All Downloads are FREE. Search and download functionalities are using the official Maven repository.

com.sun.enterprise.connectors.authentication.BasicPasswordAuthenticationService Maven / Gradle / Ivy

There is a newer version: 4.1.2.181
Show newest version
/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 1997-2012 Oracle and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
 * and Distribution License("CDDL") (collectively, the "License").  You
 * may not use this file except in compliance with the License.  You can
 * obtain a copy of the License at
 * https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
 * or packager/legal/LICENSE.txt.  See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at packager/legal/LICENSE.txt.
 *
 * GPL Classpath Exception:
 * Oracle designates this particular file as subject to the "Classpath"
 * exception as provided by Oracle in the GPL Version 2 section of the License
 * file that accompanied this code.
 *
 * Modifications:
 * If applicable, add the following below the License Header, with the fields
 * enclosed by brackets [] replaced by your own identifying information:
 * "Portions Copyright [year] [name of copyright owner]"
 *
 * Contributor(s):
 * If you wish your version of this file to be governed by only the CDDL or
 * only the GPL Version 2, indicate your decision by adding "[Contributor]
 * elects to include this software in this distribution under the [CDDL or GPL
 * Version 2] license."  If you don't indicate a single choice of license, a
 * recipient has the option to distribute your version of this file under
 * either the CDDL, the GPL Version 2 or to extend the choice of license to
 * its licensees as provided above.  However, if you add GPL Version 2 code
 * and therefore, elected the GPL Version 2 license, then the option applies
 * only if the new code is made subject to such option by the copyright
 * holder.
 */

package com.sun.enterprise.connectors.authentication;

import com.sun.appserv.connectors.internal.api.ConnectorConstants;
import com.sun.enterprise.connectors.ConnectorRegistry;
import com.sun.enterprise.connectors.ConnectorRuntime;
import com.sun.enterprise.container.common.spi.util.ComponentEnvManager;
import com.sun.enterprise.deployment.WebBundleDescriptor;
import com.sun.logging.LogDomains;
import org.glassfish.api.invocation.ComponentInvocation;
import org.glassfish.deployment.common.SecurityRoleMapper;
import org.glassfish.deployment.common.SecurityRoleMapperFactory;
import org.glassfish.ejb.api.EJBInvocation;
import org.glassfish.resourcebase.resources.api.PoolInfo;

import javax.ejb.EJBContext;
import javax.security.auth.Subject;
import java.security.Principal;
import java.util.*;
import java.util.logging.Level;
import java.util.logging.Logger;


/**
 * This class does the functionality of security mapping of the
 * principal and userGroup to the backendPrincipal.
 *
 * @author Srikanth P
 */
public class BasicPasswordAuthenticationService
        implements AuthenticationService {

    private String rarName_;
    private PoolInfo poolInfo_;
    ConnectorRegistry connectorRegistry_ = ConnectorRegistry.getInstance();
    static Logger _logger = LogDomains.getLogger(BasicPasswordAuthenticationService.class, LogDomains.RSR_LOGGER);
    private Object containerContext = null;
    private SecurityRoleMapperFactory securityRoleMapperFactory;

    /**
     * Constructor
     *
     * @param rarName  Name of the rar
     * @param poolInfo Name of the pool.
     */
    public BasicPasswordAuthenticationService(String rarName, PoolInfo poolInfo) {
        rarName_ = rarName;
        poolInfo_ = poolInfo;
        if(_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Constructor:BasicPasswordAuthenticationService");
        }
    }

    /**
     * Maps the principal to the backendPrincipal
     *
     * @param callerPrincipal Name of the principal to be mapped.
     * @return Mapped Backendprincipal
     */
    public Principal mapPrincipal(Principal callerPrincipal, Set principalSet) {

        // If no security maps are associated with this pool, return empty
        RuntimeSecurityMap runtimeSecurityMap =
                connectorRegistry_.getRuntimeSecurityMap(poolInfo_);
        if (runtimeSecurityMap == null) {
            return null;
        }

        String principalName = callerPrincipal.getName();

        // Create a list of Group Names from group Set
        List groupNames = new ArrayList();
        Iterator iter = principalSet.iterator();
        while (iter.hasNext()) {
            Principal p = (Principal) iter.next();
            // remove the caller principal (calling user) from the Set.
            if (p.equals(callerPrincipal)) {
                continue;
            }
            String groupName = p.getName();
            groupNames.add(groupName);
        }

        // if webmodule get roles from WebBundle Descriptor
        if (isContainerContextAWebModuleObject()) {
            String roleName = getRoleName(callerPrincipal);
            return doMap(principalName, groupNames, roleName, runtimeSecurityMap);
        } else {
            return doMap(principalName, groupNames, null, runtimeSecurityMap);
        }
    }

