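package com.sun.enterprise.security.auth;

import java.util.Set;
import java.util.Iterator;
import java.util.logging.*;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import sun.security.x509.X500Name;
import com.sun.logging.*;
import com.sun.enterprise.iiop.security.GSSUPName;
import com.sun.enterprise.iiop.security.AnonCredential;
import com.sun.enterprise.security.SecurityContext;
import com.sun.enterprise.security.auth.login.PasswordCredential;
import com.sun.enterprise.security.auth.login.X509CertificateCredential;
import com.sun.enterprise.security.auth.login.ServerLoginCallbackHandler;
import com.sun.enterprise.security.LoginException;
import com.sun.enterprise.security.auth.realm.Realm;
import com.sun.enterprise.security.Audit;
import com.sun.enterprise.security.auth.realm.certificate.CertificateRealm;
import com.sun.enterprise.security.audit.AuditManagerFactory;
import com.sun.enterprise.security.audit.AuditManager;

import com.sun.enterprise.security.ClientSecurityContext;
import com.sun.enterprise.appclient.AppContainer;

/**
 * Drives JAAS {@link LoginContext} logins for the server and for the
 * application client container.
 *
 * <p>Server side: a {@link Subject} is populated with one credential object
 * (password, X.509 certificate, GSSUP name, X.500 name, or anonymous), the
 * realm's JAAS login module is run where applicable, the outcome is recorded
 * with the {@link AuditManager}, and the resulting {@link SecurityContext} is
 * installed as the current one.
 *
 * <p>Client side: {@link #doClientLogin} runs the app-client JAAS
 * configuration entries and installs a {@link ClientSecurityContext}.
 *
 * <p>The {@code LoginException} used throughout is
 * {@link com.sun.enterprise.security.LoginException}; the code relies on it
 * being unchecked (it is thrown from {@code PrivilegedAction.run()} and from
 * methods that do not declare it). Checked
 * {@link javax.security.auth.login.LoginException}s coming out of JAAS are
 * wrapped into it with the original as cause.
 *
 * <p>The class only holds static methods and cannot be instantiated.
 * Raw types and anonymous {@code PrivilegedAction}s are kept on purpose:
 * the file does not use Java 5 language features elsewhere.
 */
public class LoginContextDriver {

    private static final Logger _logger =
        LogDomains.getLogger(LogDomains.SECURITY_LOGGER);

    /**
     * Callback handler handed to every server-side JAAS login. The Subject
     * already carries the credential when the login module runs; what the
     * handler does with callbacks is defined by ServerLoginCallbackHandler.
     */
    private static final ServerLoginCallbackHandler dummyCallback =
        new ServerLoginCallbackHandler();

    /** JAAS configuration entry names used by the application client. */
    private static final String CLIENT_JAAS_PASSWORD = "default";
    private static final String CLIENT_JAAS_CERTIFICATE = "certificate";

    public static String CERT_REALMNAME = "certificate";

    /**
     * Audit sink consulted after every authentication attempt.
     * NOTE(review): public and non-final, so any code running in the VM could
     * replace it and silence auditing. Left writable to keep the public
     * interface; making it {@code final} is recommended if no writer exists.
     */
    public static AuditManager AUDIT_MANAGER =
        AuditManagerFactory.getAuditManagerInstance();

    /** Not instantiable: all members are static. */
    private LoginContextDriver() {
    }

    /**
     * Authenticates {@code username}/{@code password} against
     * {@code realmName} and installs the resulting security context as the
     * current {@link SecurityContext}.
     *
     * <p>A {@code null} or unknown realm name (per
     * {@link Realm#isValidRealm}) is replaced by {@link Realm#getDefaultRealm()}.
     *
     * @param username  user to authenticate
     * @param password  clear-text password; never logged by this class
     * @param realmName realm to authenticate against, may be {@code null}
     * @throws LoginException if the JAAS login fails (unchecked)
     */
    public static void login(String username, String password, String realmName) {
        if (realmName == null || !Realm.isValidRealm(realmName)) {
            realmName = Realm.getDefaultRealm();
        }
        Subject subject = newSubjectWithPasswordCredential(username, password, realmName);
        LoginContextDriver.login(subject, PasswordCredential.class);
    }

    /**
     * Builds a fresh Subject whose only private credential is a
     * {@link PasswordCredential} for the given user, password and realm.
     *
     * <p>The add runs under {@code doPrivileged}: modifying a Subject's
     * private credential set is permission-checked when a SecurityManager is
     * installed, and callers of this class need not hold that permission.
     */
    private static Subject newSubjectWithPasswordCredential(String username,
            String password, String realmName) {
        final Subject fs = new Subject();
        final PasswordCredential pc =
            new PasswordCredential(username, password, realmName);

        AccessController.doPrivileged(new PrivilegedAction() {
            public java.lang.Object run() {
                fs.getPrivateCredentials().add(pc);
                return fs;
            }
        });
        return fs;
    }

    /**
     * Dispatches a login on {@code subject} according to the credential
     * class it is expected to carry.
     *
     * @param subject Subject holding the credential (private set for
     *                {@link PasswordCredential}, public set otherwise)
     * @param cls     one of {@link PasswordCredential},
     *                {@link X509CertificateCredential}, {@link AnonCredential},
     *                {@link GSSUPName} or {@link X500Name}
     * @throws LoginException if {@code cls} is not one of the supported
     *                        credential types, or if the specific login fails
     */
    public static void login(Subject subject, Class cls) throws LoginException {
        if (_logger.isLoggable(Level.FINEST)) {
            _logger.log(Level.FINEST,
                "Processing login with credentials of type: " + cls.toString());
        }

        if (cls.equals(PasswordCredential.class)) {
            doPasswordLogin(subject);
        } else if (cls.equals(X509CertificateCredential.class)) {
            doCertificateLogin(subject);
        } else if (cls.equals(AnonCredential.class)) {
            doAnonLogin();
        } else if (cls.equals(GSSUPName.class)) {
            doGSSUPLogin(subject);
        } else if (cls.equals(X500Name.class)) {
            doX500Login(subject);
        } else {
            _logger.log(Level.INFO, "java_security.unknown_credential",
                cls.toString());
            throw new LoginException("Unknown credential type, cannot login.");
        }
    }

    /**
     * Installs a security context for {@code username} WITHOUT running any
     * JAAS login: the Subject is populated with a PrincipalImpl and a
     * {@link GSSUPName} and set as current. The caller is therefore
     * responsible for having authenticated the user already; this method
     * trusts the name it is given.
     *
     * <p>Note that, unlike {@link #login(String, String, String)}, only a
     * {@code null} or empty realm name falls back to the default realm; an
     * unknown realm name is used as given.
     *
     * @param username  already-authenticated user name
     * @param realmName realm name, may be {@code null} or empty
     * @throws LoginException declared for API symmetry; not thrown by the
     *                        visible code
     */
    public static void loginPrincipal(String username, String realmName)
            throws LoginException {
        if (realmName == null || realmName.length() == 0) {
            realmName = Realm.getDefaultRealm();
        }

        final Subject s = new Subject();
        final com.sun.enterprise.deployment.PrincipalImpl p =
            new com.sun.enterprise.deployment.PrincipalImpl(username);
        final GSSUPName name = new GSSUPName(username, realmName);

        AccessController.doPrivileged(new PrivilegedAction() {
            public java.lang.Object run() {
                s.getPrincipals().add(p);
                s.getPublicCredentials().add(name);
                return null;
            }
        });

        setSecurityContext(username, s, realmName);
    }

    /**
     * Clears the current server {@link SecurityContext}.
     *
     * @throws LoginException declared for API symmetry; not thrown by the
     *                        visible code
     */
    public static void logout() throws LoginException {
        unsetSecurityContext();
    }

    /**
     * Password login: takes the {@link PasswordCredential} from the Subject's
     * private credentials, runs the realm's JAAS module, audits the outcome
     * and installs the security context on success.
     *
     * @param subject Subject carrying exactly the password credential to use
     * @throws LoginException if no password credential is present, the realm
     *                        cannot be resolved, or the login module refuses
     */
    private static void doPasswordLogin(Subject subject) throws LoginException {
        Object obj = getPrivateCredentials(subject, PasswordCredential.class);
        assert obj != null;

        PasswordCredential p = (PasswordCredential) obj;
        String user = p.getUser();
        String pwd = p.getPassword();
        String realm = p.getRealm();
        String jaasCtx = getJaasContext(realm);

        assert user != null;
        assert pwd != null;
        assert realm != null;
        assert jaasCtx != null;

        doJaasLogin(user, realm, jaasCtx, subject);

        setSecurityContext(user, subject, realm);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Set security context as user: " + user);
        }
    }

    /**
     * Resolves the JAAS configuration entry name configured for
     * {@code realm}.
     *
     * @throws LoginException if the realm is unknown or misconfigured; a
     *                        non-LoginException failure is wrapped with the
     *                        original as cause
     */
    private static String getJaasContext(String realm) throws LoginException {
        try {
            return Realm.getInstance(realm).getJAASContext();
        } catch (LoginException le) {
            throw le;
        } catch (Exception ex) {
            throw (LoginException) new LoginException(ex.toString()).initCause(ex);
        }
    }

    /**
     * Runs the JAAS login for configuration entry {@code jaasCtx} on
     * {@code subject}, logs and audits the outcome. Shared by the password
     * login and the WS-Security username/password login; it does NOT install
     * a security context, callers decide that.
     *
     * @param user    user name, used for logging and auditing only
     * @param realm   realm name, used for logging and auditing only
     * @param jaasCtx JAAS configuration entry to run
     * @param subject Subject already carrying the credential
     * @throws LoginException if the login module refuses. The refusal is
     *                        logged at INFO (user name only, never the
     *                        password) and audited as a failed
     *                        authentication before the exception propagates.
     */
    private static void doJaasLogin(String user, String realm, String jaasCtx,
            Subject subject) throws LoginException {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("Logging in user [" + user + "] into realm: " +
                realm + " using JAAS module: " + jaasCtx);
        }

        try {
            LoginContext lg = new LoginContext(jaasCtx, subject, dummyCallback);
            lg.login();
        } catch (Exception e) {
            if (_logger.isLoggable(Level.INFO)) {
                _logger.log(Level.INFO, "java_security.audit_auth_refused", user);
            }
            audit(user, realm, false);
            if (e instanceof LoginException) {
                throw (LoginException) e;
            }
            throw (LoginException)
                new LoginException("Login failed: " + e.toString()).initCause(e);
        }

        audit(user, realm, true);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("Password login succeeded for : " + user);
        }
    }

    /**
     * Records an authentication attempt with the audit manager, if auditing
     * is switched on.
     */
    private static void audit(String user, String realm, boolean success) {
        if (AUDIT_MANAGER.isAuditOn()) {
            AUDIT_MANAGER.authentication(user, realm, success);
        }
    }

    /**
     * Verifies {@code username}/{@code password} against {@code realmName}
     * through the realm's JAAS module, auditing the outcome, but does NOT
     * install a {@link SecurityContext}; the authenticated Subject is
     * discarded. Presumably used to validate WS-Security username tokens
     * (inferred from the name; confirm against callers).
     *
     * <p>A {@code null} or unknown realm name falls back to the default realm,
     * exactly as in {@link #login(String, String, String)}.
     *
     * @throws LoginException if the realm cannot be resolved or the login
     *                        module refuses
     */
    public static void wssLoginUsernamePassword(String username, String password,
            String realmName) throws LoginException {
        if (realmName == null || !Realm.isValidRealm(realmName)) {
            realmName = Realm.getDefaultRealm();
        }
        Subject subject = newSubjectWithPasswordCredential(username, password, realmName);
        String jaasCtx = getJaasContext(realmName);
        doJaasLogin(username, realmName, jaasCtx, subject);
    }

    /**
     * Certificate login: takes the {@link X509CertificateCredential} from the
     * Subject's public credentials and installs a security context for its
     * alias under the certificate realm.
     *
     * <p>No certificate validation happens here: the alias in the credential
     * is trusted as-is, so the certificate must already have been verified
     * by whoever built the Subject (the transport layer, presumably; confirm
     * against callers).
     *
     * @throws LoginException if no certificate credential is present; the
     *                        failure is audited (with a {@code null} user if
     *                        the credential could not be read)
     */
    private static void doCertificateLogin(Subject s) throws LoginException {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Processing X509 certificate login.");
        }
        String realm = CertificateRealm.AUTH_TYPE;
        String user = null;
        try {
            Object obj = getPublicCredentials(s, X509CertificateCredential.class);
            X509CertificateCredential xp = (X509CertificateCredential) obj;
            user = xp.getAlias();
            if (_logger.isLoggable(Level.FINE)) {
                _logger.log(Level.FINE, "Set security context as user: " + user);
            }
            setSecurityContext(user, s, realm);
            audit(user, realm, true);
        } catch (LoginException le) {
            audit(user, realm, false);
            throw le;
        }
    }

    /**
     * Anonymous login: installs the unauthenticated security context. No
     * credential is read and nothing is audited.
     */
    private static void doAnonLogin() throws LoginException {
        SecurityContext.setUnauthenticatedContext();
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "Set anonymous security context.");
        }
    }

    /**
     * GSSUP login: takes the {@link GSSUPName} from the Subject's public
     * credentials and installs a security context for its user under the
     * default realm. As with the certificate login, no verification is done
     * here; the name carried by the Subject is trusted.
     *
     * @throws LoginException if no GSSUP name is present; the failure is
     *                        audited
     */
    private static void doGSSUPLogin(Subject s) throws LoginException {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("Processing GSSUP login.");
        }
        String user = null;
        String realm = Realm.getDefaultRealm();
        try {
            Object obj = getPublicCredentials(s, GSSUPName.class);
            user = ((GSSUPName) obj).getUser();

            setSecurityContext(user, s, realm);
            audit(user, realm, true);
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("GSSUP login succeeded for : " + user);
            }
        } catch (LoginException le) {
            audit(user, realm, false);
            throw le;
        }
    }

    /**
     * X.500 name login: takes the {@link X500Name} from the Subject's public
     * credentials and authenticates it through the certificate realm.
     *
     * <p>If the realm registered under {@link CertificateRealm#AUTH_TYPE} is a
     * {@link CertificateRealm}, {@code CertificateRealm.authenticate} is
     * called and the success is audited; this branch does not call
     * {@link #setSecurityContext} itself, so the realm is presumably expected
     * to install the context (confirm in CertificateRealm). Otherwise a
     * warning is logged and a security context is installed under the name
     * of whatever realm was found.
     *
     * @throws LoginException if no X.500 name is present, the realm lookup
     *                        fails, or the realm rejects the name; any other
     *                        exception is wrapped with the original as cause
     */
    private static void doX500Login(Subject s) throws LoginException {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("Processing X.500 name login.");
        }
        String user = null;
        String realm_name = null;
        try {
            X500Name x500name = (X500Name) getPublicCredentials(s, X500Name.class);
            user = x500name.getName();

            Realm realm = Realm.getInstance(CertificateRealm.AUTH_TYPE);

            if (realm instanceof CertificateRealm) {
                CertificateRealm certRealm = (CertificateRealm) realm;
                certRealm.authenticate(s, x500name);
                realm_name = CertificateRealm.AUTH_TYPE;
                audit(user, realm_name, true);
            } else {
                _logger.warning("certlogin.badrealm");
                // The realm name must be resolved before the context is
                // built; the previous ordering installed a context with a
                // null realm and assigned the name afterwards.
                realm_name = realm.getName();
                setSecurityContext(user, s, realm_name);
            }

            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("X.500 name login succeeded for : " + user);
            }
        } catch (LoginException le) {
            // realm_name may still be null here if the failure happened
            // before the realm was resolved.
            audit(user, realm_name, false);
            throw le;
        } catch (Exception ex) {
            throw (LoginException) new LoginException(ex.toString()).initCause(ex);
        }
    }

    /**
     * Returns the first public credential of type {@code cls} on {@code s}.
     *
     * <p>Reading the public credential set needs no permission, so the
     * lookup itself is not privileged; only the {@code iter.next()} call is,
     * mirroring {@link #getPrivateCredentials}.
     *
     * @throws LoginException if the Subject has no public credential of that
     *                        type, or retrieving it fails
     */
    private static Object getPublicCredentials(Subject s, Class cls)
            throws LoginException {
        Set credset = s.getPublicCredentials(cls);
        final Iterator iter = credset.iterator();

        if (!iter.hasNext()) {
            String credmsg = cls.toString();
            if (_logger.isLoggable(Level.FINER)) {
                _logger.finer("Expected public credentials of type : " +
                    credmsg + " but none found.");
            }
            throw new LoginException("Expected public credential of type: " +
                credmsg + " but none found.");
        }

        Object obj = null;
        try {
            obj = AccessController.doPrivileged(new PrivilegedAction() {
                public java.lang.Object run() {
                    return iter.next();
                }
            });
        } catch (Exception e) {
            if (e instanceof LoginException) {
                throw (LoginException) e;
            }
            throw (LoginException)
                new LoginException("Failed to retrieve public credential: " +
                    e.toString()).initCause(e);
        }

        return obj;
    }

    /**
     * Returns the first private credential of type {@code cls} on
     * {@code subject}.
     *
     * <p>Both the set lookup and {@code iter.next()} run under
     * {@code doPrivileged}: private credentials are permission-checked
     * (per element on iteration) when a SecurityManager is installed.
     *
     * @throws LoginException if the Subject has no private credential of
     *                        that type, or retrieving it fails
     */
    private static Object getPrivateCredentials(Subject subject, Class cls)
            throws LoginException {
        final Subject s = subject;
        final Class cl = cls;

        final Set credset = (Set)
            AccessController.doPrivileged(new PrivilegedAction() {
                public java.lang.Object run() {
                    return s.getPrivateCredentials(cl);
                }
            });

        final Iterator iter = credset.iterator();

        if (!iter.hasNext()) {
            String credmsg = cls.toString();
            if (_logger.isLoggable(Level.FINER)) {
                _logger.finer("Expected private credential of type: " +
                    credmsg + " but none found.");
            }
            throw new LoginException("Expected private credential of type: " +
                credmsg + " but none found.");
        }

        Object obj = null;
        try {
            obj = AccessController.doPrivileged(new PrivilegedAction() {
                public java.lang.Object run() {
                    return iter.next();
                }
            });
        } catch (Exception e) {
            if (e instanceof LoginException) {
                throw (LoginException) e;
            }
            throw (LoginException)
                new LoginException("Failed to retrieve private credential: " +
                    e.toString()).initCause(e);
        }

        return obj;
    }

    /**
     * Makes a new {@link SecurityContext} for the user, Subject and realm
     * the current one for this thread of execution.
     */
    private static void setSecurityContext(String userName,
            Subject subject, String realm) {
        SecurityContext securityContext =
            new SecurityContext(userName, subject, realm);
        SecurityContext.setCurrent(securityContext);
    }

    /** Clears the current {@link SecurityContext}. */
    private static void unsetSecurityContext() {
        SecurityContext.setCurrent((SecurityContext) null);
    }

    /**
     * Application-client login. Runs the JAAS configuration entry (or
     * entries) selected by {@code type} on a fresh Subject using
     * {@code jaasHandler} to collect the user's input, then installs a
     * {@link ClientSecurityContext} from the credential(s) the login module
     * left on the Subject.
     *
     * <p>{@code type} is one of {@code AppContainer.USERNAME_PASSWORD},
     * {@code AppContainer.CERTIFICATE} or {@code AppContainer.ALL} (both, in
     * that order). Any other value is treated as username/password; this
     * fallback is silent, so callers passing an unexpected type get a
     * password prompt rather than an error.
     *
     * @return the Subject the login module(s) populated
     * @throws LoginException if a JAAS login fails; the checked
     *                        {@code javax.security.auth.login.LoginException}
     *                        is wrapped with the original as cause
     */
    public static Subject doClientLogin(int type,
            javax.security.auth.callback.CallbackHandler jaasHandler)
            throws LoginException {
        final javax.security.auth.callback.CallbackHandler handler = jaasHandler;
        final Subject subject = new Subject();

        if (type == AppContainer.USERNAME_PASSWORD) {
            clientJaasLogin(CLIENT_JAAS_PASSWORD, subject, handler);
            postClientAuth(subject, PasswordCredential.class);
        } else if (type == AppContainer.CERTIFICATE) {
            clientJaasLogin(CLIENT_JAAS_CERTIFICATE, subject, handler);
            postClientAuth(subject, X509CertificateCredential.class);
        } else if (type == AppContainer.ALL) {
            AccessController.doPrivileged(new PrivilegedAction() {
                public java.lang.Object run() {
                    try {
                        // Both contexts are constructed before either login
                        // runs (LoginContext's constructor resolves its
                        // configuration entry); the original ordering is kept.
                        LoginContext lgup =
                            new LoginContext(CLIENT_JAAS_PASSWORD, subject, handler);
                        LoginContext lgc =
                            new LoginContext(CLIENT_JAAS_CERTIFICATE, subject, handler);
                        lgup.login();
                        postClientAuth(subject, PasswordCredential.class);

                        lgc.login();
                        postClientAuth(subject, X509CertificateCredential.class);
                    } catch (javax.security.auth.login.LoginException e) {
                        throw (LoginException)
                            new LoginException(e.toString()).initCause(e);
                    }
                    return null;
                }
            });
        } else {
            // Unknown type: fall back to username/password (see Javadoc).
            clientJaasLogin(CLIENT_JAAS_PASSWORD, subject, handler);
            postClientAuth(subject, PasswordCredential.class);
        }
        return subject;
    }

    /**
     * Runs a single app-client JAAS login for configuration entry
     * {@code jaasCtxName} on {@code subject}, under {@code doPrivileged}.
     *
     * @throws LoginException wrapping the checked JAAS LoginException with
     *                        the original as cause
     */
    private static void clientJaasLogin(final String jaasCtxName,
            final Subject subject,
            final javax.security.auth.callback.CallbackHandler handler)
            throws LoginException {
        AccessController.doPrivileged(new PrivilegedAction() {
            public java.lang.Object run() {
                try {
                    LoginContext lg = new LoginContext(jaasCtxName, subject, handler);
                    lg.login();
                } catch (javax.security.auth.login.LoginException e) {
                    throw (LoginException)
                        new LoginException(e.toString()).initCause(e);
                }
                return null;
            }
        });
    }

    /**
     * Clears the current {@link ClientSecurityContext}.
     *
     * @throws LoginException declared for API symmetry; not thrown by the
     *                        visible code
     */
    public static void doClientLogout() throws LoginException {
        unsetClientSecurityContext();
    }

    /**
     * After an app-client JAAS login: scans the Subject's private credentials
     * of type {@code clazz} and installs a {@link ClientSecurityContext} for
     * the first {@link PasswordCredential} (by user) or
     * {@link X509CertificateCredential} (by alias) found. Returns after the
     * first match; does nothing if no matching credential is present.
     *
     * <p>A failure to read one element is logged at SEVERE and that element
     * is skipped (the instanceof checks see {@code null}); the scan continues
     * with the next credential.
     */
    private static void postClientAuth(Subject subject, Class clazz) {
        final Class clas = clazz;
        final Subject fs = subject;
        Set credset = (Set) AccessController.doPrivileged(new PrivilegedAction() {
            public java.lang.Object run() {
                if (_logger.isLoggable(Level.FINEST)) {
                    _logger.log(Level.FINEST, "LCD post login subject :" + fs);
                }
                return fs.getPrivateCredentials(clas);
            }
        });
        final Iterator iter = credset.iterator();
        while (iter.hasNext()) {
            Object obj = null;
            try {
                obj = AccessController.doPrivileged(new PrivilegedAction() {
                    public java.lang.Object run() {
                        return iter.next();
                    }
                });
            } catch (Exception e) {
                _logger.log(Level.SEVERE,
                    "java_security.accesscontroller_action_exception", e);
            }
            if (obj instanceof PasswordCredential) {
                PasswordCredential p = (PasswordCredential) obj;
                String user = p.getUser();
                if (_logger.isLoggable(Level.FINEST)) {
                    String realm = p.getRealm();
                    _logger.log(Level.FINEST, "In LCD user-pass login:" +
                        user + " realm :" + realm);
                }
                setClientSecurityContext(user, fs);
                return;
            } else if (obj instanceof X509CertificateCredential) {
                X509CertificateCredential p = (X509CertificateCredential) obj;
                String user = p.getAlias();
                if (_logger.isLoggable(Level.FINEST)) {
                    String realm = p.getRealm();
                    _logger.log(Level.FINEST, "In LCD cert-login::" +
                        user + " realm :" + realm);
                }
                setClientSecurityContext(user, fs);
                return;
            }
        }
    }

    /**
     * Makes a new {@link ClientSecurityContext} for the user and Subject the
     * current one.
     */
    private static void setClientSecurityContext(String username,
            Subject subject) {
        ClientSecurityContext securityContext =
            new ClientSecurityContext(username, subject);
        ClientSecurityContext.setCurrent(securityContext);
    }

    /** Clears the current {@link ClientSecurityContext}. */
    private static void unsetClientSecurityContext() {
        ClientSecurityContext.setCurrent(null);
    }

}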