Example #1
Source File: From openjdk-jdk8u-backup with GNU General Public License v2.0 | 9 votes |
/**
 * Test entry point: writes a krb5.conf with an enormous clockskew, installs a Subject
 * holding one Kerberos principal plus its AES-128 key, and accepts the pre-built token
 * while running as that Subject.
 *
 * @param args ignored
 * @throws Exception propagated from the config refresh or the GSS accept step
 */
public static void main(String[] args) throws Exception {
    // We don't care about clock difference
    // NOTE(review): the stream is never closed (no try-with-resources); the test relies
    // on JVM exit to release the file handle.
    new FileOutputStream("krb5.conf").write(
        "[libdefaults]\nclockskew=999999999".getBytes());
    // NOTE(review): the property name was lost in extraction ("" here); in the upstream
    // test it is the system property that points the Kerberos config at krb5.conf.
    System.setProperty("", "krb5.conf");
    Config.refresh();
    Subject subj = new Subject();
    // princ, key and token are fields declared outside this snippet
    KerberosPrincipal kp = new KerberosPrincipal(princ);
    KerberosKey kk = new KerberosKey(
        kp, key, EncryptedData.ETYPE_AES128_CTS_HMAC_SHA1_96, 0);
    subj.getPrincipals().add(kp);
    subj.getPrivateCredentials().add(kk);
    // Acceptor side: an accept-only credential with indefinite lifetime for the
    // Kerberos 5 mechanism, taken from the Subject's private credentials.
    Subject.doAs(subj, new PrivilegedExceptionAction() {
        public Object run() throws Exception {
            GSSManager man = GSSManager.getInstance();
            GSSContext ctxt = man.createContext(man.createCredential(
                null, GSSCredential.INDEFINITE_LIFETIME, GSSUtil.GSS_KRB5_MECH_OID,
                GSSCredential.ACCEPT_ONLY));
            return ctxt.acceptSecContext(token, 0, token.length);
        }
    });
}
Example #2
Source File: From datacollector with Apache License 2.0 | 6 votes |
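/**
 * Runs {@code privilegedExceptionAction} on behalf of {@code subject}.
 *
 * <p>On JDK 8 and 9 the action runs under a context built by {@code createContext} from
 * the subject and the caller's current context; on later JDKs it runs directly under the
 * caller's context, because the JDK issue this class patches is fixed there and the patched
 * context collides with the JDK's own handling.
 *
 * @param subject the subject to run as
 * @param privilegedExceptionAction the action to run; must not be null
 * @param <T> the action's result type
 * @return the action's result
 * @throws PrivilegedActionException if the action throws a checked exception
 * @throws NullPointerException if {@code privilegedExceptionAction} is null (a
 *         RuntimeException, so existing callers catching that type are unaffected)
 */
public static <T> T doAs(
    Subject subject,
    PrivilegedExceptionAction<T> privilegedExceptionAction
) throws PrivilegedActionException {
  checkDoAsPermission();
  if (privilegedExceptionAction == null) {
    throw new NullPointerException("No privileged exception action provided");
  }
  // The bug this class patches only affects JDK 8 & 9. In later JDKs the issue is fixed and
  // the patch collides with the JDK's own code, causing race conditions. The version test
  // therefore matches "8 & 9": patch for versions <= 9, plain AccessController for 10+.
  if (getJavaVersion() <= 9) {
    return AccessController.doPrivileged(privilegedExceptionAction,
        createContext(subject, AccessController.getContext()));
  }
  return AccessController.doPrivileged(privilegedExceptionAction, AccessController.getContext());
}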
Example #3
Source File: From jdk8u60 with GNU General Public License v2.0 | 6 votes |
/**
 * Obtains a credential that lets this context's Subject act as {@code someone}
 * (through ExtendedGSSCredential.impersonate) and wraps it in a new Context that shares
 * the same Subject.
 *
 * @param someone the user principal name to impersonate
 * @return a new Context whose credential is the impersonated one
 * @throws Exception the exception thrown by the privileged action, unwrapped
 */
public Context impersonate(final String someone) throws Exception {
    try {
        GSSCredential creds = Subject.doAs(s, new PrivilegedExceptionAction<GSSCredential>() {
            @Override
            public GSSCredential run() throws Exception {
                GSSManager m = GSSManager.getInstance();
                GSSName other = m.createName(someone, GSSName.NT_USER_NAME);
                // Lazily acquire this context's own initiator credential
                if (Context.this.cred == null) {
                    Context.this.cred = m.createCredential(GSSCredential.INITIATE_ONLY);
                }
                // impersonate() is the Sun extension entry point, hence the cast
                return ((ExtendedGSSCredential)Context.this.cred).impersonate(other);
            }
        });
        Context out = new Context();
        out.s = s;
        out.cred = creds;
        // NOTE(review): the assignment target was lost in extraction; upstream this sets
        // the new context's name to "<this name> as <impersonated credential name>".
        = name + " as " + out.cred.getName().toString();
        return out;
    } catch (PrivilegedActionException pae) {
        // Surface the action's own exception rather than the wrapper
        throw pae.getException();
    }
}
Example #4
Source File: From lams with GNU General Public License v2.0 | 6 votes |
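/**
 * Create a connection event listener
 *
 * <p>Creates a managed connection from the factory, records creation statistics when
 * they are enabled, and wraps the connection in a listener. If the listener cannot be
 * created the managed connection is destroyed so it does not leak; a failure of that
 * destroy is attached as a suppressed exception instead of masking the original one.
 *
 * @param subject the subject
 * @param cri the connection request information
 * @return the new listener
 * @throws ResourceException for any error
 */
private ConnectionListener createConnectionEventListener(Subject subject, ConnectionRequestInfo cri)
    throws ResourceException
{
    // Read the statistics switch once so timing and counters stay consistent
    // even if it is toggled while this call is in progress
    final boolean statsEnabled = pool.getInternalStatistics().isEnabled();
    long start = statsEnabled ? System.currentTimeMillis() : 0L;

    ManagedConnection mc = mcf.createManagedConnection(subject, cri);

    if (statsEnabled)
    {
        pool.getInternalStatistics().deltaTotalCreationTime(System.currentTimeMillis() - start);
        pool.getInternalStatistics().deltaCreatedCount();
    }

    try
    {
        return cm.createConnectionListener(mc, this);
    }
    catch (ResourceException re)
    {
        if (statsEnabled)
            pool.getInternalStatistics().deltaDestroyedCount();

        try
        {
            mc.destroy();
        }
        catch (ResourceException destroyFailure)
        {
            // Keep the original failure as the reported one
            re.addSuppressed(destroyFailure);
        }
        throw re;
    }
}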
Example #5
Source File: From openjdk-jdk8u with GNU General Public License v2.0 | 6 votes |
/**
 * Attempts a file write that the policy is expected to forbid, requiring an
 * AccessControlException, then runs the read-from-file negative action as the same Subject.
 *
 * @return whatever the nested ReadFromFileNegativeAction returns
 */
@Override
public Object run() {
    AccessControlContext currentAcc = AccessController.getContext();
    Subject current = Subject.getSubject(currentAcc);
    System.out.println("principals = " + current.getPrincipals());
    try {
        Utils.writeFile(filename);
        // Only reached when the write was (unexpectedly) permitted: clean up, then fail
        new File(filename).delete();
        throw new RuntimeException(
                "Test failed: no AccessControlException thrown");
    } catch (AccessControlException expected) {
        System.out.println(
                "AccessControlException thrown as expected: " + expected.getMessage());
    }
    return Subject.doAs(current, new ReadFromFileNegativeAction(filename));
}
Example #6
Source File: From steady with Apache License 2.0 | 6 votes |
/**
 * Builds a JAAS Subject from the UsernameToken on the message and replaces the message's
 * SecurityContext with one carrying both the existing user principal and that Subject.
 * When no token, no context or no user principal is present, the parent handler is used
 * unchanged.
 *
 * @param msg the inbound SOAP message
 * @throws Fault propagated from the parent handler
 */
@Override
public void handleMessage(SoapMessage msg) throws Fault {
    final SecurityToken token = msg.get(SecurityToken.class);
    final SecurityContext existing = msg.get(SecurityContext.class);
    final boolean hasAuthenticatedUser =
        token != null && existing != null && existing.getUserPrincipal() != null;
    if (!hasAuthenticatedUser) {
        super.handleMessage(msg);
        return;
    }
    // The token is expected to be a UsernameToken here; anything else fails the cast
    final UsernameToken usernameToken = (UsernameToken) token;
    final Subject subject = createSubject(usernameToken.getName(),
                                          usernameToken.getPassword(),
                                          usernameToken.isHashed(),
                                          usernameToken.getNonce(),
                                          usernameToken.getCreatedTime());
    msg.put(SecurityContext.class,
            doCreateSecurityContext(existing.getUserPrincipal(), subject));
}
Example #7
Source File: From jdk8u_jdk with GNU General Public License v2.0 | 6 votes |
/**
 * Logs the call and, when this interceptor is not in throwing mode, rejects fetches of
 * notifications from {@code domain:name=2,type=NB} by a Subject that holds the
 * {@code JMXPrincipal("role")} principal.
 *
 * @throws SecurityException when the rejection rule above matches
 */
@Override
public void fetchNotification(
        String connectionId,
        ObjectName name,
        Notification notification,
        Subject subject)
        throws SecurityException {
    echo("fetchNotification:");
    echo("\tconnectionId: " + connectionId);
    echo("\tname: " + name);
    echo("\tnotification: " + notification);
    echo("\tsubject: " + (subject == null ? null : subject.getPrincipals()));
    if (throwException) {
        return;
    }
    // Same evaluation order as before: the name is compared before the Subject is touched
    final boolean rejected = name.getCanonicalName().equals("domain:name=2,type=NB")
            && subject != null
            && subject.getPrincipals().contains(new JMXPrincipal("role"));
    if (rejected) {
        throw new SecurityException();
    }
}
Example #8
Source File: From lams with GNU General Public License v2.0 | 6 votes |
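/**
 * Creates a LoginContext for the given security domain inside a privileged block.
 *
 * @param securityDomain the JAAS configuration entry name
 * @param subject the Subject handed to the LoginContextAction
 * @param handler the CallbackHandler handed to the LoginContextAction
 * @return the new LoginContext
 * @throws LoginException if the privileged action fails; a failure that is not already a
 *         LoginException is wrapped in one with the original kept as its cause
 */
static LoginContext createLoginContext(String securityDomain, Subject subject, CallbackHandler handler)
    throws LoginException
{
    LoginContextAction action = new LoginContextAction(securityDomain, subject, handler);
    try
    {
        return AccessController.doPrivileged(action);
    }
    catch (PrivilegedActionException e)
    {
        Exception ex = e.getException();
        if (ex instanceof LoginException)
            throw (LoginException) ex;
        // LoginException has no (String, Throwable) constructor; attach the cause via
        // initCause so the original stack trace is not lost
        LoginException wrapped = new LoginException(ex.getLocalizedMessage());
        wrapped.initCause(ex);
        throw wrapped;
    }
}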
Example #9
Source File: From ironjacamar with Eclipse Public License 1.0 | 6 votes |
/**
 * Returns a matched connection from the candidate set of connections.
 *
 * <p>The first candidate that is a HelloWorldManagedConnection is returned; the subject
 * and request info are not compared against the candidates.
 *
 * @param connectionSet Candidate connection set
 * @param subject Caller's security information
 * @param cxRequestInfo Additional resource adapter specific connection request information
 * @throws ResourceException generic exception
 * @return ManagedConnection if resource adapter finds an acceptable match otherwise null
 */
public ManagedConnection matchManagedConnections(Set connectionSet,
                                                 Subject subject,
                                                 ConnectionRequestInfo cxRequestInfo)
   throws ResourceException
{
   ManagedConnection result = null;
   Iterator it = connectionSet.iterator();
   while (result == null && it.hasNext())
   {
      // NOTE(review): the iterator call was lost in extraction; upstream this line reads
      // the next element of the candidate set and casts it.
      ManagedConnection mc = (ManagedConnection);
      if (mc instanceof HelloWorldManagedConnection)
      {
         HelloWorldManagedConnection hwmc = (HelloWorldManagedConnection)mc;
         result = hwmc;
      }
   }
   return result;
}
Example #10
Source File: From openjdk-8 with GNU General Public License v2.0 | 6 votes |
/**
 * Test entry point: builds a Subject with one principal and one private credential, then
 * runs a privileged action as that Subject which iterates over the Subject's private
 * credentials.
 *
 * @param args ignored
 * @throws Exception rethrown after printing the failure
 */
public static void main(String[] args) throws Exception {
    Subject s = new Subject();
    // NOTE(review): the principal constructor name was lost in extraction; the argument
    // is the X.500 name "CN=test".
    s.getPrincipals().add (new"CN=test"));
    s.getPrivateCredentials().add(new String("test"));
    try {
        // A null AccessControlContext: per Subject.doAsPrivileged, the caller's
        // context is not combined into the action's context.
        Subject.doAsPrivileged(s, new PrivilegedAction() {
            public Object run() {
                java.util.Iterator i = Subject.getSubject
                    (AccessController.getContext ()).getPrivateCredentials().iterator();
                // NOTE(review): the returned expression was lost in extraction.
                return;
            }
        }, null);
        System.out.println("Test succeeded");
    } catch (Exception e) {
        System.out.println("Test failed");
        e.printStackTrace();
        throw e;
    }
}
Example #11
Source File: From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
/**
 * Verifies that at least one principal of {@code subject} has an entry in the access file.
 *
 * @param subject the authenticated Subject
 * @throws SecurityException when the Subject is null or none of its principals is listed
 */
private void checkAccessFileEntries(Subject subject) {
    if (subject == null) {
        throw new SecurityException(
                "Access denied! No matching entries found in " +
                "the access file [" + accessFile + "] as the " +
                "authenticated Subject is null");
    }
    final Set<Principal> principals = subject.getPrincipals();
    final boolean anyListed = principals.stream()
            .map(Principal::getName)
            .anyMatch(properties::containsKey);
    if (anyListed) {
        return;
    }
    // Name every identity that was tried so the rejection is diagnosable
    final Set<String> principalsStr = new HashSet<>();
    principals.forEach(p -> principalsStr.add(p.getName()));
    throw new SecurityException(
            "Access denied! No entries found in the access file [" +
            accessFile + "] for any of the authenticated identities " +
            principalsStr);
}
Example #12
Source File: From knox with Apache License 2.0 | 6 votes |
/**
 * With both case-mapping init parameters set to "upper" and no principal mapping, the
 * primary principal must be upper-cased and no group principals mapped.
 *
 * @throws Exception from filter initialization
 */
@Test
public void testNoGroups() throws Exception {
  FilterConfig config = EasyMock.createNiceMock( FilterConfig.class );
  // NOTE(review): both init-parameter names were lost in extraction ("" here); presumably
  // the filter's principal-case and group-case parameters.
  EasyMock.expect( config.getInitParameter( "" ) ).andReturn( "upper" ).anyTimes();
  EasyMock.expect( config.getInitParameter( "" ) ).andReturn( "upper" ).anyTimes();
  EasyMock.expect(config.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes();
  ServletContext context = EasyMock.createNiceMock(ServletContext.class);
  EasyMock.expect(config.getServletContext() ).andReturn( context ).anyTimes();
  EasyMock.expect(context.getInitParameter("principal.mapping") ).andReturn( "" ).anyTimes();
  EasyMock.replay( config );
  EasyMock.replay( context );

  SwitchCaseIdentityAssertionFilter filter = new SwitchCaseIdentityAssertionFilter();
  Subject subject = new Subject();
  // NOTE(review): the principal name was lost in extraction; the assertion below expects
  // it to upper-case to MEMBER@US.APACHE.ORG.
  subject.getPrincipals().add(new PrimaryPrincipal( "" ) );
  filter.init(config);
  String actual = filter.mapUserPrincipal(((Principal) subject.getPrincipals(PrimaryPrincipal.class).toArray()[0]).getName());
  String[] groups = filter.mapGroupPrincipals(actual, subject);
  assertThat( actual, is( "MEMBER@US.APACHE.ORG" ) );
  assertThat( groups, is( nullValue() ) );
}
Example #13
Source File: From jdk8u-jdk with GNU General Public License v2.0 | 6 votes |
/**
 * Logs the call and, when this interceptor is in throwing mode, rejects listener
 * registration on {@code domain:name=1,type=NB} by a Subject that holds the
 * {@code JMXPrincipal("role")} principal.
 *
 * @throws SecurityException when the rejection rule above matches
 */
@Override
public void addNotificationListener(
        String connectionId,
        ObjectName name,
        Subject subject)
        throws SecurityException {
    echo("addNotificationListener:");
    echo("\tconnectionId: " + connectionId);
    echo("\tname: " + name);
    echo("\tsubject: " + (subject == null ? null : subject.getPrincipals()));
    if (!throwException) {
        return;
    }
    // Same evaluation order as before: the name is compared before the Subject is touched
    final boolean rejected = name.getCanonicalName().equals("domain:name=1,type=NB")
            && subject != null
            && subject.getPrincipals().contains(new JMXPrincipal("role"));
    if (rejected) {
        throw new SecurityException();
    }
}
Example #14
Source File: From scheduling with GNU Affero General Public License v3.0 | 6 votes |
/**
 * With a SecurityManager that rejects "user" installed, selecting two nodes as "admin"
 * from the free nodes mocked for "admin" and "user" must yield exactly one node.
 *
 * @throws Exception from the selection manager
 */
@Test
public void selectWithDifferentPermissions() throws Exception {
    PAResourceManagerProperties.RM_SELECTION_MAX_THREAD_NUMBER.updateProperty("10");
    System.out.println("PAResourceManagerProperties.RM_SELECTION_MAX_THREAD_NUMBER=" +
                       PAResourceManagerProperties.RM_SELECTION_MAX_THREAD_NUMBER);
    // NOTE(review): the SecurityManager is JVM-wide and is not restored within this
    // method; the restore presumably lives in the test's teardown, not visible here.
    System.setSecurityManager(securityManagerRejectingUser());

    RMCore.topologyManager = mock(TopologyManager.class);
    when(RMCore.topologyManager.getHandler(Matchers.<TopologyDescriptor> any()))
            .thenReturn(selectAllTopology());
    RMCore rmCore = mock(RMCore.class);
    SelectionManager selectionManager = createSelectionManager(rmCore);

    ArrayList<RMNode> freeNodes = new ArrayList<>();
    freeNodes.add(createMockedNode("admin"));
    freeNodes.add(createMockedNode("user"));
    when(rmCore.getFreeNodes()).thenReturn(freeNodes);

    Criteria twoArbitrary = new Criteria(2);
    twoArbitrary.setTopology(TopologyDescriptor.ARBITRARY);

    Subject admin = Subjects.create("admin");
    NodeSet selected = selectionManager.selectNodes(twoArbitrary, new Client(admin, false));
    assertEquals(1, selected.size());
}
Example #15
Source File: From jdk8u_jdk with GNU General Public License v2.0 | 6 votes |
/**
 * Test entry point: exercises testImplies with a null Subject (which must not throw
 * NullPointerException) and with principal sets that do and do not contain "CN=Duke".
 *
 * @param args ignored
 * @throws Exception from testImplies
 */
public static void main(String[] args) throws Exception {
    X500Principal duke = new X500Principal("CN=Duke");
    // should not throw NullPointerException
    testImplies(duke, (Subject)null, false);

    Set<Principal> principals = new HashSet<>();
    principals.add(duke);
    testImplies(duke, principals, true);

    // An additional, different X.500 principal must not break the match
    X500Principal tux = new X500Principal("CN=Tux");
    principals.add(tux);
    testImplies(duke, principals, true);

    // NOTE(review): the Kerberos principal name was lost in extraction ("" here);
    // a principal of another type alongside duke must still match.
    principals.add(new KerberosPrincipal(""));
    testImplies(duke, principals, true);

    // Only tux left: no match expected
    principals.clear();
    principals.add(tux);
    testImplies(duke, principals, false);
    System.out.println("test passed");
}
Example #16
Source File: From streamline with Apache License 2.0 | 6 votes |
/**
 * Issues a GET to the Storm REST API as the configured Subject and returns the JSON body
 * decoded into a Map.
 *
 * @param requestUrl the full URL to request
 * @return the decoded response
 * @throws StormNotReachableException when an IOException is found two levels down the
 *         cause chain
 * @throws WrappedWebApplicationException when the cause is a WebApplicationException
 */
private Map doGetRequest(String requestUrl) {
    try {
        LOG.debug("GET request to Storm cluster: " + requestUrl);
        // Run the HTTP call with the Subject's credentials
        return Subject.doAs(subject, new PrivilegedAction<Map>() {
            @Override
            public Map run() {
                // NOTE(review): the first argument (the request target built from
                // requestUrl) was lost in extraction.
                return JsonClientUtil.getEntity(, STORM_REST_API_MEDIA_TYPE, Map.class);
            }
        });
    } catch (RuntimeException ex) {
        Throwable cause = ex.getCause();
        // JsonClientUtil wraps exception, so need to compare
        // NOTE(review): the exception type tested here was lost in extraction.
        if (cause instanceof {
            if (ex.getCause().getCause() instanceof IOException) {
                throw new StormNotReachableException("Exception while requesting " + requestUrl, ex);
            }
        } else if (cause instanceof WebApplicationException) {
            throw WrappedWebApplicationException.of((WebApplicationException)cause);
        }
        // Anything else is propagated untouched
        throw ex;
    }
}
Example #17
Source File: From jdk8u_jdk with GNU General Public License v2.0 | 6 votes |
/**
 * Attempts a file write that the policy is expected to forbid, requiring an
 * AccessControlException, then runs the read-from-file negative action as the same Subject.
 *
 * @return whatever the nested ReadFromFileNegativeAction returns
 */
@Override
public Object run() {
    AccessControlContext currentAcc = AccessController.getContext();
    Subject current = Subject.getSubject(currentAcc);
    System.out.println("principals = " + current.getPrincipals());
    try {
        Utils.writeFile(filename);
        // Only reached when the write was (unexpectedly) permitted: clean up, then fail
        new File(filename).delete();
        throw new RuntimeException(
                "Test failed: no AccessControlException thrown");
    } catch (AccessControlException expected) {
        System.out.println(
                "AccessControlException thrown as expected: " + expected.getMessage());
    }
    return Subject.doAs(current, new ReadFromFileNegativeAction(filename));
}
Example #18
Source File: From ranger with Apache License 2.0 | 6 votes |
/**
 * JAAS LoginModule initialization: keeps the shared state map and seeds it with the user
 * name (as a String) and the password (as a char[]) taken from the module options, when
 * those options are present.
 *
 * @param subject not used here
 * @param callbackhandler not used here
 * @param sharedMap the shared state map, retained as this module's shared state
 * @param options module options; may be null
 */
@SuppressWarnings("unchecked")
@Override
public void initialize(Subject subject, CallbackHandler callbackhandler, Map<String, ?> sharedMap, Map<String, ?> options) {
    this.sharedState = sharedMap;
    if (options == null) {
        return;
    }
    final String optionUser = (String) options.get(USERNAME_PARAM);
    if (optionUser != null) {
        this.sharedState.put(USERNAME_PARAM, optionUser);
    }
    final String optionPassword = (String) options.get(PASSWORD_PARAM);
    if (optionPassword != null) {
        // Shared as a char[]; the String option itself cannot be cleared afterwards
        this.sharedState.put(PASSWORD_PARAM, optionPassword.toCharArray());
    }
}
Example #19
Source File: From jdk8u-dev-jdk with GNU General Public License v2.0 | 6 votes |
/**
 * Test entry point: churns a Subject's principal set from a second thread while the main
 * thread repeatedly requests the X500Principal view, presumably to surface concurrent
 * modification problems in getPrincipals(Class).
 *
 * @param args ignored
 */
public static void main(String[] args) {
    Subject subject = new Subject();
    final Set principals = subject.getPrincipals();
    principals.add(new X500Principal("CN=Alice"));

    // Background writer: add and remove the same principal until the main loop is done
    Thread churn = new Thread(new Runnable() {
        public void run() {
            X500Principal bob = new X500Principal("CN=Bob");
            while (!finished) {
                principals.add(bob);
                principals.remove(bob);
            }
        }
    });
    churn.start();

    for (int round = 0; round < 1000; round++) {
        subject.getPrincipals(X500Principal.class);
    }
    finished = true;
}
Example #20
Source File: From openjdk-8-source with GNU General Public License v2.0 | 5 votes |
/**
 * Registers, on the server side, a listener for MBean unregistration notifications from
 * the MBeanServer delegate and returns the server-assigned listener id.
 *
 * <p>If the first attempt fails with an IOException the communicator admin is notified
 * and the registration is attempted exactly once more; the retry's IOException propagates.
 *
 * @return the listener id assigned by the server
 * @throws IOException if the retry also fails with an IOException
 * @throws InstanceNotFoundException if the delegate MBean is not found
 */
protected Integer addListenerForMBeanRemovedNotif()
    throws IOException, InstanceNotFoundException {
    NotificationFilterSupport clientFilter =
        new NotificationFilterSupport();
    clientFilter.enableType(
        MBeanServerNotification.UNREGISTRATION_NOTIFICATION);
    MarshalledObject<NotificationFilter> sFilter =
        new MarshalledObject<NotificationFilter>(clientFilter);

    Integer[] listenerIDs;
    final ObjectName[] names =
        new ObjectName[] {MBeanServerDelegate.DELEGATE_NAME};
    final MarshalledObject<NotificationFilter>[] filters =
        Util.cast(new MarshalledObject<?>[] {sFilter});
    // A null delegation subject for the single listener being added
    final Subject[] subjects = new Subject[] {null};
    try {
        listenerIDs =
            connection.addNotificationListeners(names, filters,
                                                subjects);
    } catch (IOException ioe) {
        // Let the communicator admin react to the failure before the single retry
        communicatorAdmin.gotIOException(ioe);
        listenerIDs =
            connection.addNotificationListeners(names, filters,
                                                subjects);
    }
    return listenerIDs[0];
}
Example #21
Source File: From ci.maven with Apache License 2.0 | 5 votes |
/**
 * Creates a fresh HelloWorldConnectionImpl bound to this managed connection, records it in
 * the {@code connection} field and returns it; the subject and request info are not used.
 *
 * @see ManagedConnection#getConnection(Subject, ConnectionRequestInfo)
 */
public Object getConnection(Subject subject,
                            ConnectionRequestInfo cxRequestInfo) throws ResourceException
{
   HelloWorldConnectionImpl handle = new HelloWorldConnectionImpl(this);
   this.connection = handle;
   return handle;
}
Example #22
Source File: From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
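/**
 * Check that the principal contained in the Subject is of
 * type JMXPrincipal and refers to the "monitorRole" identity.
 *
 * <p>The Subject is taken from the current AccessControlContext. A missing Subject or an
 * empty principal set is rejected with a SecurityException instead of surfacing as a
 * NullPointerException or NoSuchElementException. Only the first principal is examined.
 *
 * @throws SecurityException if there is no authenticated Subject, no principal, a
 *         principal of another type, or a principal whose name is not "monitorRole"
 */
private void checkSubject() {
    AccessControlContext acc = AccessController.getContext();
    Subject subject = Subject.getSubject(acc);
    if (subject == null)
        throw new SecurityException("No authenticated subject in the " +
                                    "access control context");
    Set<Principal> principals = subject.getPrincipals();
    if (principals.isEmpty())
        throw new SecurityException("Authenticated subject contains " +
                                    "no principal");
    Principal principal = principals.iterator().next();
    if (!(principal instanceof JMXPrincipal))
        throw new SecurityException("Authenticated subject contains " +
                                    "invalid principal type = " +
                                    principal.getClass().getName());
    String identity = principal.getName();
    if (!identity.equals("monitorRole"))
        throw new SecurityException("Authenticated subject contains " +
                                    "invalid principal name = " + identity);
}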
Example #23
Source File: From qpid-broker-j with Apache License 2.0 | 5 votes |
/**
 * When the rule set throws while checking ACCESS on the virtual host, the access control
 * must answer DENIED rather than propagate the failure.
 *
 * @throws Exception from the privileged action
 */
@Test
public void testAccessIsDeniedIfRuleThrowsException() throws Exception {
    final Subject subject = TestPrincipalUtils.createTestSubject("user1");
    final InetSocketAddress remote =
            new InetSocketAddress(InetAddress.getLocalHost(), 1);
    final AMQPConnection connectionModel = mock(AMQPConnection.class);
    when(connectionModel.getRemoteSocketAddress()).thenReturn(remote);
    subject.getPrincipals().add(new ConnectionPrincipal(connectionModel));

    Subject.doAs(subject, new PrivilegedExceptionAction<Object>() {
        @Override
        public Object run() throws Exception {
            final RuleSet failingRules = mock(RuleSet.class);
            when(failingRules.check(subject,
                                    LegacyOperation.ACCESS,
                                    ObjectType.VIRTUALHOST,
                                    ObjectProperties.EMPTY)).thenThrow(new RuntimeException());
            final RuleBasedAccessControl accessControl =
                    new RuleBasedAccessControl(failingRules, BrokerModel.getInstance());
            final Result result = accessControl.authorise(LegacyOperation.ACCESS,
                                                          ObjectType.VIRTUALHOST,
                                                          ObjectProperties.EMPTY);
            assertEquals(Result.DENIED, result);
            return null;
        }
    });
}
Example #24
Source File: From openjdk-8 with GNU General Public License v2.0 | 5 votes |
/**
 * Registers, on the server side, a listener for MBean unregistration notifications from
 * the MBeanServer delegate and returns the server-assigned listener id.
 *
 * <p>If the first attempt fails with an IOException the communicator admin is notified
 * and the registration is attempted exactly once more; the retry's IOException propagates.
 *
 * @return the listener id assigned by the server
 * @throws IOException if the retry also fails with an IOException
 * @throws InstanceNotFoundException if the delegate MBean is not found
 */
protected Integer addListenerForMBeanRemovedNotif()
    throws IOException, InstanceNotFoundException {
    NotificationFilterSupport clientFilter =
        new NotificationFilterSupport();
    clientFilter.enableType(
        MBeanServerNotification.UNREGISTRATION_NOTIFICATION);
    MarshalledObject<NotificationFilter> sFilter =
        new MarshalledObject<NotificationFilter>(clientFilter);

    Integer[] listenerIDs;
    final ObjectName[] names =
        new ObjectName[] {MBeanServerDelegate.DELEGATE_NAME};
    final MarshalledObject<NotificationFilter>[] filters =
        Util.cast(new MarshalledObject<?>[] {sFilter});
    // A null delegation subject for the single listener being added
    final Subject[] subjects = new Subject[] {null};
    try {
        listenerIDs =
            connection.addNotificationListeners(names, filters,
                                                subjects);
    } catch (IOException ioe) {
        // Let the communicator admin react to the failure before the single retry
        communicatorAdmin.gotIOException(ioe);
        listenerIDs =
            connection.addNotificationListeners(names, filters,
                                                subjects);
    }
    return listenerIDs[0];
}
Example #25
Source File: From qpid-broker-j with Apache License 2.0 | 5 votes |
/**
 * A bearer token for the unauthorized test user must still yield a Subject whose first
 * principal carries that user's name.
 *
 * @throws Exception from the authenticator
 */
@Test
public void testAttemptAuthenticationUnauthorizedUser() throws Exception {
    final HttpServletRequest request = mock(HttpServletRequest.class);
    when(request.getServerName()).thenReturn("localhost");
    when(request.getHeader("Authorization"))
            .thenReturn("Bearer " + TEST_UNAUTHORIZED_ACCESS_TOKEN);

    final Subject subject = _authenticator.attemptAuthentication(request, _mockConfiguration);
    assertNotNull("Authenticator failed unexpectedly", subject);

    final Principal first = subject.getPrincipals().iterator().next();
    assertEquals("Subject created with unexpected principal",
                 TEST_UNAUTHORIZED_USER, first.getName());
}
Example #26
Source File: From JDKSourceCode1.8 with MIT License | 5 votes |
/**
 * Returns the AccessControlContext to use when acting as {@code delegatedSubject}.
 *
 * <p>Every principal of the delegated Subject is turned into a SubjectDelegationPermission
 * named {@code <principal class name>.<principal name>}, and all of them are checked under
 * {@code authenticatedACC} — the authenticated caller's context — before delegating.
 *
 * @param authenticatedACC the authenticated caller's context; must not be null when a
 *        SecurityManager is installed
 * @param delegatedSubject the Subject to assume
 * @param removeCallerContext passed through to getDelegatedAcc
 * @return the context produced by getDelegatedAcc
 * @throws SecurityException if a SecurityManager is installed and {@code authenticatedACC}
 *         is null, or if any delegation permission check fails
 */
public AccessControlContext delegatedContext(AccessControlContext authenticatedACC,
                                             Subject delegatedSubject,
                                             boolean removeCallerContext)
    throws SecurityException {

    if (System.getSecurityManager() != null && authenticatedACC == null) {
        throw new SecurityException("Illegal AccessControlContext: null");
    }

    // One SubjectDelegationPermission per principal of the delegated subject
    Collection<Principal> delegatedPrincipals = getSubjectPrincipals(delegatedSubject);
    final Collection<Permission> required = new ArrayList<>(delegatedPrincipals.size());
    for (Principal principal : delegatedPrincipals) {
        required.add(new SubjectDelegationPermission(
                principal.getClass().getName() + "." + principal.getName()));
    }

    // Check under the *authenticated* context so the decision is made for the caller's
    // identity rather than for this class's own protection domain
    PrivilegedAction<Void> checkAll = new PrivilegedAction<Void>() {
        public Void run() {
            for (Permission permission : required) {
                AccessController.checkPermission(permission);
            }
            return null;
        }
    };
    AccessController.doPrivileged(checkAll, authenticatedACC);

    return getDelegatedAcc(delegatedSubject, removeCallerContext);
}
Example #27
Source File: From jdk8u-jdk with GNU General Public License v2.0 | 5 votes |
/**
 * Does something using the Subject inside
 *
 * <p>Runs {@code action} as this context's Subject {@code s} and returns its result; an
 * exception thrown by the action is unwrapped from the PrivilegedActionException.
 *
 * @param action the action
 * @param in the input byte
 * @return the output byte
 * @throws java.lang.Exception whatever the action threw
 */
public byte[] doAs(final Action action, final byte[] in) throws Exception {
    try {
        return Subject.doAs(s, new PrivilegedExceptionAction<byte[]>() {
            @Override
            public byte[] run() throws Exception {
                // NOTE(review): the callee was lost in extraction; upstream this invokes
                // the action with this context and the input bytes.
                return, in);
            }
        });
    } catch (PrivilegedActionException pae) {
        throw pae.getException();
    }
}
Example #28
Source File: From hottub with GNU General Public License v2.0 | 5 votes |
/**
 * Test entry point: with a SecurityManager and the test policy installed, checks that
 * InetAddress.getLocalHost() called through Subject.doAsPrivileged (as a Subject holding
 * MyPrincipal "test") does not return the same address as the plain call made under the
 * SecurityManager.
 *
 * @param args ignored
 * @throws Exception on host name resolution failure or test failure
 */
public static void main(String[] args) throws Exception {
    // try setting the local hostname
    InetAddress localHost = InetAddress.getLocalHost();
    if (localHost.isLoopbackAddress()) {
        // The test cannot distinguish real from loopback here; skip rather than fail
        System.err.println("Local host name is resolved into a loopback address. Quit now!");
        return;
    }
    // NOTE(review): the property name was lost in extraction ("" here); it receives the
    // resolved local host name.
    System.setProperty("", localHost.getHostName());

    String policyFileName = System.getProperty("test.src", ".") +
                            "/" + "policy.file";
    // NOTE(review): this property name was lost in extraction too; it points the
    // SecurityManager at the policy file built above.
    System.setProperty("", policyFileName);
    System.setSecurityManager(new SecurityManager());

    InetAddress localHost1 = null;
    InetAddress localHost2 = null;

    // Resolved under the SecurityManager, without any Subject
    localHost1 = InetAddress.getLocalHost();

    Subject mySubject = new Subject();
    MyPrincipal userPrincipal = new MyPrincipal("test");
    mySubject.getPrincipals().add(userPrincipal);
    // Resolved inside MyAction as the Subject; null context per doAsPrivileged
    localHost2 = (InetAddress)Subject.doAsPrivileged(mySubject, new MyAction(), null);

    // The two results are expected to differ; presumably the policy lets only the
    // Subject's principal resolve the real address (verify against policy.file)
    if (localHost1.equals(localHost2)) {
        System.out.println("localHost1 = " + localHost1);
        throw new RuntimeException("InetAddress.getLocalHost() test " +
                                   " fails. localHost2 should be " +
                                   " the real address instead of " +
                                   " the loopback address."+localHost2);
    }
}
Example #29
Source File: From jdk1.8-source-analysis with Apache License 2.0 | 5 votes |
/**
 * Remote {@code isInstanceOf}: asks the server whether the MBean {@code name} is an
 * instance of {@code className}, running the operation under {@code delegationSubject}.
 *
 * @param name the MBean name; must not be null
 * @param className the class name to test against
 * @param delegationSubject the Subject the operation is delegated to
 * @return the server's answer
 * @throws InstanceNotFoundException if the MBean does not exist on the server
 * @throws IOException if communication fails or the server threw an unexpected exception
 */
public boolean isInstanceOf(ObjectName name,
                            String className,
                            Subject delegationSubject)
        throws InstanceNotFoundException, IOException {

    checkNonNull("ObjectName", name);

    try {
        final Object[] params = { name, className };
        if (logger.debugOn())
            logger.debug("isInstanceOf", "connectionId=" + connectionId
                         + ", name=" + name
                         + ", className=" + className);

        final Boolean answer = (Boolean) doPrivilegedOperation(
                IS_INSTANCE_OF, params, delegationSubject);
        return answer.booleanValue();
    } catch (PrivilegedActionException pe) {
        // Re-throw the server-side exception in its original type when the signature
        // allows it; anything else becomes an IOException
        final Exception e = extractException(pe);
        if (e instanceof InstanceNotFoundException)
            throw (InstanceNotFoundException) e;
        if (e instanceof IOException)
            throw (IOException) e;
        throw newIOException("Got unexpected server exception: " + e, e);
    }
}
Example #30
Source File: From keycloak with Apache License 2.0 | 5 votes |
/**
 * Authenticates {@code username} against Kerberos through a JAAS login and returns the
 * resulting Subject.
 *
 * @param username username without Kerberos realm attached
 * @param password kerberos password
 * @return the Subject populated by the JAAS login
 * @throws LoginException if the Kerberos login fails
 */
public Subject authenticateSubject(String username, String password) throws LoginException {
    final String principal = getKerberosPrincipal(username);
    logger.debug("Validating password of principal: " + principal);

    // The entry name is irrelevant because an explicit Configuration is supplied
    loginContext = new LoginContext("does-not-matter",
                                    null,
                                    createJaasCallbackHandler(principal, password),
                                    createJaasConfiguration());
    loginContext.login();

    logger.debug("Principal " + principal + " authenticated succesfully");
    return loginContext.getSubject();
}