[jboss-cvs] Picketbox SVN: r222 - in trunk: security-jboss-sx/jbosssx/src/main/java/org/jboss/resource/security and 7 other directories.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Mon May 23 10:45:34 EDT 2011


Author: mmoyses
Date: 2011-05-23 10:45:33 -0400 (Mon, 23 May 2011)
New Revision: 222

Removed:
   trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java
   trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociationAuthenticator.java
   trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/securityassociation/
Modified:
   trunk/picketbox-infinispan/src/main/java/org/jboss/security/authentication/SubjectActions.java
   trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/resource/security/GetPrincipalInfoAction.java
   trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/AltClientLoginModule.java
   trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/ClientLoginModule.java
   trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociationActions.java
   trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/RunAsLoginModule.java
   trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/SubjectActions.java
   trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/auth/SubjectActions.java
   trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authentication/jaas/ClientLoginModuleUnitTestCase.java
   trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authentication/jaas/LoginModulesUnitTestCase.java
   trunk/security-spi/spi/src/main/java/org/jboss/security/SecurityContextAssociation.java
Log:
SECURITY-595: removing SecurityAssociation

Modified: trunk/picketbox-infinispan/src/main/java/org/jboss/security/authentication/SubjectActions.java
===================================================================
--- trunk/picketbox-infinispan/src/main/java/org/jboss/security/authentication/SubjectActions.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/picketbox-infinispan/src/main/java/org/jboss/security/authentication/SubjectActions.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -37,7 +37,6 @@
 import javax.security.jacc.PolicyContext;
 import javax.security.jacc.PolicyContextException;
 
-import org.jboss.security.SecurityAssociation;
 import org.jboss.security.SecurityConstants;
 import org.jboss.security.SecurityContext;
 import org.jboss.security.SecurityContextAssociation;
@@ -213,7 +212,7 @@
          {
             sc.getData().put(key, value);
          }
-         return SecurityAssociation.setContextInfo(key, value);
+         return SecurityContextAssociation.setContextInfo(key, value);
       }
    }
 

Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/resource/security/GetPrincipalInfoAction.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/resource/security/GetPrincipalInfoAction.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/resource/security/GetPrincipalInfoAction.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -26,8 +26,9 @@
 import java.security.Principal;
 import java.security.PrivilegedAction;
 
+import org.jboss.security.RunAs;
 import org.jboss.security.RunAsIdentity;
-import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityContextAssociation;
 
 /** PrivilegedActions used by this package
  * 
@@ -41,7 +42,7 @@
     */
    private static char[] getPassword()
    {
-      Object credential = SecurityAssociation.getCredential();
+      Object credential = SecurityContextAssociation.getCredential();
       char[] password = null;
        if( credential instanceof char[] )
        {
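Review bot: `SecurityContextAssociation.getCredential()` now supplies the password in getPassword(), but the `SecurityAssociation.getCredential()` it replaces (deleted in this same revision) began with `sm.checkPermission(getPrincipalInfoPermission)` whenever a SecurityManager was installed, and the replacement's body is not visible in this hunk. Please confirm the new accessor enforces an equivalent check and under which permission name, because policy files that grant `org.jboss.security.SecurityAssociation.getPrincipalInfo` may otherwise stop matching, or the credential may become readable without any check. The same question applies to the `getPrincipal()` calls in the @@ -85 and @@ -115 hunks and to the `setContextInfo` call changed in picketbox-infinispan's SubjectActions, whose removed counterpart checked the `accessContextInfo` "set" permission. A comment on getPassword() such as `// relies on SecurityContextAssociation.getCredential() for the SecurityManager permission check` would record the dependency. getPassword() continues past the end of this hunk.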
@@ -77,7 +78,7 @@
          {
             public Object run()
             {
-               return SecurityAssociation.peekRunAsIdentity();
+               return SecurityContextAssociation.peekRunAsIdentity();
             }
          };
 
@@ -85,7 +86,7 @@
          {
             public Object run()
             {
-               return SecurityAssociation.getPrincipal();
+               return SecurityContextAssociation.getPrincipal();
             }
          };
 
@@ -115,14 +116,14 @@
 
       PrincipalActions NON_PRIVILEGED = new PrincipalActions()
       {
-         public RunAsIdentity peek()
+         public RunAs peek()
          {
-            return SecurityAssociation.peekRunAsIdentity();
+            return SecurityContextAssociation.peekRunAsIdentity();
          }
 
          public Principal getPrincipal()
          {
-            return SecurityAssociation.getPrincipal();
+            return SecurityContextAssociation.getPrincipal();
          }
 
          public char[] getCredential()
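Review bot: Widening `peek()` to return `RunAs` forces the unchecked `(RunAsIdentity)` downcasts added in the @@ -166 hunk, and nothing visible guarantees that `SecurityContextAssociation.peekRunAsIdentity()` only ever yields a `RunAsIdentity`. If another `RunAs` implementation is on the security context, the caller gets a bare ClassCastException from inside the identity lookup. Either let the outer accessor return `RunAs` as well, or make the narrowing explicit, e.g. `RunAs ra = PrincipalActions.PRIVILEGED.peek();` followed by `if (ra != null && !(ra instanceof RunAsIdentity)) throw new IllegalStateException("Unexpected RunAs type: " + ra.getClass().getName());`. Returning null for an unexpected type would be the wrong fallback, since it would silently drop the run-as identity. The anonymous class and the PrincipalActions interface both start outside this hunk.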
@@ -133,7 +134,7 @@
 
       Principal getPrincipal();
       char[] getCredential();
-      RunAsIdentity peek();
+      RunAs peek();
    }
 
    static Principal getPrincipal()
@@ -166,11 +167,11 @@
    {
       if(System.getSecurityManager() == null)
       {
-         return PrincipalActions.NON_PRIVILEGED.peek();
+         return (RunAsIdentity) PrincipalActions.NON_PRIVILEGED.peek();
       }
       else
       {
-         return PrincipalActions.PRIVILEGED.peek();
+         return (RunAsIdentity) PrincipalActions.PRIVILEGED.peek();
       }
    }
 

Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/AltClientLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/AltClientLoginModule.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/AltClientLoginModule.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -100,7 +100,6 @@
          */
          if(trace)
             log.trace("Enabling multi-threaded mode");
-         SecurityAssociationActions.setServer();
       }
       
         /* Check for password sharing options. Any non-null value for

Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/ClientLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/ClientLoginModule.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/ClientLoginModule.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -39,20 +39,19 @@
 
 /** A simple implementation of LoginModule for use by JBoss clients for
  the establishment of the caller identity and credentials. This simply sets
- the SecurityAssociation principal to the value of the NameCallback
- filled in by the CallbackHandler, and the SecurityAssociation credential
+ the SecurityContext principal to the value of the NameCallback
+ filled in by the CallbackHandler, and the SecurityContext credential
  to the value of the PasswordCallback filled in by the CallbackHandler.
  
  It has the following options:
  <ul>
  <li>multi-threaded=[true|false]
- When the multi-threaded option is set to true, the SecurityAssociation.setServer()
- so that each login thread has its own principal and credential storage.
+ When the multi-threaded option is set to true each login thread has its own principal and credential storage.
  <li>restore-login-identity=[true|false]
- When restore-login-identity is true, the SecurityAssociation principal
+ When restore-login-identity is true, the SecurityContext principal
  and credential seen on entry to the login() method are saved and restored
  on either abort or logout. When false (the default), the abort and logout
- simply clears the SecurityAssociation. A restore-login-identity of true is
+ simply clears the SecurityContext. A restore-login-identity of true is
  needed if one need to change identities and then restore the original
  caller identity.
  <li>password-stacking=tryFirstPass|useFirstPass
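Review bot: The rewritten Javadoc still promises behaviour that the later hunks in this file no longer visibly implement. It says multi-threaded=true gives each login thread its own principal and credential storage, yet the @@ -116 hunk leaves that branch with only the "Enabling multi-threaded mode" trace log. It also says abort and logout "simply clears the SecurityContext", while the @@ -275 hunk removes `clearSecurityContext(null)` and keeps only `SecurityAssociationActions.clear()`, whose body is not shown here. If clear() does not reset the SecurityContext, the logged-in identity could remain associated after logout, so confirm that it does, or reword to what the code does, e.g. `When false (the default), abort and logout call SecurityAssociationActions.clear().` The multi-threaded entry should also state whether the option is now a no-op.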
@@ -116,7 +115,6 @@
          */
          if(trace)
             log.trace("Enabling multi-threaded mode");
-         SecurityAssociationActions.setServer(); 
       }
       
       /**
@@ -256,14 +254,12 @@
          log.trace("abort");
       if( restoreLoginIdentity == true )
       {
-         SecurityAssociationActions.popPrincipalInfo();
          SecurityAssociationActions.setSecurityContext(this.cachedSecurityContext);
       }
       else
       {
          // Clear the entire security association stack
          SecurityAssociationActions.clear();
-         SecurityAssociationActions.popPrincipalInfo(); //SECURITY-339
       }
 
       return true;
@@ -275,14 +271,12 @@
          log.trace("logout");
       if( restoreLoginIdentity == true )
       {
-         SecurityAssociationActions.popPrincipalInfo();
          SecurityAssociationActions.setSecurityContext(this.cachedSecurityContext);
       }
       else
       {
          // Clear the entire security association stack
          SecurityAssociationActions.clear();  
-         SecurityAssociationActions.clearSecurityContext(null);         
       }
       Set<Principal> principals = subject.getPrincipals();
       principals.remove(loginPrincipal);

Deleted: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociation.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -1,1182 +0,0 @@
-/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
-package org.jboss.security;
-
-import java.security.Principal;
-import java.util.ArrayList;
-import java.util.HashMap;
-
-import javax.security.auth.Subject;
-
-import org.jboss.logging.Logger;
-
-/**
- * The SecurityAssociation class maintains the security principal and
- * credentials. This can be done on either a singleton basis or a thread local
- * basis depending on the server property. When the server property has been set
- * to true, the security information is maintained in thread local storage. The
- * type of thread local storage depends on the org.jboss.security.SecurityAssociation.ThreadLocal
- * property. If this property is true, then the thread local storage object is
- * of type java.lang.ThreadLocal which results in the current thread's security
- * information NOT being propagated to child threads.
- *
- * When the property is false or does not exist, the thread local storage object
- * is of type java.lang.InheritableThreadLocal, and any threads spawned by the
- * current thread will inherit the security information of the current thread.
- * Subseqent changes to the current thread's security information are NOT
- * propagated to any previously spawned child threads.
- *
- * When the server property is false, security information is maintained in
- * class variables which makes the information available to all threads within
- * the current VM.
- * 
- * Note that this is not a public API class. Its an implementation detail that
- * is subject to change without notice.
- * 
- * @author Daniel O'Connor (docodan at nycap.rr.com)
- * @author Scott.Stark at jboss.org
- * @author Anil.Saldhana at redhat.com
- * @version $Revision$
- */
-public final class SecurityAssociation
-{
-   private static Logger log = Logger.getLogger(SecurityAssociation.class);
-   /**
-    * A flag indicating if trace level logging should be performed
-    */
-   private static boolean trace;
-   /**
-    * A flag indicating if security information is global or thread local
-    */
-   private static boolean server;
-   /**
-    * The SecurityAssociation principal used when the server flag is false
-    */
-   private static Principal principal;
-   /**
-    * The SecurityAssociation credential used when the server flag is false
-    */
-   private static Object credential;
-
-   /**
-    * The SecurityAssociation principal used when the server flag is true
-    */
-   private static ThreadLocal<Principal> threadPrincipal;
-   /**
-    * The SecurityAssociation credential used when the server flag is true
-    */
-   private static ThreadLocal<Object> threadCredential;
-   /**
-    * The SecurityAssociation HashMap<String, Object>
-    */
-   private static ThreadLocal<HashMap<String,Object>> threadContextMap;
-
-   /**
-    * Thread local stacks of run-as principal roles used to implement J2EE
-    * run-as identity propagation
-    */
-   private static RunAsThreadLocalStack threadRunAsStacks;
-   /**
-    * Thread local stacks of authenticated subject used to control the current
-    * caller security context
-    */ 
-   private static SubjectThreadLocalStack threadSubjectStacks; 
-
-   /**
-    * The permission required to access getPrincpal, getCredential
-    */
-   private static final RuntimePermission getPrincipalInfoPermission =
-      new RuntimePermission("org.jboss.security.SecurityAssociation.getPrincipalInfo");
-   /**
-    * The permission required to access getSubject
-    */
-   private static final RuntimePermission getSubjectPermission =
-      new RuntimePermission("org.jboss.security.SecurityAssociation.getSubject");
-   /**
-    * The permission required to access setPrincpal, setCredential, setSubject
-    * pushSubjectContext, popSubjectContext
-    */
-   private static final RuntimePermission setPrincipalInfoPermission =
-      new RuntimePermission("org.jboss.security.SecurityAssociation.setPrincipalInfo");
-   /**
-    * The permission required to access setServer
-    */
-   private static final RuntimePermission setServerPermission =
-      new RuntimePermission("org.jboss.security.SecurityAssociation.setServer");
-   /**
-    * The permission required to access pushRunAsIdentity/popRunAsIdentity
-    */
-   private static final RuntimePermission setRunAsIdentity =
-      new RuntimePermission("org.jboss.security.SecurityAssociation.setRunAsRole");
-   /**
-    * The permission required to get the current security context info
-    */
-   private static final RuntimePermission getContextInfo =
-      new RuntimePermission("org.jboss.security.SecurityAssociation.accessContextInfo", "get");
-   /**
-    * The permission required to set the current security context info
-    */
-   private static final RuntimePermission setContextInfo =
-      new RuntimePermission("org.jboss.security.SecurityAssociation.accessContextInfo", "set");
-
-   static
-   {
-      String flag = SecurityActions.getProperty("org.jboss.security.SecurityAssociation.ThreadLocal", "false");
-      boolean useThreadLocal = Boolean.valueOf(flag).booleanValue();
-      log.debug("Using ThreadLocal: "+useThreadLocal);
-
-      trace = log.isTraceEnabled();
-      if (useThreadLocal)
-      {
-         threadPrincipal = new ThreadLocal<Principal>();
-         threadCredential = new ThreadLocal<Object>();
-         threadContextMap = new ThreadLocal<HashMap<String,Object>>()
-         {
-            protected HashMap<String,Object> initialValue()
-            {
-               return new HashMap<String,Object>();
-            }
-         };
-      }
-      else
-      {
-         threadPrincipal = new InheritableThreadLocal<Principal>();
-         threadCredential = new InheritableThreadLocal<Object>();
-         threadContextMap = new HashMapInheritableLocal<HashMap<String,Object>>();
-      }
-      threadRunAsStacks = new RunAsThreadLocalStack(useThreadLocal);
-      threadSubjectStacks = new SubjectThreadLocalStack(useThreadLocal);
-   }
-
-   /**
-    * Get the current authentication principal information. If a security
-    * manager is present, then this method calls the security manager's
-    * <code>checkPermission</code> method with a
-    * <code>RuntimePermission("org.jboss.security.SecurityAssociation.getPrincipalInfo")
-    * </code> permission to ensure it's ok to access principal information. If
-    * not, a <code>SecurityException</code> will be thrown.
-    * @return Principal, the current principal identity.
-    */
-   public static Principal getPrincipal()
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(getPrincipalInfoPermission);
-
-      Principal thePrincipal = principal;
-      
-      if(!server)
-         return principal;
-      
-      if( trace )
-         log.trace("getPrincipal, principal="+thePrincipal);
-      
-      SecurityContext sc = SecurityContextAssociation.getSecurityContext();
-      if(sc != null)
-      {
-         if( trace )
-            log.warn("You are using deprecated api to getPrincipal. Use security context based approach");
-         thePrincipal = sc.getUtil().getUserPrincipal();
-      }
-      return thePrincipal;
-   } 
-
-   /**
-    * Get the caller's principal. If a security manager is present,
-    * then this method calls the security manager's <code>checkPermission</code>
-    * method with a <code> RuntimePermission("org.jboss.security.SecurityAssociation.getPrincipalInfo")
-    * </code> permission to ensure it's ok to access principal information. If
-    * not, a <code>SecurityException</code> will be thrown.
-    * 
-    * @return Principal, the current principal identity.
-    */
-   public static Principal getCallerPrincipal()
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(getPrincipalInfoPermission);
-
-      /*Principal thePrincipal = peekRunAsIdentity(1);
-      if( thePrincipal == null )
-      {
-         if (server)
-            thePrincipal = (Principal) threadPrincipal.get();
-         else
-            thePrincipal = principal;
-      }*/
-     
-      if(!server)
-         return principal;
-      
-      //Just pluck it from the current security context
-      SecurityContext sc = SecurityContextAssociation.getSecurityContext();
-      Principal thePrincipal = null;
-      if(sc != null)
-      {
-         //Check for runas
-         RunAs ras = sc.getIncomingRunAs();
-         if(ras != null)
-            thePrincipal = new SimplePrincipal(ras.getName());
-         else 
-            thePrincipal = sc.getUtil().getUserPrincipal();
-      }
-      if( trace )
-         log.trace("getCallerPrincipal, principal="+thePrincipal);
-      return thePrincipal;
-   }
-
-   /**
-    * Get the current authentication credential information. This can be of any type
-    * including: a String password, a char[] password, an X509 cert, etc. If a
-    * security manager is present, then this method calls the security manager's
-    * <code>checkPermission</code> method with a <code> RuntimePermission("org.jboss.security.SecurityAssociation.getPrincipalInfo")
-    * </code> permission to ensure it's ok to access principal information. If
-    * not, a <code>SecurityException</code> will be thrown.
-    * @return Object, the credential that proves the principal identity.
-    */
-   public static Object getCredential()
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(getPrincipalInfoPermission);
-
-      if(!server)
-         return credential;
-      
-      SecurityContext sc = SecurityContextAssociation.getSecurityContext();
-      if(sc != null)
-      {
-         if(trace)
-            log.warn("You are using deprecated api to getCredential. Use security context based approach");
-         credential = sc.getUtil().getCredential();
-      }
-      return credential;
-   }
-
-   /**
-    * Get the current Subject information. If a security manager is present,
-    * then this method calls the security manager's checkPermission method with
-    * a  RuntimePermission("org.jboss.security.SecurityAssociation.getSubject")
-    * permission to ensure it's ok to access principal information. If not, a
-    * SecurityException will be thrown. Note that this method does not consider
-    * whether or not a run-as identity exists. For access to this information
-    * see the JACC PolicyContextHandler registered under the key
-    * "javax.security.auth.Subject.container"
-    * @return Subject, the current Subject identity.
-    * @see javax.security.jacc.PolicyContext#getContext(String)
-    */
-   public static Subject getSubject()
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(getSubjectPermission);
-
-      SubjectContext sc = threadSubjectStacks.peek();
-      if( trace )
-         log.trace("getSubject, sc="+sc);
-      Subject subject = null;
-      /*if( sc != null )
-         subject = sc.getSubject();
-      return subject;*/
-      
-      SecurityContext secContext = SecurityAssociationActions.getSecurityContext();
-      if(secContext != null)
-      {
-         if(trace)
-            log.warn("You are using deprecated api to getSubject. Use security context based approach");
-         subject = secContext.getUtil().getSubject();
-      }
-      return subject;
-   }
-
-   /**
-    * Set the current principal information. If a security manager is present,
-    * then this method calls the security manager's <code>checkPermission</code>
-    * method with a <code> RuntimePermission("org.jboss.security.SecurityAssociation.setPrincipalInfo")
-    * </code> permission to ensure it's ok to access principal information. If
-    * not, a <code>SecurityException</code> will be thrown.
-    * @param principal - the current principal identity.
-    */
-   public static void setPrincipal(Principal principal)
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setPrincipalInfoPermission);
-
-      if (trace)
-         log.trace("setPrincipal, p=" + principal + ", server=" + server);
-      // Integrate with the new SubjectContext 
-      SubjectContext sc = threadSubjectStacks.peek();
-      if( sc == null )
-      {
-         // There is no active security context
-         sc = new SubjectContext();
-         threadSubjectStacks.push(sc);
-      }
-      else if( (sc.getFlags() & SubjectContext.PRINCIPAL_WAS_SET) != 0 )
-      {
-         // The current security context has its principal set
-         sc = new SubjectContext();
-         threadSubjectStacks.push(sc);    
-      }
-      sc.setPrincipal(principal);
-      
-      if(!server)
-      {
-         SecurityContextAssociation.setClient();
-         SecurityAssociation.principal = principal;
-         return; 
-      }
-      SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
-      //Clients code that may have set directly (Legacy)
-      if(securityContext == null)
-      {
-         try
-         {
-            securityContext = SecurityContextFactory.createSecurityContext("CLIENT_SIDE");
-         }
-         catch (Exception e)
-         {
-            throw new RuntimeException(e);
-         }
-         SecurityContextAssociation.setSecurityContext(securityContext);
-      }      
-      if(trace)
-         log.warn("Using deprecated API. Move to a security context based approach");
-      Object cred = securityContext.getUtil().getCredential();
-      Subject subj = securityContext.getUtil().getSubject();
-      securityContext.getUtil().createSubjectInfo(principal,cred, subj);
-     
-      if (trace)
-         log.trace("setPrincipal, sc="+sc);
-
-   } 
-
-   /**
-    * Set the current principal credential information. This can be of any type
-    * including: a String password, a char[] password, an X509 cert, etc.
-    *
-    * If a security manager is present, then this method calls the security
-    * manager's <code>checkPermission</code> method with a <code>
-    * RuntimePermission("org.jboss.security.SecurityAssociation.setPrincipalInfo")
-    * </code> permission to ensure it's ok to access principal information. If
-    * not, a <code>SecurityException</code> will be thrown.
-    * @param credential - the credential that proves the principal identity.
-    */
-   public static void setCredential(Object credential)
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setPrincipalInfoPermission);
-
-      // Integrate with the new SubjectContext 
-      SubjectContext sc = threadSubjectStacks.peek();
-      if( sc == null )
-      {
-         // There is no active security context
-         sc = new SubjectContext();
-         threadSubjectStacks.push(sc);
-      }
-      else if( (sc.getFlags() & SubjectContext.CREDENTIAL_WAS_SET) != 0 )
-      {
-         // The current security context has its principal set
-         sc = new SubjectContext();
-         threadSubjectStacks.push(sc);   
-      }
-      sc.setCredential(credential);
-      if (trace)
-         log.trace("setCredential, sc="+sc);
-
-      if(!server)
-      {
-         SecurityContextAssociation.setClient();
-         SecurityAssociation.credential = credential;
-         return;
-      }
-      
-      SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
-      //Clients code that may have set directly (Legacy)
-      if(securityContext == null)
-      {
-         try
-         {
-            securityContext = SecurityContextFactory.createSecurityContext("CLIENT_SIDE");
-         }
-         catch (Exception e)
-         {
-            throw new RuntimeException(e);
-         }
-         SecurityContextAssociation.setSecurityContext(securityContext);
-      }
-
-      if(trace)
-         log.warn("Using deprecated API. Move to a security context based approach");
-      Principal principal = securityContext.getUtil().getUserPrincipal();
-      Subject subj = securityContext.getUtil().getSubject();
-      securityContext.getUtil().createSubjectInfo(principal,credential, subj);      
-   }
-
-   /**
-    * Set the current Subject information. If a security manager is present,
-    * then this method calls the security manager's <code>checkPermission</code>
-    * method with a <code> RuntimePermission("org.jboss.security.SecurityAssociation.setPrincipalInfo")
-    * </code> permission to ensure it's ok to access principal information. If
-    * not, a <code>SecurityException</code> will be thrown.
-    * @param subject - the current identity.
-    */
-   public static void setSubject(Subject subject)
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setPrincipalInfoPermission);
-
-      if (trace)
-         log.trace("setSubject, s=" + subject + ", server=" + server);
-      // Integrate with the new SubjectContext 
-      SubjectContext sc = threadSubjectStacks.peek();
-      if( sc == null )
-      {
-         // There is no active security context
-         sc = new SubjectContext();
-         threadSubjectStacks.push(sc);
-      }
-      else if( (sc.getFlags() & SubjectContext.SUBJECT_WAS_SET) != 0 )
-      {
-         // The current security context has its subject set
-         sc = new SubjectContext();
-         threadSubjectStacks.push(sc); 
-      }
-      sc.setSubject(subject);
-      if (trace)
-         log.trace("setSubject, sc="+sc);
-      
-      SecurityContext sctx = SecurityContextAssociation.getSecurityContext();
-      if(sctx != null)
-      {
-         SubjectInfo si = sctx.getSubjectInfo();
-         if(si != null)
-         {
-            si.setAuthenticatedSubject(subject);
-         }
-         else
-            sctx.getUtil().createSubjectInfo(null, null, subject);
-      }
-   }
-   
-   /**
-    * Introduced for backward compatibility with older versions of security
-    * @deprecated
-    * @see {@code SecurityAssociation#getContextInfo(String)}
-    * @param key
-    * @return
-    * @throws IllegalArgumentException if the passed key is not of type String
-    */
-   public static Object getContextInfo(Object key)
-   {
-      if(key instanceof String ==  false)
-         throw new IllegalArgumentException("Key should be of type String");
-      
-      return getContextInfo((String)key);
-   }
-
-   /**
-    * Get the current thread context info. If a security manager is present,
-    * then this method calls the security manager's <code>checkPermission</code>
-    * method with a <code> RuntimePermission("org.jboss.security.SecurityAssociation.accessContextInfo",
-    * "get") </code> permission to ensure it's ok to access context information.
-    * If not, a <code>SecurityException</code> will be thrown.
-    * @param key - the context key
-    * @return the mapping for the key in the current thread context
-    */
-   public static Object getContextInfo(String key)
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(getContextInfo);
-
-      if(key == null)
-         throw new IllegalArgumentException("key is null");
-      //SECURITY-459 get it from the current security context
-      SecurityContext sc = SecurityAssociationActions.getSecurityContext();
-      if(sc != null)
-         return sc.getData().get(key); 
-      
-      //fall back
-      HashMap<String,Object> contextInfo = (HashMap<String,Object>) threadContextMap.get();
-      return contextInfo != null ? contextInfo.get(key) : null;
-   }
-   
-   /**
-    * Maintain backwards compatibility
-    * @deprecated
-    * @see {@code SecurityAssociation#setContextInfo(String, Object)}
-    * @param key
-    * @param value
-    * @return
-    * @throws IllegalArgumentException if the passed key is not of type String
-    */
-   public static Object setContextInfo(Object key, Object value)
-   {
-      if(key instanceof String == false)
-         throw new IllegalArgumentException("key should be of type String");
-      String keyStr = (String) key;
-      return setContextInfo(keyStr, value);
-   }
-
-   /**
-    * Set the current thread context info. If a security manager is present,
-    * then this method calls the security manager's <code>checkPermission</code>
-    * method with a <code> RuntimePermission("org.jboss.security.SecurityAssociation.accessContextInfo",
-    * "set") </code> permission to ensure it's ok to access context information.
-    * If not, a <code>SecurityException</code> will be thrown.
-    * @param key - the context key
-    * @param value - the context value to associate under key
-    * @return the previous mapping for the key if one exists
-    */
-   public static Object setContextInfo(String key, Object value)
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setContextInfo);
-
-      SecurityContext sc = SecurityAssociationActions.getSecurityContext();
-      if(sc != null)
-         return sc.getData().put(key, value);
-      
-      HashMap<String,Object> contextInfo = (HashMap<String,Object>) threadContextMap.get();
-      return contextInfo.put(key, value);
-   }
-
-   /**
-    * Push the current authenticated context. This sets the authenticated subject
-    * along with the principal and proof of identity that was used to validate
-    * the subject. This context is used for authorization checks. Typically
-    * just the subject as seen by getSubject() is input into the authorization.
-    * When run under a security manager this requires the
-    * RuntimePermission("org.jboss.security.SecurityAssociation.setPrincipalInfo")
-    * permission.
-    * @param subject - the authenticated subject
-    * @param principal - the principal that was input into the authentication
-    * @param credential - the credential that was input into the authentication
-    * @deprecated
-    */ 
-   public static void pushSubjectContext(Subject subject,
-      Principal principal, Object credential)
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setPrincipalInfoPermission);
-
-      // Set the legacy single-value access points
-      if (server)
-      {
-         threadPrincipal.set(principal);
-         threadCredential.set(credential);    
-      }
-      else
-      {
-         SecurityAssociation.principal = principal;
-         SecurityAssociation.credential = credential;
-      }
-   
-      // Push the subject context
-      SubjectContext sc = new SubjectContext(subject, principal, credential);
-      threadSubjectStacks.push(sc);
-
-      if(server)
-      { 
-         if (trace)
-            log.trace("pushSubjectContext, subject=" + subject + ", sc="+sc);
-      
-         //Use the new method
-         SecurityContext sctx = SecurityContextAssociation.getSecurityContext();
-         if(sctx == null)
-         {
-            if(trace)
-               log.trace("WARN::Deprecated usage of SecurityAssociation. Use SecurityContext");
-            try
-            {
-               sctx = SecurityAssociationActions.createSecurityContext("FROM_SECURITY_ASSOCIATION");
-            }
-            catch (Exception e)
-            {
-               throw new RuntimeException(e);
-            }
-         }
-         sctx.getUtil().createSubjectInfo(principal, credential,subject);
-         SecurityAssociationActions.setSecurityContext(sctx);   
-      }
-   }
-   /**
-    * Push a duplicate of the current SubjectContext if one exists.
-    * When run under a security manager this requires the
-    * RuntimePermission("org.jboss.security.SecurityAssociation.setPrincipalInfo")
-    * permission.
-    */
-   public static void dupSubjectContext()
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setPrincipalInfoPermission);
-
-      SubjectContext sc = threadSubjectStacks.dup();
-      if (trace)
-         log.trace("dupSubjectContext, sc="+sc);
-   }
-
-   /**
-    * Pop the current SubjectContext from the previous pushSubjectContext call
-    * and return the pushed SubjectContext ig there was one.
-    * When run under a security manager this requires the
-    * RuntimePermission("org.jboss.security.SecurityAssociation.setPrincipalInfo")
-    * permission.
-    * @return the SubjectContext pushed previously by a pushSubjectContext call
-    * @deprecated
-    */ 
-   public static SubjectContext popSubjectContext()
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setPrincipalInfoPermission);
-
-      SubjectContext sc = threadSubjectStacks.pop();
-      if (trace)
-      {
-         log.trace("popSubjectContext, sc="+sc);
-      }
-      
-      Principal principal = null;
-      Object credential = null;
-      
-      SubjectContext top = threadSubjectStacks.peek();
-      
-      if (top != null)
-      {
-         principal = top.getPrincipal();
-         credential = top.getCredential();
-      }
-      
-      if (server)
-      {
-         threadPrincipal.set(principal);
-         threadCredential.set(credential);
-      }
-      else
-      {
-         SecurityAssociation.principal = principal;
-         SecurityAssociation.credential = credential;
-      }
-      
-      if(server)
-      { 
-         if(trace)
-            log.trace("WARN::Deprecated usage of SecurityAssociation. Use SecurityContext");
-         SecurityContext sctx = SecurityContextAssociation.getSecurityContext();
-         
-         if(sc == null)
-         {
-            if(sctx != null)
-            {  
-               sc = new SubjectContext(sctx.getUtil().getSubject(),
-                     sctx.getUtil().getUserPrincipal(),
-                     sctx.getUtil().getCredential()); 
-            }
-         }
-         //Now pop the subject context on the security context
-         if(sctx != null)
-         {
-            sctx.getUtil().createSubjectInfo(null, null, null); 
-         } 
-         return sc;  
-      }
-      return top;
-   }
-   
-   /**
-    * Look at the current thread of control's authenticated identity on the top
-    * of the stack.
-    * When run under a security manager this requires the
-    * RuntimePermission("org.jboss.security.SecurityAssociation.getPrincipalInfo")
-    * permission.
-    * @return the SubjectContext pushed previously by a pushSubjectContext call
-    */
-   public static SubjectContext peekSubjectContext()
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(getPrincipalInfoPermission);
-
-      if(server)
-      {
-         //Get the subject context from the security context
-         SecurityContext sc = SecurityContextAssociation.getSecurityContext();
-         SubjectContext subjectCtx = null;
-         if( sc != null)
-         {
-            SecurityContextUtil util = sc.getUtil();
-            subjectCtx = new SubjectContext(util.getSubject(), util.getUserPrincipal(), util.getCredential());
-         }
-         return subjectCtx; 
-      }
-      return threadSubjectStacks.peek();
-   }
-
-   /**
-    * Clear all principal information. If a security manager is present, then
-    * this method calls the security manager's <code>checkPermission</code>
-    * method with a <code> RuntimePermission("org.jboss.security.SecurityAssociation.setPrincipalInfo")
-    * </code> permission to ensure it's ok to access principal information. If
-    * not, a <code>SecurityException</code> will be thrown.
-    */
-   public static void clear()
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setPrincipalInfoPermission);
-
-      if (trace)
-         log.trace("clear, server=" + server);
-      if (server == true)
-      {
-         threadPrincipal.set(null);
-         threadCredential.set(null);
-      }
-      else
-      {
-         SecurityAssociation.principal = null;
-         SecurityAssociation.credential = null;
-      }
-      // Remove all subject contexts
-      threadSubjectStacks.clear(); 
-      
-      //Clear the security context
-      SecurityContextAssociation.clearSecurityContext();
-   }
-
-   /**
-    * Push the current thread of control's run-as identity.
-    */
-   public static void pushRunAsIdentity(RunAsIdentity runAs)
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setRunAsIdentity);
-      if (trace)
-         log.trace("pushRunAsIdentity, runAs=" + runAs);
-      
-      threadRunAsStacks.push(runAs);
-      SecurityContext sc = SecurityContextAssociation.getSecurityContext(); 
-      if( sc != null)
-      { 
-         sc.setOutgoingRunAs(runAs);
-      }
-   }
-
-   /**
-    * Pop the current thread of control's run-as identity.
-    */
-   public static RunAsIdentity popRunAsIdentity()
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setRunAsIdentity);
-      /*RunAsIdentity runAs = threadRunAsStacks.pop();
-      if (trace)
-         log.trace("popRunAsIdentity, runAs=" + runAs);
-      return runAs;*/
-      SecurityContext sc = SecurityContextAssociation.getSecurityContext();
-      RunAsIdentity ra = null; 
-      if( sc != null)
-      {
-         ra = (RunAsIdentity) sc.getOutgoingRunAs();
-         sc.setOutgoingRunAs(null);
-      }
-      return ra;
-   }
-
-   /**
-    * Look at the current thread of control's run-as identity on the top of the
-    * stack.
-    */
-   public static RunAsIdentity peekRunAsIdentity()
-   {
-      //return peekRunAsIdentity(0);
-      RunAsIdentity ra = null;
-      SecurityContext sc = SecurityContextAssociation.getSecurityContext(); 
-      if( sc != null)
-      {
-         ra = (RunAsIdentity) sc.getOutgoingRunAs();
-      }
-      return ra;
-   }
-
-   /**
-    * Look at the current thread of control's run-as identity at the indicated
-    * depth. Typically depth is either 0 for the identity the current caller
-    * run-as that will be assumed, or 1 for the active run-as the previous
-    * caller has assumed.
-    * @return RunAsIdentity depth frames up.
-    */
-   public static RunAsIdentity peekRunAsIdentity(int depth)
-   {
-      //RunAsIdentity runAs = threadRunAsStacks.peek(depth);
-      //return runAs;
-      if(depth > 1)
-         throw new IllegalArgumentException("Security Context approach needs to be used. Depth upto 1");
-      if(depth == 0)
-         return peekRunAsIdentity();
-      else
-      {
-         SecurityContext sc = SecurityContextAssociation.getSecurityContext();
-         RunAsIdentity ra = null; 
-         if( sc != null)
-         {
-            RunAs ras = sc.getIncomingRunAs();
-            if(ras instanceof RunAsIdentity)
-               ra = (RunAsIdentity) ras; 
-         }
-         return ra;
-      }
-   }
-   
-   /**
-    * Indicate whether we are server side
-    * @return flag set by a {@link #setServer()} call
-    */
-   public static boolean isServer()
-   {
-      return server;
-   }
-
-   /**
-    * Set the server mode of operation. When the server property has been set to
-    * true, the security information is maintained in thread local storage. This
-    * should be called to enable property security semantics in any
-    * multi-threaded environment where more than one thread requires that
-    * security information be restricted to the thread's flow of control.
-    *
-    * If a security manager is present, then this method calls the security
-    * manager's <code>checkPermission</code> method with a <code>
-    * RuntimePermission("org.jboss.security.SecurityAssociation.setServer")
-    * </code> permission to ensure it's ok to access principal information. If
-    * not, a <code>SecurityException</code> will be thrown.
-    */
-   public static void setServer()
-   {
-      SecurityManager sm = System.getSecurityManager();
-      if (sm != null)
-         sm.checkPermission(setServerPermission);
-
-      server = true;
-   }
-
-   /**
-    * A subclass of ThreadLocal that implements a value stack using an ArrayList
-    * and implements push, pop and peek stack operations on the thread local
-    * ArrayList.
-    */
-   @SuppressWarnings( {"unchecked","unused", "rawtypes" } )
-   private static class RunAsThreadLocalStack
-   {  
-      ThreadLocal local;
-
-      RunAsThreadLocalStack(boolean threadLocal)
-      {
-         if( threadLocal == true )
-            local = new ArrayListLocal();
-         else
-            local = new ArrayListInheritableLocal();
-      }
-      
-      int size()
-      {
-         ArrayList stack = (ArrayList) local.get();
-         return stack.size();
-      }
-
-      void push(RunAsIdentity runAs)
-      {
-         ArrayList stack = (ArrayList) local.get();
-         stack.add(runAs);
-      }
- 
-      RunAsIdentity pop()
-      {
-         ArrayList stack = (ArrayList) local.get();
-         RunAsIdentity runAs = null;
-         int lastIndex = stack.size() - 1;
-         if (lastIndex >= 0)
-            runAs = (RunAsIdentity) stack.remove(lastIndex);
-         return runAs;
-      }
-
-      /**
-       * Look for the first non-null run-as identity on the stack starting
-       * with the value at depth.
-       * @return The run-as identity if one exists, null otherwise.
-       */
-      RunAsIdentity peek(int depth)
-      {
-         ArrayList stack = (ArrayList) local.get();
-         RunAsIdentity runAs = null;
-         final int stackSize = stack.size();
-         do
-         {
-            int index = stackSize - 1 - depth;
-            if( index >= 0 )
-               runAs = (RunAsIdentity) stack.get(index);
-            depth ++;
-         }
-         while (runAs == null && depth <= stackSize - 1);
-         return runAs;
-      }
-   }
-
-   /**
-    * The encapsulation of the authenticated subject
-    */ 
-   public static class SubjectContext
-   {
-      public static final int SUBJECT_WAS_SET = 1;
-      public static final int PRINCIPAL_WAS_SET = 2;
-      public static final int CREDENTIAL_WAS_SET = 4;
-
-      private Subject subject;
-      private Principal principal;
-      private Object credential;
-      private int flags;
-
-      public SubjectContext()
-      {
-         this.flags = 0;
-      }
-      public SubjectContext(Subject s, Principal p, Object cred)
-      {
-         this.subject = s;
-         this.principal = p;
-         this.credential = cred;
-         this.flags = SUBJECT_WAS_SET | PRINCIPAL_WAS_SET | CREDENTIAL_WAS_SET;
-      }
-
-      public Subject getSubject()
-      {
-         return subject;
-      }
-      public void setSubject(Subject subject)
-      {
-         this.subject = subject;
-         this.flags |= SUBJECT_WAS_SET;
-      }
-
-      public Principal getPrincipal()
-      {
-         return principal;
-      }
-      public void setPrincipal(Principal principal)
-      {
-         this.principal = principal;
-         this.flags |= PRINCIPAL_WAS_SET;
-      }
-
-      public Object getCredential()
-      {
-         return credential;
-      }
-      public void setCredential(Object credential)
-      {
-         this.credential = credential;
-         this.flags |= CREDENTIAL_WAS_SET;
-      }
-
-      public int getFlags()
-      {
-         return this.flags;
-      }
-
-      public String toString()
-      {
-         StringBuffer tmp = new StringBuffer(super.toString());
-         tmp.append("{principal=");
-         tmp.append(principal);
-         tmp.append(",subject=");
-         if( subject != null )
-            tmp.append(System.identityHashCode(subject));
-         else
-            tmp.append("null");
-         tmp.append("}");
-         return tmp.toString();
-      }
-   }
-
-   @SuppressWarnings({"unchecked", "rawtypes", "unused"})
-   private static class SubjectThreadLocalStack
-   {
-      ThreadLocal local;
-
-      SubjectThreadLocalStack(boolean threadLocal)
-      {
-         if( threadLocal == true )
-            local = new ArrayListLocal();
-         else
-            local = new ArrayListInheritableLocal();
-      }
-       
-      int size()
-      {
-         ArrayList stack = (ArrayList) local.get();
-         return stack.size();
-      }
- 
-      void push(SubjectContext context)
-      {
-         ArrayList stack = (ArrayList) local.get();
-         stack.add(context);
-      }
-
-      SubjectContext dup()
-      {
-         ArrayList stack = (ArrayList) local.get();
-         SubjectContext context = null;
-         int lastIndex = stack.size() - 1;
-         if (lastIndex >= 0)
-         {
-            context = (SubjectContext) stack.get(lastIndex);
-            stack.add(context);
-         }
-         return context;
-      }
-
-      SubjectContext pop()
-      {
-         ArrayList stack = (ArrayList) local.get();
-         SubjectContext context = null;
-         int lastIndex = stack.size() - 1;
-         if (lastIndex >= 0)
-            context = (SubjectContext) stack.remove(lastIndex);
-         return context;
-      }
-
-      /**
-       * Look for the first non-null run-as identity on the stack starting
-       * with the value at depth.
-       * @return The run-as identity if one exists, null otherwise.
-       */
-      SubjectContext peek()
-      {
-         ArrayList stack = (ArrayList) local.get();
-         SubjectContext context = null;
-         int lastIndex = stack.size() - 1;
-         if (lastIndex >= 0)
-            context = (SubjectContext) stack.get(lastIndex);
-         return context;
-      }
-      /**
-       * Remove all SubjectContext from the current thread stack
-       */ 
-      void clear()
-      {
-         ArrayList stack = (ArrayList) local.get();
-         stack.clear();
-      }
-   }
-
-   @SuppressWarnings("rawtypes")
-   private static class ArrayListLocal extends ThreadLocal
-   {
-      protected Object initialValue()
-      {
-         return new ArrayList();
-      }
-      
-   }
-
-   @SuppressWarnings({"unchecked", "rawtypes"})
-   private static class ArrayListInheritableLocal extends InheritableThreadLocal
-   {
-      /**
-       * Override to make a copy of the parent as not doing so results in multiple
-       * threads sharing the unsynchronized list of the parent thread.
-       * @param parentValue - the parent ArrayList
-       * @return a copy of the parent thread list
-       */
-      protected Object childValue(Object parentValue)
-      {
-         ArrayList list = (ArrayList) parentValue;
-         /* It seems there are scenarios where the size can change during the copy so there is
-         a fallback to an empty list here.
-         */
-         ArrayList copy = null;
-         try
-         {
-            copy = new ArrayList(list);
-         }
-         catch(Throwable t)
-         {
-            log.debug("Failed to copy parent list, using new list");
-            copy = new ArrayList();
-         }
-         return copy;
-      }
-
-      protected Object initialValue()
-      {
-         return new ArrayList();
-      }
-      
-   }
-
-   private static class HashMapInheritableLocal<T> 
-   extends InheritableThreadLocal<HashMap<String,Object>>
-   {
-      
-      /**
-       * Override to make a copy of the parent as not doing so results in multiple
-       * threads sharing the unsynchronized map of the parent thread.
-       * @param parentValue - the parent HashMap
-       * @return a copy of the parent thread map
-       */
-      @Override
-      protected HashMap<String, Object> childValue(HashMap<String, Object> parentValue)
-      {
-         HashMap<String,Object> map = (HashMap<String,Object>) parentValue;
-         /* It seems there are scenarios where the size can change during the copy so there is
-         a fallback to an empty map here.
-         */
-         HashMap<String,Object> copy = null;
-         try
-         {
-            copy = new HashMap<String,Object>(map);
-         }
-         catch(Throwable t)
-         {
-            log.debug("Failed to copy parent map, using new map");
-            copy = new HashMap<String,Object>();
-         }
-         return copy;
-      }
-
-      protected HashMap<String,Object> initialValue()
-      {
-         return new HashMap<String,Object>();
-      }      
-   }
-}
\ No newline at end of file

Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociationActions.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociationActions.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociationActions.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -49,15 +49,8 @@
          this.subject = subject;
       }
       
-      @SuppressWarnings("deprecation")
       public Object run()
       {
-         //Client Side usage
-         if(!getServer())
-         {
-            SecurityAssociation.pushSubjectContext(subject, principal, credential);
-         }
-         
          //Always create a new security context
          SecurityContext sc = null;
          try
@@ -79,30 +72,20 @@
    }
    private static class PopPrincipalInfoAction implements PrivilegedAction<Object>
    {
-      @SuppressWarnings("deprecation")
       public Object run()
       {
          if(!getServer())
-           SecurityAssociation.popSubjectContext(); 
+           popSecurityContext();
          return null;
       }
    }
-   private static class SetServerAction implements PrivilegedAction<Object>
-   {
-      static PrivilegedAction<Object> ACTION = new SetServerAction();
-      public Object run()
-      {
-         SecurityAssociation.setServer();
-         return null;
-      }
-   }
    private static class ClearAction implements PrivilegedAction<Object>
    {
       static PrivilegedAction<Object> ACTION = new ClearAction();
       public Object run()
       {
          if(!getServer())
-           SecurityAssociation.clear(); 
+           SecurityContextAssociation.clearSecurityContext(); 
          return null;
       }
    }
@@ -111,7 +94,7 @@
       static PrivilegedAction<Subject> ACTION = new GetSubjectAction();
       public Subject run()
       {
-         Subject subject = SecurityAssociation.getSubject();
+         Subject subject = SecurityContextAssociation.getSubject();
          return subject;
       }
    }
@@ -120,7 +103,7 @@
       static PrivilegedAction<Principal> ACTION = new GetPrincipalAction();
       public Principal run()
       {
-         Principal principal = SecurityAssociation.getPrincipal();
+         Principal principal = SecurityContextAssociation.getPrincipal();
          return principal;
       }
    }
@@ -129,7 +112,7 @@
       static PrivilegedAction<Object> ACTION = new GetCredentialAction();
       public Object run()
       {
-         Object credential = SecurityAssociation.getCredential();
+         Object credential = SecurityContextAssociation.getCredential();
          return credential;
       }
    }
@@ -140,11 +123,7 @@
       { 
          public Object run()
          {
-            SecurityContext sc = SecurityContextAssociation.getSecurityContext();
-            //The SecurityContext may have been cached somewhere
-            if(sc != null)
-               sc = null;
-            setSecurityContext(sc); 
+            SecurityContextAssociation.clearSecurityContext();
             return null;
          }
       });
@@ -178,7 +157,6 @@
    {
       AccessController.doPrivileged(new PrivilegedAction<Object>()
       { 
-         @SuppressWarnings("deprecation")
          public Object run()
          {
             SecurityContext sc;
@@ -192,10 +170,21 @@
                throw new RuntimeException(e);
             }
             setSecurityContext(sc);
-            //For Client Side legacy usage
-            if(getServer() == Boolean.FALSE)
+            return null;
+         }
+      });
+   }
+   
+   static void popSecurityContext()
+   {
+      AccessController.doPrivileged(new PrivilegedAction<Object>()
+      { 
+         public Object run()
+         {
+            SecurityContext sc = getSecurityContext();
+            if (sc != null)
             {
-               SecurityAssociation.pushSubjectContext(subject, p, cred);
+               sc.getUtil().createSubjectInfo(null, null, null);
             }
             return null;
          }
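Review bot: `popSecurityContext()` blanks the subject info with `createSubjectInfo(null, null, null)` instead of restoring the identity that was active before the push, which is what the removed client-side `SecurityAssociation.popSubjectContext()` did from its stack top. A client that nests logins therefore ends up with no principal or credential after the inner logout; the RestoreStack tests dropped from the suite later in this commit suggest that is intended, but nothing on the method says so. I would add a Javadoc such as `/** Clears principal, credential and subject on the current SecurityContext; a previously pushed identity is not restored. */`. `PopPrincipalInfoAction.run()` is itself a `PrivilegedAction`, so the extra `doPrivileged` here looks redundant when reached from it, though its call site is not in this hunk. The method's closing lines fall outside the hunk.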
@@ -219,7 +208,7 @@
       {
          public Boolean run()
          {
-            return SecurityAssociation.isServer();
+            return !SecurityContextAssociation.isClient();
          }
       });
    }
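Review bot: `getServer()` is now `!SecurityContextAssociation.isClient()` rather than a flag that had to be switched on through `setServer()`, so the mode a VM gets when nothing is configured depends on the initial value behind `isClient()`, which this diff does not show. `PopPrincipalInfoAction` and `ClearAction` earlier in this file only clean up when `getServer()` is false, so if the default has flipped to server, existing clients would skip that cleanup and leave the principal and credential on the security context after logout. Worth confirming the default and recording it next to this call, e.g. `// server mode == "not marked as client"; the client-only cleanup in ClearAction/PopPrincipalInfoAction relies on this`. The enclosing method starts outside the hunk.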
@@ -236,10 +225,6 @@
       });
    }
    
-   static void setServer()
-   {
-      AccessController.doPrivileged(SetServerAction.ACTION);
-   }
    static void clear()
    {
       AccessController.doPrivileged(ClearAction.ACTION);

Deleted: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociationAuthenticator.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociationAuthenticator.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/SecurityAssociationAuthenticator.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -1,112 +0,0 @@
-/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
-package org.jboss.security;
-
-import java.net.Authenticator;
-import java.net.PasswordAuthentication;
-import java.security.AccessController;
-import java.security.Principal;
-import java.security.PrivilegedAction;
-
-/** An implementation of Authenticator that obtains the username and password
- * from the current SecurityAssociation state.
- *
- * @author Scott.Stark at jboss.org
- * @version $Revision$
- */
-public class SecurityAssociationAuthenticator extends Authenticator
-{
-   protected PasswordAuthentication getPasswordAuthentication()
-   {
-      SecurityActions sa = SecurityActions.UTIL.getSecurityActions();
-      Principal principal = sa.getPrincipal();
-      Object credential = sa.getCredential();
-      String name = principal != null ? principal.getName() : null;
-      char[] password = {};
-      if( credential != null )
-      {
-         if( password.getClass().isInstance(credential) )
-            password = (char[]) credential;
-         else
-            password = credential.toString().toCharArray();
-      }
-      PasswordAuthentication auth = new PasswordAuthentication(name, password);
-      return auth;
-   }
-
-   interface SecurityActions
-   {
-      class UTIL
-      {
-         static SecurityActions getSecurityActions()
-         {
-            return System.getSecurityManager() == null ? NON_PRIVILEGED : PRIVILEGED;
-         }
-      }
-
-      SecurityActions NON_PRIVILEGED = new SecurityActions()
-      {
-         public Principal getPrincipal()
-         {
-            return SecurityAssociation.getPrincipal();
-         }
-
-         public Object getCredential()
-         {
-            return SecurityAssociation.getCredential();
-         }
-      };
-
-      SecurityActions PRIVILEGED = new SecurityActions()
-      {
-         private final PrivilegedAction<Principal> getPrincipalAction = new PrivilegedAction<Principal>()
-         {
-            public Principal run()
-            {
-               return SecurityAssociation.getPrincipal();
-            }
-         };
-
-         private final PrivilegedAction<Object> getCredentialAction = new PrivilegedAction<Object>()
-         {
-            public Object run()
-            {
-               return SecurityAssociation.getCredential();
-            }
-         };
-
-         public Principal getPrincipal()
-         {
-            return (Principal)AccessController.doPrivileged(getPrincipalAction);
-         }
-
-         public Object getCredential()
-         {
-            return AccessController.doPrivileged(getCredentialAction);
-         }
-      };
-
-      Principal getPrincipal();
-
-      Object getCredential();
-   }
-}

Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/RunAsLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/RunAsLoginModule.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/RunAsLoginModule.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -28,7 +28,8 @@
 import javax.security.auth.spi.LoginModule;
 
 import org.jboss.security.RunAsIdentity;
-import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityContextAssociation;
 
 /** A login module that establishes a run-as role for the duration of the login
  * phase of authentication. It can be used to allow another login module
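Review bot: The added `import org.jboss.security.SecurityContext;` looks unused. The other two hunks of this file only call `SecurityContextAssociation.pushRunAsIdentity` and `popRunAsIdentity`, and unchanged code could not have referenced the type without an import before this revision. Unless there is a use I cannot see, drop that line and keep only `import org.jboss.security.SecurityContextAssociation;`.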
@@ -64,7 +65,7 @@
    public boolean login()
    {
       RunAsIdentity runAsRole = new RunAsIdentity(roleName, principalName);
-      SecurityAssociation.pushRunAsIdentity(runAsRole);
+      SecurityContextAssociation.pushRunAsIdentity(runAsRole);
       pushedRole = true;
       return true;
    }
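Review bot: `login()` sets `pushedRole = true` and returns true without any sign that the run-as identity was actually installed. The removed `SecurityAssociation.pushRunAsIdentity` always pushed onto a thread stack and checked a `RuntimePermission` under a security manager; whether `SecurityContextAssociation.pushRunAsIdentity` keeps that permission check, or does anything when no security context is bound to the thread, is not visible in this diff. If it can be a no-op, the login modules that depend on this role would run without it while this module reports success. Once the behaviour is confirmed, a comment above the call should state the precondition, e.g. `// needs a SecurityContext bound to the current thread, otherwise no run-as role is in effect`.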
@@ -84,7 +85,7 @@
       if( pushedRole == false )
          return false;
 
-      SecurityAssociation.popRunAsIdentity();
+      SecurityContextAssociation.popRunAsIdentity();
       return true;
    }
 

Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/SubjectActions.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/SubjectActions.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/SubjectActions.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -38,7 +38,6 @@
 import javax.security.jacc.PolicyContextException;
 
 import org.jboss.logging.Logger;
-import org.jboss.security.SecurityAssociation;
 import org.jboss.security.SecurityConstants;
 import org.jboss.security.SecurityContext;
 import org.jboss.security.SecurityContextAssociation;
@@ -213,7 +212,7 @@
          {
             sc.getData().put(key, value);
          }
-         return SecurityAssociation.setContextInfo(key, value);
+         return SecurityContextAssociation.setContextInfo(key, value);
       }
    }
 
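Review bot: The context lines already do `sc.getData().put(key, value)` before the changed `return`, so the same key is written twice if the replacement also stores into the security context's data map, as the removed `SecurityAssociation.setContextInfo` did. In that case the value handed back as the previous mapping is the one just written, not the old one. Either capture the result of the first put and return it, or drop the explicit put and leave `return SecurityContextAssociation.setContextInfo(key, value);` as the only write. The same pattern is in the matching hunk of `plugins/auth/SubjectActions.java`; the enclosing method starts outside both hunks.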

Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/auth/SubjectActions.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/auth/SubjectActions.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/auth/SubjectActions.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -37,7 +37,6 @@
 import javax.security.jacc.PolicyContext;
 import javax.security.jacc.PolicyContextException;
 
-import org.jboss.security.SecurityAssociation;
 import org.jboss.security.SecurityConstants;
 import org.jboss.security.SecurityContext;
 import org.jboss.security.SecurityContextAssociation;
@@ -199,7 +198,7 @@
          {
             sc.getData().put(key, value);
          }
-         return SecurityAssociation.setContextInfo(key, value);
+         return SecurityContextAssociation.setContextInfo(key, value);
       }
    }
 

Modified: trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authentication/jaas/ClientLoginModuleUnitTestCase.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authentication/jaas/ClientLoginModuleUnitTestCase.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authentication/jaas/ClientLoginModuleUnitTestCase.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -36,7 +36,6 @@
 import junit.framework.TestCase;
 import junit.framework.TestSuite;
 
-import org.jboss.security.SecurityAssociation;
 import org.jboss.security.SecurityContext;
 import org.jboss.security.SecurityContextAssociation;
 import org.jboss.security.SecurityContextFactory;
@@ -45,7 +44,7 @@
 import org.jboss.security.auth.callback.UsernamePasswordHandler;
 
 /**
- ClientLoginModuleUnitTestCase/SecurityAssociation interaction tests
+ ClientLoginModuleUnitTestCase/SecurityContextAssociation interaction tests
  
  @author Scott.Stark at jboss.org
  @version $Revision: 68075 $
@@ -186,10 +185,8 @@
       TestSuite suite = new TestSuite();
       suite.addTest(new ClientLoginModuleUnitTestCase("testSingleThreaded"));
       suite.addTest(new ClientLoginModuleUnitTestCase("testSingleThreadedRestoreIdentity"));
-      suite.addTest(new ClientLoginModuleUnitTestCase("testSingleThreadedRestoreStack"));
       suite.addTest(new ClientLoginModuleUnitTestCase("testMultiThreaded"));
       suite.addTest(new ClientLoginModuleUnitTestCase("testMultiThreadedRestoreIdentity"));
-      suite.addTest(new ClientLoginModuleUnitTestCase("testMultiThreadedRestoreStack"));
       suite.addTest(new ClientLoginModuleUnitTestCase("testAbortWithRestore"));
       suite.addTest(new ClientLoginModuleUnitTestCase("testAbortWithNoRestore"));
       return suite;
@@ -203,8 +200,8 @@
    protected void setUp() throws Exception
    {
       Configuration.setConfiguration(jaasConfig);
-      //Clear SecurityAssociation
-      SecurityAssociation.clear();
+      //Clear SecurityContextAssociation
+      SecurityContextAssociation.clearSecurityContext();
    }
    protected void tearDown()
    {
@@ -221,9 +218,9 @@
       System.out.println("LC.Subject: "+subject);
       Principal theduke = new SimplePrincipal("jduke");
       assertTrue("Principals contains theduke", subject.getPrincipals().contains(theduke));
-      Principal saPrincipal = SecurityAssociation.getPrincipal();
-      assertTrue("SecurityAssociation.getPrincipal == theduke", saPrincipal.equals(theduke));
-      char[] password = (char[]) SecurityAssociation.getCredential();
+      Principal saPrincipal = SecurityContextAssociation.getPrincipal();
+      assertTrue("SecurityContextAssociation.getPrincipal == theduke", saPrincipal.equals(theduke));
+      char[] password = (char[]) SecurityContextAssociation.getCredential();
       assertTrue("password == theduke",
          Arrays.equals(password, "theduke".toCharArray()));
       
@@ -239,8 +236,11 @@
       System.out.println("+++ testSingleThreadedRestoreIdentity");
       
       Principal jduke1 = new SimplePrincipal("jduke1");
-      SecurityAssociation.setPrincipal(jduke1);
-      SecurityAssociation.setCredential("theduke1");
+      SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+      if (sc == null)
+         sc = SecurityContextFactory.createSecurityContext("test");
+      sc.getUtil().createSubjectInfo(jduke1, "theduke1", new Subject());
+      SecurityContextAssociation.setSecurityContext(sc);
 
       UsernamePasswordHandler handler = new UsernamePasswordHandler("jduke2",
          "theduke2");
@@ -251,72 +251,21 @@
       
       Principal jduke2 = new SimplePrincipal("jduke2");
       assertTrue("Principals contains jduke2", subject.getPrincipals().contains(jduke2));
-      Principal saPrincipal = SecurityAssociation.getPrincipal();
-      assertTrue("SecurityAssociation.getPrincipal == jduke2", saPrincipal.equals(jduke2));
-      char[] password = (char[]) SecurityAssociation.getCredential();
+      Principal saPrincipal = SecurityContextAssociation.getPrincipal();
+      assertTrue("SecurityContextAssociation.getPrincipal == jduke2", saPrincipal.equals(jduke2));
+      char[] password = (char[]) SecurityContextAssociation.getCredential();
       assertTrue("password == theduke2",
          Arrays.equals(password, "theduke2".toCharArray()));
 
       lc.logout();
       // Validate restored state
-      saPrincipal = SecurityAssociation.getPrincipal();
-      assertTrue("SecurityAssociation.getPrincipal == jduke1", saPrincipal.equals(jduke1));
-      String theduke1 = (String) SecurityAssociation.getCredential();
+      saPrincipal = SecurityContextAssociation.getPrincipal();
+      assertTrue("SecurityContextAssociation.getPrincipal == jduke1", saPrincipal.equals(jduke1));
+      String theduke1 = (String) SecurityContextAssociation.getCredential();
       assertTrue("password == theduke1", theduke1.equals("theduke1"));
       
    }
 
-   @SuppressWarnings("deprecation")
-   public void testSingleThreadedRestoreStack() throws Exception
-   {
-      System.out.println("+++ testSingleThreadedRestoreStack");
- 
-      Principal jduke1 = new SimplePrincipal("jduke1");
-      Subject subject1 = new Subject();
-      SecurityAssociation.pushSubjectContext(subject1, jduke1, "theduke1");
-
-      Principal jduke2 = new SimplePrincipal("jduke2");
-      Subject subject2 = new Subject();
-      SecurityAssociation.pushSubjectContext(subject2, jduke2, "theduke2");
-
-      UsernamePasswordHandler handler = new UsernamePasswordHandler("jduke3",
-         "theduke3");
-      LoginContext lc = new LoginContext("testSingleThreadedRestoreIdentity", handler);
-      lc.login();
-      Subject subject = lc.getSubject();
-      System.out.println("LC.Subject: "+subject);
-      
-      Principal jduke3 = new SimplePrincipal("jduke3");
-      assertTrue("Principals contains jduke3", subject.getPrincipals().contains(jduke3));
-      Principal saPrincipal = SecurityAssociation.getPrincipal();
-      assertTrue("SecurityAssociation.getPrincipal == jduke3", saPrincipal.equals(jduke3));
-      char[] password = (char[]) SecurityAssociation.getCredential();
-      assertTrue("password == theduke3",
-         Arrays.equals(password, "theduke3".toCharArray()));
-      SecurityAssociation.SubjectContext sc3 = SecurityAssociation.peekSubjectContext();
-      System.out.println(sc3);
-      assertTrue("SecurityAssociation.peekSubjectContext == jduke3", sc3.getPrincipal().equals(jduke3));
-      char[] theduke3 = (char[]) sc3.getCredential();
-      assertTrue("password == theduke3",
-         Arrays.equals(theduke3, "theduke3".toCharArray()));
-
-      lc.logout();
-
-      // Validate restored state
-      SecurityAssociation.SubjectContext sc2 = SecurityAssociation.peekSubjectContext();
-      System.out.println(sc2);
-      assertTrue("SecurityAssociation.peekSubjectContext == jduke2", sc2.getPrincipal().equals(jduke2));
-      String theduke2 = (String) sc2.getCredential();
-      assertTrue("password == theduke2", theduke2.equals("theduke2"));
-
-      SecurityAssociation.popSubjectContext();
-      SecurityAssociation.SubjectContext sc1 = SecurityAssociation.peekSubjectContext();
-      System.out.println(sc1);
-      assertTrue("SecurityAssociation.peekSubjectContext == jduke1", sc1.getPrincipal().equals(jduke1));
-      String theduke1 = (String) sc1.getCredential();
-      assertTrue("password == theduke1", theduke1.equals("theduke1"));
-   }
-
    public void testMultiThreaded() throws Exception
    {
       TestMultiThreaded r0 = new TestMultiThreaded();
@@ -341,15 +290,15 @@
             System.out.println("+++ testMultiThreadedRunnable");
             UsernamePasswordHandler handler = new UsernamePasswordHandler("jduke",
                "theduke");
-            LoginContext lc = new LoginContext("testSingleThreaded", handler);
+            LoginContext lc = new LoginContext("testMultiThreaded", handler);
             lc.login();
             Subject subject = lc.getSubject();
             System.out.println("LC.Subject: "+subject);
             Principal theduke = new SimplePrincipal("jduke");
             assertTrue("Principals contains theduke", subject.getPrincipals().contains(theduke));
-            Principal saPrincipal = SecurityAssociation.getPrincipal();
-            assertTrue("SecurityAssociation.getPrincipal == theduke", saPrincipal.equals(theduke));
-            char[] password = (char[]) SecurityAssociation.getCredential();
+            Principal saPrincipal = SecurityContextAssociation.getPrincipal();
+            assertTrue("SecurityContextAssociation.getPrincipal == theduke", saPrincipal.equals(theduke));
+            char[] password = (char[]) SecurityContextAssociation.getCredential();
             assertTrue("password == theduke",
                Arrays.equals(password, "theduke".toCharArray()));
          }
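Review bot: The identity assertions in this runnable may never fail the test. The removed `TestMultiThreadedRestoreStack` recorded failures with `catch(Exception e)`, and JUnit's `assertTrue` throws an `Error`, not an `Exception`. If this runnable's catch block (outside the hunk) has the same shape, a wrong principal or credential on the worker thread only ends the thread and `failure` stays null, so `assertTrue(r0.failure == null)` still passes. Declaring `Throwable failure;` and using `catch(Throwable e)` would make these checks count. The same applies to the `testMultiThreadedRestoreIdentity` runnable in the next hunk.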
@@ -384,29 +333,32 @@
             System.out.println("+++ testMultiThreadedRestoreIdentity");
       
             Principal jduke1 = new SimplePrincipal("jduke1");
-            SecurityAssociation.setPrincipal(jduke1);
-            SecurityAssociation.setCredential("theduke1");
+            SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+            if (sc == null)
+               sc = SecurityContextFactory.createSecurityContext("test");
+            sc.getUtil().createSubjectInfo(jduke1, "theduke1", new Subject());
+            SecurityContextAssociation.setSecurityContext(sc);
       
             UsernamePasswordHandler handler = new UsernamePasswordHandler("jduke2",
                "theduke2");
-            LoginContext lc = new LoginContext("testSingleThreadedRestoreIdentity", handler);
+            LoginContext lc = new LoginContext("testMultiThreadedRestoreIdentity", handler);
             lc.login();
             Subject subject = lc.getSubject();
             System.out.println("LC.Subject: "+subject);
             
             Principal jduke2 = new SimplePrincipal("jduke2");
             assertTrue("Principals contains jduke2", subject.getPrincipals().contains(jduke2));
-            Principal saPrincipal = SecurityAssociation.getPrincipal();
-            assertTrue("SecurityAssociation.getPrincipal == jduke2", saPrincipal.equals(jduke2));
-            char[] password = (char[]) SecurityAssociation.getCredential();
+            Principal saPrincipal = SecurityContextAssociation.getPrincipal();
+            assertTrue("SecurityContextAssociation.getPrincipal == jduke2", saPrincipal.equals(jduke2));
+            char[] password = (char[]) SecurityContextAssociation.getCredential();
             assertTrue("password == theduke2",
                Arrays.equals(password, "theduke2".toCharArray()));
       
             lc.logout();
             // Validate restored state
-            saPrincipal = SecurityAssociation.getPrincipal();
-            assertTrue("SecurityAssociation.getPrincipal == jduke1", saPrincipal.equals(jduke1));
-            String theduke1 = (String) SecurityAssociation.getCredential();
+            saPrincipal = SecurityContextAssociation.getPrincipal();
+            assertTrue("SecurityContextAssociation.getPrincipal == jduke1", saPrincipal.equals(jduke1));
+            String theduke1 = (String) SecurityContextAssociation.getCredential();
             assertTrue("password == theduke1", theduke1.equals("theduke1"));
       
          }
@@ -417,82 +369,6 @@
       }
    }
 
-   public void testMultiThreadedRestoreStack() throws Exception
-   {
-      TestMultiThreadedRestoreStack r0 = new TestMultiThreadedRestoreStack();
-      Thread t0 = new Thread(r0, "testMultiThreadedRestoreIdentity#0");
-      t0.start();
-      TestMultiThreadedRestoreStack r1 = new TestMultiThreadedRestoreStack();
-      Thread t1 = new Thread(r1, "testMultiThreadedRestoreIdentity#1");
-      t1.start();
-
-      t0.join();
-      assertTrue(r0.failure == null);
-      t1.join();
-      assertTrue(r1.failure == null);
-   }
-   static class TestMultiThreadedRestoreStack implements Runnable
-   {
-      Exception failure;
-      @SuppressWarnings("deprecation")
-      public void run()
-      {
-         try
-         {
-            System.out.println("+++ testMultThreadedRestoreStack");
-
-            Principal jduke1 = new SimplePrincipal("jduke1");
-            Subject subject1 = new Subject();
-            SecurityAssociation.pushSubjectContext(subject1, jduke1, "theduke1");
-
-            Principal jduke2 = new SimplePrincipal("jduke2");
-            Subject subject2 = new Subject();
-            SecurityAssociation.pushSubjectContext(subject2, jduke2, "theduke2");
-
-            UsernamePasswordHandler handler = new UsernamePasswordHandler("jduke3",
-               "theduke3");
-            LoginContext lc = new LoginContext("testSingleThreadedRestoreIdentity", handler);
-            lc.login();
-            Subject subject = lc.getSubject();
-            System.out.println("LC.Subject: "+subject);
-      
-            Principal jduke3 = new SimplePrincipal("jduke3");
-            assertTrue("Principals contains jduke3", subject.getPrincipals().contains(jduke3));
-            Principal saPrincipal = SecurityAssociation.getPrincipal();
-            assertTrue("SecurityAssociation.getPrincipal == jduke3", saPrincipal.equals(jduke3));
-            char[] password = (char[]) SecurityAssociation.getCredential();
-            assertTrue("password == theduke3",
-               Arrays.equals(password, "theduke3".toCharArray()));
-            SecurityAssociation.SubjectContext sc3 = SecurityAssociation.peekSubjectContext();
-            System.out.println(sc3);
-            assertTrue("SecurityAssociation.peekSubjectContext == jduke3", sc3.getPrincipal().equals(jduke3));
-            char[] theduke3 = (char[]) sc3.getCredential();
-            assertTrue("password == theduke3",
-               Arrays.equals(theduke3, "theduke3".toCharArray()));
-
-            lc.logout(); 
-            
-            // Validate restored state
-            SecurityAssociation.SubjectContext sc2 = SecurityAssociation.peekSubjectContext();
-            System.out.println(sc2);
-            assertTrue("SecurityAssociation.peekSubjectContext == jduke2", sc2.getPrincipal().equals(jduke2));
-            String theduke2 = (String) sc2.getCredential();
-            assertTrue("password == theduke2", theduke2.equals("theduke2"));
-
-            SecurityAssociation.popSubjectContext();
-            SecurityAssociation.SubjectContext sc1 = SecurityAssociation.peekSubjectContext();
-            System.out.println(sc1);
-            assertTrue("SecurityAssociation.peekSubjectContext == jduke1", sc1.getPrincipal().equals(jduke1));
-            String theduke1 = (String) sc1.getCredential();
-            assertTrue("password == theduke1", theduke1.equals("theduke1"));
-         }
-         catch(Exception e)
-         {
-            failure = e;
-         }
-      }
-   }
-
    //SECURITY-339: ClientLoginModule abort should not clear security context
    public void testAbortWithRestore() throws Exception
    {
@@ -600,10 +476,9 @@
       subject = lc.getSubject();
       assertNull("Subject is null", subject);
       
-      //We have to ensure that the first successful authentication has not been removed from the stack
+      //We have to ensure that the security context was cleared after abort
       currentSC = SecurityContextAssociation.getSecurityContext();
-      assertNotNull("Current Security Context is not null", currentSC);
-      this.verifySubjectInfo(currentSC);
+      assertNull("Current Security Context is not null", currentSC);
             
       //Let us go through some logout cycles
       handler = new UsernamePasswordHandler("jduke", "jduke");
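Review bot: The new assertion contradicts its own message and sits uneasily with the file's SECURITY-339 comment. `assertNull("Current Security Context is not null", currentSC)` reports "is not null" for a check that requires null, while the comment on `testAbortWithRestore` still reads `ClientLoginModule abort should not clear security context`. If dropping the earlier authenticated context after a failed login is the intended behaviour, that comment should say so and the check should read `assertNull("Current Security Context is null", currentSC);`. The following hunk repeats the same message. The test method this hunk belongs to starts outside the hunk.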
@@ -641,15 +516,9 @@
       subject = lc.getSubject();
       assertNull("Subject is null", subject);
       
-      //We have to ensure that the first successful authentication has not been removed from the stack
+      //We have to ensure that the security context was cleared after abort
       currentSC = SecurityContextAssociation.getSecurityContext();
-      assertNotNull("Current Security Context is not null", currentSC);
-      SubjectInfo subjectInfo = currentSC.getSubjectInfo();
-      assertNotNull("SubjectInfo", subjectInfo);
-      subject = subjectInfo.getAuthenticatedSubject();
-      assertNull("Subject is null", subject); 
-      assertNull("Principal on security context is null", currentSC.getUtil().getUserPrincipal());
-      assertNull("Principal on legacy security association is null", SecurityAssociation.getPrincipal());
+      assertNull("Current Security Context is not null", currentSC);
    }
    
    private void verifySubjectInfo(SecurityContext currentSC)
@@ -661,6 +530,6 @@
       Principal jduke = new SimplePrincipal("jduke");
       assertTrue("jduke exists in the subject",subject.getPrincipals().contains(jduke));
       assertEquals("jduke exists", jduke, currentSC.getUtil().getUserPrincipal());
-      assertEquals("jduke exists", jduke, SecurityAssociation.getPrincipal());
+      assertEquals("jduke exists", jduke, SecurityContextAssociation.getPrincipal());
    }
 }
\ No newline at end of file

Modified: trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authentication/jaas/LoginModulesUnitTestCase.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authentication/jaas/LoginModulesUnitTestCase.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authentication/jaas/LoginModulesUnitTestCase.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -38,7 +38,7 @@
 
 import org.jboss.crypto.CryptoUtil;
 import org.jboss.logging.Logger;
-import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityContextAssociation;
 import org.jboss.security.SimpleGroup;
 import org.jboss.security.SimplePrincipal;
 import org.jboss.security.auth.callback.UsernamePasswordHandler;
@@ -338,17 +338,17 @@
      Subject subject = lc.getSubject();
      Principal scott = new SimplePrincipal("scott");
      assertTrue("Principals contains scott", subject.getPrincipals().contains(scott));
-     Principal saPrincipal = SecurityAssociation.getPrincipal();
+     Principal saPrincipal = SecurityContextAssociation.getPrincipal();
      assertTrue("SecurityAssociation.getPrincipal == scott", saPrincipal.equals(scott));
 
      UsernamePasswordHandler handler2 = new UsernamePasswordHandler("scott2", "secret2".toCharArray());
      LoginContext lc2 = new LoginContext("testClientLogin", handler2);
      lc2.login();
      Principal scott2 = new SimplePrincipal("scott2");
-     saPrincipal = SecurityAssociation.getPrincipal();
+     saPrincipal = SecurityContextAssociation.getPrincipal();
      assertTrue("SecurityAssociation.getPrincipal == scott2", saPrincipal.equals(scott2));
      lc2.logout();
-     saPrincipal = SecurityAssociation.getPrincipal();
+     saPrincipal = SecurityContextAssociation.getPrincipal();
      assertTrue("SecurityAssociation.getPrincipal == scott", saPrincipal.equals(scott));
      
      lc.logout();      

Modified: trunk/security-spi/spi/src/main/java/org/jboss/security/SecurityContextAssociation.java
===================================================================
--- trunk/security-spi/spi/src/main/java/org/jboss/security/SecurityContextAssociation.java	2011-05-17 18:09:07 UTC (rev 221)
+++ trunk/security-spi/spi/src/main/java/org/jboss/security/SecurityContextAssociation.java	2011-05-23 14:45:33 UTC (rev 222)
@@ -22,9 +22,13 @@
 package org.jboss.security;
  
 import java.security.AccessController;
+import java.security.Principal;
 import java.security.PrivilegedAction;
 
+import javax.security.auth.Subject;
+
 import org.jboss.security.SecurityContext;
+import org.jboss.security.RunAs;
 
 
 /**
@@ -51,6 +55,15 @@
    private static RuntimePermission ClearSecurityContextPermission = 
       new RuntimePermission("org.jboss.security.clearSecurityContext");
    
+   private static final RuntimePermission SetRunAsIdentity =
+      new RuntimePermission("org.jboss.security.setRunAsRole");
+   
+   private static final RuntimePermission GetContextInfo =
+      new RuntimePermission("org.jboss.security.accessContextInfo", "get");
+
+   private static final RuntimePermission SetContextInfo =
+      new RuntimePermission("org.jboss.security.accessContextInfo", "set");
+   
    /**
     * Flag to indicate whether threads that are spawned inherit the security context from parent
     * Set this to false if you do not want inheritance. By default the context is inherited.
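Review bot: `GetContextInfo` and `SetContextInfo` cannot be told apart by a security policy, because `RuntimePermission` ignores its actions argument and permissions of this class are matched by name only. A grant of `org.jboss.security.accessContextInfo` intended for reading therefore also permits `setContextInfo`. If read and write access are meant to be separable, the two permissions need distinct names, for example `new RuntimePermission("org.jboss.security.getContextInfo")` and `new RuntimePermission("org.jboss.security.setContextInfo")`. That changes what existing policy files must grant, so it would need a migration note.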
@@ -150,8 +163,106 @@
       else
          securityContextLocal.remove();
    }
-    
    
+   /**
+    * Pushes a RunAs identity
+    * 
+    * @param runAs
+    */
+   public static void pushRunAsIdentity(RunAs runAs)
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if (sm != null)
+         sm.checkPermission(SetRunAsIdentity);
+      
+      SecurityContext sc = getSecurityContext();
+      if (sc != null)
+      {
+         sc.setOutgoingRunAs(runAs);
+      }
+   }
+   
+   /**
+    * Pops a RunAs identity
+    * 
+    * @return
+    */
+   public static RunAs popRunAsIdentity()
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if (sm != null)
+         sm.checkPermission(SetRunAsIdentity);
+      
+      SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+      RunAs ra = null;
+      if (sc != null)
+      {
+         ra = (RunAs) sc.getOutgoingRunAs();
+         sc.setOutgoingRunAs(null);
+      }
+      return ra;
+   }
+   
+   /**
+    * Look at the current thread of control's run-as identity
+    */
+   public static RunAs peekRunAsIdentity()
+   {
+      RunAs ra = null;
+      SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+      if (sc != null)
+      {
+         ra = (RunAs) sc.getOutgoingRunAs();
+      }
+      return ra;
+   }
+   
+   /**
+    * Get the current thread context info. If a security manager is present,
+    * then this method calls the security manager's <code>checkPermission</code>
+    * method with a <code> RuntimePermission("org.jboss.security.accessContextInfo",
+    * "get") </code> permission to ensure it's ok to access context information.
+    * If not, a <code>SecurityException</code> will be thrown.
+    * @param key - the context key
+    * @return the mapping for the key in the current thread context
+    */
+   public static Object getContextInfo(String key)
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if (sm != null)
+         sm.checkPermission(GetContextInfo);
+
+      if (key == null)
+         throw new IllegalArgumentException("key is null");
+      //SECURITY-459 get it from the current security context
+      SecurityContext sc = getSecurityContext();
+      if (sc != null)
+         return sc.getData().get(key);
+      return null;
+   }
+   
+   /**
+    * Set the current thread context info. If a security manager is present,
+    * then this method calls the security manager's <code>checkPermission</code>
+    * method with a <code> RuntimePermission("org.jboss.security.accessContextInfo",
+    * "set") </code> permission to ensure it's ok to access context information.
+    * If not, a <code>SecurityException</code> will be thrown.
+    * @param key - the context key
+    * @param value - the context value to associate under key
+    * @return the previous mapping for the key if one exists
+    */
+   public static Object setContextInfo(String key, Object value)
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if (sm != null)
+         sm.checkPermission(SetContextInfo);
+
+      SecurityContext sc = getSecurityContext();
+      if (sc != null)
+         return sc.getData().put(key, value);
+      return null;
+   }
+   
    private static String getSystemProperty(final String propertyName, final String defaultString)
    {
       return AccessController.doPrivileged(new PrivilegedAction<String>()
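Review bot: `pushRunAsIdentity` and `popRunAsIdentity` do not behave as a stack: push overwrites the context's single outgoing RunAs and pop sets it to null, so after a nested push and pop the outer run-as identity is gone instead of restored. Push also does nothing, without any signal to the caller, when no security context is associated with the thread. If a single level is the intended contract, the Javadoc should state it, e.g. `Replaces the outgoing RunAs of the current security context; the previous value is not kept and is not restored by popRunAsIdentity.` The empty `@param runAs` and `@return` tags should be filled in at the same time.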
@@ -162,4 +273,88 @@
          }
       });
    }
+   
+   public static Subject getSubject()
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if (sm != null)
+         sm.checkPermission(GetSecurityContextPermission);
+      
+      SecurityContext sc = getSecurityContext();
+      if (sc != null)
+         return sc.getUtil().getSubject();
+      return null;
+   }
+   
+   public static Principal getPrincipal()
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if (sm != null)
+         sm.checkPermission(GetSecurityContextPermission);
+      
+      SecurityContext sc = getSecurityContext();
+      if (sc != null)
+         return sc.getUtil().getUserPrincipal();
+      return null;
+   }
+   
+   public static void setPrincipal(Principal principal)
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if (sm != null)
+         sm.checkPermission(SetSecurityContextPermission);
+
+      SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
+      if (securityContext == null)
+      {
+         try
+         {
+            securityContext = SecurityContextFactory.createSecurityContext("CLIENT_SIDE");
+         }
+         catch (Exception e)
+         {
+            throw new RuntimeException(e);
+         }
+         SecurityContextAssociation.setSecurityContext(securityContext);
+      }
+      Object credential = securityContext.getUtil().getCredential();
+      Subject subj = securityContext.getUtil().getSubject();
+      securityContext.getUtil().createSubjectInfo(principal, credential, subj);
+   }
+   
+   public static Object getCredential()
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if (sm != null)
+         sm.checkPermission(GetSecurityContextPermission);
+      
+      SecurityContext sc = getSecurityContext();
+      if (sc != null)
+         return sc.getUtil().getCredential();
+      return null;
+   }
+   
+   public static void setCredential(Object credential)
+   {
+      SecurityManager sm = System.getSecurityManager();
+      if (sm != null)
+         sm.checkPermission(SetSecurityContextPermission);
+      
+      SecurityContext securityContext = SecurityContextAssociation.getSecurityContext();
+      if (securityContext == null)
+      {
+         try
+         {
+            securityContext = SecurityContextFactory.createSecurityContext("CLIENT_SIDE");
+         }
+         catch (Exception e)
+         {
+            throw new RuntimeException(e);
+         }
+         SecurityContextAssociation.setSecurityContext(securityContext);
+      }
+      Principal principal = securityContext.getUtil().getUserPrincipal();
+      Subject subj = securityContext.getUtil().getSubject();
+      securityContext.getUtil().createSubjectInfo(principal, credential, subj);
+   }
 }
\ No newline at end of file
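Review bot: `setPrincipal` and `setCredential` each rebuild the subject info from one new value plus whatever the context already holds, so after `setPrincipal(p)` the context pairs `p` with the previous credential and Subject until `setCredential` is called. None of the five new public methods has Javadoc. It should state this and direct callers that switch identity to a single `createSubjectInfo(principal, credential, subject)` call, as the updated tests do. The identical create-if-absent block in both setters could move into one private helper, which would also keep the `"CLIENT_SIDE"` domain name in one place.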


