private Set<SecurityIdentity> outflowIdentity(final SecurityIdentity securityIdentity) { Set<SecurityIdentity> outflowedIdentities = new HashSet<>(outflowSecurityDomains.size()); if (securityIdentity != null) { // Attempt to outflow the established identity to each domain in the list for (SecurityDomain outflowSecurityDomain : outflowSecurityDomains) { try { ServerAuthenticationContext serverAuthenticationContext = outflowSecurityDomain.createNewAuthenticationContext(); if (serverAuthenticationContext.importIdentity(securityIdentity)) { outflowedIdentities.add(serverAuthenticationContext.getAuthorizedIdentity()); } } catch (RealmUnavailableException | IllegalStateException e) { // Ignored } } } return outflowedIdentities; }
/** * Attempt to create a new identity that can be used to run as an anonymous user * * Calling with enabled security manager requires {@code setRunAsPrincipal} {@link ElytronPermission}. * * @param authorize whether to check the anonymous identity is authorized to log in * (has {@link org.wildfly.security.auth.permission.LoginPermission}) * @return the new security identity * @throws SecurityException if the caller does not have the {@code setRunAsPrincipal} * {@link ElytronPermission} or if the operation authorization failed for any other reason */ public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException { final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SET_RUN_AS_PERMISSION); } try (final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY))) { if (! context.authorizeAnonymous(authorize)) { throw log.runAsAuthorizationFailed(principal, AnonymousPrincipal.getInstance(), null); } return context.getAuthorizedIdentity(); } }
/** * Attempt to create a new identity that can be used to run as a user with the given principal. * * Calling with enabled security manager requires {@code setRunAsPrincipal} {@link ElytronPermission}. * * @param principal the principal to attempt to run as * @param authorize whether to check the current identity is authorized to run as a user * with the given principal (has {@link RunAsPrincipalPermission}) * @return the new security identity * @throws SecurityException if the caller does not have the {@code setRunAsPrincipal} * {@link ElytronPermission} or if the operation authorization failed for any other reason */ public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException { Assert.checkNotNullParam("principal", principal); final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SET_RUN_AS_PERMISSION); } try (final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY))) { if (! (context.importIdentity(this) && context.authorize(principal, authorize))) { throw log.runAsAuthorizationFailed(this.principal, principal, null); } return context.getAuthorizedIdentity(); } catch (RealmUnavailableException e) { throw log.runAsAuthorizationFailed(this.principal, principal, e); } }
if (context.authorize()) { context.succeed(); return context.getAuthorizedIdentity(); } else { context.fail();
return serverAuthenticationContext.getAuthorizedIdentity(); } else { serverAuthenticationContext.fail();
private boolean restoreIdentity() { if (securityDomain == null) { return false; } HttpScope sessionScope = httpExchangeSpi.getScope(Scope.SESSION); if (sessionScope != null && sessionScope.supportsAttachments()) { String principalName = sessionScope.getAttachment(AUTHENTICATED_PRINCIPAL_KEY, String.class); if (principalName != null) { ServerAuthenticationContext authenticationContext = securityDomain.createNewAuthenticationContext(); try { authenticationContext.setAuthenticationName(principalName); if (authenticationContext.authorize()) { SecurityIdentity authorizedIdentity = authenticationContext.getAuthorizedIdentity(); httpExchangeSpi.authenticationComplete(authorizedIdentity, programaticMechanismName); setupProgramaticLogout(sessionScope); return true; } else { sessionScope.setAttachment(AUTHENTICATED_PRINCIPAL_KEY, null); // Whatever was in there no longer works so just drop it. } } catch (IllegalArgumentException | RealmUnavailableException | IllegalStateException e) { httpExchangeSpi.authenticationFailed(e.getMessage(), programaticMechanismName); } } } return false; }
if (context.authorize()) { context.succeed(); return context.getAuthorizedIdentity(); } else { context.fail();
if (authenticationContext.verifyEvidence(evidence)) { if (authenticationContext.authorize()) { SecurityIdentity authorizedIdentity = authenticationContext.getAuthorizedIdentity(); HttpScope sessionScope = httpExchangeSpi.getScope(Scope.SESSION); if (sessionScope != null && sessionScope.supportsAttachments()
sac.importIdentity(securityIdentity); sac.authorize(); authorizedIdentity = sac.getAuthorizedIdentity(); } else { authorizedIdentity = securityIdentity; sac.setAuthenticationPrincipal(callerPrincipal); if (sac.authorize()) { authorizedIdentity = sac.getAuthorizedIdentity();
SecurityIdentity identity = getAuthorizedIdentity(); log.tracef("Handling SecurityIdentityCallback: identity = %s", identity); ((SecurityIdentityCallback) callback).setSecurityIdentity(identity); SecurityIdentity identity = authorizeCallback.getIdentity(); if (identity != null && importIdentity(identity)) { authorizedIdentity = getAuthorizedIdentity(); } else { principal = authorizeCallback.getPrincipal(); setAuthenticationPrincipal(principal); if (authorize()) { authorizedIdentity = getAuthorizedIdentity();
authenticationContext.succeed(); if (handshakeSession != null) { handshakeSession.putValue(SSLUtils.SSL_SESSION_IDENTITY_KEY, authenticationContext.getAuthorizedIdentity());
private static SecurityIdentity[] performOutflow(SecurityIdentity identity, boolean outflowAnonymous, Set<SecurityDomain> outflowDomains) { List<SecurityIdentity> outflowIdentities = new ArrayList<>(outflowDomains.size()); for (SecurityDomain d : outflowDomains) { ServerAuthenticationContext sac = d.createNewAuthenticationContext(); try { if (sac.importIdentity(identity)) { outflowIdentities.add(sac.getAuthorizedIdentity()); } else if (outflowAnonymous) { outflowIdentities.add(d.getAnonymousSecurityIdentity()); } } catch (RealmUnavailableException e) { throw ROOT_LOGGER.unableToPerformOutflow(identity.getPrincipal().getName(), e); } } return outflowIdentities.toArray(new SecurityIdentity[outflowIdentities.size()]); }
private static SecurityIdentity createSecurityIdentity(Principal principal, Set<String> roles) { ServerAuthenticationContext serverAuthenticationContext = INFLOW_SECURITY_DOMAIN.createNewAuthenticationContext(); try { serverAuthenticationContext.verifyEvidence(new EvidenceWithRoles(principal, roles)); serverAuthenticationContext.authorize(); } catch (RealmUnavailableException e) { // As the domain is backed by a dummy realm that never throws this Exception it is impossible for it to be thrown. throw new IllegalStateException(e); } return serverAuthenticationContext.getAuthorizedIdentity(); }
private static SecurityIdentity createSecurityIdentity(Principal principal, Set<String> roles) { ServerAuthenticationContext serverAuthenticationContext = INFLOW_SECURITY_DOMAIN.createNewAuthenticationContext(); try { serverAuthenticationContext.verifyEvidence(new EvidenceWithRoles(principal, roles)); serverAuthenticationContext.authorize(); } catch (RealmUnavailableException e) { // As the domain is backed by a dummy realm that never throws this Exception it is impossible for it to be thrown. throw new IllegalStateException(e); } return serverAuthenticationContext.getAuthorizedIdentity(); }
/** * Attempt to create a new identity that can be used to run as an anonymous user * * Calling with enabled security manager requires {@code setRunAsPrincipal} {@link ElytronPermission}. * * @param authorize whether to check the anonymous identity is authorized to log in * (has {@link org.wildfly.security.auth.permission.LoginPermission}) * @return the new security identity * @throws SecurityException if the caller does not have the {@code setRunAsPrincipal} * {@link ElytronPermission} or if the operation authorization failed for any other reason */ public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException { final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SET_RUN_AS_PERMISSION); } try (final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY))) { if (! context.authorizeAnonymous(authorize)) { throw log.runAsAuthorizationFailed(principal, AnonymousPrincipal.getInstance(), null); } return context.getAuthorizedIdentity(); } }
/** * Attempt to create a new identity that can be used to run as an anonymous user * * Calling with enabled security manager requires {@code setRunAsPrincipal} {@link ElytronPermission}. * * @param authorize whether to check the anonymous identity is authorized to log in * (has {@link org.wildfly.security.auth.permission.LoginPermission}) * @return the new security identity * @throws SecurityException if the caller does not have the {@code setRunAsPrincipal} * {@link ElytronPermission} or if the operation authorization failed for any other reason */ public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException { final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SET_RUN_AS_PERMISSION); } try (final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY))) { if (! context.authorizeAnonymous(authorize)) { throw log.runAsAuthorizationFailed(principal, AnonymousPrincipal.getInstance(), null); } return context.getAuthorizedIdentity(); } }
