Author: clebert.suconic(a)jboss.com
Date: 2010-06-11 18:18:59 -0400 (Fri, 11 Jun 2010)
New Revision: 9309
Modified:
trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java
Log:
Security manager changes
Modified:
trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java
===================================================================
---
trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java 2010-06-11
15:36:20 UTC (rev 9308)
+++
trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java 2010-06-11
22:18:59 UTC (rev 9309)
@@ -13,7 +13,9 @@
package org.hornetq.integration.jboss.security;
+import java.security.AccessController;
import java.security.Principal;
+import java.security.PrivilegedAction;
import java.util.HashSet;
import java.util.Set;
@@ -88,9 +90,9 @@
final Set<Role> roles,
final CheckType checkType)
{
- if(allowClientLogin && SecurityContextAssociation.isClient())
+ if (allowClientLogin && SecurityContextAssociation.isClient())
{
- return authoriseOnClientLogin? useClientAuthentication(roles, checkType):true;
+ return authoriseOnClientLogin ? useClientAuthentication(roles, checkType) :
true;
}
else
{
@@ -98,63 +100,85 @@
}
}
- private boolean useConnectionAuthentication(final String user, final String password,
final Set<Role> roles, final CheckType checkType)
+ private boolean useConnectionAuthentication(final String user,
+ final String password,
+ final Set<Role> roles,
+ final CheckType checkType)
{
- SimplePrincipal principal = user == null ? null : new SimplePrincipal(user);
+ return AccessController.doPrivileged(new PrivilegedAction<Boolean>()
+ {
+ public Boolean run()
+ {
- char[] passwordChars = null;
+ SimplePrincipal principal = user == null ? null : new SimplePrincipal(user);
- if (password != null)
- {
- passwordChars = password.toCharArray();
- }
+ char[] passwordChars = null;
- Subject subject = new Subject();
+ if (password != null)
+ {
+ passwordChars = password.toCharArray();
+ }
- boolean authenticated = authenticationManager.isValid(principal, passwordChars,
subject);
- // Authenticate. Successful authentication will place a new SubjectContext on
thread local,
- // which will be used in the authorization process. However, we need to make sure
we clean up
- // thread local immediately after we used the information, otherwise some other
people
- // security my be screwed up, on account of thread local security stack being
corrupted.
- if (authenticated)
- {
- pushSecurityContext(principal, passwordChars, subject);
- Set<Principal> rolePrincipals = getRolePrincipals(checkType, roles);
+ Subject subject = new Subject();
- authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);
+ boolean authenticated = authenticationManager.isValid(principal,
passwordChars, subject);
+ // Authenticate. Successful authentication will place a new SubjectContext on
thread local,
+ // which will be used in the authorization process. However, we need to make
sure we clean up
+ // thread local immediately after we used the information, otherwise some
other people
+ // security my be screwed up, on account of thread local security stack being
corrupted.
+ if (authenticated)
+ {
+ pushSecurityContext(principal, passwordChars, subject);
+ Set<Principal> rolePrincipals = getRolePrincipals(checkType,
roles);
- if (trace)
- {
- JBossASSecurityManager.log.trace("user " + user + (authenticated ?
" is " : " is NOT ") + "authorized");
+ authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);
+
+ if (trace)
+ {
+ JBossASSecurityManager.log.trace("user " + user +
+ (authenticated ? " is " :
" is NOT ") +
+ "authorized");
+ }
+ popSecurityContext();
+ }
+ return authenticated;
}
- popSecurityContext();
- }
- return authenticated;
+ });
}
private boolean useClientAuthentication(final Set<Role> roles, final CheckType
checkType)
{
- SecurityContext sc = SecurityContextAssociation.getSecurityContext();
- Principal principal = sc.getUtil().getUserPrincipal();
+ return AccessController.doPrivileged(new PrivilegedAction<Boolean>()
+ {
+ public Boolean run()
+ {
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ Principal principal = sc.getUtil().getUserPrincipal();
- char[] passwordChars = (char[]) sc.getUtil().getCredential();
+ char[] passwordChars = (char[])sc.getUtil().getCredential();
- Subject subject = sc.getSubjectInfo().getAuthenticatedSubject();
+ Subject subject = sc.getSubjectInfo().getAuthenticatedSubject();
- boolean authenticated = authenticationManager.isValid(principal, passwordChars,
subject);
+ boolean authenticated = authenticationManager.isValid(principal,
passwordChars, subject);
- if (authenticated)
- {
- Set<Principal> rolePrincipals = getRolePrincipals(checkType, roles);
+ if (authenticated)
+ {
+ Set<Principal> rolePrincipals = getRolePrincipals(checkType,
roles);
- authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);
+ authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);
- if (trace)
- {
- JBossASSecurityManager.log.trace("user " + principal.getName() +
(authenticated ? " is " : " is NOT ") + "authorized");
+ if (trace)
+ {
+ JBossASSecurityManager.log.trace("user " +
principal.getName() +
+ (authenticated ? " is " :
" is NOT ") +
+ "authorized");
+ }
+ }
+ return authenticated;
}
- }
- return authenticated;
+
+ });
+
}
private void popSecurityContext()