in yoko-core/src/main/java/org/apache/yoko/orb/csi/CSIServerRequestInterceptor.java [202:391]
void acceptContext(ServerRequestInfo ri, EstablishContext establishMsg,
boolean support_gssup_authorization,
boolean require_gssup_authorization,
boolean support_gssup_principal_identity, String gssup_domain)
{
if (establishMsg.client_context_id != 0) {
// Error, we do not support stateful mode
log.severe("Stateful security contexts not supported");
throw new org.omg.CORBA.NO_PERMISSION(
"Stateful security contexts not supported");
}
log.fine("accepting context...");
// Ignore authorization token list (not supported)
// establishMsg.authorization_token;
// Ignore identity token for now
// establishMsg.identity_token;
// Extract client authentication token
if (support_gssup_authorization
&& establishMsg.identity_token.discriminator() == ITTAbsent.value
&& establishMsg.client_authentication_token.length > 0)
{
InitialContextToken gssupToken = decodeGSSUPToken(establishMsg.client_authentication_token);
String useratrealm = utf8decode(gssupToken.username);
String name;
String realm;
int idx = useratrealm.lastIndexOf('@');
if (idx == -1) {
name = useratrealm;
realm = "default";
} else {
name = useratrealm.substring(0, idx);
realm = useratrealm.substring(idx + 1);
}
if (!realm.equals(gssup_domain)) {
returnContextError(ri, 1, 1);
throw new org.omg.CORBA.NO_PERMISSION("bad domain: \"" + realm
+ "\"");
}
String password = utf8decode(gssupToken.password);
log.fine("GSSUP initial context token name=" + name
+ "; realm=" + realm + "; password=" + password);
try {
Subject subject = SecurityContext.login(name, realm, password);
// Login succeeded
SecurityContext.setAuthenticatedSubject(subject);
log.fine("Login succeeded");
returnCompleteEstablishContext(ri);
}
catch (LoginException ex) {
// Login failed
log.log(Level.SEVERE, "Login failed", ex);
returnContextError(ri, 1, 1);
throw new org.omg.CORBA.NO_PERMISSION("login failed");
}
catch (Exception ex) {
log.log(Level.SEVERE, "Exception occured: ", ex);
}
} else if (require_gssup_authorization) {
returnContextError(ri, 1, 1);
throw new org.omg.CORBA.NO_PERMISSION(
"GSSUP authorization required");
} else if (support_gssup_principal_identity
&& establishMsg.identity_token.discriminator() == ITTPrincipalName.value)
{
log.fine("accepting ITTPrincipalName");
byte[] name = establishMsg.identity_token.principal_name();
Any aa;
try {
aa = codec.decode_value(name, OctetSeqHelper.type());
}
catch (UserException e) {
MARSHAL me = new MARSHAL("cannot decode security descriptor",
0, CompletionStatus.COMPLETED_NO);
me.initCause(e);
throw me;
}
byte[] exported_name = OctetSeqHelper.extract(aa);
// byte[] exported_name = uncapsulateByteArray(name);
String userAtDomain = decodeGSSExportedName(exported_name);
log.fine("establish ITTPrincipalName " + userAtDomain);
int idx = userAtDomain.indexOf('@');
String user = "";
String domain;
if (idx == -1) {
user = userAtDomain;
domain = "default";
} else {
user = userAtDomain.substring(0, idx);
domain = userAtDomain.substring(idx + 1);
}
if (gssup_domain != null && !domain.equals(gssup_domain)) {
returnContextError(ri, 1, 1);
log.warning("request designates wrong domain: " + userAtDomain);
throw new org.omg.CORBA.NO_PERMISSION("bad domain");
}
// CSISubjectInfo.setPropagatedCaller (user, domain);
Subject subject = SecurityContext.delegate(user, domain);
SecurityContext.setAuthenticatedSubject(subject);
returnCompleteEstablishContext(ri);
} else if (establishMsg.identity_token.discriminator() == ITTAnonymous.value) {
// establish anoynous identity
log.fine("accepting ITTAnonymous");
// CSISubjectInfo.setAnonymousSubject ();
try {
Subject subject = SecurityContext.anonymousLogin();
SecurityContext.setAuthenticatedSubject(subject);
}
catch (LoginException ex) {
// Won't happen
}
returnCompleteEstablishContext(ri);
} else if (establishMsg.identity_token.discriminator() == ITTDistinguishedName.value) {
log.fine("accepting ITTDistinguishedName");
byte[] name_data = establishMsg.identity_token.dn();
Any aa;
try {
aa = codec.decode_value(name_data, OctetSeqHelper.type());
}
catch (UserException e) {
MARSHAL me = new MARSHAL("cannot encode security descriptor",
0, CompletionStatus.COMPLETED_NO);
me.initCause(e);
throw me;
}
byte[] x500name_data = OctetSeqHelper.extract(aa);
// byte[] x500name_data = uncapsulateByteArray(name_data);
try {
Subject subject = new Subject();
subject.getPrincipals().add(new X500Principal(x500name_data));
SecurityContext.setAuthenticatedSubject(subject);
}
catch (IllegalArgumentException ex) {
log.log(Level.FINE, "cannot decode X500 name", ex);
returnContextError(ri, 1, 1);
throw new org.omg.CORBA.NO_PERMISSION("cannot decode X500 name");
}
returnCompleteEstablishContext(ri);
} else {
returnContextError(ri, 2, 1);
throw new org.omg.CORBA.NO_PERMISSION("Unsupported IdentityToken");
}
}