Example 6 with SecurityDomain
use of org.wildfly.security.auth.server.SecurityDomain in project wildfly by wildfly.
the class AsyncFutureInterceptorFactory method create.
@Override
public Interceptor create(final InterceptorFactoryContext context) {
final SessionBeanComponent component = (SessionBeanComponent) context.getContextData().get(Component.class);
if (component.isSecurityDomainKnown()) {
return new Interceptor() {
@Override
public Object processInvocation(final InterceptorContext context) throws Exception {
if (!context.isBlockingCaller()) {
return context.proceed();
}
final InterceptorContext asyncInterceptorContext = context.clone();
asyncInterceptorContext.putPrivateData(InvocationType.class, InvocationType.ASYNC);
final CancellationFlag flag = new CancellationFlag();
final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
final StartupCountdown.Frame frame = StartupCountdown.current();
final SecurityIdentity currentIdentity = securityDomain == null ? null : securityDomain.getCurrentSecurityIdentity();
final Connection remoteConnection = getConnection();
Callable<Object> invocationTask = () -> {
setConnection(remoteConnection);
StartupCountdown.restore(frame);
try {
return asyncInterceptorContext.proceed();
} finally {
StartupCountdown.restore(null);
clearConnection();
}
};
final AsyncInvocationTask task = new AsyncInvocationTask(flag) {
@Override
protected Object runInvocation() throws Exception {
if (currentIdentity != null) {
return currentIdentity.runAs(invocationTask);
} else {
return invocationTask.call();
}
}
};
asyncInterceptorContext.putPrivateData(CancellationFlag.class, flag);
asyncInterceptorContext.setBlockingCaller(false);
return execute(component, task);
}
};
} else {
return new Interceptor() {
@Override
public Object processInvocation(final InterceptorContext context) throws Exception {
if (!context.isBlockingCaller()) {
return context.proceed();
}
final InterceptorContext asyncInterceptorContext = context.clone();
asyncInterceptorContext.putPrivateData(InvocationType.class, InvocationType.ASYNC);
final CancellationFlag flag = new CancellationFlag();
final SecurityContext securityContext;
if (WildFlySecurityManager.isChecking()) {
securityContext = AccessController.doPrivileged(new PrivilegedAction<SecurityContext>() {
@Override
public SecurityContext run() {
return SecurityContextAssociation.getSecurityContext();
}
});
} else {
securityContext = SecurityContextAssociation.getSecurityContext();
}
// clone the original security context so that changes to the original security context in a separate (caller/unrelated) thread doesn't affect
// the security context associated with the async invocation thread
final SecurityContext clonedSecurityContext;
if (securityContext instanceof JBossSecurityContext) {
clonedSecurityContext = (SecurityContext) ((JBossSecurityContext) securityContext).clone();
} else {
// we can't do anything if it isn't a JBossSecurityContext so just use the original one
clonedSecurityContext = securityContext;
}
final Connection remoteConnection = getConnection();
final StartupCountdown.Frame frame = StartupCountdown.current();
final AsyncInvocationTask task = new AsyncInvocationTask(flag) {
@Override
protected Object runInvocation() throws Exception {
setSecurityContextOnAssociation(clonedSecurityContext);
setConnection(remoteConnection);
StartupCountdown.restore(frame);
try {
return asyncInterceptorContext.proceed();
} finally {
StartupCountdown.restore(null);
try {
clearSecurityContextOnAssociation();
} finally {
clearConnection();
}
}
}
};
asyncInterceptorContext.putPrivateData(CancellationFlag.class, flag);
asyncInterceptorContext.setBlockingCaller(false);
return execute(component, task);
}
};
}
}
Also used :
Connection(org.jboss.remoting3.Connection)
SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)
SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity)
PrivilegedAction(java.security.PrivilegedAction)
SessionBeanComponent(org.jboss.as.ejb3.component.session.SessionBeanComponent)
InterceptorContext(org.jboss.invocation.InterceptorContext)
SecurityContext(org.jboss.security.SecurityContext)
JBossSecurityContext(org.jboss.security.plugins.JBossSecurityContext)
JBossSecurityContext(org.jboss.security.plugins.JBossSecurityContext)
SessionBeanComponent(org.jboss.as.ejb3.component.session.SessionBeanComponent)
Component(org.jboss.as.ee.component.Component)
Interceptor(org.jboss.invocation.Interceptor)
StartupCountdown(org.jboss.as.ee.component.deployers.StartupCountdown)
Example 7 with SecurityDomain
use of org.wildfly.security.auth.server.SecurityDomain in project wildfly by wildfly.
