[jboss-cvs] JBossAS SVN: r62958 - projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Thu May 10 00:19:07 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-05-10 00:19:06 -0400 (Thu, 10 May 2007)
New Revision: 62958
Removed:
projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/AuthorizationManagerService.java
projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/AuthorizationManagerServiceMBean.java
projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java
projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManager.java
projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java
projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManagerServiceMBean.java
projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityConfig.java
projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityConfigMBean.java
projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityManagerMBean.java
Log:
SECURITY-26: JBAS integration code moved to JBAS trunk
Deleted: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/AuthorizationManagerService.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/AuthorizationManagerService.java 2007-05-10 04:16:04 UTC (rev 62957)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/AuthorizationManagerService.java 2007-05-10 04:19:06 UTC (rev 62958)
@@ -1,259 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source
- * Copyright 2005, JBoss Inc., and individual contributors as indicated
- * by the @authors tag. See the copyright.txt in the distribution for a
- * full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-package org.jboss.security.plugins;
-
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Method;
-import java.security.Principal;
-import java.security.acl.Group;
-import java.util.Hashtable;
-import java.util.Map;
-import java.util.Set;
-
-import javax.naming.Context;
-import javax.naming.InitialContext;
-import javax.naming.NamingException;
-import javax.security.auth.callback.CallbackHandler;
-
-import org.jboss.logging.Logger;
-import org.jboss.security.AuthorizationManager;
-import org.jboss.security.SecurityConstants;
-import org.jboss.security.auth.callback.SecurityAssociationHandler;
-import org.jboss.security.authorization.Resource;
-import org.jboss.system.ServiceMBeanSupport;
-import org.jboss.util.CachePolicy;
-
-//$Id$
-
-/**
- * Service that provides Authorization capabilities.
- * The service defaults to the
- * org.jboss.security.plugins.AuthorizationManager implementation but
- * this can be changed via the authorizationManagerClassName property.
- * @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
- * @since Jan 3, 2006
- * @version $Revision$
- */
-public class AuthorizationManagerService
-extends ServiceMBeanSupport
-implements AuthorizationManagerServiceMBean
-{
- /** The log4j interface */
- private static Logger log = Logger.getLogger(AuthorizationManagerService.class);
- private static String authorizationMgrClassName = SecurityConstants.DEFAULT_AUTHORIZATION_CLASS;
- private static Class authorizationMgrClass = JBossAuthorizationManager.class;
-
- private static Hashtable authorizationManagersMap = new Hashtable();
-
- private static int defaultCacheTimeout = 30*60;
- private static int defaultCacheResolution = 60;
-
- /** The JAAS CallbackHandler interface implementation to use */
- private static String callbackHandlerClassName = "org.jboss.security.auth.callback.SecurityAssociationHandler";
- private static Class callbackHandlerClass = SecurityAssociationHandler.class;
-
- /**
- * @see AuthorizationManagerServiceMBean#setAuthorizationManagerClassName(String)
- */
- public void setAuthorizationManagerClassName(String className)
- throws ClassNotFoundException, ClassCastException
- {
- authorizationMgrClassName = className;
- ClassLoader loader = Thread.currentThread().getContextClassLoader();
- authorizationMgrClass = loader.loadClass(authorizationMgrClassName);
- if( AuthorizationManager.class.isAssignableFrom(authorizationMgrClass) == false )
- throw new ClassCastException(authorizationMgrClass+" does not implement "+AuthorizationManager.class);
- }
-
- /** Set the default CallbackHandler implementation class name
- * @see javax.security.auth.callback.CallbackHandler
- */
- public void setCallbackHandlerClassName(String className)
- throws ClassNotFoundException
- {
- callbackHandlerClassName = className;
- ClassLoader loader = Thread.currentThread().getContextClassLoader();
- callbackHandlerClass = loader.loadClass(callbackHandlerClassName);
- }
-
- /**
- * @see AuthorizationManagerServiceMBean#getAuthorizationManagerClassName()
- */
- public String getAuthorizationManagerClassName()
- {
- return authorizationMgrClassName;
- }
-
- /**
- * @see AuthorizationManager#doesUserHaveRole(String)
- */
- public boolean doesUserHaveRole(String roleName)
- {
- String str = "Use getAuthorizationManager method and then call doesUserHaveRole";
- throw new IllegalStateException(str);
- }
-
- /**
- * @see AuthorizationManager#doesUserHaveRole(Principal, Set)
- */
- public boolean doesUserHaveRole(Principal principal, Set roles)
- {
- String str = "Use getAuthorizationManager method and then call doesUserHaveRole";
- throw new IllegalStateException(str);
- }
-
- //ServiceMBeanSupport methods
- protected void startService() throws Exception
- {
- super.startService();
- }
-
- protected void stopService() throws Exception
- {
- super.stopService();
- }
-
- /** Return the set of domain roles the principal has been assigned.
- @return The Set<Principal> for the application domain roles that the
- principal has been assigned.
- */
- public Set getUserRoles(Principal principal)
- {
- String str = "Use getAuthorizationManager method and then call getUserRoles";
- throw new IllegalStateException(str);
- }
-
- /**
- * @see AuthorizationManager#getPrincipal(Principal)
- */
- public Principal getPrincipal(Principal principal)
- {
- String str = "Use getAuthorizationManager method and then call getPrincipal";
- throw new IllegalStateException(str);
- }
-
- /**
- * @see AuthorizationManagerServiceMBean#getAuthorizationManager(String)
- */
- public AuthorizationManager getAuthorizationManager( String securityDomain)
- {
- AuthorizationManager amanager = (AuthorizationManager)authorizationManagersMap.get(securityDomain);
- if(amanager == null)
- {
- //create a new Authorization Manager
- amanager = newAuthorizationManager(securityDomain);
- authorizationManagersMap.put(securityDomain, amanager);
- log.debug("Added "+securityDomain+", " + amanager + " to map");
- //Add a JNDI binding based on the JaasSecurityManagerService
- //SecurityDomainContext
- try
- {
- Context ctx = new InitialContext();
-
- SecurityDomainContext sdc = (SecurityDomainContext)ctx.lookup("java:jaas/security/domainContext");
- sdc.setAuthorizationManager(amanager);
- }
- catch (NamingException e)
- {
- if(log.isTraceEnabled())
- log.trace("Error in naming", e);
- log.error("Error in getAuthorizationManager",e);
- }
- }
- return amanager;
- }
-
- /**
- * @see AuthorizationManager#authorize(Resource)
- */
- public int authorize(Resource resource)
- {
- String str = "Use getAuthorizationManager method and then call authorize";
- throw new IllegalStateException(str);
- }
-
- //PRIVATE METHODS
-
- /** Create a new AuthorizationManager for securityDomain.
- * @param securityDomain
- * @return
- * @throws NamingException
- */
- static AuthorizationManager newAuthorizationManager(String securityDomain)
- {
- AuthorizationManager securityMgr = null;
- try
- {
- // Create instance of securityMgrClass
- Class[] parameterTypes = {String.class, CallbackHandler.class};
- Constructor ctor = authorizationMgrClass.getConstructor(parameterTypes);
- CallbackHandler handler = (CallbackHandler) callbackHandlerClass.newInstance();
- Object[] args = {securityDomain, handler};
- securityMgr = (AuthorizationManager) ctor.newInstance(args);
- log.debug("Created AuthorizationManager="+securityMgr);
-
- CachePolicy cachePolicy = JaasSecurityManagerService.lookupCachePolicy(securityDomain);
- log.debug("Found Cache Policy="+cachePolicy);
- /*TimedCachePolicy cachePolicy = new TimedCachePolicy(defaultCacheTimeout,
- true, defaultCacheResolution);
- cachePolicy.create();
- cachePolicy.start(); */
- // See if the security mgr supports an externalized cache policy
- setSecurityDomainCache(securityMgr, cachePolicy);
- }
- catch(Exception e2)
- {
- String msg = "Failed to create authz mgr('"+securityDomain+"'), authorizationMgrClass="
- + authorizationMgrClass ;
- log.error(msg, e2);
- }
- return securityMgr;
- }
-
- /** Use reflection to attempt to set the authentication cache on the
- * the Authorization Manager argument.
- * @param securityMgr the Authorization Manager
- * @param cachePolicy the cache policy implementation
- */
- private static void setSecurityDomainCache(AuthorizationManager securityMgr,
- CachePolicy cachePolicy)
- {
- try
- {
- Class[] setCachePolicyTypes = {CachePolicy.class};
- Method m = authorizationMgrClass.getMethod("setCachePolicy", setCachePolicyTypes);
- Object[] setCachePolicyArgs = {cachePolicy};
- m.invoke(securityMgr, setCachePolicyArgs);
- log.debug("setCachePolicy, c="+setCachePolicyArgs[0]);
- }
- catch(Exception e2)
- { // No cache policy support, this is ok
- if(log.isTraceEnabled())
- log.trace("optional setCachePolicy failed:" + e2.getLocalizedMessage());
- }
- }
-
- public Group getTargetRoles(Principal targetPrincipal, Map contextMap)
- {
- throw new RuntimeException("Not implemented");
- }
-}
Deleted: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/AuthorizationManagerServiceMBean.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/AuthorizationManagerServiceMBean.java 2007-05-10 04:16:04 UTC (rev 62957)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/AuthorizationManagerServiceMBean.java 2007-05-10 04:19:06 UTC (rev 62958)
@@ -1,70 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source
- * Copyright 2005, JBoss Inc., and individual contributors as indicated
- * by the @authors tag. See the copyright.txt in the distribution for a
- * full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-package org.jboss.security.plugins;
-
-import javax.management.ObjectName;
-
-import org.jboss.mx.util.ObjectNameFactory;
-import org.jboss.security.AuthorizationManager;
-import org.jboss.system.ServiceMBean;
-
-//$Id$
-
-/**
- * Management interface for the AuthorizationManagerService MBean
- * @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
- * @since Jan 2, 2006
- * @version $Revision$
- */
-public interface AuthorizationManagerServiceMBean
-extends ServiceMBean, AuthorizationManager
-{
- /** The default ObjectName */
- ObjectName OBJECT_NAME = ObjectNameFactory.create("jboss.security:service=AuthorizationManager");
-
- /**
- * Set the name of the class that provides the authorization manager implementation.
- *
- * @exception ClassNotFoundException thrown if the className cannot be found
- * using the thread context class loader.
- * @exception ClassCastException thrown if the className does not implement the
- * org.jboss.security.AuthorizationManager interface.
- */
- void setAuthorizationManagerClassName(String className)
- throws ClassNotFoundException, ClassCastException;
-
- /**
- *
- * Get the name of the class that provides the authorization manager implementation.
- *
- * @return
- */
- String getAuthorizationManagerClassName();
-
- /**
- * Gets an AuthorizationManager instance given a security domain
- *
- * @param securityDomain
- * @return
- */
- AuthorizationManager getAuthorizationManager(String securityDomain);
-}
Deleted: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityDomain.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityDomain.java 2007-05-10 04:16:04 UTC (rev 62957)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityDomain.java 2007-05-10 04:19:06 UTC (rev 62958)
@@ -1,575 +0,0 @@
-/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
-package org.jboss.security.plugins;
-
-import java.io.BufferedReader;
-import java.io.File;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.lang.reflect.Constructor;
-import java.lang.reflect.Method;
-import java.net.MalformedURLException;
-import java.net.URL;
-import java.security.KeyStore;
-import java.util.Arrays;
-import java.util.StringTokenizer;
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.SecretKeyFactory;
-import javax.crypto.spec.PBEKeySpec;
-import javax.crypto.spec.PBEParameterSpec;
-import javax.management.MBeanServer;
-import javax.management.ObjectName;
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.TrustManagerFactory;
-import javax.security.auth.callback.CallbackHandler;
-
-import org.jboss.mx.util.MBeanServerLocator;
-import org.jboss.security.SecurityDomain;
-import org.jboss.security.Util;
-import org.jboss.security.auth.callback.SecurityAssociationHandler;
-
-/** The JaasSecurityDomain is an extension of JaasSecurityManager that addes
- the notion of a KeyStore, and JSSE KeyManagerFactory and TrustManagerFactory
- for supporting SSL and other cryptographic use cases.
