[jboss-cvs] JBossAS SVN: r62260 - in trunk/tomcat/src/main/org/jboss/web/tomcat/security: authorization and 1 other directory.
jboss-cvs-commits at lists.jboss.org
Wed Apr 11 12:32:33 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-04-11 12:32:33 -0400 (Wed, 11 Apr 2007)
New Revision: 62260
Modified:
trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java
trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationValve.java
trunk/tomcat/src/main/org/jboss/web/tomcat/security/authorization/WebResource.java
Log:
JBAS-43217: SecurityContext over the invocation
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java 2007-04-11 16:31:17 UTC (rev 62259)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/JBossWebRealm.java 2007-04-11 16:32:33 UTC (rev 62260)
@@ -59,18 +59,18 @@
import org.jboss.security.SecurityConstants;
import org.jboss.security.SecurityContext;
import org.jboss.security.SimplePrincipal;
-import org.jboss.security.SubjectSecurityManager;
-import org.jboss.security.SecurityContext.SubjectInfo;
-import org.jboss.security.audit.AuditContext;
+import org.jboss.security.SubjectSecurityManager;
import org.jboss.security.audit.AuditEvent;
import org.jboss.security.audit.AuditLevel;
import org.jboss.security.audit.AuditManager;
+import org.jboss.security.audit.SecurityAuditManager;
import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
import org.jboss.security.auth.certs.SubjectDNMapping;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.AuthorizationException;
-import org.jboss.security.authorization.ResourceKeys;
-import org.jboss.security.plugins.JBossSecurityContext;
+import org.jboss.security.authorization.ResourceKeys;
+import org.jboss.security.plugins.SecurityContextAssociation;
+import org.jboss.security.plugins.SecurityContextFactory;
import org.jboss.web.tomcat.security.authorization.WebResource;
//$Id$
@@ -186,7 +186,7 @@
public Principal authenticate(X509Certificate[] certs)
{
Principal principal = null;
- Context securityCtx = getSecurityContext();
+ Context securityCtx = getSecurityNamingContext();
if (securityCtx == null)
{
if (trace)
@@ -208,9 +208,9 @@
{
log.trace("User: " + principal + " is authenticated");
}
+ securityDomain = securityMgr.getSecurityDomain();
SecurityAssociationActions.setPrincipalInfo(principal, certs, subject);
- securityDomain = securityMgr.getSecurityDomain();
//Establish the Security Context
this.establishSecurityContext(securityDomain,
principal, certs, subject);
@@ -270,7 +270,7 @@
String nc, String cnonce, String qop, String realm, String md5a2)
{
Principal principal = null;
- Context securityCtx = getSecurityContext();
+ Context securityCtx = getSecurityNamingContext();
if (securityCtx == null)
{
if (trace)
@@ -364,7 +364,7 @@
log.trace("Begin authenticate, username=" + username);
}
Principal principal = null;
- Context securityCtx = getSecurityContext();
+ Context securityCtx = getSecurityNamingContext();
if (securityCtx == null)
{
if (trace)
@@ -485,7 +485,7 @@
Subject caller = this.establishSubjectContext(request.getPrincipal());
- Map map = new HashMap();
+ Map<String,Object> map = new HashMap<String,Object>();
map.put(ResourceKeys.WEB_REQUEST, request);
map.put(ResourceKeys.WEB_RESPONSE, response);
map.put(ResourceKeys.WEB_SECURITY_CONSTRAINTS, securityConstraints);
@@ -545,7 +545,7 @@
}
boolean baseDecision = ignoreBaseDecision ? true : super.hasRole(principal, role);
- Map map = new HashMap();
+ Map<String,Object> map = new HashMap<String,Object>();
map.put(ResourceKeys.ROLENAME, roleName);
map.put(ResourceKeys.HASROLE_PRINCIPAL, principal);
map.put(ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE);
@@ -569,7 +569,7 @@
{
Principal requestPrincipal = request.getPrincipal();
establishSubjectContext(requestPrincipal);
- Map map = new HashMap();
+ Map<String,Object> map = new HashMap<String,Object>();
map.put(ResourceKeys.WEB_REQUEST, request);
map.put(ResourceKeys.WEB_RESPONSE, response);
map.put(ResourceKeys.WEB_SECURITY_CONSTRAINTS, constraints);
@@ -693,7 +693,7 @@
//*****************************************************************************
// PRIVATE METHODS
//*****************************************************************************
- private int authorize(Map map)
+ private int authorize(Map<String,Object> map)
{
AuthorizationManager authzMgr = this.getAuthorizationManager();
if(authzMgr == null)
@@ -767,7 +767,7 @@
AuthorizationManager am = null;
try
{
- am = (AuthorizationManager)getSecurityContext().lookup("authorizationMgr");
+ am = (AuthorizationManager)getSecurityNamingContext().lookup("authorizationMgr");
}
catch (Exception e)
{
@@ -777,7 +777,7 @@
return am;
}
- private Context getSecurityContext()
+ private Context getSecurityNamingContext()
{
Context securityCtx = null;
// Get the JBoss security manager from the ENC context
@@ -884,7 +884,7 @@
}
private void audit(String level,
- Map contextMap, Exception e)
+ Map<String,Object> contextMap, Exception e)
{
String requestInfo = "";
try
@@ -899,18 +899,23 @@
log.trace("Error obtaining the servlet request:", pe);
}
contextMap.put("Source", getClass().getName());
- SecurityContext sc = SecurityAssociationActions.getSecurityContext(securityDomain);
- AuditContext ac = sc != null ? sc.getAuditContext():
- AuditManager.getAuditContext(securityDomain);
AuditEvent ae = new AuditEvent(level);
ae.setContextMap(contextMap);
ae.setUnderlyingException(e);
- ac.audit(ae);
+
+ SecurityContext sc = SecurityAssociationActions.getSecurityContext(securityDomain);
+ if(sc != null)
+ {
+ SecurityAuditManager sam = sc.getAuditManager();
+ sam.audit(ae);
+ }
+ else
+ AuditManager.getAuditContext(securityDomain).audit(ae);
}
private void successAudit(Principal callerPrincipal, Principal principal)
{
- Map cmap = new HashMap();
+ Map<String,Object> cmap = new HashMap<String,Object>();
cmap.put("principal", principal);
cmap.put("CallerPrincipal", callerPrincipal);
audit(AuditLevel.SUCCESS,cmap,null);
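Review bot: `sam.audit(ae)` dereferences the result of `sc.getAuditManager()` without a null check, while the removed code only fell back to `AuditManager.getAuditContext(securityDomain)` when the whole security context was absent; whether getAuditManager() can return null is not visible here, but if it does, the failure and error audits that funnel through this method would throw instead of being recorded. A fallback that covers both cases keeps the audit trail intact: `SecurityAuditManager sam = sc != null ? sc.getAuditManager() : null;` followed by `if (sam != null) sam.audit(ae); else AuditManager.getAuditContext(securityDomain).audit(ae);`. The `else` branch is also left unbraced next to a braced `if`; brace both for consistency with the rest of the file.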
@@ -918,14 +923,14 @@
private void failureAudit(Principal principal)
{
- Map cmap = new HashMap();
+ Map<String,Object> cmap = new HashMap<String,Object>();
cmap.put("principal", principal);
audit(AuditLevel.FAILURE,cmap,null);
}
private void errorAudit(Principal principal, Exception e)
{
- Map cmap = new HashMap();
+ Map<String,Object> cmap = new HashMap<String,Object>();
cmap.put("principal", principal);
audit(AuditLevel.ERROR,cmap,e);
}
@@ -934,7 +939,7 @@
{
if(!enableAudit)
return;
- Map cmap = new HashMap();
+ Map<String,Object> cmap = new HashMap<String,Object>();
cmap.putAll(resource.getMap());
audit(level,cmap,null);
}
@@ -943,13 +948,7 @@
private void establishSecurityContext(String domain, Principal p, Object cred,
Subject subject)
{
- JBossSecurityContext jsc = new JBossSecurityContext(domain);
- SubjectInfo si = jsc.new SubjectInfo();
- si.setAuthenticatedSubject(subject);
- si.setAuthenticationCredential(cred);
- si.setAuthenticationPrincipal(p);
- jsc.setSubjectInfo(si);
- SecurityAssociationActions.setSecurityContext(jsc, domain);
+ SecurityContextAssociation.setSecurityContext(SecurityContextFactory.createSecurityContext(p,cred,subject,domain));
if(trace)
log.trace("Established Security Context for " + domain);
}
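Review bot: `SecurityContextAssociation.setSecurityContext(...)` is now called directly, whereas the removed line routed the push through `SecurityAssociationActions`, whose actions (see `SetPrincipalInfoAction.run()` in the second file of this commit) appear to be privileged-action wrappers; if the association class performs a permission check, the push will fail for unprivileged callers once a SecurityManager is installed. The same direct call appears in SecurityAssociationValve.invoke, in the hunk ending with `SecurityAssociationActions.popRunAsIdentity();`. Consider adding a privileged wrapper for setSecurityContext to SecurityAssociationActions and calling it from both places. The new line also exceeds the file's line width; bind the factory result to a local `SecurityContext sc = SecurityContextFactory.createSecurityContext(p, cred, subject, domain);` first.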
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java 2007-04-11 16:31:17 UTC (rev 62259)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationActions.java 2007-04-11 16:32:33 UTC (rev 62260)
@@ -48,16 +48,18 @@
Principal principal;
Object credential;
Subject subject;
+ String securityDomain;
+
SetPrincipalInfoAction(Principal principal, Object credential, Subject subject)
{
this.principal = principal;
this.credential = credential;
- this.subject = subject;
+ this.subject = subject;
}
public Object run()
{
- SecurityAssociation.pushSubjectContext(subject, principal, credential);
+ SecurityAssociation.pushSubjectContext(subject, principal, credential);
credential = null;
principal = null;
subject = null;
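Review bot: The new `securityDomain` field on SetPrincipalInfoAction is never assigned — the constructor signature and body are unchanged — and is not read in run(), so it is dead state. If it is meant to travel with the principal info, add it as a constructor parameter and clear it alongside `credential`, `principal` and `subject` in run(); otherwise remove it. The remaining changed lines in this hunk are whitespace only. The class continues past the end of the hunk.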
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationValve.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationValve.java 2007-04-11 16:31:17 UTC (rev 62259)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationValve.java 2007-04-11 16:32:33 UTC (rev 62260)
@@ -39,7 +39,11 @@
import org.jboss.metadata.WebMetaData;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RunAsIdentity;
+import org.jboss.security.SecurityConstants;
+import org.jboss.security.SecurityContext;
import org.jboss.security.plugins.JaasSecurityManagerServiceMBean;
+import org.jboss.security.plugins.SecurityContextAssociation;
+import org.jboss.security.plugins.SecurityContextFactory;
/**
* A Valve that sets/clears the SecurityAssociation information associated with
@@ -47,6 +51,7 @@
*
* @author Scott.Stark at jboss.org
* @author Thomas.Diesler at jboss.org
+ * @author Anil.Saldhana at jboss.org
* @version $Revision$
*/
public class SecurityAssociationValve extends ValveBase
@@ -63,6 +68,9 @@
/** The service used to flush authentication cache on session invalidation. */
private JaasSecurityManagerServiceMBean secMgrService;
private boolean trace;
+
+ /**No push of security context happens for non-sso case. The realm handles it.*/
+ private boolean ssoCase = false;
public SecurityAssociationValve(WebMetaData metaData,
JaasSecurityManagerServiceMBean secMgrService)
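Review bot: `ssoCase` is an instance field on a valve that serves every request through the pipeline, but it is set per request (`this.ssoCase = true;` in the cache-hit branch of invoke, in the hunk ending `request.getRequest().setAttribute(subjectAttributeName, subject);`) and never reset, so the first SSO cache hit flips it for all later and concurrent requests, which then skip `SecurityContextAssociation.setSecurityContext(sc);` in the hunk after that. Make it a local of invoke(), `boolean ssoCase = false;` declared beside `Session session = null;`, and drop the field. The field's comment also states the opposite of what the code does — the push happens for the non-SSO case — so either the comment or the `!ssoCase` condition is wrong; in the SSO branch the context that received the subject info and the run-as identity is never associated with the thread, which looks like an inverted condition rather than a wrong comment. invoke() begins and ends outside these hunks.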
@@ -88,8 +96,7 @@
throws IOException, ServletException
{
Session session = null;
- // Get the request caller which could be set due to SSO
- //Principal caller = request.getUserPrincipal();
+ // Get the request caller which could be set due to SSO
Principal caller = request.getPrincipal();
// The cached web container principal
JBossGenericPrincipal principal = null;
@@ -101,6 +108,8 @@
activeWebMetaData.set(metaData);
try
{
+ //Create a Security Context
+ SecurityContext sc = SecurityContextFactory.createSecurityContext(metaData.getSecurityDomain());
try
{
Wrapper servlet = request.getWrapper();
@@ -114,6 +123,7 @@
log.trace(name + ", runAs: " + identity);
}
SecurityAssociationActions.pushRunAsIdentity(identity);
+ sc.getUtil().set(sc,SecurityConstants.RUNAS_IDENTITY_IDENTIFIER, identity);
}
userPrincipal.set(caller);
@@ -152,15 +162,20 @@
log.trace("Restoring principal info from cache");
SecurityAssociationActions.setPrincipalInfo(principal.getAuthPrincipal(),
principal.getCredentials(), principal.getSubject());
+ //Create a subject info
+ sc.setSubjectInfo(SecurityContextFactory.createSubjectInfo(principal.getAuthPrincipal(),
+ principal.getCredentials(), principal.getSubject()));
+ this.ssoCase = true;
+
}
// Put the authenticated subject in the session if requested
if (subjectAttributeName != null)
{
- javax.naming.Context securityCtx = getSecurityContext();
- if (securityCtx != null)
+ javax.naming.Context securityNamingCtx = getSecurityNamingContext();
+ if (securityNamingCtx != null)
{
// Get the JBoss security manager from the ENC context
- AuthenticationManager securityMgr = (AuthenticationManager) securityCtx.lookup("securityMgr");
+ AuthenticationManager securityMgr = (AuthenticationManager) securityNamingCtx.lookup("securityMgr");
Subject subject = securityMgr.getActiveSubject();
request.getRequest().setAttribute(subjectAttributeName, subject);
}
@@ -170,6 +185,9 @@
{
log.debug("Failed to determine servlet", e);
}
+
+ if(!ssoCase)
+ SecurityContextAssociation.setSecurityContext(sc);
// Perform the request
getNext().invoke(request, response);
SecurityAssociationActions.popRunAsIdentity();
@@ -206,11 +224,11 @@
if( trace )
log.trace("End invoke, caller"+caller);
activeWebMetaData.set(null);
- userPrincipal.set(null);
+ userPrincipal.set(null);
}
}
- private javax.naming.Context getSecurityContext()
+ private javax.naming.Context getSecurityNamingContext()
{
javax.naming.Context securityCtx = null;
// Get the JBoss security manager from the ENC context
Modified: trunk/tomcat/src/main/org/jboss/web/tomcat/security/authorization/WebResource.java
===================================================================
--- trunk/tomcat/src/main/org/jboss/web/tomcat/security/authorization/WebResource.java 2007-04-11 16:31:17 UTC (rev 62259)
+++ trunk/tomcat/src/main/org/jboss/web/tomcat/security/authorization/WebResource.java 2007-04-11 16:32:33 UTC (rev 62260)
@@ -25,6 +25,7 @@
import java.util.Map;
import org.jboss.security.authorization.Resource;
+import org.jboss.security.authorization.ResourceType;
//$Id$
@@ -59,9 +60,9 @@
/**
* @see Resource#getLayer()
*/
- public String getLayer()
+ public ResourceType getLayer()
{
- return Resource.WEB;
+ return ResourceType.WEB;
}
/**