the class ElytronSecurityIntegration method createCallbackHandler.
@Override
public CallbackHandler createCallbackHandler(final Callback callback) {
assert callback != null;
// TODO switch to use the elytron security domain once the callback has that info available.
final String securityDomainName = callback.getDomain();
// get domain reference from the service container and create the callback handler using the domain.
if (securityDomainName != null) {
final ServiceContainer container = this.currentServiceContainer();
final ServiceName securityDomainServiceName = SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName(securityDomainName);
final SecurityDomain securityDomain = (SecurityDomain) container.getRequiredService(securityDomainServiceName).getValue();
return new ElytronCallbackHandler(securityDomain, callback);
}
// TODO use subsystem logger for the exception.
throw ConnectorLogger.ROOT_LOGGER.invalidCallbackSecurityDomain();
}
Also used :
ServiceContainer(org.jboss.msc.service.ServiceContainer)
CurrentServiceContainer(org.jboss.as.server.CurrentServiceContainer)
ServiceName(org.jboss.msc.service.ServiceName)
SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)
Example 8 with SecurityDomain
use of org.wildfly.security.auth.server.SecurityDomain in project wildfly by wildfly.
the class ActiveMQServerService method start.
public synchronized void start(final StartContext context) throws StartException {
ClassLoader origTCCL = org.wildfly.security.manager.WildFlySecurityManager.getCurrentContextClassLoaderPrivileged();
// Validate whether the AIO native layer can be used
JournalType jtype = configuration.getJournalType();
if (jtype == JournalType.ASYNCIO) {
boolean supportsAIO = AIOSequentialFileFactory.isSupported();
if (supportsAIO == false) {
String osName = System.getProperty("os.name").toLowerCase(Locale.ENGLISH);
if (osName.contains("nux")) {
ROOT_LOGGER.aioInfoLinux();
} else {
ROOT_LOGGER.aioInfo();
}
configuration.setJournalType(JournalType.NIO);
}
}
// Setup paths
PathManager pathManager = this.pathManager.getValue();
configuration.setBindingsDirectory(pathConfig.resolveBindingsPath(pathManager));
configuration.setLargeMessagesDirectory(pathConfig.resolveLargeMessagePath(pathManager));
configuration.setJournalDirectory(pathConfig.resolveJournalPath(pathManager));
configuration.setPagingDirectory(pathConfig.resolvePagingPath(pathManager));
pathConfig.registerCallbacks(pathManager);
try {
// Update the acceptor/connector port/host values from the
// Map the socket bindings onto the connectors/acceptors
Collection<TransportConfiguration> acceptors = configuration.getAcceptorConfigurations();
Collection<TransportConfiguration> connectors = configuration.getConnectorConfigurations().values();
Collection<BroadcastGroupConfiguration> broadcastGroups = configuration.getBroadcastGroupConfigurations();
Map<String, DiscoveryGroupConfiguration> discoveryGroups = configuration.getDiscoveryGroupConfigurations();
if (connectors != null) {
for (TransportConfiguration tc : connectors) {
// If there is a socket binding set the HOST/PORT values
Object socketRef = tc.getParams().remove(SOCKET_REF);
if (socketRef != null) {
String name = socketRef.toString();
String host;
int port;
OutboundSocketBinding binding = outboundSocketBindings.get(name);
if (binding == null) {
final SocketBinding socketBinding = socketBindings.get(name);
if (socketBinding == null) {
throw MessagingLogger.ROOT_LOGGER.failedToFindConnectorSocketBinding(tc.getName());
}
InetSocketAddress sa = socketBinding.getSocketAddress();
port = sa.getPort();
// resolve the host name of the address only if a loopback address has been set
if (sa.getAddress().isLoopbackAddress()) {
host = NetworkUtils.canonize(sa.getAddress().getHostName());
} else {
