[jboss-cvs] JBoss Messaging SVN: r8441 - branches/JBossMessaging_1_4_6_GA_JBPAPP-6739/src/main/org/jboss/jms/server/container.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Fri Sep 16 10:06:15 EDT 2011
Author: dehort
Date: 2011-09-16 10:06:15 -0400 (Fri, 16 Sep 2011)
New Revision: 8441
Modified:
branches/JBossMessaging_1_4_6_GA_JBPAPP-6739/src/main/org/jboss/jms/server/container/SecurityActions.java
branches/JBossMessaging_1_4_6_GA_JBPAPP-6739/src/main/org/jboss/jms/server/container/SecurityAspect.java
Log:
Adding some privileged blocks that are required when running under the java security manager
[JBPAPP-6739]
Modified: branches/JBossMessaging_1_4_6_GA_JBPAPP-6739/src/main/org/jboss/jms/server/container/SecurityActions.java
===================================================================
--- branches/JBossMessaging_1_4_6_GA_JBPAPP-6739/src/main/org/jboss/jms/server/container/SecurityActions.java 2011-09-16 13:58:30 UTC (rev 8440)
+++ branches/JBossMessaging_1_4_6_GA_JBPAPP-6739/src/main/org/jboss/jms/server/container/SecurityActions.java 2011-09-16 14:06:15 UTC (rev 8441)
@@ -24,11 +24,19 @@
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
+import java.util.Set;
import org.jboss.security.SecurityAssociation;
+import org.jboss.jms.server.SecurityStore;
+import org.jboss.jms.server.security.SecurityMetadata;
+import org.jboss.jms.server.security.CheckType;
+import java.security.Principal;
+import javax.jms.JMSSecurityException;
/** A collection of privileged actions for this package
* @author Scott.Stark at jboss.org
@@ -83,6 +91,57 @@
}
);
}
+
+ public SecurityMetadata getSecurityMetadata( final SecurityStore sm,
+ final boolean isQueue,
+ final String name )
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<SecurityMetadata>() {
+ public SecurityMetadata run() {
+ return sm.getSecurityMetadata(isQueue, name);
+ }
+ });
+ }
+
+ public void authenticate( final SecurityStore sm,
+ final String username,
+ final String password ) throws JMSSecurityException
+ {
+ try
+ {
+ AccessController.doPrivileged(new PrivilegedExceptionAction()
+ {
+ public Object run() throws Exception {
+ sm.authenticate(username, password);
+ return null;
+ }
+ });
+ }
+ catch( PrivilegedActionException pae )
+ {
+ throw new JMSSecurityException(pae.toString());
+ }
+ }
+
+ public boolean authorize( final SecurityStore sm,
+ final String username,
+ final Set principals,
+ final CheckType checkType ) throws JMSSecurityException
+ {
+ try
+ {
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<Boolean>() {
+ public Boolean run() throws Exception {
+ return sm.authorize(username, principals, checkType);
+ }
+ });
+ }
+ catch( PrivilegedActionException pae )
+ {
+ throw new JMSSecurityException(pae.toString());
+ }
+ }
+
};
PrincipalInfoAction NON_PRIVILEGED = new PrincipalInfoAction()
@@ -99,11 +158,45 @@
{
SecurityAssociation.popSubjectContext();
}
+ public SecurityMetadata getSecurityMetadata( final SecurityStore sm,
+ final boolean isQueue,
+ final String name )
+ {
+ return sm.getSecurityMetadata(isQueue, name);
+ }
+ public void authenticate( final SecurityStore sm,
+ final String username,
+ final String password ) throws JMSSecurityException
+ {
+ sm.authenticate(username, password);
+ }
+
+ public boolean authorize( final SecurityStore sm,
+ final String username,
+ final Set principals,
+ final CheckType checkType ) throws JMSSecurityException
+ {
+ return sm.authorize(username, principals, checkType);
+ }
+
};
void push(Principal principal, Object credential, Subject subject);
void dup();
void pop();
+
+ public SecurityMetadata getSecurityMetadata( final SecurityStore sm,
+ final boolean isQueue,
+ final String name );
+
+ public void authenticate( final SecurityStore sm,
+ final String username,
+ final String password ) throws JMSSecurityException;
+
+ public boolean authorize( final SecurityStore sm,
+ final String username,
