Search in sources :

Example 21 with SecurityIdentity

use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

the class SecurityIdentityUtils method doIdentityWrap.

static <T> Callable<T> doIdentityWrap(final Callable<T> callable) {
    if (callable == null) {
        return null;
    }
    final SecurityIdentity securityIdentity = getSecurityIdentity();
    if (securityIdentity == null) {
        return callable;
    }
    Callable<T> securedCallable = () -> securityIdentity.runAs(callable);
    return callable instanceof ManagedTask ? new SecuredManagedCallable<T>(securedCallable, (ManagedTask) callable) : securedCallable;
}
Also used : SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) ManagedTask(javax.enterprise.concurrent.ManagedTask)

Example 22 with SecurityIdentity

use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

the class AsyncFutureInterceptorFactory method create.

@Override
public Interceptor create(final InterceptorFactoryContext context) {
    final SessionBeanComponent component = (SessionBeanComponent) context.getContextData().get(Component.class);
    if (component.isSecurityDomainKnown()) {
        return new Interceptor() {

            @Override
            public Object processInvocation(final InterceptorContext context) throws Exception {
                if (!context.isBlockingCaller()) {
                    return context.proceed();
                }
                final InterceptorContext asyncInterceptorContext = context.clone();
                asyncInterceptorContext.putPrivateData(InvocationType.class, InvocationType.ASYNC);
                final CancellationFlag flag = new CancellationFlag();
                final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
                final StartupCountdown.Frame frame = StartupCountdown.current();
                final SecurityIdentity currentIdentity = securityDomain == null ? null : securityDomain.getCurrentSecurityIdentity();
                final Connection remoteConnection = getConnection();
                Callable<Object> invocationTask = () -> {
                    setConnection(remoteConnection);
                    StartupCountdown.restore(frame);
                    try {
                        return asyncInterceptorContext.proceed();
                    } finally {
                        StartupCountdown.restore(null);
                        clearConnection();
                    }
                };
                final AsyncInvocationTask task = new AsyncInvocationTask(flag) {

                    @Override
                    protected Object runInvocation() throws Exception {
                        if (currentIdentity != null) {
                            return currentIdentity.runAs(invocationTask);
                        } else {
                            return invocationTask.call();
                        }
                    }
                };
                asyncInterceptorContext.putPrivateData(CancellationFlag.class, flag);
                asyncInterceptorContext.setBlockingCaller(false);
                return execute(component, task);
            }
        };
    } else {
        return new Interceptor() {

            @Override
            public Object processInvocation(final InterceptorContext context) throws Exception {
                if (!context.isBlockingCaller()) {
                    return context.proceed();
                }
                final InterceptorContext asyncInterceptorContext = context.clone();
                asyncInterceptorContext.putPrivateData(InvocationType.class, InvocationType.ASYNC);
                final CancellationFlag flag = new CancellationFlag();
                final SecurityContext securityContext;
                if (WildFlySecurityManager.isChecking()) {
                    securityContext = AccessController.doPrivileged(new PrivilegedAction<SecurityContext>() {

                        @Override
                        public SecurityContext run() {
                            return SecurityContextAssociation.getSecurityContext();
                        }
                    });
                } else {
                    securityContext = SecurityContextAssociation.getSecurityContext();
                }
                // clone the original security context so that changes to the original security context in a separate (caller/unrelated) thread doesn't affect
                // the security context associated with the async invocation thread
                final SecurityContext clonedSecurityContext;
                if (securityContext instanceof JBossSecurityContext) {
                    clonedSecurityContext = (SecurityContext) ((JBossSecurityContext) securityContext).clone();
                } else {
                    // we can't do anything if it isn't a JBossSecurityContext so just use the original one
                    clonedSecurityContext = securityContext;
                }
                final Connection remoteConnection = getConnection();
                final StartupCountdown.Frame frame = StartupCountdown.current();
                final AsyncInvocationTask task = new AsyncInvocationTask(flag) {

                    @Override
                    protected Object runInvocation() throws Exception {
                        setSecurityContextOnAssociation(clonedSecurityContext);
                        setConnection(remoteConnection);
                        StartupCountdown.restore(frame);
                        try {
                            return asyncInterceptorContext.proceed();
                        } finally {
                            StartupCountdown.restore(null);
                            try {
                                clearSecurityContextOnAssociation();
                            } finally {
                                clearConnection();
                            }
                        }
                    }
                };
                asyncInterceptorContext.putPrivateData(CancellationFlag.class, flag);
                asyncInterceptorContext.setBlockingCaller(false);
                return execute(component, task);
            }
        };
    }
}
Also used : Connection(org.jboss.remoting3.Connection) SecurityDomain(org.wildfly.security.auth.server.SecurityDomain) SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) PrivilegedAction(java.security.PrivilegedAction) SessionBeanComponent(org.jboss.as.ejb3.component.session.SessionBeanComponent) InterceptorContext(org.jboss.invocation.InterceptorContext) SecurityContext(org.jboss.security.SecurityContext) JBossSecurityContext(org.jboss.security.plugins.JBossSecurityContext) JBossSecurityContext(org.jboss.security.plugins.JBossSecurityContext) SessionBeanComponent(org.jboss.as.ejb3.component.session.SessionBeanComponent) Component(org.jboss.as.ee.component.Component) Interceptor(org.jboss.invocation.Interceptor) StartupCountdown(org.jboss.as.ee.component.deployers.StartupCountdown)

Example 23 with SecurityIdentity

use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

the class SecurityIdentityUtils method doIdentityWrap.

static Runnable doIdentityWrap(final Runnable runnable) {
    if (runnable == null) {
        return null;
    }
    final SecurityIdentity securityIdentity = getSecurityIdentity();
    if (securityIdentity == null) {
        return runnable;
    }
    Runnable securedRunnable = () -> securityIdentity.runAs(runnable);
    return runnable instanceof ManagedTask ? new SecuredManagedRunnable(securedRunnable, (ManagedTask) runnable) : securedRunnable;
}
Also used : SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) ManagedTask(javax.enterprise.concurrent.ManagedTask)

Example 24 with SecurityIdentity

use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

the class ElytronSecurityContext method getRoles.

