From 0e513711f4c493d6b2e82bf7115556b26bc21436 Mon Sep 17 00:00:00 2001
From: Darran A Lofthouse
Date: Mon, 25 Nov 2024 10:38:15 +0000
Subject: [PATCH] [ELYEE-50] Upgrade Jakarta Authentication to version 3.1.0
Includes removing security manager calls for Jakarta Authentication integration.
---
authentication/pom.xml | 16 ++-----
.../auth/jaspi/ElytronAuthConfigFactory.java | 26 +-----------
.../impl/JaspiAuthenticationContext.java | 10 +----
.../auth/jaspi/impl/SecurityActions.java | 42 -------------------
pom.xml | 2 +-
5 files changed, 8 insertions(+), 88 deletions(-)
delete mode 100644 authentication/src/main/java/org/wildfly/security/auth/jaspi/impl/SecurityActions.java
diff --git a/authentication/pom.xml b/authentication/pom.xml
index d4114f8b2..9ade3c2a2 100644
--- a/authentication/pom.xml
+++ b/authentication/pom.xml
@@ -83,7 +83,7 @@ - +
@@ -100,19 +100,11 @@ org.wildfly.security wildfly-elytron-credential - - org.wildfly.security - wildfly-elytron-permission - org.wildfly.security wildfly-elytron-realm - - org.wildfly.security - wildfly-elytron-security-manager-action - - + org.jboss.logging jboss-logging-annotations
@@ -139,7 +131,7 @@ jakarta.servlet-api provided - + org.wildfly.common wildfly-common
@@ -157,5 +149,5 @@ test - +
diff --git a/authentication/src/main/java/org/wildfly/security/auth/jaspi/ElytronAuthConfigFactory.java b/authentication/src/main/java/org/wildfly/security/auth/jaspi/ElytronAuthConfigFactory.java
index 3d0111a14..eabea5316 100644
--- a/authentication/src/main/java/org/wildfly/security/auth/jaspi/ElytronAuthConfigFactory.java
+++ b/authentication/src/main/java/org/wildfly/security/auth/jaspi/ElytronAuthConfigFactory.java
@@ -16,14 +16,11 @@ package org.wildfly.security.auth.jaspi;
-import static java.lang.System.getSecurityManager;
 import static org.wildfly.common.Assert.checkNotNullParam;
 import static org.wildfly.security.auth.jaspi._private.ElytronMessages.log;
 import static org.wildfly.security.auth.jaspi._private.ElytronEEMessages.eeLog;
 import java.lang.reflect.Constructor;
-import java.security.AccessController;
-import java.security.SecurityPermission;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
@@ -35,7 +32,6 @@ import org.wildfly.security.auth.jaspi.impl.AuthenticationModuleDefinition;
 import org.wildfly.security.auth.jaspi.impl.ElytronAuthConfigProvider;
-import org.wildfly.security.manager.action.GetContextClassLoaderAction;
 import jakarta.security.auth.message.config.AuthConfigFactory;
 import jakarta.security.auth.message.config.AuthConfigProvider;
@@ -142,8 +138,6 @@ boolean matchesRegistration(final String layer, final String appContext) {
 */
 @Override
 public String registerConfigProvider(AuthConfigProvider provider, String layer, String appContext, String description) {
-checkPermission(providerRegistrationSecurityPermission);
-
 return registerConfigProvider(provider, layer, appContext, description, false);
 }
@@ -153,8 +147,6 @@ public String registerConfigProvider(AuthConfigProvider provider, String layer,
 @Override
 public String registerConfigProvider(String className, Map properties, String layer, String appContext, String description) {
 // TODO [ELY-1548] We should support persisting to configuration changes made by calling this method.
-checkPermission(providerRegistrationSecurityPermission);
-
 AuthConfigProvider authConfigProvider = null;
 if (className != null) {
 ClassLoader classLoader = identifyClassLoader();
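Review bot: Dropping `checkPermission(providerRegistrationSecurityPermission)` from `registerConfigProvider` leaves nothing guarding provider registration, so the Javadoc that closes just above `@Override` must no longer promise a `SecurityException` for callers without that permission; the same applies to the second `registerConfigProvider` overload, `removeRegistration`, `detachListener` and `refresh` in the following hunks. Those Javadoc bodies are outside the hunks, so I cannot confirm what they currently say. The `providerRegistrationSecurityPermission` field these calls referenced is also outside the hunks; with every use and the `SecurityPermission` import removed it is dead and should go in the same change. A one-line class-level note such as `* Registration changes are no longer subject to a SecurityManager permission check.` would tell integrators that access to the factory now implies the ability to change registrations.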
@@ -234,8 +226,6 @@ public void removeServerAuthModule(Object context) {
 */
 @Override
 public boolean removeRegistration(String registrationId) {
-checkPermission(providerRegistrationSecurityPermission);
-
 String layer = null;
 String appContext = null;
 boolean removed = false;
@@ -271,7 +261,6 @@ public boolean removeRegistration(String registrationId) {
 @Override
 public String[] detachListener(RegistrationListener listener, String layer, String appContext) {
 checkNotNullParam("listener", listener);
-checkPermission(providerRegistrationSecurityPermission);
 List registrationIDs = new ArrayList<>();
 synchronized (layerContextRegistration) {
 for (Registration current : layerContextRegistration.values()) {
@@ -335,23 +324,10 @@ public String[] getRegistrationIDs(AuthConfigProvider provider) {
 @Override
 public void refresh() {
 // [ELY-1538] Dynamic loading not presently supported, once supported refresh will reload the configuration.
-checkPermission(providerRegistrationSecurityPermission);
-}
-
-
-
-
-private static void checkPermission(final SecurityPermission securityPermission) {
-SecurityManager securityManager = getSecurityManager();
-if (securityManager != null) {
-securityManager.checkPermission(securityPermission);
-}
 }
 private static ClassLoader identifyClassLoader() {
-ClassLoader classLoader = getSecurityManager() != null
-? AccessController.doPrivileged(GetContextClassLoaderAction.getInstance())
-: GetContextClassLoaderAction.getInstance().run();
+ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
 return classLoader != null ? classLoader : ClassLoader.getSystemClassLoader();
 }
diff --git a/authentication/src/main/java/org/wildfly/security/auth/jaspi/impl/JaspiAuthenticationContext.java b/authentication/src/main/java/org/wildfly/security/auth/jaspi/impl/JaspiAuthenticationContext.java
index 32c3dde39..c9183a0d5 100644
--- a/authentication/src/main/java/org/wildfly/security/auth/jaspi/impl/JaspiAuthenticationContext.java
+++ b/authentication/src/main/java/org/wildfly/security/auth/jaspi/impl/JaspiAuthenticationContext.java
@@ -18,13 +18,10 @@ import static org.wildfly.common.Assert.checkNotNullParam;
 import static org.wildfly.security.auth.jaspi._private.ElytronMessages.log;
-import static org.wildfly.security.auth.jaspi.impl.SecurityActions.doPrivileged;
 import java.io.IOException;
 import java.security.Principal;
-import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -134,10 +131,7 @@ private CallbackHandler createCommonCallbackHandler(final boolean integrated) {
 @Override
 public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
 try {
-doPrivileged((PrivilegedExceptionAction) () -> {
-handleOne(callbacks, 0);
-return null;
-});
+handleOne(callbacks, 0);
 } catch (Exception e) {
 if (e instanceof PrivilegedActionException) {
 if (e.getCause() instanceof UnsupportedCallbackException) {
@@ -299,7 +293,7 @@ public SecurityIdentity getAuthorizedIdentity() throws IllegalStateException {
 Roles roles = Roles.fromSet(this.roles);
 RoleMapper roleMapper = RoleMapper.constant(roles);
 SecurityIdentity temp = securityIdentity;
-securityIdentity = doPrivileged((PrivilegedAction) (() -> temp.withDefaultRoleMapper(roleMapper)));
+securityIdentity = temp.withDefaultRoleMapper(roleMapper);
 } else {
 log.trace("No roles request of CallbackHandler.");
 }
diff --git a/authentication/src/main/java/org/wildfly/security/auth/jaspi/impl/SecurityActions.java b/authentication/src/main/java/org/wildfly/security/auth/jaspi/impl/SecurityActions.java
deleted file mode 100644
index 0e0238564..000000000
--- a/authentication/src/main/java/org/wildfly/security/auth/jaspi/impl/SecurityActions.java
+++ /dev/null
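Review bot: With the `doPrivileged` wrapper gone, the `try` in `handle` now calls only `handleOne(callbacks, 0)`, so the `e instanceof PrivilegedActionException` unwrapping in the `catch` can never match and is dead; the remainder of that catch block lies outside the hunk. If `handleOne` declares only `IOException` and `UnsupportedCallbackException`, both already declared by `handle`, the try/catch and the retained `java.security.PrivilegedActionException` import can be removed and the body reduced to `handleOne(callbacks, 0);`. If it throws something else, narrow `catch (Exception e)` to that type rather than keep a broad catch whose only purpose was the privileged-action unwrapping.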
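Review bot: `SecurityIdentity temp = securityIdentity;` in `getAuthorizedIdentity` is now a leftover: it existed only so the removed lambda could capture an effectively final local, and the context line above the change plus the new line can collapse to `securityIdentity = securityIdentity.withDefaultRoleMapper(roleMapper);`. The rest of getAuthorizedIdentity is outside the hunk.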
@@ -1,42 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2015 Red Hat, Inc., and individual contributors
- * as indicated by the @author tags.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package org.wildfly.security.auth.jaspi.impl;
-
-import static java.lang.System.getSecurityManager;
-
-import java.security.AccessController;
-import java.security.PrivilegedAction;
-import java.security.PrivilegedExceptionAction;
-
-/**
- * Wrapper around {@link AccessController#doPrivileged(PrivilegedAction)} for the 'org.wildfly.extension.elytron' package.
- *
- * @author Darran Lofthouse
- */
-final class SecurityActions {
-
-static T doPrivileged(final PrivilegedAction action) {
-return getSecurityManager() != null ? AccessController.doPrivileged(action) : action.run();
-}
-
-static T doPrivileged(final PrivilegedExceptionAction action) throws Exception {
-return getSecurityManager() != null ? AccessController.doPrivileged(action) : action.run();
-}
-
-}
diff --git a/pom.xml b/pom.xml
index 19eb12810..b3b12c8f3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -59,7 +59,7 @@ 17 17 - 3.0.0 + 3.1.0 2.1.0 4.0.1 3.1.0