[jboss-cvs] JBossAS SVN: r60856 - branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Fri Feb 23 16:11:54 EST 2007
Author: anil.saldhana at jboss.com
Date: 2007-02-23 16:11:54 -0500 (Fri, 23 Feb 2007)
New Revision: 60856
Added:
branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedJaccAuthorizationRealm.java
Modified:
branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/JaccAuthorizationRealm.java
Log:
JBAS:4149: realm that can take deployment level role mapping into consideration
Added: branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedJaccAuthorizationRealm.java
===================================================================
--- branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedJaccAuthorizationRealm.java (rev 0)
+++ branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedJaccAuthorizationRealm.java 2007-02-23 21:11:54 UTC (rev 60856)
@@ -0,0 +1,110 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2006, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.web.tomcat.security;
+
+import java.security.Permission;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+import org.jboss.metadata.WebMetaData;
+import org.jboss.security.RealmMapping;
+import org.jboss.security.SimplePrincipal;
+
+//$Id$
+
+/**
+ * JBAS-4149: Extension of JACCAuthorizationRealm that considers deployment level
+ * role mapping
+ * @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
+ * @since Feb 23, 2007
+ * @version $Revision$
+ */
+public class ExtendedJaccAuthorizationRealm extends JaccAuthorizationRealm
+{
+ protected Principal getCachingPrincpal(RealmMapping realmMapping,
+ Principal authPrincipal,
+ Principal callerPrincipal, Object credential, Subject subject)
+ {
+ if(SecurityAssociationActions.getCallerRunAsIdentity() == null)
+ {
+ //Check if there are deployment level roles
+ WebMetaData wmd = (WebMetaData) JaccContextValve.activeWebMetaData.get();
+ if(wmd != null)
+ {
+ Set secroles = wmd.getSecurityRoleNamesByPrincipal(authPrincipal.getName());
+ Set<Principal> principalroles = new HashSet<Principal>();
+
+ if(secroles != null && secroles.isEmpty() == false)
+ {
+ Iterator iter = secroles.iterator();
+ while(iter.hasNext())
+ {
+ principalroles.add(new SimplePrincipal((String) iter.next()));
+ }
+
+ return new JBossGenericPrincipal(this, subject,
+ authPrincipal, callerPrincipal, credential,
+ new ArrayList(secroles), principalroles);
+ }
+ }
+ }
+ return super.getCachingPrincpal(realmMapping, authPrincipal,
+ callerPrincipal, credential, subject);
+ }
+
+ /** See if the given JACC permission is implied using the caller as
+ * obtained from either the
+ * PolicyContext.getContext(javax.security.auth.Subject.container) or
+ * the info associated with the requestPrincipal.
+ *
+ * @param perm - the JACC permission to check
+ * @param requestPrincpal - the http request getPrincipal
+ * @return true if the permission is allowed, false otherwise
+ */
+ protected boolean checkSecurityAssociation(Permission perm, Principal requestPrincpal)
+ {
+ // Get the caller
+ establishSubjectContext(requestPrincpal);
+
+ // Get the caller principals, its null if there is no caller
+ Principal[] principals = null;
+
+ //Use the roles cached in the principal
+ if(requestPrincpal instanceof JBossGenericPrincipal)
+ {
+ JBossGenericPrincipal jgp = (JBossGenericPrincipal)requestPrincpal;
+ String[] rolenames = jgp.getRoles();
+ int len = rolenames.length;
+ principals = new Principal[len];
+ for(int i = 0; i < len; i++)
+ {
+ principals[i] = new SimplePrincipal(rolenames[i]);
+ }
+ }
+ return checkSecurityAssociation(perm, principals);
+ }
+}
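Review bot: The override of `checkSecurityAssociation(Permission, Principal)` discards the Subject returned by `establishSubjectContext(requestPrincpal)`, so a request principal that is not a `JBossGenericPrincipal` reaches the array overload with `principals == null`, while the copied Javadoc still says the caller comes from the PolicyContext Subject or the request principal. If evaluating such callers with no principals is intended, the Javadoc should say so; otherwise delegate that case, e.g. `if (!(requestPrincpal instanceof JBossGenericPrincipal)) return super.checkSecurityAssociation(perm, requestPrincpal);`. `jgp.getRoles()` is also dereferenced with `.length` without a null check, which may or may not be safe depending on `JBossGenericPrincipal`, not shown here. Separately, `getCachingPrincpal` has no Javadoc and returns a principal whose roles come only from `wmd.getSecurityRoleNamesByPrincipal(authPrincipal.getName())` whenever that set is non-empty, skipping the `super` call; a comment stating that the deployment-level mapping replaces rather than merges with the roles the parent realm would compute makes that authorization decision explicit for reviewers.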
Modified: branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/JaccAuthorizationRealm.java
===================================================================
--- branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/JaccAuthorizationRealm.java 2007-02-23 21:10:47 UTC (rev 60855)
+++ branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/JaccAuthorizationRealm.java 2007-02-23 21:11:54 UTC (rev 60856)
@@ -65,7 +65,7 @@
/** The current servlet request */
private static ThreadLocal activeRequest = new ThreadLocal();
private boolean trace;
- private Policy policy;
+ protected Policy policy;
/**
* JBAS-2519:Delegate to JACC provider for unsecured resources in web.xml
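Review bot: Widening `policy` from `private` to `protected` is not needed by this revision, since `ExtendedJaccAuthorizationRealm` as added here never references it, and a non-final protected field lets any subclass reassign the Policy object. How the parent uses the field lies outside this hunk, but if it is what the permission check consults, keeping it `private` and adding `protected Policy getPolicy() { return policy; }` would give subclasses read access without letting them swap it.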
@@ -228,7 +228,7 @@
* @param requestPrincpal - the http request getPrincipal
* @return true if the permission is allowed, false otherwise
*/
- private boolean checkSecurityAssociation(Permission perm, Principal requestPrincpal)
+ protected boolean checkSecurityAssociation(Permission perm, Principal requestPrincpal)
{
// Get the caller
Subject caller = establishSubjectContext(requestPrincpal);
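Review bot: The methods made `protected` here and in the hunks at -254 and -276 become overridable as well as callable, yet the subclass added in this revision overrides only this `Principal` overload and merely calls `checkSecurityAssociation(Permission, Principal[])` and `establishSubjectContext(Principal)`. Declaring those two `protected final` would let subclasses reuse them without being able to replace the step that builds the ProtectionDomain and the step that establishes the caller Subject. The Javadoc on each could also state whether overriding is supported, e.g. `Subclasses may override to supply role principals; must not return true without consulting the policy`. All three method bodies continue outside their hunks.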
@@ -254,7 +254,7 @@
* @param principals - the possibly null set of principals for the caller
* @return true if the permission is allowed, false otherwise
*/
- private boolean checkSecurityAssociation(Permission perm, Principal[] principals)
+ protected boolean checkSecurityAssociation(Permission perm, Principal[] principals)
{
CodeSource webCS = (CodeSource) JaccContextValve.activeCS.get();
ProtectionDomain pd = new ProtectionDomain(webCS, null, null, principals);
@@ -276,7 +276,7 @@
* @param principal - the http request getPrincipal
* @return the authenticated Subject is there is one, null otherwise
*/
- private Subject establishSubjectContext(Principal principal)
+ protected Subject establishSubjectContext(Principal principal)
{
Subject caller = null;
try