org.wildfly.security.auth.server.SecurityIdentity Java Examples

Example #1
Source File: ElytronToJaasFilter.java    From taskana with Apache License 2.0 7 votes vote down vote up
/**
 * Bridges the Elytron {@code SecurityIdentity} of the current request into the JAAS
 * {@code Subject}, then continues down the filter chain.
 *
 * <p>The Subject is only populated where it is still empty: the identity's principal is added
 * only when the Subject carries no principals at all, and one {@code GroupPrincipal} per Elytron
 * role is added only when the Subject carries no {@code GroupPrincipal} yet. Principals already
 * present on the Subject are never replaced.
 *
 * <p>If no Elytron identity is available, or no Subject can be obtained for the request, nothing
 * is copied and the request still proceeds down the chain unchanged.
 *
 * @param request  the current request; handed to {@code obtainSubject} and to the chain
 * @param response the current response; handed to the chain untouched
 * @param chain    the remaining filter chain, always invoked exactly once
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
    throws IOException, ServletException {
  SecurityIdentity identity = getSecurityIdentity();
  if (identity == null) {
    chain.doFilter(request, response);
    return;
  }
  Roles roles = identity.getRoles();
  Subject subject = obtainSubject(request);
  if (subject != null) {
    if (subject.getPrincipals().isEmpty()) {
      subject.getPrincipals().add(identity.getPrincipal());
    }
    if (subject.getPrincipals(GroupPrincipal.class).isEmpty()) {
      // one JAAS group per Elytron role; only done when no group principal exists yet
      roles.forEach(role -> subject.getPrincipals().add(new GroupPrincipal(role)));
    }
  }
  chain.doFilter(request, response);
}
 
Example #2
Source File: MBeanServerService.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Creates the service; only stores its configuration, no MBean server is created here.
 *
 * @param resolvedDomainName             JMX domain name used for resolved model values
 * @param expressionsDomainName          JMX domain name used for unresolved expression values
 * @param legacyWithProperPropertyFormat whether legacy object names use the proper property format
 * @param coreMBeanSensitivity           whether core (non-facade) MBeans are treated as sensitive
 * @param auditLoggerInfo                audit logger for management operations
 * @param authorizer                     authorizer consulted for JMX operations
 * @param securityIdentitySupplier       supplies the identity of the calling user
 * @param jmxEffect                      effect classification applied to JMX operations
 * @param processType                    the type of the running process
 * @param isMasterHc                     whether this process is the master host controller
 */
private MBeanServerService(final String resolvedDomainName, final String expressionsDomainName, final boolean legacyWithProperPropertyFormat,
                           final boolean coreMBeanSensitivity,
                           final ManagedAuditLogger auditLoggerInfo, final JmxAuthorizer authorizer, final Supplier<SecurityIdentity> securityIdentitySupplier,
                           final JmxEffect jmxEffect,
                           final ProcessType processType, final boolean isMasterHc) {
    // naming configuration
    this.resolvedDomainName = resolvedDomainName;
    this.expressionsDomainName = expressionsDomainName;
    this.legacyWithProperPropertyFormat = legacyWithProperPropertyFormat;
    // security / audit configuration
    this.coreMBeanSensitivity = coreMBeanSensitivity;
    this.authorizer = authorizer;
    this.securityIdentitySupplier = securityIdentitySupplier;
    this.jmxEffect = jmxEffect;
    this.auditLoggerInfo = auditLoggerInfo;
    // process configuration
    this.processType = processType;
    this.isMasterHc = isMasterHc;
}
 
Example #3
Source File: RoleMappersTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Verifies the role mapper configured for {@code TestDomain4}: user1 ends up with both the
 * mapped role and the two original groups, and never with an unrelated group.
 */
@Test
public void testKeepBothMappedRoleMapper() throws Exception {
    init("TestDomain4");

    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain4");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // authenticate and authorize user1 before asking for the identity
    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user1");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();

    Roles roles = identity.getRoles();
    for (String expected : new String[] {"mappedGroup", "firstGroup", "secondGroup"}) {
        Assert.assertTrue("missing role " + expected, roles.contains(expected));
    }
    Assert.assertFalse(roles.contains("notInThisGroup"));
    Assert.assertEquals("user1", identity.getPrincipal().getName());
}
 
Example #4
Source File: RoleMappersTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Verifies the regex role mapper configured for {@code TestDomain7}: user3 receives the plain
 * roles ({@code admin}, {@code user}, {@code joe}) while the decorated variants are absent.
 */
@Test
public void testRegexRoleMapper3() throws Exception {
    init("TestDomain7");

    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain7");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user3");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();

    Roles roles = identity.getRoles();
    for (String expected : new String[] {"admin", "user", "joe"}) {
        Assert.assertTrue("missing role " + expected, roles.contains(expected));
    }
    for (String unexpected : new String[] {"application-user", "123-admin-123", "aa-user-aa"}) {
        Assert.assertFalse("unexpected role " + unexpected, roles.contains(unexpected));
    }
    Assert.assertEquals("user3", identity.getPrincipal().getName());
}
 
Example #5
Source File: RoleMappersTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Verifies the regex role mapper configured for {@code TestDomain5}: user2 receives
 * {@code application-user} only, and neither {@code 123-user} nor {@code joe}.
 */
@Test
public void testRegexRoleMapper() throws Exception {
    init("TestDomain5");

    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain5");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user2");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();

    Roles roles = identity.getRoles();
    Assert.assertTrue(roles.contains("application-user"));
    for (String unexpected : new String[] {"123-user", "joe"}) {
        Assert.assertFalse("unexpected role " + unexpected, roles.contains(unexpected));
    }
    Assert.assertEquals("user2", identity.getPrincipal().getName());
}
 
Example #6
Source File: RoleMappersTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Verifies the role mapper configured for {@code TestDomain3}: user1 receives the mapped role
 * and the non-mapped {@code secondGroup}, but the mapped-away {@code firstGroup} is dropped.
 */
@Test
public void testKeepNonMappedRoleMapper() throws Exception {
    init("TestDomain3");

    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain3");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user1");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();

    Roles roles = identity.getRoles();
    for (String expected : new String[] {"mappedGroup", "secondGroup"}) {
        Assert.assertTrue("missing role " + expected, roles.contains(expected));
    }
    for (String unexpected : new String[] {"firstGroup", "notInThisGroup"}) {
        Assert.assertFalse("unexpected role " + unexpected, roles.contains(unexpected));
    }
    Assert.assertEquals("user1", identity.getPrincipal().getName());
}
 
Example #7
Source File: RoleMappersTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Verifies the role mapper configured for {@code TestDomain2}: user1 keeps the mapped role and
 * the source group {@code firstGroup}, while {@code secondGroup} is not carried over.
 */
@Test
public void testKeepMappedRoleMapper() throws Exception {
    init("TestDomain2");

    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain2");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user1");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();

    Roles roles = identity.getRoles();
    for (String expected : new String[] {"mappedGroup", "firstGroup"}) {
        Assert.assertTrue("missing role " + expected, roles.contains(expected));
    }
    for (String unexpected : new String[] {"secondGroup", "notInThisGroup"}) {
        Assert.assertFalse("unexpected role " + unexpected, roles.contains(unexpected));
    }
    Assert.assertEquals("user1", identity.getPrincipal().getName());
}
 
Example #8
Source File: RoleMappersTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Verifies the role mapper configured for {@code TestDomain1}: user1 receives only the mapped
 * role; neither of the source groups nor an unrelated group survives the mapping.
 */
@Test
public void testMappedRoleMapper() throws Exception {
    init("TestDomain1");

    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain1");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user1");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();

    Roles roles = identity.getRoles();
    Assert.assertTrue(roles.contains("mappedGroup"));
    for (String unexpected : new String[] {"firstGroup", "secondGroup", "notInThisGroup"}) {
        Assert.assertFalse("unexpected role " + unexpected, roles.contains(unexpected));
    }
    Assert.assertEquals("user1", identity.getPrincipal().getName());
}
 
Example #9
Source File: DomainDefinition.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Outflows an identity into each of the given security domains.
 *
 * <p>For every domain a fresh authentication context is created and the identity is imported
 * into it. On success the domain's authorized identity is collected. When the domain refuses the
 * import, the domain's anonymous identity is collected instead if {@code outflowAnonymous} is
 * set; otherwise that domain contributes nothing and the result is shorter than the input.
 *
 * @param identity         the established identity to outflow
 * @param outflowAnonymous whether a refused import falls back to the domain's anonymous identity
 * @param outflowDomains   the target domains; iteration order of the set determines result order
 * @return the identities obtained from the target domains, one per domain at most
 * @throws RuntimeException from {@code ROOT_LOGGER.unableToPerformOutflow} when a realm is
 *                          unavailable; the original {@code RealmUnavailableException} is chained
 */
private static SecurityIdentity[] performOutflow(SecurityIdentity identity, boolean outflowAnonymous, Set<SecurityDomain> outflowDomains) {
    List<SecurityIdentity> collected = new ArrayList<>(outflowDomains.size());
    for (SecurityDomain target : outflowDomains) {
        ServerAuthenticationContext targetContext = target.createNewAuthenticationContext();
        try {
            boolean imported = targetContext.importIdentity(identity);
            if (imported) {
                collected.add(targetContext.getAuthorizedIdentity());
            } else if (outflowAnonymous) {
                // the target domain does not trust this identity; fall back to anonymous if allowed
                collected.add(target.getAnonymousSecurityIdentity());
            }
        } catch (RealmUnavailableException e) {
            throw ROOT_LOGGER.unableToPerformOutflow(identity.getPrincipal().getName(), e);
        }
    }

    return collected.toArray(new SecurityIdentity[0]);
}
 
Example #10
Source File: RoleMappersTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Verifies the regex role mapper configured for {@code TestDomain6}: user3 receives
 * {@code admin} and {@code user} only; {@code joe} and the decorated variants are absent.
 */
@Test
public void testRegexRoleMapper2() throws Exception {
    init("TestDomain6");

    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("TestDomain6");
    Assert.assertNotNull(services.getContainer());
    Assert.assertNotNull(services.getContainer().getService(domainServiceName));
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("user3");
    Assert.assertTrue(authContext.exists());
    Assert.assertTrue(authContext.authorize());
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();

    Roles roles = identity.getRoles();
    for (String expected : new String[] {"admin", "user"}) {
        Assert.assertTrue("missing role " + expected, roles.contains(expected));
    }
    for (String unexpected : new String[] {"joe", "application-user", "123-admin-123", "aa-user-aa"}) {
        Assert.assertFalse("unexpected role " + unexpected, roles.contains(unexpected));
    }
    Assert.assertEquals("user3", identity.getPrincipal().getName());
}
 
Example #11
Source File: ModelControllerImpl.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Executes an operation on the controller under the identity supplied by
 * {@code securityIdentitySupplier}.
 *
 * <p>The whole {@code internalExecute} call, including the check of whether the model is
 * partial, runs inside {@code SecurityIdentity.runAs}, so it is evaluated as the supplied
 * identity. Only the response node is returned; the response itself is closed afterwards and a
 * failure to close it is logged at debug level rather than propagated, because any attached
 * streams were not wanted by this caller.
 *
 * @param operation   the operation
 * @param handler     the handler
 * @param control     the transaction control
 * @param attachments the operation attachments
 * @return the result of the operation
 */
@Override
public ModelNode execute(final ModelNode operation, final OperationMessageHandler handler, final OperationTransactionControl control, final OperationAttachments attachments) {
    PrivilegedAction<OperationResponse> action = () -> internalExecute(operation, handler, control, attachments,
            prepareStep, false, partialModelIndicator.isModelPartial());
    OperationResponse response = securityIdentitySupplier.get().runAs(action);

    ModelNode result = response.getResponseNode();
    try {
        response.close();
    } catch (IOException e) {
        ROOT_LOGGER.debugf(e, "Caught exception closing response to %s whose associated streams, " +
                "if any, were not wanted", operation);
    }
    return result;
}
 
Example #12
Source File: DomainTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Authenticates against a non-default mechanism realm ({@code PropRealm}) of {@code MyDomain}
 * and checks the resulting principal name. The expected name differs from the supplied one
 * because only the pre-realm-name rewriter has been applied to it.
 */
@Test
public void testNonDefaultRealmIdentity() throws Exception {
    init();
    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("MyDomain");
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    // a mechanism configuration offering both realms; the test selects PropRealm explicitly
    MechanismRealmConfiguration fileRealm = MechanismRealmConfiguration.builder().setRealmName("FileRealm").build();
    MechanismRealmConfiguration propRealm = MechanismRealmConfiguration.builder().setRealmName("PropRealm").build();
    MechanismConfiguration mechanismConfiguration = MechanismConfiguration.builder()
            .addMechanismRealm(fileRealm)
            .addMechanismRealm(propRealm)
            .build();
    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext(MechanismConfigurationSelector.constantSelector(mechanismConfiguration));

    authContext.setMechanismRealmName("PropRealm");
    authContext.setAuthenticationName("xser1@PropRealm");
    Assert.assertTrue(authContext.exists());
    authContext.authorize();
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();
    Assert.assertEquals("yser1@PropRealm", identity.getPrincipal().getName()); // after pre-realm-name-rewriter only
}
 
Example #13
Source File: DomainTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Checks the trust relationships between security domains: an identity established in
 * {@code MyDomain} can be imported into {@code AnotherDomain} (which trusts it), while an
 * identity from {@code AnotherDomain} is rejected by {@code X500Domain} (which does not).
 */
@Test
public void testTrustedSecurityDomains() throws Exception {
    init();
    SecurityDomain myDomain = lookupDomain("MyDomain");
    SecurityDomain x500Domain = lookupDomain("X500Domain");
    SecurityDomain anotherDomain = lookupDomain("AnotherDomain");

    // AnotherDomain trusts MyDomain
    SecurityIdentity fromMyDomain = getIdentityFromDomain(myDomain, "firstUser");
    Assert.assertTrue(anotherDomain.createNewAuthenticationContext().importIdentity(fromMyDomain));

    // X500Domain does not trust AnotherDomain
    SecurityIdentity fromAnotherDomain = getIdentityFromDomain(anotherDomain, "firstUser");
    Assert.assertFalse(x500Domain.createNewAuthenticationContext().importIdentity(fromAnotherDomain));
}

/** Resolves a started {@code SecurityDomain} service by domain name and asserts it exists. */
private SecurityDomain lookupDomain(String domainName) {
    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName(domainName);
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);
    return domain;
}
 
Example #14
Source File: DomainTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Checks two simple permission mappers of {@code MyDomain} — one keyed by role, one keyed by
 * principal — for {@code firstUser} with roles {@code role1} and {@code role2}: both grant
 * {@code LoginPermission} and neither grants read access to an arbitrary file.
 */
@Test
public void testPermissionMappers() throws Exception {
    init();

    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("MyDomain");
    SecurityDomain myDomain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    SecurityIdentity firstUser = getIdentityFromDomain(myDomain, "firstUser");
    Roles roles = Roles.fromSet(new HashSet<>(Arrays.asList("role1", "role2")));

    for (String mapperName : new String[] {"SimplePermissionMapperRole", "SimplePermissionMapperPrincipal"}) {
        ServiceName mapperServiceName = Capabilities.PERMISSION_MAPPER_RUNTIME_CAPABILITY.getCapabilityServiceName(mapperName);
        PermissionMapper mapper = (PermissionMapper) services.getContainer().getService(mapperServiceName).getValue();
        PermissionVerifier verifier = mapper.mapPermissions(firstUser, roles);
        Assert.assertTrue(mapperName + " should grant LoginPermission", verifier.implies(new LoginPermission()));
        Assert.assertFalse(mapperName + " should not grant file read", verifier.implies(new FilePermission("aaa", "read")));
    }
}
 
Example #15
Source File: ElytronIdentityHandler.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Runs the wrapped handler inside an {@code AccessAuditContext} bound to the identity attached
 * to the exchange under {@code IDENTITY_KEY} and to the peer's IP address.
 *
 * <p>The remote address is only recorded when the connection's peer address is an
 * {@code InetSocketAddress}; for any other socket address type null is passed. Whether a null
 * identity (no attachment) is acceptable depends on {@code AccessAuditContext.doAs}, which is
 * not checked here.
 *
 * <p>A checked exception thrown by the wrapped handler is unwrapped from the
 * {@code PrivilegedActionException} and rethrown as-is.
 *
 * @param exchange the current HTTP exchange
 * @throws Exception whatever the wrapped handler threw
 */
@Override
public void handleRequest(final HttpServerExchange exchange) throws Exception {
    SecurityIdentity identity = exchange.getAttachment(IDENTITY_KEY);
    InetAddress remoteAddress = toInetAddress(exchange.getConnection().getPeerAddress());

    PrivilegedExceptionAction<Void> delegateCall = () -> {
        wrapped.handleRequest(exchange);
        return null;
    };
    try {
        AccessAuditContext.doAs(identity, remoteAddress, delegateCall);
    } catch (PrivilegedActionException e) {
        throw e.getException();
    }
}

/** Extracts the IP address from an {@code InetSocketAddress}; null for any other address type. */
private static InetAddress toInetAddress(SocketAddress peerSocketAddress) {
    if (peerSocketAddress instanceof InetSocketAddress) {
        return ((InetSocketAddress) peerSocketAddress).getAddress();
    }
    return null;
}
 
Example #16
Source File: PluggableMBeanServerImpl.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Authorizes one MBean operation against the configured {@code JmxAuthorizer}.
 *
 * <p>A check is performed only when an authorizer is configured <em>and</em> the delegate plugin
 * asks for it via {@code shouldAuthorize()}; in every other case the operation is permitted
 * without consulting anyone, i.e. an absent authorizer makes this path fail-open. When a check
 * is performed, any decision other than {@code PERMIT} is a denial.
 *
 * <p>The caller identity is taken from {@code securityIdentitySupplier}; with no supplier set,
 * a null identity is handed to {@code createCaller}. The 'environment' argument of the
 * authorizer is not populated yet (passed as null).
 *
 * @param delegate      the plugin that will handle the operation; consulted for whether to authorize
 * @param name          the target MBean
 * @param methodName    the MBeanServer method being invoked
 * @param attributeName the attribute involved, if any
 * @param impact        impact classification of the action
 * @param exception     if true a denial is reported by throwing, otherwise by returning false
 * @return true if the operation may proceed; false only when denied and {@code exception} is false
 * @throws MBeanException when the operation is denied and {@code exception} is true
 */
private boolean authorizeMBeanOperation(MBeanServerPlugin delegate, ObjectName name, String methodName,
                                        String attributeName, JmxAction.Impact impact,
                                        boolean exception) throws MBeanException {
    if (authorizer == null || !delegate.shouldAuthorize()) {
        return true;
    }
    // jmxEffect is supplied for both effect arguments of JmxTarget, as in the original — TODO confirm intended
    JmxTarget target = new JmxTarget(methodName, name, isNonFacadeMBeansSensitive(), jmxEffect, jmxEffect);
    JmxAction action = new JmxAction(methodName, impact, attributeName);
    //TODO populate the 'environment' variable
    SecurityIdentity identity = securityIdentitySupplier == null ? null : securityIdentitySupplier.get();
    AuthorizationResult result = authorizer.authorizeJmxOperation(createCaller(identity), null, action, target);
    if (result.getDecision() == Decision.PERMIT) {
        return true;
    }
    if (exception) {
        throw JmxLogger.ROOT_LOGGER.unauthorized();
    }
    return false;
}
 
Example #17
Source File: IdentityAddressProtocolUtilTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
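/**
 * Round-trips an identity and address through {@code IdentityAddressProtocolUtil}: serialises
 * them with {@code write} into an in-memory buffer and parses the bytes back with {@code read}.
 *
 * <p>Streams are managed with try-with-resources so they are closed on both the normal and the
 * exceptional path (the previous version closed the output streams only after a successful
 * write). Closing the {@code DataOutputStream} closes the underlying byte buffer, which is
 * harmless; its contents are still readable via {@code toByteArray()}.
 *
 * @param identity    the identity to serialise; not validated here, {@code write} decides what it accepts
 * @param inetAddress the peer address to serialise alongside the identity
 * @return the identity and address as reconstructed by {@code read}
 * @throws IOException if writing or reading the protocol bytes fails
 */
private PropagatedIdentity writeAndRead(SecurityIdentity identity, InetAddress inetAddress) throws IOException {
    ByteArrayOutputStream baos = new ByteArrayOutputStream();
    try (DataOutputStream dos = new DataOutputStream(baos)) {
        IdentityAddressProtocolUtil.write(dos, identity, inetAddress);
    }
    byte[] sent = baos.toByteArray();

    try (DataInputStream dis = new DataInputStream(new ByteArrayInputStream(sent))) {
        return IdentityAddressProtocolUtil.read(dis);
    }
}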
 
Example #18
Source File: ModelControllerClientFactoryImpl.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Executes a (sanitized) management operation through the model controller.
 *
 * <p>For user calls ({@code forUserCalls}) the operation runs inside an {@code AccessAuditContext}
 * bound to the identity from {@code securityIdentitySupplier}, and the access mechanism is marked
 * as {@code IN_VM_USER} so the audit log attributes the operation to an in-VM user. Internal calls
 * skip the audit context and run directly.
 *
 * @param operation      the operation to execute; sanitized via {@code sanitizeOperation} first
 * @param messageHandler receives messages produced during execution
 * @return the controller's response for the sanitized operation
 */
@Override
public OperationResponse executeOperation(Operation operation, OperationMessageHandler messageHandler) {
    final Operation sanitized = sanitizeOperation(operation);
    if (!forUserCalls) {
        return executeInModelControllerCl(modelController::execute, sanitized, messageHandler, ModelController.OperationTransactionControl.COMMIT);
    }

    final SecurityIdentity identity = securityIdentitySupplier.get();
    return AccessAuditContext.doAs(identity, null, (PrivilegedAction<OperationResponse>) () -> {
        // tag the audit record before executing so the mechanism is visible to the audit logger
        SecurityActions.currentAccessAuditContext().setAccessMechanism(AccessMechanism.IN_VM_USER);
        return executeInModelControllerCl(modelController::execute, sanitized, messageHandler, ModelController.OperationTransactionControl.COMMIT);
    });
}
 
Example #19
Source File: MBeanServerService.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Creates and installs the {@code MBeanServerService}.
 *
 * <p>The service depends on the model controller (the domain controller when running as a host
 * controller, the server controller otherwise), on the notification handler registry capability
 * and on the management model integration service. It is installed in {@code ACTIVE} mode under
 * {@code SERVICE_NAME} with {@code LEGACY_MBEAN_SERVER_NAME} as an alias.
 *
 * @param context                        operation context used to reach the service target
 * @param resolvedDomainName             JMX domain name for resolved model values
 * @param expressionsDomainName          JMX domain name for unresolved expression values
 * @param legacyWithProperPropertyFormat whether legacy object names use the proper property format
 * @param coreMBeanSensitivity           whether core MBeans are treated as sensitive
 * @param auditLoggerInfo                audit logger for management operations
 * @param authorizer                     authorizer consulted for JMX operations
 * @param securityIdentitySupplier       supplies the identity of the calling user
 * @param jmxEffect                      effect classification applied to JMX operations
 * @param processType                    the type of the running process
 * @param isMasterHc                     whether this process is the master host controller
 * @return the controller of the installed service
 */
public static ServiceController<?> addService(final OperationContext context, final String resolvedDomainName, final String expressionsDomainName, final boolean legacyWithProperPropertyFormat,
                                              final boolean coreMBeanSensitivity,
                                              final ManagedAuditLogger auditLoggerInfo,
                                              final JmxAuthorizer authorizer,
                                              final Supplier<SecurityIdentity> securityIdentitySupplier,
                                              final JmxEffect jmxEffect,
                                              final ProcessType processType, final boolean isMasterHc) {
    final MBeanServerService service = new MBeanServerService(resolvedDomainName, expressionsDomainName, legacyWithProperPropertyFormat,
            coreMBeanSensitivity, auditLoggerInfo, authorizer, securityIdentitySupplier, jmxEffect, processType, isMasterHc);

    // host controllers talk to the domain controller, servers to their own controller
    final ServiceName modelControllerName;
    if (processType.isHostController()) {
        modelControllerName = DOMAIN_CONTROLLER_NAME;
    } else {
        modelControllerName = Services.JBOSS_SERVER_CONTROLLER;
    }
    final ServiceName notificationRegistryName = context.getCapabilityServiceName("org.wildfly.management.notification-handler-registry", null);

    return context.getServiceTarget()
            .addService(MBeanServerService.SERVICE_NAME, service)
            .setInitialMode(ServiceController.Mode.ACTIVE)
            .addDependency(modelControllerName, ModelController.class, service.modelControllerValue)
            .addDependency(notificationRegistryName, NotificationHandlerRegistry.class, service.notificationRegistryValue)
            .addDependency(ManagementModelIntegration.SERVICE_NAME, ManagementModelIntegration.ManagementModelProvider.class, service.managementModelProviderValue)
            .addAliases(LEGACY_MBEAN_SERVER_NAME)
            .install();
}
 
Example #20
Source File: AccessAuditContext.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Creates a context for a {@code doAs} call; this constructor is only reachable through that path.
 *
 * <p>When there is an enclosing ({@code previous}) context, everything except the identity is
 * inherited from it — remote address, access mechanism, domain UUID, domain rollout flag and the
 * {@code inflowed} flag — so the values established by the first context on the stack win over
 * the arguments. Without a previous context the supplied address and flag are used.
 *
 * <p>The permission check for an inflowed identity is deliberately performed here, in the
 * constructor: no code can obtain a reference to an {@code AccessAuditContext} carrying an
 * inflowed identity (and later use it to swap in an arbitrary identity) unless it holds
 * {@code ControllerPermission.INFLOW_SECURITY_IDENTITY}. The check runs only while the
 * security manager is checking.
 *
 * @param inflowed         whether the identity was inflowed; ignored when {@code previous} is set
 * @param securityIdentity the identity this context runs as
 * @param remoteAddress    the caller's address; ignored when {@code previous} is set
 * @param previous         the enclosing context, or null for the first context on the stack
 * @throws SecurityException if the identity is inflowed and the caller lacks the permission
 */
private AccessAuditContext(final boolean inflowed, final SecurityIdentity securityIdentity, final InetAddress remoteAddress, final AccessAuditContext previous) {
    this.securityIdentity = securityIdentity;

    final boolean nested = previous != null;
    this.inflowed = nested ? previous.inflowed : inflowed;
    this.remoteAddress = nested ? previous.remoteAddress : remoteAddress;
    if (nested) {
        domainUuid = previous.domainUuid;
        accessMechanism = previous.accessMechanism;
        domainRollout = previous.domainRollout;
    }

    // Checked in the constructor so no instance with an inflowed identity exists without the permission.
    if (this.inflowed && WildFlySecurityManager.isChecking()) {
        System.getSecurityManager().checkPermission(ControllerPermission.INFLOW_SECURITY_IDENTITY);
    }
}
 
Example #21
Source File: DomainTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 6 votes vote down vote up
/**
 * Authenticates {@code firstUser} (from FileRealm) against the default realm of {@code MyDomain}
 * and checks the decoded attributes, the prefixed/suffixed roles, the principal name and the
 * permissions: read on {@code test} is granted, write is not.
 */
@Test
public void testDefaultRealmIdentity() throws Exception {
    init();
    ServiceName domainServiceName = Capabilities.SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName("MyDomain");
    SecurityDomain domain = (SecurityDomain) services.getContainer().getService(domainServiceName).getValue();
    Assert.assertNotNull(domain);

    ServerAuthenticationContext authContext = domain.createNewAuthenticationContext();
    authContext.setAuthenticationName("firstUser"); // from FileRealm
    Assert.assertTrue(authContext.exists());
    authContext.authorize();
    authContext.succeed();
    SecurityIdentity identity = authContext.getAuthorizedIdentity();

    // attributes loaded from the realm
    Assert.assertEquals("John", identity.getAttributes().get("firstName").get(0));
    Assert.assertEquals("Smith", identity.getAttributes().get("lastName").get(0));

    // roles after the prefix/suffix role mapper
    Roles roles = identity.getRoles();
    for (String expected : new String[] {"prefixEmployeesuffix", "prefixManagersuffix", "prefixAdminsuffix"}) {
        Assert.assertTrue("missing role " + expected, roles.contains(expected));
    }
    Assert.assertEquals("firstUser", identity.getPrincipal().getName());

    // permissions mapped for the identity
    Assert.assertTrue(identity.implies(new FilePermission("test", "read")));
    Assert.assertFalse(identity.implies(new FilePermission("test", "write")));
}
 
Example #22
Source File: SecurityActions.java    From wildfly-core with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Privileged variant: delegates to {@code NON_PRIVILEGED.getCaller} inside
 * {@code doPrivileged}, so the caller's own protection domain is not consulted.
 *
 * @param currentCaller    the caller already associated with the operation, may be null
 * @param securityIdentity the identity to build or reuse a caller for
 * @return the caller produced by the non-privileged implementation
 */
@Override
public Caller getCaller(final Caller currentCaller, final SecurityIdentity securityIdentity) {
    return doPrivileged((PrivilegedAction<Caller>) () -> NON_PRIVILEGED.getCaller(currentCaller, securityIdentity));
}
 
Example #23
Source File: SecurityActions.java    From wildfly-core with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Returns a {@code Caller} for the given identity, reusing {@code currentCaller} when it was
 * built for this very identity.
 *
 * <p>The comparison is deliberately an identity ({@code ==}) check on the
 * {@code SecurityIdentity} instances rather than {@code equals}: the existing caller is only
 * reused if it wraps the exact same identity object. Otherwise, or when there is no current
 * caller, a new caller is created.
 *
 * @param currentCaller    the caller already associated with the operation, may be null
 * @param securityIdentity the identity the returned caller must represent
 * @return {@code currentCaller} if it wraps the same identity instance, else a new caller
 */
@Override
public Caller getCaller(Caller currentCaller, SecurityIdentity securityIdentity) {
    boolean reusable = currentCaller != null && securityIdentity == currentCaller.getSecurityIdentity();
    return reusable ? currentCaller : Caller.createCaller(securityIdentity);
}
 
Example #24
Source File: ExtensionRegistry.java    From wildfly-core with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * This method is only for internal use. We do NOT currently want to expose it on the
 * ExtensionContext interface.
 *
 * @return the supplier of the current security identity
 * @throws UnsupportedOperationException if this registry does not allow supplements
 *                                       ({@code allowSupplement} is false)
 */
@Override
public Supplier<SecurityIdentity> getSecurityIdentitySupplier() {
    if (allowSupplement) {
        return securityIdentitySupplier;
    }
    throw new UnsupportedOperationException();
}
 
Example #25
Source File: JMXSubsystemRemove.java    From wildfly-core with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Creates the remove handler for the JMX subsystem, registering the JMX capability with the
 * superclass and keeping the collaborators needed to undo the subsystem's runtime services.
 *
 * @param auditLoggerInfo          audit logger for management operations
 * @param authorizer               authorizer consulted for JMX operations
 * @param securityIdentitySupplier supplies the identity of the calling user
 * @param hostInfoAccessor         access to runtime host controller information
 */
JMXSubsystemRemove(ManagedAuditLogger auditLoggerInfo, JmxAuthorizer authorizer, Supplier<SecurityIdentity> securityIdentitySupplier, RuntimeHostControllerInfoAccessor hostInfoAccessor) {
    super(JMXSubsystemRootResource.JMX_CAPABILITY);
    this.hostInfoAccessor = hostInfoAccessor;
    this.securityIdentitySupplier = securityIdentitySupplier;
    this.authorizer = authorizer;
    this.auditLoggerInfo = auditLoggerInfo;
}
 
Example #26
Source File: SecurityActions.java    From wildfly-core with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Privileged variant: delegates to {@code NON_PRIVILEGED.createCaller} inside
 * {@code doPrivileged}, so the caller's own protection domain is not consulted.
 *
 * @param securityIdentity the identity to wrap in a caller
 * @return the caller produced by the non-privileged implementation
 */
@Override
public Caller createCaller(final SecurityIdentity securityIdentity) {
    return doPrivileged((PrivilegedAction<Caller>) () -> NON_PRIVILEGED.createCaller(securityIdentity));
}
 
Example #27
Source File: AbstractOperationContext.java    From wildfly-core with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Initialises the shared state of an operation context.
 *
 * <p>One step deque is created per {@code Stage}. During boot the {@code VERIFY} stage uses a
 * {@code LinkedBlockingDeque} because the parallel boot threads add steps to it concurrently;
 * every other stage (and every stage outside boot) uses a plain {@code ArrayDeque}. The thread
 * creating the context is recorded as the initiating thread. Model validation bookkeeping is
 * only allocated when validation is not skipped, and a null {@code operationHeaders} falls back
 * to {@code OperationHeaders.forInternalCall()}.
 *
 * @param processType                the type of the running process
 * @param runningMode                the running mode of the process
 * @param transactionControl         transaction control for the operation
 * @param processState               the controlled process state
 * @param booting                    whether the process is booting
 * @param auditLogger                audit logger for the operation
 * @param notificationSupport        notification support for emitted notifications
 * @param controller                 the owning model controller
 * @param skipModelValidation        whether model validation after the operation is skipped
 * @param extraValidationStepHandler extra validation step, may be null
 * @param operationHeaders           headers of the operation, or null for an internal call
 * @param securityIdentitySupplier   supplies the identity of the calling user
 */
AbstractOperationContext(final ProcessType processType,
                         final RunningMode runningMode,
                         final ModelController.OperationTransactionControl transactionControl,
                         final ControlledProcessState processState,
                         final boolean booting,
                         final AuditLogger auditLogger,
                         final NotificationSupport notificationSupport,
                         final ModelControllerImpl controller,
                         final boolean skipModelValidation,
                         final OperationStepHandler extraValidationStepHandler,
                         final OperationHeaders operationHeaders,
                         final Supplier<SecurityIdentity> securityIdentitySupplier) {
    this.processType = processType;
    this.runningMode = runningMode;
    this.transactionControl = transactionControl;
    this.processState = processState;
    this.booting = booting;
    this.auditLogger = auditLogger;
    this.notificationSupport = notificationSupport;
    this.controller = controller;
    this.extraValidationStepHandler = extraValidationStepHandler;
    this.securityIdentitySupplier = securityIdentitySupplier;
    this.operationHeaders = operationHeaders != null ? operationHeaders : OperationHeaders.forInternalCall();

    this.notifications = new ConcurrentLinkedQueue<Notification>();
    this.missingNotificationDescriptionWarnings = new ConcurrentLinkedQueue<String>();

    steps = new EnumMap<Stage, Deque<Step>>(Stage.class);
    for (Stage stage : Stage.values()) {
        // parallel boot threads add VERIFY steps concurrently, so that stage needs a thread-safe deque
        boolean concurrentStage = booting && stage == Stage.VERIFY;
        steps.put(stage, concurrentStage ? new LinkedBlockingDeque<Step>() : new ArrayDeque<Step>());
    }

    initiatingThread = Thread.currentThread();
    this.callEnvironment = new Environment(processState, processType);
    modifiedResourcesForModelValidation = skipModelValidation ? null : new HashSet<PathAddress>();
}
 
Example #28
Source File: ParallelBootOperationContext.java    From wildfly-core with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Creates a context for one parallel boot thread.
 *
 * <p>Process type, running mode and notification support are taken from the primary context and
 * controller; the superclass is always told that the process is booting, that model validation
 * is skipped, and that there are no operation headers (internal call). The constructing thread
 * is recorded as the controlling thread.
 *
 * @param transactionControl         transaction control for the operation
 * @param processState               the controlled process state
 * @param primaryContext             the primary boot context this one runs alongside
 * @param runtimeOps                 the parsed boot operations handled by this context
 * @param controller                 the owning model controller
 * @param operationId                id of the operation
 * @param auditLogger                audit logger for the operation
 * @param extraValidationStepHandler extra validation step, may be null
 * @param securityIdentitySupplier   supplies the identity of the calling user
 */
ParallelBootOperationContext(final ModelController.OperationTransactionControl transactionControl,
                             final ControlledProcessState processState, final OperationContextImpl primaryContext,
                             final List<ParsedBootOp> runtimeOps,
                             final ModelControllerImpl controller, final int operationId, final AuditLogger auditLogger,
                             final OperationStepHandler extraValidationStepHandler, final Supplier<SecurityIdentity> securityIdentitySupplier) {
    super(primaryContext.getProcessType(), primaryContext.getRunningMode(), transactionControl, processState, true, auditLogger,
            controller.getNotificationSupport(), controller, true, extraValidationStepHandler, null, securityIdentitySupplier);
    this.controllingThread = Thread.currentThread();
    this.controller = controller;
    this.operationId = operationId;
    this.runtimeOps = runtimeOps;
    this.primaryContext = primaryContext;
}
 
Example #29
Source File: OperationContextImpl.java    From wildfly-core with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Creates the context for a single management operation.
 *
 * <p>An undefined operation address is replaced by {@code ModelControllerImpl.EMPTY_ADDRESS}. The
 * {@code affectsModel} map is a pre-sized {@code ConcurrentHashMap} while booting (several
 * threads touch it) and a small {@code HashMap} otherwise. In {@code ADMIN_ONLY} mode the
 * capability registry is validated up front and the result recorded in
 * {@code capabilitiesAlreadyBroken}; in any other mode no validation is performed and the flag
 * is false.
 *
 * @param operationId                id of the operation
 * @param operationName              name of the operation
 * @param operationAddress           address the operation targets; may be undefined
 * @param modelController            the owning model controller
 * @param processType                the type of the running process
 * @param runningMode                the running mode of the process
 * @param operationHeaders           headers of the operation
 * @param messageHandler             receives messages produced during execution
 * @param attachments                the operation attachments
 * @param managementModel            the management model the operation works on
 * @param transactionControl         transaction control for the operation
 * @param processState               the controlled process state
 * @param auditLogger                audit logger for the operation
 * @param booting                    whether the process is booting
 * @param hostServerGroupTracker     tracker for host/server-group effects
 * @param accessAuditContext         audit context of the caller
 * @param notificationSupport        notification support for emitted notifications
 * @param skipModelValidation        whether model validation after the operation is skipped
 * @param extraValidationStepHandler extra validation step, may be null
 * @param partialModel               whether only a partial model is available
 * @param securityIdentitySupplier   supplies the identity of the calling user
 */
OperationContextImpl(final Integer operationId,
                     final String operationName, final ModelNode operationAddress,
                     final ModelControllerImpl modelController, final ProcessType processType,
                     final RunningMode runningMode,
                     final OperationHeaders operationHeaders,
                     final OperationMessageHandler messageHandler, final OperationAttachments attachments,
                     final ModelControllerImpl.ManagementModelImpl managementModel, final ModelController.OperationTransactionControl transactionControl,
                     final ControlledProcessState processState, final AuditLogger auditLogger, final boolean booting,
                     final HostServerGroupTracker hostServerGroupTracker,
                     final AccessAuditContext accessAuditContext,
                     final NotificationSupport notificationSupport,
                     final boolean skipModelValidation,
                     final OperationStepHandler extraValidationStepHandler,
                     final boolean partialModel,
                     final Supplier<SecurityIdentity> securityIdentitySupplier) {
    super(processType, runningMode, transactionControl, processState, booting, auditLogger, notificationSupport,
            modelController, skipModelValidation, extraValidationStepHandler, operationHeaders, securityIdentitySupplier);
    this.operationId = operationId;
    this.operationName = operationName;
    if (operationAddress.isDefined()) {
        this.operationAddress = operationAddress;
    } else {
        this.operationAddress = ModelControllerImpl.EMPTY_ADDRESS;
    }
    this.managementModel = managementModel;
    this.originalModel = managementModel;
    this.modelController = modelController;
    this.messageHandler = messageHandler;
    this.attachments = attachments;
    this.hostServerGroupTracker = hostServerGroupTracker;
    this.accessAuditContext = accessAuditContext;
    this.partialModel = partialModel;
    this.activeOperationResource = new ActiveOperationResource();

    // boot is multi-threaded, so the model-effect map must be concurrent (and sized for many entries)
    if (booting) {
        this.affectsModel = new ConcurrentHashMap<>(16 * 16);
    } else {
        this.affectsModel = new HashMap<>(1);
    }

    // capability validation is only performed in admin-only mode; short-circuit keeps it that way
    boolean hostXmlOnly = booting && !processType.isServer() && partialModel;
    this.capabilitiesAlreadyBroken = runningMode == RunningMode.ADMIN_ONLY
            && !managementModel.validateCapabilityRegistry(true, hostXmlOnly).isValid();
}
 
Example #30
Source File: JmxRbacTestCase.java    From wildfly-core with GNU Lesser General Public License v2.1 5 votes vote down vote up
/**
 * Obtains a {@code SecurityIdentity} from the test domain for the given RBAC role.
 *
 * <p>A null role yields the domain's anonymous identity. Otherwise the user name mapped to the
 * role is authenticated in a new authentication context, authorization is asserted to succeed,
 * and the authorized identity is returned.
 *
 * @param role the standard role to impersonate, or null for anonymous
 * @return the identity representing that role in {@code testDomain}
 * @throws RealmUnavailableException if the test domain's realm cannot be consulted
 */
private static SecurityIdentity roleToSecurityIdentity(StandardRole role) throws RealmUnavailableException {
    if (role == null) {
        return testDomain.getAnonymousSecurityIdentity();
    }

    ServerAuthenticationContext roleContext = testDomain.createNewAuthenticationContext();
    roleContext.setAuthenticationName(roleToUserName(role));
    // the fixture user must be authorizable, otherwise the test setup itself is broken
    assertTrue("Authorized", roleContext.authorize());
    return roleContext.getAuthorizedIdentity();
}