protected AbstractManagedThread createThread(final Runnable r, final ContextHandle contextHandleForSetup) { boolean checking = WildFlySecurityManager.isChecking(); SecurityDomain domain = checking ? AccessController.doPrivileged((PrivilegedAction<SecurityDomain>) SecurityDomain::getCurrent) : SecurityDomain.getCurrent(); SecurityIdentity identity = domain == null ? null : domain.getCurrentSecurityIdentity(); if (checking) { return AccessController.doPrivileged((PrivilegedAction<ElytronManagedThread>) () -> new ElytronManagedThread(r, contextHandleForSetup, identity) ); } else { return new ElytronManagedThread(r, contextHandleForSetup, identity); } }
private ServerAuthenticationContext createServerAuthenticationContext() { if (WildFlySecurityManager.isChecking()) { return AccessController.doPrivileged((PrivilegedAction<ServerAuthenticationContext>) () -> securityDomain.createNewAuthenticationContext()); } return securityDomain.createNewAuthenticationContext(); }
private <V> V privilegedRunAs(final String user, final Callable<V> callable) throws Exception { final SecurityDomain securityDomain = getBatchEnvironment().getSecurityDomain(); if (securityDomain == null) { return callable.call(); } final SecurityIdentity securityIdentity; if (user != null) { if (WildFlySecurityManager.isChecking()) { securityIdentity = AccessController.doPrivileged((PrivilegedAction<SecurityIdentity>) () -> securityDomain.getAnonymousSecurityIdentity().createRunAsIdentity(user, false)); } else { securityIdentity = securityDomain.getAnonymousSecurityIdentity().createRunAsIdentity(user, false); } } else { securityIdentity = securityDomain.getCurrentSecurityIdentity(); } return securityIdentity.runAs(callable); }
private SecurityIdentity getCallerSecurityIdentity() { if (incomingRunAsIdentity != null) { return incomingRunAsIdentity; } else if (securityRequired) { return securityDomain.getCurrentSecurityIdentity(); } else { // unsecured EJB return securityDomain.getAnonymousSecurityIdentity(); } }
/** * @param contextService * @param proxiedObject * @param executionProperties */ IdentityAwareProxyInvocationHandler(ContextServiceImpl contextService, Object proxiedObject, Map<String, String> executionProperties) { super(contextService, proxiedObject, executionProperties); SecurityDomain securityDomain = SecurityDomain.getCurrent(); securityIdentity = securityDomain != null ? securityDomain.getCurrentSecurityIdentity() : null; }
private static SecurityIdentity getSecurityIdentity() { final SecurityManager sm = System.getSecurityManager(); final SecurityDomain securityDomain; if (sm != null) { securityDomain = AccessController.doPrivileged((PrivilegedAction<SecurityDomain>) () -> SecurityDomain.getCurrent()); } else { securityDomain = SecurityDomain.getCurrent(); } return securityDomain != null ? securityDomain.getCurrentSecurityIdentity() : null; }
private SecurityDomain getCurrentSecurityDomain() { if (WildFlySecurityManager.isChecking()) { return AccessController.doPrivileged((PrivilegedAction<SecurityDomain>) () -> SecurityDomain.getCurrent()); } else { return SecurityDomain.getCurrent(); } }
CredentialSource getCredentialSource() { if (authenticationCredentialsForwardSecurityDomain != null) { return doPrivileged((PrivilegedAction<IdentityCredentials>) () -> authenticationCredentialsForwardSecurityDomain.getCurrentSecurityIdentity().getPrivateCredentials(), capturedAccessContext); } else { return credentialSource; } }
public Object processInvocation(final InterceptorContext context) throws Exception { final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class); Assert.checkNotNullParam("securityDomain", securityDomain); final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity(); final Set<String> securityRoles = principalVsRolesMap.get(currentIdentity.getPrincipal().getName()); if (securityRoles != null && ! securityRoles.isEmpty()) { final RoleMapper roleMapper = RoleMapper.constant(Roles.fromSet(securityRoles)); final RoleMapper mergeMapper = roleMapper.or((roles) -> currentIdentity.getRoles(category)); final SecurityIdentity newIdentity; if(WildFlySecurityManager.isChecking()) { newIdentity = AccessController.doPrivileged((PrivilegedAction<SecurityIdentity>) () -> currentIdentity.withRoleMapper(category, mergeMapper)); } else { newIdentity = currentIdentity.withRoleMapper(category, mergeMapper);
