Author: mageshbk(a)jboss.com
Date: 2007-10-25 04:24:21 -0400 (Thu, 25 Oct 2007)
New Revision: 8771
Added:
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/Permissions.java
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/SecurityContext.java
Modified:
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManager.java
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManagerFactory.java
Log:
[JBPORTAL-1481] Reimplement portal security interface without JACC
Modified:
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManager.java
===================================================================
---
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManager.java 2007-10-25
05:49:35 UTC (rev 8770)
+++
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManager.java 2007-10-25
08:24:21 UTC (rev 8771)
@@ -68,6 +68,21 @@
/** Used to retrieve the subject in hte jacc portal permission collection. */
private static final ThreadLocal checkedSubjectLocal = new ThreadLocal();
+
+ /**
+ * JACC bypass
+ */
+ private SecurityContext securityContext = null;
+
+ /**
+ * JACC bypass
+ *
+ * @param securityContext
+ */
+ void setSecurityContext(SecurityContext securityContext)
+ {
+ this.securityContext = securityContext;
+ }
public JACCPortalAuthorizationManager(JACCPortalAuthorizationManagerFactory factory)
{
@@ -84,7 +99,7 @@
public void checkRoleConfig(String contextID, String roleName) throws
PortalSecurityException
{
- Map configuredRoles = factory.configuredRoles;
+ /*Map configuredRoles = factory.configuredRoles;
synchronized (configuredRoles)
{
// The policy configuration
@@ -145,6 +160,36 @@
log.error("Error when commiting policy config", e);
}
}
+ }*/
+
+ /**
+ * JACC bypass
+ */
+ Map configuredRoles = factory.configuredRoles;
+ synchronized (configuredRoles)
+ {
+ if (!configuredRoles.containsKey(roleName))
+ {
+ // Iterate over all domains to add their container
+ Collection domains = factory.getAuthorizationDomainRegistry().getDomains();
+ for (Iterator j = domains.iterator(); j.hasNext();)
+ {
+ AuthorizationDomain domain = (AuthorizationDomain)j.next();
+ JACCPortalPermissionCollection collection = new
JACCPortalPermissionCollection(roleName, domain);
+ PermissionFactory permissionFactory = domain.getPermissionFactory();
+ PortalPermission container =
permissionFactory.createPermissionContainer(collection);
+
+ if (SecurityConstants.UNCHECKED_ROLE_NAME.equals(roleName))
+ {
+ this.securityContext.addToUncheckedPolicy(container);
+ }
+ else
+ {
+ this.securityContext.addToRole(roleName, container);
+ }
+ }
+ configuredRoles.put(roleName, roleName);
+ }
}
}
@@ -209,10 +254,23 @@
principals = new Principal[0];
}
- //
+ //Bypass the JACC layer and go straight to the portal security permission layer
+ /*ProtectionDomain pd = new ProtectionDomain(null, null, null, principals);
+ Policy policy = Policy.getPolicy();
+ boolean implied = policy.implies(pd, permission);*/
+
+ /**
+ * alternately bypassing the call and not letting it go through the
+ * JACC system.
+ *
+ * There is not an issue with JBoss JACC implementation, but the Permissions
object
+ * in JDK5 which is leveraged by JACC. The synchrnozied block inside Permissions
object
+ * is causing performance bottleneck
+ */
ProtectionDomain pd = new ProtectionDomain(null, null, null, principals);
- Policy policy = Policy.getPolicy();
- return policy.implies(pd, permission);
+ boolean implied = this.securityContext.implies(pd, permission);
+
+ return implied;
}
Modified:
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManagerFactory.java
===================================================================
---
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManagerFactory.java 2007-10-25
05:49:35 UTC (rev 8770)
+++
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/JACCPortalAuthorizationManagerFactory.java 2007-10-25
08:24:21 UTC (rev 8771)
@@ -51,6 +51,11 @@
/** The configured roles. */
final Map configuredRoles = new HashMap();
+
+ /**
+ * JACC bypass
+ */
+ private SecurityContext securityContext = null;
public AuthorizationDomainRegistry getAuthorizationDomainRegistry()
{
@@ -64,6 +69,14 @@
public PortalAuthorizationManager getManager()
{
+ JACCPortalAuthorizationManager manager = new JACCPortalAuthorizationManager(this);
+
+ if(this.securityContext == null)
+ {
+ this.securityContext = new SecurityContext();
+ }
+
+ manager.setSecurityContext(this.securityContext);
return manager;
}
@@ -95,5 +108,8 @@
// Refresh
policy.refresh();
+
+ //JACC bypass
+ this.securityContext = new SecurityContext();
}
}
Added:
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/Permissions.java
===================================================================
---
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/Permissions.java
(rev 0)
+++
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/Permissions.java 2007-10-25
08:24:21 UTC (rev 8771)
@@ -0,0 +1,167 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.portal.security.impl.jacc;
+
+import java.util.Map;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+
+import EDU.oswego.cs.dl.util.concurrent.ConcurrentHashMap;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public final class Permissions
+{
+ /**
+ * Key is permissions Class, value is PermissionCollection for that class.
