[jboss-cvs] JBossAS SVN: r64562 - in trunk/server/src: resources/schema and 1 other directory.
Mon Aug 13 15:22:57 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-08-13 15:22:56 -0400 (Mon, 13 Aug 2007)
New Revision: 64562
Modified:
trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
trunk/server/src/resources/schema/security-config_5_0.xsd
Log:
Identity trust framework changes
Modified: trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2007-08-13 19:22:22 UTC (rev 64561)
+++ trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2007-08-13 19:22:56 UTC (rev 64562)
@@ -39,6 +39,7 @@
import org.jboss.security.SecurityUtil;
import org.jboss.security.audit.AuditEvent;
import org.jboss.security.audit.AuditLevel;
+import org.jboss.security.identitytrust.IdentityTrustManager.TrustDecision;
import org.jboss.security.integration.ejb.EJBAuthorizationHelper;
import org.jboss.system.Registry;
@@ -204,8 +205,8 @@
}
finally
{
- SecurityActions.popRunAsIdentity();
- SecurityActions.popSubjectContext();
+ SecurityActions.popRunAsIdentity();
+ SecurityActions.popSubjectContext();
}
}
@@ -239,8 +240,8 @@
}
finally
{
- SecurityActions.popRunAsIdentity();
- SecurityActions.popSubjectContext();
+ SecurityActions.popRunAsIdentity();
+ SecurityActions.popSubjectContext();
}
}
@@ -257,13 +258,26 @@
SecurityContext callerSC = inv.getSecurityContext();
if(callerSC != null)
{
+ //Trust In-VM RunAsIdentity
+ if(callerSC.getIncomingRunAs() instanceof RunAsIdentity
+ && !inv.isInterVM())
+ return true;
+
+ //Add additional data on the security context for use
+ callerSC.getData().put("INVOCATION_SECURE", inv.isSecure());
+ callerSC.getData().put("INVOCATION_INTERVM", inv.isInterVM());
+ TrustDecision td = callerSC.getIdentityTrustManager().isTrusted();
+ if(td == TrustDecision.Deny)
+ throw new SecurityException("Caller not trusted");
+ trusted = td == TrustDecision.Permit;
+ /**
//authenticate the current principal
RunAs callerRunAsIdentity = callerSC.getOutgoingRunAs();
if(callerRunAsIdentity != null)
{
//Either has to be a in-vm call or the invocation has to be secure
trusted = !inv.isInterVM() || inv.isSecure();
- }
+ }**/
}
return trusted;
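Review bot: `callerSC.getIdentityTrustManager()` is dereferenced without a null check before `isTrusted()`; if a security domain has no identity-trust configured this presumably returns null, so the invocation would fail with a NullPointerException instead of an explicit trust decision. Consider `IdentityTrustManager itm = callerSC.getIdentityTrustManager(); if(itm == null) return trusted;` before the lookup (or throw a SecurityException with a clear message if a missing trust manager should be fail-closed), and document which one is intended. The keys `"INVOCATION_SECURE"` and `"INVOCATION_INTERVM"` are magic strings that trust modules must match exactly — define them as shared constants on the trust contract — and since they are written into the caller's context data map and never removed, confirm whether that map is per-invocation or the entries persist across calls. The superseded run-as check is left behind as a `/** ... **/` block; delete it rather than keep dead code, and the early `return true` for an in-VM RunAsIdentity bypasses the trust manager entirely, which deserves a sentence in the method's Javadoc. The enclosing method starts and ends outside the hunk.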
@@ -384,8 +398,6 @@
return callerRAI;
}
-
-
//******************************************************
// Audit Methods
//******************************************************
@@ -394,8 +406,7 @@
{
contextMap.put("Source", getClass().getName());
AuditEvent ae = new AuditEvent(level,contextMap,e);
-
- String secDomain = securityManager.getSecurityDomain();
+
SecurityContext sc = SecurityActions.getSecurityContext();
if(sc != null)
{
Modified: trunk/server/src/resources/schema/security-config_5_0.xsd
===================================================================
--- trunk/server/src/resources/schema/security-config_5_0.xsd 2007-08-13 19:22:22 UTC (rev 64561)
+++ trunk/server/src/resources/schema/security-config_5_0.xsd 2007-08-13 19:22:56 UTC (rev 64562)
@@ -1,12 +1,11 @@
-<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id$ -->
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:jbsx="urn:jboss:security-config:5.0"
- xmlns:jbxb="http://www.jboss.org/xml/ns/jbxb"
+ xmlns:jbxb="http://www.jboss.org/xml/ns/jbxb"
+ xmlns="urn:jboss:security-config:5.0"
targetNamespace="urn:jboss:security-config:5.0"
elementFormDefault="qualified">
-
- <xsd:annotation>
+ <xsd:annotation>
<xsd:appinfo>
<jbxb:schemaBindings>
<jbxb:package name="org.jboss.security.config"/>
@@ -15,35 +14,29 @@
</jbxb:schemaBindings>
</xsd:appinfo>
</xsd:annotation>
-
-
<xsd:element name="policy" type="jbsx:PolicyConfig"/>
<xsd:complexType name="PolicyConfig">
-
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:class
- impl="org.jboss.security.config.PolicyConfig"/>
- </xsd:appinfo>
- </xsd:annotation>
-
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:class impl="org.jboss.security.config.PolicyConfig"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:application-policy" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
-
<xsd:element name="application-policy">
<xsd:complexType>
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:class impl="org.jboss.security.config.ApplicationPolicyContainer"/>
- <jbxb:addMethod name="add" valueType="org.jboss.security.config.ApplicationPolicy"/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:class impl="org.jboss.security.config.ApplicationPolicyContainer"/>
+ <jbxb:addMethod name="add" valueType="org.jboss.security.config.ApplicationPolicy"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:choice>
- <xsd:element ref="jbsx:authentication"/>
- <xsd:element ref="jbsx:authentication-jaspi"/>
+ <xsd:element ref="jbsx:authentication" minOccurs="0"/>
+ <xsd:element ref="jbsx:authentication-jaspi" minOccurs="0"/>
</xsd:choice>
<xsd:element ref="jbsx:authorization" minOccurs="0"/>
<xsd:element ref="jbsx:rolemapping" minOccurs="0"/>
@@ -53,213 +46,297 @@
<xsd:attribute name="name" type="xsd:string" use="required"/>
</xsd:complexType>
</xsd:element>
-
<xsd:element name="authentication" type="jbsx:authenticationInfo"/>
<xsd:element name="authentication-jaspi" type="jbsx:authenticationJaspiInfo"/>
- <xsd:element name="authorization" type="jbsx:authorizationInfo" />
+ <xsd:element name="authorization" type="jbsx:authorizationInfo"/>
<xsd:element name="rolemapping" type="jbsx:roleMappingInfo"/>
<xsd:element name="audit" type="jbsx:auditInfo"/>
<xsd:element name="identity-trust" type="jbsx:identityTrustInfo"/>
-
-
<xsd:complexType name="authenticationInfo">
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:skip/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:skip/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:login-module" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
-
<xsd:complexType name="authenticationJaspiInfo">
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:skip/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:skip/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:login-module-stack" maxOccurs="unbounded"/>
<xsd:element ref="jbsx:auth-module" maxOccurs="unbounded"/>
</xsd:sequence>
</xsd:complexType>
-
<xsd:complexType name="authorizationInfo">
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:skip/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:skip/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:policy-module"/>
</xsd:sequence>
</xsd:complexType>
-
<xsd:complexType name="roleMappingInfo">
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:class impl="org.jboss.security.mapping.config.RoleMappingConfigContainer"/>
- <jbxb:addMethod name="addMappingInfo"/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:class impl="org.jboss.security.mapping.config.RoleMappingConfigContainer"/>
+ <jbxb:addMethod name="addMappingInfo"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:mapping-module"/>
</xsd:sequence>
</xsd:complexType>
-
<xsd:complexType name="auditInfo">
<xsd:sequence>
<xsd:element ref="jbsx:provider-module"/>
</xsd:sequence>
</xsd:complexType>
-
<xsd:complexType name="identityTrustInfo">
<xsd:sequence>
<xsd:element ref="jbsx:trust-module"/>
</xsd:sequence>
</xsd:complexType>
-
+
<xsd:element name="login-module" type="jbsx:loginModuleInfo"/>
<xsd:complexType name="loginModuleInfo">
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:class
- impl="org.jboss.security.auth.login.AppConfigurationEntryHolder"/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:class impl="org.jboss.security.auth.login.AppConfigurationEntryHolder"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:module-option" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="code" type="xsd:string" use="required"/>
<xsd:attribute name="flag" use="required">
- <xsd:simpleType>
- <xsd:restriction base="xsd:string">
- <xsd:enumeration value="required"/>
- <xsd:enumeration value="requisite"/>
- <xsd:enumeration value="sufficient"/>
- <xsd:enumeration value="optional"/>
- </xsd:restriction>
- </xsd:simpleType>
+ <xsd:annotation>
+ <xsd:documentation>The flag attribute controls how a login module
+ participates in the overall authentication proceedure.
+ Required - The LoginModule is required to succeed. If it
+ succeeds or fails, authentication still continues to proceed
+ down the LoginModule list.
+
+ Requisite - The LoginModule is required to succeed. If it succeeds,
+ authentication continues down the LoginModule list. If it fails,
+ control immediately returns to the application (authentication does not proceed
+ down the LoginModule list).
+
+ Sufficient - The LoginModule is not required to succeed. If it does
+ succeed, control immediately returns to the application (authentication
+ does not proceed down the LoginModule list). If it fails,
+ authentication continues down the LoginModule list.
+
+ Optional - The LoginModule is not required to succeed. If it succeeds or
+ fails, authentication still continues to proceed down the
+ LoginModule list.
+
+ The overall authentication succeeds only if
+ all required and requisite LoginModules succeed. If a
+ sufficient LoginModule is configured and succeeds, then only
+ the required and requisite LoginModules prior to that
+ sufficient LoginModule need to have succeeded for the overall
+ authentication to succeed. If no required or requisite
+ LoginModules are configured for an application, then at least
+ one sufficient or optional LoginModule must succeed.
+ </xsd:documentation>
+ </xsd:annotation>
+ <xsd:simpleType>
+ <xsd:restriction base="xsd:string">
+ <xsd:enumeration value="required" />
+ <xsd:enumeration value="requisite" />
+ <xsd:enumeration value="sufficient" />
+ <xsd:enumeration value="optional" />
+ </xsd:restriction>
+ </xsd:simpleType>
</xsd:attribute>
+
</xsd:complexType>
<xsd:element name="module-option">
<xsd:complexType mixed="true">
<xsd:annotation>
- <xsd:appinfo>
- <!-- ModuleOption declares a constructor that takes name as a parameter
+ <xsd:appinfo>
+ <!-- ModuleOption declares a constructor that takes name as a parameter
while the value should be set with the setter.
This use-case is not supported out-of-the-box. So, we use this container. -->
- <jbxb:class
- impl="org.jboss.security.auth.login.ModuleOptionContainer"/>
- </xsd:appinfo>
- </xsd:annotation>
+ <jbxb:class impl="org.jboss.security.auth.login.ModuleOptionContainer"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:any namespace="##other" minOccurs="0"/>
</xsd:sequence>
<xsd:attribute name="name" type="xsd:string" use="required"/>
</xsd:complexType>
</xsd:element>
-
<xsd:element name="login-module-stack">
<xsd:complexType>
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:class
- impl="org.jboss.security.auth.login.LoginModuleStackContainer"/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:class impl="org.jboss.security.auth.login.LoginModuleStackContainer"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:login-module" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="name" type="xsd:string" use="required"/>
</xsd:complexType>
</xsd:element>
-
<xsd:element name="auth-module" type="jbsx:authModuleInfo"/>
<xsd:complexType name="authModuleInfo">
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:class
- impl="org.jboss.security.auth.container.config.AuthModuleEntryHolder"/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:class impl="org.jboss.security.auth.container.config.AuthModuleEntryHolder"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:module-option" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="code" type="xsd:string" use="required"/>
<xsd:attribute name="login-module-stack-ref" type="xsd:string"/>
</xsd:complexType>
-
<xsd:element name="policy-module">
<xsd:complexType>
<xsd:annotation>
- <xsd:appinfo>
- <jbxb:class
- impl="org.jboss.security.authorization.config.AuthorizationConfigEntryHolder"/>
- </xsd:appinfo>
- </xsd:annotation>
-
+ <xsd:appinfo>
+ <jbxb:class impl="org.jboss.security.authorization.config.AuthorizationConfigEntryHolder"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:module-option" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="code" type="xsd:string" use="required"/>
<xsd:attribute name="flag" use="required">
- <xsd:simpleType>
- <xsd:restriction base="xsd:string">
- <xsd:enumeration value="required"/>
- <xsd:enumeration value="requisite"/>
- <xsd:enumeration value="sufficient"/>
- <xsd:enumeration value="optional"/>
- </xsd:restriction>
- </xsd:simpleType>
- </xsd:attribute>
+ <xsd:annotation>
+ <xsd:documentation>The flag attribute controls how a login module
+ participates in the overall authentication proceedure.
+ Required - The LoginModule is required to succeed. If it
+ succeeds or fails, authentication still continues to proceed
+ down the LoginModule list.
+
+ Requisite - The LoginModule is required to succeed. If it succeeds,
+ authentication continues down the LoginModule list. If it fails,
+ control immediately returns to the application (authentication does not proceed
+ down the LoginModule list).
+
+ Sufficient - The LoginModule is not required to succeed. If it does
+ succeed, control immediately returns to the application (authentication
+ does not proceed down the LoginModule list). If it fails,
+ authentication continues down the LoginModule list.
+
+ Optional - The LoginModule is not required to succeed. If it succeeds or
+ fails, authentication still continues to proceed down the
+ LoginModule list.
+
+ The overall authentication succeeds only if
+ all required and requisite LoginModules succeed. If a
+ sufficient LoginModule is configured and succeeds, then only
+ the required and requisite LoginModules prior to that
+ sufficient LoginModule need to have succeeded for the overall
+ authentication to succeed. If no required or requisite
+ LoginModules are configured for an application, then at least
+ one sufficient or optional LoginModule must succeed.
+ </xsd:documentation>
+ </xsd:annotation>
+ <xsd:simpleType>
+ <xsd:restriction base="xsd:string">
+ <xsd:enumeration value="required" />
+ <xsd:enumeration value="requisite" />
+ <xsd:enumeration value="sufficient" />
+ <xsd:enumeration value="optional" />
+ </xsd:restriction>
+ </xsd:simpleType>
+ </xsd:attribute>
+
</xsd:complexType>
</xsd:element>
-
-
<xsd:element name="mapping-module">
<xsd:complexType>
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:class impl="org.jboss.security.mapping.config.MappingConfigEntryHolder"/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:class impl="org.jboss.security.mapping.config.MappingConfigEntryHolder"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:module-option" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="code" type="xsd:string" use="required"/>
</xsd:complexType>
</xsd:element>
-
<xsd:element name="provider-module">
<xsd:complexType>
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:class impl="org.jboss.security.audit.config.AuditConfigEntryHolder"/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:class impl="org.jboss.security.audit.config.AuditConfigEntryHolder"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:module-option" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
- <xsd:attribute name="code" type="xsd:string" use="required"/>
+ <xsd:attribute name="code" type="xsd:string" use="required"/>
</xsd:complexType>
</xsd:element>
-
<xsd:element name="trust-module">
<xsd:complexType>
- <xsd:annotation>
- <xsd:appinfo>
- <jbxb:class impl="org.jboss.security.trust.config.TrustConfigEntryHolder"/>
- </xsd:appinfo>
- </xsd:annotation>
+ <xsd:annotation>
+ <xsd:appinfo>
+ <jbxb:class impl="org.jboss.security.trust.config.TrustConfigEntryHolder"/>
+ </xsd:appinfo>
+ </xsd:annotation>
<xsd:sequence>
<xsd:element ref="jbsx:module-option" minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="code" type="xsd:string" use="required"/>
+ <xsd:attribute name="flag" use="required">
+ <xsd:annotation>
+ <xsd:documentation>The flag attribute controls how a login module
+ participates in the overall authentication proceedure.
+ Required - The LoginModule is required to succeed. If it
+ succeeds or fails, authentication still continues to proceed
+ down the LoginModule list.
+
+ Requisite - The LoginModule is required to succeed. If it succeeds,
+ authentication continues down the LoginModule list. If it fails,
+ control immediately returns to the application (authentication does not proceed
+ down the LoginModule list).
+
+ Sufficient - The LoginModule is not required to succeed. If it does
+ succeed, control immediately returns to the application (authentication
+ does not proceed down the LoginModule list). If it fails,
+ authentication continues down the LoginModule list.
+
+ Optional - The LoginModule is not required to succeed. If it succeeds or
+ fails, authentication still continues to proceed down the
+ LoginModule list.
+
+ The overall authentication succeeds only if
+ all required and requisite LoginModules succeed. If a
+ sufficient LoginModule is configured and succeeds, then only
+ the required and requisite LoginModules prior to that
+ sufficient LoginModule need to have succeeded for the overall
+ authentication to succeed. If no required or requisite
+ LoginModules are configured for an application, then at least
+ one sufficient or optional LoginModule must succeed.
+ </xsd:documentation>
+ </xsd:annotation>
+ <xsd:simpleType>
+ <xsd:restriction base="xsd:string">
+ <xsd:enumeration value="required" />
+ <xsd:enumeration value="requisite" />
+ <xsd:enumeration value="sufficient" />
+ <xsd:enumeration value="optional" />
+ </xsd:restriction>
+ </xsd:simpleType>
+ </xsd:attribute>
+
</xsd:complexType>
</xsd:element>
-
</xsd:schema>
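Review bot: The `<xsd:documentation>` added for the new `flag` attribute on `trust-module` (and the one added on `policy-module`) is a verbatim copy of the login-module text and describes LoginModules and the authentication procedure, which does not apply to trust or authorization modules; reword each copy to describe how the flag combines that module type's decisions, or at least drop the LoginModule-specific sentences, and fix "proceedure" to "procedure" in all three copies. Making `flag` `use="required"` on `trust-module` also renders any existing `<trust-module code="..."/>` declaration without a flag schema-invalid; if that is intended the log message should say so, otherwise give the attribute a default. Separately, in the earlier hunk the `minOccurs="0"` on both branches of the `authentication` choice makes an application-policy with no authentication section schema-valid — plausibly intended for policies that only carry authorization or identity-trust, but worth an annotation on the choice saying so.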