[Jboss-cvs] JBossAS SVN: r56120 - trunk/security/src/main/org/jboss/security/plugins
Mon Aug 21 12:40:10 EDT 2006
Author: anil.saldhana at jboss.com
Date: 2006-08-21 12:40:09 -0400 (Mon, 21 Aug 2006)
New Revision: 56120
Modified:
trunk/security/src/main/org/jboss/security/plugins/AuthorizationManagerService.java
trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManager.java
trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java
Log:
JBAS-3535: AuthorizationManager from JNDI
Modified: trunk/security/src/main/org/jboss/security/plugins/AuthorizationManagerService.java
===================================================================
--- trunk/security/src/main/org/jboss/security/plugins/AuthorizationManagerService.java 2006-08-21 16:37:05 UTC (rev 56119)
+++ trunk/security/src/main/org/jboss/security/plugins/AuthorizationManagerService.java 2006-08-21 16:40:09 UTC (rev 56120)
@@ -28,6 +28,9 @@
import java.util.Set;
import javax.management.ObjectName;
+import javax.naming.Context;
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
import javax.security.auth.callback.CallbackHandler;
import org.jboss.logging.Logger;
@@ -175,6 +178,21 @@
amanager = newAuthorizationManager(securityDomain);
this.authorizationManagersMap.put(securityDomain, amanager);
log.debug("Added "+securityDomain+", " + amanager + " to map");
+ //Add a JNDI binding based on the JaasSecurityManagerService
+ //SecurityDomainContext
+ try
+ {
+ Context ctx = new InitialContext();
+
+ SecurityDomainContext sdc = (SecurityDomainContext)ctx.lookup("java:jaas/security/domainContext");
+ sdc.setAuthorizationManager(amanager);
+ }
+ catch (NamingException e)
+ {
+ if(log.isTraceEnabled())
+ log.trace("Error in naming", e);
+ log.error("Error in getAuthorizationManager",e);
+ }
}
return amanager;
}
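Review bot: The new `ctx.lookup("java:jaas/security/domainContext")` line resolves a fixed JNDI name that does not include `securityDomain`, so every domain's AuthorizationManager is pushed onto whichever single SecurityDomainContext is bound under that name; if the domain contexts are bound per domain (not visible in this diff), the lookup needs a domain-specific name. The `InitialContext` is also never closed, and by the time a `NamingException` is caught the manager has already been put into `authorizationManagersMap` and is still returned, so a failed binding is logged twice (trace and then error) and never retried on later calls. I would close the context in a `finally { ctx.close(); }`, drop the redundant trace line, and either perform the binding before the `put` or skip caching when it fails so the next call can retry. The enclosing method begins outside this hunk.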
@@ -195,7 +213,7 @@
* @return
* @throws NamingException
*/
- private static AuthorizationManager newAuthorizationManager(String securityDomain)
+ static AuthorizationManager newAuthorizationManager(String securityDomain)
{
AuthorizationManager securityMgr = null;
try
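Review bot: The javadoc on the now package-private `newAuthorizationManager` still has an empty `@return` and declares `@throws NamingException` although the signature carries no throws clause; now that JaasSecurityManagerService calls it directly, its contract should be stated. From the `securityMgr = null` initialiser it looks as though a null return is possible when construction fails — confirm that and document it, e.g. `@return the AuthorizationManager for securityDomain, or null if it could not be created`, and remove the stale `@throws`. The method body continues past the end of this hunk.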
Modified: trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManager.java
===================================================================
--- trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManager.java 2006-08-21 16:37:05 UTC (rev 56119)
+++ trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManager.java 2006-08-21 16:40:09 UTC (rev 56120)
@@ -26,8 +26,7 @@
import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
-import java.util.Enumeration;
-import java.util.HashSet;
+import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
@@ -35,12 +34,12 @@
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
-import org.jboss.logging.Logger;
-import org.jboss.security.AnybodyPrincipal;
-import org.jboss.security.NobodyPrincipal;
+import org.jboss.logging.Logger;
+import org.jboss.security.AuthorizationManager;
import org.jboss.security.RealmMapping;
-import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityAssociation;
import org.jboss.security.SubjectSecurityManager;
+import org.jboss.security.Util;
import org.jboss.security.auth.callback.SecurityAssociationHandler;
import org.jboss.system.ServiceMBeanSupport;
import org.jboss.util.CachePolicy;
@@ -58,6 +57,7 @@
@author <a href="on at ibis.odessa.ua">Oleg Nitz</a>
@author Scott.Stark at jboss.org
+ @author Anil.Saldhana at jboss.org
@version $Revision$
*/
public class JaasSecurityManager extends ServiceMBeanSupport
@@ -205,8 +205,8 @@
/** The setSecurityInfo(Principal, Object) method of the handler obj */
private Method setSecurityInfo;
/** The flag to indicate that the Subject sets need to be deep copied*/
- private boolean deepCopySubjectOption = false;
-
+ private boolean deepCopySubjectOption = false;
+
/** The log4j category for the security manager domain
*/
protected Logger log;
@@ -244,7 +244,7 @@
{
String msg = "Failed to find setSecurityInfo(Princpal, Object) method in handler";
throw new UndeclaredThrowableException(e, msg);
- }
+ }
log.debug("CallbackHandler: "+handler);
}
@@ -357,24 +357,8 @@
*/
public Principal getPrincipal(Principal principal)
{
- Principal result = principal;
- // Get the CallerPrincipal group member
- synchronized( domainCache )
- {
- DomainInfo info = getCacheInfo(principal, false);
- if( trace )
- log.trace("getPrincipal, cache info: "+info);
- if( info != null )
- {
- result = info.callerPrincipal;
- // If the mapping did not have a callerPrincipal just use principal
- if( result == null )
- result = principal;
- info.release();
- }
- }
-
- return result;
+ AuthorizationManager am = Util.getAuthorizationManager(securityDomain);
+ return am.getPrincipal(principal);
}
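Review bot: The new body dereferences the result of `Util.getAuthorizationManager(securityDomain)` without a null check, so if the lookup yields no AuthorizationManager the caller gets a NullPointerException where the old code fell back to returning `principal`; the same pattern is repeated in the `doesUserHaveRole(Principal, Set)` and `getUserRoles` hunks below. Whether `Util.getAuthorizationManager` can return null or throws on failure is not visible here — if it can return null, guard it with `if (am == null) throw new IllegalStateException("No AuthorizationManager for security domain " + securityDomain);` so a misconfigured domain fails with a clear message. This is also a behavioural change worth noting in the javadoc: the caller-principal mapping previously came from the per-domain `domainCache` (`DomainInfo.callerPrincipal`) and is now whatever the AuthorizationManager returns.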
/** Does the current Subject have a role(a Principal) that equates to one
@@ -395,67 +379,11 @@
@see Subject#getPrincipals()
*/
public boolean doesUserHaveRole(Principal principal, Set rolePrincipals)
- {
- boolean hasRole = false;
- // Check that the caller is authenticated to the current thread
- Subject subject = SubjectActions.getActiveSubject();
- if( subject != null )
- {
- // Check the caller's roles
- if( trace )
- log.trace("doesUserHaveRole(Set), subject: "+subject);
+ {
+ AuthorizationManager am = Util.getAuthorizationManager(securityDomain);
+ return am.doesUserHaveRole(principal, rolePrincipals);
+ }
- Group roles = getSubjectRoles(subject);
- if( trace )
- log.trace("roles="+roles);
- if( roles != null )
- {
- Iterator iter = rolePrincipals.iterator();
- while( hasRole == false && iter.hasNext() )
- {
- Principal role = (Principal) iter.next();
- hasRole = doesRoleGroupHaveRole(role, roles);
- if( trace )
- log.trace("hasRole("+role+")="+hasRole);
- }
- }
- if( trace )
- log.trace("hasRole="+hasRole);
- }
- return hasRole;
- }
-
- /** Does the current Subject have a role(a Principal) that equates to one
- of the role names.
-
- @see #doesUserHaveRole(Principal, Set)
-
- @param principal - ignored. The current authenticated Subject determines
- the active user and assigned user roles.
- @param role - the application domain role that the principal is to be
- validated against.
- @return true if the active principal has the role, false otherwise.
- */
- public boolean doesUserHaveRole(Principal principal, Principal role)
- {
- boolean hasRole = false;
- // Check that the caller is authenticated to the current thread
- Subject subject = SubjectActions.getActiveSubject();
- if( subject != null )
- {
- // Check the caller's roles
- if( trace )
- log.trace("doesUserHaveRole(Principal), subject: "+subject);
-
- Group roles = getSubjectRoles(subject);
- if( roles != null )
- {
- hasRole = doesRoleGroupHaveRole(role, roles);
- }
- }
- return hasRole;
- }
-
/** Return the set of domain roles the current active Subject 'Roles' group
found in the subject Principals set.
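Review bot: The public overload `doesUserHaveRole(Principal principal, Principal role)` is deleted outright in this hunk, which is a source- and binary-incompatible change for anyone calling or overriding it on this security manager. If the `RealmMapping` interface does not require it (not visible here), a delegating version keeps callers compiling: `public boolean doesUserHaveRole(Principal principal, Principal role) { return doesUserHaveRole(principal, java.util.Collections.singleton(role)); }`. If the removal is intended, the commit message should say so, since it changes the class's public surface.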
@@ -466,55 +394,10 @@
*/
public Set getUserRoles(Principal principal)
{
- HashSet userRoles = null;
- // Check that the caller is authenticated to the current thread
- Subject subject = SubjectActions.getActiveSubject();
- if( subject != null )
- {
- // Copy the caller's roles
- if( trace )
- log.trace("getUserRoles, subject: "+subject);
+ AuthorizationManager am = Util.getAuthorizationManager(securityDomain);
+ return am.getUserRoles(principal);
+ }
- Group roles = getSubjectRoles(subject);
- if( roles != null )
- {
- userRoles = new HashSet();
- Enumeration members = roles.members();
- while( members.hasMoreElements() )
- {
- Principal role = (Principal) members.nextElement();
- userRoles.add(role);
- }
- }
- }
- return userRoles;
- }
-
- /** Check that the indicated application domain role is a member of the
- user's assigned roles. This handles the special AnybodyPrincipal and
- NobodyPrincipal independent of the Group implementation.
-
- @param role , the application domain role required for access
- @param userRoles , the set of roles assigned to the user
- @return true if role is in userRoles or an AnybodyPrincipal instance, false
- if role is a NobodyPrincipal or no a member of userRoles
- */
- protected boolean doesRoleGroupHaveRole(Principal role, Group userRoles)
- {
- // First check that role is not a NobodyPrincipal
- if (role instanceof NobodyPrincipal)
- return false;
-
- // Check for inclusion in the user's role set
- boolean isMember = userRoles.isMember(role);
- if (isMember == false)
- { // Check the AnybodyPrincipal special cases
- isMember = (role instanceof AnybodyPrincipal);
- }
-
- return isMember;
- }
-
/** Currently this simply calls defaultLogin() to do a JAAS login using the
security domain name as the login module configuration name.
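Review bot: `doesRoleGroupHaveRole(Principal, Group)` was `protected`, so deleting it in this hunk breaks subclasses that override or call it to customise role matching. More importantly, that method carried the NobodyPrincipal-always-denies / AnybodyPrincipal-always-allows special cases, and nothing in this diff shows where they now live; it is worth confirming that the AuthorizationManager the new `getUserRoles` and `doesUserHaveRole` bodies delegate to preserves those semantics, since dropping them changes access decisions. The old `getUserRoles` also returned null when there was no active Subject; the javadoc should state what the delegated call returns in that case.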
@@ -801,25 +684,5 @@
log.trace("Inserted cache info: "+info);
}
return info.subject;
- }
-
- /**
- * Get the Subject roles by looking for a Group called 'Roles'
- * @param theSubject - the Subject to search for roles
- * @return the Group contain the subject roles if found, null otherwise
- */
- private Group getSubjectRoles(Subject theSubject)
- {
- Set subjectGroups = theSubject.getPrincipals(Group.class);
- Iterator iter = subjectGroups.iterator();
- Group roles = null;
- while( iter.hasNext() )
- {
- Group grp = (Group) iter.next();
- String name = grp.getName();
- if( name.equals("Roles") )
- roles = grp;
- }
- return roles;
- }
+ }
}
Modified: trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java
===================================================================
--- trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java 2006-08-21 16:37:05 UTC (rev 56119)
+++ trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java 2006-08-21 16:40:09 UTC (rev 56120)
@@ -33,7 +33,7 @@
import java.util.Map;
import java.util.Iterator;
import java.beans.PropertyEditorManager;
-
+
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.InitialContext;
@@ -51,8 +51,9 @@
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
-import org.jboss.logging.Logger;
+import org.jboss.logging.Logger;
import org.jboss.security.AuthenticationManager;
+import org.jboss.security.AuthorizationManager;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SecurityProxyFactory;
import org.jboss.security.SecurityDomain;
@@ -117,7 +118,7 @@
private static boolean deepCopySubjectMode = false;
/** The default unauthenticated principal */
- private static String defaultUnauthenticatedPrincipal = "Unauthenticated Principal";
+ private static String defaultUnauthenticatedPrincipal = "Unauthenticated Principal";
static
{
@@ -167,7 +168,7 @@
securityProxyFactoryClassName = className;
ClassLoader loader = Thread.currentThread().getContextClassLoader();
securityProxyFactoryClass = loader.loadClass(securityProxyFactoryClassName);
- }
+ }
/** Get the default CallbackHandler implementation class name
*
@@ -283,7 +284,7 @@
log.warn("Failed to find cache policy for securityDomain='"
+ securityDomain + "'");
}
- }
+ }
/** flush the cache policy for the indicated security domain if one exists.
* @param securityDomain the name of the security domain cache
@@ -496,7 +497,9 @@
{
log.debug("Added "+securityDomain+", "+instance+" to map");
CachePolicy authCache = lookupCachePolicy(securityDomain);
+
SecurityDomainContext sdc = new SecurityDomainContext(instance, authCache);
+ sdc.setAuthorizationManager(AuthorizationManagerService.newAuthorizationManager(securityDomain));
securityDomainCtxMap.put(securityDomain, sdc);
// See if the security mgr supports an externalized cache policy
setSecurityDomainCache(instance, authCache);
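Review bot: The new `sdc.setAuthorizationManager(AuthorizationManagerService.newAuthorizationManager(securityDomain))` line stores the result without checking it; `newAuthorizationManager` initialises its result to null (see the AuthorizationManagerService hunk), so a failed construction leaves a SecurityDomainContext with no AuthorizationManager and the JaasSecurityManager methods that now delegate to it fail later with a NullPointerException rather than at registration. The same unchecked call appears in this file's hunk at `@@ -640,12 +643,15 @@`. Either have `newAuthorizationManager` throw instead of returning null, or check the result at both sites, and since both sites build the same value a small private helper would remove the duplication.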
@@ -640,12 +643,15 @@
Object[] args = {securityDomain, handler};
AuthenticationManager securityMgr = (AuthenticationManager) ctor.newInstance(args);
log.debug("Created securityMgr="+securityMgr);
- CachePolicy cachePolicy = lookupCachePolicy(securityDomain);
+ CachePolicy cachePolicy = lookupCachePolicy(securityDomain);
sdc = new SecurityDomainContext(securityMgr, cachePolicy);
// See if the security mgr supports an externalized cache policy
setSecurityDomainCache(securityMgr, cachePolicy);
if(deepCopySubjectMode)
setDeepCopySubjectOption(securityMgr, true);
+ //Set the Authorization Manager
+ AuthorizationManager am = AuthorizationManagerService.newAuthorizationManager(securityDomain);
+ sdc.setAuthorizationManager(am);
}
catch(Exception e2)
{
@@ -657,8 +663,8 @@
throw ne;
}
return sdc;
- }
-
+ }
+
/**
* Get the default unauthenticated principal.
* @return The principal name