-
- Attributes:
- <ul>
- <li>KeyStoreType: The implementation type name being used, defaults to 'JKS'.
- </li>
-
- <li>KeyStoreURL: Set the KeyStore database URL string. This is used to obtain
- an InputStream to initialize the KeyStore. If the string is not a value
- URL, its treated as a file.
- </li>
-
- <li>KeyStorePass: the password used to load the KeyStore. Its format is one of:
- <ul>
- <li>The plaintext password for the KeyStore(or whatever format is used
- by the KeyStore). The toCharArray() value of the string is used without any
- manipulation.
- </li>
- <li>A command to execute to obtain the plaintext password. The format
- is '{EXT}...' where the '...' is the exact command line that will be passed
- to the Runtime.exec(String) method to execute a platform command. The first
- line of the command output is used as the password.
- </li>
- <li>A class to create to obtain the plaintext password. The format
- is '{CLASS}classname[:ctorarg]' where the '[:ctorarg]' is an optional
- string delimited by the ':' from the classname that will be passed to the
- classname ctor. The password is obtained from classname by invoking a 'char[]
- toCharArray()' method if found, otherwise, the 'String toString()' method is
- used.
- </li>
- </ul>
- The KeyStorePass is also used in combination with the Salt and IterationCount
- attributes to create a PBE secret key used with the encode/decode operations.
- </li>
-
- <li>ManagerServiceName: The JMX object name string of the security manager service
- that the domain registers with to function as a security manager for the
- security domain name passed to the ctor. The makes the JaasSecurityDomain
- available under the standard JNDI java:/jaas/(domain) binding.
- </li>
-
- <li>LoadSunJSSEProvider: A flag indicating if the Sun com.sun.net.ssl.internal.ssl.Provider
- security provider should be loaded on startup. This is needed when using
- the Sun JSSE jars without them installed as an extension with JDK 1.3. This
- should be set to false with JDK 1.4 or when using an alternate JSSE provider
- </li>
-
- <li>Salt:
- </li>
-
- <li>IterationCount:
- </li>
- </ul>
-
- @todo add support for encode/decode based on a SecretKey in the keystore.
-
- @author Scott.Stark at jboss.org
- @author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
-
- @version $Revision$
- */
-public class JaasSecurityDomain
- extends JaasSecurityManager
- implements SecurityDomain, JaasSecurityDomainMBean
-{
- /** The permission required to access encode, encode64 */
- private static final RuntimePermission encodePermission =
- new RuntimePermission("org.jboss.security.plugins.JaasSecurityDomain.encode");
- /** The permission required to access decode, decode64 */
- private static final RuntimePermission decodePermission =
- new RuntimePermission("org.jboss.security.plugins.JaasSecurityDomain.decode");
-
- /** The KeyStore associated with the security domain */
- private KeyStore keyStore;
- private KeyManagerFactory keyMgr;
- /** The KeyStore implementation type which defaults to 'JKS' */
- private String keyStoreType = "JKS";
- /** The resource for the keystore location */
- private URL keyStoreURL;
- /** The keystore password for loading */
- private char[] keyStorePassword;
- /** A command string to execute to obtain the keyStorePassword */
- private String keyStorePasswordCmd;
- /** The type of command string: EXT, CLASS */
- private String keyStorePasswordCmdType;
- /** The secret key that corresponds to the keystore password */
- private SecretKey cipherKey;
- /** The encode/decode cipher algorigthm */
- private String cipherAlgorithm = "PBEwithMD5andDES";
- private byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8};
- private int iterationCount = 103;
- private PBEParameterSpec cipherSpec;
- /** The JMX object name of the security manager service */
- private ObjectName managerServiceName = JaasSecurityManagerServiceMBean.OBJECT_NAME;
-
- private KeyStore trustStore;
- private String trustStoreType = "JKS";
- private char[] trustStorePassword;
- private URL trustStoreURL;
- private TrustManagerFactory trustMgr;
-
- /** Creates a default JaasSecurityDomain for with a securityDomain
- name of 'other'.
- */
- public JaasSecurityDomain()
- {
- super();
- }
-
- /** Creates a JaasSecurityDomain for with a securityDomain
- name of that given by the 'securityDomain' argument.
- @param securityDomain , the name of the security domain
- */
- public JaasSecurityDomain(String securityDomain)
- {
- this(securityDomain, new SecurityAssociationHandler());
- }
-
- /** Creates a JaasSecurityDomain for with a securityDomain
- name of that given by the 'securityDomain' argument.
- @param securityDomain , the name of the security domain
- @param handler , the CallbackHandler to use to obtain login module info
- */
- public JaasSecurityDomain(String securityDomain, CallbackHandler handler)
- {
- super(securityDomain, handler);
- }
-
- public KeyStore getKeyStore() throws SecurityException
- {
- return keyStore;
- }
-
- public KeyManagerFactory getKeyManagerFactory() throws SecurityException
- {
- return keyMgr;
- }
-
- public KeyStore getTrustStore() throws SecurityException
- {
- return trustStore;
- }
-
- public TrustManagerFactory getTrustManagerFactory() throws SecurityException
- {
- return trustMgr;
- }
-
- /** The JMX object name string of the security manager service.
- @return The JMX object name string of the security manager service.
- */
- public ObjectName getManagerServiceName()
- {
- return this.managerServiceName;
- }
-
- /** Set the JMX object name string of the security manager service.
- */
- public void setManagerServiceName(ObjectName managerServiceName)
- {
- this.managerServiceName = managerServiceName;
- }
-
- public String getKeyStoreType()
- {
- return this.keyStoreType;
- }
-
- public void setKeyStoreType(String type)
- {
- this.keyStoreType = type;
- }
-
- public String getKeyStoreURL()
- {
- String url = null;
- if( keyStoreURL != null )
- url = keyStoreURL.toExternalForm();
- return url;
- }
-
- public void setKeyStoreURL(String storeURL) throws IOException
- {
- this.keyStoreURL = this.validateStoreURL(storeURL);
- log.debug("Using KeyStore=" + keyStoreURL.toExternalForm());
- }
-
- public void setKeyStorePass(String password)
- {
- this.keyStorePassword = null;
- // Look for a {...} prefix indicating a password command
- if( password.charAt(0) == '{' )
- {
- StringTokenizer tokenizer = new StringTokenizer(password, "{}");
- this.keyStorePasswordCmdType = tokenizer.nextToken();
- this.keyStorePasswordCmd = tokenizer.nextToken();
- }
- else
- {
- // Its just the keystore password string
- this.keyStorePassword = password.toCharArray();
- }
- }
-
- public String getTrustStoreType()
- {
- return this.trustStoreType;
- }
-
- public void setTrustStoreType(String type)
- {
- this.trustStoreType = type;
- }
-
- public void setTrustStorePass(String password)
- {
- this.trustStorePassword = password.toCharArray();
- }
-
- public String getTrustStoreURL()
- {
- String url = null;
- if( trustStoreURL != null )
- url = trustStoreURL.toExternalForm();
- return url;
- }
-
- public void setTrustStoreURL(String storeURL) throws IOException
- {
- this.trustStoreURL = validateStoreURL(storeURL);
- }
-
- public void setSalt(String salt)
- {
- this.salt = salt.getBytes();
- }
-
- public void setIterationCount(int iterationCount)
- {
- this.iterationCount = iterationCount;
- }
-
- public String getCipherAlgorithm()
- {
- return cipherAlgorithm;
- }
-
- public void setCipherAlgorithm(String cipherAlgorithm)
- {
- this.cipherAlgorithm = cipherAlgorithm;
- }
-
- public String getName()
- {
- return "JaasSecurityDomain(" + getSecurityDomain() + ")";
- }
-
- /** Encrypt the secret using the cipherKey.
- * @param secret - the plaintext secret to encrypt
- * @return the encrypted secret
- * @throws Exception
- */
- public byte[] encode(byte[] secret)
- throws Exception
- {
- SecurityManager sm = System.getSecurityManager();
- if( sm != null )
- {
- System.out.println("Checking: "+encodePermission);
- sm.checkPermission(encodePermission);
- }
-
- Cipher cipher = Cipher.getInstance(cipherAlgorithm);
- cipher.init(Cipher.ENCRYPT_MODE, cipherKey, cipherSpec);
- byte[] encoding = cipher.doFinal(secret);
- return encoding;
- }
- /** Decrypt the secret using the cipherKey.
- *
- * @param secret - the encrypted secret to decrypt.
- * @return the decrypted secret
- * @throws Exception
- */
- public byte[] decode(byte[] secret)
- throws Exception
- {
- SecurityManager sm = System.getSecurityManager();
- if( sm != null )
- sm.checkPermission(decodePermission);
-
- Cipher cipher = Cipher.getInstance(cipherAlgorithm);
- cipher.init(Cipher.DECRYPT_MODE, cipherKey, cipherSpec);
- byte[] decode = cipher.doFinal(secret);
- return decode;
- }
- /** Encrypt the secret using the cipherKey and return a base64 encoding.
- * @param secret - the plaintext secret to encrypt
- * @return the encrypted secret as a base64 string
- * @throws Exception
- */
- public String encode64(byte[] secret)
- throws Exception
- {
- byte[] encoding = encode(secret);
- String b64 = Util.tob64(encoding);
- return b64;
- }
- /** Decrypt the base64 encoded secret using the cipherKey.
- *
- * @param secret - the base64 encoded encrypted secret to decrypt.
- * @return the decrypted secret
- * @throws Exception
- */
- public byte[] decode64(String secret)
- throws Exception
- {
- byte[] encoding = Util.fromb64(secret);
- byte[] decode = decode(encoding);
- return decode;
- }
-
- /**
- Reload the key- and truststore
- */
- public void reloadKeyAndTrustStore()
- throws Exception
- {
- loadKeyAndTrustStore();
- }
-
- protected void startService()
- throws Exception
- {
- // Load the keystore password if it was
- loadKeystorePassword();
-
- // Load the key and/or truststore into memory
- loadKeyAndTrustStore();
-
- // Only register with the JaasSecurityManagerService if its defined
- if( managerServiceName != null )
- {
- /* Register with the JaasSecurityManagerServiceMBean. This allows this
- JaasSecurityDomain to function as the security manager for security-domain
- elements that declare java:/jaas/xxx for our security domain name.
- */
- MBeanServer server = MBeanServerLocator.locateJBoss();
- Object[] params = {getSecurityDomain(), this};
- String[] signature = new String[]{"java.lang.String", "org.jboss.security.SecurityDomain"};
- server.invoke(managerServiceName, "registerSecurityDomain", params, signature);
- }
- }
-
- protected void stopService()
- {
- if( keyStorePassword != null )
- {
- Arrays.fill(keyStorePassword, '\0');
- keyStorePassword = null;
- }
- cipherKey = null;
- }
-
- /** If keyStorePassword is null and keyStorePasswordCmd exists,
- * execute it to obtain the password.