if (this.securityDomain != null) { SecurityIdentity identity = this.securityDomain.getAnonymousSecurityIdentity(); AuthenticationConfiguration authenticationConfiguration = AuthenticationConfiguration.EMPTY; .usePassword(password); SecurityIdentity authenticatedIdentity = this.authenticate(principal, password); identity = authenticatedIdentity.createRunAsIdentity(identityPrincipal.getName(), true); } else { identity = this.securityDomain.getAnonymousSecurityIdentity().createRunAsIdentity(identityPrincipal.getName(), true); try { final AuthenticationContext context = AuthenticationContext.captureCurrent().with(MatchRule.ALL.matchProtocol("iiop"), authenticationConfiguration); retVal = identity.runAs((PrivilegedExceptionAction<Object>) () -> context.run((PrivilegedExceptionAction<Object>) () -> this.componentView.invoke(interceptorContext))); } catch (PrivilegedActionException e) { throw e.getCause(); if (WildFlySecurityManager.isChecking()) { legacyContext = AccessController.doPrivileged((PrivilegedExceptionAction<SecurityContext>) () -> { SecurityContext sc = SecurityContextFactory.createSecurityContext(this.legacySecurityDomain); sc.getUtil().createSubjectInfo(finalPrincipal, finalCredential, null);
final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class); Assert.checkNotNullParam("securityDomain", securityDomain); final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity(); if(WildFlySecurityManager.isChecking()) { try { AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> { hasPermission(ejbComponent, componentView, invokedMethod, currentIdentity); return null;
config.setClassCloner(new LocalInvocationClassCloner(WildFlySecurityManager.getClassLoaderPrivileged(invocation.getInvokedProxy().getClass()))); final ObjectCloner resultCloner = createCloner(config); if (async) { if (WildFlySecurityManager.isChecking()) { securityContext = AccessController.doPrivileged((PrivilegedAction<SecurityContext>) SecurityContextAssociation::getSecurityContext); securityDomain = AccessController.doPrivileged((PrivilegedAction<SecurityDomain>) SecurityDomain::getCurrent); } else { securityContext = SecurityContextAssociation.getSecurityContext(); securityDomain = SecurityDomain.getCurrent(); final SecurityIdentity securityIdentity = securityDomain != null ? securityDomain.getCurrentSecurityIdentity() : null; final StartupCountdown.Frame frame = StartupCountdown.current(); final Runnable task = () -> { executor.execute(securityIdentity == null ? task : () -> securityIdentity.runAs(task));
private ServerAuthenticationContext createServerAuthenticationContext() { if (getSecurityManager() != null) { return AccessController.doPrivileged((PrivilegedAction<ServerAuthenticationContext>) () -> securityDomain.createNewAuthenticationContext()); } return securityDomain.createNewAuthenticationContext(); }
SecurityIdentity authenticated = securityDomain.authenticate(username, evidence); pvc.setResult(true); if (securityIdentity != null) { if (callerPrincipal != null) { boolean authorizationRequired = (integrated && !securityIdentity.getPrincipal().equals(callerPrincipal)); authorizedIdentity = securityIdentity.createRunAsIdentity(callerPrincipal, authorizationRequired); } else if (integrated) { ServerAuthenticationContext sac = securityDomain.createNewAuthenticationContext(); sac.importIdentity(securityIdentity); sac.authorize(); } else { if (integrated) { ServerAuthenticationContext sac = securityDomain.createNewAuthenticationContext(); sac.setAuthenticationPrincipal(callerPrincipal); if (sac.authorize()) { authorizedIdentity = securityDomain.createAdHocIdentity(callerPrincipal); final Subject subject = cpc.getSubject(); if (subject != null && !subject.isReadOnly()) { subject.getPrincipals().add(authorizedIdentity.getPrincipal());
throw SUBSYSTEM_RA_LOGGER.executionSubjectNotSetInHandler(); SecurityIdentity identity = this.securityDomain.getAnonymousSecurityIdentity(); identity = securityDomain.createAdHocIdentity(callerPrincipal); if (!callerPrincipal.equals(identity.getPrincipal())) { identity = identity.createRunAsIdentity(callerPrincipal.getName()); Set<String> roles = new HashSet<>(Arrays.asList(groups)); identity = identity.withRoleMapper(ElytronSecurityIntegration.SECURITY_IDENTITY_ROLE, RoleMapper.constant(Roles.fromSet(roles)));
