Example 51 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

Class JaccInterceptor, method processInvocation.

@Override
public Object processInvocation(InterceptorContext context) throws Exception {
    Component component = context.getPrivateData(Component.class);
    final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
    Assert.checkNotNullParam("securityDomain", securityDomain);
    // the caller's Elytron identity as established by the security domain for this invocation
    final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
    if (!(component instanceof EJBComponent)) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    Method invokedMethod = context.getMethod();
    ComponentView componentView = context.getPrivateData(ComponentView.class);
    String viewClassOfInvokedMethod = componentView.getViewClass().getName();
    // shouldn't really happen if the interceptor was set up correctly, but be safe and check that
    // this interceptor instance is bound to the view and method actually being invoked
    if (!viewClassName.equals(viewClassOfInvokedMethod) || !viewMethod.equals(invokedMethod)) {
        throw EjbLogger.ROOT_LOGGER.failProcessInvocation(getClass().getName(), invokedMethod, viewClassOfInvokedMethod, viewMethod, viewClassName);
    }
    EJBComponent ejbComponent = (EJBComponent) component;
    // hasPermission performs the JACC check for the invoked method and throws when the identity
    // is not authorized; when a security manager is active it runs inside a privileged block
    if (WildFlySecurityManager.isChecking()) {
        try {
            AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
                hasPermission(ejbComponent, componentView, invokedMethod, currentIdentity);
                return null;
            });
        } catch (PrivilegedActionException e) {
            // unwrap the checked exception thrown inside the privileged action
            throw e.getException();
        }
    } else {
        hasPermission(ejbComponent, componentView, invokedMethod, currentIdentity);
    }
    // successful authorization, let the invocation proceed
    return context.proceed();
}
Also used: SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity), ComponentView (org.jboss.as.ee.component.ComponentView), PrivilegedActionException (java.security.PrivilegedActionException), Method (java.lang.reflect.Method), EJBComponent (org.jboss.as.ejb3.component.EJBComponent), Component (org.jboss.as.ee.component.Component), SecurityDomain (org.wildfly.security.auth.server.SecurityDomain)

Example 52 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

Class RunAsPrincipalInterceptor, method processInvocation.

public Object processInvocation(final InterceptorContext context) throws Exception {
    final Component component = context.getPrivateData(Component.class);
    if (!(component instanceof EJBComponent)) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    final EJBComponent ejbComponent = (EJBComponent) component;
    // Set the incomingRunAsIdentity before switching users
    final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
    Assert.checkNotNullParam("securityDomain", securityDomain);
    final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
    final SecurityIdentity oldIncomingRunAsIdentity = ejbComponent.getIncomingRunAsIdentity();
    SecurityIdentity newIdentity;
    try {
        // run as a user with the given name or if the caller has sufficient permission
        if (runAsPrincipal.equals(ANONYMOUS_PRINCIPAL)) {
            try {
                newIdentity = currentIdentity.createRunAsAnonymous();
            } catch (AuthorizationFailureException ex) {
                // the caller is not authorized to switch identity; the configured @RunAs still
                // applies, so retry with the authorization check disabled
                newIdentity = currentIdentity.createRunAsAnonymous(false);
            }
        } else {
            if (!runAsPrincipalExists(securityDomain, runAsPrincipal)) {
                // a principal unknown to the domain's realms gets an ad hoc identity
                newIdentity = securityDomain.createAdHocIdentity(runAsPrincipal);
            } else {
                try {
                    newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal);
                } catch (AuthorizationFailureException ex) {
                    // same fallback as above: switch without the authorization check
                    newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal, false);
                }
            }
        }
        // remember who the original caller was while the run-as identity is active
        ejbComponent.setIncomingRunAsIdentity(currentIdentity);
        return newIdentity.runAs(context);
    } catch (PrivilegedActionException e) {
        // unwrap the exception raised by the invocation chain inside runAs
        Throwable cause = e.getCause();
        if (cause != null) {
            if (cause instanceof Exception) {
                throw (Exception) cause;
            } else {
                throw new RuntimeException(e);
            }
        } else {
            throw e;
        }
    } finally {
        // restore the previously recorded incoming run-as identity
        ejbComponent.setIncomingRunAsIdentity(oldIncomingRunAsIdentity);
    }
}
Also used: SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity), AuthorizationFailureException (org.wildfly.security.authz.AuthorizationFailureException), PrivilegedActionException (java.security.PrivilegedActionException), EJBComponent (org.jboss.as.ejb3.component.EJBComponent), Component (org.jboss.as.ee.component.Component), RealmUnavailableException (org.wildfly.security.auth.server.RealmUnavailableException), SecurityDomain (org.wildfly.security.auth.server.SecurityDomain)

