Refine search
private void checkPermission(final String targetName) { if (permissionsCheckEnabled.get()) { final SecurityAwareBatchEnvironment environment = getBatchEnvironment(); final SecurityIdentity identity = environment.getIdentity(); if (identity != null) { final BatchPermission permission = BatchPermission.forName(targetName); if (!identity.implies(permission)) { throw BatchLogger.LOGGER.unauthorized(identity.getPrincipal().getName(), permission); } } } }
public Object processInvocation(final InterceptorContext context) throws Exception { final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class); Assert.checkNotNullParam("securityDomain", securityDomain); final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity(); final Set<String> securityRoles = principalVsRolesMap.get(currentIdentity.getPrincipal().getName()); if (securityRoles != null && ! securityRoles.isEmpty()) { final RoleMapper roleMapper = RoleMapper.constant(Roles.fromSet(securityRoles)); final RoleMapper mergeMapper = roleMapper.or((roles) -> currentIdentity.getRoles(category)); final SecurityIdentity newIdentity; if(WildFlySecurityManager.isChecking()) { newIdentity = AccessController.doPrivileged((PrivilegedAction<SecurityIdentity>) () -> currentIdentity.withRoleMapper(category, mergeMapper)); } else { newIdentity = currentIdentity.withRoleMapper(category, mergeMapper); return newIdentity.runAs(context); } catch (PrivilegedActionException e) { Throwable cause = e.getCause();
/** * Attempt to create a new identity that can be used to run as a user with the given name. * * Calling with enabled security manager requires {@code setRunAsPrincipal} {@link ElytronPermission}. * * @param name the name to attempt to run as * @param authorize whether to check the current identity is authorized to run as a user * with the given principal (has {@link RunAsPrincipalPermission}) * @return the new security identity * @throws SecurityException if the caller does not have the {@code setRunAsPrincipal} * {@link ElytronPermission} or if the operation authorization failed for any other reason */ public SecurityIdentity createRunAsIdentity(String name, boolean authorize) throws SecurityException { Assert.checkNotNullParam("name", name); return createRunAsIdentity(new NamePrincipal(name), authorize); }
/** * Attempt to create a new identity which wraps the default roles with a default role mapper. * * @param roleMapper the roleMapper to map the roles. * @return the new identity * @throws SecurityException if the calling class is not granted the withDefaultRoleMapper permission. */ public SecurityIdentity withDefaultRoleMapper(final RoleMapper roleMapper) { final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(WITH_DEFAULT_ROLE_MAPPER_PERMISSION); } return new SecurityIdentity(this, (SecurityIdentity si) -> roleMapper.mapRoles(this.getRoles())); }
/** * If the {@linkplain #getSecurityDomain() security domain} is not {@code null} the current user is returned. * otherwise {@code null} is returned. * <p> * Note that if the current identity is anonymous {@code null} will be returned. * </p> * * @return the current user name or {@code null} */ default String getCurrentUserName() { final SecurityIdentity securityIdentity = getIdentity(); if (securityIdentity != null && !securityIdentity.isAnonymous()) { return securityIdentity.getPrincipal().getName(); } return null; }
private void handleUnknownEvent(SecurityEvent event, StringBuilder stringBuilder) { DateTimeFormatter dateFormat = dateFormatSupplier.get(); stringBuilder.append("event=").append(event.getClass().getSimpleName()); stringBuilder.append(",event-time=").append(dateFormat.format(event.getInstant())); SecurityIdentity securityIdentity = event.getSecurityIdentity(); stringBuilder.append(",security-identity=[name=").append(securityIdentity.getPrincipal().getName()); stringBuilder.append(",creation-time=").append(dateFormat.format(securityIdentity.getCreationTime())).append(']'); }
throw SUBSYSTEM_RA_LOGGER.executionSubjectNotSetInHandler(); SecurityIdentity identity = this.securityDomain.getAnonymousSecurityIdentity(); if (callerPrincipalCallback != null) { Principal callbackPrincipal = callerPrincipalCallback.getPrincipal(); callerPrincipal = callbackPrincipal != null ? new NamePrincipal(callbackPrincipal.getName()) : callerPrincipalCallback.getName() != null ? new NamePrincipal(callerPrincipalCallback.getName()) : null; identity = securityDomain.createAdHocIdentity(callerPrincipal); if (!callerPrincipal.equals(identity.getPrincipal())) { identity = identity.createRunAsIdentity(callerPrincipal.getName()); Set<String> roles = new HashSet<>(Arrays.asList(groups)); identity = identity.withRoleMapper(ElytronSecurityIntegration.SECURITY_IDENTITY_ROLE, RoleMapper.constant(Roles.fromSet(roles))); this.executionSubject.getPrincipals().add(identity.getPrincipal()); this.addPrivateCredential(executionSubject, identity);