- */
- private void loadKeystorePassword()
- throws Exception
- {
- if( keyStorePassword == null )
- {
- if( keyStorePasswordCmdType.equals("EXT") )
- execPasswordCmd();
- else if( keyStorePasswordCmdType.equals("CLASS") )
- invokePasswordClass();
- else
- throw new IllegalArgumentException("Unknown keyStorePasswordCmdType: "+keyStorePasswordCmdType);
- }
-
- // Create the PBE secret key
- cipherSpec = new PBEParameterSpec(salt, iterationCount);
- PBEKeySpec keySpec = new PBEKeySpec(keyStorePassword);
- SecretKeyFactory factory = SecretKeyFactory.getInstance("PBEwithMD5andDES");
- cipherKey = factory.generateSecret(keySpec);
- }
-
- private void loadKeyAndTrustStore()
- throws Exception
- {
- if( keyStoreURL != null )
- {
- keyStore = KeyStore.getInstance(keyStoreType);
- InputStream is = keyStoreURL.openStream();
- keyStore.load(is, keyStorePassword);
- String algorithm = KeyManagerFactory.getDefaultAlgorithm();
- keyMgr = KeyManagerFactory.getInstance(algorithm);
- keyMgr.init(keyStore, keyStorePassword);
- }
- if( trustStoreURL != null )
- {
- trustStore = KeyStore.getInstance(trustStoreType);
- InputStream is = trustStoreURL.openStream();
- trustStore.load(is, trustStorePassword);
- String algorithm = TrustManagerFactory.getDefaultAlgorithm();
- trustMgr = TrustManagerFactory.getInstance(algorithm);
- trustMgr.init(trustStore);
- }
- else if( keyStore != null )
- {
- trustStore = keyStore;
- String algorithm = TrustManagerFactory.getDefaultAlgorithm();
- trustMgr = TrustManagerFactory.getInstance(algorithm);
- trustMgr.init(trustStore);
- }
- }
-
- private void execPasswordCmd()
- throws Exception
- {
- log.debug("Executing command: "+keyStorePasswordCmd);
- Runtime rt = Runtime.getRuntime();
- Process p = rt.exec(keyStorePasswordCmd);
- InputStream stdin = p.getInputStream();
- BufferedReader reader = new BufferedReader(new InputStreamReader(stdin));
- String password = reader.readLine();
- stdin.close();
- int exitCode = p.waitFor();
- log.debug("Command exited with: "+exitCode);
- keyStorePassword = password.toCharArray();
- }
- /**
- *
- * @throws Exception
- */
- private void invokePasswordClass()
- throws Exception
- {
- keyStorePassword = null;
-
- // Check for a ctor argument delimited by ':'
- String classname = keyStorePasswordCmd;
- String ctorArg = null;
- int colon = keyStorePasswordCmd.indexOf(':');
- if( colon > 0 )
- {
- classname = keyStorePasswordCmd.substring(0, colon);
- ctorArg = keyStorePasswordCmd.substring(colon+1);
- }
- log.debug("Loading class: "+classname+", ctorArg="+ctorArg);
- ClassLoader loader = SubjectActions.getContextClassLoader();
- Class c = loader.loadClass(classname);
- Object instance = null;
- // Check for a ctor(String) if ctorArg is not null
- if( ctorArg != null )
- {
- Class[] sig = {String.class};
- Constructor ctor = c.getConstructor(sig);
- Object[] args = {ctorArg};
- instance = ctor.newInstance(args);
- }
- else
- {
- // Use the default ctor
- instance = c.newInstance();
- }
-
- // Look for a toCharArray() method
- try
- {
- log.debug("Checking for toCharArray");
- Class[] sig = {};
- Method toCharArray = c.getMethod("toCharArray", sig);
- Object[] args = {};
- log.debug("Invoking toCharArray");
- keyStorePassword = (char[]) toCharArray.invoke(instance, args);
- }
- catch(NoSuchMethodException e)
- {
- log.debug("No toCharArray found, invoking toString");
- String tmp = instance.toString();
- if( tmp != null )
- keyStorePassword = tmp.toCharArray();
- }
- }
-
- private URL validateStoreURL(String storeURL) throws IOException
- {
- URL url = null;
- // First see if this is a URL
- try
- {
- url = new URL(storeURL);
- }
- catch(MalformedURLException e)
- {
- // Not a URL or a protocol without a handler
- }
-
- // Next try to locate this as file path
- if( url == null )
- {
- File tst = new File(storeURL);
- if( tst.exists() == true )
- url = tst.toURL();
- }
-
- // Last try to locate this as a classpath resource
- if( url == null )
- {
- ClassLoader loader = SubjectActions.getContextClassLoader();
- url = loader.getResource(storeURL);
- }
-
- // Fail if no valid key store was located
- if( url == null )
- {
- String msg = "Failed to find url=" + storeURL + " as a URL, file or resource";
- throw new MalformedURLException(msg);
- }
- return url;
- }
-}
Deleted: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java 2007-05-10 04:16:04 UTC (rev 62957)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityDomainMBean.java 2007-05-10 04:19:06 UTC (rev 62958)
@@ -1,127 +0,0 @@
-/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
-package org.jboss.security.plugins;
-
-import java.io.IOException;
-import javax.management.ObjectName;
-import org.jboss.system.ServiceMBean;
-
-
-/** The JaasSecurityDomainMBean adds support for KeyStore management.
-
- @author Scott.Stark at jboss.org
- @author <a href="mailto:jasone at greenrivercomputing.com">Jason Essington</a>
- @version $Revision$
-*/
-public interface JaasSecurityDomainMBean extends ServiceMBean
-{
- /** KeyStore implementation type being used.
- @return the KeyStore implementation type being used.
- */
- public String getKeyStoreType();
- /** Set the type of KeyStore implementation to use. This is
- passed to the KeyStore.getInstance() factory method.
- */
- public void setKeyStoreType(String type);
- /** Get the KeyStore database URL string.
- */
- public String getKeyStoreURL();
- /** Set the KeyStore database URL string. This is used to obtain
- an InputStream to initialize the KeyStore.
- */
- public void setKeyStoreURL(String storeURL) throws IOException;
- /** Set the credential string for the KeyStore.
- */
- public void setKeyStorePass(String password);
-
- /** Get the type of the trust store
- * @return the type of the trust store
- */
- public String getTrustStoreType();
- /** Set the type of the trust store
- * @param type - the trust store implementation type
- */
- public void setTrustStoreType(String type);
- /** Set the credential string for the trust store.
- */
- public void setTrustStorePass(String password);
- /** Get the trust store database URL string.
- */
- public String getTrustStoreURL();
- /** Set the trust store database URL string. This is used to obtain
- an InputStream to initialize the trust store.
- */
- public void setTrustStoreURL(String storeURL) throws IOException;
- /**
- Reload the key- and truststore
- */
- public void reloadKeyAndTrustStore() throws Exception;
- /** The JMX object name string of the security manager service.
- @return The JMX object name string of the security manager service.
- */
- public ObjectName getManagerServiceName();
- /** Set the JMX object name string of the security manager service.
- */
- public void setManagerServiceName(ObjectName jmxName);
-
- /** Set the salt used with PBE based on the keystore password.
- * @param salt - an 8 char randomization string
- */
- public void setSalt(String salt);
- /** Set the iteration count used with PBE based on the keystore password.
- * @param count - an iteration count randomization value
- */
- public void setIterationCount(int count);
-
- /** Encode a secret using the keystore password and PBEwithMD5andDES algo
- * @param secret - the byte sequence to encrypt
- * @return the encrypted byte sequence
- * @throws Exception
- */
- public byte[] encode(byte[] secret)
- throws Exception;
-
- /** Decode a secret using the keystore password and PBEwithMD5andDES algo
- * @param secret - the byte sequence to decrypt
- * @return the decrypted byte sequence
- * @throws Exception
- */
- public byte[] decode(byte[] secret)
- throws Exception;
-
- /** Encode a secret using the keystore password and PBEwithMD5andDES algo
- * @param secret - the byte sequence to encrypt as a base64 string using
- * the Util.tob64() function
- * @return the encrypted byte sequence
- * @throws Exception
- */
- public String encode64(byte[] secret)
- throws Exception;
-
- /** Decode a secret using the keystore password and PBEwithMD5andDES algo
- * @param secret - the Util.tob64 string represention to decrypt
- * @return the decrypted byte sequence
- * @throws Exception
- */
- public byte[] decode64(String secret)
- throws Exception;
-}
Deleted: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManager.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManager.java 2007-05-10 04:16:04 UTC (rev 62957)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManager.java 2007-05-10 04:19:06 UTC (rev 62958)
@@ -1,722 +0,0 @@
-/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
-package org.jboss.security.plugins;
-
-import java.lang.reflect.Method;
-import java.lang.reflect.UndeclaredThrowableException;
-import java.security.Principal;
-import java.security.acl.Group;
-import java.util.Arrays;
-import java.util.Enumeration;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Set;
-import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
-
-import org.jboss.logging.Logger;
-import org.jboss.security.AuthorizationManager;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.SecurityContext;
-import org.jboss.security.SubjectSecurityManager;
-import org.jboss.security.Util;
-import org.jboss.security.auth.callback.SecurityAssociationHandler;
-import org.jboss.system.ServiceMBeanSupport;
-import org.jboss.util.CachePolicy;
-import org.jboss.util.TimedCachePolicy;
-
-/** The JaasSecurityManager is responsible both for authenticating credentials
- associated with principals and for role mapping. This implementation relies
- on the JAAS LoginContext/LoginModules associated with the security
- domain name associated with the class for authentication,
- and the context JAAS Subject object for role mapping.
-
- @see #isValid(Principal, Object, Subject)
- @see #getPrincipal(Principal)
- @see #doesUserHaveRole(Principal, Set)
-
- @author <a href="on at ibis.odessa.ua">Oleg Nitz</a>
- @author Scott.Stark at jboss.org
- @author Anil.Saldhana at jboss.org
- @version $Revision$
-*/
-public class JaasSecurityManager extends ServiceMBeanSupport
- implements SubjectSecurityManager, RealmMapping
-{
- /** The authentication cache object.
- */
- public static class DomainInfo implements TimedCachePolicy.TimedEntry
- {
- private static Logger log = Logger.getLogger(DomainInfo.class);
- private static boolean trace = log.isTraceEnabled();
- private LoginContext loginCtx;
- private Subject subject;
- private Object credential;
- private Principal callerPrincipal;
- private long expirationTime;
- /** Is there an active authentication in process */
- private boolean needsDestroy;
- /** The number of users sharing this DomainInfo */
- private int activeUsers;
-
- /**
- Create a cache entry with the given lifetime in seconds. Since this comes
- from the TimedCachePolicy, its expected to be <= Integer.MAX_VALUE.
-
- @param lifetime - lifetime in seconds. A lifetime <= 0 means no caching
- with the exception of -1 which indicates that the cache entry never
- expires.
- */
- public DomainInfo(long lifetime)
- {
- expirationTime = lifetime;
- if( expirationTime != -1 )
- expirationTime *= 1000;
- }
-
- synchronized int acquire()
- {
- return activeUsers ++;
- }
- synchronized int release()
- {
- int users = activeUsers --;
- if( needsDestroy == true && users == 0 )
- {
- if( trace )
- log.trace("needsDestroy is true, doing logout");
- logout();
- }
- return users;
- }
- synchronized void logout()
- {
- if( trace )
- log.trace("logout, subject="+subject+", this="+this);
- try
- {
- if( loginCtx != null )
- loginCtx.logout();
- }
- catch(Throwable e)
- {
- if( trace )
- log.trace("Cache entry logout failed", e);
- }
- }
-
- public void init(long now)
- {
- expirationTime += now;
- }
- public boolean isCurrent(long now)
- {
- boolean isCurrent = expirationTime == -1;
- if( isCurrent == false )
- isCurrent = expirationTime > now;
- return isCurrent;
- }
- public boolean refresh()
- {
- return false;
- }
- /**
- * This
- */
- public void destroy()
- {
- if( trace )
- {
- log.trace("destroy, subject="+subject+", this="+this
- +", activeUsers="+activeUsers);
- }
-
- synchronized( this )
- {
- if( activeUsers == 0 )
- logout();
- else
- {
- if( trace )
- log.trace("destroy saw activeUsers="+activeUsers);
- needsDestroy = true;
- }
- }
- }
- public Object getValue()
- {
- return this;
- }
- public String toString()
- {
- StringBuffer tmp = new StringBuffer(super.toString());
- tmp.append('[');
- tmp.append(SubjectActions.toString(subject));
- tmp.append(",credential.class=");
- if( credential != null )
- {
- Class c = credential.getClass();
- tmp.append(c.getName());
- tmp.append('@');
- tmp.append(System.identityHashCode(c));
- }
- else
- {
- tmp.append("null");
- }
- tmp.append(",expirationTime=");
- tmp.append(expirationTime);
- tmp.append(']');
-
- return tmp.toString();
- }
- }
-
- /** The name of the domain this instance is securing. It is used as
- the appName into the SecurityPolicy.
