[jboss-cvs] JBossAS SVN: r75512 - in branches/JBPAPP_4_2_0_GA_CP: testsuite/imports/sections and 9 other directories.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Tue Jul 8 19:17:37 EDT 2008


Author: darran.lofthouse at jboss.com
Date: 2008-07-08 19:17:37 -0400 (Tue, 08 Jul 2008)
New Revision: 75512

Added:
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/error.html
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/login.html
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/restricted/
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/restricted/restricted.html
   branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedSingleSignOn.java
Removed:
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/restricted/restricted.html
Modified:
   branches/JBPAPP_4_2_0_GA_CP/testsuite/build.xml
   branches/JBPAPP_4_2_0_GA_CP/testsuite/imports/sections/web.xml
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/main/org/jboss/test/web/servlets/ProgrammaticLoginTestServlet.java
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/main/org/jboss/test/web/test/WebProgrammaticLoginTestCase.java
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/test-configs/tomcat-sso/deploy/jboss-web.deployer/server.xml
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/WEB-INF/jboss-web.xml
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/WEB-INF/jbosstest-web.xml
   branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/application.xml
   branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationValve.java
   branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/login/WebAuthentication.java
   branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/service/sso/ClusteredSingleSignOn.java
Log:
[JBPAPP-851] WebAuthentication:Generate a SSOID.

Modified: branches/JBPAPP_4_2_0_GA_CP/testsuite/build.xml
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/build.xml	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/build.xml	2008-07-08 23:17:37 UTC (rev 75512)
@@ -610,7 +610,6 @@
     <include name="**/test/jmx/test/Secure*TestCase.class"/>
     <include name="**/test/perf/test/SecurePerfStressTestCase.class"/>
     <include name="**/test/timer/test/SecureTimerUnitTestCase.class"/>
-    <include name="**/test/web/test/WebProgrammaticLoginTestCase.class"/>
   </patternset>
   <patternset id="security.excludes">
     <exclude name="**/test/naming/test/Security*"/>
@@ -639,9 +638,11 @@
   <!-- Tests needing non-clustered tomcat SSO -->
   <patternset id="tc-sso.includes">
     <include name="org/jboss/test/web/test/SingleSignOnUnitTestCase.class"/>
+    <include name="org/jboss/test/web/test/WebProgrammaticLoginTestCase.class"/>
   </patternset>
   <patternset id="tc-sso.excludes">
     <exclude name="org/jboss/test/web/test/SingleSignOnUnitTestCase.class"/>
+    <exclude name="org/jboss/test/web/test/WebProgrammaticLoginTestCase.class"/>
   </patternset>
   <!-- Tests needing clustered tomcat SSO -->
   <patternset id="tc-sso-clustered.includes">

Modified: branches/JBPAPP_4_2_0_GA_CP/testsuite/imports/sections/web.xml
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/imports/sections/web.xml	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/imports/sections/web.xml	2008-07-08 23:17:37 UTC (rev 75512)
@@ -526,33 +526,31 @@
             includes="jboss-service.xml"/>
       </zip>
 
-     <!-- JBAS-4077: Programmatic Web Login -->
-    <war destfile="${build.lib}/programmaticweblogin.war"
-       webxml="${build.resources}/web/programmatic/WEB-INF/jbosstest-web.xml">
-         <webinf dir="${build.resources}/web/form-auth">
+      <!-- JBAS-4077: Programmatic Web Login -->
+      <war destfile="${build.lib}/programmaticweblogin.war"
+         webxml="${build.resources}/web/programmatic/WEB-INF/jbosstest-web.xml">
+         <webinf dir="${build.resources}/web/programmatic/WEB-INF">
             <include name="jboss-web.xml"/>
          </webinf>
          <classes dir="${build.classes}">
             <include name="org/jboss/test/web/servlets/Programm*Servlet.class"/>
          </classes>
-    </war>
-    <zip destfile="${build.lib}/programmaticweblogin.ear">
-         <zipfileset dir="${build.resources}/web/form-auth" prefix="META-INF">
-            <include name="jboss-app.xml"/>
-            <include name="security-config.xml"/>
-         </zipfileset>
+         <fileset dir="${build.resources}/web/programmatic">
+            <include name="restricted/*.html"/>
+            <include name="*.html"/>
+         </fileset>
+      </war>
+      <zip destfile="${build.lib}/programmaticweblogin.ear">
          <zipfileset dir="${build.resources}/web/programmatic" prefix="META-INF">
             <include name="application.xml"/>
          </zipfileset>
-         <zipfileset dir="${build.resources}/web"
-            fullpath="form-auth-users.properties"
-            includes="users.properties"/>
-         <zipfileset dir="${build.resources}/web"
-            fullpath="form-auth-roles.properties"
-            includes="roles.properties"/>
-         <zipfileset dir="${build.lib}" includes="programmatic*.war"/>
-         <zipfileset dir="${build.resources}/web/form-auth"
-            includes="jboss-service.xml"/>
+         <zipfileset dir="${build.resources}/web">
+            <include name="users.properties"/>
+            <include name="roles.properties"/>
+         </zipfileset>
+         <zipfileset dir="${build.lib}" includes="programmaticweblogin.war"/>
+         <zipfileset dir="${build.lib}" includes="sso-form-auth.war"/>
+         <zipfileset dir="${build.lib}" includes="jbosstest-web-ejbs.jar"/>
       </zip>
 
