Package org.jboss.security

Examples of org.jboss.security.SecurityContext


                        break;
                    }
                }
            }

            SecurityContext sc = SecurityActions.getSecurityContext();
            AbstractWebAuthorizationHelper helper = null;
            try {
                helper = SecurityHelperFactory.getWebAuthorizationHelper(sc);
            } catch (Exception e) {
                WebLogger.WEB_SECURITY_LOGGER.noAuthorizationHelper(e);
            }
            Subject callerSubject = sc.getUtil().getSubject();
            if (callerSubject == null) {
                // During hasResourcePermission check, Catalina calls hasRole. But we have not established
                // a subject yet in the security context. So we will get the subject from the cached principal
                callerSubject = getSubjectFromRequestPrincipal(principal);
            }


        if (ok && useJBossAuthorization) {
            Map<String, Object> map = new HashMap<String, Object>();
            map.put("securityConstraints", constraints);
            map.put(ResourceKeys.USERDATA_PERM_CHECK, Boolean.TRUE);

            SecurityContext sc = SecurityActions.getSecurityContext();
            AbstractWebAuthorizationHelper helper = null;
            try {
                helper = SecurityHelperFactory.getWebAuthorizationHelper(sc);
            } catch (Exception e) {
                WebLogger.WEB_SECURITY_LOGGER.noAuthorizationHelper(e);
            }

            Subject callerSubject = sc.getUtil().getSubject();
            // JBAS-6419:CallerSubject has no bearing on the user data permission check
            if (callerSubject == null)
                callerSubject = new Subject();

            ok = helper.hasUserDataPermission(map, request, response, PolicyContext.getContextID(), callerSubject,

        HttpSession hsession = request.getSession(false);

        WebLogger.WEB_SECURITY_LOGGER.tracef("Begin invoke, caller=" + caller);

        boolean createdSecurityContext = false;
        SecurityContext sc = SecurityActions.getSecurityContext();
        if (sc == null) {
            createdSecurityContext = true;
            String securityDomain = SecurityUtil.unprefixSecurityDomain(metaData.getSecurityDomain());
            if (securityDomain == null)
                securityDomain = SecurityConstants.DEFAULT_WEB_APPLICATION_POLICY;
            sc = SecurityActions.createSecurityContext(securityDomain);
            SecurityActions.setSecurityContextOnAssociation(sc);
        }

        try {
            Wrapper servlet = null;
            try {
                servlet = request.getWrapper();
                if (servlet != null) {
                    String name = servlet.getName();
                    RunAsIdentityMetaData identity = metaData.getRunAsIdentity(name);
                    RunAsIdentity runAsIdentity = null;
                    if (identity != null) {
                        WebLogger.WEB_SECURITY_LOGGER.tracef(name + ", runAs: " + identity);
                        runAsIdentity = new RunAsIdentity(identity.getRoleName(), identity.getPrincipalName(),
                                identity.getRunAsRoles());
                    }
                    SecurityActions.pushRunAsIdentity(runAsIdentity);
                }

                // If there is a session, get the tomcat session for the principal
                Manager manager = container.getManager();
                if (manager != null && hsession != null) {
                    try {
                        session = manager.findSession(hsession.getId());
                    } catch (IOException ignore) {
                    }
                }

                if (caller == null || !(caller instanceof JBossGenericPrincipal)) {
                    // Look to the session for the active caller security context
                    if (session != null) {
                        principal = (JBossGenericPrincipal) session.getPrincipal();
                    }
                    if (principal == null) {
                        Session sessionInternal = request.getSessionInternal(false);
                        if (sessionInternal != null) {
                           principal = (JBossGenericPrincipal) sessionInternal.getNote(Constants.FORM_PRINCIPAL_NOTE);
                        }
                    }
                } else {
                    // Use the request principal as the caller identity
                    principal = (JBossGenericPrincipal) caller;
                }

                // If there is a caller use this as the identity to propagate
                if (principal != null) {
                    WebLogger.WEB_SECURITY_LOGGER.tracef("Restoring principal info from cache");
                    if (createdSecurityContext) {
                        sc.getUtil().createSubjectInfo(principal.getUserPrincipal(), principal.getCredentials(),
                                principal.getSubject());
                    }
                }
            } catch (Throwable e) {
                //TODO:decide whether to log this as info or warn

    }

    private static SecurityContext establishSecurityContext(final String securityDomain) {
        // Do not use SecurityFactory.establishSecurityContext, its static init is broken.
        try {
            final SecurityContext securityContext = SecurityContextFactory.createSecurityContext(securityDomain);
            SecurityContextAssociation.setSecurityContext(securityContext);
            return securityContext;
        } catch (Exception e) {
            throw new SecurityException(e);
        }

            throw new SecurityException(e);
        }
    }

    /**
     * Resolves the principal that the current call is attributed to.
     * <p>
     * An incoming run-as identity on the security context takes precedence. Only when none is set is the
     * principal derived from the authenticated subject held in the context's subject info, so callers that
     * use this value for authorization or audit see the run-as identity rather than the authenticated user
     * whenever a run-as is in effect.
     *
     * @return the caller principal, never {@code null}
     * @throws IllegalStateException if no security context is established or no principal can be resolved
     */
    public Principal getCallerPrincipal() {
        final SecurityContext context = doPrivileged(securityContext());
        if (context == null) {
            throw new IllegalStateException("No security context established");
        }

