Resolves#326 Remove the legacy "if JBoss" code.
This is predominantly PicketBox code which has now been completely
removed from WildFly.
darranl committed Jul 26, 2023
1 parent e5f8253 commit 94de749
Showing 2 changed files with 11 additions and 114 deletions.
Expand Up @@ -19,7 +19,6 @@
import static java.lang.System.getProperty;
import static java.util.Arrays.asList;
import static java.util.Collections.emptyList;
import static java.util.Collections.list;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
Expand All @@ -29,7 +28,6 @@
// import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
Expand All @@ -46,7 +44,6 @@
import jakarta.ejb.EJBContext;
import jakarta.security.enterprise.CallerPrincipal;
import jakarta.security.jacc.PolicyContext;
import jakarta.security.jacc.PolicyContextException;
import jakarta.servlet.http.HttpServletRequest;

public class SubjectParser {
Expand All @@ -56,7 +53,6 @@ public class SubjectParser {

private Map<String, List<String>> groupToRoles = new HashMap<>();

private boolean isJboss;
private boolean isLiberty;
private boolean oneToOneMapping;
private boolean anyAuthenticatedUserRoleMapped = false;
Expand Down Expand Up @@ -123,8 +119,6 @@ public SubjectParser(String contextID, Collection<String> allDeclaredRoles) {
// AS. Sad that this is needed :(
if (tryGlassFish(contextID, allDeclaredRoles)) {
return;
} else if (tryJBoss()) {
return;
} else if (tryLiberty()) {
return;
} else if (tryWebLogic(contextID, allDeclaredRoles)) {
Expand All @@ -145,30 +139,6 @@ public boolean isAnyAuthenticatedUserRoleMapped() {
}

public Principal getCallerPrincipalFromPrincipals(Iterable<Principal> principals) {

if (isJboss) {
try {

// The JACCAuthorizationManager that normally would call us in JBoss only passes
// either the role principals or the caller principal in, never both, and without any
// easy way to distinguish between them.
// So we're getting the principals from the Subject here. Do note that we miss the
// potential extra deployment roles here which may be in the principals collection we get
// passed in.
Subject subject = (Subject) PolicyContext.getContext(JACC.SUBJECT_CONTAINER_KEY);

if (subject == null) {
return null;
}

return doGetCallerPrincipalFromPrincipals(subject.getPrincipals());
} catch (PolicyContextException e1) {
// Ignore
}

return null;
}

return doGetCallerPrincipalFromPrincipals(principals);
}

Expand All @@ -177,37 +147,26 @@ public List<String> getMappedRolesFromPrincipals(Iterable<Principal> principals)

List<String> groups = null;

if (isLiberty || isJboss) {
if (isLiberty) {

try {
Subject subject = (Subject) PolicyContext.getContext(JACC.SUBJECT_CONTAINER_KEY);
if (subject == null) {
return emptyList();
}

if (isLiberty) {
// Liberty is the only known Jakarta EE server that doesn't put the groups in
// the principals collection, but puts them in the credentials of a Subject.
// This somewhat peculiar decision means a JACC provider never gets to see
// groups via the principals that are passed in and must get them from
// the current Subject.
// Liberty is the only known Jakarta EE server that doesn't put the groups in
// the principals collection, but puts them in the credentials of a Subject.
// This somewhat peculiar decision means a JACC provider never gets to see
// groups via the principals that are passed in and must get them from
// the current Subject.

@SuppressWarnings("rawtypes")
Set<Hashtable> tables = subject.getPrivateCredentials(Hashtable.class);
if (tables != null && !tables.isEmpty()) {
@SuppressWarnings("rawtypes")
Set<Hashtable> tables = subject.getPrivateCredentials(Hashtable.class);
if (tables != null && !tables.isEmpty()) {
@SuppressWarnings("rawtypes")
Hashtable table = tables.iterator().next();
groups = (List<String>) table.get("com.ibm.wsspi.security.cred.groups");
}
} else {
// The JACCAuthorizationManager that normally would call us in JBoss only passes
// either the role principals or the caller principal in, never both, and without any
// easy way to distinguish between them.

// So we're getting the principals from the Subject here. Do note that we miss the
// potential extra deployment roles here which may be in the principals collection we get
// passed in.
groups = getGroupsFromPrincipals(subject.getPrincipals());
Hashtable table = tables.iterator().next();
groups = (List<String>) table.get("com.ibm.wsspi.security.cred.groups");
}
} catch (Exception e) {
e.printStackTrace();
Expand Down Expand Up @@ -242,23 +201,6 @@ private List<String> mapGroupsToRoles(List<String> groups) {
return roles;
}

private boolean tryJBoss() {
try {
Class.forName(className("org.jboss.as.security.service.JaccService"), false, Thread.currentThread().getContextClassLoader());

// For not only establish that we're running on JBoss, ignore the
// role mapper for now
isJboss = true;
oneToOneMapping = true;

return true;
} catch (Exception e) {
// ignore
}

return false;
}

private boolean tryLiberty() {
isLiberty = (getProperty("wlp.server.name") != null);

Expand Down Expand Up @@ -469,7 +411,6 @@ private Principal doGetCallerPrincipalFromPrincipals(Iterable<Principal> princip
* @param principal
* @return
*/
@SuppressWarnings("unchecked")
private Principal getVendorCallerPrincipal(Principal principal, boolean isEjb) {
switch (principal.getClass().getName()) {
case "org.glassfish.security.common.PrincipalImpl": // GlassFish/Payara
Expand All @@ -478,26 +419,6 @@ private Principal getVendorCallerPrincipal(Principal principal, boolean isEjb) {
return getAuthenticatedPrincipal(principal, "<anonymous>", isEjb);
case "com.ibm.ws.security.authentication.principals.WSPrincipal": // Liberty
return getAuthenticatedPrincipal(principal, "UNAUTHENTICATED", isEjb);
// JBoss EAP/WildFly convention 1 - single top level principal of the below type
case "org.jboss.security.SimplePrincipal":
return getAuthenticatedPrincipal(principal, "anonymous", isEjb);
// JBoss EAP/WildFly convention 2 - the one and only principal in group called CallerPrincipal
case "org.jboss.security.SimpleGroup":
if (principal.getName().equals("CallerPrincipal") && principal.getClass().getName().equals("org.jboss.security.SimpleGroup")) {
Enumeration<? extends Principal> groupMembers = null;
try {
groupMembers = (Enumeration<? extends Principal>) Class.forName(className("org.jboss.security.SimpleGroup"))
.getMethod("members")
.invoke(principal);
} catch (Exception e) {

}

if (groupMembers != null && groupMembers.hasMoreElements()) {
return getAuthenticatedPrincipal(groupMembers.nextElement(), "anonymous", isEjb);
}
}
break;
case "org.apache.tomee.catalina.TomcatSecurityService$TomcatUser": // TomEE
try {
Principal tomeePrincipal = (Principal) Class.forName(className("org.apache.catalina.realm.GenericPrincipal"))
Expand Down Expand Up @@ -530,7 +451,6 @@ private Principal getAuthenticatedPrincipal(Principal principal, String anonymou

}

@SuppressWarnings("unchecked")
public boolean principalToGroups(Principal principal, List<String> groups) {
switch (principal.getClass().getName()) {

Expand All @@ -540,27 +460,6 @@ public boolean principalToGroups(Principal principal, List<String> groups) {
case "jeus.security.resource.GroupPrincipalImpl": // JEUS
groups.add(principal.getName());
break;

case "org.jboss.security.SimpleGroup": // JBoss EAP/WildFly
if (principal.getName().equals("Roles") && principal.getClass().getName().equals("org.jboss.security.SimpleGroup")) {

try {
Enumeration<? extends Principal> groupMembers = (Enumeration<? extends Principal>)
Class.forName(className("org.jboss.security.SimpleGroup"))
.getMethod("members")
.invoke(principal);

for (Principal groupPrincipal : list(groupMembers)) {
groups.add(groupPrincipal.getName());
}
} catch (Exception e) {

}

// Should only be one group holding the roles, so can exit the loop
// early
return true;
}
case "org.apache.tomee.catalina.TomcatSecurityService$TomcatUser": // TomEE
try {
groups.addAll(
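Review bot: The re-indented Liberty branch of getMappedRolesFromPrincipals still performs the unchecked cast `groups = (List<String>) table.get("com.ibm.wsspi.security.cred.groups");` on a value read from a raw Hashtable credential, while this commit appears to drop `@SuppressWarnings("unchecked")` from getVendorCallerPrincipal and principalToGroups; if this method's annotation (outside the hunk) was removed as well the build now warns here, and if it was kept it should be narrowed to the local rather than the whole method. A credential of the wrong type would surface as a ClassCastException that the surrounding `catch (Exception e)` only prints, so a cheap guard on the read is worth adding: `Object raw = table.get("com.ibm.wsspi.security.cred.groups"); if (raw instanceof List) { groups = (List<String>) raw; }`. Separately, getCallerPrincipalFromPrincipals now collapses to the single delegation `return doGetCallerPrincipalFromPrincipals(principals);` preceded by a stray blank line; either inline the helper or give the public method a one-line Javadoc stating that it delegates unchanged. getMappedRolesFromPrincipals continues outside its hunk.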
Expand Up @@ -65,8 +65,6 @@ public boolean isContainerPrincipalTypeInResponse(String response, boolean isCal
boolean isContainerPricipalCorrect = containerPrincipal.contains("com.sun.enterprise.security.web.integration.WebPrincipal") ||
containerPrincipal.contains("weblogic.security.principal.WLSUserImpl") ||
containerPrincipal.contains("com.ibm.ws.security.authentication.principals.WSPrincipal") ||
containerPrincipal.contains("org.jboss.security.SimplePrincipal") ||
containerPrincipal.contains("org.jboss.security.SimpleGroup") ||
containerPrincipal.contains("org.apache.tomee.catalina.TomcatSecurityService$TomcatUser") ||
containerPrincipal.contains("jakarta.security.enterprise.CallerPrincipal") ||
containerPrincipal.contains(inputApplicationPrincipal);
