[jboss-cvs] JBossAS SVN: r60856 - branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Fri Feb 23 16:11:54 EST 2007


Author: anil.saldhana at jboss.com
Date: 2007-02-23 16:11:54 -0500 (Fri, 23 Feb 2007)
New Revision: 60856

Added:
   branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedJaccAuthorizationRealm.java
Modified:
   branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/JaccAuthorizationRealm.java
Log:
JBAS-4149: realm that can take deployment-level role mapping into consideration

Added: branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedJaccAuthorizationRealm.java
===================================================================
--- branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedJaccAuthorizationRealm.java	                        (rev 0)
+++ branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedJaccAuthorizationRealm.java	2007-02-23 21:11:54 UTC (rev 60856)
@@ -0,0 +1,110 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2006, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.web.tomcat.security;
+ 
+import java.security.Permission;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Iterator; 
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+import org.jboss.metadata.WebMetaData;
+import org.jboss.security.RealmMapping;
+import org.jboss.security.SimplePrincipal;
+
+//$Id$
+
+/**
+ *  JBAS-4149: Extension of JACCAuthorizationRealm that considers deployment level
+ *  role mapping
+ *  @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
+ *  @since  Feb 23, 2007 
+ *  @version $Revision$
+ */
+public class ExtendedJaccAuthorizationRealm extends JaccAuthorizationRealm
+{ 
+   protected Principal getCachingPrincpal(RealmMapping realmMapping, 
+         Principal authPrincipal,
+         Principal callerPrincipal, Object credential, Subject subject)
+   { 
+      if(SecurityAssociationActions.getCallerRunAsIdentity() == null)
+      {
+         //Check if there are deployment level roles
+         WebMetaData wmd = (WebMetaData) JaccContextValve.activeWebMetaData.get();
+         if(wmd != null)
+         {
+            Set secroles = wmd.getSecurityRoleNamesByPrincipal(authPrincipal.getName());
+            Set<Principal> principalroles = new HashSet<Principal>();
+            
+            if(secroles != null && secroles.isEmpty() == false)
+            {
+               Iterator iter = secroles.iterator();
+               while(iter.hasNext())
+               {
+                  principalroles.add(new SimplePrincipal((String) iter.next()));
+               }
+               
+               return new JBossGenericPrincipal(this, subject,
+                     authPrincipal, callerPrincipal, credential, 
+                                new ArrayList(secroles), principalroles);  
+            }
+         }
+      }
+      return super.getCachingPrincpal(realmMapping, authPrincipal, 
+            callerPrincipal, credential, subject);
+   }  
+   
+   /** See if the given JACC permission is implied using the caller as
+    * obtained from either the
+    * PolicyContext.getContext(javax.security.auth.Subject.container) or
+    * the info associated with the requestPrincipal.
+    * 
+    * @param perm - the JACC permission to check
+    * @param requestPrincpal - the http request getPrincipal
+    * @return true if the permission is allowed, false otherwise
+    */ 
+   protected boolean checkSecurityAssociation(Permission perm, Principal requestPrincpal)
+   {
+      // Get the caller
+      establishSubjectContext(requestPrincpal);
+
+      // Get the caller principals, its null if there is no caller
+      Principal[] principals = null;
+      
+      //Use the roles cached in the principal
+      if(requestPrincpal instanceof JBossGenericPrincipal)
+      {
+         JBossGenericPrincipal jgp = (JBossGenericPrincipal)requestPrincpal;
+         String[] rolenames = jgp.getRoles();
+         int len = rolenames.length;
+         principals = new Principal[len];
+         for(int i = 0; i < len; i++)
+         {
+            principals[i] = new SimplePrincipal(rolenames[i]);
+         }
+      } 
+      return checkSecurityAssociation(perm, principals);
+   }
+}
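Review bot: In the `checkSecurityAssociation(Permission, Principal)` override the Subject returned by `establishSubjectContext(requestPrincpal)` is discarded, and when the request principal is not a `JBossGenericPrincipal` the method falls through with `principals == null`, so the final `checkSecurityAssociation(perm, principals)` evaluates a ProtectionDomain that carries no role principals and any role-guarded permission is presumably denied for such callers. The base class (its hunk below, body outside view) binds that Subject to `caller`, apparently as the fallback source of principals, so the override looks like it drops that path rather than extends it; if that is unintended, the non-`JBossGenericPrincipal` case should delegate: `return super.checkSecurityAssociation(perm, requestPrincpal);`. Separately, `getCachingPrincpal` calls `authPrincipal.getName()` with no null check, uses raw `Set`/`ArrayList` types alongside a generic `Set<Principal>`, and has no Javadoc although it changes which roles get cached. I would document the replacement semantics explicitly, e.g. `/** When the web deployment maps authPrincipal to a non-empty role set, those roles replace (not merge with) the realm-mapping roles in the cached principal; otherwise delegates to the superclass. Not applied while a run-as identity is active. */`.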

Modified: branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/JaccAuthorizationRealm.java
===================================================================
--- branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/JaccAuthorizationRealm.java	2007-02-23 21:10:47 UTC (rev 60855)
+++ branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/JaccAuthorizationRealm.java	2007-02-23 21:11:54 UTC (rev 60856)
@@ -65,7 +65,7 @@
    /** The current servlet request */
    private static ThreadLocal activeRequest = new ThreadLocal();
    private boolean trace;
-   private Policy policy;
+   protected Policy policy;
    
    /**
     * JBAS-2519:Delegate to JACC provider for unsecured resources in web.xml 
@@ -228,7 +228,7 @@
     * @param requestPrincpal - the http request getPrincipal
     * @return true if the permission is allowed, false otherwise
     */ 
-   private boolean checkSecurityAssociation(Permission perm, Principal requestPrincpal)
+   protected boolean checkSecurityAssociation(Permission perm, Principal requestPrincpal)
    {
       // Get the caller
       Subject caller = establishSubjectContext(requestPrincpal);
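Review bot: `checkSecurityAssociation(Permission, Principal)` becomes an overridable hook here, but its Javadoc still states only the return contract and says nothing about what an override must preserve — in particular that the Subject returned by `establishSubjectContext` appears to be the base implementation's source of caller principals when the request principal carries no cached roles. The same gap applies to the two other methods widened to `protected` in the hunks below (`checkSecurityAssociation(Permission, Principal[])` and `establishSubjectContext`) and to the `policy` field in the hunk above. I would add to this method's Javadoc: `Overridable by subclasses; an override must still resolve caller principals (from the established Subject or otherwise) before delegating to checkSecurityAssociation(Permission, Principal[]), since a null principal set yields an unauthenticated check.` The method body continues outside the hunk.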
@@ -254,7 +254,7 @@
     * @param principals - the possibly null set of principals for the caller
     * @return true if the permission is allowed, false otherwise
     */ 
-   private boolean checkSecurityAssociation(Permission perm, Principal[] principals)
+   protected boolean checkSecurityAssociation(Permission perm, Principal[] principals)
    {
       CodeSource webCS = (CodeSource) JaccContextValve.activeCS.get();
       ProtectionDomain pd = new ProtectionDomain(webCS, null, null, principals);
@@ -276,7 +276,7 @@
     * @param principal - the http request getPrincipal
     * @return the authenticated Subject is there is one, null otherwise
     */ 
-   private Subject establishSubjectContext(Principal principal)
+   protected Subject establishSubjectContext(Principal principal)
    {
       Subject caller = null;
       try