/** * Attempt to create a new identity that can be used to run as an anonymous user * * Calling with enabled security manager requires {@code setRunAsPrincipal} {@link ElytronPermission}. * * @param authorize whether to check the anonymous identity is authorized to log in * (has {@link org.wildfly.security.auth.permission.LoginPermission}) * @return the new security identity * @throws SecurityException if the caller does not have the {@code setRunAsPrincipal} * {@link ElytronPermission} or if the operation authorization failed for any other reason */ public SecurityIdentity createRunAsAnonymous(boolean authorize) throws SecurityException { final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SET_RUN_AS_PERMISSION); } try (final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY))) { if (! context.authorizeAnonymous(authorize)) { throw log.runAsAuthorizationFailed(principal, AnonymousPrincipal.getInstance(), null); } return context.getAuthorizedIdentity(); } }
/** * Attempt to create a new identity that can be used to run as a user with the given principal. * * Calling with enabled security manager requires {@code setRunAsPrincipal} {@link ElytronPermission}. * * @param principal the principal to attempt to run as * @param authorize whether to check the current identity is authorized to run as a user * with the given principal (has {@link RunAsPrincipalPermission}) * @return the new security identity * @throws SecurityException if the caller does not have the {@code setRunAsPrincipal} * {@link ElytronPermission} or if the operation authorization failed for any other reason */ public SecurityIdentity createRunAsIdentity(Principal principal, boolean authorize) throws SecurityException { Assert.checkNotNullParam("principal", principal); final SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(SET_RUN_AS_PERMISSION); } try (final ServerAuthenticationContext context = securityDomain.createNewAuthenticationContext(this, MechanismConfigurationSelector.constantSelector(MechanismConfiguration.EMPTY))) { if (! (context.importIdentity(this) && context.authorize(principal, authorize))) { throw log.runAsAuthorizationFailed(this.principal, principal, null); } return context.getAuthorizedIdentity(); } catch (RealmUnavailableException e) { throw log.runAsAuthorizationFailed(this.principal, principal, e); } }
private boolean restoreIdentity() { if (securityDomain == null) { return false; } HttpScope sessionScope = httpExchangeSpi.getScope(Scope.SESSION); if (sessionScope != null && sessionScope.supportsAttachments()) { String principalName = sessionScope.getAttachment(AUTHENTICATED_PRINCIPAL_KEY, String.class); if (principalName != null) { ServerAuthenticationContext authenticationContext = securityDomain.createNewAuthenticationContext(); try { authenticationContext.setAuthenticationName(principalName); if (authenticationContext.authorize()) { SecurityIdentity authorizedIdentity = authenticationContext.getAuthorizedIdentity(); httpExchangeSpi.authenticationComplete(authorizedIdentity, programaticMechanismName); setupProgramaticLogout(sessionScope); return true; } else { sessionScope.setAttachment(AUTHENTICATED_PRINCIPAL_KEY, null); // Whatever was in there no longer works so just drop it. } } catch (IllegalArgumentException | RealmUnavailableException | IllegalStateException e) { httpExchangeSpi.authenticationFailed(e.getMessage(), programaticMechanismName); } } } return false; }
private SecurityIdentity authenticate(final String username, final String password) { ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext(); PasswordGuessEvidence evidence = new PasswordGuessEvidence(password != null ? password.toCharArray() : null); try { context.setAuthenticationName(username); if (context.verifyEvidence(evidence)) { if (context.authorize()) { context.succeed(); return context.getAuthorizedIdentity(); } else { context.fail(); WSLogger.ROOT_LOGGER.failedAuthorization(username); } } else { context.fail(); WSLogger.ROOT_LOGGER.failedAuthentication(username); } } catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) { context.fail(); WSLogger.ROOT_LOGGER.failedAuthenticationWithException(e, username, e.getMessage()); } finally { if (!context.isDone()) context.fail(); //prevent leaks of RealmIdentity instances evidence.destroy(); } return null; }