This work:
http://jira.jboss.com/jira/browse/SECURITY-75
isn't much use without this:
http://jira.jboss.com/jira/browse/SECURITY-125
Most clients (if they used the SecurityAssociation API) will be using it on the client
to do a single login for the entire JVM.
When the SecurityAssociation is not in server mode, it doesn't work at all with
JBoss5.
e.g. You can see this in org.jboss.test.jmx.test.DeployXMBeanUnitTestCase
The following patch makes it work:
| [ejort@warjort testsuite]$ svn diff
| Index: src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java
| ===================================================================
| --- src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java (revision
74958)
| +++ src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java (working
copy)
| @@ -487,6 +487,7 @@
| }
|
| SimplePrincipal jduke = new SimplePrincipal("jduke");
| + SecurityAssociation.setServer();
| SecurityAssociation.setPrincipal(jduke);
| SecurityAssociation.setCredential("theduke".toCharArray());
| naming.bind(hello, "HelloBinding", "java.lang.String");
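Review bot: The added `SecurityAssociation.setServer();` before `setPrincipal(jduke)` makes the test pass by switching mode, so it no longer exercises the client-mode (single JVM-wide login) path that the post reports as broken. It is also a static call, and nothing in this hunk restores the previous mode, so later tests in the same JVM inherit it. If this goes in as a stopgap, add a comment pointing at SECURITY-125 so the line can be removed once client mode works again, and keep a separate test that leaves the call out.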
| @@ -536,6 +537,7 @@
| Name hello = ctx.getNameParser("").parse("Hello");
|
| SimplePrincipal jduke = new SimplePrincipal("jduke");
| + SecurityAssociation.setServer();
| SecurityAssociation.setPrincipal(jduke);
| SecurityAssociation.setCredential("theduke".toCharArray());
|
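Review bot: This second `SecurityAssociation.setServer();` repeats the workaround from the first hunk inside another test method; put it in one place (setUp() or a shared login helper) so the workaround can be removed in a single edit. The visible context also sets the principal and the "theduke" credential without a matching `SecurityAssociation.clear()`, so the identity can leak into later tests; clearing it in a finally block or in tearDown() would keep the tests isolated.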
But that isn't the correct fix.
There's a tonne of other code in the JBoss5 testsuite still using the
SecurityAssociation:
| [ejort@warjort test]$ grep -ri SecurityAssociation * | grep -v svn
| aop/bean/SecurityTester.java: //SecurityAssociation.pushSubjectContext(null,
new SimplePrincipal("somebody"), password);
| aop/bean/SecurityTester.java: /*SecurityAssociation.popSubjectContext();
| aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new
SimplePrincipal("authfail"), password);
| aop/bean/SecurityTester.java: SecurityAssociation.popSubjectContext();
| aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new
SimplePrincipal("rolefail"), password);
| aop/bean/SecurityTester.java: SecurityAssociation.popSubjectContext();
| aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new
SimplePrincipal("pass"), password);
| aop/bean/SimpleBeanTester.java:import org.jboss.security.SecurityAssociation;
| cluster/invokerha/HAService.java:import org.jboss.security.SecurityAssociation;
| cluster/invokerha/HAService.java: SecurityAssociation.setPrincipal(principal);
| cluster/invokerha/HAService.java: SecurityAssociation.setCredential(credential);
| cluster/invokerha/HAService.java: SecurityAssociation.clear();
| jacc/test/portal/BasePortalJaccTestCase.java:import
org.jboss.security.SecurityAssociation;
| jacc/test/portal/BasePortalJaccTestCase.java:
SecurityAssociation.setSubject(subject);
| jmx/interceptors/PrincipalInterceptor.java:import
org.jboss.security.SecurityAssociation;
| jmx/interceptors/PrincipalInterceptor.java: Principal caller =
SecurityAssociation.getPrincipal();
| jmx/interceptors/JNDISecurity.java:import org.jboss.security.SecurityAssociation;
| jmx/interceptors/JNDISecurity.java:
SecurityAssociation.pushSubjectContext(subject, principal, credential);
| jmx/interceptors/JNDISecurity.java: SecurityAssociation.popSubjectContext();
| jmx/test/DeployXMBeanUnitTestCase.java:import org.jboss.security.SecurityAssociation;
| jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setServer();
| jmx/test/DeployXMBeanUnitTestCase.java:
SecurityAssociation.setPrincipal(jduke);
| jmx/test/DeployXMBeanUnitTestCase.java:
SecurityAssociation.setCredential("theduke".toCharArray());
| jmx/test/DeployXMBeanUnitTestCase.java:
SecurityAssociation.setPrincipal(guest);
| jmx/test/DeployXMBeanUnitTestCase.java:
SecurityAssociation.setCredential("guest".toCharArray());
| jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setServer();
| jmx/test/DeployXMBeanUnitTestCase.java:
SecurityAssociation.setPrincipal(jduke);
| jmx/test/DeployXMBeanUnitTestCase.java:
SecurityAssociation.setCredential("theduke".toCharArray());
| naming/test/SecurityUnitTestCase.java:import org.jboss.security.SecurityAssociation;
| naming/test/SecurityUnitTestCase.java: Principal p =
SecurityAssociation.getPrincipal();
| naming/test/SecurityUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal is null", p == null);
| security/interceptors/ClientEncryptionInterceptor.java:import
org.jboss.security.SecurityAssociation;
| security/interceptors/ClientEncryptionInterceptor.java: Subject subject =
SecurityAssociation.getSubject();
| security/interceptors/ServerEncryptionInterceptor.java:import
org.jboss.security.SecurityAssociation;
| security/interceptors/ServerEncryptionInterceptor.java: Subject subject =
SecurityAssociation.getSubject();
| security/ejb/SubjectSessionBean.java:import org.jboss.security.SecurityAssociation;
| security/ejb/SubjectSessionBean.java: * SecurityAssociation.getSubject and
PolicyContext. This will not run under
| security/ejb/SubjectSessionBean.java:
validateSecurityAssociationSubject("enter", callerPrincipals);
| security/ejb/SubjectSessionBean.java:
validateSecurityAssociationSubject("post stateless", callerPrincipals);
| security/ejb/SubjectSessionBean.java:
validateSecurityAssociationSubject("post stateful", callerPrincipals);
| security/ejb/SubjectSessionBean.java:
validateSecurityAssociationSubject("exit", callerPrincipals);
| security/ejb/SubjectSessionBean.java: * Get the active subject as seen by the jboss
SecurityAssociation
| security/ejb/SubjectSessionBean.java: protected void
validateSecurityAssociationSubject(String ctx, Set callerPrincipals)
| security/ejb/SubjectSessionBean.java: Subject caller =
SecurityAssociation.getSubject();
| security/ejb/SubjectSessionBean.java: String msg = ctx+",
SecurityAssociation subject: "+caller
| security/ejb/SecuredBean.java: * SecurityAssociation.getSubject and PolicyContext.
This will not run under
| security/test/SecurityMgrStressTestCase.java:import
org.jboss.security.auth.callback.SecurityAssociationHandler;
| security/test/SecurityMgrStressTestCase.java: //SecurityAssociation.setServer();
| security/test/SecurityMgrStressTestCase.java: JaasSecurityManager secMgr = new
JaasSecurityManager("testIdentity", new SecurityAssociationHandler());
| security/test/SecurityMgrStressTestCase.java:
//SecurityAssociation.pushSubjectContext(subject, user, "any");
| security/test/ClientLoginModuleUnitTestCase.java:import
org.jboss.security.SecurityAssociation;
| security/test/ClientLoginModuleUnitTestCase.java:
ClientLoginModuleUnitTestCase/SecurityAssociation interaction tests
| security/test/ClientLoginModuleUnitTestCase.java: //Clear SecurityAssociation
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.clear();
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == theduke",
saPrincipal.equals(theduke));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[])
SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.setPrincipal(jduke1);
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.setCredential("theduke1");
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == jduke2",
saPrincipal.equals(jduke2));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[])
SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java: saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == jduke1",
saPrincipal.equals(jduke1));
| security/test/ClientLoginModuleUnitTestCase.java: String theduke1 = (String)
SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.pushSubjectContext(subject1, jduke1, "theduke1");
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.pushSubjectContext(subject2, jduke2, "theduke2");
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == jduke3",
saPrincipal.equals(jduke3));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[])
SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.SubjectContext sc3 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.peekSubjectContext == jduke3",
sc3.getPrincipal().equals(jduke3));
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.SubjectContext sc2 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.peekSubjectContext == jduke2",
sc2.getPrincipal().equals(jduke2));
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.popSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.SubjectContext sc1 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.peekSubjectContext == jduke1",
sc1.getPrincipal().equals(jduke1));
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == theduke",
saPrincipal.equals(theduke));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password =
(char[]) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.setPrincipal(jduke1);
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.setCredential("theduke1");
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == jduke2",
saPrincipal.equals(jduke2));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password =
(char[]) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java: saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == jduke1",
saPrincipal.equals(jduke1));
| security/test/ClientLoginModuleUnitTestCase.java: String theduke1 =
(String) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.pushSubjectContext(subject1, jduke1, "theduke1");
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.pushSubjectContext(subject2, jduke2, "theduke2");
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == jduke3",
saPrincipal.equals(jduke3));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password =
(char[]) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.SubjectContext sc3 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.peekSubjectContext == jduke3",
sc3.getPrincipal().equals(jduke3));
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.SubjectContext sc2 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.peekSubjectContext == jduke2",
sc2.getPrincipal().equals(jduke2));
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.popSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java:
SecurityAssociation.SubjectContext sc1 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java:
assertTrue("SecurityAssociation.peekSubjectContext == jduke1",
sc1.getPrincipal().equals(jduke1));
| security/test/SRPLoginModuleUnitTestCase.java:import
org.jboss.security.SecurityAssociation;
| security/test/SRPLoginModuleUnitTestCase.java: Principal user =
SecurityAssociation.getPrincipal();
| security/test/SRPLoginModuleUnitTestCase.java: byte[] key = (byte[])
SecurityAssociation.getCredential();
| security/test/SAThreadLocalUnitTestCase.java:import
org.jboss.security.SecurityAssociation;
| security/test/SAThreadLocalUnitTestCase.java:
SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
| security/test/SAThreadLocalUnitTestCase.java: * SecurityAssociation.getSubject() ==
authSubject
| security/test/SAThreadLocalUnitTestCase.java: * SecurityAssociation.getPrincipal()
== authPrincipal
| security/test/SAThreadLocalUnitTestCase.java: Subject s =
SecurityAssociation.getSubject();
| security/test/SAThreadLocalUnitTestCase.java: Principal p =
SecurityAssociation.getPrincipal();
| security/test/SAThreadLocalUnitTestCase.java:
System.setProperty("org.jboss.security.SecurityAssociation.ThreadLocal",
"true");
| security/test/SAThreadLocalUnitTestCase.java: SecurityAssociation.setServer();
| security/test/LoginModulesUnitTestCase.java:import
org.jboss.security.SecurityAssociation;
| security/test/LoginModulesUnitTestCase.java:import
org.jboss.security.auth.callback.SecurityAssociationHandler;
| security/test/LoginModulesUnitTestCase.java: Principal saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/LoginModulesUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == scott",
saPrincipal.equals(scott));
| security/test/LoginModulesUnitTestCase.java: saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/LoginModulesUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == scott2",
saPrincipal.equals(scott2));
| security/test/LoginModulesUnitTestCase.java: saPrincipal =
SecurityAssociation.getPrincipal();
| security/test/LoginModulesUnitTestCase.java:
assertTrue("SecurityAssociation.getPrincipal == scott",
saPrincipal.equals(scott));
| security/test/LoginModulesUnitTestCase.java: SecurityAssociation.setPrincipal(new
SimplePrincipal("jduke2"));
| security/test/LoginModulesUnitTestCase.java:
SecurityAssociation.setCredential("theduke2".toCharArray());
| security/test/LoginModulesUnitTestCase.java: SecurityAssociationHandler handler =
new SecurityAssociationHandler(x509, cert);
| security/test/LoginModulesUnitTestCase.java: SecurityAssociationHandler handler =
new SecurityAssociationHandler(x509, cert);
| security/test/SAInheritableThreadLocalUnitTestCase.java:import
org.jboss.security.SecurityAssociation;
| security/test/SAInheritableThreadLocalUnitTestCase.java: * Test the expected
security context exists via the SecurityAssociation accessors
| security/test/SAInheritableThreadLocalUnitTestCase.java:
SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
| security/test/SAInheritableThreadLocalUnitTestCase.java:
SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
| security/test/SAInheritableThreadLocalUnitTestCase.java: *
SecurityAssociation.getSubject() == authSubject
| security/test/SAInheritableThreadLocalUnitTestCase.java: *
SecurityAssociation.getPrincipal() == authPrincipal
| security/test/SAInheritableThreadLocalUnitTestCase.java: Subject s =
SecurityAssociation.getSubject();
| security/test/SAInheritableThreadLocalUnitTestCase.java: Principal p =
SecurityAssociation.getPrincipal();
| security/test/SAInheritableThreadLocalUnitTestCase.java:
System.setProperty("org.jboss.security.SecurityAssociation.ThreadLocal",
"false");
| security/test/SAInheritableThreadLocalUnitTestCase.java:
SecurityAssociation.setServer();
| security/test/SubjectContextUnitTestCase.java:import
org.jboss.security.SecurityAssociation;
| security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
| security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
| security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
| security/test/JaasSecurityManagerUnitTestCase.java:import
org.jboss.security.auth.callback.SecurityAssociationHandler;
| security/test/JaasSecurityManagerUnitTestCase.java: CallbackHandler handler = new
SecurityAssociationHandler(jduke, "theduke".toCharArray());
| security/test/JaasSecurityManagerUnitTestCase.java: CallbackHandler handler = new
SecurityAssociationHandler(jduke, "theduke".toCharArray());
| securitymgr/ejb/IOStatelessSessionBean.java:import
org.jboss.security.SecurityAssociation;
| securitymgr/ejb/BadBean.java:import org.jboss.security.SecurityAssociation;
| securitymgr/ejb/BadBean.java: return SecurityAssociation.getPrincipal();
| securitymgr/ejb/BadBean.java: return SecurityAssociation.getCredential();
| securitymgr/ejb/BadBean.java: SecurityAssociation.setPrincipal(user);
| securitymgr/ejb/BadBean.java: SecurityAssociation.setCredential(password);
| securitymgr/ejb/BadBean.java: Subject s = SecurityAssociation.getSubject();
| securitymgr/ejb/BadBean.java: Subject s = SecurityAssociation.getSubject();
| securitymgr/ejb/BadBean.java: SecurityAssociation.pushSubjectContext(s, null,
null);
| securitymgr/ejb/BadBean.java: SecurityAssociation.popRunAsIdentity();
| securitymgr/ejb/BadBean.java: SecurityAssociation.pushRunAsIdentity(runAs);
| securitymgr/test/SecurityUnitTestCase.java: /** Test that a bean cannot access the
SecurityAssociation class
| securitymgr/test/PolicyUnitTestCase.java: /** Test that a bean cannot access the
SecurityAssociation class
| securitymgr/test/PolicyUnitTestCase.java: public void testSecurityAssociation()
throws Exception
| securitymgr/test/PolicyUnitTestCase.java: log.debug("+++
testSecurityAssociation()");
| web/test/FormAuthUnitTestCase.java: * a SecurityAssociation setting Subject.
| web/security/JASPISecurityFilter.java:import
org.jboss.security.auth.callback.SecurityAssociationHandler;
| web/security/JASPISecurityFilter.java: CallbackHandler cbh = new
SecurityAssociationHandler();
| web/servlets/SecureServlet.java:import org.jboss.security.SecurityAssociation;
| web/servlets/SecureServlet.java: // Assert that there is a valid
SecurityAssociation Subject
| web/servlets/SecureServlet.java: Subject subject =
SecurityAssociation.getSubject();
| webservice/jbws309/JBWS309TestCase.java:import
org.jboss.security.SecurityAssociation;
| webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setPrincipal(null);
| webservice/jbws309/JBWS309TestCase.java:
SecurityAssociation.setCredential(null);
| webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setPrincipal(new
SimplePrincipal(USERNAME));
| webservice/jbws309/JBWS309TestCase.java:
SecurityAssociation.setCredential(PASSWORD);
|
Some of these are probably running on the server side so the mapping should work?