[Jboss-cvs] JBossAS SVN: r56358 - trunk/security/src/main/org/jboss/security/plugins
Mon Aug 28 16:50:36 EDT 2006
Author: anil.saldhana at jboss.com
Date: 2006-08-28 16:50:35 -0400 (Mon, 28 Aug 2006)
New Revision: 56358
Modified:
trunk/security/src/main/org/jboss/security/plugins/JBossAuthorizationManager.java
trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManager.java
Log:
JBAS-3576: Security Context
Modified: trunk/security/src/main/org/jboss/security/plugins/JBossAuthorizationManager.java
===================================================================
--- trunk/security/src/main/org/jboss/security/plugins/JBossAuthorizationManager.java 2006-08-28 20:49:36 UTC (rev 56357)
+++ trunk/security/src/main/org/jboss/security/plugins/JBossAuthorizationManager.java 2006-08-28 20:50:35 UTC (rev 56358)
@@ -22,7 +22,7 @@
package org.jboss.security.plugins;
import java.io.InputStream;
-import java.net.URL;
+import java.net.URL;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Enumeration;
@@ -41,18 +41,19 @@
import org.jboss.logging.Logger;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthorizationManager;
-import org.jboss.security.NobodyPrincipal;
+import org.jboss.security.NobodyPrincipal;
+import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityContext;
import org.jboss.security.Util;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.AuthorizationException;
+import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.security.authorization.Resource;
-import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.util.CachePolicy;
import org.jboss.util.TimedCachePolicy;
import org.jboss.util.xml.DOMUtils;
import org.w3c.dom.Element;
-//Sun's OSS XACML implementation
import com.sun.xacml.Policy;
//$Id$
@@ -241,31 +242,22 @@
public boolean doesUserHaveRole(Principal principal, Set rolePrincipals)
{
boolean hasRole = false;
- // Check that the caller is authenticated to the current thread
- Subject subject = SubjectActions.getActiveSubject();
- if( subject != null )
+ Group roles = this.getCurrentRoles();
+ if( trace )
+ log.trace("doesUserHaveRole(Set), roles: "+roles);
+ if(roles != null)
{
- // Check the caller's roles
- if( trace )
- log.trace("doesUserHaveRole(Set), subject: "+subject);
-
- Group roles = getSubjectRoles(subject);
- if( trace )
- log.trace("roles="+roles);
- if( roles != null )
+ Iterator iter = rolePrincipals.iterator();
+ while( hasRole == false && iter.hasNext() )
{
- Iterator iter = rolePrincipals.iterator();
- while( hasRole == false && iter.hasNext() )
- {
- Principal role = (Principal) iter.next();
- hasRole = doesRoleGroupHaveRole(role, roles);
- if( trace )
- log.trace("hasRole("+role+")="+hasRole);
- }
+ Principal role = (Principal) iter.next();
+ hasRole = doesRoleGroupHaveRole(role, roles);
+ if( trace )
+ log.trace("hasRole("+role+")="+hasRole);
}
if( trace )
log.trace("hasRole="+hasRole);
- }
+ }
return hasRole;
}
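Review bot: The `principal` argument is still never consulted in the rewritten body — the roles compared against come from getCurrentRoles(), i.e. whatever Subject and SecurityContext are associated with the calling thread — so a caller passing another user's Principal gets an answer about the current caller, not about that user. The removed code had the same gap, but since this commit changes where the roles come from (context plus Subject rather than Subject alone), the method's javadoc, which sits above the hunk, should state it plainly, e.g. `The principal argument is ignored; roles are taken from the calling thread's SecurityContext and Subject.` The same sentence belongs on the Principal overload below.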
@@ -283,20 +275,8 @@
public boolean doesUserHaveRole(Principal principal, Principal role)
{
boolean hasRole = false;
- // Check that the caller is authenticated to the current thread
- Subject subject = SubjectActions.getActiveSubject();
- if( subject != null )
- {
- // Check the caller's roles
- if( trace )
- log.trace("doesUserHaveRole(Principal), subject: "+subject);
-
- Group roles = getSubjectRoles(subject);
- if( roles != null )
- {
- hasRole = doesRoleGroupHaveRole(role, roles);
- }
- }
+ Group roles = this.getCurrentRoles();
+ hasRole = doesRoleGroupHaveRole(role, roles);
return hasRole;
}
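Review bot: The null guard on the role group was dropped in this overload but kept in the Set overload above (`if(roles != null)`), so `doesRoleGroupHaveRole(role, roles)` is now reached with `roles == null` whenever getCurrentRoles() finds neither context roles nor a Subject; the body of doesRoleGroupHaveRole is outside the hunk, so whether it tolerates a null group cannot be confirmed here. Unless it is known to return false for a null group, restore the check inline: `hasRole = roles != null && doesRoleGroupHaveRole(role, roles);`. Keeping both overloads on the same contract also avoids an unauthenticated caller turning an authorization check into an NPE.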
@@ -318,12 +298,12 @@
*/
public Set getUserRoles(Principal principal)
{
- //Fallback on the subject roles
- //Check that the caller is authenticated to the current thread
- Subject subject = SubjectActions.getActiveSubject();
- return this.getRolesAsSet(Util.getSubjectRoles(subject));
+ Group userRoles = getCurrentRoles();
+ return this.getRolesAsSet(userRoles);
}
+
+
/**
* @see AuthorizationManager#getPrincipal(Principal)
*/
@@ -492,27 +472,7 @@
}
return isMember;
- }
-
- /**
- * Get the Subject roles by looking for a Group called 'Roles'
- * @param theSubject - the Subject to search for roles
- * @return the Group contain the subject roles if found, null otherwise
- */
- private Group getSubjectRoles(Subject theSubject)
- {
- Set subjectGroups = theSubject.getPrincipals(Group.class);
- Iterator iter = subjectGroups.iterator();
- Group roles = null;
- while( iter.hasNext() )
- {
- Group grp = (Group) iter.next();
- String name = grp.getName();
- if( name.equals("Roles") )
- roles = grp;
- }
- return roles;
- }
+ }
/**
* @see PolicyRegistration#registerPolicy(String, URL)
@@ -600,5 +560,65 @@
}
}
return userRoles;
+ }
+
+ /*
+ * Get the current role group from the security context or
+ * the Subject
+ */
+ private Group getCurrentRoles()
+ {
+ boolean emptyContextRoles = false;
+ //Check that the caller is authenticated to the current thread
+ Subject subject = SubjectActions.getActiveSubject();
+ Group subjectRoles = Util.getSubjectRoles(subject);
+
+ //Deal with the security context
+ SecurityContext sc = SecurityAssociation.getSecurityContext();
+ if(sc == null)
+ {
+ sc = new SecurityContext();
+ SecurityAssociation.setSecurityContext(sc);
+ }
+
+ Group userRoles = sc.getRoles(securityDomain);
+ if(userRoles == null)
+ emptyContextRoles = true;
+ userRoles = copyGroups(userRoles, subjectRoles);
+
+ /**
+ * Update the roles in the SecurityContext and
+ * allow mapping rules be applied only if the SC roles
+ * and the subject roles are not the same
+ */
+ if(subjectRoles != userRoles || emptyContextRoles)
+ sc.setRoles(userRoles, securityDomain);
+
+ //Send the final processed (mapping applied) roles
+ return sc.getRoles(securityDomain);
+ }
+
+ /**
+ * Copy the principals from the second group into the first.
+ * If the first group is null and the second group is not, the
+ * first group will be made equal to the second group
+ * @param source
+ * @param toCopy
+ */
+ public Group copyGroups(Group source, Group toCopy)
+ {
+ if(toCopy == null)
+ return source;
+ if(source == null && toCopy != null)
+ source = toCopy;
+ else
+ {
+ Enumeration en = toCopy.members();
+ while(en.hasMoreElements())
+ {
+ source.addMember((Principal)en.nextElement());
+ }
+ }
+ return source;
}
}
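Review bot: getCurrentRoles merges the Subject's roles into the Group instance already held by the SecurityContext — copyGroups calls `source.addMember(...)` on the object returned by `sc.getRoles(securityDomain)` — so roles on the thread-associated context only ever accumulate and a role can never drop out between calls; if that context outlives the Subject that produced it (the method creates and installs a context but never clears one), a later caller on the same thread inherits the earlier roles, which is a privilege-leak path rather than a cache. The guard `if(subjectRoles != userRoles || emptyContextRoles)` is a reference comparison, and after copyGroups `userRoles` is either the context Group or the Subject Group, so setRoles runs on every call except when both are null — the "only if ... not the same" intent in the comment above it is not what the code does; either compare membership or drop the comment. Prefer copying both groups into a fresh Group instance and storing that, leaving the Subject's and the context's existing groups unmodified, and making the merge helper `private` rather than `public` since it exposes in-place mutation of a principal set to any caller of the manager. Installing a new SecurityContext from inside a role lookup is also a write side effect in a read path and deserves a comment explaining why it is needed here.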
Modified: trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManager.java
===================================================================
--- trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManager.java 2006-08-28 20:49:36 UTC (rev 56357)
+++ trunk/security/src/main/org/jboss/security/plugins/JaasSecurityManager.java 2006-08-28 20:50:35 UTC (rev 56358)
@@ -26,7 +26,7 @@
import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
-import java.util.Enumeration;
+import java.util.Enumeration;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.Subject;
@@ -39,7 +39,7 @@
import org.jboss.security.RealmMapping;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SubjectSecurityManager;
-import org.jboss.security.Util;
+import org.jboss.security.Util;
import org.jboss.security.auth.callback.SecurityAssociationHandler;
import org.jboss.system.ServiceMBeanSupport;
import org.jboss.util.CachePolicy;
@@ -269,8 +269,8 @@
{
log.debug("setDeepCopySubjectOption="+ flag);
this.deepCopySubjectOption = (flag == Boolean.TRUE) ;
- }
-
+ }
+
/** Not really used anymore as the security manager service manages the
security domain authentication caches.
*/
@@ -343,7 +343,7 @@
if( isValid == false )
isValid = authenticate(principal, credential, activeSubject);
if( trace )
- log.trace("End isValid, "+isValid);
+ log.trace("End isValid, "+isValid);
return isValid;
}