@Override
public ServletRequestContext run() {
    // Body of the privileged action: look up the request context bound to the calling thread.
    // current() may yield null when nothing is bound (callers are expected to handle that).
    ServletRequestContext bound = ServletRequestContext.current();
    return bound;
}
};
/**
 * Returns the servlet request bound to the calling thread, or {@code null} when no
 * request context is currently bound.
 *
 * <p>With a {@code SecurityManager} installed the lookup is routed through
 * {@code AccessController.doPrivileged(CURRENT_CONTEXT)}; without one it calls
 * {@code ServletRequestContext.current()} directly.</p>
 */
public static ServletRequest getActiveRequest() {
    final ServletRequestContext bound = System.getSecurityManager() == null
            ? ServletRequestContext.current()
            : AccessController.doPrivileged(CURRENT_CONTEXT);
    // Nothing bound to this thread -> no active request to hand out.
    return bound == null ? null : bound.getServletRequest();
}
}
@Override
public void handleRequest(HttpServerExchange exchange) throws Exception {
    // Presumably OLD_RELATIVE_PATH holds the relative path as it was when the servlet was first
    // resolved. If the path has changed since, re-resolve the servlet chain and path match so the
    // downstream handler serves the path actually requested.
    // NOTE(review): previousPath is dereferenced without a null check; a missing
    // OLD_RELATIVE_PATH attachment would NPE here — confirm it is always set upstream.
    final String previousPath = exchange.getAttachment(OLD_RELATIVE_PATH);
    final String currentPath = exchange.getRelativePath();
    if (!previousPath.equals(currentPath)) {
        final ServletRequestContext src = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
        final ServletPathMatch match = src.getDeployment().getServletPaths().getServletHandlerByPath(currentPath);
        src.setCurrentServlet(match.getServletChain());
        src.setServletPathMatch(match);
    }
    handler.handleRequest(exchange);
}
};
/**
 * <p>
 * Creates the {@code MessageInfo} handed to the SAM's {@code cleanSubject()} call, wrapping the
 * servlet request and response of the current exchange.
 * </p>
 *
 * @return a {@code MessageInfo} whose policy map marks the request as mandatory.
 */
private MessageInfo buildMessageInfo() {
    final ServletRequestContext src = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final GenericMessageInfo info = new GenericMessageInfo();
    info.setRequestMessage(src.getServletRequest());
    info.setResponseMessage(src.getServletResponse());
    // cleanSubject requires isMandatory to be "true" in the message policy map.
    info.getMap().put("javax.security.auth.message.MessagePolicy.isMandatory", "true");
    return info;
}
/**
 * Builds the JASPIC application context identifier for the given request context.
 *
 * @param attachment the request context whose servlet context is described.
 * @return {@code "<virtual server name> <context path>"} of the request's servlet context.
 */
static String buildApplicationIdentifier(final ServletRequestContext attachment) {
    final ServletRequest request = attachment.getServletRequest();
    final StringBuilder identifier = new StringBuilder();
    identifier.append(request.getServletContext().getVirtualServerName());
    identifier.append(' ');
    identifier.append(request.getServletContext().getContextPath());
    return identifier.toString();
}
@Override public boolean canAccessResource(List<SingleConstraintMatch> mappedConstraints, Account account, ServletInfo servletInfo, HttpServletRequest request, Deployment deployment) { ServletRequestContext src = ServletRequestContext.current(); boolean baseDecision = delegate.canAccessResource(mappedConstraints, account, servletInfo, request, deployment); boolean authzDecision = false; roles.addAll(account.getRoles()); authzDecision = helper.checkResourcePermission(contextMap, request, src.getServletResponse(), caller, PolicyContext.getContextID(), requestURI(src.getExchange()), roles); boolean finalDecision = baseDecision && authzDecision && hasUserDataPermission(request, src.getOriginalResponse(), account, mappedConstraints);
/**
 * Installs the servlet's configured run-as identity on the security context for the duration of
 * the request, then restores the previous identity.
