[jboss-cvs] JBossAS SVN: r62757 - in branches/JBoss_4_0_2_CP: server/src/main/org/jboss/security and 1 other directory.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Wed May 2 16:01:57 EDT 2007


Author: jiwils
Date: 2007-05-02 16:01:57 -0400 (Wed, 02 May 2007)
New Revision: 62757

Modified:
   branches/JBoss_4_0_2_CP/security/src/main/org/jboss/security/ClientLoginModule.java
   branches/JBoss_4_0_2_CP/security/src/main/org/jboss/security/SecurityAssociationActions.java
   branches/JBoss_4_0_2_CP/server/src/main/org/jboss/security/SecurityAssociation.java
Log:
Fix for ASPATCH-207.

In addition to the changes specified in the JIRA, revision 41292 of ClientLoginModule.java and SecurityAssociationActions.java for the 4.0.4.GA tag was used.

Modified: branches/JBoss_4_0_2_CP/security/src/main/org/jboss/security/ClientLoginModule.java
===================================================================
--- branches/JBoss_4_0_2_CP/security/src/main/org/jboss/security/ClientLoginModule.java	2007-05-02 19:30:28 UTC (rev 62756)
+++ branches/JBoss_4_0_2_CP/security/src/main/org/jboss/security/ClientLoginModule.java	2007-05-02 20:01:57 UTC (rev 62757)
@@ -1,10 +1,24 @@
 /*
- * JBoss, the OpenSource WebOS
- *
- * Distributable under LGPL license.
- * See terms of license at gnu.org.
- */
-
+* JBoss, Home of Professional Open Source
+* Copyright 2005, JBoss Inc., and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+*/
 package org.jboss.security;
 
 
@@ -38,7 +52,7 @@
  When restore-login-identity is true, the SecurityAssociation principal
  and credential seen on entry to the login() method are saved and restored
  on either abort or logout. When false (the default), the abort and logout
- simply clear the SecurityAssociation. A restore-login-identity of true is
+ simply clears the SecurityAssociation. A restore-login-identity of true is
  needed if one need to change identities and then restore the original
  caller identity.
  <li>password-stacking=tryFirstPass|useFirstPass
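Review bot: The Javadoc kept in this hunk still says the principal and credential seen on entry to login() are "saved and restored", but later hunks of this commit delete that saving from login() and make abort()/logout() pop the SecurityAssociation stack instead. The text should describe the new behaviour, for example `When restore-login-identity is true, abort and logout pop the context this login pushed, exposing the caller's previous identity.` The reworded line also reads "the abort and logout simply clears", where the plural subject needs `clear`.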
@@ -69,12 +83,6 @@
     be restored on logout.
     */
    private boolean restoreLoginIdentity;
-   /** The SecurityAssociation principal seen on entry to login() */
-   private Principal restorePrincipal;
-   /** The SecurityAssociation credential seen on entry to login() */
-   private Object restoreCredential;
-   /** The SecurityAssociation subject seen on entry to login() */
-   private Subject restoreSubject;
    private boolean trace;
 
    /** Initialize this LoginModule. This checks for the options:
@@ -118,13 +126,6 @@
    {
       if( trace )
          log.trace("Begin login");
-      if( restoreLoginIdentity == true )
-      {
-         restorePrincipal = SecurityAssociationActions.getPrincipal();
-         restoreCredential = SecurityAssociationActions.getCredential();
-         restoreSubject = SecurityAssociationActions.getSubject();
-      }
-
       // If useFirstPass is true, look for the shared password
       if (useFirstPass == true)
       {
@@ -226,12 +227,15 @@
    {
       if( trace )
          log.trace("abort");
-      SecurityAssociationActions.clear();
       if( restoreLoginIdentity == true )
       {
-         SecurityAssociationActions.setPrincipalInfo(restorePrincipal,
-            restoreCredential, restoreSubject);
+         SecurityAssociationActions.popPrincipalInfo();
       }
+      else
+      {
+         // Clear the entire security association stack
+         SecurityAssociationActions.clear();         
+      }
 
       return true;
    }
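Review bot: With restore-login-identity set, abort() now pops one stack entry unconditionally, and nothing in this hunk shows that this module instance pushed one; logout() in the next hunk has the same shape. JAAS invokes abort() when overall authentication fails, which can happen before this module's commit() has run, so if the push lives in commit() (not visible here, please confirm) the pop would discard the caller's own context and leave the thread running under a different identity than it entered with. Consider recording the push in a field such as `private boolean pushedContext;` and guarding with `if( restoreLoginIdentity && pushedContext )` before `popPrincipalInfo()`. Both method bodies begin outside their hunks.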
@@ -240,12 +244,15 @@
    {
       if( trace )
          log.trace("logout");
-      SecurityAssociationActions.clear();
       if( restoreLoginIdentity == true )
       {
-         SecurityAssociationActions.setPrincipalInfo(restorePrincipal,
-            restoreCredential, restoreSubject);
+         SecurityAssociationActions.popPrincipalInfo();
       }
+      else
+      {
+         // Clear the entire security association stack
+         SecurityAssociationActions.clear();         
+      }
       Set principals = subject.getPrincipals();
       principals.remove(loginPrincipal);
       return true;

Modified: branches/JBoss_4_0_2_CP/security/src/main/org/jboss/security/SecurityAssociationActions.java
===================================================================
--- branches/JBoss_4_0_2_CP/security/src/main/org/jboss/security/SecurityAssociationActions.java	2007-05-02 19:30:28 UTC (rev 62756)
+++ branches/JBoss_4_0_2_CP/security/src/main/org/jboss/security/SecurityAssociationActions.java	2007-05-02 20:01:57 UTC (rev 62757)
@@ -1,8 +1,23 @@
 /*
-* JBoss, the OpenSource J2EE webOS
+* JBoss, Home of Professional Open Source
+* Copyright 2005, JBoss Inc., and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
 *
-* Distributable under LGPL license.
-* See terms of license at gnu.org.
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
 */
 package org.jboss.security;
 
@@ -40,6 +55,14 @@
          return null;
       }
    }
+   private static class PopPrincipalInfoAction implements PrivilegedAction
+   {
+      public Object run()
+      {
+         SecurityAssociation.popSubjectContext();
+         return null;
+      }
+   }
    private static class SetServerAction implements PrivilegedAction
    {
       static PrivilegedAction ACTION = new SetServerAction();
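Review bot: PopPrincipalInfoAction carries no state, yet popPrincipalInfo() in the next hunk allocates a fresh instance on every call, while the neighbouring SetServerAction exposes a shared `static PrivilegedAction ACTION`. For consistency, add `static PrivilegedAction ACTION = new PopPrincipalInfoAction();` and call `AccessController.doPrivileged(PopPrincipalInfoAction.ACTION);`. run() also drops the SubjectContext returned by popSubjectContext(); a one-line comment saying this is deliberate would help the next reader.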
@@ -91,6 +114,11 @@
       SetPrincipalInfoAction action = new SetPrincipalInfoAction(principal, credential, subject);
       AccessController.doPrivileged(action);
    }
+   static void popPrincipalInfo()
+   {
+      PopPrincipalInfoAction action = new PopPrincipalInfoAction();
+      AccessController.doPrivileged(action);
+   }
    static void setServer()
    {
       AccessController.doPrivileged(SetServerAction.ACTION);
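Review bot: popPrincipalInfo() is added without a comment, and its security-relevant property is not obvious from the name. It runs SecurityAssociation.popSubjectContext() inside doPrivileged, so the setPrincipalInfo RuntimePermission check in that method is evaluated against this class's protection domain rather than the caller's. Suggest a Javadoc such as `/** Pops the current SubjectContext under doPrivileged; keep package-private so code without setPrincipalInfo permission cannot reach it. */`.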

Modified: branches/JBoss_4_0_2_CP/server/src/main/org/jboss/security/SecurityAssociation.java
===================================================================
--- branches/JBoss_4_0_2_CP/server/src/main/org/jboss/security/SecurityAssociation.java	2007-05-02 19:30:28 UTC (rev 62756)
+++ branches/JBoss_4_0_2_CP/server/src/main/org/jboss/security/SecurityAssociation.java	2007-05-02 20:01:57 UTC (rev 62757)
@@ -33,10 +33,10 @@
  * When the server property is false, security information is maintained in
  * class variables which makes the information available to all threads within
  * the current VM.
- * 
+ *
  * Note that this is not a public API class. Its an implementation detail that
  * is subject to change without notice.
- * 
+ *
  * @author Daniel O'Connor (docodan at nycap.rr.com)
  * @author Scott.Stark at jboss.org
  * @version $Revision$
@@ -82,7 +82,7 @@
    /**
     * Thread local stacks of authenticated subject used to control the current
     * caller security context
-    */ 
+    */
    private static SubjectThreadLocalStack threadSubjectStacks = new SubjectThreadLocalStack();
 
    /**
@@ -188,7 +188,7 @@
     * method with a <code> RuntimePermission("org.jboss.security.SecurityAssociation.getPrincipalInfo")
     * </code> permission to ensure it's ok to access principal information. If
     * not, a <code>SecurityException</code> will be thrown.
-    * 
+    *
     * @return Principal, the current principal identity.
     */
    public static Principal getCallerPrincipal()
@@ -271,7 +271,7 @@
          threadPrincipal.set(principal);
       else
          SecurityAssociation.principal = principal;
-      // Integrate with the new SubjectContext 
+      // Integrate with the new SubjectContext
       SubjectContext sc = threadSubjectStacks.peek();
       if( sc == null )
       {
@@ -283,7 +283,7 @@
       {
          // The current security context has its principal set
          sc = new SubjectContext();
-         threadSubjectStacks.push(sc);         
+         threadSubjectStacks.push(sc);
       }
       sc.setPrincipal(principal);
    }
@@ -309,7 +309,7 @@
          threadCredential.set(credential);
       else
          SecurityAssociation.credential = credential;
-      // Integrate with the new SubjectContext 
+      // Integrate with the new SubjectContext
       SubjectContext sc = threadSubjectStacks.peek();
       if( sc == null )
       {
@@ -321,7 +321,7 @@
       {
          // The current security context has its principal set
          sc = new SubjectContext();
-         threadSubjectStacks.push(sc);         
+         threadSubjectStacks.push(sc);
       }
       sc.setCredential(credential);
    }
@@ -342,7 +342,7 @@
 
       if (trace)
          log.trace("setSubject, s=" + subject + ", server=" + server);
-      // Integrate with the new SubjectContext 
+      // Integrate with the new SubjectContext
       SubjectContext sc = threadSubjectStacks.peek();
       if( sc == null )
       {
@@ -354,7 +354,7 @@
       {
          // The current security context has its subject set
          sc = new SubjectContext();
-         threadSubjectStacks.push(sc);         
+         threadSubjectStacks.push(sc);
       }
       sc.setSubject(subject);
    }
@@ -409,7 +409,7 @@
     * @param subject - the authenticated subject
     * @param principal - the principal that was input into the authentication
     * @param credential - the credential that was input into the authentication
-    */ 
+    */
    public static void pushSubjectContext(Subject subject,
       Principal principal, Object credential)
    {
@@ -458,7 +458,7 @@
     * RuntimePermission("org.jboss.security.SecurityAssociation.setPrincipalInfo")
     * permission.
     * @return the SubjectContext pushed previously by a pushSubjectContext call
-    */ 
+    */
    public static SubjectContext popSubjectContext()
    {
       SecurityManager sm = System.getSecurityManager();
@@ -466,6 +466,33 @@
          sm.checkPermission(setPrincipalInfoPermission);
 
       SubjectContext sc = threadSubjectStacks.pop();
+      if (trace)
+      {
+         log.trace("popSubjectContext, sc="+sc);
+      }
+
+      Principal principal = null;
+      Object credential = null;
+
+      SubjectContext top = threadSubjectStacks.peek();
+
+      if (top != null)
+      {
+         principal = top.getPrincipal();
+         credential = top.getCredential();
+      }
+
+      if (server)
+      {
+         threadPrincipal.set(principal);
+         threadCredential.set(credential);
+      }
+      else
+      {
+         SecurityAssociation.principal = principal;
+         SecurityAssociation.credential = credential;
+      }
+
       return sc;
    }
 
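Review bot: In the added `else` branch (server == false) the static `SecurityAssociation.principal` and `credential` are overwritten from the calling thread's thread-local stack, while the class comment states that these class variables are visible to all threads in the VM. A pop on a thread whose stack is then empty therefore nulls the identity for every thread, and a non-empty stack publishes that thread's previous identity VM-wide. If that is the intended client-mode behaviour, say so above the branch, e.g. `// client mode: identity is VM-wide, so this pop changes it for all threads`. Separately, `log.trace("popSubjectContext, sc="+sc)` depends on SubjectContext.toString(), which is not visible here; confirm it does not print the credential. The method starts before this hunk.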
@@ -621,7 +648,7 @@
 
    /**
     * The encapsulation of the authenticated subject
-    */ 
+    */
    public static class SubjectContext
    {
       public static final int SUBJECT_WAS_SET = 1;
@@ -733,7 +760,7 @@
       }
       /**
        * Remove all SubjectContext from the current thread stack
-       */ 
+       */
       void clear()
       {
          ArrayList stack = (ArrayList) super.get();



