Assert.checkNotNullParam("environment", environment); AuthenticationConfiguration globalAuthConf = RemotingOptions.mergeOptionsIntoAuthenticationConfiguration(remotingOptions, AuthenticationConfiguration.empty()); globalAuthConf = globalAuthConf.useName(userName); globalAuthConf = globalAuthConf.useCallbackHandler(callbackHandler); globalAuthConf = globalAuthConf.useCredentials(credentials); } else if (passwordBase64 != null) { globalAuthConf = globalAuthConf.usePassword(CodePointIterator.ofString(passwordBase64).base64Decode().asUtf8String().drainToString()); globalAuthConf = globalAuthConf.useRealm(securityRealm); overrides = new HashMap<>(); AuthenticationConfiguration authConfig = RemotingOptions.mergeOptionsIntoAuthenticationConfiguration(connRemotingOptions, AuthenticationConfiguration.empty()); authConfig = authConfig.useName(connUserName); authConfig = authConfig.useCallbackHandler(connCallbackHandler); authConfig = authConfig.usePassword(connPassword); } else if (connPasswordBase64 != null) { authConfig = authConfig.usePassword(CodePointIterator.ofString(connPasswordBase64).base64Decode().asUtf8String().drainToString());
Assert.checkNotNullParam("optionMap", optionMap); Assert.checkNotNullParam("authenticationConfiguration", authenticationConfiguration); authenticationConfiguration = authenticationConfiguration.useSaslProtocol(saslProtocol != null ? saslProtocol : RemotingOptions.DEFAULT_SASL_PROTOCOL); authenticationConfiguration = authenticationConfiguration.useRealm(realm); authenticationConfiguration = authenticationConfiguration.useAuthorizationName(authzId); authenticationConfiguration = authenticationConfiguration.setSaslMechanismSelector(selector); case MEDIUM: saslPropertiesMap.put(Sasl.STRENGTH, "medium"); break; case HIGH: saslPropertiesMap.put(Sasl.STRENGTH, "high"); break; default: throw Assert.impossibleSwitchCase(strength); authenticationConfiguration = authenticationConfiguration.useMechanismProperties(saslPropertiesMap);
private static AuthenticationConfiguration initializeConfiguration(final URI uri, AuthenticationConfiguration configuration) { final SecurityDomain authenticationNameForwardSecurityDomain = configuration.authenticationNameForwardSecurityDomain; final String userInfo = uri.getUserInfo(); if (userInfo != null && configuration.getPrincipal() == AnonymousPrincipal.getInstance() && authenticationNameForwardSecurityDomain == null) { configuration = configuration.useName(userInfo); } // capture forwards if (authenticationNameForwardSecurityDomain != null) { configuration = configuration.useForwardedAuthenticationIdentity(null).usePrincipal(authenticationNameForwardSecurityDomain.getCurrentSecurityIdentity().getPrincipal()); } final SecurityDomain authenticationCredentialsForwardSecurityDomain = configuration.authenticationCredentialsForwardSecurityDomain; if (authenticationCredentialsForwardSecurityDomain != null) { final SecurityIdentity securityIdentity = authenticationCredentialsForwardSecurityDomain.getCurrentSecurityIdentity(); final IdentityCredentials privateCredentials = securityIdentity.getPrivateCredentials(); final IdentityCredentials publicCredentials = securityIdentity.getPublicCredentials(); // private overrides public configuration = configuration.useForwardedAuthenticationCredentials(null).useCredentials(publicCredentials.with(privateCredentials)); } final SecurityDomain authorizationNameForwardSecurityDomain = configuration.authorizationNameForwardSecurityDomain; if (authorizationNameForwardSecurityDomain != null) { configuration = configuration.useForwardedAuthorizationIdentity(null).useAuthorizationPrincipal(authorizationNameForwardSecurityDomain.getCurrentSecurityIdentity().getPrincipal()); } final AccessControlContext capturedContext = configuration.getCapturedContext(); if (capturedContext == null) { configuration = configuration.withCapturedAccessControlContext(); } return configuration; }
