[jboss-cvs] JBossAS SVN: r58442 - trunk/tomcat/src/main/org/jboss/web/tomcat/security

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Thu Nov 16 01:28:16 EST 2006


Author: anil.saldhana at jboss.com
Date: 2006-11-16 01:28:15 -0500 (Thu, 16 Nov 2006)
New Revision: 58442

Modified:
   trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
   trunk/tomcat/src/main/org/jboss/web/tomcat/security/JaccContextValve.java
Log:
merge from JEE_TCK branch -r 57088:HEAD

Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java	2006-11-16 06:27:24 UTC (rev 58441)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java	2006-11-16 06:28:15 UTC (rev 58442)
@@ -114,6 +114,11 @@
    /** Should Security Audit be done **/
    protected boolean enableAudit = true;
    
+   /** Should RealmBase Authorization decision be considered or not?
+    * false - consider, true - do not consider
+    */
+   protected boolean ignoreBaseDecision = false;
+   
    /**
     * Set the class name of the CertificatePrincipal used for mapping X509 cert
     * chains to a Princpal.
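Review bot: The Javadoc on `ignoreBaseDecision` does not say what skipping the RealmBase decision means for enforcement, even though the flag changes authorization behaviour. From the later hunks in this file, `true` forces `baseDecision` to `true` in both `hasResourcePermission` and `hasRole`, so access then depends only on the authorization framework result. I would state that directly, e.g. `/** When true, the RealmBase check is skipped in hasResourcePermission and hasRole and only the authorization framework decides. Default: false. */`.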
@@ -160,14 +165,18 @@
    {
       this.enableAudit = enableAudit;
    } 
+
+   public void setIgnoreBaseDecision(boolean ignoreBaseDecision) 
+   {
+	  this.ignoreBaseDecision = ignoreBaseDecision;
+   } 
    
-   
    //*************************************************************************
    //   Realm.Authenticate Methods
    //************************************************************************* 
 
 
-   /**
+/**
     * Return the Principal associated with the specified chain of X509 client
     * certificates.  If there is none, return <code>null</code>.
     *
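Review bot: `setIgnoreBaseDecision` has no Javadoc and leaves nothing in the log when the RealmBase check is switched off, so a deployment running with the weaker setting is hard to spot afterwards. A one-line log when the value is `true`, for example `if (ignoreBaseDecision) log.warn("RealmBase authorization decision will be ignored");`, would make it visible; this assumes the `log` used further down the file is in scope here. The same hunk also moves the opening `/**` of the next Javadoc block to column 0, which looks unintended.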
@@ -470,8 +479,9 @@
          activeRequest.set(getServletName(servlet));
       }
       
-      boolean baseDecision =  super.hasResourcePermission(request,response,
-            securityConstraints, context);  
+      boolean baseDecision =  ignoreBaseDecision ? true :
+                   super.hasResourcePermission(request,response, 
+                                      securityConstraints, context);  
       
       Subject caller = this.establishSubjectContext(request.getPrincipal());
 
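Review bot: When `ignoreBaseDecision` is set, `super.hasResourcePermission` is not called at all, so the `securityConstraints` argument is enforced only if the authorization framework consulted further down evaluates equivalent rules; nothing in this hunk shows that it does. A comment on this line should state that precondition. The expression also reads more directly as `ignoreBaseDecision || super.hasResourcePermission(request, response, securityConstraints, context)`, and the `hasRole` hunk at `@@ -534,7 +544,7 @@` uses the same `? true :` form. The enclosing method starts and ends outside this hunk.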
@@ -486,7 +496,7 @@
       boolean authzDecision = (permit == AuthorizationContext.PERMIT);
       boolean finalDecision = baseDecision && authzDecision; 
       if(trace)
-         log.trace("RealmBase says:" + baseDecision + 
+         log.trace("hasResourcePerm:RealmBase says:" + baseDecision + 
                "::Authz framework says:" + authzDecision + ":final=" + finalDecision); 
       if( finalDecision == false )
       {
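Review bot: With `ignoreBaseDecision` enabled this trace line prints `RealmBase says:true` although RealmBase was never consulted, which misleads anyone reconstructing why a request was allowed. Include the flag in the message, e.g. `"hasResourcePerm:RealmBase says:" + baseDecision + "(ignored=" + ignoreBaseDecision + ")"`. The `hasRole` trace in the last hunk of this file needs the same change. The enclosing method continues beyond this hunk.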
@@ -534,7 +544,7 @@
          }
       }  
        
-      boolean baseDecision = super.hasRole(principal, role); 
+      boolean baseDecision = ignoreBaseDecision ? true : super.hasRole(principal, role); 
       Map map =  new HashMap(); 
       map.put(ResourceKeys.ROLENAME, roleName);
       map.put(ResourceKeys.HASROLE_PRINCIPAL, principal);
@@ -545,7 +555,7 @@
       boolean authzDecision = (permit == AuthorizationContext.PERMIT);
       boolean finalDecision = baseDecision && authzDecision; 
       if(trace)
-         log.trace("RealmBase says:" + baseDecision + 
+         log.trace("hasRole:RealmBase says:" + baseDecision + 
                "::Authz framework says:" + authzDecision + ":final=" + finalDecision); 
        
       return finalDecision; 

Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/JaccContextValve.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/JaccContextValve.java	2006-11-16 06:27:24 UTC (rev 58441)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/JaccContextValve.java	2006-11-16 06:28:15 UTC (rev 58442)
@@ -23,6 +23,8 @@
 
 import java.io.IOException;
 import java.security.CodeSource;
+import java.util.Map;
+
 import javax.security.jacc.PolicyContext;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
@@ -31,6 +33,8 @@
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.valves.ValveBase;
 import org.jboss.logging.Logger;
+import org.jboss.metadata.WebMetaData;
+import org.jboss.security.SecurityRolesAssociation;
 
 /**
  * A Valve that sets the JACC context id and HttpServletRequest policy
@@ -49,14 +53,16 @@
    private String contextID;
    /** The web app deployment code source */
    private CodeSource warCS;
+   private WebMetaData metaData;
    private boolean trace;
 
-   public JaccContextValve(String contextID, CodeSource cs)
+   public JaccContextValve(WebMetaData wmd, CodeSource cs)
    {
-      this.contextID = contextID;
+      this.metaData = wmd;
+      this.contextID = metaData.getJaccContextID();
       this.warCS = cs;
       this.trace = log.isTraceEnabled();
-   }
+   } 
 
    public void invoke(Request request, Response response)
       throws IOException, ServletException
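Review bot: The constructor dereferences `wmd` immediately in `metaData.getJaccContextID()` with no null check, so a caller passing null gets a bare NullPointerException from inside the valve. A guard such as `if (wmd == null) throw new IllegalArgumentException("WebMetaData is null");` fails with a clearer message at the point of misuse. The new `metaData` field also has no doc comment, unlike `warCS` just above it; `/** The web app metadata: source of the JACC context id and the principal-to-roles map */` would match.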
@@ -64,6 +70,12 @@
       activeCS.set(warCS);
       HttpServletRequest httpRequest = (HttpServletRequest) request.getRequest();
 
+      //Set the customized rolename-principalset mapping in jboss-app.xml
+      Map principalToRoleSetMap = metaData.getPrincipalVersusRolesMap();
+      SecurityRolesAssociation.setSecurityRoles(principalToRoleSetMap);
+      if(trace)
+         log.trace("MetaData:"+metaData+":principalToRoleSetMap"+principalToRoleSetMap);
+      
       try
       {
          // Set the JACC context id
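Review bot: `SecurityRolesAssociation.setSecurityRoles(principalToRoleSetMap)` runs before the `try`, while the matching reset to null sits in the `finally` touched by the next hunk. If anything between the two throws (the trace line concatenates `metaData` and the map, which calls their `toString()`), the mapping stays set. Presumably the association is per-thread, in which case a pooled request thread could carry one application's principal-to-role mapping into a later request. Moving the call to be the first statement inside the `try` closes that gap. `invoke` starts before and ends after this hunk.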
@@ -77,7 +89,7 @@
       {
          SecurityAssociationActions.clear();
          activeCS.set(null);
+         SecurityRolesAssociation.setSecurityRoles(null);
       }
-   }
-
+   } 
 }