public RemotingConnectionCredential(final RemoteConnection connection, final SecurityIdentity securityIdentity) { Assert.checkNotNullParam("connection", connection); Assert.checkNotNullParam("securityIdentity", securityIdentity); this.connection = connection; this.securityIdentity = securityIdentity; Subject subject = new Subject(); Set<Principal> principals = subject.getPrincipals(); principals.add(new RealmUser(securityIdentity.getPrincipal().getName())); for (String role : securityIdentity.getRoles()) { principals.add(new RealmGroup(role)); principals.add(new RealmRole(role)); } this.subject = subject; }
Object credential = null; SecurityIdentity localIdentity = SecurityDomain.forIdentity(connection.getSecurityIdentity()).getCurrentSecurityIdentity(); if (localIdentity != null) { p = new SimplePrincipal(localIdentity.getPrincipal().getName()); IdentityCredentials privateCredentials = localIdentity.getPrivateCredentials(); PasswordCredential passwordCredential = privateCredentials.getCredential(PasswordCredential.class, ClearPassword.ALGORITHM_CLEAR); if (passwordCredential != null) {
return; SecurityDomain domain = SecurityDomain.getCurrent(); SecurityIdentity currentIdentity = null; if(domain != null) { currentIdentity = domain.getCurrentSecurityIdentity(); } else if(currentIdentity == null || currentIdentity.isAnonymous()) { authContext = AuthenticationContext.captureCurrent(); } else { String name = principal.getName(); if (name.indexOf('@') < 0) { name += "@default"; // hardcoded (REVISIT!)
final Principal authenticationPrincipal = this.authenticationPrincipal; final AuthorizationIdentity authorizationIdentity = realmIdentity.getAuthorizationIdentity(); final SecurityDomain domain = capturedIdentity.getSecurityDomain(); SecurityIdentity authorizedIdentity = Assert.assertNotNull(domain.transform(new SecurityIdentity(domain, authenticationPrincipal, realmInfo, authorizationIdentity, domain.getCategoryRoleMappers(), IdentityCredentials.NONE, IdentityCredentials.NONE))); authorizedIdentity = authorizedIdentity.withPublicCredentials(publicCredentials).withPrivateCredentials(privateCredentials); if (log.isTraceEnabled()) { log.tracef("Authorizing principal %s.", authenticationPrincipal.getName()); if (authorizationIdentity != null) { log.tracef("Authorizing against the following attributes: %s => %s", if (! authorizedIdentity.implies(LoginPermission.getInstance())) { SecurityRealm.safeHandleRealmEvent(realmInfo.getSecurityRealm(), new RealmIdentityFailedAuthorizationEvent(authorizedIdentity.getAuthorizationIdentity(), authorizedIdentity.getPrincipal(), authenticationPrincipal)); ElytronMessages.log.trace("Authorization failed - identity does not have required LoginPermission"); return null; } else { SecurityRealm.safeHandleRealmEvent(realmInfo.getSecurityRealm(), new RealmIdentitySuccessfulAuthorizationEvent(authorizedIdentity.getAuthorizationIdentity(), authorizedIdentity.getPrincipal(), authenticationPrincipal));
/** * Obtain a {@link Collection} containing the {@link Principal} instances for the user associated with the connection. * * Note: This method should be called from within a {@link PrivilegedAction}. * * @return The Collection of Principals for the user authenticated with the connection. An empty Collection will be returned * of no user is associated with the connection, {@code null} will be returned if no connection is associated with * the {@link Thread} */ public static Collection<Principal> getConnectionPrincipals() { RemoteConnection con = RemotingContext.getRemoteConnection(); if (con != null) { Collection<Principal> principals = new HashSet<>(); SecurityIdentity localIdentity = con.getSecurityIdentity(); if (localIdentity != null) { final Principal principal = localIdentity.getPrincipal(); final String realm = principal instanceof RealmPrincipal ? ((RealmPrincipal) principal).getRealm() : null; principals.add(new RealmUser(realm, principal.getName())); for (String role : localIdentity.getRoles()) { principals.add(new RealmGroup(role)); principals.add(new RealmRole(role)); } return principals; } else { return Collections.emptySet(); } } return null; }
