use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class BatchSubsystemSecurityTestCase method testStart_NotAllowed.
/**
* Try running a job as a user who doesn't have the permission to run jobs. It should not succeed.
*/
@Test
public void testStart_NotAllowed() throws Exception {
final SecurityIdentity user2 = getSecurityIdentity("user2", "password2");
try {
user2.runAs((Callable<Long>) () -> operator.start("assert-identity", new Properties()));
Assert.fail("user2 shouldn't be allowed to start batch jobs");
} catch (JobSecurityException e) {
// OK
}
}
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class ElytronSecurityDomainContextImpl method runAs.
public void runAs(Callable<Void> action) throws Exception {
final SecurityIdentity ci = currentIdentity.get();
if (ci != null) {
//there is no security constrains in servlet and directly with jaas
ci.runAs(action);
currentIdentity.set(null);
} else {
//undertow's ElytronRunAsHandler will propagate the SecurityIndentity to SecurityDomain and directly run this action
action.call();
}
}
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class JobOperatorService method checkPermission.
private void checkPermission(final String targetName) {
if (permissionsCheckEnabled.get()) {
final SecurityAwareBatchEnvironment environment = getBatchEnvironment();
final SecurityIdentity identity = environment.getIdentity();
if (identity != null) {
final BatchPermission permission = BatchPermission.forName(targetName);
if (!identity.implies(permission)) {
throw BatchLogger.LOGGER.unauthorized(identity.getPrincipal().getName(), permission);
}
}
}
}
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class ElytronCallbackHandler method handleInternal.
protected void handleInternal(final CallerPrincipalCallback callerPrincipalCallback, final GroupPrincipalCallback groupPrincipalCallback, final PasswordValidationCallback passwordValidationCallback) throws IOException {
if (this.executionSubject == null) {
throw SUBSYSTEM_RA_LOGGER.executionSubjectNotSetInHandler();
}
SecurityIdentity identity = this.securityDomain.getAnonymousSecurityIdentity();
// establish the caller principal using the info from the callback.
Principal callerPrincipal = null;
if (callerPrincipalCallback != null) {
Principal callbackPrincipal = callerPrincipalCallback.getPrincipal();
callerPrincipal = callbackPrincipal != null ? new NamePrincipal(callbackPrincipal.getName()) : callerPrincipalCallback.getName() != null ? new NamePrincipal(callerPrincipalCallback.getName()) : null;
}
// a null principal is the ra contract for requiring the use of the unauthenticated identity - no point in attempting to authenticate.
if (callerPrincipal != null) {
// check if we have a username/password pair to authenticate - first try the password validation callback.
if (passwordValidationCallback != null) {
final String username = passwordValidationCallback.getUsername();
final char[] password = passwordValidationCallback.getPassword();
try {
identity = this.authenticate(username, password);
// add a password credential to the execution subject and set the successful result in the callback.
this.addPrivateCredential(this.executionSubject, new PasswordCredential(username, password));
passwordValidationCallback.setResult(true);
} catch (SecurityException e) {
passwordValidationCallback.setResult(false);
return;
}
} else {
// identity not established using the callback - check if the execution subject contains a password credential.
PasswordCredential passwordCredential = this.getPrivateCredential(this.executionSubject, PasswordCredential.class);
if (passwordCredential != null) {
try {
identity = this.authenticate(passwordCredential.getUserName(), passwordCredential.getPassword());
} catch (SecurityException e) {
return;
}
} else {
identity = securityDomain.createAdHocIdentity(callerPrincipal);
}
}
// is different from the identity principal and switch to the caller principal identity if needed.
if (!callerPrincipal.equals(identity.getPrincipal())) {
identity = identity.createRunAsIdentity(callerPrincipal.getName());
}
// if we have new roles coming from the group callback, set a new mapper in the identity.
if (groupPrincipalCallback != null) {
String[] groups = groupPrincipalCallback.getGroups();
if (groups != null) {
Set<String> roles = new HashSet<>(Arrays.asList(groups));
// TODO what category should we use here?
identity = identity.withRoleMapper("ejb", RoleMapper.constant(Roles.fromSet(roles)));
}
}
}
// set the authenticated identity as a private credential in the subject.
this.executionSubject.getPrincipals().add(identity.getPrincipal());
this.addPrivateCredential(executionSubject, identity);
}
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class ElytronSecurityContext method runWork.
/**
* Runs the work contained in {@param runnable} as an authenticated Identity.
*
* @param work executes the work
*/
public void runWork(Runnable work) {
// if we have an authenticated subject we check if it contains a security identity and use the identity to run the work.
if (this.authenticatedSubject != null) {
Set<SecurityIdentity> authenticatedIdentities = this.getPrivateCredentials(SecurityIdentity.class);
if (!authenticatedIdentities.isEmpty()) {
SecurityIdentity identity = authenticatedIdentities.iterator().next();
identity.runAs(work);
return;
}
}
// no authenticated subject found or the subject didn't have a security identity - just run the work.
work.run();
}
Aggregations