[hornetq-commits] JBoss hornetq SVN: r9225 - in trunk: src/config/jboss-as-5/clustered and 4 other directories.

do-not-reply at jboss.org do-not-reply at jboss.org
Tue May 11 07:08:06 EDT 2010


Author: ataylor
Date: 2010-05-11 07:08:05 -0400 (Tue, 11 May 2010)
New Revision: 9225

Modified:
   trunk/docs/user-manual/en/security.xml
   trunk/src/config/jboss-as-5/clustered/hornetq-jboss-beans.xml
   trunk/src/config/jboss-as-5/non-clustered/hornetq-jboss-beans.xml
   trunk/src/config/jboss-as-6/clustered/hornetq-jboss-beans.xml
   trunk/src/config/jboss-as-6/non-clustered/hornetq-jboss-beans.xml
   trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java
Log:
https://jira.jboss.org/jira/browse/HORNETQ-340 - fixed jboss security manager to allow client login propagation

Modified: trunk/docs/user-manual/en/security.xml
===================================================================
--- trunk/docs/user-manual/en/security.xml	2010-05-11 00:51:32 UTC (rev 9224)
+++ trunk/docs/user-manual/en/security.xml	2010-05-11 11:08:05 UTC (rev 9225)
@@ -261,6 +261,20 @@
         <para>Take a look at one of the default <literal>hornetq-jboss-beans.xml</literal> files for
             JBoss Application Server that are bundled in the distribution for an example of how this
             is configured.</para>
+       <section>
+          <title>Configuring Client Login</title>
+          <para>JBoss can be configured to allow client login, basically this is when a JEE component such as a Servlet
+             or EJB sets security credentials on the current security context  and these are used throughout the call.
+             If you would like these credentials to be used by HornetQ when sending or consuming messages then
+          set <literal>allowClientLogin</literal> to true. This will bypass HornetQ authentication and propgate the
+          provided Security Context. If you woul like HornetQ to authenticate using the propogated security then set the
+          <literal>authoriseOnClientLogin</literal> to true also.</para>
+          <para>There is more info on using the JBoss client login module <ulink
+                url="http://community.jboss.org/wiki/ClientLoginModule">here</ulink> </para>
+          <note><para>If messages are sent non blocking then there is a chance that these could arrive on the server after
+          the calling thread has completed meaning that the security context has been cleared. If this is the case then messages
+          will need to be sent blocking</para></note>
+       </section>
     </section>
     <section>
         <title>Changing the username/password for clustering</title>

Modified: trunk/src/config/jboss-as-5/clustered/hornetq-jboss-beans.xml
===================================================================
--- trunk/src/config/jboss-as-5/clustered/hornetq-jboss-beans.xml	2010-05-11 00:51:32 UTC (rev 9224)
+++ trunk/src/config/jboss-as-5/clustered/hornetq-jboss-beans.xml	2010-05-11 11:08:05 UTC (rev 9225)
@@ -16,6 +16,8 @@
       <depends>JBossSecurityJNDIContextEstablishment</depends>
       <start ignored="true"/>
       <stop ignored="true"/>
+      <property name="allowClientLogin">false</property>
+      <property name="authoriseOnClientLogin">false</property>
    </bean>
 
 	<!-- The core server -->
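Review bot: The two new bean properties are security-sensitive toggles but carry no explanation in the configuration file, so an operator editing this file has no hint that flipping `allowClientLogin` to true makes the server trust the caller's JBoss security context instead of the connection credentials. Add a short XML comment above the `allowClientLogin` property, e.g. `<!-- allowClientLogin: trust a propagated JBoss client-login security context instead of the connection's user/password; authoriseOnClientLogin: still run the role check against that context. See user manual, "Configuring Client Login". -->`. The same applies to the identical hunks in the jboss-as-5 non-clustered and both jboss-as-6 files.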

Modified: trunk/src/config/jboss-as-5/non-clustered/hornetq-jboss-beans.xml
===================================================================
--- trunk/src/config/jboss-as-5/non-clustered/hornetq-jboss-beans.xml	2010-05-11 00:51:32 UTC (rev 9224)
+++ trunk/src/config/jboss-as-5/non-clustered/hornetq-jboss-beans.xml	2010-05-11 11:08:05 UTC (rev 9225)
@@ -16,6 +16,8 @@
       <depends>JBossSecurityJNDIContextEstablishment</depends>
       <start ignored="true"/>
       <stop ignored="true"/>
+      <property name="allowClientLogin">false</property>
+      <property name="authoriseOnClientLogin">false</property>
    </bean>
 
 	<!-- The core server -->

Modified: trunk/src/config/jboss-as-6/clustered/hornetq-jboss-beans.xml
===================================================================
--- trunk/src/config/jboss-as-6/clustered/hornetq-jboss-beans.xml	2010-05-11 00:51:32 UTC (rev 9224)
+++ trunk/src/config/jboss-as-6/clustered/hornetq-jboss-beans.xml	2010-05-11 11:08:05 UTC (rev 9225)
@@ -18,6 +18,8 @@
       <start ignored="true"/>
       <stop ignored="true"/>
       <depends>JBossSecurityJNDIContextEstablishment</depends>
+      <property name="allowClientLogin">false</property>
+      <property name="authoriseOnClientLogin">false</property>
    </bean>
 
 	<!-- The core server -->

Modified: trunk/src/config/jboss-as-6/non-clustered/hornetq-jboss-beans.xml
===================================================================
--- trunk/src/config/jboss-as-6/non-clustered/hornetq-jboss-beans.xml	2010-05-11 00:51:32 UTC (rev 9224)
+++ trunk/src/config/jboss-as-6/non-clustered/hornetq-jboss-beans.xml	2010-05-11 11:08:05 UTC (rev 9225)
@@ -18,6 +18,8 @@
       <start ignored="true"/>
       <stop ignored="true"/>
       <depends>JBossSecurityJNDIContextEstablishment</depends>
+      <property name="allowClientLogin">false</property>
+      <property name="authoriseOnClientLogin">false</property>
    </bean>
 
 	<!-- The core server -->

Modified: trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java
===================================================================
--- trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java	2010-05-11 00:51:32 UTC (rev 9224)
+++ trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java	2010-05-11 11:08:05 UTC (rev 9225)
@@ -25,9 +25,7 @@
 import org.hornetq.core.security.Role;
 import org.hornetq.core.server.HornetQComponent;
 import org.hornetq.spi.core.security.HornetQSecurityManager;
-import org.jboss.security.AuthenticationManager;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.SimplePrincipal;
+import org.jboss.security.*;
 
 /**
  * This implementation delegates to the JBoss AS security interfaces (which in turn use JAAS)
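Review bot: Replacing three explicit imports with `import org.jboss.security.*;` on the added import line is a style regression; the class appears to need only `AuthenticationManager`, `RealmMapping`, `SimplePrincipal`, `SecurityContext` and `SecurityContextAssociation` from that package, so list those five explicitly. The new `useClientAuthentication` method further down also references `Principal` and `Subject`; whether `java.security.Principal` and `javax.security.auth.Subject` are already imported above line 25 is outside this hunk, so confirm those imports exist.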
@@ -65,6 +63,10 @@
 
    private boolean isAs5 = true;
 
+   private boolean allowClientLogin = false;
+
+   private boolean authoriseOnClientLogin = false;
+
    public boolean validateUser(final String user, final String password)
    {
       SimplePrincipal principal = new SimplePrincipal(user);
@@ -86,6 +88,18 @@
                                       final Set<Role> roles,
                                       final CheckType checkType)
    {
+      if(allowClientLogin && SecurityContextAssociation.isClient())
+      {
+         return authoriseOnClientLogin? useClientAuthentication(roles, checkType):true;
+      }
+      else
+      {
+         return useConnectionAuthentication(user, password, roles, checkType);
+      }
+   }
+
+   private boolean useConnectionAuthentication(final String user, final String password, final Set<Role> roles, final CheckType checkType)
+   {
       SimplePrincipal principal = user == null ? null : new SimplePrincipal(user);
 
       char[] passwordChars = null;
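Review bot: When `allowClientLogin` is set and `authoriseOnClientLogin` is not, the new branch returns `true` unconditionally, so every `CheckType` passed to this method is granted without consulting `roles` at all; the decision rests solely on the thread-local state reported by `SecurityContextAssociation.isClient()`. The user-manual text in this commit calls this "bypass HornetQ authentication", but it also bypasses authorization, which deserves an explicit comment on the branch and a trace line so the bypass is observable, e.g. `// client login in effect: trust the propagated context, no role check` followed by `if (trace) { JBossASSecurityManager.log.trace("client login: skipping role check for " + checkType); }`. The enclosing `validateUserAndRole` signature starts above this hunk, and `validateUser` (visible just before it) keeps using connection credentials, which is presumably intended but worth stating in the method's Javadoc.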
@@ -118,6 +132,31 @@
       return authenticated;
    }
 
+   private boolean useClientAuthentication(final Set<Role> roles, final CheckType checkType)
+   {
+      SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+      Principal principal = sc.getUtil().getUserPrincipal();
+
+      char[] passwordChars = (char[]) sc.getUtil().getCredential();
+
+      Subject subject = sc.getSubjectInfo().getAuthenticatedSubject();
+
+      boolean authenticated = authenticationManager.isValid(principal, passwordChars, subject);
+
+      if (authenticated)
+      {
+         Set<Principal> rolePrincipals = getRolePrincipals(checkType, roles);
+
+         authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);
+
+         if (trace)
+         {
+            JBossASSecurityManager.log.trace("user " + principal.getName() + (authenticated ? " is " : " is NOT ") + "authorized");
+         }
+      }
+      return authenticated;
+   }
+
    private void popSecurityContext()
    {
       if (isAs5)
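Review bot: `useClientAuthentication` dereferences `sc`, `sc.getUtil()` and `sc.getSubjectInfo()` without null checks and casts the credential with `(char[])`, so a missing or partially populated security context, or a credential stored as a `String` rather than a `char[]`, turns into a `NullPointerException` or `ClassCastException` inside an authorization check instead of a clean denial; `principal.getName()` in the trace line has the same problem if no user principal is set. Since this path is reached only when the caller's context is being trusted, it should fail closed (return false) on any of these conditions rather than throw. Whether a `String` credential should be accepted and converted mirrors what the connection path does with `password` further up, which is outside this hunk, so confirm that before keeping that branch.
```java
   private boolean useClientAuthentication(final Set<Role> roles, final CheckType checkType)
   {
      SecurityContext sc = SecurityContextAssociation.getSecurityContext();
      // fail closed: no usable propagated context means no authorization
      if (sc == null || sc.getUtil() == null || sc.getSubjectInfo() == null)
      {
         return false;
      }
      Principal principal = sc.getUtil().getUserPrincipal();
      if (principal == null)
      {
         return false;
      }
      Object credential = sc.getUtil().getCredential();
      char[] passwordChars = null;
      if (credential instanceof char[])
      {
         passwordChars = (char[]) credential;
      }
      else if (credential instanceof String)
      {
         passwordChars = ((String) credential).toCharArray();
      }
      else if (credential != null)
      {
         // unknown credential type: refuse rather than guess
         return false;
      }
      Subject subject = sc.getSubjectInfo().getAuthenticatedSubject();
      // … unchanged: isValid, getRolePrincipals, doesUserHaveRole, trace logging …
```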
@@ -232,4 +271,14 @@
    {
       isAs5 = as5;
    }
+
+   public void setAllowClientLogin(final boolean allowClientLogin)
+   {
+      this.allowClientLogin = allowClientLogin;
+   }
+
+   public void setAuthoriseOnClientLogin(final boolean authoriseOnClientLogin)
+   {
+      this.authoriseOnClientLogin = authoriseOnClientLogin;
+   }
 }
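Review bot: The two new public setters are bean properties wired from `hornetq-jboss-beans.xml` but have no Javadoc, so the security consequence of each flag is only discoverable by reading `validateUserAndRole`. Give `setAllowClientLogin` a Javadoc such as "When true and the calling thread carries a JBoss client-login security context, that context is trusted instead of the connection's user and password; with `authoriseOnClientLogin` false no role check is performed at all. Defaults to false." and `setAuthoriseOnClientLogin` one stating that it only has effect when `allowClientLogin` is true and causes the propagated principal to be checked against the configured roles.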


