[teiid-commits] teiid SVN: r732 - in trunk/server/src: main/java/com/metamatrix/platform/security/membership/service and 2 other directories.
teiid-commits at lists.jboss.org
Wed Apr 8 16:38:18 EDT 2009
Author: shawkins
Date: 2009-04-08 16:38:18 -0400 (Wed, 08 Apr 2009)
New Revision: 732
Modified:
trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java
trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java
trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties
trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java
Log:
TEIID-476 adding a property to restrict root logons
Modified: trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java
===================================================================
--- trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java 2009-04-08 15:36:10 UTC (rev 731)
+++ trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java 2009-04-08 20:38:18 UTC (rev 732)
@@ -64,6 +64,7 @@
public static final String ADMIN_PASSWORD = ConfigurationPropertyNames.MEMBERSHIP_ADMIN_PASSWORD;
public static final String ADMIN_USERNAME = ConfigurationPropertyNames.MEMBERSHIP_ADMIN_USERNAME;
public static final String DOMAIN_ACTIVE = "activate"; //$NON-NLS-1$
+ public static final String ADMIN_HOSTS = "metamatrix.security.admin.allowedHosts"; //$NON-NLS-1$
public static final String SECURITY_ENABLED = ConfigurationPropertyNames.MEMBERSHIP_SECURITY_ENABLED;
public static final String DOMAIN_PROPERTIES = "propertiesFile"; //$NON-NLS-1$
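Review bot: The new ADMIN_HOSTS constant has no Javadoc, and its name ("allowedHosts") does not tell a configurer that the value is compiled as a java.util.regex Pattern and matched in full against the client's address, not a host name or a comma-separated list. A comment on the constant would avoid misconfiguration, e.g. `/** Regular expression that the client address must fully match for the admin user to log in; unset or empty means no address restriction. */`. The restriction is only applied when security is enabled, which is worth stating in the same comment.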
Modified: trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java
===================================================================
--- trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java 2009-04-08 15:36:10 UTC (rev 731)
+++ trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java 2009-04-08 20:38:18 UTC (rev 732)
@@ -38,7 +38,10 @@
import java.util.List;
import java.util.Properties;
import java.util.Set;
+import java.util.regex.Pattern;
+import org.teiid.dqp.internal.process.DQPWorkContext;
+
import com.metamatrix.admin.api.exception.security.MetaMatrixSecurityException;
import com.metamatrix.api.exception.security.InvalidPrincipalException;
import com.metamatrix.api.exception.security.InvalidUserException;
@@ -111,6 +114,8 @@
private String adminUsername = DEFAULT_ADMIN_USERNAME;
private String adminCredentials;
+ private Pattern allowedAddresses;
+
private boolean isSecurityEnabled = true;
public MembershipServiceImpl() {
@@ -137,6 +142,11 @@
throw new ServiceException(PlatformPlugin.Util.getString("MembershipServiceImpl.Root_password_required")); //$NON-NLS-1$
}
+ String property = env.getProperty(ADMIN_HOSTS);
+ if (property != null && property.length() > 0) {
+ this.allowedAddresses = Pattern.compile(property);
+ }
+
isSecurityEnabled = Boolean.valueOf(env.getProperty(SECURITY_ENABLED)).booleanValue();
LogManager.logDetail(LogSecurityConstants.CTX_MEMBERSHIP, "Security Enabled: " + isSecurityEnabled); //$NON-NLS-1$
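Review bot: `Pattern.compile(property)` on the added line throws PatternSyntaxException for a malformed ADMIN_HOSTS value, so a bad regex escapes initialization as an unchecked exception instead of the ServiceException this method raises for its other configuration errors (see the root-password check just above). Wrap the compile in `catch (PatternSyntaxException e)` and rethrow as a ServiceException that carries the offending property value and the cause, so the failure is reported the same way as the other configuration problems. The `property.length() > 0` guard also lets a whitespace-only value through as a pattern that can never match a real address; trimming first would make that case behave like "unset". The enclosing initialization method starts and ends outside this hunk.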
@@ -266,6 +276,14 @@
protected void killService() {
this.shutdownDomains();
}
+
+ void setAllowedAddresses(Pattern allowedAddresses) {
+ this.allowedAddresses = allowedAddresses;
+ }
+
+ void setAdminCredentials(String adminCredentials) {
+ this.adminCredentials = adminCredentials;
+ }
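Review bot: setAllowedAddresses and setAdminCredentials are package-private setters added next to killService with no Javadoc saying why they exist, and a reader of MembershipServiceImpl cannot tell they are test hooks rather than runtime configuration entry points. Add a one-line comment to each, e.g. `/** Test hook: overrides the address pattern read from {@code ADMIN_HOSTS} during initialization. */`, and similarly for the credentials setter, so nobody wires them into production code paths.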
/**
* Authenticate a user with the specified username and credential
@@ -306,6 +324,17 @@
}
if (isSuperUser(username)) {
+ if (isSecurityEnabled && allowedAddresses != null) {
+ String address = DQPWorkContext.getWorkContext().getClientAddress();
+ if (address == null) {
+ LogManager.logWarning(LogSecurityConstants.CTX_MEMBERSHIP, PlatformPlugin.Util.getString("MembershipServiceImpl.unknown_host")); //$NON-NLS-1$
+ return new FailedAuthenticationToken();
+ }
+ if (!allowedAddresses.matcher(address).matches() || address.equals(CurrentConfiguration.getInstance().getHostAddress().getHostAddress())) {
+ LogManager.logWarning(LogSecurityConstants.CTX_MEMBERSHIP, PlatformPlugin.Util.getString("MembershipServiceImpl.invalid_host", address, allowedAddresses.pattern())); //$NON-NLS-1$
+ return new FailedAuthenticationToken();
+ }
+ }
// decrypt admin password for comparison
if ((credential != null && adminCredentials.equals(String.valueOf(credential.getCredentialsAsCharArray())))) {
return new SuccessfulAuthenticationToken(trustedPayload, username);
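Review bot: The second disjunct on the `if (!allowedAddresses.matcher(address).matches() || address.equals(CurrentConfiguration.getInstance().getHostAddress().getHostAddress()))` line rejects a root logon whose client address equals what appears to be the server's own host address even when that address matches the configured pattern, and the warning then reports that the address is not in the allowed values, which misstates the reason. If rejecting the server's own address is intended, give it its own log message so an operator can diagnose it; if the intent was the opposite (always permit logons from the server's own address), the condition should read `if (!allowedAddresses.matcher(address).matches() && !address.equals(CurrentConfiguration.getInstance().getHostAddress().getHostAddress()))`. The address comes from `DQPWorkContext.getWorkContext().getClientAddress()`, so a comment stating which layer populates it and that a null value is treated as a failed logon would help the next reader. authenticateUser starts and ends outside this hunk.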
Modified: trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties
===================================================================
--- trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties 2009-04-08 15:36:10 UTC (rev 731)
+++ trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties 2009-04-08 20:38:18 UTC (rev 732)
@@ -1267,6 +1267,8 @@
MembershipServiceImpl.Decrypt_failed=Could not decrypt the encrypted password for user ''{0}''
MembershipServiceImpl.source_exception=Membership Domain ''{0}'' failed to perform the desired operation, please check the settings for this domain
MembershipServiceImpl.load_error=Could not load file ''{0}'' from the classpath, the file system, or as a URL.
+MembershipServiceImpl.unknown_host=Did not allow root user authentication attempt, since root logons are restricted and could not determine the remote host.
+MembershipServiceImpl.invalid_host=Could not authenticate root user, since the client address {0} is not in the allowed values {1}
LDAPMembershipDomain.No_annonymous=Annonymous user authentications are not allowed in domain {0}
LDAPMembershipDomain.Required_property=Required property {0} was missing.
Modified: trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java
===================================================================
--- trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java 2009-04-08 15:36:10 UTC (rev 731)
+++ trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java 2009-04-08 20:38:18 UTC (rev 732)
@@ -23,9 +23,12 @@
package com.metamatrix.platform.security.membership.service;
import java.util.Properties;
+import java.util.regex.Pattern;
import junit.framework.TestCase;
+import org.teiid.dqp.internal.process.DQPWorkContext;
+
import com.metamatrix.api.exception.security.InvalidPrincipalException;
import com.metamatrix.common.util.crypto.CryptoUtil;
import com.metamatrix.platform.security.api.Credentials;
@@ -86,6 +89,26 @@
return membershipService;
}
+ public void testSuperAuthenticate() throws Exception {
+ MembershipServiceImpl membershipService = createMembershipService();
+ membershipService.setAllowedAddresses(Pattern.compile("192[.]168[.]0[.]2")); //$NON-NLS-1$
+ membershipService.setAdminCredentials("pass1"); //$NON-NLS-1$
+
+ AuthenticationToken at = membershipService.authenticateUser(MembershipServiceImpl.DEFAULT_ADMIN_USERNAME, new Credentials("pass1".toCharArray()), null, null); //$NON-NLS-1$ //$NON-NLS-2$
+
+ assertFalse(at.isAuthenticated());
+ DQPWorkContext.getWorkContext().setClientAddress("192.168.0.1"); //$NON-NLS-1$
+ at = membershipService.authenticateUser(MembershipServiceImpl.DEFAULT_ADMIN_USERNAME, new Credentials("pass1".toCharArray()), null, null); //$NON-NLS-1$ //$NON-NLS-2$
+
+ assertFalse(at.isAuthenticated());
+ DQPWorkContext.getWorkContext().setClientAddress("192.168.0.2"); //$NON-NLS-1$
+ at = membershipService.authenticateUser(MembershipServiceImpl.DEFAULT_ADMIN_USERNAME, new Credentials("pass1".toCharArray()), null, null); //$NON-NLS-1$ //$NON-NLS-2$
+
+ assertTrue(at.isAuthenticated());
+ }
+
+
+
public void testGetPrincipal() throws Exception {
MembershipServiceImpl membershipService = createMembershipService();
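Review bot: testSuperAuthenticate sets the client address on `DQPWorkContext.getWorkContext()` and never resets it, while its first assertFalse relies on that address being unset, so if the work context is bound to the thread (as the static accessor suggests) the outcome depends on test ordering and the value 192.168.0.2 leaks into later tests on the same thread. Reset it in a finally block or in tearDown, e.g. `DQPWorkContext.getWorkContext().setClientAddress(null);`. The test also never exercises the branch that compares the client address with the server's own host address, so that part of the new check is unverified.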