/** * Creates a new instance based on the given <code>mechanismName</code> and <code>securityIdentity</code>. * * @param mechanismName the name of the authentication mechanism used to authenticate/authorize the identity * @param securityIdentity the identity to cache */ public CachedIdentity(String mechanismName, SecurityIdentity securityIdentity) { this(mechanismName, securityIdentity, () -> checkNotNullParam("securityIdentity", securityIdentity).getPrincipal()); }
Principal getAuthorizationPrincipal() { return authorizationNameForwardSecurityDomain != null ? authorizationNameForwardSecurityDomain.getCurrentSecurityIdentity().getPrincipal() : setAuthzPrincipal; }
Principal getPrincipal() { return authenticationNameForwardSecurityDomain != null ? authenticationNameForwardSecurityDomain.getCurrentSecurityIdentity().getPrincipal() : principal; }
private void handleUnknownEvent(SecurityEvent event, StringBuilder stringBuilder) { DateTimeFormatter dateFormat = dateFormatSupplier.get(); stringBuilder.append("event=").append(event.getClass().getSimpleName()); stringBuilder.append(",event-time=").append(dateFormat.format(event.getInstant())); SecurityIdentity securityIdentity = event.getSecurityIdentity(); stringBuilder.append(",security-identity=[name=").append(securityIdentity.getPrincipal().getName()); stringBuilder.append(",creation-time=").append(dateFormat.format(securityIdentity.getCreationTime())).append(']'); }
private void handleUnknownEvent(SecurityEvent event, JsonObjectBuilder objectBuilder) { DateTimeFormatter dateFormat = dateTimeFormatterSupplier.get(); objectBuilder.add("event", event.getClass().getSimpleName()); objectBuilder.add("event-time", dateFormat.format(event.getInstant())); JsonObjectBuilder securityIdentityBuilder = Json.createObjectBuilder(); SecurityIdentity securityIdentity = event.getSecurityIdentity(); securityIdentityBuilder.add("name", securityIdentity.getPrincipal().getName()); securityIdentityBuilder.add("creation-time", dateFormat.format(securityIdentity.getCreationTime())); objectBuilder.add("security-identity", securityIdentityBuilder); }
/** * If the {@linkplain #getSecurityDomain() security domain} is not {@code null} the current user is returned. * otherwise {@code null} is returned. * <p> * Note that if the current identity is anonymous {@code null} will be returned. * </p> * * @return the current user name or {@code null} */ default String getCurrentUserName() { final SecurityIdentity securityIdentity = getIdentity(); if (securityIdentity != null && !securityIdentity.isAnonymous()) { return securityIdentity.getPrincipal().getName(); } return null; }
public RemotingConnectionCredential(final RemoteConnection connection, final SecurityIdentity securityIdentity) { Assert.checkNotNullParam("connection", connection); Assert.checkNotNullParam("securityIdentity", securityIdentity); this.connection = connection; this.securityIdentity = securityIdentity; Subject subject = new Subject(); Set<Principal> principals = subject.getPrincipals(); principals.add(new RealmUser(securityIdentity.getPrincipal().getName())); for (String role : securityIdentity.getRoles()) { principals.add(new RealmGroup(role)); principals.add(new RealmRole(role)); } this.subject = subject; }
private void checkPermission(final String targetName) { if (permissionsCheckEnabled.get()) { final SecurityAwareBatchEnvironment environment = getBatchEnvironment(); final SecurityIdentity identity = environment.getIdentity(); if (identity != null) { final BatchPermission permission = BatchPermission.forName(targetName); if (!identity.implies(permission)) { throw BatchLogger.LOGGER.unauthorized(identity.getPrincipal().getName(), permission); } } } }
@Override public Principal getPrincipal() { SecurityDomain elytronDomain = getCurrentSecurityDomain(); if(elytronDomain != null) { return elytronDomain.getCurrentSecurityIdentity().getPrincipal(); } // Use 'Object' initially to avoid loading ServerSecurityManager (which may not be present) // until we know for sure we need it. final Object securityManager = securityManagerSupplier != null ? securityManagerSupplier.get() : null; if (securityManager == null) throw WeldLogger.ROOT_LOGGER.securityNotEnabled(); return ((ServerSecurityManager) securityManager).getCallerPrincipal(); }