       <!-- JBAS-3162 Root Context Tests -->

Modified: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/main/org/jboss/test/web/servlets/ProgrammaticLoginTestServlet.java
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/src/main/org/jboss/test/web/servlets/ProgrammaticLoginTestServlet.java	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/src/main/org/jboss/test/web/servlets/ProgrammaticLoginTestServlet.java	2008-07-08 23:17:37 UTC (rev 75512)
@@ -47,25 +47,38 @@
    protected void service(HttpServletRequest request, HttpServletResponse response) 
    throws ServletException, IOException
    {  
+      String operation = request.getParameter("operation");
       String username = request.getParameter("username");
       String pass = request.getParameter("pass");
-       
+
+      if("login".equals(operation))
+         this.login(request, username, pass);
+      else if("logout".equals(operation))
+         this.logout(request);
+      else
+         throw new ServletException("Unrecognized operation: " + operation);
+   }
+
+   private void login(HttpServletRequest request, String username, String pass)
+   throws ServletException
+   {
       if(username == null || pass == null)
-            throw new RuntimeException("username or password is null");
-      WebAuthentication pwl = new WebAuthentication(); 
-      pwl.login(username, pass);  
-       
-      //Only when there is web login, does the principal be visible
-      log("User Principal="+request.getUserPrincipal());
-      log("isUserInRole(Authorized User)="+request.isUserInRole("AuthorizedUser"));
+         throw new RuntimeException("username or password is null");
+      WebAuthentication pwl = new WebAuthentication();
+      pwl.login(username, pass);
+
+      //Only when there is web login, does the principal become visible
+      log("User Principal=" + request.getUserPrincipal());
+      log("isUserInRole(Authorized User)=" + request.isUserInRole("AuthorizedUser"));
       if(request.getUserPrincipal() == null || !request.isUserInRole("AuthorizedUser"))
          throw new ServletException("User is not authenticated or the isUserInRole check failed");
-      
-      
+   } 
+
+   private void logout(HttpServletRequest request) throws ServletException
+   {
       //Log the user out
-      pwl.logout();
-      
+      new WebAuthentication().logout();
       if(request.getUserPrincipal() != null || request.isUserInRole("AuthorizedUser"))
-         throw new ServletException("User is still authenticated or pass: isUserInRole(Authorized User)"); 
-   } 
+         throw new ServletException("User is still authenticated or pass: isUserInRole(Authorized User)");
+   }
 }