+ final Set principals,
+ final CheckType checkType ) throws JMSSecurityException;
}
static void pushSubjectContext(Principal principal, Object credential,
@@ -130,4 +223,48 @@
PrincipalInfoAction.PRIVILEGED.pop();
}
}
+
+ static SecurityMetadata getSecurityMetadata( final SecurityStore sm,
+ final boolean isQueue,
+ final String name )
+ {
+ if(System.getSecurityManager() == null)
+ {
+ return PrincipalInfoAction.NON_PRIVILEGED.getSecurityMetadata( sm, isQueue, name );
+ }
+ else
+ {
+ return PrincipalInfoAction.PRIVILEGED.getSecurityMetadata( sm, isQueue, name );
+ }
+ }
+
+ static void authenticate( final SecurityStore sm,
+ final String username,
+ final String password ) throws JMSSecurityException
+ {
+ if(System.getSecurityManager() == null)
+ {
+ PrincipalInfoAction.NON_PRIVILEGED.authenticate( sm, username, password);
+ }
+ else
+ {
+ PrincipalInfoAction.PRIVILEGED.authenticate( sm, username, password );
+ }
+ }
+
+ static public boolean authorize( final SecurityStore sm,
+ final String username,
+ final Set principals,
+ final CheckType checkType ) throws JMSSecurityException
+ {
+ if(System.getSecurityManager() == null)
+ {
+ return PrincipalInfoAction.NON_PRIVILEGED.authorize( sm, username, principals, checkType );
+ }
+ else
+ {
+ return PrincipalInfoAction.PRIVILEGED.authorize( sm, username, principals, checkType );
+ }
+ }
+
}
Modified: branches/JBossMessaging_1_4_6_GA_JBPAPP-6739/src/main/org/jboss/jms/server/container/SecurityAspect.java
===================================================================
--- branches/JBossMessaging_1_4_6_GA_JBPAPP-6739/src/main/org/jboss/jms/server/container/SecurityAspect.java 2011-09-16 13:58:30 UTC (rev 8440)
+++ branches/JBossMessaging_1_4_6_GA_JBPAPP-6739/src/main/org/jboss/jms/server/container/SecurityAspect.java 2011-09-16 14:06:15 UTC (rev 8441)
@@ -29,6 +29,10 @@
import javax.jms.JMSSecurityException;
import javax.jms.Message;
+import java.security.AccessController;
+import java.security.Principal;
+import java.security.PrivilegedAction;
+
import org.jboss.aop.joinpoint.Invocation;
import org.jboss.aop.joinpoint.MethodInvocation;
import org.jboss.jms.destination.JBossDestination;
@@ -277,12 +281,13 @@
return;
}
- boolean isQueue = jbd.isQueue();
- String name = jbd.getName();
+ final boolean isQueue = jbd.isQueue();
+ final String name = jbd.getName();
- SecurityStore sm = conn.getSecurityManager();
- SecurityMetadata securityMetadata = sm.getSecurityMetadata(isQueue, name);
+ final SecurityStore sm = conn.getSecurityManager();
+ SecurityMetadata securityMetadata = SecurityActions.getSecurityMetadata(sm, isQueue, name);
+
if (securityMetadata == null)
{
throw new JMSSecurityException("No security configuration avaliable for " + name);
@@ -292,16 +297,21 @@
// which will be used in the authorization process. However, we need to make sure we clean up
// thread local immediately after we used the information, otherwise some other people
// security my be screwed up, on account of thread local security stack being corrupted.
-
- sm.authenticate(conn.getUsername(), conn.getPassword());
+ final String username = conn.getUsername();
+ final String password = conn.getPassword();
+
+ SecurityActions.authenticate(sm, username, password);
+
// Authorize
- Set principals = checkType == CheckType.READ ? securityMetadata.getReadPrincipals() :
+ final Set principals = checkType == CheckType.READ ? securityMetadata.getReadPrincipals() :
checkType == CheckType.WRITE ? securityMetadata.getWritePrincipals() :
securityMetadata.getCreatePrincipals();
try
{
- if (!sm.authorize(conn.getUsername(), principals, checkType))
+ final CheckType tmpCheckType = checkType;
+
+ if (!SecurityActions.authorize(sm, conn.getUsername(), principals, checkType))
{
String msg = "User: " + conn.getUsername() +
" is not authorized to " +
More information about the jboss-cvs-commits
mailing list