Author: shawkins
Date: 2009-04-08 16:38:18 -0400 (Wed, 08 Apr 2009)
New Revision: 732
Modified:
trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java
trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java
trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties
trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java
Log:
TEIID-476 adding a property to restrict root logons
Modified:
trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java
===================================================================
---
trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java 2009-04-08
15:36:10 UTC (rev 731)
+++
trunk/server/src/main/java/com/metamatrix/platform/security/api/service/MembershipServiceInterface.java 2009-04-08
20:38:18 UTC (rev 732)
@@ -64,6 +64,7 @@
public static final String ADMIN_PASSWORD =
ConfigurationPropertyNames.MEMBERSHIP_ADMIN_PASSWORD;
public static final String ADMIN_USERNAME =
ConfigurationPropertyNames.MEMBERSHIP_ADMIN_USERNAME;
public static final String DOMAIN_ACTIVE = "activate"; //$NON-NLS-1$
+ public static final String ADMIN_HOSTS =
"metamatrix.security.admin.allowedHosts"; //$NON-NLS-1$
public static final String SECURITY_ENABLED =
ConfigurationPropertyNames.MEMBERSHIP_SECURITY_ENABLED;
public static final String DOMAIN_PROPERTIES = "propertiesFile";
//$NON-NLS-1$
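Review bot: ADMIN_HOSTS is declared as a bare string literal, while the neighbouring ADMIN_PASSWORD, ADMIN_USERNAME and SECURITY_ENABLED constants go through ConfigurationPropertyNames; keeping the new key in the same place would let operators find every membership property in one list. The constant also carries no Javadoc saying what the value is: the MembershipServiceImpl hunk in this commit compiles it with Pattern.compile and tests it with matches(), and skips the check when it is unset, so a comment such as `/** Regular expression that the full client address must match for a root (admin) logon to be accepted; unset means unrestricted. */` would spare readers the trip to the implementation.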
Modified:
trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java
===================================================================
---
trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java 2009-04-08
15:36:10 UTC (rev 731)
+++
trunk/server/src/main/java/com/metamatrix/platform/security/membership/service/MembershipServiceImpl.java 2009-04-08
20:38:18 UTC (rev 732)
@@ -38,7 +38,10 @@
import java.util.List;
import java.util.Properties;
import java.util.Set;
+import java.util.regex.Pattern;
+import org.teiid.dqp.internal.process.DQPWorkContext;
+
import com.metamatrix.admin.api.exception.security.MetaMatrixSecurityException;
import com.metamatrix.api.exception.security.InvalidPrincipalException;
import com.metamatrix.api.exception.security.InvalidUserException;
@@ -111,6 +114,8 @@
private String adminUsername = DEFAULT_ADMIN_USERNAME;
private String adminCredentials;
+ private Pattern allowedAddresses;
+
private boolean isSecurityEnabled = true;
public MembershipServiceImpl() {
@@ -137,6 +142,11 @@
throw new
ServiceException(PlatformPlugin.Util.getString("MembershipServiceImpl.Root_password_required"));
//$NON-NLS-1$
}
+ String property = env.getProperty(ADMIN_HOSTS);
+ if (property != null && property.length() > 0) {
+ this.allowedAddresses = Pattern.compile(property);
+ }
+
isSecurityEnabled =
Boolean.valueOf(env.getProperty(SECURITY_ENABLED)).booleanValue();
LogManager.logDetail(LogSecurityConstants.CTX_MEMBERSHIP, "Security Enabled:
" + isSecurityEnabled); //$NON-NLS-1$
@@ -266,6 +276,14 @@
protected void killService() {
this.shutdownDomains();
}
+
+ void setAllowedAddresses(Pattern allowedAddresses) {
+ this.allowedAddresses = allowedAddresses;
+ }
+
+ void setAdminCredentials(String adminCredentials) {
+ this.adminCredentials = adminCredentials;
+ }
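Review bot: The two package-private setters added after killService() carry no comment, and nothing in the hunk says why a field that initialization derives from the environment (allowedAddresses) and the root credentials may be overwritten after startup; the test added in this commit is the only caller visible. A one-liner such as `/** Test hook: overrides the pattern compiled from ADMIN_HOSTS during initialization. */` (and the equivalent for setAdminCredentials) would stop the next maintainer from widening them to public.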
/**
* Authenticate a user with the specified username and credential
@@ -306,6 +324,17 @@
}
if (isSuperUser(username)) {
+ if (isSecurityEnabled && allowedAddresses != null) {
+ String address = DQPWorkContext.getWorkContext().getClientAddress();
+ if (address == null) {
+ LogManager.logWarning(LogSecurityConstants.CTX_MEMBERSHIP,
PlatformPlugin.Util.getString("MembershipServiceImpl.unknown_host"));
//$NON-NLS-1$
+ return new FailedAuthenticationToken();
+ }
+ if (!allowedAddresses.matcher(address).matches() ||
address.equals(CurrentConfiguration.getInstance().getHostAddress().getHostAddress())) {
+ LogManager.logWarning(LogSecurityConstants.CTX_MEMBERSHIP,
PlatformPlugin.Util.getString("MembershipServiceImpl.invalid_host", address,
allowedAddresses.pattern())); //$NON-NLS-1$
+ return new FailedAuthenticationToken();
+ }
+ }
// decrypt admin password for comparison
if ((credential != null &&
adminCredentials.equals(String.valueOf(credential.getCredentialsAsCharArray())))) {
return new SuccessfulAuthenticationToken(trustedPayload, username);
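Review bot: The new condition `if (!allowedAddresses.matcher(address).matches() || address.equals(CurrentConfiguration.getInstance().getHostAddress().getHostAddress()))` also refuses a root logon whose client address equals the server's own address, yet the warning it logs (MembershipServiceImpl.invalid_host) tells the operator the address "is not in the allowed values", which is untrue when the pattern did match. If excluding the server's own address is intentional it deserves its own message and a why-comment such as `// a root logon presenting the server's own address is refused even when the pattern allows it` — I am inferring the intent, since the hunk does not state it; if the intent was instead to always admit local logons, the `||` should become an `&&` with the equality negated. The test added in TestMembershipServiceImpl only exercises the pattern branch, so whichever is meant should get a case. The restriction is also only as reliable as DQPWorkContext.getClientAddress(): worth confirming it is populated from the transport layer rather than from anything the client supplies. authenticateUser starts and ends outside the hunk.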
Modified: trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties
===================================================================
--- trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties 2009-04-08
15:36:10 UTC (rev 731)
+++ trunk/server/src/main/resources/com/metamatrix/platform/i18n.properties 2009-04-08
20:38:18 UTC (rev 732)
@@ -1267,6 +1267,8 @@
MembershipServiceImpl.Decrypt_failed=Could not decrypt the encrypted password for user
''{0}''
MembershipServiceImpl.source_exception=Membership Domain ''{0}'' failed
to perform the desired operation, please check the settings for this domain
MembershipServiceImpl.load_error=Could not load file ''{0}'' from the
classpath, the file system, or as a URL.
+MembershipServiceImpl.unknown_host=Did not allow root user authentication attempt, since
root logons are restricted and could not determine the remote host.
+MembershipServiceImpl.invalid_host=Could not authenticate root user, since the client
address {0} is not in the allowed values {1}
LDAPMembershipDomain.No_annonymous=Annonymous user authentications are not allowed in
domain {0}
LDAPMembershipDomain.Required_property=Required property {0} was missing.
Modified:
trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java
===================================================================
---
trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java 2009-04-08
15:36:10 UTC (rev 731)
+++
trunk/server/src/test/java/com/metamatrix/platform/security/membership/service/TestMembershipServiceImpl.java 2009-04-08
20:38:18 UTC (rev 732)
@@ -23,9 +23,12 @@
package com.metamatrix.platform.security.membership.service;
import java.util.Properties;
+import java.util.regex.Pattern;
import junit.framework.TestCase;
+import org.teiid.dqp.internal.process.DQPWorkContext;
+
import com.metamatrix.api.exception.security.InvalidPrincipalException;
import com.metamatrix.common.util.crypto.CryptoUtil;
import com.metamatrix.platform.security.api.Credentials;
@@ -86,6 +89,26 @@
return membershipService;
}
+ public void testSuperAuthenticate() throws Exception {
+ MembershipServiceImpl membershipService = createMembershipService();
+
membershipService.setAllowedAddresses(Pattern.compile("192[.]168[.]0[.]2"));
//$NON-NLS-1$
+ membershipService.setAdminCredentials("pass1"); //$NON-NLS-1$
+
+ AuthenticationToken at =
membershipService.authenticateUser(MembershipServiceImpl.DEFAULT_ADMIN_USERNAME, new
Credentials("pass1".toCharArray()), null, null); //$NON-NLS-1$ //$NON-NLS-2$
+
+ assertFalse(at.isAuthenticated());
+ DQPWorkContext.getWorkContext().setClientAddress("192.168.0.1");
//$NON-NLS-1$
+ at =
membershipService.authenticateUser(MembershipServiceImpl.DEFAULT_ADMIN_USERNAME, new
Credentials("pass1".toCharArray()), null, null); //$NON-NLS-1$ //$NON-NLS-2$
+
+ assertFalse(at.isAuthenticated());
+ DQPWorkContext.getWorkContext().setClientAddress("192.168.0.2");
//$NON-NLS-1$
+ at =
membershipService.authenticateUser(MembershipServiceImpl.DEFAULT_ADMIN_USERNAME, new
Credentials("pass1".toCharArray()), null, null); //$NON-NLS-1$ //$NON-NLS-2$
+
+ assertTrue(at.isAuthenticated());
+ }
+
+
+
public void testGetPrincipal() throws Exception {
MembershipServiceImpl membershipService = createMembershipService();
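Review bot: testSuperAuthenticate sets the client address on DQPWorkContext.getWorkContext() and never clears it, so if that context is shared across tests on the same thread (it reads as thread-local state, though the hunk does not show it) the last value `192.168.0.2` leaks into testGetPrincipal and any later test; resetting it in a finally block or in tearDown would isolate the test. The test covers the unknown-address and pattern-mismatch branches but not the branch that refuses the server's own host address, which is the path most likely to surprise in deployment. The bare assertFalse calls would also be easier to diagnose with a message, e.g. `assertFalse("root logon must be refused when the client address is unknown", at.isAuthenticated());`. testGetPrincipal continues outside the hunk.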