Example 31 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

The class IdentityOutflowInterceptorFactory, method create.

@Override
protected Interceptor create(final Component component, final InterceptorFactoryContext context) {
    if (!(component instanceof EJBComponent)) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    final EJBComponent ejbComponent = (EJBComponent) component;
    final Function<SecurityIdentity, Set<SecurityIdentity>> identityOutflowFunction = ejbComponent.getIdentityOutflowFunction();
    return new IdentityOutflowInterceptor(identityOutflowFunction, category, roleMapper);
}

Example 32 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

The class JaccInterceptor, method processInvocation.

@Override
public Object processInvocation(InterceptorContext context) throws Exception {
    Component component = context.getPrivateData(Component.class);
    final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
    Assert.checkNotNullParam("securityDomain", securityDomain);
    final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
    if (component instanceof EJBComponent == false) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    Method invokedMethod = context.getMethod();
    ComponentView componentView = context.getPrivateData(ComponentView.class);
    String viewClassOfInvokedMethod = componentView.getViewClass().getName();
    // shouldn't really happen if the interceptor was set up correctly, but be safe and check
    // that the invoked view and method are the ones this interceptor was created for
    if (!viewClassName.equals(viewClassOfInvokedMethod) || !viewMethod.equals(invokedMethod)) {
        throw EjbLogger.ROOT_LOGGER.failProcessInvocation(getClass().getName(), invokedMethod, viewClassOfInvokedMethod, viewMethod, viewClassName);
    }
    EJBComponent ejbComponent = (EJBComponent) component;
    if (WildFlySecurityManager.isChecking()) {
        try {
            AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
                hasPermission(ejbComponent, componentView, invokedMethod, currentIdentity);
                return null;
            });
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    } else {
        hasPermission(ejbComponent, componentView, invokedMethod, currentIdentity);
    }
    // successful authorization, let the invocation proceed
    return context.proceed();
}

Example 33 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

The class RunAsPrincipalInterceptor, method processInvocation.

public Object processInvocation(final InterceptorContext context) throws Exception {
    final Component component = context.getPrivateData(Component.class);
    if (component instanceof EJBComponent == false) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    final EJBComponent ejbComponent = (EJBComponent) component;
    // Set the incomingRunAsIdentity before switching users
    final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
    Assert.checkNotNullParam("securityDomain", securityDomain);
    final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
    final SecurityIdentity oldIncomingRunAsIdentity = ejbComponent.getIncomingRunAsIdentity();
    SecurityIdentity newIdentity;
    try {
        // run as the configured principal; the first attempt requires the caller to hold the run-as
        // permission, and on AuthorizationFailureException the identity is created without that check
        if (runAsPrincipal.equals(ANONYMOUS_PRINCIPAL)) {
            try {
                newIdentity = currentIdentity.createRunAsAnonymous();
            } catch (AuthorizationFailureException ex) {
                newIdentity = currentIdentity.createRunAsAnonymous(false);
            }
        } else {
            try {
                newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal);
            } catch (AuthorizationFailureException ex) {
                newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal, false);
            }
        }
        ejbComponent.setIncomingRunAsIdentity(currentIdentity);
        return newIdentity.runAs(context);
    } catch (PrivilegedActionException e) {
        Throwable cause = e.getCause();
        if (cause != null) {
            if (cause instanceof Exception) {
                throw (Exception) cause;
            } else {
                throw new RuntimeException(e);
            }
        } else {
            throw e;
        }
    } finally {
        ejbComponent.setIncomingRunAsIdentity(oldIncomingRunAsIdentity);
    }
}

Example 34 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

The class SecurityRolesAddingInterceptor, method processInvocation.

public Object processInvocation(final InterceptorContext context) throws Exception {
    final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
    Assert.checkNotNullParam("securityDomain", securityDomain);
    final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
    // roles statically assigned to this principal by the deployment descriptor
    final Set<String> securityRoles = principalVsRolesMap.get(currentIdentity.getPrincipal().getName());
    if (securityRoles != null && !securityRoles.isEmpty()) {
        // merge the configured roles with the roles the identity already has in this category
        final RoleMapper roleMapper = RoleMapper.constant(Roles.fromSet(securityRoles));
        final RoleMapper mergeMapper = roleMapper.or((roles) -> currentIdentity.getRoles(category));
        final SecurityIdentity newIdentity;
        if (WildFlySecurityManager.isChecking()) {
            newIdentity = AccessController.doPrivileged((PrivilegedAction<SecurityIdentity>) () -> currentIdentity.withRoleMapper(category, mergeMapper));
        } else {
            newIdentity = currentIdentity.withRoleMapper(category, mergeMapper);
        }
        try {
            return newIdentity.runAs(context);
        } catch (PrivilegedActionException e) {
            Throwable cause = e.getCause();
            if (cause != null) {
                if (cause instanceof Exception) {
                    throw (Exception) cause;
                } else {
                    throw new RuntimeException(e);
                }
            } else {
                throw e;
            }
        }
    } else {
        return context.proceed();
    }
}

Example 35 with SecurityIdentity

Use of org.wildfly.security.auth.server.SecurityIdentity in project wildfly by wildfly.

The class ElytronSecurityDomainContextImpl, method isValid.

@Override
public boolean isValid(Principal principal, Object password, Subject subject) {
    if (subject == null) {
        subject = new Subject();
    }
    String username = principal.getName();
    // this legacy bridge only supports plain String passwords
    if (!(password instanceof String)) {
        throw new IllegalArgumentException("only string password accepted");
    }
    SecurityIdentity identity = authenticate(username, (String) password);
    if (identity == null) {
        return false;
    }
    SubjectUtil.fromSecurityIdentity(identity, subject);
    currentIdentity.set(identity);
    return true;
}