host = NetworkUtils.canonize(sa.getAddress().getHostAddress());
}
} else {
port = binding.getDestinationPort();
host = NetworkUtils.canonize(binding.getUnresolvedDestinationAddress());
if (binding.getSourceAddress() != null) {
tc.getParams().put(TransportConstants.LOCAL_ADDRESS_PROP_NAME, NetworkUtils.canonize(binding.getSourceAddress().getHostAddress()));
}
if (binding.getSourcePort() != null) {
// Use absolute port to account for source port offset/fixation
tc.getParams().put(TransportConstants.LOCAL_PORT_PROP_NAME, binding.getAbsoluteSourcePort());
}
}
tc.getParams().put(HOST, host);
tc.getParams().put(PORT, port);
}
}
}
if (acceptors != null) {
for (TransportConfiguration tc : acceptors) {
// If there is a socket binding set the HOST/PORT values
Object socketRef = tc.getParams().remove(SOCKET_REF);
if (socketRef != null) {
String name = socketRef.toString();
SocketBinding binding = socketBindings.get(name);
if (binding == null) {
throw MessagingLogger.ROOT_LOGGER.failedToFindConnectorSocketBinding(tc.getName());
}
binding.getSocketBindings().getNamedRegistry().registerBinding(ManagedBinding.Factory.createSimpleManagedBinding(binding));
InetSocketAddress socketAddress = binding.getSocketAddress();
tc.getParams().put(HOST, socketAddress.getAddress().getHostAddress());
tc.getParams().put(PORT, socketAddress.getPort());
}
}
}
if (broadcastGroups != null) {
final List<BroadcastGroupConfiguration> newConfigs = new ArrayList<BroadcastGroupConfiguration>();
for (final BroadcastGroupConfiguration config : broadcastGroups) {
final String name = config.getName();
final String key = "broadcast" + name;
if (jgroupFactories.containsKey(key)) {
ChannelFactory channelFactory = jgroupFactories.get(key);
String channelName = jgroupsChannels.get(key);
JChannel channel = (JChannel) channelFactory.createChannel(channelName);
channels.put(channelName, channel);
newConfigs.add(BroadcastGroupAdd.createBroadcastGroupConfiguration(name, config, channel, channelName));
} else {
final SocketBinding binding = groupBindings.get(key);
if (binding == null) {
throw MessagingLogger.ROOT_LOGGER.failedToFindBroadcastSocketBinding(name);
}
binding.getSocketBindings().getNamedRegistry().registerBinding(ManagedBinding.Factory.createSimpleManagedBinding(binding));
newConfigs.add(BroadcastGroupAdd.createBroadcastGroupConfiguration(name, config, binding));
}
}
configuration.getBroadcastGroupConfigurations().clear();
configuration.getBroadcastGroupConfigurations().addAll(newConfigs);
}
if (discoveryGroups != null) {
configuration.setDiscoveryGroupConfigurations(new HashMap<String, DiscoveryGroupConfiguration>());
for (final Map.Entry<String, DiscoveryGroupConfiguration> entry : discoveryGroups.entrySet()) {
final String name = entry.getKey();
final String key = "discovery" + name;
DiscoveryGroupConfiguration config = null;
if (jgroupFactories.containsKey(key)) {
ChannelFactory channelFactory = jgroupFactories.get(key);
String channelName = jgroupsChannels.get(key);
JChannel channel = channels.get(channelName);
if (channel == null) {
channel = (JChannel) channelFactory.createChannel(key);
channels.put(channelName, channel);
}
config = DiscoveryGroupAdd.createDiscoveryGroupConfiguration(name, entry.getValue(), channel, channelName);
} else {
final SocketBinding binding = groupBindings.get(key);
if (binding == null) {
throw MessagingLogger.ROOT_LOGGER.failedToFindDiscoverySocketBinding(name);
}
config = DiscoveryGroupAdd.createDiscoveryGroupConfiguration(name, entry.getValue(), binding);
binding.getSocketBindings().getNamedRegistry().registerBinding(ManagedBinding.Factory.createSimpleManagedBinding(binding));
}
configuration.getDiscoveryGroupConfigurations().put(name, config);
}
}
// security - if an Elytron domain has been defined we delegate security checks to the Elytron based security manager.