/** * Obtain a {@link Collection} containing the {@link Principal} instances for the user associated with the connection. * * Note: This method should be called from within a {@link PrivilegedAction}. * * @return The Collection of Principals for the user authenticated with the connection. An empty Collection will be returned * of no user is associated with the connection, {@code null} will be returned if no connection is associated with * the {@link Thread} */ public static Collection<Principal> getConnectionPrincipals() { RemoteConnection con = RemotingContext.getRemoteConnection(); if (con != null) { Collection<Principal> principals = new HashSet<>(); SecurityIdentity localIdentity = con.getSecurityIdentity(); if (localIdentity != null) { final Principal principal = localIdentity.getPrincipal(); final String realm = principal instanceof RealmPrincipal ? ((RealmPrincipal) principal).getRealm() : null; principals.add(new RealmUser(realm, principal.getName())); for (String role : localIdentity.getRoles()) { principals.add(new RealmGroup(role)); principals.add(new RealmRole(role)); } return principals; } else { return Collections.emptySet(); } } return null; }
PermissionVerifier mapPermissions(final SecurityIdentity securityIdentity) { Assert.checkNotNullParam("securityIdentity", securityIdentity); final Roles roles = securityIdentity.getRoles(); PermissionVerifier verifier = permissionMapper.mapPermissions(securityIdentity, roles); if (log.isTraceEnabled()) { return (permission) -> { boolean decision = verifier.implies(permission); log.tracef("Permission mapping: identity [%s] with roles [%s] implies %s = %b", securityIdentity.getPrincipal(), String.join(", ", roles), permission, decision); return decision; }; } else { return verifier; } }
@Override boolean authorize(final boolean requireLoginPermission) throws RealmUnavailableException { final SecurityIdentity capturedIdentity = this.capturedIdentity; if (capturedIdentity.isAnonymous()) { return authorizeAnonymous(requireLoginPermission); } final AtomicReference<State> stateRef = getStateRef(); return (! requireLoginPermission || capturedIdentity.implies(LoginPermission.getInstance())) && (stateRef.compareAndSet(this, new AuthorizedState(capturedIdentity, capturedIdentity.getPrincipal(), capturedIdentity.getRealmInfo(), mechanismConfiguration, getMechanismRealmConfiguration())) || stateRef.get().authorize(requireLoginPermission)); }
public Principal getCallerPrincipal() { if (isSecurityDomainKnown()) { return getCallerSecurityIdentity().getPrincipal(); } else if (WildFlySecurityManager.isChecking()) { return WildFlySecurityManager.doUnchecked(getCaller); } else { return this.serverSecurityManager.getCallerPrincipal(); } }
Roles mapRoles(SecurityIdentity securityIdentity) { Assert.checkNotNullParam("securityIdentity", securityIdentity); AuthorizationIdentity identity = securityIdentity.getAuthorizationIdentity(); RealmInfo realmInfo = securityIdentity.getRealmInfo(); // zeroth role mapping, just grab roles from the identity Roles decodedRoles = realmInfo.getRoleDecoder().decodeRoles(identity); // apply the first level mapping, which is based on the role mapper associated with a realm. Roles realmMappedRoles = realmInfo.getRoleMapper().mapRoles(decodedRoles); // apply the second level mapping, which is based on the role mapper associated with this security domain. Roles domainMappedRoles = roleMapper.mapRoles(realmMappedRoles); if (log.isTraceEnabled()) { log.tracef("Role mapping: principal [%s] -> decoded roles [%s] -> realm mapped roles [%s] -> domain mapped roles [%s]", securityIdentity.getPrincipal(), String.join(", ", decodedRoles), String.join(", ", realmMappedRoles), String.join(", ", domainMappedRoles)); } return domainMappedRoles; }