Principal getAuthorizationPrincipal() { return authorizationNameForwardSecurityDomain != null ? authorizationNameForwardSecurityDomain.getCurrentSecurityIdentity().getPrincipal() : setAuthzPrincipal; }
final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity(); final SecurityIdentity oldIncomingRunAsIdentity = ejbComponent.getIncomingRunAsIdentity(); SecurityIdentity newIdentity; newIdentity = currentIdentity.createRunAsAnonymous(); } catch (AuthorizationFailureException ex) { newIdentity = currentIdentity.createRunAsAnonymous(false); newIdentity = securityDomain.createAdHocIdentity(runAsPrincipal); } else { try { newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal); } catch (AuthorizationFailureException ex) { newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal, false);
public Object processInvocation(final InterceptorContext context) throws Exception { final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class); Assert.checkNotNullParam("securityDomain", securityDomain); final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity(); final RoleMapper mergeMapper = roleMapper.or((roles) -> currentIdentity.getRoles(category)); final SecurityIdentity newIdentity = currentIdentity.withRoleMapper(category, mergeMapper); try { return newIdentity.runAs(context); } catch (PrivilegedActionException e) { Throwable cause = e.getCause(); if(cause != null) { if(cause instanceof Exception) { throw (Exception) cause; } else { throw new RuntimeException(e); } } else { throw e; } } } }
static SecurityIdentity performMapping(SecurityIdentity securityIdentity, SecurityDomain securityDomain, RunAsIdentityMetaData runAsMetaData) { if (runAsMetaData != null) { SecurityIdentity newIdentity = securityIdentity != null ? securityIdentity : securityDomain.getAnonymousSecurityIdentity(); String runAsPrincipal = runAsMetaData.getPrincipalName(); if (runAsPrincipal.equals(ANONYMOUS_PRINCIPAL)) { try { newIdentity = newIdentity.createRunAsAnonymous(); } catch (AuthorizationFailureException ex) { newIdentity = newIdentity.createRunAsAnonymous(false); newIdentity = securityDomain.createAdHocIdentity(runAsPrincipal); } else { try { newIdentity = newIdentity.createRunAsIdentity(runAsPrincipal); } catch (AuthorizationFailureException ex) { newIdentity = newIdentity.createRunAsIdentity(runAsPrincipal, false);
private static AuthenticationConfiguration initializeConfiguration(final URI uri, AuthenticationConfiguration configuration) { final SecurityDomain authenticationNameForwardSecurityDomain = configuration.authenticationNameForwardSecurityDomain; final String userInfo = uri.getUserInfo(); if (userInfo != null && configuration.getPrincipal() == AnonymousPrincipal.getInstance() && authenticationNameForwardSecurityDomain == null) { configuration = configuration.useName(userInfo); } // capture forwards if (authenticationNameForwardSecurityDomain != null) { configuration = configuration.useForwardedAuthenticationIdentity(null).usePrincipal(authenticationNameForwardSecurityDomain.getCurrentSecurityIdentity().getPrincipal()); } final SecurityDomain authenticationCredentialsForwardSecurityDomain = configuration.authenticationCredentialsForwardSecurityDomain; if (authenticationCredentialsForwardSecurityDomain != null) { final SecurityIdentity securityIdentity = authenticationCredentialsForwardSecurityDomain.getCurrentSecurityIdentity(); final IdentityCredentials privateCredentials = securityIdentity.getPrivateCredentials(); final IdentityCredentials publicCredentials = securityIdentity.getPublicCredentials(); // private overrides public configuration = configuration.useForwardedAuthenticationCredentials(null).useCredentials(publicCredentials.with(privateCredentials)); } final SecurityDomain authorizationNameForwardSecurityDomain = configuration.authorizationNameForwardSecurityDomain; if (authorizationNameForwardSecurityDomain != null) { configuration = configuration.useForwardedAuthorizationIdentity(null).useAuthorizationPrincipal(authorizationNameForwardSecurityDomain.getCurrentSecurityIdentity().getPrincipal()); } final AccessControlContext capturedContext = configuration.getCapturedContext(); if (capturedContext == null) { configuration = configuration.withCapturedAccessControlContext(); } return configuration; }