@Override
public void execute(OperationContext context, ModelNode operation)
throws OperationFailedException {
ModelNode model = context.createResource(PathAddress.EMPTY_ADDRESS).getModel();
SecurityRealmResourceDefinition.MAP_GROUPS_TO_ROLES.validateAndSet(operation, model);
// Add a step validating that we have the correct authentication and authorization child
// resources
ModelNode validationOp = AuthenticationValidatingHandler.createOperation(operation);
context.addStep(
validationOp, AuthenticationValidatingHandler.INSTANCE, OperationContext.Stage.MODEL);
validationOp = AuthorizationValidatingHandler.createOperation(operation);
context.addStep(
validationOp, AuthorizationValidatingHandler.INSTANCE, OperationContext.Stage.MODEL);
context.addStep(
new OperationStepHandler() {
@Override
public void execute(OperationContext context, ModelNode operation)
throws OperationFailedException {
// Install another RUNTIME handler to actually install the services. This will run after
// the
// RUNTIME handler for any child resources. Doing this will ensure that child resource
// handlers don't
// see the installed services and can just ignore doing any RUNTIME stage work
context.addStep(ServiceInstallStepHandler.INSTANCE, OperationContext.Stage.RUNTIME);
context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
}
},
OperationContext.Stage.RUNTIME);
context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
}
protected void installServices(
final OperationContext context,
final String realmName,
final ModelNode model,
final ServiceVerificationHandler verificationHandler,
final List<ServiceController<?>> newControllers)
throws OperationFailedException {
final ModelNode plugIns = model.hasDefined(PLUG_IN) ? model.get(PLUG_IN) : null;
final ModelNode authentication =
model.hasDefined(AUTHENTICATION) ? model.get(AUTHENTICATION) : null;
final ModelNode authorization =
model.hasDefined(AUTHORIZATION) ? model.get(AUTHORIZATION) : null;
final ModelNode serverIdentities =
model.hasDefined(SERVER_IDENTITY) ? model.get(SERVER_IDENTITY) : null;
final ServiceTarget serviceTarget = context.getServiceTarget();
final boolean mapGroupsToRoles =
SecurityRealmResourceDefinition.MAP_GROUPS_TO_ROLES
.resolveModelAttribute(context, model)
.asBoolean();
final SecurityRealmService securityRealmService =
new SecurityRealmService(realmName, mapGroupsToRoles);
final ServiceName realmServiceName = SecurityRealm.ServiceUtil.createServiceName(realmName);
ServiceBuilder<?> realmBuilder =
serviceTarget.addService(realmServiceName, securityRealmService);
final boolean shareLdapConnections =
shareLdapConnection(context, authentication, authorization);
ModelNode authTruststore = null;
if (plugIns != null) {
addPlugInLoaderService(realmName, plugIns, serviceTarget, newControllers);
}
InjectedSetValue<CallbackHandlerService> injectorSet =
securityRealmService.getCallbackHandlerService();
if (authentication != null) {
// Authentication can have a truststore defined at the same time as a username/password based
// mechanism.
//
// In this case it is expected certificate based authentication will first occur with a
// fallback to username/password
// based authentication.
if (authentication.hasDefined(TRUSTSTORE)) {
authTruststore = authentication.require(TRUSTSTORE);
addClientCertService(
realmName, serviceTarget, newControllers, realmBuilder, injectorSet.injector());
}
if (authentication.hasDefined(LOCAL)) {
addLocalService(
context,
authentication.require(LOCAL),
realmName,
serviceTarget,
newControllers,
realmBuilder,
injectorSet.injector());
}
if (authentication.hasDefined(JAAS)) {
addJaasService(
context,
authentication.require(JAAS),
realmName,
serviceTarget,
newControllers,
context.isNormalServer(),
realmBuilder,
injectorSet.injector());
} else if (authentication.hasDefined(LDAP)) {
addLdapService(
context,
authentication.require(LDAP),
realmName,
serviceTarget,
newControllers,
realmBuilder,
injectorSet.injector(),
shareLdapConnections);
} else if (authentication.hasDefined(PLUG_IN)) {
addPlugInAuthenticationService(
context,
authentication.require(PLUG_IN),
realmName,
securityRealmService,
serviceTarget,
newControllers,
realmBuilder,
injectorSet.injector());
} else if (authentication.hasDefined(PROPERTIES)) {
addPropertiesAuthenticationService(
context,
authentication.require(PROPERTIES),
realmName,
serviceTarget,
newControllers,
realmBuilder,
injectorSet.injector());
} else if (authentication.hasDefined(USERS)) {
addUsersService(
context,
authentication.require(USERS),
realmName,
serviceTarget,
newControllers,
realmBuilder,
injectorSet.injector());
}
}
if (authorization != null) {
if (authorization.hasDefined(PROPERTIES)) {
addPropertiesAuthorizationService(
context,
authorization.require(PROPERTIES),
realmName,
serviceTarget,
newControllers,
realmBuilder,
securityRealmService.getSubjectSupplementalInjector());
} else if (authorization.hasDefined(PLUG_IN)) {
addPlugInAuthorizationService(
context,
authorization.require(PLUG_IN),
realmName,
serviceTarget,
newControllers,
realmBuilder,
securityRealmService.getSubjectSupplementalInjector());
} else if (authorization.hasDefined(LDAP)) {
addLdapAuthorizationService(
context,
authorization.require(LDAP),
realmName,
serviceTarget,
newControllers,
realmBuilder,
securityRealmService.getSubjectSupplementalInjector(),
shareLdapConnections);
}
}
ModelNode ssl = null;
if (serverIdentities != null) {
if (serverIdentities.hasDefined(SSL)) {
ssl = serverIdentities.require(SSL);
}
if (serverIdentities.hasDefined(SECRET)) {
addSecretService(
context,
serverIdentities.require(SECRET),
realmName,
serviceTarget,
newControllers,
realmBuilder,
securityRealmService.getSecretCallbackFactory());
}
}
if (ssl != null || authTruststore != null) {
addSSLService(
context,
ssl,
authTruststore,
realmName,
serviceTarget,
newControllers,
realmBuilder,
securityRealmService.getSSLIdentityInjector());
}
realmBuilder.setInitialMode(Mode.ACTIVE);
ServiceController<?> sc = realmBuilder.install();
if (newControllers != null) {
newControllers.add(sc);
}
}