Modified: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/main/org/jboss/test/web/test/WebProgrammaticLoginTestCase.java
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/src/main/org/jboss/test/web/test/WebProgrammaticLoginTestCase.java	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/src/main/org/jboss/test/web/test/WebProgrammaticLoginTestCase.java	2008-07-08 23:17:37 UTC (rev 75512)
@@ -61,28 +61,39 @@
     */
    public void testUnsuccessfulLogin() throws Exception
    {
-      String path1 = "programmaticweblogin/TestServlet";
+      String path = "war1/TestServlet";
+      // try to perform programmatic auth without supplying login information.
       HttpMethod indexGet = null;
       try
       {
-         indexGet = new GetMethod(baseURLNoAuth+path1); 
+         indexGet = new GetMethod(baseURLNoAuth + path + "?operation=login"); 
          int responseCode = httpConn.executeMethod(indexGet);
          assertTrue("Get Error("+responseCode+")", 
                responseCode == HttpURLConnection.HTTP_INTERNAL_ERROR);
+         // assert access to the restricted area of the first application is denied.
+         SSOBaseCase.checkAccessDenied(this.httpConn, this.baseURLNoAuth + 
+               "war1/restricted/restricted.html");
+         // assert access to the second application is not granted, as no successful login
+         // was performed (and therefore no ssoid has been set).
+         SSOBaseCase.checkAccessDenied(this.httpConn, this.baseURLNoAuth + "war2/index.html");
       }
       finally
       {
          if(indexGet != null)
            indexGet.releaseConnection();
       } 
-      
-      path1 = path1 + "?username=dummy&pass=dummy";
+      // try to perform programmatic auth with no valid username/password.
+      path = path + "?operation=login&username=dummy&pass=dummy";
       try
       {
-         indexGet = new GetMethod(baseURLNoAuth+path1); 
+         indexGet = new GetMethod(baseURLNoAuth + path); 
          int responseCode = httpConn.executeMethod(indexGet);
          assertTrue("Get Error("+responseCode+")", 
                responseCode == HttpURLConnection.HTTP_INTERNAL_ERROR);
+         // assert access to the restricted applications remains denied.
+         SSOBaseCase.checkAccessDenied(this.httpConn, this.baseURLNoAuth + 
+               "war1/restricted/restricted.html");
+         SSOBaseCase.checkAccessDenied(this.httpConn, this.baseURLNoAuth + "war2/index.html");
       }
       finally
       {
@@ -97,18 +108,36 @@
     */
    public void testSuccessfulLogin() throws Exception
    {
-      String path1 = "programmaticweblogin/TestServlet?username=jduke&pass=theduke"; 
+      String path = "war1/TestServlet?operation=login&username=jduke&pass=theduke"; 
       HttpMethod indexGet = null;
+      HttpMethod indexGet2 = null;
       try
       {
-         indexGet = new GetMethod(baseURLNoAuth+path1); 
+         indexGet = new GetMethod(baseURLNoAuth + path); 
          int responseCode = httpConn.executeMethod(indexGet);
          assertTrue("Get OK("+responseCode+")", responseCode == HttpURLConnection.HTTP_OK);
+         // assert access to the restricted are of the first application is now allowed.
+         SSOBaseCase.checkAccessAllowed(this.httpConn, this.baseURLNoAuth +
+               "war1/restricted/restricted.html");
+         // assert the sso cookie has been created.
+         SSOBaseCase.processSSOCookie(this.httpConn.getState(), this.baseURLNoAuth, this.baseURLNoAuth);
+         // assert access to the second application is allowed
+         SSOBaseCase.checkAccessAllowed(this.httpConn, this.baseURLNoAuth + "war2/index.html");
+
+         // perform a programmatic logout and assert access is not allowed anymore.
+         indexGet2 = new GetMethod(baseURLNoAuth + "war1/TestServlet?operation=logout");
+         responseCode = httpConn.executeMethod(indexGet2);
+         assertTrue("Get OK("+responseCode+")", responseCode == HttpURLConnection.HTTP_OK);
+         SSOBaseCase.checkAccessDenied(this.httpConn, this.baseURLNoAuth +
+               "war1/restricted/restricted.html");
+         SSOBaseCase.checkAccessDenied(this.httpConn, this.baseURLNoAuth + "war2/index.html");
       }
       finally
       {
          if(indexGet != null)
            indexGet.releaseConnection();
+         if(indexGet2 != null)
+           indexGet2.releaseConnection();
       } 
    } 
 

Modified: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/test-configs/tomcat-sso/deploy/jboss-web.deployer/server.xml
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/test-configs/tomcat-sso/deploy/jboss-web.deployer/server.xml	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/test-configs/tomcat-sso/deploy/jboss-web.deployer/server.xml	2008-07-08 23:17:37 UTC (rev 75512)
@@ -114,7 +114,7 @@
                               to span more than one hostname.
              -->
             <!-- -->
-            <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
+            <Valve className="org.jboss.web.tomcat.security.ExtendedSingleSignOn" />
             <!-- -->
 
             <!-- Uncomment to enable single sign-on across web apps

Modified: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/WEB-INF/jboss-web.xml
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/WEB-INF/jboss-web.xml	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/WEB-INF/jboss-web.xml	2008-07-08 23:17:37 UTC (rev 75512)
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE jboss-web
+    PUBLIC "-//JBoss//DTD Web Application 2.4//EN"
+    "http://www.jboss.org/j2ee/dtds/jboss-web_4_0.dtd">
+
+<jboss-web>
+   <security-domain>java:/jaas/jbosstest-web</security-domain>
+</jboss-web>

Modified: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/WEB-INF/jbosstest-web.xml
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/WEB-INF/jbosstest-web.xml	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/WEB-INF/jbosstest-web.xml	2008-07-08 23:17:37 UTC (rev 75512)
@@ -20,9 +20,24 @@
       <url-pattern>/TestServlet</url-pattern>
    </servlet-mapping>
 