 */
@Override
public void handleRequest(final HttpServerExchange exchange) throws Exception {
    SecurityContext sc = exchange.getAttachment(UndertowSecurityAttachments.SECURITY_CONTEXT_ATTACHMENT);
    RunAsIdentityMetaData identity = null;
    RunAs old = null;
    try {
        // The run-as configuration is keyed by the name of the servlet currently selected for this exchange.
        final ServletChain servlet = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY).getCurrentServlet();
        identity = runAsIdentityMetaDataMap.get(servlet.getManagedServlet().getServletInfo().getName());
        RunAsIdentity runAsIdentity = null;
        if (identity != null) {
            UndertowLogger.ROOT_LOGGER.tracef("%s, runAs: %s", servlet.getManagedServlet().getServletInfo().getName(), identity);
            runAsIdentity = new RunAsIdentity(identity.getRoleName(), identity.getPrincipalName(), identity.getRunAsRoles());
        }
        // Called even when runAsIdentity is null; the return value is the identity that was in place before.
        old = SecurityActions.setRunAsIdentity(runAsIdentity, sc);
        // Perform the request
        next.handleRequest(exchange);
    } finally {
        // NOTE(review): the previous identity is restored only when this servlet had a run-as entry.
        // If setRunAsIdentity(null, sc) above replaces an identity installed by an outer handler,
        // that identity is not put back here — confirm a null argument is a no-op on the context.
        if (identity != null) {
            SecurityActions.setRunAsIdentity(old, sc);
        }
    }
}
/**
 * Runs the rest of the handler chain and then invokes the SAM's {@code secureResponse} for the
 * exchange's JASPIC context, adopting any request/response wrappers the SAM installed.
 */
@Override
public void handleRequest(HttpServerExchange exchange) throws Exception {
    try {
        next.handleRequest(exchange);
    } finally {
        // Runs regardless of how the chain finished so the SAM always gets its secureResponse call.
        try {
            JASPICContext context = exchange.getAttachment(JASPICContext.ATTACHMENT_KEY);
            // Skipped when no JASPIC context is attached, or when wasAuthExceptionThrown reports a
            // failure (presumably an exception raised during authentication — confirm).
            if (!JASPICAuthenticationMechanism.wasAuthExceptionThrown(exchange) && context != null) {
                ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
                String applicationIdentifier = JASPICAuthenticationMechanism.buildApplicationIdentifier(requestContext);
                UndertowLogger.ROOT_LOGGER.debugf("secureResponse for layer [%s] and applicationContextIdentifier [%s].", JASPICAuthenticationMechanism.JASPI_HTTP_SERVLET_LAYER, applicationIdentifier);
                // A fresh, empty service Subject is passed on every call.
                context.getSam().secureResponse(context.getMessageInfo(), new Subject(), JASPICAuthenticationMechanism.JASPI_HTTP_SERVLET_LAYER, applicationIdentifier, context.getCbh());
                // A SAM can unwrap the HTTP request/response objects - update the servlet request context with the values found in the message info.
                // The casts are unchecked: a SAM that installs a non-HTTP message object fails here with a
                // ClassCastException, which is caught and logged by the catch block below.
                ServletRequestContext servletRequestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
                servletRequestContext.setServletRequest((HttpServletRequest) context.getMessageInfo().getRequestMessage());
                servletRequestContext.setServletResponse((HttpServletResponse) context.getMessageInfo().getResponseMessage());
            }
        } catch (Exception e) {
            // Failures in secureResponse are logged rather than propagated to the caller.
            UndertowLogger.ROOT_LOGGER.errorInvokingSecureResponse(e);
        }
    }
}
/**
 * Records {@code pathInfo} as the current path match of the exchange's request context and
 * dispatches the request to the servlet chain that match resolved to.
 *
 * @param exchange       the exchange being dispatched.
 * @param pathInfo       the resolved servlet path match.
 * @param dispatcherType the type of dispatch being performed.
 * @throws Exception propagated from {@code dispatchRequest}.
