
    if (iterator.hasNext()) {
        final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
        final SecurityIdentity identity = securityDomain.getCurrentSecurityIdentity();
        final Roles ejbRoles = identity.getRoles("ejb", true);
        do {
            final String role = iterator.next();
            if (ejbRoles.contains(role) || (role.equals("**") && !identity.isAnonymous())) {
                return context.proceed();
            }
        } while (iterator.hasNext());
    }
    throw EjbLogger.ROOT_LOGGER.invocationOfMethodNotAllowed(context.getMethod(), ((EJBComponent) component).getComponentName());
}
Also used : SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) Roles(org.wildfly.security.authz.Roles) EJBComponent(org.jboss.as.ejb3.component.EJBComponent) Component(org.jboss.as.ee.component.Component) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)
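Examples 1 to 3 are interceptor bodies, so they cannot be run outside WildFly. The following added example (not code from the WildFly project) reproduces their three decisions against a stand-alone Elytron SecurityDomain: the anonymous-caller gate, the @RolesAllowed check with the "**" wildcard over the "ejb" role category, and the per-invocation role merge performed with withRoleMapper and runAs. It assumes the wildfly-elytron API on the classpath; the realm, the user "alice", her password and role, and the class and method names are constructed for the demonstration.

```java
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.List;
import java.util.Map;

import org.wildfly.security.WildFlyElytronPasswordProvider;
import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.principal.AnonymousPrincipal;
import org.wildfly.security.auth.realm.SimpleMapBackedSecurityRealm;
import org.wildfly.security.auth.realm.SimpleRealmEntry;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.authz.MapAttributes;
import org.wildfly.security.authz.RoleDecoder;
import org.wildfly.security.authz.RoleMapper;
import org.wildfly.security.authz.Roles;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.evidence.PasswordGuessEvidence;
import org.wildfly.security.password.PasswordFactory;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.password.spec.ClearPasswordSpec;
import org.wildfly.security.permission.PermissionVerifier;

public class EjbAuthzDemo {

    // Constructed in-memory realm (hypothetical data): user "alice", password "secret", role "user".
    static SecurityDomain buildDomain() throws Exception {
        PasswordFactory factory = PasswordFactory.getInstance(
                ClearPassword.ALGORITHM_CLEAR, WildFlyElytronPasswordProvider.getInstance());
        PasswordCredential credential = new PasswordCredential(
                factory.generatePassword(new ClearPasswordSpec("secret".toCharArray())));
        MapAttributes attributes = new MapAttributes();
        attributes.addAll("Roles", List.of("user"));
        SimpleMapBackedSecurityRealm realm = new SimpleMapBackedSecurityRealm();
        realm.setIdentityMap(Map.of("alice", new SimpleRealmEntry(List.of(credential), attributes)));
        return SecurityDomain.builder()
                .addRealm("demo", realm).build()
                .setDefaultRealmName("demo")
                .setRoleDecoder(RoleDecoder.simple("Roles"))
                // Anyone who proves a credential may log in; method-level authorization happens below.
                .setPermissionMapper((mappable, roles) -> PermissionVerifier.from(new LoginPermission()))
                .build();
    }

    // Same test as ForbidAnonymousInterceptor, without the EJB interceptor plumbing.
    static void requireAuthenticated(SecurityIdentity identity) {
        if (identity.getPrincipal() instanceof AnonymousPrincipal) {
            throw new SecurityException("EJB invocation requires an authenticated caller");
        }
    }

    // Same decision as RolesAllowedInterceptor: roles come from the "ejb" category, falling back to the
    // identity's default roles, and the special role "**" matches any authenticated (non-anonymous) caller.
    static boolean isAllowed(SecurityIdentity identity, List<String> rolesAllowed) {
        Roles ejbRoles = identity.getRoles("ejb", true);
        for (String role : rolesAllowed) {
            if (ejbRoles.contains(role) || (role.equals("**") && !identity.isAnonymous())) {
                return true;
            }
        }
        return false;
    }

    // Same merge as RoleAddingInterceptor: withRoleMapper replaces the "ejb" mapper, so the caller's existing
    // category roles are OR-ed back in. The extra role exists only inside runAs(), never on the caller identity.
    static boolean runWithExtraRole(SecurityDomain domain, SecurityIdentity caller, String extraRole,
                                    List<String> rolesAllowed) throws Exception {
        RoleMapper addRole = roles -> roles.or(Roles.of(extraRole));
        RoleMapper merged = addRole.or(roles -> caller.getRoles("ejb"));
        SecurityIdentity elevated = caller.withRoleMapper("ejb", merged);
        try {
            return elevated.runAs((PrivilegedExceptionAction<Boolean>) () ->
                    isAllowed(domain.getCurrentSecurityIdentity(), rolesAllowed));
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            throw cause instanceof Exception ? (Exception) cause : new RuntimeException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        SecurityDomain domain = buildDomain();
        SecurityIdentity anonymous = domain.getAnonymousSecurityIdentity();
        SecurityIdentity alice = domain.authenticate("alice", new PasswordGuessEvidence("secret".toCharArray()));

        try {
            requireAuthenticated(anonymous);
        } catch (SecurityException expected) {
            System.out.println("anonymous rejected: " + expected.getMessage());
        }
        requireAuthenticated(alice);

        System.out.println("anonymous vs @RolesAllowed(\"**\"): " + isAllowed(anonymous, List.of("**")));
        System.out.println("alice vs @RolesAllowed(\"**\"):     " + isAllowed(alice, List.of("**")));
        System.out.println("alice vs @RolesAllowed(\"admin\"):  " + isAllowed(alice, List.of("admin")));
        System.out.println("alice + admin for one call:       "
                + runWithExtraRole(domain, alice, "admin", List.of("admin")));
        System.out.println("alice after that call:            " + isAllowed(alice, List.of("admin")));
    }
}
```

The point to watch in practice is the last two lines of main: the elevated identity is a new object and its extra role is visible only to code run through runAs, so the caller's own identity, and any other thread, is unaffected. That is what lets the EJB run-as feature be scoped to a single invocation instead of mutating the caller. The "**" handling is also worth noting: it is not a role stored in the realm but a check that the identity is not anonymous, which is why it must never be satisfied by an anonymous caller.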

Example 4 with SecurityDomain

use of org.wildfly.security.auth.server.SecurityDomain in project wildfly by wildfly.

the class SecurityDomainInterceptorFactory method create.

@Override
protected Interceptor create(final Component component, final InterceptorFactoryContext context) {
    if (!(component instanceof EJBComponent)) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    final EJBComponent ejbComponent = (EJBComponent) component;
    final EJBSecurityMetaData securityMetaData = ejbComponent.getSecurityMetaData();
    String securityDomainName = securityMetaData.getSecurityDomain();
    if (securityDomainName == null) {
        securityDomainName = DEFAULT_DOMAIN;
    }
    final SecurityDomain securityDomain = ejbComponent.getSecurityDomain();
    if (securityDomain == null) {
        throw EjbLogger.ROOT_LOGGER.invalidSecurityForDomainSet(ejbComponent.getComponentName());
    }
    if (ROOT_LOGGER.isTraceEnabled()) {
        ROOT_LOGGER.trace("Using security domain: " + securityDomainName + " for EJB " + ejbComponent.getComponentName());
    }
    return new SecurityDomainInterceptor(securityDomain);
}
Also used : EJBComponent(org.jboss.as.ejb3.component.EJBComponent) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)

Example 5 with SecurityDomain

use of org.wildfly.security.auth.server.SecurityDomain in project wildfly by wildfly.

the class ElytronSASClientInterceptor method send_request.

@Override
public void send_request(ClientRequestInfo ri) throws ForwardRequest {
    try {
        CompoundSecMech secMech = CSIv2Util.getMatchingSecurityMech(ri, codec,
                EstablishTrustInClient.value, /* client supports */
                (short) 0);
        if (secMech == null) {
            return;
        }
        // these "null tokens" will be changed if needed.
        IdentityToken identityToken = ABSENT_IDENTITY_TOKEN;
        byte[] encodedAuthenticationToken = NO_AUTHENTICATION_TOKEN;
        final URI uri = this.getURI(ri);
        if (uri == null) {
            return;
        }
        SecurityDomain domain = SecurityDomain.getCurrent();
        SecurityIdentity currentIdentity = null;
        if (domain != null) {
            currentIdentity = domain.getCurrentSecurityIdentity();
        }
        final AuthenticationContext authContext;
        if (this.authContext != null) {
            authContext = this.authContext;
        } else if (currentIdentity == null || currentIdentity.isAnonymous()) {
            authContext = AuthenticationContext.captureCurrent();
        } else {
            authContext = AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.EMPTY.useForwardedIdentity(domain));
        }
        if ((secMech.sas_context_mech.target_supports & IdentityAssertion.value) != 0) {
            final AuthenticationConfiguration configuration = AUTH_CONFIG_CLIENT.getAuthenticationConfiguration(uri, authContext, -1, null, null, "client-auth");
            final Principal principal = AUTH_CONFIG_CLIENT.getPrincipal(configuration);
            if (principal != null && principal != AnonymousPrincipal.getInstance()) {
                // The name scope needs to be externalized.
                String name = principal.getName();
                if (name.indexOf('@') < 0) {
                    // hardcoded (REVISIT!)
                    name += "@default";
                }
                byte[] principalName = name.getBytes(StandardCharsets.UTF_8);
                // encode the principal name as mandated by RFC2743.
                byte[] encodedName = CSIv2Util.encodeGssExportedName(principalName);
                // encapsulate the encoded name.
                Any any = ORB.init().create_any();
                byte[] encapsulatedEncodedName;
                GSS_NT_ExportedNameHelper.insert(any, encodedName);
                try {
                    encapsulatedEncodedName = codec.encode_value(any);
                } catch (InvalidTypeForEncoding e) {
                    throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
                }
                // create identity token.
                identityToken = new IdentityToken();
                identityToken.principal_name(encapsulatedEncodedName);
            } else if ((secMech.sas_context_mech.supported_identity_types & ITTAnonymous.value) != 0) {
                // no run-as or caller identity and the target supports ITTAnonymous: use the anonymous identity.
                identityToken = new IdentityToken();
                identityToken.anonymous(true);
            }
            // target might require an additional initial context token with a username/password pair for authentication.
            if ((secMech.as_context_mech.target_requires & EstablishTrustInClient.value) != 0) {
                encodedAuthenticationToken = this.createInitialContextToken(uri, "server-auth", secMech);
            }
        } else if ((secMech.as_context_mech.target_supports & EstablishTrustInClient.value) != 0) {
            // target doesn't require an identity token but supports username/password authentication - try to build
            // an initial context token using the configuration.
            encodedAuthenticationToken = this.createInitialContextToken(uri, "client-auth", secMech);
        }
        if (identityToken != ABSENT_IDENTITY_TOKEN || encodedAuthenticationToken != NO_AUTHENTICATION_TOKEN) {
            // at least one non-null token was created, create EstablishContext message with it.
            EstablishContext message = new EstablishContext(0, // stateless ctx id
                    NO_AUTHORIZATION_TOKEN, identityToken, encodedAuthenticationToken);
            // create SAS context with the EstablishContext message.
            SASContextBody contextBody = new SASContextBody();
            contextBody.establish_msg(message);
            // stuff the SAS context into the outgoing request.
            final Any any = ORB.init().create_any();
            SASContextBodyHelper.insert(any, contextBody);
            ServiceContext sc = new ServiceContext(SAS_CONTEXT_ID, codec.encode_value(any));
            ri.add_request_service_context(sc, true);
        }
    } catch (Exception e) {
        throw IIOPLogger.ROOT_LOGGER.unexpectedException(e);
    }
}
Also used : AuthenticationConfiguration(org.wildfly.security.auth.client.AuthenticationConfiguration) AuthenticationContext(org.wildfly.security.auth.client.AuthenticationContext) CompoundSecMech(org.omg.CSIIOP.CompoundSecMech) ServiceContext(org.omg.IOP.ServiceContext) SASContextBody(org.omg.CSI.SASContextBody) URI(java.net.URI) Any(org.omg.CORBA.Any) InvalidTypeForEncoding(org.omg.IOP.CodecPackage.InvalidTypeForEncoding) URISyntaxException(java.net.URISyntaxException) UnsupportedCallbackException(javax.security.auth.callback.UnsupportedCallbackException) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain) SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) IdentityToken(org.omg.CSI.IdentityToken) EstablishContext(org.omg.CSI.EstablishContext) AnonymousPrincipal(org.wildfly.security.auth.principal.AnonymousPrincipal) Principal(java.security.Principal)

Aggregations

SecurityDomain (org.wildfly.security.auth.server.SecurityDomain)13 SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)8 PrivilegedActionException (java.security.PrivilegedActionException)4 Component (org.jboss.as.ee.component.Component)4 EJBComponent (org.jboss.as.ejb3.component.EJBComponent)4 RoleMapper (org.wildfly.security.authz.RoleMapper)3 PrivilegedAction (java.security.PrivilegedAction)2 AnonymousPrincipal (org.wildfly.security.auth.principal.AnonymousPrincipal)2 Method (java.lang.reflect.Method)1 InetSocketAddress (java.net.InetSocketAddress)1 URI (java.net.URI)1 URISyntaxException (java.net.URISyntaxException)1 Principal (java.security.Principal)1 ArrayList (java.util.ArrayList)1 HashMap (java.util.HashMap)1 Map (java.util.Map)1 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1 DataSource (javax.sql.DataSource)1 BroadcastGroupConfiguration (org.apache.activemq.artemis.api.core.BroadcastGroupConfiguration)1 DiscoveryGroupConfiguration (org.apache.activemq.artemis.api.core.DiscoveryGroupConfiguration)1