- */
- private String securityDomain;
- /** A cache of DomainInfo objects keyd by Principal. This is now
- always set externally by our security manager service.
- */
- private CachePolicy domainCache;
- /** The JAAS callback handler to use in defaultLogin */
- private CallbackHandler handler;
- /** The setSecurityInfo(Principal, Object) method of the handler obj */
- private Method setSecurityInfo;
- /** The flag to indicate that the Subject sets need to be deep copied*/
- private boolean deepCopySubjectOption = false;
-
- /** The log4j category for the security manager domain
- */
- protected Logger log;
- protected boolean trace;
-
- /** Creates a default JaasSecurityManager for with a securityDomain
- name of 'other'.
- */
- public JaasSecurityManager()
- {
- this("other", new SecurityAssociationHandler());
- }
- /** Creates a JaasSecurityManager for with a securityDomain
- name of that given by the 'securityDomain' argument.
- @param securityDomain the name of the security domain
- @param handler the JAAS callback handler instance to use
- @exception UndeclaredThrowableException thrown if handler does not
- implement a setSecurityInfo(Princpal, Object) method
- */
- public JaasSecurityManager(String securityDomain, CallbackHandler handler)
- {
- this.securityDomain = securityDomain;
- this.handler = handler;
- String categoryName = getClass().getName()+'.'+securityDomain;
- this.log = Logger.getLogger(categoryName);
- this.trace = log.isTraceEnabled();
-
- // Get the setSecurityInfo(Principal principal, Object credential) method
- Class[] sig = {Principal.class, Object.class};
- try
- {
- setSecurityInfo = handler.getClass().getMethod("setSecurityInfo", sig);
- }
- catch (Exception e)
- {
- String msg = "Failed to find setSecurityInfo(Princpal, Object) method in handler";
- throw new UndeclaredThrowableException(e, msg);
- }
- log.debug("CallbackHandler: "+handler);
- }
-
- /** The domainCache is typically a shared object that is populated
- by the login code(LoginModule, etc.) and read by this class in the
- isValid() method.
- @see #isValid(Principal, Object, Subject)
- */
- public void setCachePolicy(CachePolicy domainCache)
- {
- this.domainCache = domainCache;
- log.debug("CachePolicy set to: "+domainCache);
- }
-
- /**
- * Flag to specify if deep copy of subject sets needs to be
- * enabled
- *
- * @param flag
- */
- public void setDeepCopySubjectOption(Boolean flag)
- {
- log.debug("setDeepCopySubjectOption="+ flag);
- this.deepCopySubjectOption = (flag == Boolean.TRUE) ;
- }
-
- /** Not really used anymore as the security manager service manages the
- security domain authentication caches.
- */
- public void flushCache()
- {
- if( domainCache != null )
- domainCache.flush();
- }
-
- /** Get the name of the security domain associated with this security mgr.
- @return Name of the security manager security domain.
- */
- public String getSecurityDomain()
- {
- return securityDomain;
- }
-
- /** Get the currently authenticated Subject. This is a thread local
- property shared across all JaasSecurityManager instances.
- @return The Subject authenticated in the current thread if one
- exists, null otherwise.
- */
- public Subject getActiveSubject()
- {
- /* This does not use SubjectActions.getActiveSubject since the caller
- must have the correct permissions to access the
- SecurityAssociation.getSubject method.
- */
- //return SecurityAssociation.getSubject();
- Subject subj = null;
- SecurityContext sc = SecurityContextAssociation.getSecurityContext();
- if(sc != null)
- {
- subj = sc.getUtil().getSubject();
- }
- return subj;
- }
-
- /** Validate that the given credential is correct for principal. This
- returns the value from invoking isValid(principal, credential, null).
- @param principal - the security domain principal attempting access
- @param credential - the proof of identity offered by the principal
- @return true if the principal was authenticated, false otherwise.
- */
- public boolean isValid(Principal principal, Object credential)
- {
- return isValid(principal, credential, null);
- }
-
- /** Validate that the given credential is correct for principal. This first
- will check the current CachePolicy object if one exists to see if the
- user's cached credentials match the given credential. If there is no
- credential cache or the cache information is invalid or does not match,
- the user is authenticated against the JAAS login modules configured for
- the security domain.
- @param principal - the security domain principal attempting access
- @param credential the proof of identity offered by the principal
- @param activeSubject - if not null, a Subject that will be populated with
- the state of the authenticated Subject.
- @return true if the principal was authenticated, false otherwise.
- */
- public boolean isValid(Principal principal, Object credential,
- Subject activeSubject)
- {
- // Check the cache first
- DomainInfo cacheInfo = getCacheInfo(principal, true);
- if( trace )
- log.trace("Begin isValid, principal:"+principal+", cache info: "+cacheInfo);
-
- boolean isValid = false;
- if( cacheInfo != null )
- {
- isValid = validateCache(cacheInfo, credential, activeSubject);
- if( cacheInfo != null )
- cacheInfo.release();
- }
- if( isValid == false )
- isValid = authenticate(principal, credential, activeSubject);
- if( trace )
- log.trace("End isValid, "+isValid);
- return isValid;
- }
-
- /** Map the argument principal from the deployment environment principal
- to the developer environment. This is called by the EJB context
- getCallerPrincipal() to return the Principal as described by
- the EJB developer domain.
- @return a Principal object that is valid in the deployment environment
- if one exists. If no Subject exists or the Subject has no principals
- then the argument principal is returned.
- */
- public Principal getPrincipal(Principal principal)
- {
- if(domainCache == null)
- return principal;
- Principal result = principal;
- // Get the CallerPrincipal group member
- synchronized( domainCache )
- {
- DomainInfo info = getCacheInfo(principal, false);
- if( trace )
- log.trace("getPrincipal, cache info: "+info);
- if( info != null )
- {
- result = info.callerPrincipal;
- // If the mapping did not have a callerPrincipal just use principal
- if( result == null )
- result = principal;
- info.release();
- }
- }
-
- return result;
- }
-
- /** Does the current Subject have a role(a Principal) that equates to one
- of the role names. This method obtains the Group named 'Roles' from
- the principal set of the currently authenticated Subject as determined
- by the SecurityAssociation.getSubject() method and then creates a
- SimplePrincipal for each name in roleNames. If the role is a member of the
- Roles group, then the user has the role. This requires that the caller
- establish the correct SecurityAssociation subject prior to calling this
- method. In the past this was done as a side-effect of an isValid() call,
- but this is no longer the case.
-
- @param principal - ignored. The current authenticated Subject determines
- the active user and assigned user roles.
- @param rolePrincipals - a Set of Principals for the roles to check.
-
- @see java.security.acl.Group;
- @see Subject#getPrincipals()
- */
- public boolean doesUserHaveRole(Principal principal, Set rolePrincipals)
- {
- AuthorizationManager am = Util.getAuthorizationManager(securityDomain);
- return am.doesUserHaveRole(principal, rolePrincipals);
- }
-
- /** Return the set of domain roles the current active Subject 'Roles' group
- found in the subject Principals set.
-
- @param principal - ignored. The current authenticated Subject determines
- the active user and assigned user roles.
- @return The Set<Principal> for the application domain roles that the
- principal has been assigned.
- */
- public Set getUserRoles(Principal principal)
- {
- AuthorizationManager am = Util.getAuthorizationManager(securityDomain);
- return am.getUserRoles(principal);
- }
-
- /**
- * @see AuthenticationManager#getTargetPrincipal(Principal,Map)
- */
- public Principal getTargetPrincipal(Principal anotherDomainPrincipal, Map contextMap)
- {
- throw new RuntimeException("Not implemented yet");
- }
-
- /** Currently this simply calls defaultLogin() to do a JAAS login using the
- security domain name as the login module configuration name.
-
- * @param principal - the user id to authenticate
- * @param credential - an opaque credential.
- * @return false on failure, true on success.
- */
- private boolean authenticate(Principal principal, Object credential,
- Subject theSubject)
- {
- Subject subject = null;
- boolean authenticated = false;
- LoginException authException = null;
-
- try
- {
- // Validate the principal using the login configuration for this domain
- LoginContext lc = defaultLogin(principal, credential);
- subject = lc.getSubject();
-
- // Set the current subject if login was successful
- if( subject != null )
- {
- // Copy the current subject into theSubject
- if( theSubject != null )
- {
- SubjectActions.copySubject(subject, theSubject, false,this.deepCopySubjectOption);
- }
- else
- {
- theSubject = subject;
- }
-
- authenticated = true;
- // Build the Subject based DomainInfo cache value
- updateCache(lc, subject, principal, credential);
- }
- }
- catch(LoginException e)
- {
- // Don't log anonymous user failures unless trace level logging is on
- if( principal != null && principal.getName() != null || trace )
- log.trace("Login failure", e);
- authException = e;
- }
- // Set the security association thread context info exception
- SubjectActions.setContextInfo("org.jboss.security.exception", authException);
-
- return authenticated;
- }
-
- /** Pass the security info to the login modules configured for
- this security domain using our SecurityAssociationHandler.
- @return The authenticated Subject if successful.
- @exception LoginException throw if login fails for any reason.
- */
- private LoginContext defaultLogin(Principal principal, Object credential)
- throws LoginException
- {
- /* We use our internal CallbackHandler to provide the security info. A
- copy must be made to ensure there is a unique handler per active
- login since there can be multiple active logins.
- */
- Object[] securityInfo = {principal, credential};
- CallbackHandler theHandler = null;
- try
- {
- theHandler = (CallbackHandler) handler.getClass().newInstance();
- setSecurityInfo.invoke(theHandler, securityInfo);
- }
- catch (Throwable e)
- {
- if( trace )
- log.trace("Failed to create/setSecurityInfo on handler", e);
- LoginException le = new LoginException("Failed to setSecurityInfo on handler");
- le.initCause(e);
- throw le;
- }
- Subject subject = new Subject();
- LoginContext lc = null;
- if( trace )
- log.trace("defaultLogin, principal="+principal);
- lc = SubjectActions.createLoginContext(securityDomain, subject, theHandler);
- lc.login();
- if( trace )
- log.trace("defaultLogin, lc="+lc+", subject="+SubjectActions.toString(subject));
- return lc;
- }
-
- /** Validate the cache credential value against the provided credential
- */
- private boolean validateCache(DomainInfo info, Object credential,
- Subject theSubject)
- {
- if( trace )
- {
- StringBuffer tmp = new StringBuffer("Begin validateCache, info=");
- tmp.append(info.toString());
- tmp.append(";credential.class=");
- if( credential != null )
- {
- Class c = credential.getClass();
- tmp.append(c.getName());
- tmp.append('@');
- tmp.append(System.identityHashCode(c));
- }
- else
- {
- tmp.append("null");
- }
- log.trace(tmp.toString());
- }
-
- Object subjectCredential = info.credential;
- boolean isValid = false;
- // Check for a null credential as can be the case for an anonymous user
- if( credential == null || subjectCredential == null )
- {
- // Both credentials must be null
- isValid = (credential == null) && (subjectCredential == null);
- }
- // See if the credential is assignable to the cache value
- else if( subjectCredential.getClass().isAssignableFrom(credential.getClass()) )
- {
- /* Validate the credential by trying Comparable, char[], byte[],
- Object[], and finally Object.equals()
- */
- if( subjectCredential instanceof Comparable )
- {
- Comparable c = (Comparable) subjectCredential;
- isValid = c.compareTo(credential) == 0;
- }
- else if( subjectCredential instanceof char[] )
- {
- char[] a1 = (char[]) subjectCredential;
- char[] a2 = (char[]) credential;
- isValid = Arrays.equals(a1, a2);
- }
- else if( subjectCredential instanceof byte[] )
- {
- byte[] a1 = (byte[]) subjectCredential;
- byte[] a2 = (byte[]) credential;
- isValid = Arrays.equals(a1, a2);
- }
- else if( subjectCredential.getClass().isArray() )
- {
- Object[] a1 = (Object[]) subjectCredential;
- Object[] a2 = (Object[]) credential;
- isValid = Arrays.equals(a1, a2);
- }
- else
- {
- isValid = subjectCredential.equals(credential);
- }
- }
- else if( subjectCredential instanceof char[] && credential instanceof String )
- {
- char[] a1 = (char[]) subjectCredential;
- char[] a2 = ((String) credential).toCharArray();
- isValid = Arrays.equals(a1, a2);
- }
- else if( subjectCredential instanceof String && credential instanceof char[] )
- {
- char[] a1 = ((String) subjectCredential).toCharArray();
- char[] a2 = (char[]) credential;
- isValid = Arrays.equals(a1, a2);
- }
-
- // If the credentials match, set the thread's active Subject
- if( isValid )
- {
- // Copy the current subject into theSubject
- if( theSubject != null )
- {
- SubjectActions.copySubject(info.subject, theSubject, false,this.deepCopySubjectOption);
- }
- }
- if( trace )
- log.trace("End validateCache, isValid="+isValid);
-
- return isValid;
- }
-
- /** An accessor method that synchronizes access on the domainCache
- to avoid a race condition that can occur when the cache entry expires
- in the presence of multi-threaded access. The allowRefresh flag should
- be true for authentication accesses and false for other accesses.