        // The original kept a commented-out variant that read the subject via getUtil().getSubject();
        // the live code consults the incoming run-as first.
        final Principal incomingRunAs = context.getIncomingRunAs();
        if (incomingRunAs != null) {
            return incomingRunAs;
        }

        // NOTE(review): getSubjectInfo() is dereferenced without a null check - confirm it is always populated.
        final Principal fromSubject = getPrincipal(context.getSubjectInfo().getAuthenticatedSubject());
        if (fromSubject == null) {
            throw new IllegalStateException("No principal available");
        }
        return fromSubject;
    }

     *
     * @param roleNames
     * @return true if the user is in any one of the roles listed
     */
    public boolean isCallerInRole(final String... roleNames) {
        final SecurityContext securityContext = doPrivileged(securityContext());
        if (securityContext == null)
            throw new IllegalStateException("No security context established");

        RoleGroup roleGroup = null;

        RunAs runAs = securityContext.getIncomingRunAs();
        if (runAs != null && runAs instanceof RunAsIdentity) {
            RunAsIdentity runAsIdentity = (RunAsIdentity) runAs;
            roleGroup = runAsIdentity.getRunAsRolesAsRoleGroup();
        } else {

            AuthorizationManager am = securityContext.getAuthorizationManager();
            SecurityContextCallbackHandler scb = new SecurityContextCallbackHandler(securityContext);

            roleGroup = am.getSubjectRoles(securityContext.getSubjectInfo().getAuthenticatedSubject(), scb);
        }

        List<Role> roles = roleGroup.getRoles();

        // TODO - Review most performant way.

     * @param runAs
     * @param runAsPrincipal
     */
    public void push(final String securityDomain, final String runAs, final String runAsPrincipal) {
        // TODO - Handle a null securityDomain here?  Yes I think so.
        // Save whatever context is associated right now (possibly null) before a new one is established.
        final SecurityContext outer = SecurityContextAssociation.getSecurityContext();
        contexts.push(outer);

        final SecurityContext inner = establishSecurityContext(securityDomain);
        if (outer != null) {
            // The new context shares the caller's subject info, and the caller's outgoing run-as
            // becomes this context's incoming run-as.
            inner.setSubjectInfo(outer.getSubjectInfo());
            inner.setIncomingRunAs(outer.getOutgoingRunAs());
        }

        // An incoming RunAsIdentity is treated as a trusted identity, so authentication is skipped for it.
        // instanceof is false for null, so no separate null check is needed.
        final RunAs incoming = inner.getIncomingRunAs();
        final boolean trusted = incoming instanceof RunAsIdentity;

        // TODO - Set unauthenticated identity if no auth to occur
        // NOTE(review): the SecurityException below is thrown after contexts.push(...) has already run,
        // so the saved entry stays on the stack unless the caller pops it - confirm callers do so on failure.
        if (!trusted && !authenticate(inner)) {
            // TODO - Better type needed.
            throw new SecurityException("Invalid User");
        }

        if (runAs != null) {
            // An explicitly configured run-as replaces anything inherited from the caller.
            inner.setOutgoingRunAs(new RunAsIdentity(runAs, runAsPrincipal));
        } else if (outer != null && outer.getOutgoingRunAs() != null) {
            // Ensure the propagation continues.
            inner.setOutgoingRunAs(outer.getOutgoingRunAs());
        }
    }

    /**
     * Must be called from within a privileged action.
     */
    public void pop() {
        // Take the most recently saved context off the stack and make it the associated context again.
        // The saved value is passed on unchecked, so it may be null.
        SecurityContextAssociation.setSecurityContext(contexts.pop());
    }

    public void pushSecurityContext(final Subject subject, final Principal principal, final Object credential) {
        AccessController.doPrivileged(new PrivilegedAction<Void>() {

            public Void run() {
                SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
                if (securityContext == null) {
                    securityContext = createSecurityContext(subject, principal, credential, securityDomainContext.getAuthenticationManager().getSecurityDomain());
                } else {
                    securityContext.getUtil().createSubjectInfo(principal, credential, subject);
                }
                setSecurityContextOnAssociation(securityContext);
                return null;
            }
        });

      {
         Subject caller = this.establishSubjectContext(request.getPrincipal());

         PolicyRegistration policyRegistration = getPolicyRegistration();

         SecurityContext sc = SecurityAssociationActions.getSecurityContext();
         Map<String, Object> contextMap = new HashMap<String, Object>();
         contextMap.put(ResourceKeys.RESOURCE_PERM_CHECK, Boolean.TRUE);
         contextMap.put(ResourceKeys.POLICY_REGISTRATION, policyRegistration);
         contextMap.put("securityConstraints", securityConstraints);
