Author: ataylor
Date: 2010-05-11 07:08:05 -0400 (Tue, 11 May 2010)
New Revision: 9225
Modified:
trunk/docs/user-manual/en/security.xml
trunk/src/config/jboss-as-5/clustered/hornetq-jboss-beans.xml
trunk/src/config/jboss-as-5/non-clustered/hornetq-jboss-beans.xml
trunk/src/config/jboss-as-6/clustered/hornetq-jboss-beans.xml
trunk/src/config/jboss-as-6/non-clustered/hornetq-jboss-beans.xml
trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java
Log:
https://jira.jboss.org/jira/browse/HORNETQ-340 - fixed jboss security manager to allow
client login propagation
Modified: trunk/docs/user-manual/en/security.xml
===================================================================
--- trunk/docs/user-manual/en/security.xml 2010-05-11 00:51:32 UTC (rev 9224)
+++ trunk/docs/user-manual/en/security.xml 2010-05-11 11:08:05 UTC (rev 9225)
@@ -261,6 +261,20 @@
<para>Take a look at one of the default
<literal>hornetq-jboss-beans.xml</literal> files for
JBoss Application Server that are bundled in the distribution for an example
of how this
is configured.</para>
+ <section>
+ <title>Configuring Client Login</title>
+ <para>JBoss can be configured to allow client login, basically this is
when a JEE component such as a Servlet
+ or EJB sets security credentials on the current security context and these
are used throughout the call.
+ If you would like these credentials to be used by HornetQ when sending or
consuming messages then
+ set <literal>allowClientLogin</literal> to true. This will bypass
HornetQ authentication and propgate the
+ provided Security Context. If you woul like HornetQ to authenticate using the
propogated security then set the
+ <literal>authoriseOnClientLogin</literal> to true
also.</para>
+ <para>There is more info on using the JBoss client login module
<ulink
+
url="http://community.jboss.org/wiki/ClientLoginModule">here...
</para>
+ <note><para>If messages are sent non blocking then there is a
chance that these could arrive on the server after
+ the calling thread has completed meaning that the security context has been
cleared. If this is the case then messages
+ will need to be sent blocking</para></note>
+ </section>
</section>
<section>
<title>Changing the username/password for clustering</title>
Modified: trunk/src/config/jboss-as-5/clustered/hornetq-jboss-beans.xml
===================================================================
--- trunk/src/config/jboss-as-5/clustered/hornetq-jboss-beans.xml 2010-05-11 00:51:32 UTC
(rev 9224)
+++ trunk/src/config/jboss-as-5/clustered/hornetq-jboss-beans.xml 2010-05-11 11:08:05 UTC
(rev 9225)
@@ -16,6 +16,8 @@
<depends>JBossSecurityJNDIContextEstablishment</depends>
<start ignored="true"/>
<stop ignored="true"/>
+ <property name="allowClientLogin">false</property>
+ <property name="authoriseOnClientLogin">false</property>
</bean>
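Review bot: The two new bean properties ship without any inline explanation, and their safe default of `false` hides that enabling `allowClientLogin` on its own makes the security manager answer true for any call made under a JBoss client security context, with no role check (see the validateUserAndRole change in this commit). A short XML comment above the pair would keep that visible to a deployer, e.g. `<!-- allowClientLogin=true skips HornetQ authentication for calls made under a JBoss client login; set authoriseOnClientLogin=true as well to keep HornetQ's credential and role checks -->`. The same applies to the three other hornetq-jboss-beans.xml hunks in this commit.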
<!-- The core server -->
Modified: trunk/src/config/jboss-as-5/non-clustered/hornetq-jboss-beans.xml
===================================================================
--- trunk/src/config/jboss-as-5/non-clustered/hornetq-jboss-beans.xml 2010-05-11 00:51:32
UTC (rev 9224)
+++ trunk/src/config/jboss-as-5/non-clustered/hornetq-jboss-beans.xml 2010-05-11 11:08:05
UTC (rev 9225)
@@ -16,6 +16,8 @@
<depends>JBossSecurityJNDIContextEstablishment</depends>
<start ignored="true"/>
<stop ignored="true"/>
+ <property name="allowClientLogin">false</property>
+ <property name="authoriseOnClientLogin">false</property>
</bean>
<!-- The core server -->
Modified: trunk/src/config/jboss-as-6/clustered/hornetq-jboss-beans.xml
===================================================================
--- trunk/src/config/jboss-as-6/clustered/hornetq-jboss-beans.xml 2010-05-11 00:51:32 UTC
(rev 9224)
+++ trunk/src/config/jboss-as-6/clustered/hornetq-jboss-beans.xml 2010-05-11 11:08:05 UTC
(rev 9225)
@@ -18,6 +18,8 @@
<start ignored="true"/>
<stop ignored="true"/>
<depends>JBossSecurityJNDIContextEstablishment</depends>
+ <property name="allowClientLogin">false</property>
+ <property name="authoriseOnClientLogin">false</property>
</bean>
<!-- The core server -->
Modified: trunk/src/config/jboss-as-6/non-clustered/hornetq-jboss-beans.xml
===================================================================
--- trunk/src/config/jboss-as-6/non-clustered/hornetq-jboss-beans.xml 2010-05-11 00:51:32
UTC (rev 9224)
+++ trunk/src/config/jboss-as-6/non-clustered/hornetq-jboss-beans.xml 2010-05-11 11:08:05
UTC (rev 9225)
@@ -18,6 +18,8 @@
<start ignored="true"/>
<stop ignored="true"/>
<depends>JBossSecurityJNDIContextEstablishment</depends>
+ <property name="allowClientLogin">false</property>
+ <property name="authoriseOnClientLogin">false</property>
</bean>
<!-- The core server -->
Modified:
trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java
===================================================================
---
trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java 2010-05-11
00:51:32 UTC (rev 9224)
+++
trunk/src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java 2010-05-11
11:08:05 UTC (rev 9225)
@@ -25,9 +25,7 @@
import org.hornetq.core.security.Role;
import org.hornetq.core.server.HornetQComponent;
import org.hornetq.spi.core.security.HornetQSecurityManager;
-import org.jboss.security.AuthenticationManager;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.SimplePrincipal;
+import org.jboss.security.*;
/**
* This implementation delegates to the JBoss AS security interfaces (which in turn use
JAAS)
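Review bot: Replacing the three explicit imports with `import org.jboss.security.*;` is a style regression; the wildcard hides which JBoss security classes this file depends on and can silently shadow names if the package grows. Prefer listing the five classes the file now uses (AuthenticationManager, RealmMapping, SecurityContext, SecurityContextAssociation, SimplePrincipal). The hunk does not show whether `java.security.Principal` and `javax.security.auth.Subject`, both used by the new `useClientAuthentication`, are already imported above line 25; worth confirming that they are.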
@@ -65,6 +63,10 @@
private boolean isAs5 = true;
+ private boolean allowClientLogin = false;
+
+ private boolean authoriseOnClientLogin = false;
+
public boolean validateUser(final String user, final String password)
{
SimplePrincipal principal = new SimplePrincipal(user);
@@ -86,6 +88,18 @@
final Set<Role> roles,
final CheckType checkType)
{
+ if(allowClientLogin && SecurityContextAssociation.isClient())
+ {
+ return authoriseOnClientLogin? useClientAuthentication(roles, checkType):true;
+ }
+ else
+ {
+ return useConnectionAuthentication(user, password, roles, checkType);
+ }
+ }
+
+ private boolean useConnectionAuthentication(final String user, final String password,
final Set<Role> roles, final CheckType checkType)
+ {
SimplePrincipal principal = user == null ? null : new SimplePrincipal(user);
char[] passwordChars = null;
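Review bot: With `allowClientLogin` set and `authoriseOnClientLogin` unset, the new branch at the top of validateUserAndRole returns true without consulting `roles` or `checkType`, so a propagated client context bypasses HornetQ's role-based authorisation as well as its authentication; the manual hunk in this commit describes it only as bypassing authentication. If that is intended, state it at the branch, e.g. `// allowClientLogin without authoriseOnClientLogin: the JBoss client context is trusted outright, no role check`; if not, the true arm should still run the role check against the propagated principal. The ternary would also read better with spacing, `return authoriseOnClientLogin ? useClientAuthentication(roles, checkType) : true;`. The method's signature begins above the hunk.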
@@ -118,6 +132,31 @@
return authenticated;
}
+ private boolean useClientAuthentication(final Set<Role> roles, final CheckType
checkType)
+ {
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ Principal principal = sc.getUtil().getUserPrincipal();
+
+ char[] passwordChars = (char[]) sc.getUtil().getCredential();
+
+ Subject subject = sc.getSubjectInfo().getAuthenticatedSubject();
+
+ boolean authenticated = authenticationManager.isValid(principal, passwordChars,
subject);
+
+ if (authenticated)
+ {
+ Set<Principal> rolePrincipals = getRolePrincipals(checkType, roles);
+
+ authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);
+
+ if (trace)
+ {
+ JBossASSecurityManager.log.trace("user " + principal.getName() +
(authenticated ? " is " : " is NOT ") + "authorized");
+ }
+ }
+ return authenticated;
+ }
+
private void popSecurityContext()
{
if (isAs5)
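Review bot: `useClientAuthentication` dereferences the result of `SecurityContextAssociation.getSecurityContext()` and the principal it yields without a null check, so the situation the manual hunk in this same commit warns about, a non-blocking send arriving after the calling thread has cleared its security context, surfaces as a NullPointerException from `sc.getUtil()` (or from `principal.getName()` in the trace branch) instead of a clean authentication failure. The caller only reaches this method when `isClient()` was true on the same thread, so the context is normally present, but denying when it is missing keeps the failure mode predictable. The `(char[])` cast on `getCredential()` assumes the client login module stored the credential as a char array; if a String can appear there this becomes a ClassCastException, which is worth confirming. popSecurityContext starts inside the hunk but continues past it.
```java
private boolean useClientAuthentication(final Set<Role> roles, final CheckType checkType)
{
   SecurityContext sc = SecurityContextAssociation.getSecurityContext();
   if (sc == null || sc.getUtil() == null)
   {
      // client context already cleared (see the manual's note on non-blocking sends): deny rather than NPE
      return false;
   }
   Principal principal = sc.getUtil().getUserPrincipal();
   if (principal == null)
   {
      return false;
   }
   // … unchanged: credential cast, subject lookup, isValid, role check and trace …
}
```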
@@ -232,4 +271,14 @@
{
isAs5 = as5;
}
+
+ public void setAllowClientLogin(final boolean allowClientLogin)
+ {
+ this.allowClientLogin = allowClientLogin;
+ }
+
+ public void setAuthoriseOnClientLogin(final boolean authoriseOnClientLogin)
+ {
+ this.authoriseOnClientLogin = authoriseOnClientLogin;
+ }
}
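Review bot: The two new setters carry no Javadoc, although they are the bean properties the hornetq-jboss-beans.xml files in this commit expose and the only place a deployer sees their meaning in code. Suggest `/** When true, calls made under a JBoss client-side security context skip HornetQ's own credential check and use the propagated context instead; see setAuthoriseOnClientLogin. */` on setAllowClientLogin, and a matching summary on setAuthoriseOnClientLogin stating that it only has effect when allowClientLogin is true and makes HornetQ validate the propagated principal and credential and apply the role check to it.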