- Previously the other accesses included authorization and caller principal
- mapping. Now the only use of the
-
- @param principal - the caller identity whose cached credentials are to
- be accessed.
- @param allowRefresh - a flag indicating if the cache access should flush
- any expired entries.
- */
- private DomainInfo getCacheInfo(Principal principal, boolean allowRefresh)
- {
- if( domainCache == null )
- return null;
-
- DomainInfo cacheInfo = null;
- synchronized( domainCache )
- {
- if( allowRefresh == true )
- cacheInfo = (DomainInfo) domainCache.get(principal);
- else
- cacheInfo = (DomainInfo) domainCache.peek(principal);
- if( cacheInfo != null )
- cacheInfo.acquire();
- }
- return cacheInfo;
- }
-
- private Subject updateCache(LoginContext lc, Subject subject,
- Principal principal, Object credential)
- {
- // If we don't have a cache there is nothing to update
- if( domainCache == null )
- return subject;
-
- long lifetime = 0;
- if( domainCache instanceof TimedCachePolicy )
- {
- TimedCachePolicy cache = (TimedCachePolicy) domainCache;
- lifetime = cache.getDefaultLifetime();
- }
- DomainInfo info = new DomainInfo(lifetime);
- info.loginCtx = lc;
- info.subject = new Subject();
- SubjectActions.copySubject(subject, info.subject, true, this.deepCopySubjectOption);
- info.credential = credential;
-
- if( trace )
- {
- log.trace("updateCache, inputSubject="+SubjectActions.toString(subject)
- +", cacheSubject="+SubjectActions.toString(info.subject));
- }
-
- /* Get the Subject callerPrincipal by looking for a Group called
- 'CallerPrincipal'
- */
- Set subjectGroups = subject.getPrincipals(Group.class);
- Iterator iter = subjectGroups.iterator();
- while( iter.hasNext() )
- {
- Group grp = (Group) iter.next();
- String name = grp.getName();
- if( name.equals("CallerPrincipal") )
- {
- Enumeration members = grp.members();
- if( members.hasMoreElements() )
- info.callerPrincipal = (Principal) members.nextElement();
- }
- }
-
- /* Handle null principals with no callerPrincipal. This is an indication
- of an user that has not provided any authentication info, but
- has been authenticated by the domain login module stack. Here we look
- for the first non-Group Principal and use that.
- */
- if( principal == null && info.callerPrincipal == null )
- {
- Set subjectPrincipals = subject.getPrincipals(Principal.class);
- iter = subjectPrincipals.iterator();
- while( iter.hasNext() )
- {
- Principal p = (Principal) iter.next();
- if( (p instanceof Group) == false )
- info.callerPrincipal = p;
- }
- }
-
- /* If the user already exists another login is active. Currently
- only one is allowed so remove the old and insert the new. Synchronize
- on the domainCache to ensure the removal and addition are an atomic
- operation so that getCacheInfo cannot see stale data.
- */
- synchronized( domainCache )
- {
- if( domainCache.peek(principal) != null )
- domainCache.remove(principal);
- domainCache.insert(principal, info);
- if( trace )
- log.trace("Inserted cache info: "+info);
- }
- return info.subject;
- }
-}
Deleted: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java 2007-05-10 04:16:04 UTC (rev 62957)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java 2007-05-10 04:19:06 UTC (rev 62958)
@@ -1,806 +0,0 @@
-/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
-package org.jboss.security.plugins;
-
-import java.lang.reflect.Constructor;
-import java.lang.reflect.InvocationHandler;
-import java.lang.reflect.Method;
-import java.lang.reflect.Proxy;
-import java.security.Principal;
-import java.util.Enumeration;
-import java.util.Hashtable;
-import java.util.Set;
-import java.util.List;
-import java.util.Map;
-import java.util.Iterator;
-import java.beans.PropertyEditorManager;
-
-import javax.naming.CommunicationException;
-import javax.naming.Context;
-import javax.naming.InitialContext;
-import javax.naming.Name;
-import javax.naming.NameClassPair;
-import javax.naming.NameParser;
-import javax.naming.NamingEnumeration;
-import javax.naming.NamingException;
-import javax.naming.OperationNotSupportedException;
-import javax.naming.RefAddr;
-import javax.naming.Reference;
-import javax.naming.StringRefAddr;
-import javax.naming.spi.ObjectFactory;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.Subject;
-import javax.security.jacc.PolicyContext;
-
-import org.jboss.logging.Logger;
-import org.jboss.security.AuthenticationManager;
-import org.jboss.security.AuthorizationManager;
-import org.jboss.security.SecurityAssociation;
-import org.jboss.security.SecurityConstants;
-import org.jboss.security.SecurityProxyFactory;
-import org.jboss.security.SecurityDomain;
-import org.jboss.security.auth.callback.CallbackHandlerPolicyContextHandler;
-import org.jboss.security.jacc.SubjectPolicyContextHandler;
-import org.jboss.security.propertyeditor.PrincipalEditor;
-import org.jboss.security.propertyeditor.SecurityDomainEditor;
-import org.jboss.system.ServiceMBeanSupport;
-import org.jboss.util.CachePolicy;
-import org.jboss.util.TimedCachePolicy;
-import EDU.oswego.cs.dl.util.concurrent.ConcurrentReaderHashMap;
-
-/**
- * This is a JMX service which manages JAAS based SecurityManagers.
- * JAAS SecurityManagers are responsible for validating credentials
- * associated with principals. The service defaults to the
- * org.jboss.security.plugins.JaasSecurityManager implementation but
- * this can be changed via the securityManagerClass property.
- *
- * @see JaasSecurityManager
- * @see org.jboss.security.SubjectSecurityManager
- *
- * @author <a href="on at ibis.odessa.ua">Oleg Nitz</a>
- * @author <a href="rickard at telkel.com">Rickard Oberg</a>
- * @author <a href="mailto:Scott.Stark at jboss.org">Scott Stark</a>
- * @version $Revision$
- */
-public class JaasSecurityManagerService
- extends ServiceMBeanSupport
- implements JaasSecurityManagerServiceMBean
-{
- private static final String SECURITY_MGR_PATH = "java:/jaas";
- private static final String DEFAULT_CACHE_POLICY_PATH = "java:/timedCacheFactory";
- /** The log4j interface */
- private static Logger log;
- /** The class that provides the security manager implementation */
- private static String securityMgrClassName = "org.jboss.security.plugins.JaasSecurityManager";
- /** The loaded securityMgrClassName */
- private static Class securityMgrClass = JaasSecurityManager.class;
- /** The JAAS CallbackHandler interface implementation to use */
- private static String callbackHandlerClassName = "org.jboss.security.auth.callback.SecurityAssociationHandler";
- private static Class callbackHandlerClass = org.jboss.security.auth.callback.SecurityAssociationHandler.class;
-
- /** The location of the security credential cache policy. This is first treated
- as a ObjectFactory location that is capable of returning CachePolicy instances
- on a per security domain basis by appending a '/security-domain-name' string
- to this name when looking up the CachePolicy for a domain. If this fails then
- the location is treated as a single CachePolicy for all security domains.
- */
- private static String cacheJndiName = DEFAULT_CACHE_POLICY_PATH;
- private static int defaultCacheTimeout = 30*60;
- private static int defaultCacheResolution = 60;
- /** The class that provides the SecurityProxyFactory implementation */
- private static String securityProxyFactoryClassName = "org.jboss.security.SubjectSecurityProxyFactory";
- private static Class securityProxyFactoryClass = org.jboss.security.SubjectSecurityProxyFactory.class;
- /** A mapping from security domain name to a SecurityDomainContext object */
- private static ConcurrentReaderHashMap securityDomainCtxMap = new ConcurrentReaderHashMap();
- private static NameParser parser;
- /** A flag indicating if the SecurityAssociation.setServer should be called */
- private boolean serverMode = true;
- /** A flag indicating if the Deep Copy of Subject Sets should be enabled in the security managers */
- private static boolean deepCopySubjectMode = false;
-
- /** The default unauthenticated principal */
- private static String defaultUnauthenticatedPrincipal = "Unauthenticated Principal";
-
- static
- {
- // Get a log interface, required for some statics below
- // can not use instance field inherited from ServiceMBeanSupport
- log = Logger.getLogger(JaasSecurityManagerService.class);
-
- }
-
- /** The constructor does nothing as the security manager is created
- on each lookup into java:/jaas/xxx. This is also why all variables
- in this class are static.
- */
- public JaasSecurityManagerService()
- {
- }
-
- public boolean getServerMode()
- {
- return serverMode;
- }
- public void setServerMode(boolean mode)
- {
- this.serverMode = mode;
- }
-
- public String getSecurityManagerClassName()
- {
- return securityMgrClassName;
- }
- public void setSecurityManagerClassName(String className)
- throws ClassNotFoundException, ClassCastException
- {
- securityMgrClassName = className;
- ClassLoader loader = Thread.currentThread().getContextClassLoader();
- securityMgrClass = loader.loadClass(securityMgrClassName);
- if( AuthenticationManager.class.isAssignableFrom(securityMgrClass) == false )
- throw new ClassCastException(securityMgrClass+" does not implement "+AuthenticationManager.class);
- }
- public String getSecurityProxyFactoryClassName()
- {
- return securityProxyFactoryClassName;
- }
- public void setSecurityProxyFactoryClassName(String className)
- throws ClassNotFoundException
- {
- securityProxyFactoryClassName = className;
- ClassLoader loader = Thread.currentThread().getContextClassLoader();
- securityProxyFactoryClass = loader.loadClass(securityProxyFactoryClassName);
- }
-
- /** Get the default CallbackHandler implementation class name
- *
- * @return The fully qualified classname of the
- */
- public String getCallbackHandlerClassName()
- {
- return JaasSecurityManagerService.callbackHandlerClassName;
- }
- /** Set the default CallbackHandler implementation class name
- * @see javax.security.auth.callback.CallbackHandler
- */
- public void setCallbackHandlerClassName(String className)
- throws ClassNotFoundException
- {
- callbackHandlerClassName = className;
- ClassLoader loader = Thread.currentThread().getContextClassLoader();
- callbackHandlerClass = loader.loadClass(callbackHandlerClassName);
- }
-
- /** Get the jndi name under which the authentication cache policy is found
- */
- public String getAuthenticationCacheJndiName()
- {
- return cacheJndiName;
- }
- /** Set the jndi name under which the authentication cache policy is found
- */
- public void setAuthenticationCacheJndiName(String jndiName)
- {
- cacheJndiName = jndiName;
- }
- /** Get the default timed cache policy timeout.
- @return the default cache timeout in seconds.
- */
- public int getDefaultCacheTimeout()
- {
- return defaultCacheTimeout;
- }
- /** Set the default timed cache policy timeout. This has no affect if the
- AuthenticationCacheJndiName has been changed from the default value.
- @param timeoutInSecs - the cache timeout in seconds.
- */
- public void setDefaultCacheTimeout(int timeoutInSecs)
- {
- defaultCacheTimeout = timeoutInSecs;
- }
- /** Get the default timed cache policy resolution.
- */
- public int getDefaultCacheResolution()
- {
- return defaultCacheResolution;
- }
- /** Set the default timed cache policy resolution. This has no affect if the
- AuthenticationCacheJndiName has been changed from the default value.
- @param resInSecs - resolution of timeouts in seconds.
- */
- public void setDefaultCacheResolution(int resInSecs)
- {
- defaultCacheResolution = resInSecs;
- }
-
- /**
- * @see JaasSecurityManagerServiceMBean#getDeepCopySubjectMode()
- */
- public boolean getDeepCopySubjectMode()
- {
- return deepCopySubjectMode;
- }
-
- /**
- * @see JaasSecurityManagerServiceMBean#getDeepCopySubjectMode()
- */
- public void setDeepCopySubjectMode(boolean flag)
- {
- log.debug("setDeepCopySubjectMode="+flag);
- deepCopySubjectMode = flag;
- //Update the security managers if already present
- if(securityDomainCtxMap.isEmpty() == false)
- {
- Iterator iter = securityDomainCtxMap.keySet().iterator();
- while(iter.hasNext())
- {
- String securityDomainName = (String)iter.next();
- SecurityDomainContext sdc = (SecurityDomainContext)securityDomainCtxMap.get(securityDomainName);
- setDeepCopySubjectOption(sdc.securityMgr, flag);
- }
- }
- }
-
- /** Set the indicated security domain cache timeout. This only has an
- effect if the security domain is using the default jboss TimedCachePolicy
- implementation.
-
- @param securityDomain the name of the security domain cache
- @param timeoutInSecs - the cache timeout in seconds.
- @param resInSecs - resolution of timeouts in seconds.
- */
- public void setCacheTimeout(String securityDomain, int timeoutInSecs, int resInSecs)
- {
- CachePolicy cache = getCachePolicy(securityDomain);
- if( cache != null && cache instanceof TimedCachePolicy )
- {
- TimedCachePolicy tcp = (TimedCachePolicy) cache;
- synchronized( tcp )
- {
- tcp.setDefaultLifetime(timeoutInSecs);
- tcp.setResolution(resInSecs);
- }
- }
- else
- {
- log.warn("Failed to find cache policy for securityDomain='"
- + securityDomain + "'");
- }
- }
-
- /** flush the cache policy for the indicated security domain if one exists.
- * @param securityDomain the name of the security domain cache
- */
- public void flushAuthenticationCache(String securityDomain)
- {
- CachePolicy cache = getCachePolicy(securityDomain);
- if( cache != null )
- {
- cache.flush();
- }
- else
- {
- log.warn("Failed to find cache policy for securityDomain='"
- + securityDomain + "'");
- }
- }
-
- /** Flush a principal's authentication cache entry associated with the
- * given securityDomain.
- *
- * @param securityDomain the name of the security domain cache
- * @param user the principal of the user to flush
- */
- public void flushAuthenticationCache(String securityDomain, Principal user)
- {
- CachePolicy cache = getCachePolicy(securityDomain);
- if( cache != null )
- {
- cache.remove(user);
- }
- else
- {
- log.warn("Failed to find cache policy for securityDomain='"
- + securityDomain + "'");
- }
- }
-
- /** Return the active principals in the indicated security domain auth cache.
- * @param securityDomain the name of the security to lookup the cache for
- * @return List<Principal> of active keys found in the auth cache if
- * the cache exists and is accessible, null otherwise.
- */
- public List getAuthenticationCachePrincipals(String securityDomain)
- {
- CachePolicy cache = getCachePolicy(securityDomain);
- List validPrincipals = null;
- if( cache instanceof TimedCachePolicy )
- {
- TimedCachePolicy tcache = (TimedCachePolicy) cache;
- validPrincipals = tcache.getValidKeys();
- }
- return validPrincipals;
- }
-
-// Begin SecurityManagerMBean interface methods
- public boolean isValid(String securityDomain, Principal principal, Object credential)
- {
- boolean isValid = false;
- try
- {
- SecurityDomainContext sdc = lookupSecurityDomain(securityDomain);
- isValid = sdc.getSecurityManager().isValid(principal, credential, null);
- }
- catch(NamingException e)
- {
- log.debug("isValid("+securityDomain+") failed", e);
- }
- return isValid;
- }
-
- public Principal getPrincipal(String securityDomain, Principal principal)
- {
- Principal realmPrincipal = null;
- try
- {
- SecurityDomainContext sdc = lookupSecurityDomain(securityDomain);
- realmPrincipal = sdc.getRealmMapping().getPrincipal(principal);
- }
- catch(NamingException e)
- {
- log.debug("getPrincipal("+securityDomain+") failed", e);
- }
- return realmPrincipal;
- }
-
- public boolean doesUserHaveRole(String securityDomain, Principal principal,
- Object credential, Set roles)
- {
- boolean doesUserHaveRole = false;
- try
- {
- SecurityDomainContext sdc = lookupSecurityDomain(securityDomain);
- // Must first validate the user
- Subject subject = new Subject();
- boolean isValid = sdc.getSecurityManager().isValid(principal, credential, subject);
- if( isValid )
- {
- // Now can query if the authenticated Subject has the role
- SubjectActions.pushSubjectContext(principal, credential, subject,
- sdc.getSecurityManager().getSecurityDomain());
- doesUserHaveRole = sdc.getRealmMapping().doesUserHaveRole(principal, roles);
- SubjectActions.popSubjectContext();
- }
- }
- catch(NamingException e)
- {
- log.debug("doesUserHaveRole("+securityDomain+") failed", e);
- }
- return doesUserHaveRole;
- }
-
- public Set getUserRoles(String securityDomain, Principal principal, Object credential)
- {
- Set userRoles = null;
- try
- {
- SecurityDomainContext sdc = lookupSecurityDomain(securityDomain);
- // Must first validate the user
- Subject subject = new Subject();
- boolean isValid = sdc.getSecurityManager().isValid(principal, credential, subject);
- // Now can query if the authenticated Subject has the role
- if( isValid )
- {
- SubjectActions.pushSubjectContext(principal, credential, subject,
- sdc.getSecurityManager().getSecurityDomain() );
- userRoles = sdc.getRealmMapping().getUserRoles(principal);
- SubjectActions.popSubjectContext();
- }
- }
- catch(NamingException e)
- {
- log.debug("getUserRoles("+securityDomain+") failed", e);
- }
- return userRoles;
- }
-// End SecurityManagerMBean interface methods
-
- protected void startService() throws Exception
- {
- // use thread-local principal and credential propagation
- if (serverMode)
- SecurityAssociation.setServer();
-
- // Register the default active Subject PolicyContextHandler
- SubjectPolicyContextHandler handler = new SubjectPolicyContextHandler();
- PolicyContext.registerHandler(SecurityConstants.SUBJECT_CONTEXT_KEY,
- handler, true);
- // Register the JAAS CallbackHandler JACC PolicyContextHandlers
- CallbackHandlerPolicyContextHandler chandler = new CallbackHandlerPolicyContextHandler();
- PolicyContext.registerHandler(CallbackHandlerPolicyContextHandler.CALLBACK_HANDLER_KEY,
- chandler, false);
-
- Context ctx = new InitialContext();
- parser = ctx.getNameParser("");
-
- /* Create a mapping from the java:/jaas context to a SecurityDomainObjectFactory
- so that any lookup against java:/jaas/domain returns an instance of our
- security manager class.
- */
- RefAddr refAddr = new StringRefAddr("nns", "JSM");
- String factoryName = SecurityDomainObjectFactory.class.getName();
- Reference ref = new Reference("javax.naming.Context", refAddr, factoryName, null);
- ctx.rebind(SECURITY_MGR_PATH, ref);
- log.debug("securityMgrCtxPath="+SECURITY_MGR_PATH);
-
- refAddr = new StringRefAddr("nns", "JSMCachePolicy");
- factoryName = DefaultCacheObjectFactory.class.getName();
- ref = new Reference("javax.naming.Context", refAddr, factoryName, null);
- ctx.rebind(DEFAULT_CACHE_POLICY_PATH, ref);
- log.debug("cachePolicyCtxPath="+cacheJndiName);
-
- // Bind the default SecurityProxyFactory instance under java:/SecurityProxyFactory
- SecurityProxyFactory proxyFactory = (SecurityProxyFactory) securityProxyFactoryClass.newInstance();
- ctx.bind("java:/SecurityProxyFactory", proxyFactory);
- log.debug("SecurityProxyFactory="+proxyFactory);
-
- // Register the Principal property editor
- PropertyEditorManager.registerEditor(Principal.class, PrincipalEditor.class);
- PropertyEditorManager.registerEditor(SecurityDomain.class, SecurityDomainEditor.class);
- log.debug("Registered PrincipalEditor, SecurityDomainEditor");
-
- log.debug("ServerMode="+this.serverMode);
- log.debug("SecurityMgrClass="+JaasSecurityManagerService.securityMgrClass);
- log.debug("CallbackHandlerClass="+JaasSecurityManagerService.callbackHandlerClass);
- }
-
- protected void stopService() throws Exception
- {
- InitialContext ic = new InitialContext();
-
- try
- {
- ic.unbind(SECURITY_MGR_PATH);
- }
- catch(CommunicationException e)
- {
- // Do nothing, the naming services is already stopped
- }
- finally
- {
- ic.close();
- }
- }
-
- /** Register a SecurityDomain implmentation. This is synchronized to ensure
- * that the binding of the security domain and cache population is atomic.
- * @param securityDomain the name of the security domain
- * @param instance the SecurityDomain instance to bind
- */
- public synchronized void registerSecurityDomain(String securityDomain, SecurityDomain instance)
- {
- log.debug("Added "+securityDomain+", "+instance+" to map");
- CachePolicy authCache = lookupCachePolicy(securityDomain);
-
- SecurityDomainContext sdc = new SecurityDomainContext(instance, authCache);
- sdc.setAuthorizationManager(AuthorizationManagerService.newAuthorizationManager(securityDomain));
- securityDomainCtxMap.put(securityDomain, sdc);
- // See if the security mgr supports an externalized cache policy
- setSecurityDomainCache(instance, authCache);
- }
-
- /** Access the CachePolicy for the securityDomain.
- * @param securityDomain the name of the security domain
- * @return The CachePolicy if found, null otherwise.
- */
- private static CachePolicy getCachePolicy(String securityDomain)
- {
- if( securityDomain.startsWith(SECURITY_MGR_PATH) )
- securityDomain = securityDomain.substring(SECURITY_MGR_PATH.length()+1);
- CachePolicy cache = null;
- try
- {
- SecurityDomainContext sdc = lookupSecurityDomain(securityDomain);
- if( sdc != null )
- cache = sdc.getAuthenticationCache();
- }
- catch(NamingException e)
- {
- log.debug("getCachePolicy("+securityDomain+") failure", e);
- }
- return cache;
- }
-
- /** Lookup the authentication CachePolicy object for a security domain. This
- method first treats the cacheJndiName as a ObjectFactory location that is
- capable of returning CachePolicy instances on a per security domain basis
- by appending a '/security-domain-name' string to the cacheJndiName when
- looking up the CachePolicy for a domain. If this fails then the cacheJndiName
- location is treated as a single CachePolicy for all security domains.
