java.security.acl.Group Java Examples

The following examples show how to use java.security.acl.Group, taken from the open-source projects named above each example. Note that the java.security.acl package (including Group) was deprecated in Java 9 and removed in Java 14: the patterns below come from JBoss/PicketBox-era login and authorization modules and only compile on older JDKs or against a replacement Group type.
Example #1
Source File: DomainAuthorizationPolicy.java    From wildfly-camel with Apache License 2.0 6 votes vote down vote up
@Override
protected void authorize(LoginContext context) throws LoginException {
    // Every required role starts out "outstanding"; a role is struck off as soon as
    // one of the subject's "Roles" groups lists it. Anything still outstanding at
    // the end means the caller lacks a role and the login is rejected.
    HashSet<String> outstanding = new HashSet<>(requiredRoles);
    Set<Group> subjectGroups = context.getSubject().getPrincipals(Group.class);
    if (subjectGroups != null) {
        for (Group candidate : subjectGroups) {
            // Only the group conventionally named "Roles" carries role membership;
            // other groups on the subject (e.g. CallerPrincipal) are ignored here.
            if (!"Roles".equals(candidate.getName())) {
                continue;
            }
            outstanding.removeIf(role -> candidate.isMember(new SimplePrincipal(role)));
        }
    }
    // NOTE(review): an empty requiredRoles passes vacuously; make sure the policy is
    // configured with at least one role wherever that would be a problem.
    if (!outstanding.isEmpty())
        throw new LoginException("User does not have required roles: " + outstanding);
}
 
Example #2
Source File: CurrentUserContext.java    From taskana with Apache License 2.0 6 votes vote down vote up
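/**
 * Resolves the caller's user id from the JAAS {@link Subject} attached to the
 * current access-control context.
 *
 * <p>The first principal that is not a {@link Group} and has a non-null name is
 * taken as the user and its name is normalised through {@code convertAccessId}.
 * "First" means iteration order of the subject's principal set, which presumably
 * is the order in which the login modules added principals — verify against the
 * JAAS configuration in use before relying on it.
 *
 * @return the converted user id, or {@code null} when there is no subject or no
 *         suitable principal
 */
private static String getUserIdFromJaasSubject() {
  Subject subject = Subject.getSubject(AccessController.getContext());
  // Never log the Subject object itself: Subject.toString() renders its private
  // credentials (passwords, tokens — whatever their toString() reveals) whenever the
  // caller is allowed to read them, which would copy secrets into the trace log.
  // Only presence is logged here; the principals are logged below.
  LOGGER.trace("Subject of caller present: {}", subject != null);
  if (subject != null) {
    Set<Principal> principals = subject.getPrincipals();
    LOGGER.trace("Public principals of caller: {}", principals);
    return principals.stream()
        .filter(principal -> !(principal instanceof Group))
        .map(Principal::getName)
        .filter(Objects::nonNull)
        .map(CurrentUserContext::convertAccessId)
        .findFirst()
        .orElse(null);
  }
  LOGGER.trace("No userId found in subject!");
  return null;
}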
 
Example #3
Source File: GenericPrincipalFactory.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Returns the {@link Group} named {@code name} from {@code principals}, creating and
 * registering a new {@link SimpleGroup} under that name when none exists yet.
 *
 * <p>Reusing an existing group means roles contributed by several sources end up in
 * one group rather than in duplicates that a container might consult inconsistently.
 * Matching is exact and case-sensitive on the group name.
 *
 * @param name       the group name to find or create (e.g. "Roles")
 * @param principals the subject's principal set; extended when a group is created
 * @return the existing or newly created group, never {@code null}
 */
protected Group createGroup(String name, Set<Principal> principals) {
    for (Principal candidate : principals) {
        if (candidate instanceof Group) {
            Group existing = (Group) candidate;
            if (existing.getName().equals(name)) {
                return existing;
            }
        }
    }
    // No group under that name yet: create it and add it to the principal set so
    // that the container (and later calls to this method) can see it.
    Group created = new SimpleGroup(name);
    principals.add(created);
    return created;
}
 
Example #4
Source File: SecurityInfoHelper.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Picks the authenticated identity out of a {@link Subject}.
 *
 * <p>If the subject carries a non-empty group named
 * {@code SecurityConstants.CALLER_PRINCIPAL_GROUP}, the first member of the first such
 * group is the application identity and wins. Otherwise the first principal that is
 * not a {@link Group} is used. "First" follows the iteration order of the subject's
 * principal set, which presumably reflects the order login modules added them.
 *
 * <p>Only the first member of the CallerPrincipal group is consulted; any further
 * members are silently ignored.
 *
 * @param subject the authenticated subject, may be {@code null}
 * @return the caller principal, or {@code null} if the subject is null or holds no
 *         non-group principal
 */
protected static Principal getPrincipal(Subject subject) {
    if (subject == null) {
        return null;
    }
    Set<Principal> principals = subject.getPrincipals();
    if (principals == null || principals.isEmpty()) {
        return null;
    }
    Principal firstNonGroup = null;
    for (Principal candidate : principals) {
        if (candidate instanceof Group) {
            Group group = (Group) candidate;
            if (group.getName().equals(SecurityConstants.CALLER_PRINCIPAL_GROUP)) {
                Enumeration<? extends Principal> members = group.members();
                if (members.hasMoreElements()) {
                    // A populated CallerPrincipal group overrides whatever non-group
                    // principal was (or will be) seen, so the scan can stop here.
                    Principal member = members.nextElement();
                    if (member != null) {
                        return member;
                    }
                }
            }
        } else if (firstNonGroup == null) {
            firstNonGroup = candidate;
        }
    }
    return firstNonGroup;
}
 
Example #5
Source File: AbstractServerLoginModule.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/** Locate the Group named {@code name} among {@code principals}, or create a
 SimpleGroup with that name and add it to the set when it is absent. Subclasses
 use this to obtain the 'Roles' group (and any other group types) so that roles
 from several login modules accumulate in a single group. The name comparison is
 exact and case-sensitive.
 @param name the group name to look up or create
 @param principals the subject's principal set, extended when a group is created
 @return A named Group from the principals set, never null.
 */
protected Group createGroup(String name, Set<Principal> principals)
{
   for (Principal candidate : principals)
   {
      if (candidate instanceof Group)
      {
         Group existing = (Group) candidate;
         if (existing.getName().equals(name))
            return existing;
      }
   }
   // Nothing matched: create the group and publish it through the principal set
   Group created = new SimpleGroup(name);
   principals.add(created);
   return created;
}
 
Example #6
Source File: AbstractServerLoginModule.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Returns the group named {@code SecurityConstants.CALLER_PRINCIPAL_GROUP} from the
 * given principal set, if present. That group carries the application-level caller
 * identity as its member, as opposed to the security-domain identity. The first
 * matching group in iteration order is returned.
 * @param principals the subject's principals
 * @return the CallerPrincipal group, or null when the set has none
 */
protected Group getCallerPrincipalGroup(Set<Principal> principals)
{
   for (Principal candidate : principals)
   {
      if (!(candidate instanceof Group))
         continue;
      Group group = (Group) candidate;
      if (group.getName().equals(SecurityConstants.CALLER_PRINCIPAL_GROUP))
         return group;
   }
   return null;
}
 
Example #7
Source File: RoleMappingLoginModule.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Get the Group called "Roles" from the authenticated subject.
 *
 * <p>Walks the subject's principal set in order and returns the first group whose
 * name is exactly "Roles" (case-sensitive); other groups such as CallerPrincipal
 * are skipped.
 *
 * @return Group representing Roles, or null when the subject has no such group
 */
private Group getExistingRolesFromSubject()
{
   for (Principal candidate : subject.getPrincipals())
   {
      if (candidate instanceof Group && "Roles".equals(candidate.getName()))
         return (Group) candidate;
   }
   return null;
}
 
Example #8
Source File: RoleMappingLoginModule.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Apply the role mappings from the properties file to {@code group}: for every
 * property whose key names a role the group already holds, the comma-separated
 * roles in the value are added to the group. When REPLACE_ROLE is set, the key
 * role is removed from the group afterwards.
 *
 * <p>Properties are enumerated in hash order, so if a role added by one mapping is
 * itself the key of another mapping, whether that second mapping also fires depends
 * on enumeration order — chained mappings are not reliable. Any exception raised
 * while handling a key (creating its principal, expanding or removing it) is logged
 * at debug level as a principal-creation failure and that key is skipped.
 *
 * @param group Group that needs to be processed; may be null, in which case the
 *              group is left untouched
 * @param props Properties file holding role -> comma-separated-roles entries
 */
private void processRoles(Group group,Properties props) //throws Exception
{
   Enumeration<?> enumer = props.propertyNames();
   while(enumer.hasMoreElements())
   {
      String roleKey = (String)enumer.nextElement();
      String comma_separated_roles = props.getProperty(roleKey);
      try {
          Principal pIdentity = createIdentity(roleKey);
          if (group != null)
          {
              // Only expand the mapping when the caller actually holds the key role
              if(group.isMember(pIdentity))
                  Util.parseGroupMembers(group,comma_separated_roles,this);
              // NOTE(review): the removal runs whether or not the key role was a member;
              // presumably removeMember is a no-op for non-members — confirm in the Group impl
              if(REPLACE_ROLE)
                  group.removeMember(pIdentity);
          }
      }
      catch(Exception e) {
          PicketBoxLogger.LOGGER.debugFailureToCreatePrincipal(roleKey, e);
      }
   }
}
 
Example #9
Source File: Util.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/** Split the comma-delimited role names in {@code roles} and add each of them to
 * {@code group}. Each name is turned into a Principal via the login module's
 * createIdentity method so the principal type matches the rest of the subject.
 *
 * <p>Tokens are taken verbatim: whitespace is not trimmed, so "admin, user" yields
 * the roles "admin" and " user" (leading space included), and empty tokens between
 * consecutive commas are skipped. A name for which createIdentity fails is logged at
 * debug level and skipped; the remaining names are still processed.
 *
 * @see AbstractServerLoginModule#createIdentity(String)
 *
 * @param group - the Group to add the roles to.
 * @param roles - the comma delimited role names.
 * @param aslm  - the login module whose createIdentity builds each role principal.
 */
static void parseGroupMembers(Group group, String roles, AbstractServerLoginModule aslm)
{
   for (StringTokenizer names = new StringTokenizer(roles, ","); names.hasMoreTokens();)
   {
      String roleName = names.nextToken();
      try
      {
         group.addMember(aslm.createIdentity(roleName));
      }
      catch (Exception e)
      {
         PicketBoxLogger.LOGGER.debugFailureToCreatePrincipal(roleName, e);
      }
   }
}
 
Example #10
Source File: GenericPrincipalFactory.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Builds a {@link GenericPrincipal} for {@code identity} carrying the given roles.
 *
 * <p>A fresh JAAS {@link Subject} is populated with the identity and with one group
 * per role set from {@code getRoleSets(roleSet)}; a same-named group already on the
 * subject is reused via {@code createGroup}. The user principal is then resolved
 * with {@code getPrincipal(subject)}, while the role names handed to the resulting
 * GenericPrincipal come straight from {@code roleSet}, not from the subject's groups.
 *
 * @param realm    the realm; not consulted by this implementation
 * @param identity the authenticated identity to add to the subject
 * @param roleSet  the role names granted to the identity
 * @return the container principal for this identity and role set
 */
public GenericPrincipal createPrincipal(Realm realm, final Principal identity, final Set<String> roleSet) {
    Subject subject = new Subject();
    Set<Principal> principals = subject.getPrincipals();
    principals.add(identity);
    for (Group roleGroup : getRoleSets(roleSet)) {
        // Find (or create) the same-named group on the subject and copy the members over
        Group target = createGroup(roleGroup.getName(), principals);
        Enumeration<? extends Principal> members = roleGroup.members();
        while (members.hasMoreElements()) {
            target.addMember(members.nextElement());
        }
    }
    Principal userPrincipal = getPrincipal(subject);
    return createPrincipal(userPrincipal, new ArrayList<String>(roleSet));
}
 
Example #11
Source File: SecurityUtil.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Get the Subject roles by looking for a Group called 'Roles'.
 *
 * <p>Only groups named exactly "Roles" (case-sensitive) qualify. Should the subject
 * carry more than one such group, the last one encountered wins; since
 * {@code Subject.getPrincipals(Class)} hands back a Set with no defined iteration
 * order, which one that is cannot be relied upon.
 *
 * @param theSubject - the Subject to search for roles
 * @return the Group containing the subject roles if found, null otherwise
 * @throws RuntimeException (the PicketBox invalid-null-argument exception) when
 *         theSubject is null
 */
public static Group getSubjectRoles(Subject theSubject)
{
   if (theSubject == null)
      throw PicketBoxMessages.MESSAGES.invalidNullArgument("theSubject");
   Group rolesGroup = null;
   for (Group candidate : theSubject.getPrincipals(Group.class))
   {
      if (candidate.getName().equals("Roles"))
         rolesGroup = candidate;
   }
   return rolesGroup;
}
 
Example #12
Source File: WildflyRequestAuthenticator.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Picks the authenticated identity out of a {@link Subject}.
 *
 * <p>A non-empty group named {@code SecurityConstants.CALLER_PRINCIPAL_GROUP} takes
 * precedence: its first member is the application identity. Failing that, the first
 * principal that is not a {@link Group} is returned. "First" is the iteration order of
 * the subject's principal set, presumably the order login modules added them.
 * Only the first member of the CallerPrincipal group is looked at; extra members are
 * ignored.
 *
 * @param subject the authenticated subject, may be {@code null}
 * @return the caller principal, or {@code null} when none can be determined
 */
protected Principal getPrincipal(Subject subject) {
    Principal fallback = null;
    if (subject != null) {
        Set<Principal> principals = subject.getPrincipals();
        if (principals != null) {
            for (Principal candidate : principals) {
                if (!(candidate instanceof Group)) {
                    if (fallback == null) {
                        fallback = candidate;
                    }
                    continue;
                }
                Group group = (Group) candidate;
                if (!group.getName().equals(SecurityConstants.CALLER_PRINCIPAL_GROUP)) {
                    continue;
                }
                Enumeration<? extends Principal> members = group.members();
                if (members.hasMoreElements()) {
                    // The CallerPrincipal group overrides the non-group fallback
                    Principal member = members.nextElement();
                    if (member != null) {
                        return member;
                    }
                }
            }
        }
    }
    return fallback;
}
 
Example #13
Source File: SecurityInfoHelper.java    From keycloak with Apache License 2.0 6 votes vote down vote up
/**
 * Picks the authenticated identity out of a {@link Subject}: the first member of a
 * non-empty {@code SecurityConstants.CALLER_PRINCIPAL_GROUP} group if there is one,
 * otherwise the first principal that is not a {@link Group}. Ordering follows the
 * subject's principal set, presumably the order login modules added entries. Only the
 * first member of the CallerPrincipal group is considered.
 *
 * @param subject the authenticated subject, may be {@code null}
 * @return the caller principal, or {@code null} when none can be determined
 */
protected static Principal getPrincipal(Subject subject) {
    if (subject == null) {
        return null;
    }
    Set<Principal> principals = subject.getPrincipals();
    if (principals == null) {
        return null;
    }
    Principal fallback = null;
    for (Principal candidate : principals) {
        if (candidate instanceof Group) {
            Principal callerFromGroup = firstCallerPrincipalMember((Group) candidate);
            if (callerFromGroup != null) {
                return callerFromGroup;
            }
        } else if (fallback == null) {
            fallback = candidate;
        }
    }
    return fallback;
}

/**
 * First member of {@code group} when it is the CallerPrincipal group and has at least
 * one member; {@code null} for any other group or an empty one.
 */
private static Principal firstCallerPrincipalMember(Group group) {
    if (!group.getName().equals(SecurityConstants.CALLER_PRINCIPAL_GROUP)) {
        return null;
    }
    Enumeration<? extends Principal> members = group.members();
    return members.hasMoreElements() ? members.nextElement() : null;
}
 
Example #14
Source File: JBossAuthorizationManager.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Get the Subject roles by looking for a Group called ROLES_IDENTIFIER ('Roles').
 * The name match is exact and case-sensitive. If several such groups exist the last
 * one encountered wins, and because {@code Subject.getPrincipals(Class)} returns a
 * Set with no defined iteration order, which one that is cannot be relied upon.
 * @param theSubject - the Subject to search for roles
 * @return the Group containing the subject roles if found, null otherwise
 */
private Group getGroupFromSubject(Subject theSubject)
{
   if(theSubject == null)
      throw PicketBoxMessages.MESSAGES.invalidNullArgument("theSubject");
   Group rolesGroup = null;
   for (Group candidate : theSubject.getPrincipals(Group.class))
   {
      if (candidate.getName().equals(ROLES_IDENTIFIER))
         rolesGroup = candidate;
   }
   return rolesGroup;
}
 
Example #15
Source File: JBossSecurityContextUtil.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Store a value in the security context under {@code key}. The two well-known keys
 * are type-checked so that a caller cannot smuggle an arbitrary object in as the
 * run-as identity (must be a RunAsIdentity) or as the role set (must be a Group).
 * The run-as key is routed to setRunAsIdentity; everything else goes into the
 * context's data map. A null value under the run-as key reaches setRunAsIdentity
 * unchecked — presumably that clears the run-as identity; confirm in the setter.
 * @param key the context key, must not be null
 * @param obj the value, may be null
 */
@Override
public <T> void set(String key, T obj)
{   
   validateSecurityContext();
   if (key == null)
      throw PicketBoxMessages.MESSAGES.invalidNullArgument("key");
   boolean isRunAsKey = RUNAS_IDENTITY_IDENTIFIER.equals(key);
   if (obj != null)
   {
      if (isRunAsKey && !(obj instanceof RunAsIdentity))
         throw PicketBoxMessages.MESSAGES.invalidType(RunAsIdentity.class.getName());
      if (ROLES_IDENTIFIER.equals(key) && !(obj instanceof Group))
         throw PicketBoxMessages.MESSAGES.invalidType(Group.class.getName());
   }
   if (isRunAsKey)
      setRunAsIdentity((RunAsIdentity) obj);
   else
      securityContext.getData().put(key, obj);
}
 
Example #16
Source File: PicketBoxAuthorizationModule.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Permit access when the authenticated subject holds at least one of the roles this
 * module was configured with, deny otherwise (no "Roles" group, an empty group, or
 * no overlap with the configured set all fail closed).
 *
 * <p>Roles are read from the subject's groups whose name matches "Roles" ignoring
 * case — note this is more lenient than the exact-match lookups used elsewhere, so a
 * group named "roles" would also be honoured here. Members are compared to the
 * configured role set by principal name.
 *
 * @param resource the resource being accessed; not consulted by this check
 * @return AuthorizationContext.PERMIT or AuthorizationContext.DENY
 */
public int authorize(Resource resource)
{ 
   for (Principal candidate : subject.getPrincipals())
   {
      if (!(candidate instanceof Group))
         continue;
      Group group = (Group) candidate;
      if (!group.getName().equalsIgnoreCase("Roles"))
         continue;
      Enumeration<? extends Principal> members = group.members();
      while (members.hasMoreElements())
      {
         // The first configured role found on the subject is enough to permit
         if (rolesSet.contains(members.nextElement().getName()))
            return AuthorizationContext.PERMIT;
      }
   }
   return AuthorizationContext.DENY;
}
 
Example #17
Source File: UniversalLoginModule.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Find or create a Group with the given name: the first group in the principal set
 * whose name equals {@code name} (exact, case-sensitive match) is returned; when
 * there is none a new SimpleGroup is created and added to the set. Used to obtain
 * the 'Roles' group and any additional group types this module populates.
 *
 * @param name       the group name to look up or create
 * @param principals the subject's principal set, extended when a group is created
 * @return A named Group from the principals set, never null.
 */
private Group createGroup(String name, Set<Principal> principals) {
    Group found = null;
    for (Principal candidate : principals) {
        if (!(candidate instanceof Group)) {
            continue;
        }
        if (((Group) candidate).getName().equals(name)) {
            found = (Group) candidate;
            break;
        }
    }
    if (found != null) {
        return found;
    }
    // Nothing under that name yet: create it and publish it via the principal set
    SimpleGroup created = new SimpleGroup(name);
    principals.add(created);
    return created;
}
 
Example #18
Source File: LdapExtLoginModule.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 Return the Groups that correspond to the role sets assigned to the user. Subclasses
 should create at least a Group named "Roles" that contains the roles assigned to
 the user. A second common group is "CallerPrincipal" that provides the application
 identity of the user rather than the security domain identity.

 SECURITY-225: when an earlier login module in the stack already authenticated the
 user (the password was not validated here and the identity is not the
 unauthenticated one), this module still performs the LDAP lookup and role mapping
 before returning. The credential handed to createLdapInitContext is null in that
 path because the user's password is not available here; presumably the configured
 bind DN/credential is used for the lookup instead — confirm in createLdapInitContext.
 Any failure during that lookup surfaces as a LoginException carrying the cause.

 @return Group[] containing the sets of roles (the single userRoles group)
 @throws LoginException if the LDAP role lookup for a pre-authenticated user fails
 */
protected Group[] getRoleSets() throws LoginException
{
   boolean authenticatedByEarlierModule = !isPasswordValidated && getIdentity() != unauthenticatedIdentity;
   if (authenticatedByEarlierModule)
      mapRolesForPreAuthenticatedUser();
   return new Group[] {userRoles};
}

/**
 Look the user up in LDAP without a user credential and run defaultRole() to
 populate the role set; any exception is wrapped in a LoginException.
 @throws LoginException wrapping whatever the lookup threw
 */
private void mapRolesForPreAuthenticatedUser() throws LoginException
{
   try
   {
      String username = getUsername();
      PicketBoxLogger.LOGGER.traceBindingLDAPUsername(username);
      createLdapInitContext(username, null);
      defaultRole();
   }
   catch (Exception e)
   {
      LoginException le = new LoginException();
      le.initCause(e);
      throw le;
   }
}
 
Example #19
Source File: Users.java    From lams with GNU General Public License v2.0 6 votes vote down vote up
/**
 * Return the names of the members of the role group registered under
 * {@code roleGroup}, in the order the group enumerates them. An unknown group
 * name yields an empty array rather than null.
 * @param roleGroup the key of the group in roleGroups
 * @return the member names, possibly empty, never null
 */
public String[] getRoleNames(String roleGroup)
{
   Group group = roleGroups.get(roleGroup);
   if (group == null)
      return new String[0];
   ArrayList<String> collected = new ArrayList<String>();
   for (Enumeration<? extends Principal> members = group.members(); members.hasMoreElements();)
      collected.add(members.nextElement().getName());
   return collected.toArray(new String[collected.size()]);
}
 
Example #20
Source File: DeploymentRolesMappingProvider.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Obtains the deployment roles via the context map and applies them to the
 * mappedObject, which is then published through {@code result}.
 *
 * <p>The map must carry the caller principal, the deployment's principal-to-roles
 * map and the subject's principal set under the SecurityConstants keys; the
 * unchecked casts trust those entries, which are presumably populated by the
 * security framework rather than by caller-controlled input. With no mapping
 * entries the mappedObject is returned as is. Otherwise the principal and every
 * non-Group principal of the subject are run through mapGroup; if the principal
 * also appears in the subject's set it is mapped twice, which presumably is
 * harmless — confirm against mapGroup.
 *
 * @param contextMap   the mapping context; must not be null or empty
 * @param mappedObject the RoleGroup to extend with the deployment roles
 * @see MappingProvider#performMapping(Map, Object)
 */
@SuppressWarnings("unchecked")
public void performMapping(Map<String,Object> contextMap, RoleGroup mappedObject)
{  
   if (contextMap == null || contextMap.isEmpty())
      throw PicketBoxMessages.MESSAGES.invalidNullArgument("contextMap");

   Principal principal = (Principal) contextMap.get(SecurityConstants.PRINCIPAL_IDENTIFIER);
   Map<String,Set<String>> principalRolesMap = (Map<String,Set<String>>) contextMap.get(SecurityConstants.DEPLOYMENT_PRINCIPAL_ROLES_MAP);
   Set<Principal> subjectPrincipals = (Set<Principal>) contextMap.get(SecurityConstants.PRINCIPALS_SET_IDENTIFIER);
   PicketBoxLogger.LOGGER.debugMappingProviderOptions(principal, principalRolesMap, subjectPrincipals);

   boolean haveMappings = principalRolesMap != null && !principalRolesMap.isEmpty();
   if (haveMappings)
   {
      if (principal != null)
         mappedObject = mapGroup(principal, principalRolesMap, mappedObject);
      if (subjectPrincipals != null)
      {
         for (Principal candidate : subjectPrincipals)
         {
            // Groups carry roles, not identities, so they are not mapped
            if (!(candidate instanceof Group))
               mappedObject = mapGroup(candidate, principalRolesMap, mappedObject);
         }
      }
   }
   result.setMappedObject(mappedObject);
}
 
Example #21
Source File: JBossWebPrincipalFactory.java    From keycloak with Apache License 2.0 5 votes vote down vote up
/**
 * Wraps the given role names in a single {@link SimpleGroup} named "Roles", each role
 * becoming a {@link SimplePrincipal} member, and returns it as a one-element array.
 * Role names are used verbatim (no trimming or case folding).
 *
 * @param roleSet the role names granted to the user
 * @return a one-element array holding the "Roles" group
 */
protected Group[] getRoleSets(Collection<String> roleSet) {
    SimpleGroup rolesGroup = new SimpleGroup("Roles");
    for (String roleName : roleSet) {
        rolesGroup.addMember(new SimplePrincipal(roleName));
    }
    return new Group[] {rolesGroup};
}
 
Example #22
Source File: DatabaseServerLoginModule.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/** Execute the rolesQuery against the dsJndiName to obtain the roles for
 the authenticated user. The query is delegated to Util.getRoleSets together
 with the user name; presumably it binds the name as a statement parameter
 rather than concatenating it — confirm in Util before trusting user-controlled
 names. Without a configured rolesQuery no roles are assigned at all (fail closed).

 @return Group[] containing the sets of roles, empty when no rolesQuery is set
 @throws LoginException if the role lookup fails
 */
protected Group[] getRoleSets() throws LoginException
{
   if (rolesQuery == null)
      return new Group[0];
   String username = getUsername();
   PicketBoxLogger.LOGGER.traceExecuteQuery(rolesQuery, username);
   return Util.getRoleSets(username, dsJndiName, txManagerJndiName, rolesQuery, this, suspendResume);
}
 
Example #23
Source File: AbstractPrincipalMappingProvider.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Principal mapping applies to plain principals only: any {@link Principal} subtype is
 * supported except {@link Group} and its subtypes, which represent role sets rather
 * than identities and are not handled by this provider.
 *
 * @param p the type a caller wants mapped; must not be null
 * @return true for non-group Principal types, false otherwise
 * @see MappingProvider#supports(Class)
 */
public boolean supports(Class<?> p)
{
   boolean isPrincipal = Principal.class.isAssignableFrom(p);
   boolean isGroup = Group.class.isAssignableFrom(p);
   return isPrincipal && !isGroup;
}
 
Example #24
Source File: AnonLoginModule.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Override to return an empty Roles set: an anonymous login yields a 'Roles' group
 * with no members, so the subject is authenticated but authorized for nothing.
 * @return an array containing an empty 'Roles' Group.
 */
protected Group[] getRoleSets() throws LoginException
{
   Group emptyRoles = new SimpleGroup("Roles");
   return new Group[] {emptyRoles};
}
 
Example #25
Source File: SimpleRoleGroup.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Build a SimpleRoleGroup named after {@code rolesGroup}, turning every member of
 * the group into a SimpleRole by name. Only the names are carried over; the member
 * principals themselves are not retained.
 * @param rolesGroup the 'Roles' Group to convert; must not be null
 */
public SimpleRoleGroup(Group rolesGroup)
{
   super(rolesGroup.getName());
   for (Enumeration<? extends Principal> members = rolesGroup.members(); members.hasMoreElements();)
   {
      addRole(new SimpleRole(members.nextElement().getName()));
   }
}
 
Example #26
Source File: JBossAuthorizationManager.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Authorize access to {@code resource} for {@code subject} holding the roles in
 * {@code roleGroup}. The resource is validated first, the Group is converted to the
 * internal RoleGroup form (getRoleGroup rejects a null roleGroup) and the decision
 * is delegated to internalAuthorization.
 * @see AuthorizationManager#authorize(Resource, Subject, Group)
 * @return the result of internalAuthorization
 * @throws AuthorizationException if the check fails
 */
public int authorize(Resource resource, Subject subject, 
      Group roleGroup) throws AuthorizationException
{ 
   this.validateResource(resource);
   RoleGroup roles = getRoleGroup(roleGroup);
   return internalAuthorization(resource, subject, roles);
}
 
Example #27
Source File: CurrentUserContext.java    From taskana with Apache License 2.0 5 votes vote down vote up
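/**
 * Returns the group ids of the caller, taken from the {@link Group} principals of the
 * JAAS {@link Subject} on the current access-control context. Each group's name is
 * normalised through {@code convertAccessId}; groups with a null name are skipped.
 *
 * @return the converted group ids in the order the subject's group set yields them
 *         (no ordering is guaranteed), or an empty list when there is no subject
 */
public static List<String> getGroupIds() {
  Subject subject = Subject.getSubject(AccessController.getContext());
  // Never log the Subject object itself: Subject.toString() renders its private
  // credentials (passwords, tokens — whatever their toString() reveals) whenever the
  // caller is allowed to read them, which would copy secrets into the trace log.
  // Only presence is logged here; the groups are logged below.
  LOGGER.trace("Subject of caller present: {}", subject != null);
  if (subject != null) {
    Set<Group> groups = subject.getPrincipals(Group.class);
    LOGGER.trace("Public groups of caller: {}", groups);
    return groups.stream()
        .map(Principal::getName)
        .filter(Objects::nonNull)
        .map(CurrentUserContext::convertAccessId)
        .collect(Collectors.toList());
  }
  LOGGER.trace("No groupIds found in subject!");
  return Collections.emptyList();
}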
 
Example #28
Source File: JBossAuthorizationManager.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Copy the member names of {@code toCopy} into {@code source} as SimpleRoles.
 * A null {@code toCopy} leaves {@code source} untouched; a null {@code source}
 * is replaced by a fresh empty RoleGroup before copying.
 * @param source the RoleGroup receiving the roles, may be null
 * @param toCopy the Group whose member names become roles, may be null
 * @return the populated RoleGroup: the given source, the newly created one, or
 *         null when both arguments were null
 */
private RoleGroup copyGroups(RoleGroup source, Group toCopy)
{
   if (toCopy == null)
      return source;
   RoleGroup target = (source != null) ? source : this.getEmptyRoleGroup();
   Enumeration<? extends Principal> members = toCopy.members();
   while (members.hasMoreElements())
      target.addRole(new SimpleRole(members.nextElement().getName()));
   return target;
}
 
Example #29
Source File: JBossAuthorizationManager.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Convert a JAAS Group into the internal RoleGroup representation, carrying the
 * group name and one SimpleRole per member name. Nothing about the member
 * principals other than their names is kept.
 * @param roleGroup the Group to convert; must not be null
 * @return the equivalent SimpleRoleGroup
 */
private RoleGroup getRoleGroup(Group roleGroup)
{
   if (roleGroup == null)
      throw PicketBoxMessages.MESSAGES.invalidNullArgument("roleGroup");
   SimpleRoleGroup converted = new SimpleRoleGroup(roleGroup.getName());
   for (Enumeration<? extends Principal> members = roleGroup.members(); members.hasMoreElements();)
      converted.addRole(new SimpleRole(members.nextElement().getName()));
   return converted;
}
 
Example #30
Source File: AbstractRolesMappingProvider.java    From lams with GNU General Public License v2.0 5 votes vote down vote up
/**
 * Resolve the caller principal from the mapping context map. The explicit entry under
 * SecurityConstants.PRINCIPAL_IDENTIFIER wins when present. Otherwise the principal
 * set under SecurityConstants.PRINCIPALS_SET_IDENTIFIER is scanned: the first member
 * of a non-empty CallerPrincipal group is preferred, falling back to the first
 * principal that is not a Group. Only the group's first member is considered, and
 * "first" follows the set's iteration order.
 * @param map the mapping context
 * @return the caller principal, or null when neither entry yields one
 */
protected Principal getCallerPrincipal(Map<String, Object> map)
{
   Principal explicit = (Principal) map.get(SecurityConstants.PRINCIPAL_IDENTIFIER);
   if (explicit != null)
      return explicit;
   @SuppressWarnings("unchecked")
   Set<Principal> principals = (Set<Principal>) map.get(SecurityConstants.PRINCIPALS_SET_IDENTIFIER);
   if (principals == null || principals.isEmpty())
      return null;
   Principal firstNonGroup = null;
   for (Principal candidate : principals)
   {
      if (!(candidate instanceof Group))
      {
         if (firstNonGroup == null)
            firstNonGroup = candidate;
         continue;
      }
      Group group = (Group) candidate;
      if (group.getName().equals(SecurityConstants.CALLER_PRINCIPAL_GROUP))
      {
         Enumeration<? extends Principal> members = group.members();
         if (members.hasMoreElements())
         {
            // A populated CallerPrincipal group overrides the non-group fallback
            Principal member = members.nextElement();
            if (member != null)
               return member;
         }
      }
   }
   return firstNonGroup;
}