Author: darran.lofthouse(a)jboss.com Date: 2009-01-06 10:29:01 -0500 (Tue, 06 Jan 2009) New Revision: 8971 Modified: stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/AuthorizeOperation.java stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java Log: Authentication and authorization. Modified: stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/AuthorizeOperation.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/AuthorizeOperation.java 2009-01-06 14:20:15 UTC (rev 8970) +++ stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/AuthorizeOperation.java 2009-01-06 15:29:01 UTC (rev 8971) @@ -21,15 +21,33 @@ */ package org.jboss.ws.extensions.security.operation; +import java.security.AccessController; +import java.security.Principal; +import java.security.PrivilegedAction; +import java.util.HashSet; +import java.util.List; +import java.util.Set; + import javax.naming.Context; import javax.naming.InitialContext; import javax.naming.NamingException; +import javax.security.auth.Subject; +import javax.xml.soap.SOAPException; +import javax.xml.ws.soap.SOAPFaultException; import org.jboss.logging.Logger; import org.jboss.security.AuthenticationManager; import org.jboss.security.RealmMapping; +import org.jboss.security.SecurityContext; +import org.jboss.security.SecurityContextAssociation; +import org.jboss.security.SimplePrincipal; import org.jboss.ws.WSException; import org.jboss.ws.metadata.wsse.Authorize; +import org.jboss.ws.metadata.wsse.Role; +import org.jboss.wsf.spi.SPIProvider; +import org.jboss.wsf.spi.SPIProviderResolver; +import org.jboss.wsf.spi.invocation.SecurityAdaptor; +import org.jboss.wsf.spi.invocation.SecurityAdaptorFactory; /** * Operation to authenticate and check the authorisation of the @@ -49,6 +67,8 @@ private RealmMapping rm; + private SecurityAdaptorFactory secAdapterfactory; + public AuthorizeOperation(Authorize authorize) { this.authorize = authorize; @@ -65,17 +85,83 @@ throw new WSException("Unable to lookup AuthenticationManager", ne); } + SPIProvider spiProvider = SPIProviderResolver.getInstance().getProvider(); + secAdapterfactory = spiProvider.getSPI(SecurityAdaptorFactory.class); } public void process() { log.trace("About to check authorization, using security domain '" + am.getSecurityDomain() + "'"); // Step 1 - Authenticate using currently associated principals. + SecurityAdaptor securityAdaptor = secAdapterfactory.newSecurityAdapter(); + Principal principal = securityAdaptor.getPrincipal(); + Object credential = securityAdaptor.getCredential(); + Subject subject = new Subject(); + boolean authorized = am.isValid(principal, credential, subject); + + if (authorized == false) + { + throw new WSException("Authentication failed."); + } + + pushSubjectContext(principal, credential, subject); // Step 2 - If unchecked all ok so return. + if (authorize.isUnchecked()) + { + return; + } // Step 3 - If roles specified check user in role. + Set<Principal> expectedRoles = expectedRoles(); + System.out.println(subject.getPrincipals()); + if (rm.doesUserHaveRole(principal, expectedRoles) == false) + { + throw new WSException("User does not have required roles"); + } + } + private Set<Principal> expectedRoles() + { + List<Role> roles = authorize.getRoles(); + int rolesCount = (roles != null) ? roles.size() : 0; + log.info(rolesCount); + Set<Principal> expectedRoles = new HashSet<Principal>(rolesCount); + + if (roles != null) + { + for (Role current : roles) + { + expectedRoles.add(new SimplePrincipal(current.getName())); + } + } + + return expectedRoles; } + + static SecurityContext getSecurityContext() + { + return (SecurityContext)AccessController.doPrivileged(new PrivilegedAction(){ + public Object run() + { + return SecurityContextAssociation.getSecurityContext(); + } + }); + } + + static void pushSubjectContext(final Principal p, final Object cred, final Subject s) + { + AccessController.doPrivileged(new PrivilegedAction(){ + public Object run() + { + SecurityContext sc = getSecurityContext(); + if(sc == null) + throw new IllegalStateException("Security Context is null"); + sc.getUtil().createSubjectInfo(p, cred, s); + return null; + }} + ); + } + } Modified: stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java =================================================================== --- stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java 2009-01-06 14:20:15 UTC (rev 8970) +++ stack/native/branches/dlofthouse/JBWS-1999/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java 2009-01-06 15:29:01 UTC (rev 8971) @@ -65,8 +65,6 @@ { UsernameToken user = (UsernameToken)token; SecurityAdaptor securityAdaptor = secAdapterfactory.newSecurityAdapter(); - Logger.getLogger(this.getClass()).info("Username: " + user.getUsername()); - Logger.getLogger(this.getClass()).info("Password: " + user.getPassword()); if (user.isDigest()) { verifyUsernameToken(user);