private static AuthenticationConfiguration configureCommon(final JBossEJBProperties properties, final JBossEJBProperties.CommonSubconfiguration configuration, AuthenticationConfiguration config) { final JBossEJBProperties.AuthenticationConfiguration authenticationConfiguration = configuration.getAuthenticationConfiguration(); final String userName = authenticationConfiguration == null ? null : authenticationConfiguration.getUserName(); if (userName != null) config = config.useName(userName); final String realm = authenticationConfiguration == null ? null : authenticationConfiguration.getMechanismRealm(); if (realm != null) config = config.useRealm(realm); final ExceptionSupplier<CallbackHandler, ReflectiveOperationException> callbackHandlerSupplier = authenticationConfiguration == null ? null : authenticationConfiguration.getCallbackHandlerSupplier(); CallbackHandler callbackHandler = null; throw Logs.MAIN.cannotInstantiateCallbackHandler(properties.getDefaultCallbackHandlerClassName(), e); config = config.useCallbackHandler(callbackHandler); if (password != null) config = config.usePassword(password); final Map<String, String> props = (Map) SaslUtils.createPropertyMap(options, false); if (! props.isEmpty()) { config = config.useMechanismProperties(props); config = config.setSaslMechanismSelector(SaslMechanismSelector.DEFAULT.forbidMechanisms(options.get(Options.SASL_DISALLOWED_MECHANISMS).toArray(NO_STRINGS))); } else if (options.contains(Options.SASL_MECHANISMS)) { config = config.setSaslMechanismSelector(SaslMechanismSelector.DEFAULT.addMechanisms(options.get(Options.SASL_MECHANISMS).toArray(NO_STRINGS))); config = config.useProvidersFromClassLoader(ElytronLegacyConfiguration.class.getClassLoader()); return config;
authConfigUri = (URI) authConfig; } else { authConfigUri = URI.create(authConfig.toString()); handler = (CallbackHandler) env.get(CallbackHandler.class.getName()); if (handler != null) { mergedConfiguration = mergedConfiguration.useCallbackHandler(handler); } else { if (env.containsKey(CREDENTIALS)) { String[] credentials = (String[]) env.get(CREDENTIALS); mergedConfiguration = mergedConfiguration.useName(credentials[0]).usePassword(credentials[1]).useRealm(null); disabledMechanisms.add(JBOSS_LOCAL_USER);
final SSLContext sslContext; try { uri = new URI(protocol, username, hostName, port, null, null, null); } catch (URISyntaxException e) { throw new StartException(e); uri = new URI(realProtocol == null ? Protocol.REMOTE_HTTP.toString() : realProtocol, username, hostName, port, null, null, null); } catch (URISyntaxException e) { throw new StartException(e); } else { final SecurityRealm securityRealm = securityRealmInjectedValue.getOptionalValue(); AuthenticationConfiguration configuration = AuthenticationConfiguration.empty(); if (securityRealm != null) { .useName(username) .setSaslMechanismSelector(SaslMechanismSelector.DEFAULT.forbidMechanism(JBOSS_LOCAL_USER)); final CallbackHandlerFactory callbackHandlerFactory = securityRealm.getSecretCallbackHandlerFactory(); if (callbackHandlerFactory != null) { configuration = configuration.useCallbackHandler(callbackHandlerFactory.getCallbackHandler(username));
AuthenticationContextConfigurationClient client = AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION); AuthenticationConfiguration configuration = client.getAuthenticationConfiguration(URI.create(connectionAddress.toString()), context); CallbackHandler callbackHandler = client.getCallbackHandler(configuration); context.with(MatchRule.ALL, configuration.useCallbackHandler(this)).run((PrivilegedAction<Object>) () -> { try { callbackHandler.handle(callbacks);
/** * Get the authentication configuration which matches the given URI and type, or {@link AuthenticationConfiguration#EMPTY} if there is none. * The user name from the URI is copied into the configuration if the configuration does not already establish a value for that field. * No host, port, or protocol information is copied to the resultant configuration from the URI. * * @param uri the URI to match (must not be {@code null}) * @param authenticationContext the authentication context to examine (must not be {@code null}) * @param abstractType the abstract type (may be {@code null}) * @param abstractTypeAuthority the abstract type authority (may be {@code null}) * @return the matching configuration */ public AuthenticationConfiguration getAuthenticationConfigurationNoOverrides(URI uri, AuthenticationContext authenticationContext, String abstractType, String