Assert.checkNotNullParam("securityDomain", securityDomain); final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity(); final Set<String> securityRoles = principalVsRolesMap.get(currentIdentity.getPrincipal().getName()); if (securityRoles != null && ! securityRoles.isEmpty()) { final RoleMapper roleMapper = RoleMapper.constant(Roles.fromSet(securityRoles));
private SecurityIdentity getSecurityIdentity(int msgId, int invId, int secContext, boolean hasSecContext) { SecurityIdentity securityIdentity; if (hasSecContext) { securityIdentity = channel.getConnection().getLocalIdentity(secContext); } else { securityIdentity = channel.getConnection().getLocalIdentity(); } if(!securityIdentity.implies(RemoteTransactionPermission.getInstance())) { writeExceptionResponse(msgId, invId, P_SEC_EXC, log.noPermission(securityIdentity.getPrincipal().getName(), RemoteTransactionPermission.getInstance())); return null; } return securityIdentity; }
private static AuthenticationConfiguration initializeConfiguration(final URI uri, AuthenticationConfiguration configuration) { final SecurityDomain authenticationNameForwardSecurityDomain = configuration.authenticationNameForwardSecurityDomain; final String userInfo = uri.getUserInfo(); if (userInfo != null && configuration.getPrincipal() == AnonymousPrincipal.getInstance() && authenticationNameForwardSecurityDomain == null) { configuration = configuration.useName(userInfo); } // capture forwards if (authenticationNameForwardSecurityDomain != null) { configuration = configuration.useForwardedAuthenticationIdentity(null).usePrincipal(authenticationNameForwardSecurityDomain.getCurrentSecurityIdentity().getPrincipal()); } final SecurityDomain authenticationCredentialsForwardSecurityDomain = configuration.authenticationCredentialsForwardSecurityDomain; if (authenticationCredentialsForwardSecurityDomain != null) { final SecurityIdentity securityIdentity = authenticationCredentialsForwardSecurityDomain.getCurrentSecurityIdentity(); final IdentityCredentials privateCredentials = securityIdentity.getPrivateCredentials(); final IdentityCredentials publicCredentials = securityIdentity.getPublicCredentials(); // private overrides public configuration = configuration.useForwardedAuthenticationCredentials(null).useCredentials(publicCredentials.with(privateCredentials)); } final SecurityDomain authorizationNameForwardSecurityDomain = configuration.authorizationNameForwardSecurityDomain; if (authorizationNameForwardSecurityDomain != null) { configuration = configuration.useForwardedAuthorizationIdentity(null).useAuthorizationPrincipal(authorizationNameForwardSecurityDomain.getCurrentSecurityIdentity().getPrincipal()); } final AccessControlContext capturedContext = configuration.getCapturedContext(); if (capturedContext == null) { configuration = configuration.withCapturedAccessControlContext(); } return configuration; }
return stateRef.compareAndSet(this, newState) || stateRef.get().importIdentity(importedIdentity); final Principal importedPrincipal = importedIdentity.getPrincipal(); if (domain == importedIdentity.getSecurityDomain()) {
SecurityRealm.safeHandleRealmEvent(realmInfo.getSecurityRealm(), new RealmIdentityFailedAuthorizationEvent(authorizedIdentity.getAuthorizationIdentity(), authorizedIdentity.getPrincipal(), authenticationPrincipal)); ElytronMessages.log.trace("Authorization failed - identity does not have required LoginPermission"); return null; } else { SecurityRealm.safeHandleRealmEvent(realmInfo.getSecurityRealm(), new RealmIdentitySuccessfulAuthorizationEvent(authorizedIdentity.getAuthorizationIdentity(), authorizedIdentity.getPrincipal(), authenticationPrincipal));
p = new SimplePrincipal(localIdentity.getPrincipal().getName()); IdentityCredentials privateCredentials = localIdentity.getPrivateCredentials(); PasswordCredential passwordCredential = privateCredentials.getCredential(PasswordCredential.class, ClearPassword.ALGORITHM_CLEAR);