Author: dan.j.allen
Date: 2008-11-27 01:23:33 -0500 (Thu, 27 Nov 2008)
New Revision: 9668
Added:
trunk/src/test/unit/org/jboss/seam/test/unit/web/IdentityRequestWrapperTest.java
Modified:
trunk/doc/Seam_Reference_Guide/en-US/Security.xml
trunk/src/main/org/jboss/seam/core-2.1.xsd
trunk/src/main/org/jboss/seam/core/Init.java
trunk/src/main/org/jboss/seam/mock/MockHttpServletRequest.java
trunk/src/main/org/jboss/seam/mock/MockHttpSession.java
trunk/src/main/org/jboss/seam/web/IdentityRequestWrapper.java
trunk/src/test/unit/org/jboss/seam/test/unit/testng.xml
Log:
JBSEAM-3629
Modified: trunk/doc/Seam_Reference_Guide/en-US/Security.xml
===================================================================
--- trunk/doc/Seam_Reference_Guide/en-US/Security.xml 2008-11-27 05:48:13 UTC (rev 9667)
+++ trunk/doc/Seam_Reference_Guide/en-US/Security.xml 2008-11-27 06:23:33 UTC (rev 9668)
@@ -57,9 +57,11 @@
<title>Disabling Security</title>
<para>
- In some situations it may be necessary to disable Seam Security, for example during
unit tests. This can be done by
- calling the static method
<literal>Identity.setSecurityEnabled(false)</literal> to disable security
checks. Doing this
- prevents any security checks being performed for the following:
+ In some situations it may be necessary to disable Seam Security, for instances
during unit tests or because you
+ are using a different approach to security, such as native JAAS. Simply call the
static method
+ <literal>Identity.setSecurityEnabled(false)</literal> to disable the
security infrastructure. Of course, it's not
+ very convenient to have to call a static method when you want to configure the
application, so as an alternative
+ you can control this setting in components.xml:
</para>
<itemizedlist>
@@ -75,7 +77,18 @@
<listitem>
<para>Page restrictions</para>
</listitem>
+ <listitem>
+ <para>Servlet API security integration</para>
+ </listitem>
</itemizedlist>
+
+ <para>
+ Assuming you are planning to take advantage of what Seam Security has to offer, the
rest of this chapter documents
+ the plethora of options you have for giving your user an identity in the eyes of
the security model
+ (authentication) and locking down the application by establishing constraints
(authorization). Let's begin with
+ the task of authentication since that's the foundation of any security model.
+ </para>
+
</sect1>
<sect1>
Modified: trunk/src/main/org/jboss/seam/core/Init.java
===================================================================
--- trunk/src/main/org/jboss/seam/core/Init.java 2008-11-27 05:48:13 UTC (rev 9667)
+++ trunk/src/main/org/jboss/seam/core/Init.java 2008-11-27 06:23:33 UTC (rev 9668)
@@ -33,6 +33,7 @@
import org.jboss.seam.log.Logging;
import org.jboss.seam.persistence.EntityManagerProxyInterceptor;
import org.jboss.seam.persistence.HibernateSessionProxyInterceptor;
+import org.jboss.seam.security.Identity;
import org.jboss.seam.security.SecurityInterceptor;
import org.jboss.seam.transaction.RollbackInterceptor;
import org.jboss.seam.transaction.TransactionInterceptor;
@@ -572,6 +573,16 @@
this.transactionManagementEnabled = transactionManagementEnabled;
}
+ public boolean isSecurityEnabled()
+ {
+ return Identity.isSecurityEnabled();
+ }
+
+ public void setSecurityEnabled(boolean securityEnabled)
+ {
+ Identity.setSecurityEnabled(securityEnabled);
+ }
+
public Collection<Namespace> getGlobalImports()
{
return globalImports;
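Review bot: The new `isSecurityEnabled()`/`setSecurityEnabled()` pair at the top of the hunk has no Javadoc, and since both delegate to static `Identity` methods the setting is application-wide rather than a property of this `Init` instance, which a reader of a bean-style accessor would not expect. That matters because the same commit exposes it as the `security-enabled` attribute in core-2.1.xsd, and the Security.xml hunk states that disabling it also turns off the Servlet API security integration (the wrapper then falls back to the container's principal). Suggest on the setter: `/** Enables or disables Seam Security for the whole application (delegates to the static {@link Identity#setSecurityEnabled}); exposed here so the flag can be set from components.xml via the security-enabled attribute. */` and a one-line `/** @see Identity#isSecurityEnabled() */` on the getter.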
Modified: trunk/src/main/org/jboss/seam/core-2.1.xsd
===================================================================
--- trunk/src/main/org/jboss/seam/core-2.1.xsd 2008-11-27 05:48:13 UTC (rev 9667)
+++ trunk/src/main/org/jboss/seam/core-2.1.xsd 2008-11-27 06:23:33 UTC (rev 9668)
@@ -46,6 +46,7 @@
<xs:attributeGroup name="attlist.init">
<xs:attribute name="debug" type="components:boolean"
/>
<xs:attribute name="jndi-pattern" type="components:string"
/>
+ <xs:attribute name="security-enabled"
type="components:boolean" />
<xs:attribute name="transaction-management-enabled"
type="components:boolean"/>
<xs:attribute name="user-transaction-name"
type="components:string"/>
</xs:attributeGroup>
Modified: trunk/src/main/org/jboss/seam/mock/MockHttpServletRequest.java
===================================================================
--- trunk/src/main/org/jboss/seam/mock/MockHttpServletRequest.java 2008-11-27 05:48:13 UTC
(rev 9667)
+++ trunk/src/main/org/jboss/seam/mock/MockHttpServletRequest.java 2008-11-27 06:23:33 UTC
(rev 9668)
@@ -143,8 +143,7 @@
public String getRemoteUser()
{
- //TODO
- return null;
+ return principalName;
}
public boolean isUserInRole(String role)
Modified: trunk/src/main/org/jboss/seam/mock/MockHttpSession.java
===================================================================
--- trunk/src/main/org/jboss/seam/mock/MockHttpSession.java 2008-11-27 05:48:13 UTC (rev
9667)
+++ trunk/src/main/org/jboss/seam/mock/MockHttpSession.java 2008-11-27 06:23:33 UTC (rev
9668)
@@ -29,6 +29,8 @@
private boolean isInvalid;
private ServletContext servletContext;
+ public MockHttpSession() {}
+
public MockHttpSession(ServletContext servletContext)
{
this.servletContext = servletContext;
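Review bot: The added no-arg `MockHttpSession()` leaves the `servletContext` field declared two lines above it at `null`, so any test that builds a session this way and then reaches the servlet context through it will hit a `NullPointerException` (presumably via a `getServletContext()` accessor; I cannot see it in the hunk). Since the constructor exists for the new `IdentityRequestWrapperTest`, which only needs session attributes, a Javadoc stating the limitation would stop the next user being surprised: `/** Creates a session with no ServletContext; only attribute storage is usable, any context access yields null. */`.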
Modified: trunk/src/main/org/jboss/seam/web/IdentityRequestWrapper.java
===================================================================
--- trunk/src/main/org/jboss/seam/web/IdentityRequestWrapper.java 2008-11-27 05:48:13 UTC
(rev 9667)
+++ trunk/src/main/org/jboss/seam/web/IdentityRequestWrapper.java 2008-11-27 06:23:33 UTC
(rev 9668)
@@ -14,7 +14,7 @@
*
* @author Dan Allen
*/
-class IdentityRequestWrapper extends HttpServletRequestWrapper {
+public class IdentityRequestWrapper extends HttpServletRequestWrapper {
private Identity identity;
@@ -32,11 +32,16 @@
@Override
public Principal getUserPrincipal()
{
- return Identity.isSecurityEnabled() && identity != null ?
identity.getPrincipal() : null;
+ return seamSecurityIsActive() ? identity.getPrincipal() :
super.getUserPrincipal();
}
@Override
public boolean isUserInRole(String role) {
- return getUserPrincipal() != null && identity != null ?
identity.hasRole(role) : false;
+ return seamSecurityIsActive() ? identity.hasRole(role) : super.isUserInRole(role);
}
+
+ private boolean seamSecurityIsActive()
+ {
+ return Identity.isSecurityEnabled() && identity != null;
+ }
}
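Review bot: `isUserInRole` changes its precondition in a way the hunk does not document: the removed line only consulted `identity.hasRole(role)` when `getUserPrincipal()` was non-null, while the new line asks `hasRole` whenever `seamSecurityIsActive()` holds, so for an `Identity` that exists but has no authenticated principal the outcome now depends on `hasRole`'s own handling of the not-logged-in case rather than on a null-principal guard — worth a regression test or a comment if that is intended. The other behavioural shift, falling through to `super.getUserPrincipal()`/`super.isUserInRole(role)` when Seam Security is off, is the point of the commit but is only explained in Security.xml; a Javadoc on `seamSecurityIsActive()` would keep that contract next to the code: `/** True when Seam Security is enabled and an Identity is present; Seam's Identity then shadows the container's principal and roles, otherwise the container (e.g. JAAS) answers. */`. The class body continues outside the hunk.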
Modified: trunk/src/test/unit/org/jboss/seam/test/unit/testng.xml
===================================================================
--- trunk/src/test/unit/org/jboss/seam/test/unit/testng.xml 2008-11-27 05:48:13 UTC (rev
9667)
+++ trunk/src/test/unit/org/jboss/seam/test/unit/testng.xml 2008-11-27 06:23:33 UTC (rev
9668)
@@ -61,6 +61,7 @@
<test name="Seam Unit Tests: Filters">
<classes>
<class name="org.jboss.seam.test.unit.web.MultipartRequestTest"
/>
+ <class
name="org.jboss.seam.test.unit.web.IdentityRequestWrapperTest" />
</classes>
</test>
Added: trunk/src/test/unit/org/jboss/seam/test/unit/web/IdentityRequestWrapperTest.java
===================================================================
--- trunk/src/test/unit/org/jboss/seam/test/unit/web/IdentityRequestWrapperTest.java
(rev 0)
+++
trunk/src/test/unit/org/jboss/seam/test/unit/web/IdentityRequestWrapperTest.java 2008-11-27
06:23:33 UTC (rev 9668)
@@ -0,0 +1,69 @@
+package org.jboss.seam.test.unit.web;
+
+import java.security.Principal;
+import java.util.Arrays;
+import java.util.HashSet;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpSession;
+
+import org.jboss.seam.Seam;
+import org.jboss.seam.mock.MockHttpServletRequest;
+import org.jboss.seam.mock.MockHttpSession;
+import org.jboss.seam.security.Identity;
+import org.jboss.seam.security.SimplePrincipal;
+import org.jboss.seam.web.IdentityRequestWrapper;
+import org.testng.annotations.Test;
+
+public class IdentityRequestWrapperTest
+{
+ private static final String JAAS_USER = "jaasUser";
+
+ private static final String JAAS_ROLE = "jaasRole";
+
+ private static final String SEAM_USER = "seamUser";
+
+ private static final String SEAM_ROLE = "seamRole";
+
+ @Test
+ public void testWithSeamSecurityEnabled()
+ {
+ HttpServletRequest request = initializeWrappedRequest();
+ assert request.getUserPrincipal() != null &&
request.getUserPrincipal().getName().equals(SEAM_USER);
+ assert request.getRemoteUser() != null &&
request.getRemoteUser().equals(SEAM_USER);
+ assert request.isUserInRole(SEAM_ROLE);
+ }
+
+ @Test
+ public void testWithSeamSecurityDisabled()
+ {
+ HttpServletRequest request = initializeWrappedRequest();
+ Identity.setSecurityEnabled(false);
+ assert request.getUserPrincipal() != null &&
request.getUserPrincipal().getName().equals(JAAS_USER);
+ assert request.getRemoteUser() != null &&
request.getRemoteUser().equals(JAAS_USER);
+ assert request.isUserInRole(JAAS_ROLE);
+ }
+
+ public HttpServletRequest initializeWrappedRequest() {
+ HttpSession session = new MockHttpSession();
+ Identity identity = new Identity() {
+
+ @Override
+ public Principal getPrincipal()
+ {
+ return new SimplePrincipal(SEAM_USER);
+ }
+
+ @Override
+ public boolean hasRole(String role)
+ {
+ return SEAM_ROLE.equals(role);
+ }
+
+ };
+ session.setAttribute(Seam.getComponentName(Identity.class), identity);
+ HttpServletRequest request = new MockHttpServletRequest(session, JAAS_USER, new
HashSet<String>(Arrays.asList(JAAS_ROLE)), null, "GET");
+ return new IdentityRequestWrapper(request);
+ }
+
+}
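Review bot: `testWithSeamSecurityDisabled` flips the static, process-wide `Identity.setSecurityEnabled(false)` and never restores it, so if TestNG runs it before `testWithSeamSecurityEnabled` (which relies on the default rather than setting the flag itself), or before any later test in the "Seam Unit Tests: Filters" suite that expects security on, those tests fail for reasons unrelated to the wrapper. Restore the flag in an `@AfterMethod` (`public void restoreSecurity() { Identity.setSecurityEnabled(true); }`) and have the enabled test call `Identity.setSecurityEnabled(true);` explicitly before its assertions so the two tests are order-independent. Minor style point: `initializeWrappedRequest()` is a fixture helper and should be `private` rather than `public`.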