@Override
public String[] getRoles() {
    if (this.authenticatedSubject != null) {
        // check if the authenticated subject contains a SecurityIdentity in its private credentials.
        Set<SecurityIdentity> authenticatedIdentities = this.getPrivateCredentials(SecurityIdentity.class);
        // iterate through the identities adding all the roles found.
        final Set<String> rolesSet = new HashSet<>();
        for (SecurityIdentity identity : authenticatedIdentities) {
            for (String role : identity.getRoles()) {
                rolesSet.add(role);
            }
        }
        return rolesSet.toArray(new String[rolesSet.size()]);
    }
    return new String[0];
}
Also used : SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) HashSet(java.util.HashSet)

Example 25 with SecurityIdentity

use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

the class ServerSecurityInterceptor method aroundInvoke.

@AroundInvoke
public Object aroundInvoke(final InvocationContext invocationContext) throws Exception {
    Principal desiredUser = null;
    RealmUser connectionUser = null;
    Map<String, Object> contextData = invocationContext.getContextData();
    if (contextData.containsKey(DELEGATED_USER_KEY)) {
        desiredUser = new SimplePrincipal((String) contextData.get(DELEGATED_USER_KEY));
        Connection con = RemotingContext.getConnection();
        if (con != null) {
            SecurityIdentity localIdentity = con.getLocalIdentity();
            if (localIdentity != null) {
                connectionUser = new RealmUser(localIdentity.getPrincipal().getName());
            }
        } else {
            throw new IllegalStateException("Delegation user requested but no user on connection found.");
        }
    }
    SecurityContext cachedSecurityContext = null;
    boolean contextSet = false;
    try {
        if (desiredUser != null && connectionUser != null && (desiredUser.getName().equals(connectionUser.getName()) == false)) {
            try {
                // The final part of this check is to verify that the change does actually indicate a change in user.
                // We have been requested to switch user and have successfully identified the user from the connection
                // so now we attempt the switch.
                cachedSecurityContext = SecurityContextAssociation.getSecurityContext();
                final SecurityContext nextContext = SecurityContextFactory.createSecurityContext(desiredUser, new CurrentUserCredential(connectionUser.getName()), new Subject(), "fooSecurityDomain");
                SecurityContextAssociation.setSecurityContext(nextContext);
                // keep track that we switched the security context
                contextSet = true;
                RemotingContext.clear();
            } catch (Exception e) {
                LOGGER.error("Failed to switch security context for user", e);
                // Don't propagate the exception stacktrace back to the client for security reasons
                throw new EJBAccessException("Unable to attempt switching of user.");
            }
        }
        return invocationContext.proceed();
    } finally {
        // switch back to original security context
        if (contextSet) {
            SecurityContextAssociation.setSecurityContext(cachedSecurityContext);
        }
    }
}
Also used : IllegalStateException(javax.resource.spi.IllegalStateException) RealmUser(org.jboss.as.core.security.RealmUser) Connection(org.jboss.remoting3.Connection) Subject(javax.security.auth.Subject) EJBAccessException(javax.ejb.EJBAccessException) IllegalStateException(javax.resource.spi.IllegalStateException) EJBAccessException(javax.ejb.EJBAccessException) SecurityIdentity(org.wildfly.security.auth.server.SecurityIdentity) SecurityContext(org.jboss.security.SecurityContext) Principal(java.security.Principal) SimplePrincipal(org.jboss.security.SimplePrincipal) SimplePrincipal(org.jboss.security.SimplePrincipal) AroundInvoke(javax.interceptor.AroundInvoke)

Aggregations

SecurityIdentity (org.wildfly.security.auth.server.SecurityIdentity)37 Test (org.junit.Test)10 Properties (java.util.Properties)8 SecurityDomain (org.wildfly.security.auth.server.SecurityDomain)8 Principal (java.security.Principal)7 PrivilegedActionException (java.security.PrivilegedActionException)5 JobSecurityException (javax.batch.operations.JobSecurityException)5 Component (org.jboss.as.ee.component.Component)4 EJBComponent (org.jboss.as.ejb3.component.EJBComponent)4 Connection (org.jboss.remoting3.Connection)4 HashSet (java.util.HashSet)3 RealmUser (org.jboss.as.core.security.RealmUser)3 InterceptorContext (org.jboss.invocation.InterceptorContext)3 SecurityContext (org.jboss.security.SecurityContext)3 PrivilegedAction (java.security.PrivilegedAction)2 PrivilegedExceptionAction (java.security.PrivilegedExceptionAction)2 ManagedTask (javax.enterprise.concurrent.ManagedTask)2 Subject (javax.security.auth.Subject)2 UnsupportedCallbackException (javax.security.auth.callback.UnsupportedCallbackException)2 SessionBeanComponent (org.jboss.as.ejb3.component.session.SessionBeanComponent)2