All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.jboss.as.webservices.security.ElytronSecurityDomainContextImpl.bak Maven / Gradle / Ivy

The newest version!
/*
 * JBoss, Home of Professional Open Source.
 * Copyright 2016, Red Hat Middleware LLC, and individual contributors
 * as indicated by the @author tags. See the copyright.txt file in the
 * distribution for a full listing of individual contributors.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, write to the Free
 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
package org.jboss.as.webservices.security;

import java.io.Serializable;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.Callable;

import javax.security.auth.Subject;

import org.jboss.as.webservices.logging.WSLogger;
import org.jboss.wsf.spi.security.SecurityDomainContext;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.ServerAuthenticationContext;
import org.wildfly.security.evidence.PasswordGuessEvidence;

public class ElytronSecurityDomainContextImpl implements SecurityDomainContext {

    private SecurityDomain securityDomain;
    private ThreadLocal currentIdentity = new ThreadLocal();

    public ElytronSecurityDomainContextImpl(SecurityDomain securityDomain) {
        this.securityDomain = securityDomain;
    }

    //TODO:deprecate this after elytron?
    @Override
    public boolean doesUserHaveRole(Principal principal, Set principals) {
        return true;
    }
    //TODO:deprecate this after elytron?
    @Override
    public String getSecurityDomain() {
        return this.securityDomain.toString();
    }
    //TODO:deprecate this after elytron?
    @Override
    public Set getUserRoles(Principal principal) {
        return null;
    }

    @Override
    public boolean isValid(Principal principal, Object password, Subject subject) {
        if (subject == null) {
            subject = new Subject();
        }
        String username = principal.getName();
        if (!(password instanceof String)) {
            throw new java.lang.IllegalArgumentException("only string password accepted");
        }
        SecurityIdentity identity = authenticate(username, (String) password);
        if (identity == null) {
            return false;
        }
        Set principals = subject.getPrincipals();
        principals.add(identity.getPrincipal());
        subject.getPublicCredentials().add(identity.getPublicCredentials());
        subject.getPrivateCredentials().add(identity.getPrivateCredentials());
        //TODO: improve this : convert securityIdentity to subject
        if (!identity.getRoles().isEmpty()) {
            identity.getRoles().forEach(name -> {
                principals.add(new SimpleGroup(name, identity.getPrincipal()));
            });
        } else {
            //if it's PicketBoxBasedIdentity.
            identity.getAttributes().get("Roles").forEach(role -> {
                principals.add(new SimpleGroup(role, identity.getPrincipal()));
            });
        }
        currentIdentity.set(identity);
        return true;
    }

    public void runAs(Callable action) throws Exception {
        if (currentIdentity.get() != null) {
            //there is no security constrains in servlet and directly with jaas
            currentIdentity.get().runAs(action);
        } else {
            //undertow's ElytronRunAsHandler will propagate the SecurityIndentity to SecurityDomain and directly run this action
            action.call();
        }
    }
    @Override
    public void pushSubjectContext(Subject arg0, Principal arg1, Object arg2) {

    }

    private SecurityIdentity authenticate(final String username, final String password) {

        ServerAuthenticationContext context = this.securityDomain.createNewAuthenticationContext();
        PasswordGuessEvidence evidence = new PasswordGuessEvidence(password != null ? password.toCharArray() : null);
        try {
            context.setAuthenticationName(username);
            if (context.verifyEvidence(evidence)) {
                if (context.authorize()) {
                    context.succeed();
                    return context.getAuthorizedIdentity();
                } else {
                    context.fail();
                    WSLogger.ROOT_LOGGER.failedAuthorization(username);
                }
            } else {
                context.fail();
                WSLogger.ROOT_LOGGER.failedAuthentication(username);
            }
        } catch (IllegalArgumentException | IllegalStateException | RealmUnavailableException e) {
            context.fail();
            WSLogger.ROOT_LOGGER.failedAuthenticationWithException(e, username, e.getMessage());
        } finally {
            evidence.destroy();
        }
        return null;
    }
    //TODO:create a util to build subject from SecurityIdentity
    public class SimplePrincipal implements Principal, Serializable {
        private static final long serialVersionUID = -7703975471290155466L;
        private String name;

        public SimplePrincipal(String name) {
            if (name == null) {
                throw new IllegalArgumentException("Principal name can not be null");
            }
            this.name = name;
        }

        public String getName() {
            return name;
        }

        public boolean equals(Object obj) {
            if (!(obj instanceof SimplePrincipal)) {
                return false;
            }

            return name.equals(((SimplePrincipal) obj).name);
        }

        public int hashCode() {
            return name.hashCode();
        }

        public String toString() {
            return name;
        }
    }

    public class SimpleGroup extends SimplePrincipal implements Group {
        private static final long serialVersionUID = -6684520988041121094L;
        private Set members = new HashSet();

        public SimpleGroup(String groupName) {
            super(groupName);
        }

        public SimpleGroup(String groupName, Principal member) {
            super(groupName);
            members.add(member);
        }

        public boolean isMember(Principal p) {
            return members.contains(p);
        }

        public boolean addMember(Principal p) {
            return members.add(p);
        }

        public Enumeration members() {

            final Iterator it = members.iterator();

            return new Enumeration() {

                public boolean hasMoreElements() {
                    return it.hasNext();
                }

                public Principal nextElement() {
                    return it.next();
                }

            };
        }

        public boolean removeMember(Principal p) {
            return members.remove(p);
        }

        public boolean equals(Object obj) {
            if (!(obj instanceof SimpleGroup)) {
                return false;
            }
            SimpleGroup other = (SimpleGroup) obj;
            return getName().equals(other.getName()) && members.equals(other.members);
        }

        public int hashCode() {
            return getName().hashCode() + 37 * members.hashCode();
        }
    }

}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy