/**
 * MODEL-stage handler for adding a security realm.
 * <p>
 * Stores the {@code map-groups-to-roles} attribute into the new resource, queues two MODEL-stage
 * validation steps for the authentication and authorization children, and then queues a RUNTIME
 * step whose only job is to queue the real service-installing step behind the RUNTIME steps of the
 * child resources.
 *
 * @param context the operation context; steps are added to and completed on it
 * @param operation the add operation, also used as the template for the validation operations
 * @throws OperationFailedException if the attribute fails validation
 */
@Override
public void execute(OperationContext context, ModelNode operation) throws OperationFailedException {
    final ModelNode model = context.createResource(PathAddress.EMPTY_ADDRESS).getModel();
    SecurityRealmResourceDefinition.MAP_GROUPS_TO_ROLES.validateAndSet(operation, model);

    // MODEL-stage checks that the authentication and authorization child resources are well formed.
    final ModelNode authnCheck = AuthenticationValidatingHandler.createOperation(operation);
    context.addStep(authnCheck, AuthenticationValidatingHandler.INSTANCE, OperationContext.Stage.MODEL);
    final ModelNode authzCheck = AuthorizationValidatingHandler.createOperation(operation);
    context.addStep(authzCheck, AuthorizationValidatingHandler.INSTANCE, OperationContext.Stage.MODEL);

    context.addStep(new OperationStepHandler() {
        @Override
        public void execute(OperationContext ctx, ModelNode op) throws OperationFailedException {
            // A RUNTIME step added from inside a RUNTIME step is queued after the RUNTIME steps of
            // the child resources. The children therefore never see the realm's services and can
            // skip RUNTIME work entirely; the services are installed once, here, at the end.
            ctx.addStep(ServiceInstallStepHandler.INSTANCE, OperationContext.Stage.RUNTIME);
            ctx.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
        }
    }, OperationContext.Stage.RUNTIME);

    context.completeStep(OperationContext.RollbackHandler.NOOP_ROLLBACK_HANDLER);
}
/**
 * Installs the MSC services that back the security realm described by {@code model}.
 * <p>
 * Services are added in this order: the plug-in loader (when {@code PLUG_IN} is defined), the
 * authentication services, the authorization services, the server-identity secret service, the
 * SSL service, and finally the realm service itself, which is installed in {@link Mode#ACTIVE}.
 * Every helper is handed {@code realmBuilder} and one of the realm service's injectors, so the
 * realm's dependencies are wired before {@code install()} is called at the end.
 *
 * @param context the operation context; used to resolve attributes and to obtain the service target
 * @param realmName the realm name; used to derive the realm service name and passed to every helper
 * @param model the realm's model; read for its {@code PLUG_IN}, {@code AUTHENTICATION},
 *     {@code AUTHORIZATION} and {@code SERVER_IDENTITY} children
 * @param verificationHandler not referenced in this body and not passed to any helper; presumably
 *     retained for API compatibility — TODO confirm
 * @param newControllers receives the realm's service controller when non-null; it is also passed to
 *     every helper (whether the helpers null-check it is not visible here)
 * @throws OperationFailedException if resolving {@code MAP_GROUPS_TO_ROLES} or any helper fails
 */
protected void installServices(
        final OperationContext context,
        final String realmName,
        final ModelNode model,
        final ServiceVerificationHandler verificationHandler,
        final List<ServiceController<?>> newControllers)
        throws OperationFailedException {
    // Each child is null when absent so the sections below can be skipped wholesale.
    final ModelNode plugIns = model.hasDefined(PLUG_IN) ? model.get(PLUG_IN) : null;
    final ModelNode authentication = model.hasDefined(AUTHENTICATION) ? model.get(AUTHENTICATION) : null;
    final ModelNode authorization = model.hasDefined(AUTHORIZATION) ? model.get(AUTHORIZATION) : null;
    final ModelNode serverIdentities = model.hasDefined(SERVER_IDENTITY) ? model.get(SERVER_IDENTITY) : null;

    final ServiceTarget serviceTarget = context.getServiceTarget();

    final boolean mapGroupsToRoles = SecurityRealmResourceDefinition.MAP_GROUPS_TO_ROLES
            .resolveModelAttribute(context, model)
            .asBoolean();
    final SecurityRealmService securityRealmService = new SecurityRealmService(realmName, mapGroupsToRoles);
    final ServiceName realmServiceName = SecurityRealm.ServiceUtil.createServiceName(realmName);
    ServiceBuilder<?> realmBuilder = serviceTarget.addService(realmServiceName, securityRealmService);

    // Presumably decides whether the authentication and authorization LDAP lookups reuse one
    // connection; the decision is made by shareLdapConnection(), which is not shown here.
    final boolean shareLdapConnections = shareLdapConnection(context, authentication, authorization);

    ModelNode authTruststore = null;

    if (plugIns != null) {
        addPlugInLoaderService(realmName, plugIns, serviceTarget, newControllers);
    }

    InjectedSetValue<CallbackHandlerService> injectorSet = securityRealmService.getCallbackHandlerService();
    if (authentication != null) {
        // A truststore (client-certificate authentication) may be configured alongside one
        // username/password based mechanism. Certificate based authentication is then expected to
        // be attempted first, falling back to the username/password mechanism.
        if (authentication.hasDefined(TRUSTSTORE)) {
            // Remembered so the SSL service below is installed even without a server-identity SSL.
            authTruststore = authentication.require(TRUSTSTORE);
            addClientCertService(
                    realmName, serviceTarget, newControllers, realmBuilder, injectorSet.injector());
        }

        if (authentication.hasDefined(LOCAL)) {
            addLocalService(
                    context,
                    authentication.require(LOCAL),
                    realmName,
                    serviceTarget,
                    newControllers,
                    realmBuilder,
                    injectorSet.injector());
        }

        // The else-if chain installs only the first mechanism defined, in the order JAAS, LDAP,
        // PLUG_IN, PROPERTIES, USERS; any others present in the model are ignored here.
        if (authentication.hasDefined(JAAS)) {
            addJaasService(
                    context,
                    authentication.require(JAAS),
                    realmName,
                    serviceTarget,
                    newControllers,
                    context.isNormalServer(),
                    realmBuilder,
                    injectorSet.injector());
        } else if (authentication.hasDefined(LDAP)) {
            addLdapService(
                    context,
                    authentication.require(LDAP),
                    realmName,
                    serviceTarget,
                    newControllers,
                    realmBuilder,
                    injectorSet.injector(),
                    shareLdapConnections);
        } else if (authentication.hasDefined(PLUG_IN)) {
            addPlugInAuthenticationService(
                    context,
                    authentication.require(PLUG_IN),
                    realmName,
                    securityRealmService,
                    serviceTarget,
                    newControllers,
                    realmBuilder,
                    injectorSet.injector());
        } else if (authentication.hasDefined(PROPERTIES)) {
            addPropertiesAuthenticationService(
                    context,
                    authentication.require(PROPERTIES),
                    realmName,
                    serviceTarget,
                    newControllers,
                    realmBuilder,
                    injectorSet.injector());
        } else if (authentication.hasDefined(USERS)) {
            addUsersService(
                    context,
                    authentication.require(USERS),
                    realmName,
                    serviceTarget,
                    newControllers,
                    realmBuilder,
                    injectorSet.injector());
        }
    }

    if (authorization != null) {
        // As for authentication: only the first defined source (PROPERTIES, PLUG_IN, LDAP) is used.
        if (authorization.hasDefined(PROPERTIES)) {
            addPropertiesAuthorizationService(
                    context,
                    authorization.require(PROPERTIES),
                    realmName,
                    serviceTarget,
                    newControllers,
                    realmBuilder,
                    securityRealmService.getSubjectSupplementalInjector());
        } else if (authorization.hasDefined(PLUG_IN)) {
            addPlugInAuthorizationService(
                    context,
                    authorization.require(PLUG_IN),
                    realmName,
                    serviceTarget,
                    newControllers,
                    realmBuilder,
                    securityRealmService.getSubjectSupplementalInjector());
        } else if (authorization.hasDefined(LDAP)) {
            addLdapAuthorizationService(
                    context,
                    authorization.require(LDAP),
                    realmName,
                    serviceTarget,
                    newControllers,
                    realmBuilder,
                    securityRealmService.getSubjectSupplementalInjector(),
                    shareLdapConnections);
        }
    }

    ModelNode ssl = null;
    if (serverIdentities != null) {
        if (serverIdentities.hasDefined(SSL)) {
            ssl = serverIdentities.require(SSL);
        }
        if (serverIdentities.hasDefined(SECRET)) {
            addSecretService(
                    context,
                    serverIdentities.require(SECRET),
                    realmName,
                    serviceTarget,
                    newControllers,
                    realmBuilder,
                    securityRealmService.getSecretCallbackFactory());
        }
    }

    // The SSL service is needed for either a server-side identity or client-cert authentication;
    // when only the truststore is defined, ssl is passed as null.
    if (ssl != null || authTruststore != null) {
        addSSLService(
                context,
                ssl,
                authTruststore,
                realmName,
                serviceTarget,
                newControllers,
                realmBuilder,
                securityRealmService.getSSLIdentityInjector());
    }

    // Installed last, after every helper has added its dependencies to realmBuilder.
    realmBuilder.setInitialMode(Mode.ACTIVE);
    ServiceController<?> sc = realmBuilder.install();
    if (newControllers != null) {
        newControllers.add(sc);
    }
}