Search in sources :

Example 11 with SecurityIdentity

use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

the class BatchSubsystemSecurityTestCase method testStart_NotAllowed.

/**
     * Try running a job as a user who doesn't have the permission to run jobs. It should not succeed.
     */
@Test
public void testStart_NotAllowed() throws Exception {
    final SecurityIdentity user2 = getSecurityIdentity("user2", "password2");
    try {
        user2.runAs((Callable<Long>) () -> operator.start("assert-identity", new Properties()));
        Assert.fail("user2 shouldn't be allowed to start batch jobs");
    } catch (JobSecurityException e) {
    // OK
    }
}
Also used : SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) JobSecurityException(javax.batch.operations.JobSecurityException) Properties(java.util.Properties) Test(org.junit.Test)

Example 12 with SecurityIdentity

use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

the class ElytronSecurityDomainContextImpl method runAs.

public void runAs(Callable<Void> action) throws Exception {
    final SecurityIdentity ci = currentIdentity.get();
    if (ci != null) {
        //there is no security constrains in servlet and directly with jaas
        ci.runAs(action);
        currentIdentity.set(null);
    } else {
        //undertow's ElytronRunAsHandler will propagate the SecurityIndentity to SecurityDomain and directly run this action
        action.call();
    }
}
Also used : SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity)

Example 13 with SecurityIdentity

use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

the class JobOperatorService method checkPermission.

private void checkPermission(final String targetName) {
    if (permissionsCheckEnabled.get()) {
        final SecurityAwareBatchEnvironment environment = getBatchEnvironment();
        final SecurityIdentity identity = environment.getIdentity();
        if (identity != null) {
            final BatchPermission permission = BatchPermission.forName(targetName);
            if (!identity.implies(permission)) {
                throw BatchLogger.LOGGER.unauthorized(identity.getPrincipal().getName(), permission);
            }
        }
    }
}
Also used : SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity)

Example 14 with SecurityIdentity

use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

the class ElytronCallbackHandler method handleInternal.

protected void handleInternal(final CallerPrincipalCallback callerPrincipalCallback, final GroupPrincipalCallback groupPrincipalCallback, final PasswordValidationCallback passwordValidationCallback) throws IOException {
    if (this.executionSubject == null) {
        throw SUBSYSTEM_RA_LOGGER.executionSubjectNotSetInHandler();
    }
    SecurityIdentity identity = this.securityDomain.getAnonymousSecurityIdentity();
    // establish the caller principal using the info from the callback.
    Principal callerPrincipal = null;
    if (callerPrincipalCallback != null) {
        Principal callbackPrincipal = callerPrincipalCallback.getPrincipal();
        callerPrincipal = callbackPrincipal != null ? new NamePrincipal(callbackPrincipal.getName()) : callerPrincipalCallback.getName() != null ? new NamePrincipal(callerPrincipalCallback.getName()) : null;
    }
    // a null principal is the ra contract for requiring the use of the unauthenticated identity - no point in attempting to authenticate.
    if (callerPrincipal != null) {
        // check if we have a username/password pair to authenticate - first try the password validation callback.
        if (passwordValidationCallback != null) {
            final String username = passwordValidationCallback.getUsername();
            final char[] password = passwordValidationCallback.getPassword();
            try {
                identity = this.authenticate(username, password);
                // add a password credential to the execution subject and set the successful result in the callback.
                this.addPrivateCredential(this.executionSubject, new PasswordCredential(username, password));
                passwordValidationCallback.setResult(true);
            } catch (SecurityException e) {
                passwordValidationCallback.setResult(false);
                return;
            }
        } else {
            // identity not established using the callback - check if the execution subject contains a password credential.
            PasswordCredential passwordCredential = this.getPrivateCredential(this.executionSubject, PasswordCredential.class);
            if (passwordCredential != null) {
                try {
                    identity = this.authenticate(passwordCredential.getUserName(), passwordCredential.getPassword());
                } catch (SecurityException e) {
                    return;
                }
            } else {
                identity = securityDomain.createAdHocIdentity(callerPrincipal);
            }
        }
        // is different from the identity principal and switch to the caller principal identity if needed.
        if (!callerPrincipal.equals(identity.getPrincipal())) {
            identity = identity.createRunAsIdentity(callerPrincipal.getName());
        }
        // if we have new roles coming from the group callback, set a new mapper in the identity.
        if (groupPrincipalCallback != null) {
            String[] groups = groupPrincipalCallback.getGroups();
            if (groups != null) {
                Set<String> roles = new HashSet<>(Arrays.asList(groups));
                // TODO what category should we use here?
                identity = identity.withRoleMapper("ejb", RoleMapper.constant(Roles.fromSet(roles)));
            }
        }
    }
    // set the authenticated identity as a private credential in the subject.
    this.executionSubject.getPrincipals().add(identity.getPrincipal());
    this.addPrivateCredential(executionSubject, identity);
}
Also used : SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) NamePrincipal(org.wildfly.security.auth.principal.NamePrincipal) PasswordCredential(javax.resource.spi.security.PasswordCredential) NamePrincipal(org.wildfly.security.auth.principal.NamePrincipal) Principal(java.security.Principal) HashSet(java.util.HashSet)

Example 15 with SecurityIdentity

use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

the class ElytronSecurityContext method runWork.

/**
     * Runs the work contained in {@param runnable} as an authenticated Identity.
     *
     * @param work executes the work
     */
public void runWork(Runnable work) {
    // if we have an authenticated subject we check if it contains a security identity and use the identity to run the work.
    if (this.authenticatedSubject != null) {
        Set<SecurityIdentity> authenticatedIdentities = this.getPrivateCredentials(SecurityIdentity.class);
        if (!authenticatedIdentities.isEmpty()) {
            SecurityIdentity identity = authenticatedIdentities.iterator().next();
            identity.runAs(work);
            return;
        }
    }
    // no authenticated subject found or the subject didn't have a security identity - just run the work.
    work.run();
}
Also used : SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity)

Aggregations

SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)37 Test (org.junit.Test)10 Properties (java.util.Properties)8 SecurityDomain (org.wildfly.security.auth.server.SecurityDomain)8 Principal (java.security.Principal)7 PrivilegedActionException (java.security.PrivilegedActionException)5 JobSecurityException (javax.batch.operations.JobSecurityException)5 Component (org.jboss.as.ee.component.Component)4 EJBComponent (org.jboss.as.ejb3.component.EJBComponent)4 Connection (org.jboss.remoting3.Connection)4 HashSet (java.util.HashSet)3 RealmUser (org.jboss.as.core.security.RealmUser)3 InterceptorContext (org.jboss.invocation.InterceptorContext)3 SecurityContext (org.jboss.security.SecurityContext)3 PrivilegedAction (java.security.PrivilegedAction)2 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)2 ManagedTask (javax.enterprise.concurrent.ManagedTask)2 Subject (javax.security.auth.Subject)2 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)2 SessionBeanComponent (org.jboss.as.ejb3.component.session.SessionBeanComponent)2