use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class ElytronSecurityDomainContextImpl method runAs.
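/**
 * Runs {@code action} as the {@link SecurityIdentity} currently stashed for this thread, if any.
 *
 * <p>When {@code currentIdentity} holds an identity the action executes inside
 * {@code SecurityIdentity.runAs}, and the thread-local is cleared afterwards even if the action
 * throws, so a stale identity cannot remain attached to a pooled thread. When nothing is stashed
 * the action simply runs, on the understanding that Undertow's ElytronRunAsHandler has already
 * propagated the identity to the SecurityDomain.
 *
 * @param action the work to execute
 * @throws Exception whatever {@code action} (or {@code SecurityIdentity.runAs}) throws
 */
public void runAs(Callable<Void> action) throws Exception {
    final SecurityIdentity ci = currentIdentity.get();
    if (ci == null) {
        // Undertow's ElytronRunAsHandler will propagate the SecurityIdentity to the SecurityDomain,
        // so the action can run directly.
        action.call();
        return;
    }
    // No servlet security constraint applies here; the identity was established directly via JAAS.
    try {
        ci.runAs(action);
    } finally {
        // Clear unconditionally: clearing only after a successful run left the identity associated
        // with the thread whenever the action threw.
        currentIdentity.set(null);
    }
}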
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class ConnectionSecurityContext method getConnectionPrincipals.
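/**
 * Obtains a {@link Collection} containing the {@link Principal} instances for the user associated with
 * the current Remoting connection.
 *
 * <p>Note: this method should be called from within a {@link PrivilegedAction}.
 *
 * @return the principals of the user authenticated on the connection: a {@code RealmUser} carrying the
 *         identity's principal name plus a {@code RealmGroup} and a {@code RealmRole} for every role.
 *         An empty collection is returned if no user is associated with the connection, and
 *         {@code null} if no connection is associated with the current {@link Thread}.
 */
public static Collection<Principal> getConnectionPrincipals() {
    final Connection con = RemotingContext.getConnection();
    if (con == null) {
        return null;
    }
    final SecurityIdentity localIdentity = con.getLocalIdentity();
    if (localIdentity == null) {
        return Collections.emptySet();
    }
    final Collection<Principal> principals = new HashSet<>();
    principals.add(new RealmUser(localIdentity.getPrincipal().getName()));
    // Iterate sequentially: a parallel stream adding into this plain HashSet is not thread-safe and
    // could silently drop or corrupt entries.
    for (final String role : localIdentity.getRoles()) {
        principals.add(new RealmGroup(role));
        principals.add(new RealmRole(role));
    }
    return principals;
}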
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class SimpleSecurityManager method push.
/**
 * Pushes the currently associated {@code SecurityContext} onto this manager's stack and establishes a
 * fresh one for {@code securityDomain}.
 *
 * <p>Must be called from within a privileged action. When {@code propagate} is set the previous
 * context's subject info and outgoing run-as are carried over. If the new context has no trusted
 * {@code RunAsIdentity} and a Remoting context is set, the principal and credential are derived from
 * the connection's local {@link SecurityIdentity} and the Remoting context is cleared.
 *
 * @param securityDomain the security domain to establish a context for
 */
public void push(final String securityDomain) {
    // TODO - Handle a null securityDomain here? Yes I think so.
    final SecurityContext previous = SecurityContextAssociation.getSecurityContext();
    contexts.push(previous);
    final SecurityContext current = establishSecurityContext(securityDomain);
    if (propagate && previous != null) {
        current.setSubjectInfo(getSubjectInfo(previous));
        current.setIncomingRunAs(previous.getOutgoingRunAs());
    }
    // An incoming RunAsIdentity is already trusted: keep it rather than switching to the identity
    // from the Remoting connection, so beans can reauthenticate as a different identity.
    if (current.getIncomingRunAs() instanceof RunAsIdentity) {
        return;
    }
    if (!SecurityActions.remotingContextIsSet()) {
        return;
    }
    // The principal and credential have not been set yet, so derive them from the connection.
    final SecurityContextUtil util = current.getUtil();
    final Connection connection = SecurityActions.remotingContextGetConnection();
    final SecurityIdentity localIdentity = connection.getLocalIdentity();
    if (localIdentity == null) {
        throw SecurityLogger.ROOT_LOGGER.noUserPrincipalFound();
    }
    final Principal principal = new SimplePrincipal(localIdentity.getPrincipal().getName());
    final IdentityCredentials privateCredentials = localIdentity.getPrivateCredentials();
    final PasswordCredential passwordCredential =
            privateCredentials.getCredential(PasswordCredential.class, ClearPassword.ALGORITHM_CLEAR);
    // NOTE(review): the clear password is materialised as an immutable String here, so it cannot be
    // zeroed after use; createSubjectInfo's consumers presumably expect a String — confirm before changing.
    final Object credential = passwordCredential != null
            ? new String(passwordCredential.getPassword(ClearPassword.class).getPassword())
            : new RemotingConnectionCredential(connection);
    SecurityActions.remotingContextClear();
    util.createSubjectInfo(principal, credential, null);
}
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class RemotingLoginModule method login.
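/**
 * Attempts to authenticate using the Remoting connection the caller was authenticated on.
 *
 * <p>If the superclass already authenticated (username and password supplied to a web auth) this
 * returns {@code true} at once. Otherwise the credential must be a
 * {@link RemotingConnectionCredential}; the connection's local {@link SecurityIdentity} supplies the
 * principal. When {@code useFirstPass} is set, the principal and the credential are published to the
 * shared state; with {@code useNewClientCert} or {@code useClientCert} the peer certificate from the
 * connection's SSL session replaces the credential when one is available.
 *
 * @return {@code true} if a principal was established, {@code false} otherwise
 * @throws LoginException propagated from {@code super.login()}
 */
@SuppressWarnings("unchecked")
@Override
public boolean login() throws LoginException {
    if (super.login()) {
        log.debug("super.login()==true");
        return true;
    }
    final Object credential = getCredential();
    if (!(credential instanceof RemotingConnectionCredential)) {
        // username and password has been supplied to a web auth.
        return false;
    }
    final Connection con = ((RemotingConnectionCredential) credential).getConnection();
    final SecurityIdentity localIdentity = con.getLocalIdentity();
    if (localIdentity == null) {
        return false;
    }
    // A principal from the connection means authentication succeeded.
    identity = new RealmUser(localIdentity.getPrincipal().getName());
    if (getUseFirstPass()) {
        final String userName = identity.getName();
        log.debugf("Storing username '%s'", userName);
        // Add the username (as the Principal) to the shared state map
        sharedState.put("javax.security.auth.login.name", identity);
        sharedState.put("javax.security.auth.login.password", peerCertificateOr(con, userName, credential));
    }
    loginOk = true;
    return true;
}

/**
 * Returns the peer certificate of the connection's SSL session as the credential to share, or
 * {@code fallback} when no certificate-based credential is configured or available.
 *
 * <p>{@code useNewClientCert} takes precedence and uses {@code SSLSession.getPeerCertificates()};
 * {@code useClientCert} uses the deprecated {@code getPeerCertificateChain()}. Either way only the
 * first element is used, and an unverified peer leaves {@code fallback} in place.
 *
 * @param con the Remoting connection
 * @param userName the user name, for log messages only
 * @param fallback the credential to return when no certificate is used
 * @return the certificate credential or {@code fallback}
 */
@SuppressWarnings("deprecation")
private Object peerCertificateOr(final Connection con, final String userName, final Object fallback) {
    if (!useNewClientCert && !useClientCert) {
        return fallback;
    }
    final SSLSession session = con.getSslSession();
    if (session == null) {
        return fallback;
    }
    try {
        if (useNewClientCert) {
            final Object cert = session.getPeerCertificates()[0];
            log.debug("Using new certificate as credential.");
            return cert;
        }
        final Object cert = session.getPeerCertificateChain()[0];
        log.debug("Using certificate as credential.");
        return cert;
    } catch (SSLPeerUnverifiedException e) {
        log.debugf("No peer certificate available for '%s'", userName);
        return fallback;
    }
}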
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class JobOperatorService method checkPermission.
/**
 * Verifies that the current identity holds the batch permission named by {@code targetName}.
 *
 * <p>No check is performed while {@code permissionsCheckEnabled} is off. When it is on but the batch
 * environment reports no identity, the check is skipped as well — NOTE(review): an absent identity
 * is therefore treated as permitted; confirm this is intended for unauthenticated callers.
 *
 * <p>If the identity does not imply the permission, the unauthorized error produced by
 * {@code BatchLogger.LOGGER.unauthorized} is thrown, naming the principal and the permission.
 *
 * @param targetName the batch permission target name passed to {@code BatchPermission.forName}
 */
private void checkPermission(final String targetName) {
    if (!permissionsCheckEnabled.get()) {
        return;
    }
    final SecurityIdentity identity = getBatchEnvironment().getIdentity();
    if (identity == null) {
        return;
    }
    final BatchPermission permission = BatchPermission.forName(targetName);
    if (identity.implies(permission)) {
        return;
    }
    throw BatchLogger.LOGGER.unauthorized(identity.getPrincipal().getName(), permission);
}