Resolves #326: Remove the legacy "if JBoss" code. #364

Merged
merged 1 commit into from
Dec 7, 2023
Merged
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,6 @@
import static java.lang.System.getProperty;
import static java.util.Arrays.asList;
import static java.util.Collections.emptyList;
import static java.util.Collections.list;

import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
Expand All @@ -29,7 +28,6 @@
// import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
Expand All @@ -46,7 +44,6 @@
import jakarta.ejb.EJBContext;
import jakarta.security.enterprise.CallerPrincipal;
import jakarta.security.jacc.PolicyContext;
import jakarta.security.jacc.PolicyContextException;
import jakarta.servlet.http.HttpServletRequest;

public class SubjectParser {
Expand All @@ -56,7 +53,6 @@ public class SubjectParser {

private Map<String, List<String>> groupToRoles = new HashMap<>();

private boolean isJboss;
private boolean isLiberty;
private boolean oneToOneMapping;
private boolean anyAuthenticatedUserRoleMapped = false;
Expand Down Expand Up @@ -123,8 +119,6 @@ public SubjectParser(String contextID, Collection<String> allDeclaredRoles) {
// AS. Sad that this is needed :(
if (tryGlassFish(contextID, allDeclaredRoles)) {
return;
} else if (tryJBoss()) {
return;
} else if (tryLiberty()) {
return;
} else if (tryWebLogic(contextID, allDeclaredRoles)) {
Expand All @@ -145,30 +139,6 @@ public boolean isAnyAuthenticatedUserRoleMapped() {
}

public Principal getCallerPrincipalFromPrincipals(Iterable<Principal> principals) {

if (isJboss) {
try {

// The JACCAuthorizationManager that normally would call us in JBoss only passes
// either the role principals or the caller principal in, never both, and without any
// easy way to distinguish between them.
// So we're getting the principals from the Subject here. Do note that we miss the
// potential extra deployment roles here which may be in the principals collection we get
// passed in.
Subject subject = (Subject) PolicyContext.getContext(JACC.SUBJECT_CONTAINER_KEY);

if (subject == null) {
return null;
}

return doGetCallerPrincipalFromPrincipals(subject.getPrincipals());
} catch (PolicyContextException e1) {
// Ignore
}

return null;
}

return doGetCallerPrincipalFromPrincipals(principals);
}

Expand All @@ -177,37 +147,26 @@ public List<String> getMappedRolesFromPrincipals(Iterable<Principal> principals)

List<String> groups = null;

if (isLiberty || isJboss) {
if (isLiberty) {

try {
Subject subject = (Subject) PolicyContext.getContext(JACC.SUBJECT_CONTAINER_KEY);
if (subject == null) {
return emptyList();
}

if (isLiberty) {
// Liberty is the only known Jakarta EE server that doesn't put the groups in
// the principals collection, but puts them in the credentials of a Subject.
// This somewhat peculiar decision means a JACC provider never gets to see
// groups via the principals that are passed in and must get them from
// the current Subject.
// Liberty is the only known Jakarta EE server that doesn't put the groups in
// the principals collection, but puts them in the credentials of a Subject.
// This somewhat peculiar decision means a JACC provider never gets to see
// groups via the principals that are passed in and must get them from
// the current Subject.

@SuppressWarnings("rawtypes")
Set<Hashtable> tables = subject.getPrivateCredentials(Hashtable.class);
if (tables != null && !tables.isEmpty()) {
@SuppressWarnings("rawtypes")
Set<Hashtable> tables = subject.getPrivateCredentials(Hashtable.class);
if (tables != null && !tables.isEmpty()) {
@SuppressWarnings("rawtypes")
Hashtable table = tables.iterator().next();
groups = (List<String>) table.get("com.ibm.wsspi.security.cred.groups");
}
} else {
// The JACCAuthorizationManager that normally would call us in JBoss only passes
// either the role principals or the caller principal in, never both, and without any
// easy way to distinguish between them.

// So we're getting the principals from the Subject here. Do note that we miss the
// potential extra deployment roles here which may be in the principals collection we get
// passed in.
groups = getGroupsFromPrincipals(subject.getPrincipals());
Hashtable table = tables.iterator().next();
groups = (List<String>) table.get("com.ibm.wsspi.security.cred.groups");
}
} catch (Exception e) {
e.printStackTrace();
Expand Down Expand Up @@ -242,23 +201,6 @@ private List<String> mapGroupsToRoles(List<String> groups) {
return roles;
}

private boolean tryJBoss() {
try {
Class.forName(className("org.jboss.as.security.service.JaccService"), false, Thread.currentThread().getContextClassLoader());

// For not only establish that we're running on JBoss, ignore the
// role mapper for now
isJboss = true;
oneToOneMapping = true;

return true;
} catch (Exception e) {
// ignore
}

return false;
}

private boolean tryLiberty() {
isLiberty = (getProperty("wlp.server.name") != null);

Expand Down Expand Up @@ -469,7 +411,6 @@ private Principal doGetCallerPrincipalFromPrincipals(Iterable<Principal> princip
* @param principal
* @return
*/
@SuppressWarnings("unchecked")
private Principal getVendorCallerPrincipal(Principal principal, boolean isEjb) {
switch (principal.getClass().getName()) {
case "org.glassfish.security.common.PrincipalImpl": // GlassFish/Payara
Expand All @@ -478,26 +419,6 @@ private Principal getVendorCallerPrincipal(Principal principal, boolean isEjb) {
return getAuthenticatedPrincipal(principal, "<anonymous>", isEjb);
case "com.ibm.ws.security.authentication.principals.WSPrincipal": // Liberty
return getAuthenticatedPrincipal(principal, "UNAUTHENTICATED", isEjb);
// JBoss EAP/WildFly convention 1 - single top level principal of the below type
case "org.jboss.security.SimplePrincipal":
return getAuthenticatedPrincipal(principal, "anonymous", isEjb);
// JBoss EAP/WildFly convention 2 - the one and only principal in group called CallerPrincipal
case "org.jboss.security.SimpleGroup":
if (principal.getName().equals("CallerPrincipal") && principal.getClass().getName().equals("org.jboss.security.SimpleGroup")) {
Enumeration<? extends Principal> groupMembers = null;
try {
groupMembers = (Enumeration<? extends Principal>) Class.forName(className("org.jboss.security.SimpleGroup"))
.getMethod("members")
.invoke(principal);
} catch (Exception e) {

}

if (groupMembers != null && groupMembers.hasMoreElements()) {
return getAuthenticatedPrincipal(groupMembers.nextElement(), "anonymous", isEjb);
}
}
break;
case "org.apache.tomee.catalina.TomcatSecurityService$TomcatUser": // TomEE
try {
Principal tomeePrincipal = (Principal) Class.forName(className("org.apache.catalina.realm.GenericPrincipal"))
Expand Down Expand Up @@ -530,7 +451,6 @@ private Principal getAuthenticatedPrincipal(Principal principal, String anonymou

}

@SuppressWarnings("unchecked")
public boolean principalToGroups(Principal principal, List<String> groups) {
switch (principal.getClass().getName()) {

Expand All @@ -540,27 +460,6 @@ public boolean principalToGroups(Principal principal, List<String> groups) {
case "jeus.security.resource.GroupPrincipalImpl": // JEUS
groups.add(principal.getName());
break;

case "org.jboss.security.SimpleGroup": // JBoss EAP/WildFly
if (principal.getName().equals("Roles") && principal.getClass().getName().equals("org.jboss.security.SimpleGroup")) {

try {
Enumeration<? extends Principal> groupMembers = (Enumeration<? extends Principal>)
Class.forName(className("org.jboss.security.SimpleGroup"))
.getMethod("members")
.invoke(principal);

for (Principal groupPrincipal : list(groupMembers)) {
groups.add(groupPrincipal.getName());
}
} catch (Exception e) {

}

// Should only be one group holding the roles, so can exit the loop
// early
return true;
}
case "org.apache.tomee.catalina.TomcatSecurityService$TomcatUser": // TomEE
try {
groups.addAll(
Expand Down
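Review bot: In the flattened Liberty branch of `getMappedRolesFromPrincipals`, `tables.iterator().next()` takes whichever `Hashtable` happens to be first among the Subject's private credentials, and the unchecked `(List<String>)` cast is the only check on the value stored under `com.ibm.wsspi.security.cred.groups`; a table without that key leaves `groups == null`, and a non-List value throws a ClassCastException that `catch (Exception e)` merely reports with `printStackTrace()`. Since these groups feed the role mapping, whether a null `groups` ends up as an empty role list (fail closed) or something else is decided after the hunk, because the method continues past it. I would select the table by key rather than by position, accept only a `List` value, and replace `printStackTrace()` with the project's logger if the class has one (none is visible in this hunk). The rewritten lines would be roughly:
```java
Set<Hashtable> tables = subject.getPrivateCredentials(Hashtable.class);
if (tables != null) {
    for (@SuppressWarnings("rawtypes") Hashtable table : tables) {
        // Select the WAS credential table by key, not by iteration order,
        // and only accept a List value for the groups entry.
        Object value = table.get("com.ibm.wsspi.security.cred.groups");
        if (value instanceof List) {
            groups = (List<String>) value;
            break;
        }
    }
}
// … unchanged: catch (Exception e) …
```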
Original file line number Diff line number Diff line change
Expand Up @@ -65,8 +65,6 @@ public boolean isContainerPrincipalTypeInResponse(String response, boolean isCal
boolean isContainerPricipalCorrect = containerPrincipal.contains("com.sun.enterprise.security.web.integration.WebPrincipal") ||
containerPrincipal.contains("weblogic.security.principal.WLSUserImpl") ||
containerPrincipal.contains("com.ibm.ws.security.authentication.principals.WSPrincipal") ||
containerPrincipal.contains("org.jboss.security.SimplePrincipal") ||
containerPrincipal.contains("org.jboss.security.SimpleGroup") ||
containerPrincipal.contains("org.apache.tomee.catalina.TomcatSecurityService$TomcatUser") ||
containerPrincipal.contains("jakarta.security.enterprise.CallerPrincipal") ||
containerPrincipal.contains(inputApplicationPrincipal);
Expand Down