Package org.jboss.security

Examples of org.jboss.security.SecurityContext


     */
    protected ServerAuthenticationManager getServerAuthenticationManager() {
        ServerAuthenticationManager sam = null;
        // if the default authentication manager is to be used, just instantiate it.
        if (this.serverAuthenticationManagerClass ==  null) {
            SecurityContext context = SecurityActions.getSecurityContext();
            if (context != null) {
                WebLogger.WEB_SECURITY_LOGGER.debugf("Instantiating JASPI authentication manager with security domain %s",
                        context.getSecurityDomain());
                sam = new JASPIServerAuthenticationManager(context.getSecurityDomain(), new JBossCallbackHandler());
            }
            else {
                WebLogger.WEB_SECURITY_LOGGER.debugf("Security context is null, instantiating JASPI authentication manager with default domain");
                sam = new JASPIServerAuthenticationManager();
            }


            @Override
            public Object processInvocation(final InterceptorContext context) throws Exception {
                final InterceptorContext asyncInterceptorContext = context.clone();
                asyncInterceptorContext.putPrivateData(InvocationType.class, InvocationType.ASYNC);
                final CancellationFlag flag = new CancellationFlag();
                final SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
                final AsyncInvocationTask task = new AsyncInvocationTask( flag) {
                    @Override
                    protected Object runInvocation() throws Exception {
                        setSecurityContextOnAssociation(securityContext);
                        try {

      @SuppressWarnings("unchecked")
      public V call() throws Exception
      {
         // Get existing security context
         final SecurityContext oldSc = SecurityActions.getSecurityContext();

         try
         {
            // Set new sc
            SecurityActions.setSecurityContext(this.sc);

      // Get the ExecutorService
      final ExecutorService executorService = context.getAsynchronousExecutor();

      // Get the existing SecurityContext
      final SecurityContext sc = SecurityActions.getSecurityContext();

      // Copy the invocation (must be done for Thread safety, as we spawn this off and
      // subsequent calls can mess with the internal interceptor index
      final Invocation nextInvocation = invocation.copy();

    /**
     * Looks up the user principal of the security context returned by
     * {@code getSecurityContext()}.
     *
     * <p>The lookup runs inside {@code AccessController.doPrivileged}, so it is performed
     * with this class's own permissions rather than those of every caller on the stack.
     * The method is package-private; keep it that way so that code outside the package
     * cannot reach the privileged block.
     *
     * @return the principal reported by the context's util object, or {@code null} when
     *         no security context is available
     */
    static Principal getPrincipal() {
        return AccessController.doPrivileged(new PrivilegedAction<Principal>() {
            public Principal run() {
                final SecurityContext current = getSecurityContext();
                // Without a context there is no caller identity to report.
                if (current == null) {
                    return null;
                }
                return current.getUtil().getUserPrincipal();
            }
        });
    }

    /**
     * Looks up the credential held by the security context returned by
     * {@code getSecurityContext()}.
     *
     * <p>The lookup runs inside {@code AccessController.doPrivileged}, so it is performed
     * with this class's own permissions rather than those of every caller on the stack.
     * The method is package-private; widening it would hand the credential to any code
     * that can call it, without that code holding the permissions the privileged block
     * stands in for. The returned object is the credential itself: callers should not
     * log it or keep it longer than needed.
     *
     * @return the credential reported by the context's util object, or {@code null} when
     *         no security context is available
     */
    static Object getCredential() {
        return AccessController.doPrivileged(new PrivilegedAction<Object>() {
            public Object run() {
                final SecurityContext current = getSecurityContext();
                // Without a context there is no credential to hand back.
                if (current == null) {
                    return null;
                }
                return current.getUtil().getCredential();
            }
        });
    }

    *
    * @return subject
    */
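   protected Subject getCurrentSubject()
   {
      // Read the context inside a privileged block so the lookup uses this class's
      // own permissions rather than requiring them of every caller on the stack.
      SecurityContext securityContext = AccessController.doPrivileged(new PrivilegedAction<SecurityContext>()
      {
         public SecurityContext run()
         {
            return SecurityContextAssociation.getSecurityContext();
         }
      });
      // getSecurityContext() can presumably return null when no context has been
      // associated. Report "no subject" instead of failing with a NullPointerException.
      // Callers must treat a null return as an unauthenticated caller and deny access.
      if (securityContext == null)
      {
         return null;
      }
      return securityContext.getSubjectInfo().getAuthenticatedSubject();
   }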

      if(shelper.isEJBTimeOutCallback(method) ||
            shelper.containsTimeoutAnnotation(container, method) ||
            shelper.isMDB(container))
         return invocation.invokeNext();
      
      SecurityContext prevSC = SecurityActions.getSecurityContext();
      try
      {
         // See org.jboss.ejb3.security.client.SecurityClientInterceptor
         SecurityContext invSC = (SecurityContext) invocation.getMetaData("security","context");
        
         SecurityDomain domain = container.getAnnotation(SecurityDomain.class);
        
         boolean domainExists = domain != null && domain.value() != null
                       && domain.value().length() > 0;
         
         /**
          * TODO: Decide if you want to allow zero security based on non-availability
          * of a security domain, as per the configuration on the container
          */
         if(domainExists)
         { 
            String domainValue = canonicalizeSecurityDomain(domain.value());
           
            /* Need to establish the security context. For local calls, we pick the outgoing runas
             * of the existing sc. For remote calls, we create a new security context with the information
             * from the invocation sc
             */
            final SecurityContext sc = SecurityActions.createSecurityContext(domainValue);

            if(invSC == null)
            {
               if(prevSC == null)
               {
                  log.trace("Local Call: Security Context is null");
                  populateSecurityContext(sc, sc);
               }
               else
                  populateSecurityContext(sc, prevSC);
            }
            else
            {
               populateSecurityContext(sc, invSC);
            }
           
            SecurityActions.setSecurityContext(sc);
              
            //TODO: Need to get the SecurityManagement instance
            AccessController.doPrivileged(new PrivilegedExceptionAction<Object>()
            {
               public Object run() throws Exception
               {
                  sc.setSecurityManagement(getSecurityManagement());
                  return null;
               }
            });
           
             
            //Check if there is a RunAs configured and can be trusted
            EJBAuthenticationHelper helper = null;
            try
            {
               helper = SecurityHelperFactory.getEJBAuthenticationHelper(sc);
            }
            catch(Exception e)
            {
               throw new RuntimeException(e);
            }
            boolean trustedCaller = hasIncomingRunAsIdentity(sc) || helper.isTrusted();
            if(!trustedCaller)
            {
               Subject subject = new Subject();
               /**
                * Special Case: Invocation has no principal set,
                * but an unauthenticatedPrincipal has been configured in JBoss DD
                */
               Principal userPrincipal = sc.getUtil().getUserPrincipal();
               String unauthenticatedPrincipal = domain.unauthenticatedPrincipal();
               if(userPrincipal == null && unauthenticatedPrincipal !=null &&
                     unauthenticatedPrincipal.length() > 0)
               {
                  Identity unauthenticatedIdentity = new SimpleIdentity(unauthenticatedPrincipal);
                  sc.getSubjectInfo().addIdentity(unauthenticatedIdentity);
                  subject.getPrincipals().add(unauthenticatedIdentity.asPrincipal());
               }
               else
               {
                  //Authenticate the caller now

   /**
    * @see Interceptor#invoke(Invocation)
    */
   public Object invoke(Invocation invocation) throws Throwable
   {
      SecurityContext cachedContext = null;
     
      //Check for ejbTimeOut
      SecurityHelper shelper = new SecurityHelper();
      if(shelper.isEJBTimeOutCallback(((MethodInvocation) invocation).getMethod()))
         return invocation.invokeNext();
     
      SecurityContext sc = SecurityActions.getSecurityContext();
     
      cachedContext = sc;
    
      /**
       * An MDB always starts with a null security context coming in
       */
      if(container instanceof MessagingContainer)
      {
         sc = null;
      }
     
      if(sc == null)
      {
         SecurityDomain domain = (SecurityDomain)container.getAnnotation(SecurityDomain.class);
         if(domain != null)
         {
            sc = SecurityActions.createSecurityContext(domain.value());
            SecurityActions.setSecurityContext(sc);
        
      }

      if(sc != null)
      {
        if( runAsIdentity == null && SecurityActions.peekRunAs() != null )
        {
          // Preserve the RunAs identity if one already exists
          sc.setOutgoingRunAs(SecurityActions.peekRunAs());
        }
        else
        {
          sc.setOutgoingRunAs(runAsIdentity);
        }
      }
     
      try
      {

         throw new IllegalStateException(e);
      }
      Group subjectRoles = getSubjectRoles(subject);
     
      //Deal with the security context
      SecurityContext sc = SubjectActions.getSecurityContext();
      if(sc == null)
      {
         sc = new JBossSecurityContext(securityDomain);
         SubjectActions.setSecurityContext(sc);  
      }

      Group userRoles = (Group)sc.getData().get(ROLES_IDENTIFIER);
      if(userRoles == null || "true".equalsIgnoreCase(SubjectActions.getRefreshSecurityContextRoles()))
         emptyContextRoles = true;
      userRoles = copyGroups(userRoles, subjectRoles);
     
      /**
       * Update the roles in the SecurityContext and
       * allow mapping rules be applied only if the SC roles
       * and the subject roles are not the same
       */
      if(subjectRoles != userRoles || emptyContextRoles)
      {
         MappingManager mm = sc.getMappingManager();
         MappingContext mc = mm.getMappingContext(Group.class);
         Group mappedUserRoles = userRoles;
         if(mc != null)
         {
            Map contextMap = new HashMap();
            contextMap.put(SecurityConstants.ROLES_IDENTIFIER, userRoles);
            contextMap.put(SecurityConstants.PRINCIPAL_IDENTIFIER, principal);
            //Append any deployment role->principals configuration done by the user
            contextMap.put(SecurityConstants.DEPLOYMENT_PRINCIPAL_ROLES_MAP,
                  SecurityRolesAssociation.getSecurityRoles());
           
            //Append the principals also
            contextMap.put(SecurityConstants.PRINCIPALS_SET_IDENTIFIER, subject.getPrincipals());
            if(trace)
               log.trace("Roles before mapping:"+ userRoles);
            mc.performMapping(contextMap, userRoles);
            mappedUserRoles = (Group) mc.getMappingResult().getMappedObject();
            if(trace)
               log.trace("Roles after mapping:"+ userRoles);
         }
         sc.getData().put(ROLES_IDENTIFIER, mappedUserRoles);
      }

      //Send the final processed (mapping applied) roles
      return userRoles;
   }