- */
- static CachePolicy lookupCachePolicy(String securityDomain)
- {
- CachePolicy authCache = null;
- String domainCachePath = cacheJndiName + '/' + securityDomain;
- try
- {
- InitialContext iniCtx = new InitialContext();
- authCache = (CachePolicy) iniCtx.lookup(domainCachePath);
- }
- catch(Exception e)
- {
- // Failed, treat the cacheJndiName name as a global CachePolicy binding
- try
- {
- InitialContext iniCtx = new InitialContext();
- authCache = (CachePolicy) iniCtx.lookup(cacheJndiName);
- }
- catch(Exception e2)
- {
- log.warn("Failed to locate auth CachePolicy at: "+cacheJndiName
- + " for securityDomain="+securityDomain);
- }
- }
- return authCache;
- }
-
- /** Use reflection to attempt to set the authentication cache on the
- * securityMgr argument.
- * @param securityMgr the security manager
- * @param cachePolicy the cache policy implementation
- */
- private static void setSecurityDomainCache(AuthenticationManager securityMgr,
- CachePolicy cachePolicy)
- {
- try
- {
- Class[] setCachePolicyTypes = {CachePolicy.class};
- Method m = securityMgrClass.getMethod("setCachePolicy", setCachePolicyTypes);
- Object[] setCachePolicyArgs = {cachePolicy};
- m.invoke(securityMgr, setCachePolicyArgs);
- log.debug("setCachePolicy, c="+setCachePolicyArgs[0]);
- }
- catch(Exception e2)
- {
- if(log.isTraceEnabled())
- log.trace("Optional setCachePolicy failed" + e2.getLocalizedMessage());
- }
- }
-
- /** Use reflection to attempt to set the DeepCopySubject on the
- * securityMgr argument.
- * @param securityMgr the security manager
- * @param flag deep copy subject option
- */
- private static void setDeepCopySubjectOption(AuthenticationManager securityMgr,
- boolean flag)
- {
- Boolean bValue = flag ? Boolean.TRUE : Boolean.FALSE;
- try
- {
- Class[] setDeepCopySubjTypes = {Boolean.class};
- Method m = securityMgrClass.getMethod("setDeepCopySubjectOption", setDeepCopySubjTypes);
- Object[] setDeepCopySubjectOptionArgs = {bValue};
- m.invoke(securityMgr, setDeepCopySubjectOptionArgs);
- log.debug("setDeepCopySubjectOption, c="+setDeepCopySubjectOptionArgs[0]);
- }
- catch(Exception e2)
- { // No setDeepCopySubjectOption support, this is ok
- log.debug("setDeepCopySubjectOption failed", e2);
- }
- }
-
- /** Lookup or create the SecurityDomainContext for securityDomain.
- * @param securityDomain
- * @return the SecurityDomainContext for securityDomain
- * @throws NamingException
- */
- private synchronized static SecurityDomainContext lookupSecurityDomain(String securityDomain)
- throws NamingException
- {
- SecurityDomainContext securityDomainCtx = (SecurityDomainContext) securityDomainCtxMap.get(securityDomain);
- if( securityDomainCtx == null )
- {
- securityDomainCtx = newSecurityDomainCtx(securityDomain);
- securityDomainCtxMap.put(securityDomain, securityDomainCtx);
- log.debug("Added "+securityDomain+", "+securityDomainCtx+" to map");
- }
- return securityDomainCtx;
- }
-
- /** Create a new SecurityDomainContext for securityDomain. This is
- * synchronized to ensure that the creation and setting of the domain
- * cache are atomic.
- * @param securityDomain
- * @return the SecurityDomainContext for securityDomain
- * @throws NamingException
- */
- private synchronized static SecurityDomainContext newSecurityDomainCtx(String securityDomain)
- throws NamingException
- {
- SecurityDomainContext sdc = null;
- try
- {
- // Create instance of securityMgrClass
- Class[] parameterTypes = {String.class, CallbackHandler.class};
- Constructor ctor = securityMgrClass.getConstructor(parameterTypes);
- CallbackHandler handler = (CallbackHandler) callbackHandlerClass.newInstance();
- Object[] args = {securityDomain, handler};
- AuthenticationManager securityMgr = (AuthenticationManager) ctor.newInstance(args);
- log.debug("Created securityMgr="+securityMgr);
- CachePolicy cachePolicy = lookupCachePolicy(securityDomain);
- sdc = new SecurityDomainContext(securityMgr, cachePolicy);
- // See if the security mgr supports an externalized cache policy
- setSecurityDomainCache(securityMgr, cachePolicy);
- if(deepCopySubjectMode)
- setDeepCopySubjectOption(securityMgr, true);
- //Set the Authorization Manager
- AuthorizationManager am = AuthorizationManagerService.newAuthorizationManager(securityDomain);
- sdc.setAuthorizationManager(am);
- }
- catch(Exception e2)
- {
- String msg = "Failed to create sec mgr('"+securityDomain+"'), securityMgrClass="
- +securityMgrClass +", callbackHandlerClass="
- +callbackHandlerClass;
- NamingException ne = new NamingException(msg);
- ne.setRootCause(e2);
- throw ne;
- }
- return sdc;
- }
-
- /**
- * Get the default unauthenticated principal.
- * @return The principal name
- */
- public String getDefaultUnauthenticatedPrincipal()
- {
- return defaultUnauthenticatedPrincipal;
- }
-
- /**
- * Set the default unauthenticated principal.
- * @param principal The principal name
- */
- public void setDefaultUnauthenticatedPrincipal(String principal)
- {
- defaultUnauthenticatedPrincipal = principal;
- }
-
- // java:/jaas context ObjectFactory implementation
-
- public static class SecurityDomainObjectFactory
- implements InvocationHandler, ObjectFactory
- {
- /** Object factory implementation. This method returns a Context proxy
- that is only able to handle a lookup operation for an atomic name of
- a security domain.
- */
- public Object getObjectInstance(Object obj, Name name, Context nameCtx,
- Hashtable environment)
- throws Exception
- {
- ClassLoader loader = SubjectActions.getContextClassLoader();
- Class[] interfaces = {Context.class};
- Context ctx = (Context) Proxy.newProxyInstance(loader, interfaces, this);
- return ctx;
- }
-
-
- /** This is the InvocationHandler callback for the Context interface that
- was created by out getObjectInstance() method. We handle the java:/jaas/domain
- level operations here.
- */
- public Object invoke(Object obj, Method method, Object[] args) throws Throwable
- {
- String methodName = method.getName();
- if( methodName.equals("toString") == true )
- return SECURITY_MGR_PATH + " Context proxy";
- if( methodName.equals("list") == true )
- return new DomainEnumeration(securityDomainCtxMap.keys(), securityDomainCtxMap);
-
- if( methodName.equals("lookup") == false )
- throw new OperationNotSupportedException("Only lookup is supported, op="+method);
- String securityDomain = null;
- Name name = null;
- if( args[0] instanceof String )
- name = parser.parse((String) args[0]);
- else
- name = (Name)args[0];
- securityDomain = name.get(0);
- SecurityDomainContext securityDomainCtx = lookupSecurityDomain(securityDomain);
- Object binding = securityDomainCtx.getSecurityManager();
- // Look for requests against the security domain context
- if( name.size() == 2 )
- {
- String request = name.get(1);
- binding = securityDomainCtx.lookup(request);
- }
- return binding;
- }
- }
- static class DomainEnumeration implements NamingEnumeration
- {
- Enumeration domains;
- Map ctxMap;
- DomainEnumeration(Enumeration domains, Map ctxMap)
- {
- this.domains = domains;
- this.ctxMap = ctxMap;
- }
-
- public void close()
- {
- }
- public boolean hasMoreElements()
- {
- return domains.hasMoreElements();
- }
- public boolean hasMore()
- {
- return domains.hasMoreElements();
- }
- public Object next()
- {
- String name = (String) domains.nextElement();
- Object value = ctxMap.get(name);
- String className = value.getClass().getName();
- NameClassPair pair = new NameClassPair(name, className);
- return pair;
- }
- public Object nextElement()
- {
- return domains.nextElement();
- }
- }
-
- /** java:/timedCacheFactory ObjectFactory implementation
- */
- public static class DefaultCacheObjectFactory implements InvocationHandler, ObjectFactory
- {
- /** Object factory implementation. This method returns a Context proxy
- that is only able to handle a lookup operation for an atomic name of
- a security domain.
- */
- public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable environment)
- throws Exception
- {
- ClassLoader loader = Thread.currentThread().getContextClassLoader();
- Class[] interfaces = {Context.class};
- Context ctx = (Context) Proxy.newProxyInstance(loader, interfaces, this);
- return ctx;
- }
- /** This is the InvocationHandler callback for the Context interface that
- was created by out getObjectInstance() method. All this does is create
- a new TimedCache instance.
- */
- public Object invoke(Object obj, Method method, Object[] args) throws Throwable
- {
- TimedCachePolicy cachePolicy = new TimedCachePolicy(defaultCacheTimeout,
- true, defaultCacheResolution);
- cachePolicy.create();
- cachePolicy.start();
- return cachePolicy;
- }
- }
-}
Deleted: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManagerServiceMBean.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManagerServiceMBean.java 2007-05-10 04:16:04 UTC (rev 62957)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/JaasSecurityManagerServiceMBean.java 2007-05-10 04:19:06 UTC (rev 62958)
@@ -1,195 +0,0 @@
-/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
-package org.jboss.security.plugins;
-
-import java.security.Principal;
-import java.util.List;
-import javax.management.ObjectName;
-
-import org.jboss.mx.util.ObjectNameFactory;
-import org.jboss.security.SecurityDomain;
-import org.jboss.system.ServiceMBean;
-
-/**
- * The management interface for the JaasSecurityManagerService mbean.
- *
- * @author Scott.Stark at jboss.org
- * @version $Revision$
- */
-public interface JaasSecurityManagerServiceMBean
- extends ServiceMBean, SecurityManagerMBean
-{
- ObjectName OBJECT_NAME = ObjectNameFactory.create("jboss.security:service=JaasSecurityManager");
-
- /** A flag indicating if the Deep Copy of Subject Sets should be enabled in the security managers */
- public boolean getDeepCopySubjectMode();
-
- /**
- * A flag indicating if the Deep Copy of Subject Sets should be enabled in the security managers
- *
- * @param flag
- */
- public void setDeepCopySubjectMode(boolean flag);
-
- /**
- * A flag indicating if the SecurityAssociation.setServer should be called
- * on service startup.
- * @return the SecurityAssociation.setServer flag.
- */
- public boolean getServerMode();
-
- /**
- * The SecurityAssociation server mode flag.
- *
- * @param flag - A flag indicating if the SecurityAssociation.setServer
- * should be called on service startup.
- */
- public void setServerMode(boolean flag);
-
- /**
- * Get the name of the class that provides the security manager implementation.
- */
- String getSecurityManagerClassName();
-
- /**
- * Set the name of the class that provides the security manager implementation.
- *
- * @exception ClassNotFoundException thrown if the className cannot be found
- * using the thread context class loader.
- * @exception ClassCastException thrown if the className does not implement the
- * org.jboss.security.AuthenticationManager interface.
- */
- void setSecurityManagerClassName(String className)
- throws ClassNotFoundException, ClassCastException;
-
- /**
- * Get the name of the class that provides the SecurityProxyFactory implementation.
- */
- String getSecurityProxyFactoryClassName();
-
- /**
- * Set the name of the class that provides the SecurityProxyFactory implementation.
