diff --git a/auth/server/base/src/main/java/org/wildfly/security/auth/callback/PrincipalAuthorizeCallback.java b/auth/server/base/src/main/java/org/wildfly/security/auth/callback/PrincipalAuthorizeCallback.java new file mode 100644 index 00000000000..0351bc12593 --- /dev/null +++ b/auth/server/base/src/main/java/org/wildfly/security/auth/callback/PrincipalAuthorizeCallback.java @@ -0,0 +1,81 @@ +/* + * Copyright 2020 Red Hat, Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.wildfly.security.auth.callback; + +import java.security.Principal; +import org.wildfly.common.Assert; +import org.wildfly.security.auth.principal.NamePrincipal; + +/** + *
An authorization callback similar to javase {@link javax.security.sasl.AuthorizeCallback} + * but using a generic principal.
+ * + * @author rmartinc + */ +public class PrincipalAuthorizeCallback implements ExtendedCallback { + + private final Principal principal; + private boolean authorized; + + /** + * Creates a new instance to authorize the associatedname
.
+ * It will be transformed in a {@link NamePrincipal}.
+ *
+ * @param name the name to authorize
+ */
+ public PrincipalAuthorizeCallback(String name) {
+ Assert.checkNotNullParam("name", name);
+ this.principal = new NamePrincipal(name);
+ }
+
+ /**
+ * Creates a new instance to authorize the associated principal
.
+ *
+ * @param principal the principal to authorize
+ */
+ public PrincipalAuthorizeCallback(Principal principal) {
+ Assert.checkNotNullParam("principal", principal);
+ this.principal = principal;
+ }
+
+ /**
+ * Indicates if the principal was successfully authorized.
+ *
+ * @return true if the principal was successfully authorized. Otherwise, false
+ */
+ public boolean isAuthorized() {
+ return authorized;
+ }
+
+ /**
+ * Sets whether the authorization is allowed for the principal.
+ *
+ * @param authorized authorization result
+ */
+ public void setAuthorized(boolean authorized) {
+ this.authorized = authorized;
+ }
+
+ /**
+ * Returns the {@link Principal}.
+ *
+ * @return the principal (not {@code null})
+ */
+ public Principal getPrincipal() {
+ return this.principal;
+ }
+}
diff --git a/auth/server/base/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java b/auth/server/base/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java
index 39d74beee65..b7e749c75c9 100644
--- a/auth/server/base/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java
+++ b/auth/server/base/src/main/java/org/wildfly/security/auth/server/ServerAuthenticationContext.java
@@ -56,6 +56,7 @@
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.auth.callback.ExclusiveNameCallback;
import org.wildfly.security.auth.callback.FastUnsupportedCallbackException;
+import org.wildfly.security.auth.callback.PrincipalAuthorizeCallback;
import org.wildfly.security.auth.callback.MechanismInformationCallback;
import org.wildfly.security.auth.callback.IdentityCredentialCallback;
import org.wildfly.security.auth.callback.PeerPrincipalCallback;
@@ -1115,6 +1116,15 @@ private void handleOne(final Callback[] callbacks, final int idx) throws IOExcep
addPublicCredential(credential);
}
handleOne(callbacks, idx + 1);
+ } else if (callback instanceof PrincipalAuthorizeCallback) {
+ PrincipalAuthorizeCallback authorizeCallback = (PrincipalAuthorizeCallback) callback;
+ Principal principal = authorizeCallback.getPrincipal();
+ // always re-set the principal to ensure it hasn't changed.
+ setAuthenticationPrincipal(principal);
+ boolean authorized = authorize();
+ log.tracef("Handling PrincipalAuthorizeCallback: principal = %s authorized = %b", principal, authorized);
+ authorizeCallback.setAuthorized(authorized);
+ handleOne(callbacks, idx + 1);
} else {
CallbackUtil.unsupported(callback);
handleOne(callbacks, idx + 1);
diff --git a/http/cert/src/main/java/org/wildfly/security/http/cert/ClientCertAuthenticationMechanism.java b/http/cert/src/main/java/org/wildfly/security/http/cert/ClientCertAuthenticationMechanism.java
index 662ad550fd7..73268d1b51c 100644
--- a/http/cert/src/main/java/org/wildfly/security/http/cert/ClientCertAuthenticationMechanism.java
+++ b/http/cert/src/main/java/org/wildfly/security/http/cert/ClientCertAuthenticationMechanism.java
@@ -31,12 +31,12 @@
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
-import javax.security.sasl.AuthorizeCallback;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.CachedIdentityAuthorizeCallback;
import org.wildfly.security.auth.callback.EvidenceDecodePrincipalCallback;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
+import org.wildfly.security.auth.callback.PrincipalAuthorizeCallback;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.cache.CachedIdentity;
@@ -141,10 +141,9 @@ private boolean attemptAuthentication(HttpServerRequest request, Function