final RemotingConnectionCredential remotingConnectionCredential = (RemotingConnectionCredential) credential; SecurityIdentity localIdentity = remotingConnectionCredential.getSecurityIdentity(); identity = new RealmUser(localIdentity.getPrincipal().getName()); if (getUseFirstPass()) { String userName = identity.getName(); log.debugf("Storing username '%s'", userName);
if (this.securityDomain != null) { SecurityIdentity identity = this.securityDomain.getAnonymousSecurityIdentity(); AuthenticationConfiguration authenticationConfiguration = AuthenticationConfiguration.EMPTY; authenticationConfiguration = authenticationConfiguration.useName(principal.getName()) .usePassword(password); SecurityIdentity authenticatedIdentity = this.authenticate(principal, password); identity = authenticatedIdentity.createRunAsIdentity(identityPrincipal.getName(), true); } else { identity = this.securityDomain.getAnonymousSecurityIdentity().createRunAsIdentity(identityPrincipal.getName(), true); try { final AuthenticationContext context = AuthenticationContext.captureCurrent().with(MatchRule.ALL.matchProtocol("iiop"), authenticationConfiguration); retVal = identity.runAs((PrivilegedExceptionAction<Object>) () -> context.run((PrivilegedExceptionAction<Object>) () -> this.componentView.invoke(interceptorContext))); } catch (PrivilegedActionException e) { throw e.getCause();
PermissionVerifier mapPermissions(final SecurityIdentity securityIdentity) { Assert.checkNotNullParam("securityIdentity", securityIdentity); final Roles roles = securityIdentity.getRoles(); PermissionVerifier verifier = permissionMapper.mapPermissions(securityIdentity, roles); if (log.isTraceEnabled()) { return (permission) -> { boolean decision = verifier.implies(permission); log.tracef("Permission mapping: identity [%s] with roles [%s] implies %s = %b", securityIdentity.getPrincipal(), String.join(", ", roles), permission, decision); return decision; }; } else { return verifier; } }
/** * Creates a new instance based on the given <code>mechanismName</code> and <code>securityIdentity</code>. * * @param mechanismName the name of the authentication mechanism used to authenticate/authorize the identity * @param securityIdentity the identity to cache */ public CachedIdentity(String mechanismName, SecurityIdentity securityIdentity) { this(mechanismName, securityIdentity, () -> checkNotNullParam("securityIdentity", securityIdentity).getPrincipal()); }
public Object processInvocation(final InterceptorContext context) throws Exception { final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class); Assert.checkNotNullParam("securityDomain", securityDomain); final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity(); final RoleMapper mergeMapper = roleMapper.or((roles) -> currentIdentity.getRoles(category)); final SecurityIdentity newIdentity = currentIdentity.withRoleMapper(category, mergeMapper); try { return newIdentity.runAs(context); } catch (PrivilegedActionException e) { Throwable cause = e.getCause(); if(cause != null) { if(cause instanceof Exception) { throw (Exception) cause; } else { throw new RuntimeException(e); } } else { throw e; } } } }
SecurityIdentity authenticated = securityDomain.authenticate(username, evidence); pvc.setResult(true); if (securityIdentity != null) { if (callerPrincipal != null) { boolean authorizationRequired = (integrated && !securityIdentity.getPrincipal().equals(callerPrincipal)); authorizedIdentity = securityIdentity.createRunAsIdentity(callerPrincipal, authorizationRequired); } else if (integrated) { ServerAuthenticationContext sac = securityDomain.createNewAuthenticationContext(); sac.importIdentity(securityIdentity); sac.authorize(); } else { if (integrated) { ServerAuthenticationContext sac = securityDomain.createNewAuthenticationContext(); sac.setAuthenticationPrincipal(callerPrincipal); if (sac.authorize()) { final Subject subject = cpc.getSubject(); if (subject != null && !subject.isReadOnly()) { subject.getPrincipals().add(authorizedIdentity.getPrincipal());
Assert.checkNotNullParam("securityDomain", securityDomain); final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity(); final SecurityIdentity oldIncomingRunAsIdentity = ejbComponent.getIncomingRunAsIdentity(); SecurityIdentity newIdentity; newIdentity = currentIdentity.createRunAsAnonymous(); } catch (AuthorizationFailureException ex) { newIdentity = currentIdentity.createRunAsAnonymous(false); newIdentity = securityDomain.createAdHocIdentity(runAsPrincipal); } else { try { newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal); } catch (AuthorizationFailureException ex) { newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal, false); return newIdentity.runAs(context); } catch (PrivilegedActionException e) { Throwable cause = e.getCause();