ActiveMQSecurityManager securityManager = null;
final SecurityDomain elytronDomain = this.elytronSecurityDomain.getOptionalValue();
if (elytronDomain != null) {
securityManager = new ElytronSecurityManager(elytronDomain);
} else {
securityManager = new WildFlySecurityManager(securityDomainContextValue.getValue());
}
// insert possible credential source hold passwords
setBridgePasswordsFromCredentialSource();
setClusterPasswordFromCredentialSource();
DataSource ds = dataSource.getOptionalValue();
if (ds != null) {
DatabaseStorageConfiguration dbConfiguration = (DatabaseStorageConfiguration) configuration.getStoreConfiguration();
dbConfiguration.setDataSource(ds);
// inject the datasource into the PropertySQLProviderFactory to be able to determine the
// type of database for the datasource metadata
PropertySQLProviderFactory sqlProviderFactory = (PropertySQLProviderFactory) dbConfiguration.getSqlProviderFactory();
sqlProviderFactory.investigateDialect(ds);
configuration.setStoreConfiguration(dbConfiguration);
ROOT_LOGGER.infof("use JDBC store for Artemis server, bindingsTable:%s", dbConfiguration.getBindingsTableName());
}
// Now start the server
server = new ActiveMQServerImpl(configuration, mbeanServer.getOptionalValue(), securityManager);
if (ActiveMQDefaultConfiguration.getDefaultClusterPassword().equals(server.getConfiguration().getClusterPassword())) {
server.getConfiguration().setClusterPassword(java.util.UUID.randomUUID().toString());
}
for (Interceptor incomingInterceptor : incomingInterceptors) {
server.getServiceRegistry().addIncomingInterceptor(incomingInterceptor);
}
for (Interceptor outgoingInterceptor : outgoingInterceptors) {
server.getServiceRegistry().addOutgoingInterceptor(outgoingInterceptor);
}
// the server is actually started by the JMSService.
} catch (Exception e) {
throw MessagingLogger.ROOT_LOGGER.failedToStartService(e);
} finally {
org.wildfly.security.manager.WildFlySecurityManager.setCurrentContextClassLoaderPrivileged(origTCCL);
}
}
Also used :
OutboundSocketBinding(org.jboss.as.network.OutboundSocketBinding)
SocketBinding(org.jboss.as.network.SocketBinding)
JChannel(org.jgroups.JChannel)
OutboundSocketBinding(org.jboss.as.network.OutboundSocketBinding)
InetSocketAddress(java.net.InetSocketAddress)
ArrayList(java.util.ArrayList)
TransportConfiguration(org.apache.activemq.artemis.api.core.TransportConfiguration)
SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)
BroadcastGroupConfiguration(org.apache.activemq.artemis.api.core.BroadcastGroupConfiguration)
ActiveMQSecurityManager(org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager)
Interceptor(org.apache.activemq.artemis.api.core.Interceptor)
PathManager(org.jboss.as.controller.services.path.PathManager)
DiscoveryGroupConfiguration(org.apache.activemq.artemis.api.core.DiscoveryGroupConfiguration)
ChannelFactory(org.wildfly.clustering.jgroups.spi.ChannelFactory)
ActiveMQServerImpl(org.apache.activemq.artemis.core.server.impl.ActiveMQServerImpl)
StartException(org.jboss.msc.service.StartException)
DataSource(javax.sql.DataSource)
DatabaseStorageConfiguration(org.apache.activemq.artemis.core.config.storage.DatabaseStorageConfiguration)
JournalType(org.apache.activemq.artemis.core.server.JournalType)
Map(java.util.Map)
HashMap(java.util.HashMap)
Example 9 with SecurityDomain
use of org.wildfly.security.auth.server.SecurityDomain in project wildfly by wildfly.
