List of usage examples for javax.security.auth Subject getPrincipals
public Set<Principal> getPrincipals()
From source file:ca.nrc.cadc.vos.server.NodeDAO.java
private void getOwners(Node node, boolean resolve) { if (node == null || node.appData == null) return;//from w w w .j av a 2 s.c o m NodeID nid = (NodeID) node.appData; if (nid.owner != null) return; // already loaded (parent loop below) String ownerPropertyString = null; Subject s; if (resolve) { s = identityCache.get(nid.ownerObject); if (s == null) { log.debug("lookup subject for owner=" + nid.ownerObject); s = identManager.toSubject(nid.ownerObject); prof.checkpoint("IdentityManager.toSubject"); identityCache.put(nid.ownerObject, s); } else { log.debug("found cached subject for owner=" + nid.ownerObject); } ownerPropertyString = identManager.toOwnerString(s); } else { log.debug("creating numeric principal only subject."); s = new Subject(); if (nid.ownerObject != null) { Integer ownerInt = (Integer) nid.ownerObject; UUID numericID = new UUID(0L, (long) ownerInt); s.getPrincipals().add(new NumericPrincipal(numericID)); ownerPropertyString = ownerInt.toString(); } } nid.owner = s; if (ownerPropertyString != null) node.getProperties().add(new NodeProperty(VOS.PROPERTY_URI_CREATOR, ownerPropertyString)); Node parent = node.getParent(); while (parent != null) { getOwners(parent, resolve); parent = parent.getParent(); } }
From source file:gov.nih.nci.security.dao.AuthorizationDAOImpl.java
public boolean checkPermission(AccessPermission permission, Subject subject) throws CSException { boolean test = false; if (permission == null) { throw new CSException("permission can't be null!"); }//from w w w .j a v a2s .c om String objectId = permission.getName(); String privilege = permission.getActions(); if (subject == null) { throw new CSException("subject can't be null!"); } Set ps = subject.getPrincipals(); if (ps.size() == 0) { throw new CSException("The subject has no principals!"); } Iterator it = ps.iterator(); while (it.hasNext()) { Principal p = (Principal) it.next(); String userName = p.getName(); test = this.checkPermission(userName, objectId, privilege); if (test) break; } return test; }
From source file:org.josso.jaspi.agent.JASPISSOAuthModule.java
@Override public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject, Subject serviceSubject) throws AuthException { HttpServletRequest hreq = (HttpServletRequest) messageInfo.getRequestMessage(); HttpServletResponse hres = (HttpServletResponse) messageInfo.getResponseMessage(); if (log.isDebugEnabled()) { log.debug("Processing : " + hreq.getContextPath() + " [" + hreq.getRequestURL() + "]"); }/* w ww . ja v a 2 s .c o m*/ try { // ------------------------------------------------------------------ // Check with the agent if this context should be processed. // ------------------------------------------------------------------ String contextPath = hreq.getContextPath(); String vhost = hreq.getServerName(); // In catalina, the empty context is considered the root context if ("".equals(contextPath)) { contextPath = "/"; } if (!_agent.isPartnerApp(vhost, contextPath)) { if (log.isDebugEnabled()) { log.debug("Context is not a josso partner app : " + hreq.getContextPath()); } AuthStatus status = AuthStatus.SUCCESS; return status; } // ------------------------------------------------------------------ // Check some basic HTTP handling // ------------------------------------------------------------------ // P3P Header for IE 6+ compatibility when embedding JOSSO in a IFRAME SSOPartnerAppConfig cfg = _agent.getPartnerAppConfig(vhost, contextPath); if (cfg.isSendP3PHeader() && !hres.isCommitted()) { hres.setHeader("P3P", cfg.getP3PHeaderValue()); } // Get our session ... HttpSession session = hreq.getSession(true); // ------------------------------------------------------------------ // Check if the partner application required the login form // ------------------------------------------------------------------ if (log.isDebugEnabled()) { log.debug("Checking if its a josso_login_request for '" + hreq.getRequestURI() + "'"); } if (hreq.getRequestURI().endsWith(_agent.getJossoLoginUri()) || hreq.getRequestURI().endsWith(_agent.getJossoUserLoginUri())) { if (log.isDebugEnabled()) { log.debug("josso_login_request received for uri '" + hreq.getRequestURI() + "'"); } //save referer url in case the user clicked on Login from some public resource (page) //so agent can redirect the user back to that page after successful login if (hreq.getRequestURI().endsWith(_agent.getJossoUserLoginUri())) { saveLoginBackToURL(hreq, hres, session, true); } else { saveLoginBackToURL(hreq, hres, session, false); } String loginUrl = _agent.buildLoginUrl(hreq); if (log.isDebugEnabled()) { log.debug("Redirecting to login url '" + loginUrl + "'"); } //set non cache headers _agent.prepareNonCacheResponse(hres); hres.sendRedirect(hres.encodeRedirectURL(loginUrl)); // Request is authorized for this URI return AuthStatus.SEND_CONTINUE; } // ------------------------------------------------------------------ // Check if the partner application required a logout // ------------------------------------------------------------------ if (log.isDebugEnabled()) { log.debug("Checking if its a josso_logout request for '" + hreq.getRequestURI() + "'"); } if (hreq.getRequestURI().endsWith(_agent.getJossoLogoutUri())) { if (log.isDebugEnabled()) { log.debug("josso_logout request received for uri '" + hreq.getRequestURI() + "'"); } String logoutUrl = _agent.buildLogoutUrl(hreq, cfg); if (log.isDebugEnabled()) { log.debug("Redirecting to logout url '" + logoutUrl + "'"); } // Clear previous COOKIE ... Cookie ssoCookie = _agent.newJossoCookie(hreq.getContextPath(), "-", hreq.isSecure()); hres.addCookie(ssoCookie); // invalidate session (unbind josso security context) session.invalidate(); //set non cache headers _agent.prepareNonCacheResponse(hres); hres.sendRedirect(hres.encodeRedirectURL(logoutUrl)); // Request is authorized for this URI return AuthStatus.SEND_CONTINUE; } // ------------------------------------------------------------------ // Check for the single sign on cookie // ------------------------------------------------------------------ if (log.isDebugEnabled()) { log.debug("Checking for SSO cookie"); } Cookie cookie = null; Cookie cookies[] = hreq.getCookies(); if (cookies == null) { cookies = new Cookie[0]; } for (int i = 0; i < cookies.length; i++) { if (org.josso.gateway.Constants.JOSSO_SINGLE_SIGN_ON_COOKIE.equals(cookies[i].getName())) { cookie = cookies[i]; break; } } String jossoSessionId = (cookie == null) ? null : cookie.getValue(); if (log.isDebugEnabled()) { log.debug("Session is: " + session); } // Get session map for this servlet context. Map sessionMap = (Map) hreq.getSession().getServletContext().getAttribute(KEY_SESSION_MAP); if (sessionMap == null) { synchronized (this) { sessionMap = (Map) hreq.getSession().getServletContext().getAttribute(KEY_SESSION_MAP); if (sessionMap == null) { sessionMap = Collections.synchronizedMap(new HashMap()); hreq.getSession().getServletContext().setAttribute(KEY_SESSION_MAP, sessionMap); } } } LocalSession localSession = (LocalSession) sessionMap.get(session.getId()); if (localSession == null) { localSession = new JASPILocalSession(session); // the local session is new so, make the valve listen for its events so that it can // map them to local session events. // Not Supported : session.addSessionListener(this); sessionMap.put(session.getId(), localSession); } // ------------------------------------------------------------------ // Check if the partner application submitted custom login form // ------------------------------------------------------------------ if (log.isDebugEnabled()) { log.debug("Checking if its a josso_authentication for '" + hreq.getRequestURI() + "'"); } if (hreq.getRequestURI().endsWith(_agent.getJossoAuthenticationUri())) { if (log.isDebugEnabled()) { log.debug("josso_authentication received for uri '" + hreq.getRequestURI() + "'"); } JASPISSOAgentRequest customAuthRequest = (JASPISSOAgentRequest) doMakeSSOAgentRequest(cfg.getId(), SSOAgentRequest.ACTION_CUSTOM_AUTHENTICATION, jossoSessionId, localSession, null, hreq, hres); _agent.processRequest(customAuthRequest); // Request is authorized return AuthStatus.SEND_CONTINUE; } if (cookie == null || cookie.getValue().equals("-")) { // ------------------------------------------------------------------ // Trigger LOGIN OPTIONAL if required // ------------------------------------------------------------------ if (log.isDebugEnabled()) log.debug("SSO cookie is not present, verifying optional login process "); // We have no cookie, remember me is enabled and a security check without assertion was received ... // This means that the user could not be identified ... go back to the original resource if (hreq.getRequestURI().endsWith(_agent.getJossoSecurityCheckUri()) && hreq.getParameter("josso_assertion_id") == null) { if (log.isDebugEnabled()) log.debug(_agent.getJossoSecurityCheckUri() + " received without assertion. Login Optional Process failed"); String requestURI = this.getSavedRequestURL(hreq); _agent.prepareNonCacheResponse(hres); hres.sendRedirect(hres.encodeRedirectURL(requestURI)); AuthStatus status = AuthStatus.SEND_CONTINUE; return status; } // This is a standard anonymous request! if (!hreq.getRequestURI().endsWith(_agent.getJossoSecurityCheckUri())) { // If saved request is NOT null, we're in the middle of another process ... if (!_agent.isResourceIgnored(cfg, hreq) && _agent.isAutomaticLoginRequired(hreq, hres)) { if (log.isDebugEnabled()) { log.debug("SSO cookie is not present, attempting automatic login"); } // Save current request, so we can co back to it later ... saveRequestURL(hreq, hres); String loginUrl = _agent.buildLoginOptionalUrl(hreq); if (log.isDebugEnabled()) { log.debug("Redirecting to login url '" + loginUrl + "'"); } //set non cache headers _agent.prepareNonCacheResponse(hres); hres.sendRedirect(hres.encodeRedirectURL(loginUrl)); //hreq.getRequestDispatcher(loginUrl).forward(hreq, hres); AuthStatus status = AuthStatus.SEND_CONTINUE; return status; } else { if (log.isDebugEnabled()) { log.debug("SSO cookie is not present, but login optional process is not required"); } } } if (log.isDebugEnabled()) { log.debug("SSO cookie is not present, checking for outbound relaying"); } if (!(hreq.getRequestURI().endsWith(_agent.getJossoSecurityCheckUri()) && hreq.getParameter("josso_assertion_id") != null)) { log.debug("SSO cookie not present and relaying was not requested, skipping"); AuthStatus status = AuthStatus.SUCCESS; return status; } } // ------------------------------------------------------------------ // Check if this URI is subject to SSO protection // ------------------------------------------------------------------ if (_agent.isResourceIgnored(cfg, hreq)) { // Ignored resources are authorized return AuthStatus.SUCCESS; } // This URI should be protected by SSO, go on ... if (log.isDebugEnabled()) { log.debug("Session is: " + session); } // ------------------------------------------------------------------ // Invoke the SSO Agent // ------------------------------------------------------------------ if (log.isDebugEnabled()) { log.debug("Executing agent..."); } // ------------------------------------------------------------------ // Check if a user has been authenticated and should be checked by the agent. // ------------------------------------------------------------------ if (log.isDebugEnabled()) { log.debug("Checking if its a josso_security_check for '" + hreq.getRequestURI() + "'"); } if (hreq.getRequestURI().endsWith(_agent.getJossoSecurityCheckUri()) && hreq.getParameter("josso_assertion_id") != null) { if (log.isDebugEnabled()) { log.debug("josso_security_check received for uri '" + hreq.getRequestURI() + "' assertion id '" + hreq.getParameter("josso_assertion_id")); } String assertionId = hreq.getParameter(Constants.JOSSO_ASSERTION_ID_PARAMETER); JASPISSOAgentRequest relayRequest; if (log.isDebugEnabled()) { log.debug("Outbound relaying requested for assertion id [" + assertionId + "]"); } relayRequest = (JASPISSOAgentRequest) doMakeSSOAgentRequest(cfg.getId(), SSOAgentRequest.ACTION_RELAY, null, localSession, assertionId, hreq, hres); SingleSignOnEntry entry = _agent.processRequest(relayRequest); if (entry == null) { // This is wrong! We should have an entry here! if (log.isDebugEnabled()) { log.debug("Outbound relaying failed for assertion id [" + assertionId + "], no Principal found."); } // Throw an exception, we will handle it below ! throw new RuntimeException( "Outbound relaying failed. No Principal found. Verify your SSO Agent Configuration!"); } else { // Add the SSOUser as a Principal if (!clientSubject.getPrincipals().contains(entry.principal)) { clientSubject.getPrincipals().add(entry.principal); } SSORole[] ssoRolePrincipals = _agent.getRoleSets(cfg.getId(), entry.ssoId, relayRequest.getNodeId()); List<String> rolesList = new ArrayList<String>(); for (int i = 0; i < ssoRolePrincipals.length; i++) { if (clientSubject.getPrincipals().contains(ssoRolePrincipals[i])) { continue; } rolesList.add(ssoRolePrincipals[i].getName()); clientSubject.getPrincipals().add(ssoRolePrincipals[i]); log.debug("Added SSORole Principal to the Subject : " + ssoRolePrincipals[i]); } registerWithCallbackHandler(entry.principal, entry.principal.getName(), entry.ssoId, rolesList.toArray(new String[rolesList.size()])); } if (log.isDebugEnabled()) { log.debug("Outbound relaying succesfull for assertion id [" + assertionId + "]"); } if (log.isDebugEnabled()) { log.debug("Assertion id [" + assertionId + "] mapped to SSO session id [" + entry.ssoId + "]"); } // The cookie is valid to for the partner application only ... in the future each partner app may // store a different auth. token (SSO SESSION) value cookie = _agent.newJossoCookie(hreq.getContextPath(), entry.ssoId, hreq.isSecure()); hres.addCookie(cookie); //Redirect user to the saved splash resource (in case of auth request) or to request URI otherwise String requestURI = getSavedSplashResource(hreq); if (requestURI == null) { requestURI = getSavedRequestURL(hreq); if (requestURI == null) { if (cfg.getDefaultResource() != null) { requestURI = cfg.getDefaultResource(); } else { // If no saved request is found, redirect to the partner app root : requestURI = hreq.getRequestURI().substring(0, (hreq.getRequestURI().length() - _agent.getJossoSecurityCheckUri().length())); } // If we're behind a reverse proxy, we have to alter the URL ... this was not necessary on tomcat 5.0 ?! String singlePointOfAccess = _agent.getSinglePointOfAccess(); if (singlePointOfAccess != null) { requestURI = singlePointOfAccess + requestURI; } else { String reverseProxyHost = hreq .getHeader(org.josso.gateway.Constants.JOSSO_REVERSE_PROXY_HEADER); if (reverseProxyHost != null) { requestURI = reverseProxyHost + requestURI; } } if (log.isDebugEnabled()) log.debug("No saved request found, using : '" + requestURI + "'"); } } _agent.clearAutomaticLoginReferer(hreq, hres); _agent.prepareNonCacheResponse(hres); // Check