
Example 1 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

The class ElytronSecurityDomainContextImpl, method runAs.

public void runAs(Callable<Void> action) throws Exception {
    final SecurityIdentity ci = currentIdentity.get();
    if (ci != null) {
        // There are no security constraints in the servlet, so run the action directly as the captured identity.
        ci.runAs(action);
        currentIdentity.set(null);
    } else {
        // Undertow's ElytronRunAsHandler has already propagated the SecurityIdentity to the SecurityDomain, so run the action directly.
        action.call();
    }
}
Also used: SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)

Example 2 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

The class ConnectionSecurityContext, method getConnectionPrincipals.

/**
 * Obtain a {@link Collection} containing the {@link Principal} instances for the user associated with the connection.
 *
 * Note: This method should be called from within a {@link PrivilegedAction}.
 *
 * @return The Collection of Principals for the user authenticated with the connection. An empty Collection will be returned
 *         if no user is associated with the connection; {@code null} will be returned if no connection is associated with
 *         the {@link Thread}
 */
public static Collection<Principal> getConnectionPrincipals() {
    Connection con = RemotingContext.getConnection();
    if (con != null) {
        Collection<Principal> principals = new HashSet<>();
        SecurityIdentity localIdentity = con.getLocalIdentity();
        if (localIdentity != null) {
            principals.add(new RealmUser(localIdentity.getPrincipal().getName()));
            // Iterate the roles sequentially: HashSet is not thread-safe, so a parallel stream adding to it would race.
            StreamSupport.stream(localIdentity.getRoles().spliterator(), false).forEach((String role) -> {
                principals.add(new RealmGroup(role));
                principals.add(new RealmRole(role));
            });
            return principals;
        } else {
            return Collections.emptySet();
        }
    }
    return null;
}
Also used: SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity), RealmRole (org.jboss.as.core.security.RealmRole), RealmGroup (org.jboss.as.core.security.RealmGroup), Connection (org.jboss.remoting3.Connection), RealmUser (org.jboss.as.core.security.RealmUser), Principal (java.security.Principal), HashSet (java.util.HashSet)

Example 3 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

The class SimpleSecurityManager, method push.

/**
 * Must be called from within a privileged action.
 *
 * @param securityDomain the name of the security domain for which a security context is established
 */
public void push(final String securityDomain) {
    // TODO - Handle a null securityDomain here? Yes I think so.
    final SecurityContext previous = SecurityContextAssociation.getSecurityContext();
    contexts.push(previous);
    SecurityContext current = establishSecurityContext(securityDomain);
    if (propagate && previous != null) {
        current.setSubjectInfo(getSubjectInfo(previous));
        current.setIncomingRunAs(previous.getOutgoingRunAs());
    }
    RunAs currentRunAs = current.getIncomingRunAs();
    // instanceof is false for null, so no separate null check is needed.
    boolean trusted = currentRunAs instanceof RunAsIdentity;
    if (!trusted) {
        /*
         * We should only be switching to a context based on an identity from the Remoting connection if we don't already
         * have a trusted identity - this allows for beans to reauthenticate as a different identity.
         */
        if (SecurityActions.remotingContextIsSet()) {
            // In this case the principal and credential will not yet have been set, so populate them from the connection's local identity.
            SecurityContextUtil util = current.getUtil();
            Connection connection = SecurityActions.remotingContextGetConnection();
            Principal p = null;
            Object credential = null;
            SecurityIdentity localIdentity = connection.getLocalIdentity();
            if (localIdentity != null) {
                p = new SimplePrincipal(localIdentity.getPrincipal().getName());
                IdentityCredentials privateCredentials = localIdentity.getPrivateCredentials();
                PasswordCredential passwordCredential = privateCredentials.getCredential(PasswordCredential.class, ClearPassword.ALGORITHM_CLEAR);
                if (passwordCredential != null) {
                    credential = new String(passwordCredential.getPassword(ClearPassword.class).getPassword());
                } else {
                    credential = new RemotingConnectionCredential(connection);
                }
            } else {
                throw SecurityLogger.ROOT_LOGGER.noUserPrincipalFound();
            }
            SecurityActions.remotingContextClear();
            util.createSubjectInfo(p, credential, null);
        }
    }
}
Also used: ClearPassword (org.wildfly.security.password.interfaces.ClearPassword), SecurityContextUtil (org.jboss.security.SecurityContextUtil), RunAs (org.jboss.security.RunAs), RunAsIdentity (org.jboss.security.RunAsIdentity), Connection (org.jboss.remoting3.Connection), PasswordCredential (org.wildfly.security.credential.PasswordCredential), SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity), SecurityContext (org.jboss.security.SecurityContext), RemotingConnectionCredential (org.jboss.as.security.remoting.RemotingConnectionCredential), Principal (java.security.Principal), SimplePrincipal (org.jboss.security.SimplePrincipal), IdentityCredentials (org.wildfly.security.auth.server.IdentityCredentials)

Example 4 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

The class RemotingLoginModule, method login.

