[jboss-cvs] JBossAS SVN: r65384 - in trunk/tomcat/src: main/org/jboss/web/tomcat/service/deployers and 1 other directories.
Thu Sep 13 18:06:43 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-09-13 18:06:43 -0400 (Thu, 13 Sep 2007)
New Revision: 65384
Modified:
trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossExtendedSecurityMgrRealm.java
trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
trunk/tomcat/src/main/org/jboss/web/tomcat/security/JaccContextValve.java
trunk/tomcat/src/main/org/jboss/web/tomcat/security/RunAsListener.java
trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java
trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/DeployerConfig.java
trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/TomcatDeployer.java
trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/TomcatDeployment.java
trunk/tomcat/src/resources/war-deployers-all-beans.xml
trunk/tomcat/src/resources/war-deployers-beans.xml
Log:
JBAS-4721: Usage of SecurityContextFactory and SecurityContext plus injection of SecurityManagement into ejb/web deployers
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossExtendedSecurityMgrRealm.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossExtendedSecurityMgrRealm.java 2007-09-13 22:03:02 UTC (rev 65383)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossExtendedSecurityMgrRealm.java 2007-09-13 22:06:43 UTC (rev 65384)
@@ -137,11 +137,11 @@
Subject clientSubject = new Subject();
Subject serviceSubject = new Subject();
Map sharedState = getSharedState(request,config);
- AuthStatus status = AuthStatus.FAIL;
- while(!status.equals(AuthStatus.PROCEED))
+ AuthStatus status = AuthStatus.FAILURE;
+ while(!status.equals(AuthStatus.SEND_CONTINUE))
{
status = gam.validateRequest(authParam, clientSubject, serviceSubject);
- if(status.equals(AuthStatus.FAIL))
+ if(status.equals(AuthStatus.FAILURE))
throw new SecurityException("Authentication failed");
}
Principal authenticatedPrincipal = this.getAuthenticatedPrincipal(clientSubject);
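Review bot: The loop exit on the new line `while(!status.equals(AuthStatus.SEND_CONTINUE))` looks inverted for the JSR-196 AuthStatus contract, where SEND_CONTINUE means the message exchange must continue and SUCCESS is the terminal "request validated" state; as written, a module that answers SUCCESS (or SEND_SUCCESS / SEND_FAILURE) is simply re-invoked and the loop only ends on SEND_CONTINUE or by throwing, so a module that always returns SUCCESS spins the request thread forever. I would exit on SUCCESS and treat both failure values as terminal: `while(!AuthStatus.SUCCESS.equals(status))` and `if(AuthStatus.FAILURE.equals(status) || AuthStatus.SEND_FAILURE.equals(status))`. Worth confirming against the semantics `gam.validateRequest` is expected to follow here; the enclosing method starts and ends outside the hunk.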
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java 2007-09-13 22:03:02 UTC (rev 65383)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java 2007-09-13 22:06:43 UTC (rev 65384)
@@ -62,6 +62,7 @@
import org.jboss.security.SubjectSecurityManager;
import org.jboss.security.audit.AuditEvent;
import org.jboss.security.audit.AuditLevel;
+import org.jboss.security.audit.AuditManager;
import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.security.auth.certs.SubjectDNMapping;
import org.jboss.security.authorization.AuthorizationContext;
@@ -892,7 +893,11 @@
SecurityContext sc = SecurityAssociationActions.getSecurityContext();
if(sc != null)
{
- sc.getAuditManager().audit(ae);
+ AuditManager auditManager = sc.getAuditManager();
+ if(auditManager != null)
+ auditManager.audit(ae);
+ else
+ log.trace("Audit Manager obtained from Security Context is null");
}
}
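Review bot: A missing AuditManager now drops the audit event silently, because the new else branch logs only at trace and that is invisible at production log levels. An absent audit sink is a configuration defect rather than per-request noise, so I would raise it to warn and say what was lost without echoing the event contents: `log.warn("Audit Manager obtained from Security Context is null; audit event dropped");`. The enclosing method ends outside the hunk.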
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/JaccContextValve.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/JaccContextValve.java 2007-09-13 22:03:02 UTC (rev 65383)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/JaccContextValve.java 2007-09-13 22:06:43 UTC (rev 65384)
@@ -33,11 +33,8 @@
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.jboss.logging.Logger;
-import org.jboss.metadata.WebMetaData;
-import org.jboss.security.SecurityConstants;
-import org.jboss.security.SecurityContext;
-import org.jboss.security.SecurityRolesAssociation;
-import org.jboss.security.SecurityUtil;
+import org.jboss.metadata.WebMetaData;
+import org.jboss.security.SecurityRolesAssociation;
/**
* A Valve that sets the JACC context id and HttpServletRequest policy
@@ -45,6 +42,7 @@
* any authorization valves.
*
* @author Scott.Stark at jboss.org
+ * @author Anil.Saldhana at redhat.com
* @version $Revision$
*/
public class JaccContextValve extends ValveBase
@@ -79,22 +77,8 @@
Map principalToRoleSetMap = metaData.getPrincipalVersusRolesMap();
SecurityRolesAssociation.setSecurityRoles(principalToRoleSetMap);
if(trace)
- log.trace("MetaData:"+metaData+":principalToRoleSetMap"+principalToRoleSetMap);
+ log.trace("MetaData:"+metaData+":principalToRoleSetMap"+principalToRoleSetMap);
- //Set the security context if one is unavailable
- SecurityContext sc = SecurityAssociationActions.getSecurityContext();
- if(sc == null)
- {
- String securityDomain = metaData.getSecurityDomain();
- if(securityDomain == null)
- securityDomain = SecurityConstants.DEFAULT_APPLICATION_POLICY;
- else
- securityDomain = SecurityUtil.unprefixSecurityDomain(securityDomain);
- sc = SecurityAssociationActions.createSecurityContext(securityDomain);
- SecurityAssociationActions.setSecurityContext(sc);
- createdSecurityContext = true;
- }
-
try
{
// Set the JACC context id
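Review bot: With the context-creation block removed here, JaccContextValve now depends on a SecurityContext having been established by an earlier valve, and nothing in this file states that ordering; a context deployed through an older or customised deployer configuration that does not install SecurityContextEstablishmentValve will leave `SecurityAssociationActions.getSecurityContext()` callers downstream with null where this valve used to create one. I would add a class Javadoc sentence such as `Requires a SecurityContext to be associated with the thread before this valve runs (see SecurityContextEstablishmentValve).` If the `createdSecurityContext` field is still declared outside this hunk it should go too, since its assignment here and its only use in the finally block of the next hunk are both removed. The enclosing invoke method starts and ends outside the hunk.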
@@ -109,11 +93,7 @@
SecurityAssociationActions.clear();
activeCS.set(null);
SecurityRolesAssociation.setSecurityRoles(null);
- HttpServletRequestPolicyContextHandler.setRequest(null);
- if(createdSecurityContext)
- {
- SecurityAssociationActions.clearSecurityContext();
- }
+ HttpServletRequestPolicyContextHandler.setRequest(null);
}
}
}
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/RunAsListener.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/RunAsListener.java 2007-09-13 22:03:02 UTC (rev 65383)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/RunAsListener.java 2007-09-13 22:06:43 UTC (rev 65384)
@@ -21,6 +21,8 @@
*/
package org.jboss.web.tomcat.security;
+import java.security.PrivilegedActionException;
+
import org.apache.catalina.InstanceEvent;
import org.apache.catalina.InstanceListener;
import org.apache.catalina.Wrapper;
@@ -102,7 +104,15 @@
if(SecurityAssociationActions.getSecurityContext() == null)
{
- SecurityContext sc = SecurityAssociationActions.createSecurityContext(securityDomain);
+ SecurityContext sc = null;
+ try
+ {
+ sc = SecurityAssociationActions.createSecurityContext(securityDomain);
+ }
+ catch (PrivilegedActionException e)
+ {
+ throw new RuntimeException(e);
+ }
SecurityAssociationActions.setSecurityContext(sc);
}
}
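Review bot: The new catch wraps the PrivilegedActionException itself instead of the exception it carries, so the reported cause is the doPrivileged plumbing and the real failure sits one level deeper; a bare RuntimeException also says nothing about which domain failed. I would unwrap and name the condition: `throw new IllegalStateException("Failed to create SecurityContext for domain " + securityDomain, e.getException());`. The enclosing method starts and ends outside the hunk.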
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java 2007-09-13 22:03:02 UTC (rev 65383)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java 2007-09-13 22:06:43 UTC (rev 65384)
@@ -24,14 +24,16 @@
import java.security.PrivilegedAction;
import java.security.Principal;
import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import org.jboss.security.RunAs;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityContextFactory;
import org.jboss.security.plugins.SecurityContextAssociation;
-import org.jboss.security.plugins.SecurityContextFactory;
/** A PrivilegedAction implementation for setting the SecurityAssociation
* principal and credential
@@ -208,17 +210,29 @@
});
}
- static SecurityContext createSecurityContext(final String securityDomain)
+ static SecurityContext createSecurityContext(final String securityDomain) throws PrivilegedActionException
{
- return (SecurityContext)AccessController.doPrivileged(new PrivilegedAction()
+ return (SecurityContext)AccessController.doPrivileged(new PrivilegedExceptionAction()
{
- public Object run()
+ public Object run() throws Exception
{
return SecurityContextFactory.createSecurityContext(securityDomain);
}
});
}
+ static SecurityContext createSecurityContext(final String securityDomain,
+ final String fqnClassName) throws PrivilegedActionException
+ {
+ return (SecurityContext)AccessController.doPrivileged(new PrivilegedExceptionAction()
+ {
+ public Object run() throws Exception
+ {
+ return SecurityContextFactory.createSecurityContext(securityDomain, fqnClassName);
+ }
+ });
+ }
+
static void setSecurityContext(final SecurityContext sc)
{
//SetSecurityContextAction action = new SetSecurityContextAction(sc,securityDomain);
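Review bot: Both createSecurityContext overloads use a raw PrivilegedExceptionAction with `public Object run() throws Exception` and an unchecked cast on the result; if this module compiles at source level 5 or later, `new PrivilegedExceptionAction<SecurityContext>()` with `public SecurityContext run() throws Exception` removes the cast at no cost. The signature change to `throws PrivilegedActionException` on the single-argument form is a source-incompatible change for every caller, and the new two-argument overload has no Javadoc; a one-line comment saying that `fqnClassName` is the fully qualified SecurityContext implementation handed to SecurityContextFactory, and that callers must handle PrivilegedActionException, would make both usable without reading the factory.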
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/DeployerConfig.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/DeployerConfig.java 2007-09-13 22:03:02 UTC (rev 65383)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/DeployerConfig.java 2007-09-13 22:06:43 UTC (rev 65384)
@@ -26,12 +26,14 @@
import javax.management.ObjectName;
import org.jboss.metadata.WebMetaData;
+import org.jboss.security.ISecurityManagement;
import org.jboss.security.plugins.JaasSecurityManagerServiceMBean;
/**
* The tomcat war deployer configuration passed in from the web container.
*
* @author Scott.Stark at jboss.org
+ * @author Anil.Saldhana at redhat.com
* @version $Revision: 56125 $
*/
public class DeployerConfig
@@ -109,6 +111,11 @@
/** The service used to flush authentication cache on session invalidation. */
private JaasSecurityManagerServiceMBean secMgrService;
+ /** The JBoss Security Manager Wrapper */
+ private ISecurityManagement securityManagement;
+ /** FQN of the SecurityContext Class */
+ private String securityContextClassName;
+
private URL xacmlPolicyURL = null;
public ClassLoader getServiceClassLoader()
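Review bot: The Javadoc on the two new fields does not tell a reader where the values come from or whether they may be null; "The JBoss Security Manager Wrapper" restates the type name rather than the role. I would say `/** ISecurityManagement injected from the war deployer bean configuration ("securityManagement" property). */` and `/** Fully qualified name of the SecurityContext implementation to instantiate per request ("securityContextClassName" property). */`, and state whether either may be unset, since the accessors added in the next hunk do no validation. The class body continues outside the hunk.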
@@ -273,8 +280,28 @@
public void setSecurityManagerService(JaasSecurityManagerServiceMBean mgr)
{
this.secMgrService = mgr;
+ }
+
+ public ISecurityManagement getSecurityManagement()
+ {
+ return securityManagement;
}
+ public void setSecurityManagement(ISecurityManagement securityManagement)
+ {
+ this.securityManagement = securityManagement;
+ }
+
+ public String getSecurityContextClassName()
+ {
+ return securityContextClassName;
+ }
+
+ public void setSecurityContextClassName(String securityContextClassName)
+ {
+ this.securityContextClassName = securityContextClassName;
+ }
+
public String[] getFilteredPackages()
{
return filteredPackages;
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/TomcatDeployer.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/TomcatDeployer.java 2007-09-13 22:03:02 UTC (rev 65383)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/TomcatDeployer.java 2007-09-13 22:06:43 UTC (rev 65384)
@@ -47,6 +47,7 @@
import org.jboss.metadata.web.ReplicationConfig;
import org.jboss.metadata.web.WebMetaDataObjectFactory;
import org.jboss.mx.util.MBeanServerLocator;
+import org.jboss.security.ISecurityManagement;
import org.jboss.security.plugins.JaasSecurityManagerServiceMBean;
import org.jboss.system.server.Server;
import org.jboss.system.server.ServerImplMBean;
@@ -182,7 +183,12 @@
/** The service used to flush authentication cache on session invalidation. */
private JaasSecurityManagerServiceMBean secMgrService;
/** The AbstractWarDeployment implementation class */
- private Class deploymentClass = TomcatDeployment.class;
+ private Class deploymentClass = TomcatDeployment.class;
+
+ /** The JBoss Security Manager Wrapper */
+ private ISecurityManagement securityManagement;
+ /** FQN of the SecurityContext Class */
+ private String securityContextClassName;
/** */
private String[] filteredPackages;
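Review bot: The new fields `securityManagement` and `securityContextClassName` have no default, unlike `deploymentClass` on the line above, so a deployer bean configuration that predates this commit, or a customised war-deployers-beans.xml without the new properties, hands null values down through DeployerConfig to the SecurityContextEstablishmentValve. I would default the class name to the value this commit hard-codes in both beans files, `private String securityContextClassName = "org.jboss.security.plugins.JBossSecurityContext";`, and either fail fast in the deployer lifecycle when securityManagement is null or document in its Javadoc that the injection is mandatory. The class declaration starts outside the hunk.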
@@ -413,6 +419,16 @@
public void setSecurityManagerService(JaasSecurityManagerServiceMBean mgr)
{
this.secMgrService = mgr;
+ }
+
+ public void setSecurityManagement(ISecurityManagement securityManagement)
+ {
+ this.securityManagement = securityManagement;
+ }
+
+ public void setSecurityContextClassName(String securityContextClassName)
+ {
+ this.securityContextClassName = securityContextClassName;
}
public String[] getFilteredPackages()
@@ -740,6 +756,9 @@
config.setFilteredPackages(filteredPackages);
config.setSharedMetaData(sharedMetaData);
+ config.setSecurityContextClassName(securityContextClassName);
+ config.setSecurityManagement(securityManagement);
+
// Inject our defaults into the WebMetaData
if (metaData.getDistributable())
{
@@ -775,4 +794,4 @@
if (server != null)
server.unregisterMBean(OBJECT_NAME);
}
-}
\ No newline at end of file
+}
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/TomcatDeployment.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/TomcatDeployment.java 2007-09-13 22:03:02 UTC (rev 65383)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/service/deployers/TomcatDeployment.java 2007-09-13 22:06:43 UTC (rev 65384)
@@ -50,7 +50,6 @@
import org.apache.catalina.Loader;
import org.apache.catalina.core.StandardContext;
import org.apache.tomcat.util.modeler.Registry;
-import org.jboss.deployers.spi.DeploymentException;
import org.jboss.deployers.vfs.spi.structure.VFSDeploymentUnit;
import org.jboss.logging.Logger;
import org.jboss.metadata.WebMetaData;
@@ -60,6 +59,7 @@
import org.jboss.mx.util.MBeanServerLocator;
import org.jboss.naming.NonSerializableFactory;
import org.jboss.security.AuthorizationManager;
+import org.jboss.security.SecurityConstants;
import org.jboss.security.SecurityUtil;
import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.virtual.VirtualFile;
@@ -68,6 +68,7 @@
import org.jboss.web.tomcat.security.JaccContextValve;
import org.jboss.web.tomcat.security.RunAsListener;
import org.jboss.web.tomcat.security.SecurityAssociationValve;
+import org.jboss.web.tomcat.security.SecurityContextEstablishmentValve;
import org.jboss.web.tomcat.service.TomcatInjectionContainer;
import org.jboss.web.tomcat.service.WebAppLoader;
import org.jboss.web.tomcat.service.WebCtxLoader;
@@ -280,7 +281,15 @@
break;
default:
log.debug("Using session cookies default setting");
- }
+ }
+
+ //Add a valve to establish security context
+ SecurityContextEstablishmentValve scevalve = new SecurityContextEstablishmentValve(
+ metaData.getSecurityDomain(),
+ SecurityUtil.unprefixSecurityDomain(config.getDefaultSecurityDomain()),
+ config.getSecurityContextClassName(),
+ config.getSecurityManagement());
+ context.addValve(scevalve);
// Add a valve to estalish the JACC context before authorization valves
Certificate[] certs = null;
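Review bot: The new valve receives `metaData.getSecurityDomain()` unmodified while the default goes through `SecurityUtil.unprefixSecurityDomain(...)`; the code this commit removes from JaccContextValve substituted the default for a null domain and then applied unprefixSecurityDomain to the per-application domain as well, so a prefixed security-domain in the web deployment descriptor may now be treated differently from the default. Unless SecurityContextEstablishmentValve normalises its first argument internally (its source is not in this diff), I would pass `SecurityUtil.unprefixSecurityDomain(metaData.getSecurityDomain())` here too, after checking that the helper tolerates a null domain. The enclosing method starts and ends outside the hunk.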
@@ -385,7 +394,12 @@
URL xacmlPolicyFile = this.config.getXacmlPolicyURL();
if (xacmlPolicyFile != null)
{
- AuthorizationManager authzmgr = SecurityUtil.getAuthorizationManager(secDomain);
+ //Look up JNDI for the AuthorizationManager
+ InitialContext ic = new InitialContext();
+ String amCtx = SecurityConstants.JAAS_CONTEXT_ROOT + "/" + secDomain + "/authorizationMgr";
+ AuthorizationManager authzmgr = (AuthorizationManager)ic.lookup(amCtx);
+ /**AuthorizationManager authzmgr =
+ org.jboss.security.SecurityUtil.getAuthorizationManager(secDomain);*/
if (authzmgr instanceof PolicyRegistration)
{
PolicyRegistration xam = (PolicyRegistration)authzmgr;
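Review bot: The `InitialContext` created on the new lines is never closed, and the commented-out SecurityUtil call kept on the two lines after the lookup should be deleted rather than left as dead text. Since `ic.lookup(amCtx)` is cast straight to AuthorizationManager, a missing or differently typed binding surfaces as NamingException or ClassCastException from the middle of deployment; whether NamingException is declared by the enclosing method is not visible here because the method starts and ends outside the hunk, so it may need to be converted into a deployment failure that names `amCtx`. I would scope the context to the lookup with try/finally:
```java
//Look up JNDI for the AuthorizationManager
String amCtx = SecurityConstants.JAAS_CONTEXT_ROOT + "/" + secDomain + "/authorizationMgr";
AuthorizationManager authzmgr;
InitialContext ic = new InitialContext();
try
{
   authzmgr = (AuthorizationManager)ic.lookup(amCtx);
}
finally
{
   ic.close();
}
// … unchanged: PolicyRegistration handling …
```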
@@ -597,7 +611,7 @@
WebMetaData metaData = warInfo.getMetaData();
String ctxPath = metaData.getContextRoot();
-
+
// TODO: Need to remove the dependency on MBeanServer
MBeanServer server = MBeanServerLocator.locateJBoss();
// If the server is gone, all apps were stopped already
Modified: trunk/tomcat/src/resources/war-deployers-all-beans.xml
===================================================================
--- trunk/tomcat/src/resources/war-deployers-all-beans.xml 2007-09-13 22:03:02 UTC (rev 65383)
+++ trunk/tomcat/src/resources/war-deployers-all-beans.xml 2007-09-13 22:06:43 UTC (rev 65384)
@@ -177,6 +177,14 @@
<!-- TODO determine how to express this dependency
<depends>jboss.cache:service=TomcatClusteringCache</depends>
-->
+
+ <!-- Specify a SecurityManagement Wrapper -->
+ <property name="securityManagement">
+ <inject bean="JNDIBasedSecurityManagement"/>
+ </property>
+
+ <!-- Specify a SecurityContext FQN class name -->
+ <property name="securityContextClassName">org.jboss.security.plugins.JBossSecurityContext</property>
<depends>jboss:service=TransactionManager</depends>
<depends>SecurityDeployer</depends>
Modified: trunk/tomcat/src/resources/war-deployers-beans.xml
===================================================================
--- trunk/tomcat/src/resources/war-deployers-beans.xml 2007-09-13 22:03:02 UTC (rev 65383)
+++ trunk/tomcat/src/resources/war-deployers-beans.xml 2007-09-13 22:06:43 UTC (rev 65384)
@@ -201,6 +201,14 @@
<property name="securityManagerService">
<inject bean="jboss.security:service=JaasSecurityManager" />
</property>
+
+ <!-- Specify a SecurityManagement Wrapper -->
+ <property name="securityManagement">
+ <inject bean="JNDIBasedSecurityManagement"/>
+ </property>
+
+ <!-- Specify a SecurityContext FQN class name -->
+ <property name="securityContextClassName">org.jboss.security.plugins.JBossSecurityContext</property>
<depends>jboss:service=TransactionManager</depends>
<depends>SecurityDeployer</depends>