 */
public void dispatchToPath(final HttpServerExchange exchange, final ServletPathMatch pathInfo, final DispatcherType dispatcherType) throws Exception {
    final ServletRequestContext src = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    src.setServletPathMatch(pathInfo);
    dispatchRequest(exchange, src, pathInfo.getServletChain(), dispatcherType);
}
private void sessionDestroyedImpl(HttpSessionEvent se) {
    // The account to clear can live in two places: on the security context of the request that is
    // currently executing (if any), and in the authenticated-session attribute stored on the session
    // itself. Both are consulted for maximum compatibility; the session copy is skipped when it is
    // the very account that was just cleared from the request.
    final Account requestAccount = clearCurrentRequestAccount();
    clearSessionAccount(se, requestAccount);
}

// Clears the account authenticated on the current request and returns it (null when there is none).
private Account clearCurrentRequestAccount() {
    final ServletRequestContext src = ServletRequestContext.current();
    if (src == null) {
        return null;
    }
    final SecurityContext securityContext = src.getExchange().getSecurityContext();
    if (securityContext == null) {
        return null;
    }
    final Account account = securityContext.getAuthenticatedAccount();
    if (account != null) {
        clearAccount(account);
    }
    return account;
}

// Clears the account cached on the session behind the given HTTP session, unless it equals alreadyCleared.
private void clearSessionAccount(HttpSessionEvent se, Account alreadyCleared) {
    if (!(se.getSession() instanceof HttpSessionImpl)) {
        return;
    }
    final Session session = ((HttpSessionImpl) se.getSession()).getSession();
    if (session == null) {
        return;
    }
    final AuthenticatedSessionManager.AuthenticatedSession authenticatedSession =
            (AuthenticatedSessionManager.AuthenticatedSession) session.getAttribute(
                    CachedAuthenticatedSessionHandler.class.getName() + ".AuthenticatedSession");
    if (authenticatedSession == null) {
        return;
    }
    final Account sessionAccount = authenticatedSession.getAccount();
    if (sessionAccount != null && !sessionAccount.equals(alreadyCleared)) {
        clearAccount(sessionAccount);
    }
}
/**
 * Tells whether the deployment owning this exchange has servlet FORM authentication among its
 * configured authentication mechanisms.
 *
 * @param exchange the exchange whose deployment is inspected.
 * @return {@code true} if any configured mechanism is a {@code ServletFormAuthenticationMechanism}.
 */
static boolean isFormAuthentication(HttpServerExchange exchange) {
    final ServletRequestContext src = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final List<AuthenticationMechanism> mechanisms = src.getDeployment().getAuthenticationMechanisms();
    boolean formAuth = false;
    for (int i = 0; i < mechanisms.size() && !formAuth; i++) {
        formAuth = mechanisms.get(i) instanceof ServletFormAuthenticationMechanism;
    }
    return formAuth;
}
}
/**
 * <p>Authentication is mandatory when the exchange carries a security context that requires
 * authentication, which is the case when the servlet has http constraints (eg.: {@link
 * javax.servlet.annotation.HttpConstraint}).</p>
 *
 * @param attachment the request context of the exchange being authenticated.
 * @return {@code Boolean.TRUE} when authentication is required for this request,
 *         {@code Boolean.FALSE} otherwise (including when the exchange has no security context).
 */
private Boolean isMandatory(final ServletRequestContext attachment) {
    if (attachment.getExchange().getSecurityContext() == null) {
        return Boolean.FALSE;
    }
    return attachment.getExchange().getSecurityContext().isAuthenticationRequired();
}
@Override
public ServletRequestContext run() {
    // Body of the privileged action. Unlike current(), requireCurrent() is presumably meant to
    // fail rather than return null when no context is bound — name-based, confirm.
    ServletRequestContext bound = ServletRequestContext.requireCurrent();
    return bound;
}
});
/**
 * Creates the {@code MessageInfo} passed to the auth modules for the given exchange.
 *
 * @param exchange        the exchange being authenticated.
 * @param securityContext the Undertow security context of that exchange.
 * @return a message info wrapping the servlet request/response, with the mandatory flag and the
 *         Undertow security context and exchange stored in its map.