abstractTypeAuthority) { Assert.checkNotNullParam("uri", uri); Assert.checkNotNullParam("authenticationContext", authenticationContext); final RuleNode<AuthenticationConfiguration> node = authenticationContext.authRuleMatching(uri, abstractType, abstractTypeAuthority); AuthenticationConfiguration configuration = node != null ? node.getConfiguration() : AuthenticationConfiguration.empty(); configuration = initializeConfiguration(uri, configuration); log.tracef("getAuthenticationConfiguration uri=%s, abstractType=%s, abstractTypeAuthority=%s, MatchRule=[%s], AuthenticationConfiguration=[%s]", uri, abstractType, abstractTypeAuthority, node != null ? node.rule : null, configuration); return configuration; }
ExceptionUnaryOperator<AuthenticationConfiguration, ConfigXMLParseException> configuration = ignored -> AuthenticationConfiguration.empty(); DeferredSupplier<Provider[]> providerSupplier = new DeferredSupplier<>(providers); configuration = andThenOp(configuration, parent -> parent.useProviders(providerSupplier)); foundBits = setBit(foundBits, 0); final String hostName = parseNameType(reader); configuration = andThenOp(configuration, parentConfig -> parentConfig.useHost(hostName)); xmlLog.xmlDeprecatedElement(reader.getLocalName(), reader.getLocation()); break; foundBits = setBit(foundBits, 1); final int port = parsePortType(reader); configuration = andThenOp(configuration, parentConfig -> parentConfig.usePort(port)); xmlLog.xmlDeprecatedElement(reader.getLocalName(), reader.getLocation()); break; foundBits = setBit(foundBits, 2); final String userName = parseNameType(reader); configuration = andThenOp(configuration, parentConfig -> parentConfig.useName(userName)); break; foundBits = setBit(foundBits, 3); final String realm = parseNameType(reader); configuration = andThenOp(configuration, parentConfig -> parentConfig.useRealm(realm)); break; foundBits = setBit(foundBits, 4); final NameRewriter nameRewriter = parseRegexSubstitutionType(reader); configuration = andThenOp(configuration, parentConfig -> parentConfig.rewriteUser(nameRewriter));
configuration = anonymous ? configuration.andThen(c -> c.useAnonymous()) : configuration; configuration = authenticationName != null ? configuration.andThen(c -> c.useName(authenticationName)) : configuration; configuration = authorizationName != null ? configuration.andThen(c -> c.useAuthorizationName(authorizationName)) : configuration; configuration = host != null ? configuration.andThen(c -> c.useHost(host)) : configuration; configuration = protocol != null ? configuration.andThen(c -> c.useProtocol(protocol)) : configuration; configuration = port > 0 ? configuration.andThen(c -> c.usePort(port)) : configuration; configuration = realm != null ? configuration.andThen(c -> c.useRealm(realm)) : configuration; InjectedValue<SecurityDomain> securityDomainInjector = getSecurityDomain(serviceBuilder, context, securityDomain); if (ElytronDescriptionConstants.AUTHORIZATION.equals(forwardAuth)) { configuration = configuration.andThen(c -> c.useForwardedAuthorizationIdentity(securityDomainInjector.getValue())); } else { configuration = configuration.andThen(c -> c.useForwardedIdentity(securityDomainInjector.getValue())); if (saslMechanismSelector != null) { SaslMechanismSelector selector = SaslMechanismSelector.fromString(saslMechanismSelector); configuration = selector != null ? configuration.andThen(c -> c.setSaslMechanismSelector(selector)) : configuration; serviceBuilder.addDependency(context.getCapabilityServiceName(SECURITY_FACTORY_CREDENTIAL_CAPABILITY, kerberosSecurityFactory, CredentialSecurityFactory.class), CredentialSecurityFactory.class, kerberosFactoryInjector); configuration = configuration.andThen(c -> c.useKerberosSecurityFactory(kerberosFactoryInjector.getValue())); configuration = configuration.andThen(c -> c.useMechanismProperties(propertiesMap, parent == null));
/** * Create a new configuration which is the same as this configuration, but which uses the given callback handler to * acquire a password with which to authenticate, when a password-based authentication algorithm is in use. * * @param callbackHandler the password callback handler * @return the new configuration */ public AuthenticationConfiguration useCredentialCallbackHandler(CallbackHandler callbackHandler) { return useCallbackHandler(callbackHandler, EnumSet.of(CallbackKind.CREDENTIAL)); }