    /**
     * Performs the actual mapping of the principal/userGroup to the
     * backendPrincipal by checking at the connector registry for all the
     * existing mapping. If a map is found the backendPrincipal is
     * returned else null is returned .
     */
    private Principal doMap(String principalName, List groupNames,
            String roleName, RuntimeSecurityMap runtimeSecurityMap) {

        // Policy: 
        // user_1, user_2, ... user_n
        // group_1/role_1, group_2/role_2, ... group_n/role_n
        // user contains * 
        // role/group contains *

        HashMap userNameSecurityMap = (HashMap) runtimeSecurityMap.getUserMap();
        HashMap groupNameSecurityMap = (HashMap) runtimeSecurityMap.getGroupMap();

        // Check if caller's user-name is preset in the User Map
        if (userNameSecurityMap.containsKey(principalName)) {
            return (Principal) userNameSecurityMap.get(principalName);
        }

        // Check if caller's role is present in the Group Map
        if (isContainerContextAWebModuleObject() && roleName != null) {
            if (groupNameSecurityMap.containsKey(roleName)) {
                return (Principal) groupNameSecurityMap.get(roleName);
            }
        }

        // If ejb, use isCallerInRole  
        if (isContainerContextAEJBContainerObject() && roleName == null) {
            ComponentInvocation componentInvocation =
                    ConnectorRuntime.getRuntime().getInvocationManager().getCurrentInvocation();
            EJBInvocation ejbInvocation = (EJBInvocation) componentInvocation;
            EJBContext ejbcontext = ejbInvocation.getEJBContext();
            Set s = (Set) groupNameSecurityMap.entrySet();
            Iterator i = s.iterator();
            while(i.hasNext()) {
                Map.Entry mapEntry = (Map.Entry) i.next();
                String key = (String) mapEntry.getKey();
                Principal entry = (Principal) mapEntry.getValue();

                boolean isInRole = false;
                try {
                    isInRole = ejbcontext.isCallerInRole(key);
                } catch (Exception ex) {
                    if(_logger.isLoggable(Level.FINE)) {
                        _logger.log(Level.FINE, "BasicPasswordAuthentication::caller not in role " + key);
                    }
                }
                if (isInRole) {
                    return entry;
                }
            }
       }

        // Check if caller's group(s) is/are present in the Group Map
        for (int j = 0; j < groupNames.size(); j++) {
            String groupName = (String) groupNames.get(j);
            if (groupNameSecurityMap.containsKey(groupName)) {
                return (Principal) groupNameSecurityMap.get(groupName);
            }
        }

        // Check if user name is * in Security Map
        if (userNameSecurityMap.containsKey(ConnectorConstants.SECURITYMAPMETACHAR)) {
            return (Principal) userNameSecurityMap.get(ConnectorConstants.SECURITYMAPMETACHAR);
        }

        // Check if role/group name is * in Security Map
        if (groupNameSecurityMap.containsKey(ConnectorConstants.SECURITYMAPMETACHAR)) {
            return (Principal) groupNameSecurityMap.get(ConnectorConstants.SECURITYMAPMETACHAR);
        }

        return null;
    }

    private String getRoleName(Principal callerPrincipal) {

        String roleName = null;

        WebBundleDescriptor wbd = (WebBundleDescriptor) getComponentEnvManager().getCurrentJndiNameEnvironment();

        SecurityRoleMapperFactory securityRoleMapperFactory = getSecurityRoleMapperFactory();
        SecurityRoleMapper securityRoleMapper =
                securityRoleMapperFactory.getRoleMapper(wbd.getModuleID());

        Map map = securityRoleMapper.getRoleToSubjectMapping();
        for (Map.Entry entry : map.entrySet()) {
            roleName = entry.getKey();
            Subject subject = entry.getValue();
            Set principalSet = subject.getPrincipals();
            if (principalSet.contains(callerPrincipal)) {
                return roleName;
            }
        }
        return "";
    }

    private ComponentEnvManager getComponentEnvManager() {
        return ConnectorRuntime.getRuntime().getComponentEnvManager();
    }

    private ComponentInvocation getCurrentComponentInvocation() {
        return ConnectorRuntime.getRuntime().getInvocationManager().getCurrentInvocation();
    }

    private ComponentInvocation.ComponentInvocationType getCurrentComponentType() {
        return getCurrentComponentInvocation().getInvocationType();
    }

    private boolean isContainerContextAWebModuleObject() {
        return ComponentInvocation.ComponentInvocationType.SERVLET_INVOCATION.equals(getCurrentComponentType());
    }

    //TODO V3 use this instead of isContainerContextAContainerObject
    private boolean isContainerContextAEJBContainerObject() {
        return ComponentInvocation.ComponentInvocationType.EJB_INVOCATION.equals(getCurrentComponentType());
    }

    public SecurityRoleMapperFactory getSecurityRoleMapperFactory() {
        return ConnectorRuntime.getRuntime().getSecurityRoleMapperFactory();
    }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy