[WFLY-8908] Fix PicketBoxBasedIdentity.exists() to return true if and…

… only if a valid JAAS Subject was previously established.
wildfly · Jun 22, 2017 · 3c261e5 · 3c261e5
1 parent ccfecfc
commit 3c261e5
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 21 deletions.
diff --git a/...ity/subsystem/src/main/java/org/jboss/as/security/elytron/SecurityDomainContextRealm.java b/...ity/subsystem/src/main/java/org/jboss/as/security/elytron/SecurityDomainContextRealm.java
@@ -24,6 +24,7 @@
 
 import javax.security.auth.Subject;
 
+import org.jboss.as.security.logging.SecurityLogger;
 import org.jboss.as.security.plugins.SecurityDomainContext;
 import org.wildfly.security.auth.SupportLevel;
 import org.wildfly.security.auth.server.RealmIdentity;
@@ -116,7 +117,7 @@ private class PicketBoxBasedIdentity implements RealmIdentity {
 
         private final Principal principal;
 
-        private Subject jaasSubject;
+        private Subject authenticatedSubject;
 
         private PicketBoxBasedIdentity(final Principal principal) {
             this.principal = principal;
@@ -151,41 +152,47 @@ public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableExceptio
                 throw new RealmUnavailableException();
             }
             else {
-                jaasSubject = new Subject();
+                final Subject jaasSubject = new Subject();
                 Object jaasCredential = evidence;
                 if (evidence instanceof PasswordGuessEvidence) {
                     jaasCredential = ((PasswordGuessEvidence) evidence).getGuess();
                 }
-                return domainContext.getAuthenticationManager().isValid(principal, jaasCredential, jaasSubject);
+                final boolean isValid = domainContext.getAuthenticationManager().isValid(principal, jaasCredential, jaasSubject);
+                if (isValid) {
+                    // set the authenticated subject when the authentication succeeds.
+                    this.authenticatedSubject = jaasSubject;
+                }
+                return isValid;
             }
         }
 
         @Override
         public boolean exists() throws RealmUnavailableException {
-            return true;
+            return this.authenticatedSubject != null;
         }
 
         @Override
         public AuthorizationIdentity getAuthorizationIdentity() throws RealmUnavailableException {
+            if (this.authenticatedSubject == null){
+                throw SecurityLogger.ROOT_LOGGER.unableToCreateAuthorizationIdentity();
+            }
             Attributes attributes = null;
-            if (this.jaasSubject != null) {
+            /* process the JAAS subject, extracting attributes from groups that might have been set in the subject
-                /* process the JAAS subject, extracting attributes from groups that might have been set in the subject
+               by the JAAS login modules (e.g. caller principal, roles) */
-                   by the JAAS login modules (e.g. caller principal, roles) */
+            final Set<Principal> principals = authenticatedSubject.getPrincipals();
-                final Set<Principal> principals = jaasSubject.getPrincipals();
+            if (principals != null) {
-                if (principals != null) {
+                for (Principal principal : principals) {
-                    for (Principal principal : principals) {
+                    if (principal instanceof Group) {
-                        if (principal instanceof Group) {
+                        final String key = principal.getName();
-                            final String key = principal.getName();
+                        final Set<String> values = new HashSet<>();
-                            final Set<String> values = new HashSet<>();
+                        final Enumeration<? extends Principal> enumeration = ((Group) principal).members();
-                            final Enumeration<? extends Principal> enumeration = ((Group) principal).members();
+                        while (enumeration.hasMoreElements()) {
-                            while (enumeration.hasMoreElements()) {
+                            values.add(enumeration.nextElement().getName());
-                                values.add(enumeration.nextElement().getName());
+                        }
-                            }
+                        if (attributes == null) {
-                            if (attributes == null) {
+                            attributes = new MapAttributes();
-                                attributes = new MapAttributes();
-                            }
-                            attributes.addAll(key, values);
                         }
+                        attributes.addAll(key, values);
                     }
                 }
             }

diff --git a/security/subsystem/src/main/java/org/jboss/as/security/logging/SecurityLogger.java b/security/subsystem/src/main/java/org/jboss/as/security/logging/SecurityLogger.java
@@ -876,4 +876,13 @@ public interface SecurityLogger extends BasicLogger {
      */
     @Message(id = 102, value = "Could not find a %s of type %s in the JSSE security domain %s")
     StartException expectedManagerTypeNotFound(final String managerName, final String managerType, final String legacyDomainName);
+
+    /**
+     * Creates an exception indicating that an {@link org.wildfly.security.authz.AuthorizationIdentity} could not be created
+     * because a valid authenticated Subject was not established yet.
+     *
+     * @return a {@link IllegalStateException} instance.
+     */
+    @Message(id = 103, value = "Unable to create AuthorizationIdentity: no authenticated Subject was found")
+    IllegalStateException unableToCreateAuthorizationIdentity();
 }