Example 53 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

Class IdentityOutflowInterceptorFactory, method create.

@Override
protected Interceptor create(final Component component, final InterceptorFactoryContext context) {
    if (!(component instanceof EJBComponent)) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    final EJBComponent ejbComponent = (EJBComponent) component;
    final Function<SecurityIdentity, Set<SecurityIdentity>> identityOutflowFunction = ejbComponent.getIdentityOutflowFunction();
    return new IdentityOutflowInterceptor(identityOutflowFunction, category, roleMapper);
}
Also used: SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity), Set (java.util.Set), EJBComponent (org.jboss.as.ejb3.component.EJBComponent)

Example 54 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

Class SecurityRolesAddingInterceptor, method processInvocation.

public Object processInvocation(final InterceptorContext context) throws Exception {
    final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
    Assert.checkNotNullParam("securityDomain", securityDomain);
    final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
    // roles configured for the calling principal by name
    final Set<String> securityRoles = principalVsRolesMap.get(currentIdentity.getPrincipal().getName());
    if (securityRoles != null && !securityRoles.isEmpty()) {
        final RoleMapper roleMapper = RoleMapper.constant(Roles.fromSet(securityRoles));
        // union of the configured roles and the roles the identity already holds in this category
        final RoleMapper mergeMapper = roleMapper.or((roles) -> currentIdentity.getRoles(category));
        final SecurityIdentity newIdentity;
        if (WildFlySecurityManager.isChecking()) {
            newIdentity = AccessController.doPrivileged((PrivilegedAction<SecurityIdentity>) () -> currentIdentity.withRoleMapper(category, mergeMapper));
        } else {
            newIdentity = currentIdentity.withRoleMapper(category, mergeMapper);
        }
        try {
            // continue the invocation chain as the identity carrying the merged roles
            return newIdentity.runAs(context);
        } catch (PrivilegedActionException e) {
            // unwrap the exception raised by the invocation chain inside runAs
            Throwable cause = e.getCause();
            if (cause != null) {
                if (cause instanceof Exception) {
                    throw (Exception) cause;
                } else {
                    throw new RuntimeException(e);
                }
            } else {
                throw e;
            }
        }
    } else {
        // nothing configured for this principal; proceed with the identity unchanged
        return context.proceed();
    }
}
Also used: SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity), RoleMapper (org.wildfly.security.authz.RoleMapper), PrivilegedAction (java.security.PrivilegedAction), PrivilegedActionException (java.security.PrivilegedActionException), SecurityDomain (org.wildfly.security.auth.server.SecurityDomain)

Example 55 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

Class ElytronSecurityContext, method getRoles.

@Override
public String[] getRoles() {
    if (this.authenticatedSubject != null) {
        // check if the authenticated subject contains a SecurityIdentity in its private credentials.
        Set<SecurityIdentity> authenticatedIdentities = this.getPrivateCredentials(SecurityIdentity.class);
        // iterate through the identities adding all the roles found.
        final Set<String> rolesSet = new HashSet<>();
        for (SecurityIdentity identity : authenticatedIdentities) {
            for (String role : identity.getRoles(ElytronSecurityIntegration.SECURITY_IDENTITY_ROLE)) {
                rolesSet.add(role);
            }
        }
        return rolesSet.toArray(new String[rolesSet.size()]);
    }
    return new String[0];
}
Also used: SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity), HashSet (java.util.HashSet)