the class WeldSecurityServices method getPrincipal.
@Override
public Principal getPrincipal() {
SecurityDomain elytronDomain = SecurityDomain.getCurrent();
if (elytronDomain != null) {
return elytronDomain.getCurrentSecurityIdentity().getPrincipal();
}
final SimpleSecurityManager securityManager = securityManagerValue.getOptionalValue();
if (securityManager == null)
throw WeldLogger.ROOT_LOGGER.securityNotEnabled();
return securityManager.getCallerPrincipal();
}
Also used :
SimpleSecurityManager(org.jboss.as.security.service.SimpleSecurityManager)
SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)
Example 10 with SecurityDomain
use of org.wildfly.security.auth.server.SecurityDomain in project wildfly by wildfly.
the class IdentityOutflowInterceptor method processInvocation.
public Object processInvocation(final InterceptorContext context) throws Exception {
if (identityOutflowFunction != null) {
final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
Set<SecurityIdentity> outflowedIdentities = identityOutflowFunction.apply(currentIdentity);
SecurityIdentity[] newIdentities;
if (category != null && roleMapper != null) {
// Propagate the runAsRole or any extra principal roles that are configured
// (TODO: ensure this is the desired behaviour)
newIdentities = outflowedIdentities.stream().map(outflowedIdentity -> {
final RoleMapper mergeMapper = roleMapper.or((roles) -> outflowedIdentity.getRoles(category));
return outflowedIdentity.withRoleMapper(category, mergeMapper);
}).toArray(SecurityIdentity[]::new);
} else {
newIdentities = outflowedIdentities.toArray(new SecurityIdentity[outflowedIdentities.size()]);
}
return SecurityIdentity.runAsAll(context, newIdentities);
} else {
return context.proceed();
}
}
Also used :
SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity)
RoleMapper(org.wildfly.security.authz.RoleMapper)
SecurityDomain(org.wildfly.security.auth.server.SecurityDomain)
Aggregations
SecurityDomain (org.wildfly.security.auth.server.SecurityDomain)13
SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)8
PrivilegedActionException (java.security.PrivilegedActionException)4
Component (org.jboss.as.ee.component.Component)4
EJBComponent (org.jboss.as.ejb3.component.EJBComponent)4
RoleMapper (org.wildfly.security.authz.RoleMapper)3
PrivilegedAction (java.security.PrivilegedAction)2
AnonymousPrincipal (org.wildfly.security.auth.principal.AnonymousPrincipal)2
Method (java.lang.reflect.Method)1
InetSocketAddress (java.net.InetSocketAddress)1
URI (java.net.URI)1
URISyntaxException (java.net.URISyntaxException)1
Principal (java.security.Principal)1
ArrayList (java.util.ArrayList)1
HashMap (java.util.HashMap)1
Map (java.util.Map)1
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)1
DataSource (javax.sql.DataSource)1
BroadcastGroupConfiguration (org.apache.activemq.artemis.api.core.BroadcastGroupConfiguration)1
DiscoveryGroupConfiguration (org.apache.activemq.artemis.api.core.DiscoveryGroupConfiguration)1