authenticationConfiguration = authenticationConfiguration.useName(principal.getName()) .usePassword(password); SecurityIdentity authenticatedIdentity = this.authenticate(principal, password); identity = authenticatedIdentity.createRunAsIdentity(identityPrincipal.getName(), true); char[] password = (char[]) credential; authenticationConfiguration = authenticationConfiguration.useName(principal.getName()) .usePassword(password); identity = this.authenticate(principal, password);
/** * Create a new configuration which is the same as this configuration, but which uses the given password to authenticate. * * @param password the password to use * @return the new configuration */ public AuthenticationConfiguration usePassword(String password) { return usePassword(password == null ? null : ClearPassword.createRaw(ClearPassword.ALGORITHM_CLEAR, password.toCharArray())); }
AuthenticationConfiguration mergedConfiguration = AUTH_CONFIGURATION_CLIENT.getAuthenticationConfiguration(uri, captured); if (handler != null) { mergedConfiguration = mergedConfiguration.useCallbackHandler(handler, DEFAULT_CALLBACK_KINDS); mergedConfiguration = mergedConfiguration.useMechanismProperties(saslOptions);
authContext = AuthenticationContext.captureCurrent(); } else { authContext = AuthenticationContext.empty().with(MatchRule.ALL, AuthenticationConfiguration.empty().useForwardedIdentity(domain));
public void accept(final ConnectionHandlerFactory connectionHandlerFactory, final SaslAuthenticationFactory authenticationFactory) { synchronized (connectionLock) { try { resourceUntick("an inbound connection"); } catch (NotOpenException e) { throw new IllegalStateException("Accept after endpoint close", e); } boolean ok = false; try { final ConnectionImpl connection = new ConnectionImpl(EndpointImpl.this, connectionHandlerFactory, this, null, authenticationFactory, AuthenticationConfiguration.empty(), saslProtocol); connections.add(connection); connection.getConnectionHandler().addCloseHandler(SpiUtils.asyncClosingCloseHandler(connection)); connection.addCloseHandler(connectionCloseHandler); connection.addCloseHandler(resourceCloseHandler); ok = true; } finally { if (! ok) closeTick1("a failed inbound connection"); } } }
private static AuthenticationConfiguration configureSaslMechanisms(Map<String, String> saslOptions, boolean isLocal, AuthenticationConfiguration authenticationConfiguration) { String[] mechanisms = null; String listed; if (saslOptions != null && (listed = saslOptions.get(Options.SASL_DISALLOWED_MECHANISMS.getName())) != null) { // Disallowed mechanisms were passed via the saslOptions map; need to convert to an XNIO option String[] split = listed.split(" "); if (isLocal) { mechanisms = new String[split.length + 1]; mechanisms[0] = JBOSS_LOCAL_USER; System.arraycopy(split, 0, mechanisms, 1, split.length); } else { mechanisms = split; } } else if (!isLocal) { mechanisms = new String[]{ JBOSS_LOCAL_USER }; } return (mechanisms != null && mechanisms.length > 0) ? authenticationConfiguration.setSaslMechanismSelector(SaslMechanismSelector.DEFAULT.forbidMechanisms(mechanisms)) : authenticationConfiguration; }
authConfigUri = (URI) authConfig; } else { authConfigUri = URI.create(authConfig.toString()); handler = (CallbackHandler) env.get(CallbackHandler.class.getName()); if (handler != null) { mergedConfiguration = mergedConfiguration.useCallbackHandler(handler); } else { if (env.containsKey(CREDENTIALS)) { String[] credentials = (String[]) env.get(CREDENTIALS); mergedConfiguration = mergedConfiguration.useName(credentials[0]).usePassword(credentials[1]).useRealm(null); disabledMechanisms.add(JBOSS_LOCAL_USER);
AuthenticationContextConfigurationClient client = AccessController.doPrivileged(AuthenticationContextConfigurationClient.ACTION); AuthenticationConfiguration configuration = client.getAuthenticationConfiguration(URI.create(connectionAddress.toString()), context); CallbackHandler callbackHandler = client.getCallbackHandler(configuration); context.with(MatchRule.ALL, configuration.useCallbackHandler(this)).run((PrivilegedAction<Object>) () -> { try { callbackHandler.handle(callbacks);