- */
- void setSecurityProxyFactoryClassName(String className)
- throws ClassNotFoundException;
-
- /** Get the default CallbackHandler implementation class name
- *
- * @return The fully qualified classname of the
- */
- public String getCallbackHandlerClassName();
- /** Set the default CallbackHandler implementation class name
- * @see javax.security.auth.callback.CallbackHandler
- */
- public void setCallbackHandlerClassName(String className)
- throws ClassNotFoundException;
-
- /**
- * Get the jndi name under which the authentication CachePolicy implenentation
- * is found
- */
- String getAuthenticationCacheJndiName();
-
- /**
- * Set the location of the security credential cache policy. This is first treated
- * as a ObjectFactory location that is capable of returning CachePolicy instances
- * on a per security domain basis by appending a '/security-domain-name' string
- * to this name when looking up the CachePolicy for a domain. If this fails then
- * the location is treated as a single CachePolicy for all security domains.
- *
- * @param jndiName the name to the ObjectFactory or CachePolicy binding.
- */
- void setAuthenticationCacheJndiName(String jndiName);
-
- /**
- * Get the default timed cache policy timeout.
- * @return the default cache timeout in seconds.
- */
- int getDefaultCacheTimeout();
-
- /**
- * Set the default timed cache policy timeout. This has no affect if the
- * AuthenticationCacheJndiName has been changed from the default value.
- * @param timeoutInSecs the cache timeout in seconds.
- */
- void setDefaultCacheTimeout(int timeoutInSecs);
-
- /**
- * Get the default timed cache policy resolution.
- */
- int getDefaultCacheResolution();
-
- /**
- * Set the default timed cache policy resolution. This has no affect if the
- * AuthenticationCacheJndiName has been changed from the default value.
- *
- * @param resInSecs resolution of timeouts in seconds.
- */
- void setDefaultCacheResolution(int resInSecs);
-
- /** Set the indicated security domain cache timeout. This only has an
- * effect if the security domain is using the default jboss TimedCachePolicy
- * implementation.
-
- @param securityDomain the name of the security domain cache
- @param timeoutInSecs - the cache timeout in seconds.
- @param resInSecs - resolution of timeouts in seconds.
- */
- public void setCacheTimeout(String securityDomain, int timeoutInSecs, int resInSecs);
-
- /** Flush the authentication cache associated with the given securityDomain.
- *
- * @param securityDomain the name of the security domain cache
- */
- void flushAuthenticationCache(String securityDomain);
-
- /** Flush a principal's authentication cache entry associated with the
- * given securityDomain.
- *
- * @param securityDomain the name of the security domain cache
- * @param user the principal of the user to flush
- */
- void flushAuthenticationCache(String securityDomain, Principal user);
-
- /** The the list of active Principls for the given security domain
- * @param securityDomain
- * @return List<Princpals> of active users, may be null.
- */
- List getAuthenticationCachePrincipals(String securityDomain);
-
- /**
- * Register a SecurityDomain implmentation
- */
- void registerSecurityDomain(String securityDomain, SecurityDomain instance);
-
- /**
- * Get the default unauthenticated principal.
- * @return The principal name
- */
- String getDefaultUnauthenticatedPrincipal();
-
- /**
- * Set the default unauthenticated principal.
- * @param principal The principal name
- */
- void setDefaultUnauthenticatedPrincipal(String principal);
-}
Deleted: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityConfig.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityConfig.java 2007-05-10 04:16:04 UTC (rev 62957)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityConfig.java 2007-05-10 04:19:06 UTC (rev 62958)
@@ -1,157 +0,0 @@
-/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
-package org.jboss.security.plugins;
-
-import java.util.Stack;
-import javax.management.JMException;
-import javax.management.MalformedObjectNameException;
-import javax.management.MBeanServer;
-import javax.management.ObjectName;
-import javax.security.auth.login.Configuration;
-
-import org.jboss.system.ServiceMBeanSupport;
-
-/** The SecurityConfigMBean implementation. This class needs the
- javax.security.auth.AuthPermission("setLoginConfiguration") to install
- the javax.security.auth.login.Configuration when running with a security
- manager.
-
- @author Scott.Stark at jboss.org
- @version $Revision$
- */
-public class SecurityConfig extends ServiceMBeanSupport
- implements SecurityConfigMBean
-{
- // Constants -----------------------------------------------------
-
- // Attributes ----------------------------------------------------
- /** The default Configuration mbean name */
- private String loginConfigName;
- /** The stack of Configuration mbeans that are active */
- private Stack loginConfigStack = new Stack();
-
- static class ConfigInfo
- {
- ObjectName name;
- Configuration config;
- ConfigInfo(ObjectName name, Configuration config)
- {
- this.name = name;
- this.config = config;
- }
- }
-
- public SecurityConfig()
- {
- }
-
- public String getName()
- {
- return "SecurityIntialization";
- }
-
- /** Get the name of the mbean that provides the default JAAS login configuration
- */
- public String getLoginConfig()
- {
- return loginConfigName;
- }
-
- /** Set the name of the mbean that provides the default JAAS login configuration
- */
- public void setLoginConfig(String name) throws MalformedObjectNameException
- {
- this.loginConfigName = name;
- }
-
- /** Start the configuration service by pushing the mbean given by the
- LoginConfig onto the configuration stack.
- */
- public void startService() throws Exception
- {
- pushLoginConfig(loginConfigName);
- }
-
- /** Start the configuration service by poping the top of the
- configuration stack.
- */
- public void stopService() throws Exception
- {
- if( loginConfigStack.empty() == false )
- popLoginConfig();
- }
-
- /** Push an mbean onto the login configuration stack and install its
- Configuration as the current instance.
- @see javax.security.auth.login.Configuration
- */
- public synchronized void pushLoginConfig(String objectName)
- throws JMException, MalformedObjectNameException
- {
- ObjectName name = new ObjectName(objectName);
- Configuration prevConfig = null;
- if( loginConfigStack.empty() == false )
- {
- ConfigInfo prevInfo = (ConfigInfo) loginConfigStack.peek();
- prevConfig = prevInfo.config;
- }
-
- ConfigInfo info = installConfig(name, prevConfig);
- loginConfigStack.push(info);
- }
- /** Pop the current mbean from the login configuration stack and install
- the previous Configuration as the current instance.
- @see javax.security.auth.login.Configuration
- */
- public synchronized void popLoginConfig()
- throws JMException
- {
- ConfigInfo info = (ConfigInfo) loginConfigStack.pop();
- Configuration prevConfig = null;
- if( loginConfigStack.empty() == false )
- {
- ConfigInfo prevInfo = (ConfigInfo) loginConfigStack.peek();
- prevConfig = prevInfo.config;
- }
-
- installConfig(info.name, prevConfig);
- }
-
- /** Obtain the Configuration from the named mbean using its getConfiguration
- operation and install it as the current Configuration.
-
- @see Configuration.setConfiguration(javax.security.auth.login.Configuration)
- */
- private ConfigInfo installConfig(ObjectName name, Configuration prevConfig)
- throws JMException
- {
- MBeanServer server = super.getServer();
- Object[] args = {prevConfig};
- String[] signature = {"javax.security.auth.login.Configuration"};
- Configuration config = (Configuration) server.invoke(name,
- "getConfiguration", args, signature);
- Configuration.setConfiguration(config);
- ConfigInfo info = new ConfigInfo(name, config);
- log.debug("Installed JAAS Configuration service="+name+", config="+config);
- return info;
- }
-}
Deleted: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityConfigMBean.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityConfigMBean.java 2007-05-10 04:16:04 UTC (rev 62957)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityConfigMBean.java 2007-05-10 04:19:06 UTC (rev 62958)
@@ -1,55 +0,0 @@
-/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
-package org.jboss.security.plugins;
-
-import javax.management.JMException;
-import javax.management.MalformedObjectNameException;
-
-import org.jboss.system.ServiceMBean;
-
-/** A security configuration MBean. This establishes the JAAS and Java2
- security properties and related configuration.
-
- @see DefaultLoginConfig
- @see javax.security.auth.login.Configuration
-
- at author Scott.Stark at jboss.org
- at version $Revision$
-*/
-public interface SecurityConfigMBean extends ServiceMBean
-{
- /** Get the name of the mbean that provides the default JAAS login configuration */
- public String getLoginConfig();
- /** Set the name of the mbean that provides the default JAAS login configuration */
- public void setLoginConfig(String objectName) throws MalformedObjectNameException;
- /** Push an mbean onto the login configuration stack and install its
- Configuration as the current instance.
- @see javax.security.auth.login.Configuration
- */
- public void pushLoginConfig(String objectName) throws JMException, MalformedObjectNameException;
- /** Pop the current mbean from the login configuration stack and install
- the previous Configuration as the current instance.
- @see javax.security.auth.login.Configuration
- */
- public void popLoginConfig() throws JMException;
-
-}
Deleted: projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityManagerMBean.java
===================================================================
--- projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityManagerMBean.java 2007-05-10 04:16:04 UTC (rev 62957)
+++ projects/security/security-jboss-sx/trunk/src/main/org/jboss/security/plugins/SecurityManagerMBean.java 2007-05-10 04:19:06 UTC (rev 62958)
@@ -1,83 +0,0 @@
-/*
-* JBoss, Home of Professional Open Source
-* Copyright 2005, JBoss Inc., and individual contributors as indicated
-* by the @authors tag. See the copyright.txt in the distribution for a
-* full listing of individual contributors.
-*
-* This is free software; you can redistribute it and/or modify it
-* under the terms of the GNU Lesser General Public License as
-* published by the Free Software Foundation; either version 2.1 of
-* the License, or (at your option) any later version.
-*
-* This software is distributed in the hope that it will be useful,
-* but WITHOUT ANY WARRANTY; without even the implied warranty of
-* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-* Lesser General Public License for more details.
-*
-* You should have received a copy of the GNU Lesser General Public
-* License along with this software; if not, write to the Free
-* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-*/
-package org.jboss.security.plugins;
-
-import java.security.Principal;
-import java.util.Set;
-
-/** An MBean interface that unifies the AuthenticationManager and RealmMapping
- * security interfaces implemented by a security manager for a given domain
- * and provides access to this functionality across all domains by including
- * the security domain name as a method argument.
- *
- * @author Scott.Stark at jboss.org
- * @version $Revision$
- */
-public interface SecurityManagerMBean
-{
-
- /** The isValid method is invoked to see if a user identity and associated
- credentials as known in the operational environment are valid proof of the
- user identity.
- @param securityDomain - the name of the security to use
- @param principal - the user identity in the operation environment
- @param credential - the proof of user identity as known in the
- operation environment
- @return true if the principal, credential pair is valid, false otherwise.
- */
- public boolean isValid(String securityDomain, Principal principal, Object credential);
-
- /** Map from the operational environment Principal to the application
- domain principal. This is used by the EJBContext.getCallerPrincipal implentation
- to map from the authenticated principal to a principal in the application
- domain.
- @param principal - the caller principal as known in the operation environment.
- @return the principal
- */
- public Principal getPrincipal(String securityDomain, Principal principal);
-
- /** Validates the application domain roles to which the operational
- environment Principal belongs. This may first authenticate the principal
- as some security manager impls require a preceeding isValid call.
- @param securityDomain - the name of the security to use
- @param principal - the user identity in the operation environment
- @param credential - the proof of user identity as known in the
- @param roles - Set<Principal> for the application domain roles that the
- principal is to be validated against.
- @return true if the principal has at least one of the roles in the roles set,
- false otherwise.
- */
- public boolean doesUserHaveRole(String securityDomain, Principal principal,
- Object credential, Set roles);
-
- /** Return the set of domain roles the principal has been assigned.
- This may first authenticate the principal as some security manager impls
- require a preceeding isValid call.
- @param securityDomain - the name of the security to use
- @param principal - the user identity in the operation environment
- @param credential - the proof of user identity as known in the
- @return The Set<Principal> for the application domain roles that the
- principal has been assigned.
- */
- public Set getUserRoles(String securityDomain, Principal principal,
- Object credential);
-}