@SuppressWarnings("unchecked")
@Override
public boolean login() throws LoginException {
    if (super.login()) {
        log.debug("super.login()==true");
        return true;
    }
    Object credential = getCredential();
    if (credential instanceof RemotingConnectionCredential) {
        Connection con = ((RemotingConnectionCredential) credential).getConnection();
        Principal up = null;
        SecurityIdentity localIdentity = con.getLocalIdentity();
        if (localIdentity != null) {
            up = new RealmUser(localIdentity.getPrincipal().getName());
        }
        // If we found a principal from the connection then authentication succeeded.
        if (up != null) {
            identity = up;
            if (getUseFirstPass()) {
                String userName = identity.getName();
                log.debugf("Storing username '%s'", userName);
                // Add the username to the shared state map
                sharedState.put("javax.security.auth.login.name", identity);
                if (useNewClientCert) {
                    SSLSession session = con.getSslSession();
                    if (session != null) {
                        try {
                            credential = session.getPeerCertificates()[0];
                            log.debug("Using new certificate as credential.");
                        } catch (SSLPeerUnverifiedException e) {
                            log.debugf("No peer certificate available for '%s'", userName);
                        }
                    }
                } else if (useClientCert) {
                    SSLSession session = con.getSslSession();
                    if (session != null) {
                        try {
                            credential = session.getPeerCertificateChain()[0];
                            log.debug("Using certificate as credential.");
                        } catch (SSLPeerUnverifiedException e) {
                            log.debugf("No peer certificate available for '%s'", userName);
                        }
                    }
                }
                sharedState.put("javax.security.auth.login.password", credential);
            }
            loginOk = true;
            return true;
        }
    }
    // No Remoting connection credential was found; a username and password have been supplied to a web auth instead.
    return false;
}
Also used: SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity), SSLPeerUnverifiedException (javax.net.ssl.SSLPeerUnverifiedException), Connection (org.jboss.remoting3.Connection), RealmUser (org.jboss.as.core.security.RealmUser), SSLSession (javax.net.ssl.SSLSession), Principal (java.security.Principal)

Example 5 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

The class JobOperatorService, method checkPermission.

private void checkPermission(final String targetName) {
    if (permissionsCheckEnabled.get()) {
        final SecurityAwareBatchEnvironment environment = getBatchEnvironment();
        final SecurityIdentity identity = environment.getIdentity();
        if (identity != null) {
            final BatchPermission permission = BatchPermission.forName(targetName);
            if (!identity.implies(permission)) {
                throw BatchLogger.LOGGER.unauthorized(identity.getPrincipal().getName(), permission);
            }
        }
    }
}
Also used: SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)

Aggregations (type, number of usages)

SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity): 60
Test (org.junit.Test): 20
Properties (java.util.Properties): 16
SecurityDomain (org.wildfly.security.auth.server.SecurityDomain): 15
Principal (java.security.Principal): 10
JobSecurityException (javax.batch.operations.JobSecurityException): 10
PrivilegedActionException (java.security.PrivilegedActionException): 6
HashSet (java.util.HashSet): 6
EJBComponent (org.jboss.as.ejb3.component.EJBComponent): 6
Component (org.jboss.as.ee.component.Component): 5
InterceptorContext (org.jboss.invocation.InterceptorContext): 5
UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException): 4
IOException (java.io.IOException): 3
PrintWriter (java.io.PrintWriter): 3
Method (java.lang.reflect.Method): 3
PrivilegedAction (java.security.PrivilegedAction): 3
HashMap (java.util.HashMap): 3
Map (java.util.Map): 3
SessionBeanComponent (org.jboss.as.ejb3.component.session.SessionBeanComponent): 3
Connection (org.jboss.remoting3.Connection): 3