 */
private GenericMessageInfo createMessageInfo(final HttpServerExchange exchange, final SecurityContext securityContext) {
    final ServletRequestContext src = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final GenericMessageInfo info = new GenericMessageInfo();
    info.setRequestMessage(src.getServletRequest());
    info.setResponseMessage(src.getServletResponse());
    // Tells the modules whether this request must be authenticated (see isMandatory()).
    info.getMap().put("javax.security.auth.message.MessagePolicy.isMandatory", isMandatory(src).toString());
    // Additional context data, useful to provide access to Undertow resources during the modules
    // processing. Note that any module receiving this map gets direct access to the exchange.
    info.getMap().put(SECURITY_CONTEXT_ATTACHMENT_KEY, securityContext);
    info.getMap().put(HTTP_SERVER_EXCHANGE_ATTACHMENT_KEY, exchange);
    return info;
}
/**
 * <p>
 * Builds the JASPIC application context identifier for the current exchange.
 * </p>
 *
 * @return {@code "<virtual server name> <context path>"} of the request's servlet context.
 */
private String buildAppContext() {
    final ServletRequestContext requestContext = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    final ServletRequest request = requestContext.getServletRequest();
    final StringBuilder appContext = new StringBuilder();
    appContext.append(request.getServletContext().getVirtualServerName())
            .append(' ')
            .append(request.getServletContext().getContextPath());
    return appContext.toString();
}
servletRequestContext.setServletRequest((HttpServletRequest) messageInfo.getRequestMessage()); servletRequestContext.setServletResponse((HttpServletResponse) messageInfo.getResponseMessage());
SecurityContext securityContext = (SecurityContext) messageInfo.getMap().get(JASPICAuthenticationMechanism.SECURITY_CONTEXT_ATTACHMENT_KEY); ServletRequestContext src = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY); List<AuthenticationMechanism> mechanisms = src.getDeployment().getAuthenticationMechanisms();
@Override
public ServletRequestContext run() {
    // Body of the privileged action: look up the request context bound to the calling thread.
    // current() may yield null when nothing is bound (callers are expected to handle that).
    ServletRequestContext bound = ServletRequestContext.current();
    return bound;
}
});
/**
 * Emits an audit event for authentication outcomes. Only {@code AUTHENTICATED} and
 * {@code FAILED_AUTHENTICATION} notifications are recorded; all other event types are ignored.
 *
 * @param notification the security notification raised by Undertow.
 */
@Override
public void handleNotification(SecurityNotification notification) {
    final EventType event = notification.getEventType();
    if (event != EventType.AUTHENTICATED && event != EventType.FAILED_AUTHENTICATION) {
        return;
    }
    final AuditLevel level;
    if (event == EventType.AUTHENTICATED) {
        level = AuditLevel.SUCCESS;
    } else {
        level = AuditLevel.FAILURE;
    }
    final AuditEvent auditEvent = new AuditEvent(level);
    final Map<String, Object> ctxMap = new HashMap<String, Object>();
    final Account account = notification.getAccount();
    if (account != null) {
        // NOTE(review): getPrincipal() is dereferenced unguarded — confirm an authenticated
        // account always carries a principal.
        ctxMap.put("principal", account.getPrincipal().getName());
    }
    ctxMap.put("message", notification.getMessage());
    final ServletRequestContext src = notification.getExchange().getAttachment(ServletRequestContext.ATTACHMENT_KEY);
    if (src != null) {
        final ServletRequest hsr = src.getServletRequest();
        // Request details (whatever deriveUsefulInfo selects) are recorded for HTTP servlet requests only.
        if (hsr instanceof HttpServletRequest) {
            ctxMap.put("request", deriveUsefulInfo((HttpServletRequest) hsr));
        }
    }
    ctxMap.put("Source", getClass().getCanonicalName());
    auditEvent.setContextMap(ctxMap);
    auditManager.audit(auditEvent);
}
ServletRequestContext src = exchange.getAttachment(ServletRequestContext.ATTACHMENT_KEY); if(src != null) { src.getServletRequest().setAttribute(ORG_WILDFLY_SUSPENDED, "true");