[jboss-cvs] JBossAS SVN: r62560 - in trunk/server/src/main/org/jboss: proxy and 1 other directory.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Wed Apr 25 11:12:07 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-04-25 11:12:07 -0400 (Wed, 25 Apr 2007)
New Revision: 62560
Modified:
trunk/server/src/main/org/jboss/jmx/connector/invoker/AuthenticationInterceptor.java
trunk/server/src/main/org/jboss/jmx/connector/invoker/InvokerAdaptorService.java
trunk/server/src/main/org/jboss/jmx/connector/invoker/SecurityActions.java
trunk/server/src/main/org/jboss/proxy/SecurityActions.java
trunk/server/src/main/org/jboss/proxy/SecurityInterceptor.java
Log:
JBAS-4317: security context over the invocation
Modified: trunk/server/src/main/org/jboss/jmx/connector/invoker/AuthenticationInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/jmx/connector/invoker/AuthenticationInterceptor.java 2007-04-25 15:11:19 UTC (rev 62559)
+++ trunk/server/src/main/org/jboss/jmx/connector/invoker/AuthenticationInterceptor.java 2007-04-25 15:12:07 UTC (rev 62560)
@@ -28,9 +28,9 @@
import org.jboss.mx.server.Invocation;
import org.jboss.mx.interceptor.AbstractInterceptor;
import org.jboss.mx.interceptor.Interceptor;
-import org.jboss.security.SubjectSecurityManager;
-import org.jboss.security.SubjectInfo;
-import org.jboss.security.plugins.JBossSecurityContext;
+import org.jboss.security.SecurityConstants;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SubjectSecurityManager;
/** A security interceptor that requires an authorized user for invoke(Invocation)
@@ -93,11 +93,13 @@
throw new SecurityException(msg);
}
+ String securityDomain = SecurityConstants.DEFAULT_APPLICATION_POLICY;
+ if(securityMgr != null)
+ securityDomain = securityMgr.getSecurityDomain();
+ SecurityContext sc = SecurityActions.createSecurityContext(securityDomain);
+ SecurityActions.setSecurityContext(sc);
// Push the caller security context
- SecurityActions.pushSubjectContext(caller, credential, subject);
- //Establish the Security Context
- establishSecurityContext(securityMgr.getSecurityDomain(), caller,
- credential, subject);
+ SecurityActions.pushSubjectContext(caller, credential, subject);
}
}
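Review bot: The SecurityContext installed by `SecurityActions.setSecurityContext(sc)` here is never removed on the return path. The finally block visible in the next hunk (@@ -112) only calls `popSubjectContext()`, and only when `subject != null`. InvokerAdaptorService in this same commit pairs its set with `SecurityActions.clearSecurityContext();` in its finally; this interceptor should do the same so the association does not outlive the invocation on a reused thread (it looks thread-bound, but SecurityContextAssociation is not shown here). Separately, the removed code dereferenced `securityMgr` unguarded, while the new code silently falls back to `SecurityConstants.DEFAULT_APPLICATION_POLICY` when it is null, so a comment saying why that default is acceptable would help. The enclosing method starts and ends outside the hunk.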
@@ -112,17 +114,5 @@
if( subject != null )
SecurityActions.popSubjectContext();
}
- }
- // Security Context
- private void establishSecurityContext(String domain, Principal p, Object cred,
- Subject subject)
- {
- JBossSecurityContext jsc = new JBossSecurityContext(domain);
- SubjectInfo si = new SubjectInfo();
- si.setAuthenticatedSubject(subject);
- si.setAuthenticationCredential(cred);
- si.setAuthenticationPrincipal(p);
- jsc.setSubjectInfo(si);
- SecurityActions.setSecurityContext(jsc, domain);
- }
+ }
}
Modified: trunk/server/src/main/org/jboss/jmx/connector/invoker/InvokerAdaptorService.java
===================================================================
--- trunk/server/src/main/org/jboss/jmx/connector/invoker/InvokerAdaptorService.java 2007-04-25 15:11:19 UTC (rev 62559)
+++ trunk/server/src/main/org/jboss/jmx/connector/invoker/InvokerAdaptorService.java 2007-04-25 15:12:07 UTC (rev 62560)
@@ -43,6 +43,8 @@
import org.jboss.jmx.adaptor.rmi.RMINotificationListener;
import org.jboss.jmx.connector.invoker.client.InvokerAdaptorException;
import org.jboss.mx.server.ServerConstants;
+import org.jboss.security.SecurityConstants;
+import org.jboss.security.SecurityContext;
import org.jboss.system.Registry;
import org.jboss.system.ServiceMBeanSupport;
@@ -236,6 +238,8 @@
Principal principal = invocation.getPrincipal();
Object credential = invocation.getCredential();
Object value = null;
+ SecurityContext sc = SecurityActions.createSecurityContext(SecurityConstants.DEFAULT_APPLICATION_POLICY);
+ SecurityActions.setSecurityContext(sc);
// Associate the method
SecurityActions.pushSubjectContext(principal, credential, null);
@@ -280,7 +284,8 @@
finally
{
// Restore the input security context
- SecurityActions.popSubjectContext();
+ SecurityActions.popSubjectContext();
+ SecurityActions.clearSecurityContext();
// Restore the input class loader
if (newCL != null && newCL != oldCL)
SecurityActions.setContextClassLoader(oldCL);
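Review bot: The comment says "Restore the input security context", but the new `SecurityActions.clearSecurityContext()` discards the association instead of restoring what was there before the set added in the @@ -236 hunk. If this path can run on a thread that already carries a context (an in-VM caller, for instance), that caller's context is gone after the call. SecurityInterceptor in this commit saves and restores; the equivalent here would be `SecurityContext prev = SecurityActions.getSecurityContext();` before the set, and `if (prev != null) SecurityActions.setSecurityContext(prev); else SecurityActions.clearSecurityContext();` in the finally. The try block begins outside the hunk.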
Modified: trunk/server/src/main/org/jboss/jmx/connector/invoker/SecurityActions.java
===================================================================
--- trunk/server/src/main/org/jboss/jmx/connector/invoker/SecurityActions.java 2007-04-25 15:11:19 UTC (rev 62559)
+++ trunk/server/src/main/org/jboss/jmx/connector/invoker/SecurityActions.java 2007-04-25 15:12:07 UTC (rev 62560)
@@ -31,10 +31,13 @@
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SecurityConstants;
import org.jboss.security.SecurityContext;
+import org.jboss.security.plugins.SecurityContextAssociation;
+import org.jboss.security.plugins.SecurityContextFactory;
/** Common PrivilegedAction used by classes in this package.
*
* @author Scott.Stark at jboss.org
+ * @author Anil.Saldhana at redhat.com
* @version $Revison:$
*/
class SecurityActions
@@ -83,7 +86,8 @@
{
public Object run()
{
- SecurityAssociation.pushSubjectContext(subject, principal, credential);
+ //SecurityAssociation.pushSubjectContext(subject, principal, credential);
+ getSecurityContext().getUtil().createSubjectInfo(principal, credential, subject);
return null;
}
}
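Review bot: This push dereferences `getSecurityContext()` unguarded, while the matching pop in the next hunk treats the same call as nullable and checks `sc != null`. A push with no context associated would then fail with a NullPointerException from inside the privileged action rather than a clear error. I would make the precondition explicit with `SecurityContext sc = getSecurityContext(); if (sc == null) throw new IllegalStateException("No SecurityContext associated with the caller");`, and apply the same to the non-privileged `push` in the @@ -108 hunk. The commented-out `SecurityAssociation` call can be dropped, since the history is in version control.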
@@ -96,7 +100,12 @@
{
public Object run()
{
- SecurityAssociation.popSubjectContext();
+ //SecurityAssociation.popSubjectContext();
+ SecurityContext sc = getSecurityContext();
+ if(sc != null)
+ {
+ sc.getUtil().createSubjectInfo(null, null, null);
+ }
return null;
}
}
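Review bot: This is no longer a pop: `createSubjectInfo(null, null, null)` overwrites the subject info on the current context rather than restoring the identity that was active before the push, assuming createSubjectInfo replaces rather than stacks (its body is not shown). Nested push/pop pairs would then leave the outer caller with no identity after the inner pop, where the removed `SecurityAssociation.popSubjectContext()` presumably restored it. If that is intended, say so in a comment such as `// Clears the subject info on the current context; does not restore a previously pushed identity`. The same applies to `pop()` in the @@ -108 hunk.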
@@ -108,11 +117,17 @@
{
public void push(Principal principal, Object credential, Subject subject)
{
- SecurityAssociation.pushSubjectContext(subject, principal, credential);
+ //SecurityAssociation.pushSubjectContext(subject, principal, credential);
+ getSecurityContext().getUtil().createSubjectInfo(principal, credential, subject);
}
public void pop()
{
- SecurityAssociation.popSubjectContext();
+ //SecurityAssociation.popSubjectContext();
+ SecurityContext sc = getSecurityContext();
+ if(sc != null)
+ {
+ sc.getUtil().createSubjectInfo(null, null, null);
+ }
}
};
@@ -123,24 +138,15 @@
static class SetSecurityContextAction implements PrivilegedAction
{
private SecurityContext securityContext;
- private String securityDomain;
- SetSecurityContextAction(SecurityContext sc, String sd)
+
+ SetSecurityContextAction(SecurityContext sc)
{
- this.securityContext = sc;
- this.securityDomain = sd;
+ this.securityContext = sc;
}
public Object run()
{
- String sc = SecurityConstants.SECURITY_CONTEXT;
- HashMap map = (HashMap)SecurityAssociation.getContextInfo(sc);
- if(map == null)
- {
- map = new HashMap();
- SecurityAssociation.setContextInfo(sc, map);
- }
- map.put(securityDomain, securityContext);
- SecurityAssociation.setContextInfo(sc, map);
+ SecurityContextAssociation.setSecurityContext(securityContext);
return null;
}
}
@@ -184,9 +190,44 @@
PrincipalInfoAction.PRIVILEGED.pop();
}
}
- static void setSecurityContext(SecurityContext sc, String securityDomain)
+
+ static SecurityContext createSecurityContext(final String domain)
{
- SetSecurityContextAction action = new SetSecurityContextAction(sc,securityDomain);
+ return (SecurityContext)AccessController.doPrivileged( new PrivilegedAction()
+ {
+
+ public Object run()
+ {
+ return SecurityContextFactory.createSecurityContext(domain);
+ }});
+ }
+
+ static SecurityContext getSecurityContext()
+ {
+ return (SecurityContext)AccessController.doPrivileged( new PrivilegedAction()
+ {
+
+ public Object run()
+ {
+ return SecurityContextAssociation.getSecurityContext();
+ }});
+ }
+
+
+ static void clearSecurityContext()
+ {
+ AccessController.doPrivileged(new PrivilegedAction(){
+
+ public Object run()
+ {
+ SecurityContextAssociation.clearSecurityContext();
+ return null;
+ }});
+ }
+
+ static void setSecurityContext(SecurityContext sc)
+ {
+ SetSecurityContextAction action = new SetSecurityContextAction(sc);
AccessController.doPrivileged(action);
}
}
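Review bot: The new helpers have no Javadoc, and two of their contracts matter to every caller. `getSecurityContext()` apparently returns null when nothing is associated (the pop actions check for it, the push actions do not), which should be stated as `/** Returns the SecurityContext associated with the caller, or null if none is set. */`. Each helper also runs the association call under `AccessController.doPrivileged`, so it executes with this class's permissions regardless of the caller's; a class-level comment such as `// Keep these package-private: they bypass the caller's permission checks` would stop someone from widening them later. `createSecurityContext` and `clearSecurityContext` deserve a one-line summary each as well.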
Modified: trunk/server/src/main/org/jboss/proxy/SecurityActions.java
===================================================================
--- trunk/server/src/main/org/jboss/proxy/SecurityActions.java 2007-04-25 15:11:19 UTC (rev 62559)
+++ trunk/server/src/main/org/jboss/proxy/SecurityActions.java 2007-04-25 15:12:07 UTC (rev 62560)
@@ -19,17 +19,15 @@
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
-package org.jboss.proxy;
+package org.jboss.proxy;
-import static org.jboss.security.SecurityConstants.RUNAS_IDENTITY_IDENTIFIER;
-
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
-import org.jboss.security.RunAsIdentity;
-import org.jboss.security.SecurityAssociation;
+import org.jboss.security.RunAs;
import org.jboss.security.SecurityContext;
+import org.jboss.security.SubjectInfo;
import org.jboss.security.plugins.SecurityContextAssociation;
import org.jboss.security.plugins.SecurityContextFactory;
@@ -55,22 +53,37 @@
{
public Principal getPrincipal()
{
- return SecurityAssociation.getPrincipal();
+ //return SecurityAssociation.getPrincipal();
+ Principal p = null;
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ if(sc != null)
+ {
+ p = sc.getUtil().getUserPrincipal();
+ }
+ return p;
}
public Object getCredential()
{
- return SecurityAssociation.getCredential();
+ //return SecurityAssociation.getCredential();
+ Object cred = null;
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ if(sc != null)
+ {
+ SubjectInfo si = sc.getSubjectInfo();
+ cred = si != null ? si.getAuthenticationCredential() : null;
+ }
+ return cred;
}
- public RunAsIdentity getCallerRunAsIdentity()
+ public RunAs getCallerRunAsIdentity()
{
- RunAsIdentity rai = null;
+ RunAs rai = null;
//Pluck the run-as identity from the existing SC if any
SecurityContext existingSC = getSecurityContext();
if(existingSC != null)
{
- rai = existingSC.getUtil().get(existingSC, RUNAS_IDENTITY_IDENTIFIER);
+ rai = existingSC.getRunAs();
}
return rai;
}
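Review bot: `getPrincipal()` and `getCredential()` now return null whenever no SecurityContext is associated, with no fallback to SecurityAssociation. Client code that still establishes its identity through SecurityAssociation alone would, as far as this hunk shows, send invocations with no principal or credential, and the problem would surface later as an authentication failure rather than here. If dropping the fallback is intended, replace the commented-out `//return SecurityAssociation.getPrincipal();` lines with a comment that says so, e.g. `// Identity is read only from the SecurityContext; SecurityAssociation is no longer consulted`. The same applies to the privileged variants in the @@ -98 and @@ -106 hunks.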
@@ -98,7 +111,14 @@
{
public Object run()
{
- return SecurityAssociation.getPrincipal();
+ //return SecurityAssociation.getPrincipal();
+ Principal p = null;
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ if(sc != null)
+ {
+ p = sc.getUtil().getUserPrincipal();
+ }
+ return p;
}
};
@@ -106,7 +126,15 @@
{
public Object run()
{
- return SecurityAssociation.getCredential();
+ //return SecurityAssociation.getCredential();
+ Object cred = null;
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ if(sc != null)
+ {
+ SubjectInfo si = sc.getSubjectInfo();
+ cred = si.getAuthenticationCredential();
+ }
+ return cred;
}
};
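Review bot: `si.getAuthenticationCredential()` is called without checking `si`, whereas the non-privileged `getCredential()` in the @@ -55 hunk guards the same call with `si != null ? ... : null`. A context that has no SubjectInfo yet would throw a NullPointerException here but return null there. Use the same guard in both: `cred = si != null ? si.getAuthenticationCredential() : null;`.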
@@ -128,18 +156,18 @@
return AccessController.doPrivileged(getCredentialAction);
}
- public RunAsIdentity getCallerRunAsIdentity()
+ public RunAs getCallerRunAsIdentity()
{
- return (RunAsIdentity)AccessController.doPrivileged(new PrivilegedAction(){
+ return (RunAs)AccessController.doPrivileged(new PrivilegedAction(){
public Object run()
{
- RunAsIdentity rai = null;
+ RunAs rai = null;
//Pluck the run-as identity from the existing SC if any
SecurityContext existingSC = getSecurityContext();
if(existingSC != null)
{
- rai = existingSC.getUtil().get(existingSC, RUNAS_IDENTITY_IDENTIFIER);
+ rai = existingSC.getRunAs();
}
return rai;
}});
@@ -180,7 +208,7 @@
Object getCredential();
- RunAsIdentity getCallerRunAsIdentity();
+ RunAs getCallerRunAsIdentity();
SecurityContext createSecurityContext( Principal p, Object cred,
String sdomain);
Modified: trunk/server/src/main/org/jboss/proxy/SecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/proxy/SecurityInterceptor.java 2007-04-25 15:11:19 UTC (rev 62559)
+++ trunk/server/src/main/org/jboss/proxy/SecurityInterceptor.java 2007-04-25 15:12:07 UTC (rev 62560)
@@ -23,13 +23,10 @@
import java.security.Principal;
-import org.jboss.invocation.Invocation;
-import org.jboss.invocation.InvocationKey;
-import org.jboss.security.RunAsIdentity;
-import org.jboss.security.SecurityContext;
+import org.jboss.invocation.Invocation;
+import org.jboss.security.RunAs;
+import org.jboss.security.SecurityContext;
-import static org.jboss.security.SecurityConstants.RUNAS_IDENTITY_IDENTIFIER;
-
/**
* The client-side proxy for an EJB Home object.
*
@@ -70,28 +67,28 @@
invocation.setCredential(credential);
}
- RunAsIdentity callerRAI = sa.getCallerRunAsIdentity();
+ SecurityContext sc = sa.getSecurityContext();
+ RunAs callerRAI = sa.getCallerRunAsIdentity();
SecurityContext newSc = createSecurityContext(invocation);
//Push the caller run-as identity onto the security context
if(callerRAI != null)
{
- newSc.getUtil().set(newSc, RUNAS_IDENTITY_IDENTIFIER, callerRAI);
+ newSc.setRunAs(callerRAI);
+ newSc.getUtil().setCallerRunAs(callerRAI);
}
/**
* Push the security context on the invocation
*/
- invocation.getAsIsPayload().put(InvocationKey.SECURITY_CONTEXT, newSc);
+ invocation.setSecurityContext(newSc);
try
{
return getNext().invoke(invocation);
}
finally
- {
- //Set the cached original RAI on the return path
- SecurityContext existingSC = sa.getSecurityContext();
- if(existingSC != null)
- existingSC.getUtil().set(existingSC, RUNAS_IDENTITY_IDENTIFIER, callerRAI);
+ {
+ if(sc != null)
+ sa.setSecurityContext(sc);
}
}
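Review bot: The finally block restores the saved context only when `sc != null`, so an invocation that started with no context leaves in place whatever was associated while it ran. `createSecurityContext(invocation)` is defined outside the hunk, so I can't tell whether it associates `newSc` with the thread. If it does, the null case needs to clear the association rather than do nothing; the jmx SecurityActions in this commit wraps `SecurityContextAssociation.clearSecurityContext()` for that purpose. The block also lost its only explanatory comment, so I would add one such as `// Restore the caller's security context on the return path` and rename `sc` to `callerSc`.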