From 3c261e546badcde2e4a4b2bed112b9ed1078b206 Mon Sep 17 00:00:00 2001
From: Stefan Guilhen
Date: Wed, 7 Jun 2017 15:13:28 -0300
Subject: [PATCH] [WFLY-8908] Fix PicketBoxBasedIdentity.exists() to return true if and only if a valid JAAS Subject was previously established.

---
 .../elytron/SecurityDomainContextRealm.java | 49 +++++++++++--------
 .../as/security/logging/SecurityLogger.java | 9 ++++
 2 files changed, 37 insertions(+), 21 deletions(-)

diff --git a/security/subsystem/src/main/java/org/jboss/as/security/elytron/SecurityDomainContextRealm.java b/security/subsystem/src/main/java/org/jboss/as/security/elytron/SecurityDomainContextRealm.java
index 81aa85def00c..aa15d01fba72 100644
--- a/security/subsystem/src/main/java/org/jboss/as/security/elytron/SecurityDomainContextRealm.java
+++ b/security/subsystem/src/main/java/org/jboss/as/security/elytron/SecurityDomainContextRealm.java
@@ -24,6 +24,7 @@ import javax.security.auth.Subject;
+import org.jboss.as.security.logging.SecurityLogger;
 import org.jboss.as.security.plugins.SecurityDomainContext;
 import org.wildfly.security.auth.SupportLevel;
 import org.wildfly.security.auth.server.RealmIdentity;
@@ -116,7 +117,7 @@ private class PicketBoxBasedIdentity implements RealmIdentity {
 private final Principal principal;
- private Subject jaasSubject;
+ private Subject authenticatedSubject;
 private PicketBoxBasedIdentity(final Principal principal) {
 this.principal = principal;
@@ -151,41 +152,47 @@ public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableExceptio
 throw new RealmUnavailableException();
 } else {
- jaasSubject = new Subject();
+ final Subject jaasSubject = new Subject();
 Object jaasCredential = evidence;
 if (evidence instanceof PasswordGuessEvidence) {
 jaasCredential = ((PasswordGuessEvidence) evidence).getGuess();
 }
- return domainContext.getAuthenticationManager().isValid(principal, jaasCredential, jaasSubject);
+ final boolean isValid = domainContext.getAuthenticationManager().isValid(principal, jaasCredential, jaasSubject);
+ if (isValid) {
+ // set the authenticated subject when the authentication succeeds.
+ this.authenticatedSubject = jaasSubject;
+ }
+ return isValid;
 }
 }
 @Override
 public boolean exists() throws RealmUnavailableException {
- return true;
+ return this.authenticatedSubject != null;
 }
 @Override
 public AuthorizationIdentity getAuthorizationIdentity() throws RealmUnavailableException {
+ if (this.authenticatedSubject == null){
+ throw SecurityLogger.ROOT_LOGGER.unableToCreateAuthorizationIdentity();
+ }
 Attributes attributes = null;
- if (this.jaasSubject != null) {
- /* process the JAAS subject, extracting attributes from groups that might have been set in the subject
- by the JAAS login modules (e.g. caller principal, roles) */
- final Set principals = jaasSubject.getPrincipals();
- if (principals != null) {
- for (Principal principal : principals) {
- if (principal instanceof Group) {
- final String key = principal.getName();
- final Set values = new HashSet<>();
- final Enumeration enumeration = ((Group) principal).members();
- while (enumeration.hasMoreElements()) {
- values.add(enumeration.nextElement().getName());
- }
- if (attributes == null) {
- attributes = new MapAttributes();
- }
- attributes.addAll(key, values);
+ /* process the JAAS subject, extracting attributes from groups that might have been set in the subject by the JAAS login modules (e.g. 
caller principal, roles) */
+ final Set principals = authenticatedSubject.getPrincipals();
+ if (principals != null) {
+ for (Principal principal : principals) {
+ if (principal instanceof Group) {
+ final String key = principal.getName();
+ final Set values = new HashSet<>();
+ final Enumeration enumeration = ((Group) principal).members();
+ while (enumeration.hasMoreElements()) {
+ values.add(enumeration.nextElement().getName());
+ }
+ if (attributes == null) {
+ attributes = new MapAttributes();
 }
+ attributes.addAll(key, values);
 }
 }
 }
diff --git a/security/subsystem/src/main/java/org/jboss/as/security/logging/SecurityLogger.java b/security/subsystem/src/main/java/org/jboss/as/security/logging/SecurityLogger.java
index 391e5d9d69a9..5e383b7a2c39 100644
--- a/security/subsystem/src/main/java/org/jboss/as/security/logging/SecurityLogger.java
+++ b/security/subsystem/src/main/java/org/jboss/as/security/logging/SecurityLogger.java
@@ -876,4 +876,13 @@ public interface SecurityLogger extends BasicLogger {
 */
 @Message(id = 102, value = "Could not find a %s of type %s in the JSSE security domain %s")
 StartException expectedManagerTypeNotFound(final String managerName, final String managerType, final String legacyDomainName);
+
+ /**
+ * Creates an exception indicating that an {@link org.wildfly.security.authz.AuthorizationIdentity} could not be created
+ * because a valid authenticated Subject was not established yet.
+ *
+ * @return a {@link IllegalStateException} instance.
+ */
+ @Message(id = 103, value = "Unable to create AuthorizationIdentity: no authenticated Subject was found")
+ IllegalStateException unableToCreateAuthorizationIdentity();
 }
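Review bot: `authenticatedSubject` is assigned only inside `if (isValid)` and is never cleared, so once a PicketBoxBasedIdentity has verified one credential, a later failing `verifyEvidence` call on the same instance still leaves `exists()` true and `getAuthorizationIdentity()` returning the groups of the earlier, fresh `jaasSubject` rather than the rejected attempt. Whether Elytron ever calls `verifyEvidence` more than once on one RealmIdentity is not visible from this hunk, but keeping the field in step with the last result costs one line: `this.authenticatedSubject = isValid ? jaasSubject : null;` in place of the `if (isValid)` block. Since `exists()` is now false until evidence has been verified, any caller that consults `exists()` before `verifyEvidence` (name-only or pre-authenticated flows, if the surrounding code has them) will see a non-existent identity; that looks intended by the commit title, but a Javadoc line on `exists()` such as `Returns true only after verifyEvidence() has established a valid JAAS Subject for this identity.` would make the contract explicit. Nit: `if (this.authenticatedSubject == null){` lacks the space before the brace used elsewhere in the hunk. `verifyEvidence` starts and `getAuthorizationIdentity` ends outside this hunk.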
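Review bot: The new factory returns an unchecked `IllegalStateException`, whereas its only visible caller, `getAuthorizationIdentity()`, declares `RealmUnavailableException`; any caller that catches the declared type to turn a realm problem into an authentication failure will not catch this one, so it will presumably surface as an internal error instead. If that is deliberate (it marks a caller contract violation, not a realm outage), the Javadoc should say so, e.g. `Thrown when getAuthorizationIdentity() is called before verifyEvidence() has established a Subject; this is a caller contract violation, not a realm failure.`; otherwise consider declaring it as `RealmUnavailableException` to stay on the existing handling path. Also `@return a {@link IllegalStateException} instance.` should read `an`.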