use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class SecurityIdentityUtils method doIdentityWrap.
static <T> Callable<T> doIdentityWrap(final Callable<T> callable) {
if (callable == null) {
return null;
}
final SecurityIdentity securityIdentity = getSecurityIdentity();
if (securityIdentity == null) {
return callable;
}
Callable<T> securedCallable = () -> securityIdentity.runAs(callable);
return callable instanceof ManagedTask ? new SecuredManagedCallable<T>(securedCallable, (ManagedTask) callable) : securedCallable;
}
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class AsyncFutureInterceptorFactory method create.
@Override
public Interceptor create(final InterceptorFactoryContext context) {
final SessionBeanComponent component = (SessionBeanComponent) context.getContextData().get(Component.class);
if (component.isSecurityDomainKnown()) {
return new Interceptor() {
@Override
public Object processInvocation(final InterceptorContext context) throws Exception {
if (!context.isBlockingCaller()) {
return context.proceed();
}
final InterceptorContext asyncInterceptorContext = context.clone();
asyncInterceptorContext.putPrivateData(InvocationType.class, InvocationType.ASYNC);
final CancellationFlag flag = new CancellationFlag();
final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
final StartupCountdown.Frame frame = StartupCountdown.current();
final SecurityIdentity currentIdentity = securityDomain == null ? null : securityDomain.getCurrentSecurityIdentity();
final Connection remoteConnection = getConnection();
Callable<Object> invocationTask = () -> {
setConnection(remoteConnection);
StartupCountdown.restore(frame);
try {
return asyncInterceptorContext.proceed();
} finally {
StartupCountdown.restore(null);
clearConnection();
}
};
final AsyncInvocationTask task = new AsyncInvocationTask(flag) {
@Override
protected Object runInvocation() throws Exception {
if (currentIdentity != null) {
return currentIdentity.runAs(invocationTask);
} else {
return invocationTask.call();
}
}
};
asyncInterceptorContext.putPrivateData(CancellationFlag.class, flag);
asyncInterceptorContext.setBlockingCaller(false);
return execute(component, task);
}
};
} else {
return new Interceptor() {
@Override
public Object processInvocation(final InterceptorContext context) throws Exception {
if (!context.isBlockingCaller()) {
return context.proceed();
}
final InterceptorContext asyncInterceptorContext = context.clone();
asyncInterceptorContext.putPrivateData(InvocationType.class, InvocationType.ASYNC);
final CancellationFlag flag = new CancellationFlag();
final SecurityContext securityContext;
if (WildFlySecurityManager.isChecking()) {
securityContext = AccessController.doPrivileged(new PrivilegedAction<SecurityContext>() {
@Override
public SecurityContext run() {
return SecurityContextAssociation.getSecurityContext();
}
});
} else {
securityContext = SecurityContextAssociation.getSecurityContext();
}
// clone the original security context so that changes to the original security context in a separate (caller/unrelated) thread doesn't affect
// the security context associated with the async invocation thread
final SecurityContext clonedSecurityContext;
if (securityContext instanceof JBossSecurityContext) {
clonedSecurityContext = (SecurityContext) ((JBossSecurityContext) securityContext).clone();
} else {
// we can't do anything if it isn't a JBossSecurityContext so just use the original one
clonedSecurityContext = securityContext;
}
final Connection remoteConnection = getConnection();
final StartupCountdown.Frame frame = StartupCountdown.current();
final AsyncInvocationTask task = new AsyncInvocationTask(flag) {
@Override
protected Object runInvocation() throws Exception {
setSecurityContextOnAssociation(clonedSecurityContext);
setConnection(remoteConnection);
StartupCountdown.restore(frame);
try {
return asyncInterceptorContext.proceed();
} finally {
StartupCountdown.restore(null);
try {
clearSecurityContextOnAssociation();
} finally {
clearConnection();
}
}
}
};
asyncInterceptorContext.putPrivateData(CancellationFlag.class, flag);
asyncInterceptorContext.setBlockingCaller(false);
return execute(component, task);
}
};
}
}
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class SecurityIdentityUtils method doIdentityWrap.
static Runnable doIdentityWrap(final Runnable runnable) {
if (runnable == null) {
return null;
}
final SecurityIdentity securityIdentity = getSecurityIdentity();
if (securityIdentity == null) {
return runnable;
}
Runnable securedRunnable = () -> securityIdentity.runAs(runnable);
return runnable instanceof ManagedTask ? new SecuredManagedRunnable(securedRunnable, (ManagedTask) runnable) : securedRunnable;
}
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class ElytronSecurityContext method getRoles.
@Override
public String[] getRoles() {
if (this.authenticatedSubject != null) {
// check if the authenticated subject contains a SecurityIdentity in its private credentials.
Set<SecurityIdentity> authenticatedIdentities = this.getPrivateCredentials(SecurityIdentity.class);
// iterate through the identities adding all the roles found.
final Set<String> rolesSet = new HashSet<>();
for (SecurityIdentity identity : authenticatedIdentities) {
for (String role : identity.getRoles()) {
rolesSet.add(role);
}
}
return rolesSet.toArray(new String[rolesSet.size()]);
}
return new String[0];
}
use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.
the class ServerSecurityInterceptor method aroundInvoke.
@AroundInvoke
public Object aroundInvoke(final InvocationContext invocationContext) throws Exception {
Principal desiredUser = null;
RealmUser connectionUser = null;
Map<String, Object> contextData = invocationContext.getContextData();
if (contextData.containsKey(DELEGATED_USER_KEY)) {
desiredUser = new SimplePrincipal((String) contextData.get(DELEGATED_USER_KEY));
Connection con = RemotingContext.getConnection();
if (con != null) {
SecurityIdentity localIdentity = con.getLocalIdentity();
if (localIdentity != null) {
connectionUser = new RealmUser(localIdentity.getPrincipal().getName());
}
} else {
throw new IllegalStateException("Delegation user requested but no user on connection found.");
}
}
SecurityContext cachedSecurityContext = null;
boolean contextSet = false;
try {
if (desiredUser != null && connectionUser != null && (desiredUser.getName().equals(connectionUser.getName()) == false)) {
try {
// The final part of this check is to verify that the change does actually indicate a change in user.
// We have been requested to switch user and have successfully identified the user from the connection
// so now we attempt the switch.
cachedSecurityContext = SecurityContextAssociation.getSecurityContext();
final SecurityContext nextContext = SecurityContextFactory.createSecurityContext(desiredUser, new CurrentUserCredential(connectionUser.getName()), new Subject(), "fooSecurityDomain");
SecurityContextAssociation.setSecurityContext(nextContext);
// keep track that we switched the security context
contextSet = true;
RemotingContext.clear();
} catch (Exception e) {
LOGGER.error("Failed to switch security context for user", e);
// Don't propagate the exception stacktrace back to the client for security reasons
throw new EJBAccessException("Unable to attempt switching of user.");
}
}
return invocationContext.proceed();
} finally {
// switch back to original security context
if (contextSet) {
SecurityContextAssociation.setSecurityContext(cachedSecurityContext);
}
}
}
Aggregations