+ * Not serialized; see serialization section at end of class.
+ */
+ private transient Map permsMap = null;
+
+
+ /**
+ * Creates a new Permissions object containing no PermissionCollections.
+ */
+ public Permissions()
+ {
+ this.permsMap = new ConcurrentHashMap();
+ }
+
+ /**
+ * Adds a permission object to the PermissionCollection for the class the
+ * permission belongs to. For example, if <i>permission</i> is a
+ * FilePermission, it is added to the FilePermissionCollection stored in this
+ * Permissions object.
+ *
+ * This method creates a new PermissionCollection object (and adds the
+ * permission to it) if an appropriate collection does not yet exist.
+ * <p>
+ *
+ * @param permission
+ * the Permission object to add.
+ *
+ * @exception SecurityException
+ * if this Permissions object is marked as readonly.
+ *
+ * @see PermissionCollection#isReadOnly()
+ */
+ public void add(Permission permission)
+ {
+ PermissionCollection pc;
+ pc = getPermissionCollection(permission, true);
+ pc.add(permission);
+ }
+
+ /**
+ * Checks to see if this object's PermissionCollection for permissions of the
+ * specified permission's type implies the permissions expressed in the
+ * <i>permission</i> object. Returns true if the combination of
permissions
+ * in the appropriate PermissionCollection (e.g., a FilePermissionCollection
+ * for a FilePermission) together imply the specified permission.
+ *
+ * <p>
+ * For example, suppose there is a FilePermissionCollection in this
+ * Permissions object, and it contains one FilePermission that specifies
+ * "read" access for all files in all subdirectories of the "/tmp"
directory,
+ * and another FilePermission that specifies "write" access for all files
in
+ * the "/tmp/scratch/foo" directory. Then if the
<code>implies</code>
+ * method is called with a permission specifying both "read" and
"write"
+ * access to files in the "/tmp/scratch/foo" directory,
<code>true</code>
+ * is returned.
+ *
+ * <p>
+ * Additionally, if this PermissionCollection contains the AllPermission,
+ * this method will always return true.
+ * <p>
+ *
+ * @param permission
+ * the Permission object to check.
+ *
+ * @return true if "permission" is implied by the permissions in the
+ * PermissionCollection it belongs to, false if not.
+ */
+ public boolean implies(Permission permission)
+ {
+ PermissionCollection pc = getPermissionCollection(permission, false);
+ if (pc != null)
+ {
+ return pc.implies(permission);
+ }
+ else
+ {
+ // none found
+ return false;
+ }
+ }
+
+
+ /**
+ * Gets the PermissionCollection in this Permissions object for permissions
+ * whose type is the same as that of <i>p</i>. For example, if
<i>p</i> is
+ * a FilePermission, the FilePermissionCollection stored in this Permissions
+ * object will be returned.
+ *
+ * If createEmpty is true, this method creates a new PermissionCollection
+ * object for the specified type of permission objects if one does not yet
+ * exist. To do so, it first calls the
<code>newPermissionCollection</code>
+ * method on <i>p</i>. Subclasses of class Permission override that
method
+ * if they need to store their permissions in a particular
+ * PermissionCollection object in order to provide the correct semantics when
+ * the <code>PermissionCollection.implies</code> method is called. If the
+ * call returns a PermissionCollection, that collection is stored in this
+ * Permissions object. If the call returns null and createEmpty is true, then
+ * this method instantiates and stores a default PermissionCollection that
+ * uses a hashtable to store its permission objects.
+ *
+ * createEmpty is ignored when creating empty PermissionCollection for
+ * unresolved permissions because of the overhead of determining the
+ * PermissionCollection to use.
+ *
+ * createEmpty should be set to false when this method is invoked from
+ * implies() because it incurs the additional overhead of creating and adding
+ * an empty PermissionCollection that will just return false. It should be
+ * set to true when invoked from add().