if we have a post login resource : String postAuthURI = cfg.getPostAuthenticationResource(); if (postAuthURI != null) { String postAuthURL = _agent.buildPostAuthUrl(hres, requestURI, postAuthURI); if (log.isDebugEnabled()) { log.debug("Redirecting to post-auth-resource '" + postAuthURL + "'"); } hres.sendRedirect(postAuthURL); } else { if (log.isDebugEnabled()) { log.debug("Redirecting to original '" + requestURI + "'"); } hres.sendRedirect(hres.encodeRedirectURL(requestURI)); } AuthStatus status = AuthStatus.SEND_SUCCESS; return status; } if (log.isDebugEnabled()) { log.debug("Creating Security Context for Session [" + session + "]"); } SSOAgentRequest r = doMakeSSOAgentRequest(cfg.getId(), SSOAgentRequest.ACTION_ESTABLISH_SECURITY_CONTEXT, jossoSessionId, localSession, null, hreq, hres); SingleSignOnEntry entry = _agent.processRequest(r); if (log.isDebugEnabled()) { log.debug("Executed agent."); } // ------------------------------------------------------------------ // Has a valid user already been authenticated? // ------------------------------------------------------------------ if (log.isDebugEnabled()) { log.debug("Process request for '" + hreq.getRequestURI() + "'"); } if (entry != null) { if (log.isDebugEnabled()) { log.debug("Principal '" + entry.principal + "' has already been authenticated"); } // Add the SSOUser as a Principal if (!clientSubject.getPrincipals().contains(entry.principal)) { clientSubject.getPrincipals().add(entry.principal); } SSORole[] ssoRolePrincipals = _agent.getRoleSets(cfg.getId(), entry.ssoId, r.getNodeId()); List<String> rolesList = new ArrayList<String>(); for (int i = 0; i < ssoRolePrincipals.length; i++) { if (clientSubject.getPrincipals().contains(ssoRolePrincipals[i])) { continue; } rolesList.add(ssoRolePrincipals[i].getName()); clientSubject.getPrincipals().add(ssoRolePrincipals[i]); log.debug("Added SSORole Principal to the Subject : " + ssoRolePrincipals[i]); } registerWithCallbackHandler(entry.principal, entry.principal.getName(), entry.ssoId, rolesList.toArray(new String[rolesList.size()])); } else { log.debug("No Valid SSO Session, attempt an optional login?"); // This is a standard anonymous request! if (cookie != null) { // cookie is not valid cookie = _agent.newJossoCookie(hreq.getContextPath(), "-", hreq.isSecure()); hres.addCookie(cookie); } if (cookie != null || (getSavedRequestURL(hreq) == null && _agent.isAutomaticLoginRequired(hreq, hres))) { if (log.isDebugEnabled()) { log.debug("SSO Session is not valid, attempting automatic login"); } // Save current request, so we can co back to it later ... saveRequestURL(hreq, hres); String loginUrl = _agent.buildLoginOptionalUrl(hreq); if (log.isDebugEnabled()) { log.debug("Redirecting to login url '" + loginUrl + "'"); } //set non cache headers _agent.prepareNonCacheResponse(hres); hres.sendRedirect(hres.encodeRedirectURL(loginUrl)); // Request is authorized for this URI return AuthStatus.SEND_CONTINUE; } else { if (log.isDebugEnabled()) { log.debug("SSO cookie is not present, but login optional process is not required"); } } } // propagate the login and logout URLs to // partner applications. hreq.setAttribute("org.josso.agent.gateway-login-url", _agent.getGatewayLoginUrl()); hreq.setAttribute("org.josso.agent.gateway-logout-url", _agent.getGatewayLogoutUrl()); hreq.setAttribute("org.josso.agent.ssoSessionid", jossoSessionId); clearSavedRequestURLs(hreq, hres); AuthStatus status = AuthStatus.SUCCESS; return status; } catch (Throwable t) { log.warn(t.getMessage(), t); throw new AuthException(t.getMessage()); //return AuthStatus.FAILURE; } finally { if (log.isDebugEnabled()) { log.debug("Processed : " + hreq.getContextPath() + " [" + hreq.getRequestURL() + "]"); } } }