[Jboss-cvs] JBossAS SVN: r56659 - in trunk/server: . src/etc/deploy src/main/org/jboss/ejb/plugins src/main/org/jboss/jmx/connector/invoker
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Fri Sep 8 15:14:44 EDT 2006
Author: anil.saldhana at jboss.com
Date: 2006-09-08 15:14:42 -0400 (Fri, 08 Sep 2006)
New Revision: 56659
Added:
trunk/server/src/etc/deploy/security-policies-service.xml
Modified:
trunk/server/build.xml
trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java
trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
trunk/server/src/main/org/jboss/jmx/connector/invoker/AuthenticationInterceptor.java
trunk/server/src/main/org/jboss/jmx/connector/invoker/SecurityActions.java
Log:
JBAS-3576: Use the SecurityContext updates
Modified: trunk/server/build.xml
===================================================================
--- trunk/server/build.xml 2006-09-08 19:14:12 UTC (rev 56658)
+++ trunk/server/build.xml 2006-09-08 19:14:42 UTC (rev 56659)
@@ -102,6 +102,7 @@
<path refid="jboss.j2se.classpath"/>
<path refid="jboss.mbeans.classpath"/>
<path refid="jboss.naming.classpath"/>
+ <path refid="jboss.security.spi.classpath"/>
<path refid="jboss.security.classpath"/>
<path refid="jboss.transaction.classpath"/>
</path>
Added: trunk/server/src/etc/deploy/security-policies-service.xml
===================================================================
--- trunk/server/src/etc/deploy/security-policies-service.xml 2006-09-08 19:14:12 UTC (rev 56658)
+++ trunk/server/src/etc/deploy/security-policies-service.xml 2006-09-08 19:14:42 UTC (rev 56659)
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<server>
+ <!-- The custom JAAS login configuration that installs
+ a Configuration capable of dynamically updating the
+ config settings
+ -->
+ <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
+ name="jboss.security:service=StandardLoginConfig">
+ <attribute name="PolicyConfig" serialDataType="jbxb">
+ <jbsx:policy
+ xsi:schemaLocation="urn:jboss:security-config:5.0 resource:security-config_5_0.xsd"
+ xmlns:jbsx="urn:jboss:security-config:5.0"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ >
+ <jbsx:application-policy name="jboss-web-policy">
+ <jbsx:authentication>
+ <jbsx:login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
+ </jbsx:authentication>
+ <jbsx:authorization>
+ <jbsx:policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
+ </jbsx:authorization>
+ </jbsx:application-policy>
+ <jbsx:application-policy name="jboss-ejb-policy">
+ <jbsx:authentication>
+ <jbsx:login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
+ </jbsx:authentication>
+ <jbsx:authorization>
+ <jbsx:policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
+ </jbsx:authorization>
+ </jbsx:application-policy>
+ </jbsx:policy>
+ </attribute>
+ <depends optional-attribute-name="LoginConfigService">
+ jboss.security:service=XMLLoginConfig
+ </depends>
+ <depends optional-attribute-name="SecurityManagerService">
+ jboss.security:service=JaasSecurityManager
+ </depends>
+ </mbean>
+</server>
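Review bot: Neither application policy documents what user store its UsersRolesLoginModule reads, and the jboss-web-policy and jboss-ejb-policy blocks at L50-L65 are identical apart from the name, so an operator cannot tell from this file why there are two. A comment above each policy such as `<!-- Default policy for EJB components when no per-application security-domain is configured; UsersRolesLoginModule with no module-options reads its built-in property-file defaults -->` would make the intent explicit. These names presumably match the fallbacks such as SecurityConstants.DEFAULT_EJB_APPLICATION_POLICY used at L220; stating that link in the comment would help whoever renames one side later.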
Modified: trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java 2006-09-08 19:14:12 UTC (rev 56658)
+++ trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java 2006-09-08 19:14:42 UTC (rev 56659)
@@ -26,6 +26,7 @@
import java.security.Principal;
import java.security.AccessController;
import java.security.PrivilegedActionException;
+import java.util.HashMap;
import java.lang.reflect.UndeclaredThrowableException;
import javax.security.auth.Subject;
@@ -34,6 +35,7 @@
import org.jboss.security.SecurityAssociation;
import org.jboss.security.RunAsIdentity;
+import org.jboss.security.SecurityConstants;
import org.jboss.security.SecurityContext;
/** A collection of privileged actions for this package
@@ -477,55 +479,90 @@
}
private static class GetSecurityContextAction implements PrivilegedAction
- {
- static PrivilegedAction ACTION = new GetSecurityContextAction();
+ {
+ private String securityDomain;
+ GetSecurityContextAction(String sd)
+ {
+ this.securityDomain = sd;
+ }
public Object run()
{
- Object sc = SecurityAssociation.getSecurityContext();
- return sc;
+ String sc = SecurityConstants.SECURITY_CONTEXT;
+ HashMap map = (HashMap)SecurityAssociation.getContextInfo(sc);
+ if(map == null)
+ {
+ map = new HashMap();
+ SecurityAssociation.setContextInfo(sc, map);
+ }
+ SecurityAssociation.setContextInfo(sc, map);
+ return map.get(this.securityDomain);
}
}
private static class SetSecurityContextAction implements PrivilegedAction
{
private SecurityContext securityContext;
- SetSecurityContextAction(SecurityContext sc)
+ private String securityDomain;
+ SetSecurityContextAction(SecurityContext sc, String sd)
{
this.securityContext = sc;
+ this.securityDomain = sd;
}
public Object run()
{
- SecurityAssociation.setSecurityContext(securityContext);
+ String sc = SecurityConstants.SECURITY_CONTEXT;
+ HashMap map = (HashMap)SecurityAssociation.getContextInfo(sc);
+ if(map == null)
+ {
+ map = new HashMap();
+ SecurityAssociation.setContextInfo(sc, map);
+ }
+ map.put(securityDomain, securityContext);
+ SecurityAssociation.setContextInfo(sc, map);
return null;
}
}
private static class ClearSecurityContextAction implements PrivilegedAction
- {
- static PrivilegedAction ACTION = new ClearSecurityContextAction();
+ {
+ private String securityDomain;
+ ClearSecurityContextAction(String sd)
+ {
+ this.securityDomain = sd;
+ }
public Object run()
{
- SecurityAssociation.setSecurityContext(null);
+ String sc = SecurityConstants.SECURITY_CONTEXT;
+ HashMap map = (HashMap)SecurityAssociation.getContextInfo(sc);
+ if(map == null)
+ {
+ map = new HashMap();
+ SecurityAssociation.setContextInfo(sc, map);
+ }
+ if(map.containsKey(securityDomain))
+ map.remove(securityDomain);
+
+ SecurityAssociation.setContextInfo(sc, map);
return null;
}
}
- static void clearSecurityContext()
+ static void clearSecurityContext(String securityDomain)
{
- ClearSecurityContextAction action = new ClearSecurityContextAction();
+ ClearSecurityContextAction action = new ClearSecurityContextAction(securityDomain);
AccessController.doPrivileged(action);
}
- static SecurityContext getSecurityContext()
+ static SecurityContext getSecurityContext(String securityDomain)
{
- GetSecurityContextAction action = new GetSecurityContextAction();
+ GetSecurityContextAction action = new GetSecurityContextAction(securityDomain);
return (SecurityContext)AccessController.doPrivileged(action);
}
- static void setSecurityContext(SecurityContext sc)
+ static void setSecurityContext(SecurityContext sc, String securityDomain)
{
- SetSecurityContextAction action = new SetSecurityContextAction(sc);
+ SetSecurityContextAction action = new SetSecurityContextAction(sc,securityDomain);
AccessController.doPrivileged(action);
}
}
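Review bot: GetSecurityContextAction.run() at L108-L116 turns a lookup into a write: when no map exists it creates and installs one, and L115 then installs the map a second time unconditionally, so a read leaves an empty map attached to the thread and the second `SecurityAssociation.setContextInfo(sc, map)` is redundant. The same redundant re-install is at L140 and L166, since `put`/`remove` mutate the already-installed map in place, unless setContextInfo copies its argument. For the getter I would keep it side-effect free: `HashMap map = (HashMap)SecurityAssociation.getContextInfo(sc); return map == null ? null : map.get(this.securityDomain);`. The raw `(HashMap)` cast at L109, L133 and L157 throws ClassCastException if anything other than a HashMap is ever stored under SecurityConstants.SECURITY_CONTEXT; typing the local as `Map` with an instanceof check fails more gracefully. The `containsKey` guard at L163 is unnecessary because `HashMap.remove` on an absent key is a no-op.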
Modified: trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2006-09-08 19:14:12 UTC (rev 56658)
+++ trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2006-09-08 19:14:42 UTC (rev 56659)
@@ -31,16 +31,18 @@
import org.jboss.security.AuthorizationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAsIdentity;
-import org.jboss.security.SecurityConstants;
+import org.jboss.security.SecurityConstants;
import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityContext.SubjectInfo;
import org.jboss.security.audit.AuditContext;
import org.jboss.security.audit.AuditEvent;
-import org.jboss.security.audit.AuditLevel;
+import org.jboss.security.audit.AuditLevel;
import org.jboss.security.audit.AuditManager;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.EJBResource;
import org.jboss.security.authorization.ResourceKeys;
-import org.jboss.system.Registry;
+import org.jboss.security.plugins.JBossSecurityContext;
+import org.jboss.system.Registry;
import java.security.CodeSource;
import java.security.Principal;
@@ -105,12 +107,7 @@
protected String appSecurityDomain = null;
//Fallback Security Domain
protected String defaultAuthorizationSecurityDomain = SecurityConstants.DEFAULT_EJB_APPLICATION_POLICY;
-
- /**
- * Flag whether this interceptor added a fresh security context
- */
- protected boolean addedSecurityContext = false;
-
+
/** Called by the super class to set the container to which this interceptor
belongs. We obtain the security manager and runAs identity to use here.
*/
@@ -163,9 +160,7 @@
}
public Object invokeHome(Invocation mi) throws Exception
- {
- this.checkSecurityContext();
-
+ {
// Authenticate the subject and apply any declarative security checks
checkSecurityAssociation(mi);
@@ -181,8 +176,7 @@
return returnValue;
}
finally
- {
- clearSecurityContext();
+ {
SecurityActions.popRunAsIdentity();
SecurityActions.popSubjectContext();
}
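Review bot: This `finally` no longer clears the security context, yet the new code installs one per authenticated call at L284 via establishSecurityContext, which stores the principal, credential and Subject in the thread's context-info map (L139); SecurityActions.popSubjectContext() at L248 does not touch that map. After the call returns the JBossSecurityContext for this domain therefore stays attached to the thread, and if invocations run on pooled threads the next caller on that thread starts with the previous caller's authenticated context (visible to the audit lookup at L295 and to anything else reading it) until something overwrites it. The same omission is at L263-L266 and, in AuthenticationInterceptor, at L360-L363 where the pop also leaves the context behind. I would restore the symmetry the removed code had: `SecurityActions.clearSecurityContext(securityManager.getSecurityDomain());` next to the two pops, guarded against a null securityManager if the early-return path at L270 can reach here — clearSecurityContext(String) at L171 is updated by this commit but nothing in these hunks calls it anymore.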
@@ -190,8 +184,7 @@
public Object invoke(Invocation mi) throws Exception
- {
- this.checkSecurityContext();
+ {
// Authenticate the subject and apply any declarative security checks
checkSecurityAssociation(mi);
@@ -207,8 +200,7 @@
return returnValue;
}
finally
- {
- clearSecurityContext();
+ {
SecurityActions.popRunAsIdentity();
SecurityActions.popSubjectContext();
}
@@ -234,8 +226,8 @@
// Allow for the progatation of caller info to other beans
SecurityActions.pushSubjectContext(principal, credential, null);
return;
- }
-
+ }
+
if (realmMapping == null)
{
throw new SecurityException("Role mapping manager has not been set");
@@ -265,8 +257,9 @@
}
else
{
- successAudit(principal,m.getName());
SecurityActions.pushSubjectContext(principal, credential, subject);
+ establishSecurityContext(securityManager.getSecurityDomain(),principal, credential, subject);
+ successAudit(principal,m.getName());
if (trace)
{
log.trace("Authenticated principal=" + principal);
@@ -348,7 +341,10 @@
Map contextMap, Exception e)
{
contextMap.put("Source", getClass().getName());
- AuditContext ac = AuditManager.getAuditContext(securityManager.getSecurityDomain());
+ String secDomain = securityManager.getSecurityDomain();
+ SecurityContext sc = SecurityActions.getSecurityContext(secDomain);
+ AuditContext ac = sc != null ? sc.getAuditContext() :
+ AuditManager.getAuditContext(secDomain);
AuditEvent ae = new AuditEvent(level);
ae.setContextMap(contextMap);
ae.setUnderlyingException(e);
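Review bot: `ac` is null when a context was found but `sc.getAuditContext()` returns null, and the code below this hunk presumably dereferences it, whereas the replaced line always consulted AuditManager. establishSecurityContext at L324-L330 never sets an audit context on the JBossSecurityContext it builds, so unless the constructor supplies one this path is reachable for every freshly authenticated call. A fallback keeps the old behaviour: `AuditContext ac = sc != null ? sc.getAuditContext() : null; if (ac == null) ac = AuditManager.getAuditContext(secDomain);`. The enclosing method's signature starts before this hunk.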
@@ -388,22 +384,18 @@
cmap.put("principal", principal);
cmap.put("method", methodName);
return cmap;
- }
+ }
- private void checkSecurityContext()
- {
- SecurityContext sc = SecurityActions.getSecurityContext();
- if(sc == null)
- {
- SecurityActions.setSecurityContext(new SecurityContext());
- this.addedSecurityContext = true;
- }
- }
-
- private void clearSecurityContext()
+ //Security Context
+ private void establishSecurityContext(String domain, Principal p, Object cred,
+ Subject subject)
{
- if(addedSecurityContext)
- SecurityActions.clearSecurityContext();
+ JBossSecurityContext jsc = new JBossSecurityContext(domain);
+ SubjectInfo si = jsc.new SubjectInfo();
+ si.setAuthenticatedSubject(subject);
+ si.setAuthenticationCredential(cred);
+ si.setAuthenticationPrincipal(p);
+ jsc.setSubjectInfo(si);
+ SecurityActions.setSecurityContext(jsc, domain);
}
-
}
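Review bot: establishSecurityContext is a verbatim copy of the method added to AuthenticationInterceptor at L365-L375, and neither carries Javadoc; building a JBossSecurityContext, filling its SubjectInfo and registering it under the domain belongs in one place so that a later change to what SubjectInfo carries happens once. At minimum document the method with a summary stating that it replaces any context already registered for `domain` on the current thread (SetSecurityContextAction at L139 does an unconditional `map.put`), that `cred` is stored as the raw credential object, and which caller is responsible for clearing the context when the invocation ends. The `//Security Context` marker at L318 says nothing the method name does not already say.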
Modified: trunk/server/src/main/org/jboss/jmx/connector/invoker/AuthenticationInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/jmx/connector/invoker/AuthenticationInterceptor.java 2006-09-08 19:14:12 UTC (rev 56658)
+++ trunk/server/src/main/org/jboss/jmx/connector/invoker/AuthenticationInterceptor.java 2006-09-08 19:14:42 UTC (rev 56659)
@@ -24,11 +24,13 @@
import java.security.Principal;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
-
+
import org.jboss.mx.server.Invocation;
import org.jboss.mx.interceptor.AbstractInterceptor;
import org.jboss.mx.interceptor.Interceptor;
import org.jboss.security.SubjectSecurityManager;
+import org.jboss.security.SecurityContext.SubjectInfo;
+import org.jboss.security.plugins.JBossSecurityContext;
/** A security interceptor that requires an authorized user for invoke(Invocation)
@@ -93,6 +95,9 @@
}
// Push the caller security context
SecurityActions.pushSubjectContext(caller, credential, subject);
+ //Establish the Security Context
+ establishSecurityContext(securityMgr.getSecurityDomain(), caller,
+ credential, subject);
}
}
@@ -108,4 +113,16 @@
SecurityActions.popSubjectContext();
}
}
+ // Security Context
+ private void establishSecurityContext(String domain, Principal p, Object cred,
+ Subject subject)
+ {
+ JBossSecurityContext jsc = new JBossSecurityContext(domain);
+ SubjectInfo si = jsc.new SubjectInfo();
+ si.setAuthenticatedSubject(subject);
+ si.setAuthenticationCredential(cred);
+ si.setAuthenticationPrincipal(p);
+ jsc.setSubjectInfo(si);
+ SecurityActions.setSecurityContext(jsc, domain);
+ }
}
Modified: trunk/server/src/main/org/jboss/jmx/connector/invoker/SecurityActions.java
===================================================================
--- trunk/server/src/main/org/jboss/jmx/connector/invoker/SecurityActions.java 2006-09-08 19:14:12 UTC (rev 56658)
+++ trunk/server/src/main/org/jboss/jmx/connector/invoker/SecurityActions.java 2006-09-08 19:14:42 UTC (rev 56659)
@@ -24,9 +24,13 @@
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
+import java.util.HashMap;
+
import javax.security.auth.Subject;
-
+
import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityConstants;
+import org.jboss.security.SecurityContext;
/** Common PrivilegedAction used by classes in this package.
*
@@ -115,6 +119,31 @@
void push(Principal principal, Object credential, Subject subject);
void pop();
}
+
+ static class SetSecurityContextAction implements PrivilegedAction
+ {
+ private SecurityContext securityContext;
+ private String securityDomain;
+ SetSecurityContextAction(SecurityContext sc, String sd)
+ {
+ this.securityContext = sc;
+ this.securityDomain = sd;
+ }
+
+ public Object run()
+ {
+ String sc = SecurityConstants.SECURITY_CONTEXT;
+ HashMap map = (HashMap)SecurityAssociation.getContextInfo(sc);
+ if(map == null)
+ {
+ map = new HashMap();
+ SecurityAssociation.setContextInfo(sc, map);
+ }
+ map.put(securityDomain, securityContext);
+ SecurityAssociation.setContextInfo(sc, map);
+ return null;
+ }
+ }
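Review bot: SetSecurityContextAction.run() re-installs the map at L420 after `put`, which is redundant both when the map came from getContextInfo (it is already installed and `put` mutates it in place) and when it was just created at L416-L417, unless setContextInfo copies its argument. More significant is what this package does not add: there is a set action but no get or clear counterpart, so AuthenticationInterceptor (L355-L357) can attach a JBossSecurityContext holding the caller's credential to the thread but has no privileged way to remove it after L361 pops the subject context. The raw `(HashMap)` cast at L413 throws ClassCastException if a different type is ever stored under SecurityConstants.SECURITY_CONTEXT; prefer `Map` with an instanceof check. This action also duplicates the ejb-plugins SecurityActions version at L119-L143 line for line.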
static Subject getActiveSubject()
{
@@ -155,4 +184,9 @@
PrincipalInfoAction.PRIVILEGED.pop();
}
}
+ static void setSecurityContext(SecurityContext sc, String securityDomain)
+ {
+ SetSecurityContextAction action = new SetSecurityContextAction(sc,securityDomain);
+ AccessController.doPrivileged(action);
+ }
}