+ */
+ private PermissionCollection getPermissionCollection(Permission p,
+ boolean createEmpty)
+ {
+ Class c = p.getClass();
+
+ PermissionCollection pc = (PermissionCollection) permsMap.get(c);
+ if (!createEmpty)
+ {
+ return pc;
+ }
+ else if (pc == null)
+ {
+ pc = p.newPermissionCollection();
+ if (pc != null)
+ {
+ permsMap.put(c, pc);
+ }
+ }
+ return pc;
+ }
+}
\ No newline at end of file
Property changes on:
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/Permissions.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF
Added:
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/SecurityContext.java
===================================================================
---
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/SecurityContext.java
(rev 0)
+++
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/SecurityContext.java 2007-10-25
08:24:21 UTC (rev 8771)
@@ -0,0 +1,134 @@
+/******************************************************************************
+ * JBoss, a division of Red Hat *
+ * Copyright 2006, Red Hat Middleware, LLC, and individual *
+ * contributors as indicated by the @authors tag. See the *
+ * copyright.txt in the distribution for a full listing of *
+ * individual contributors. *
+ * *
+ * This is free software; you can redistribute it and/or modify it *
+ * under the terms of the GNU Lesser General Public License as *
+ * published by the Free Software Foundation; either version 2.1 of *
+ * the License, or (at your option) any later version. *
+ * *
+ * This software is distributed in the hope that it will be useful, *
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of *
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+ * Lesser General Public License for more details. *
+ * *
+ * You should have received a copy of the GNU Lesser General Public *
+ * License along with this software; if not, write to the Free *
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA *
+ * 02110-1301 USA, or see the FSF site:
http://www.fsf.org. *
+ ******************************************************************************/
+package org.jboss.portal.security.impl.jacc;
+
+import java.security.Permission;
+import java.security.Principal;
+import java.security.ProtectionDomain;
+import java.security.acl.Group;
+import java.util.ArrayList;
+import java.util.Enumeration;
+import java.util.HashMap;
+
+/**
+ * @author <a href="mailto:sshah@redhat.com">Sohil Shah</a>
+ */
+public class SecurityContext
+{
+ private Permissions uncheckedPermissions = null;
+ private HashMap rolePermissions = null;
+
+ /**
+ *
+ *
+ */
+ SecurityContext()
+ {
+ this.uncheckedPermissions = new Permissions();
+ this.rolePermissions = new HashMap();
+ }
+
+ /**
+ *
+ * @param roleName
+ * @param permission
+ */
+ void addToRole(String roleName, Permission permission)
+ {
+ Permissions perms = (Permissions) this.rolePermissions.get(roleName);
+ if (perms == null)
+ {
+ perms = new Permissions();
+ this.rolePermissions.put(roleName, perms);
+ }
+ perms.add(permission);
+ }
+
+
+ /**
+ *
+ * @param permission
+ */
+ void addToUncheckedPolicy(Permission permission)
+ {
+ this.uncheckedPermissions.add(permission);
+ }
+
+ /**
+ *
+ * @param domain
+ * @param permission
+ * @return
+ */
+ boolean implies(ProtectionDomain domain, Permission permission)
+ {
+ boolean implied = false;
+
+ // Next see if this matches an unchecked permission
+ if( uncheckedPermissions.implies(permission) )
+ {
+ return true;
+ }
+
+ // Check principal to role permissions
+ Principal[] principals = domain.getPrincipals();
+ int length = principals != null ? principals.length : 0;
+ ArrayList princpalNames = new ArrayList();
+ for(int n = 0; n < length; n ++)
+ {
+ Principal p = principals[n];
+ if( p instanceof Group )
+ {
+ Group g = (Group) p;
+ Enumeration iter = g.members();
+ while( iter.hasMoreElements() )
+ {
+ p = (Principal) iter.nextElement();
+ String name = p.getName();
+ princpalNames.add(name);
+ }
+ }
+ else
+ {
+ String name = p.getName();
+ princpalNames.add(name);
+ }
+ }
+ if( princpalNames.size() > 0 )
+ {
+ for(int n = 0; implied == false && n < princpalNames.size(); n ++)
+ {
+ String name = (String) princpalNames.get(n);
+ Permissions perms = (Permissions) rolePermissions.get(name);
+
+ if( perms == null )
+ {
+ continue;
+ }
+ implied = perms.implies(permission);
+ }
+ }
+
+ return implied;
+ }
+}
Property changes on:
branches/JBoss_Portal_Branch_2_6/security/src/main/org/jboss/portal/security/impl/jacc/SecurityContext.java
___________________________________________________________________
Name: svn:keywords
+ Id Revision
Name: svn:eol-style
+ LF