+   <security-constraint>
+      <web-resource-collection>
+         <web-resource-name>Restricted</web-resource-name>
+         <description>Restricted Area</description>
+         <url-pattern>/restricted/*</url-pattern>
+      </web-resource-collection>
+      <auth-constraint>
+         <description>Only authenticated users can access secure content</description>
+         <role-name>AuthorizedUser</role-name>
+      </auth-constraint>
+   </security-constraint>
+
    <login-config>
-      <auth-method>BASIC</auth-method>
-      <realm-name>JBossTest Servlets</realm-name>
+      <auth-method>FORM</auth-method>
+      <form-login-config>
+         <form-login-page>/login.html</form-login-page>
+         <form-error-page>/error.html</form-error-page>
+      </form-login-config>
    </login-config>
 
    <security-role>

Modified: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/application.xml
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/application.xml	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/application.xml	2008-07-08 23:17:37 UTC (rev 75512)
@@ -6,10 +6,20 @@
 <application>
    <display-name>Programmatic Web Login</display-name>
 
-   <module>
-      <web>
-         <web-uri>programmaticweblogin.war</web-uri>
-      </web>
-   </module>
+      <module>
+         <web>
+            <web-uri>programmaticweblogin.war</web-uri>
+            <context-root>/war1</context-root>
+         </web>
+      </module>
+      <module>
+         <web>
+            <web-uri>sso-form-auth.war</web-uri>
+            <context-root>/war2</context-root>
+         </web>
+      </module>
+      <module>
+         <ejb>jbosstest-web-ejbs.jar</ejb>
+      </module>
 
 </application>

Copied: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/error.html (from rev 67516, branches/Branch_4_2/testsuite/src/resources/web/programmatic/error.html)
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/error.html	                        (rev 0)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/error.html	2008-07-08 23:17:37 UTC (rev 75512)
@@ -0,0 +1,11 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+   <title>Error Page For Examples</title>
+</head>
+
+   <body bgcolor="white">
+   Invalid username and/or password, please try again
+   </body>
+</html>
+

Copied: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/login.html (from rev 67516, branches/Branch_4_2/testsuite/src/resources/web/programmatic/login.html)
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/login.html	                        (rev 0)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/login.html	2008-07-08 23:17:37 UTC (rev 75512)
@@ -0,0 +1,26 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
+<html>
+<head>
+   <title>Login Page for Examples</title>
+</head>
+
+   <body bgcolor="white">
+   <form method="POST" action="j_security_check">
+     <table border="0" cellspacing="5">
+       <tr>
+         <th align="right">Username:</th>
+         <td align="left"><input type="text" name="j_username"></td>
+       </tr>
+       <tr>
+         <th align="right">Password:</th>
+         <td align="left"><input type="password" name="j_password"></td>
+       </tr>
+       <tr>
+         <td align="right"><input type="submit" value="Log In"></td>
+         <td align="left"><input type="reset"></td>
+       </tr>
+     </table>
+   </form>
+   </body>
+</html>
+

Copied: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/restricted (from rev 67516, branches/Branch_4_2/testsuite/src/resources/web/programmatic/restricted)

Deleted: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/restricted/restricted.html
===================================================================
--- branches/Branch_4_2/testsuite/src/resources/web/programmatic/restricted/restricted.html	2007-11-27 22:15:09 UTC (rev 67516)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/restricted/restricted.html	2008-07-08 23:17:37 UTC (rev 75512)
@@ -1,10 +0,0 @@
-<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
-<html>
-<head>
-   <title>Programmatic Login Secure Page</title>
-</head>
-
-<body>
-<h1>Programmatic Login Secure Page</h1>
-</body>
-</html>

Copied: branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/restricted/restricted.html (from rev 67516, branches/Branch_4_2/testsuite/src/resources/web/programmatic/restricted/restricted.html)
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/restricted/restricted.html	                        (rev 0)
+++ branches/JBPAPP_4_2_0_GA_CP/testsuite/src/resources/web/programmatic/restricted/restricted.html	2008-07-08 23:17:37 UTC (rev 75512)
@@ -0,0 +1,10 @@
+<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
+<html>
+<head>
+   <title>Programmatic Login Secure Page</title>
+</head>
+
+<body>
+<h1>Programmatic Login Secure Page</h1>
+</body>
+</html>

Copied: branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedSingleSignOn.java (from rev 66612, branches/Branch_4_2/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedSingleSignOn.java)
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedSingleSignOn.java	                        (rev 0)
+++ branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/ExtendedSingleSignOn.java	2008-07-08 23:17:37 UTC (rev 75512)
@@ -0,0 +1,80 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.web.tomcat.security;
+
+import java.security.Principal;
+
+import org.apache.catalina.Session;
+import org.apache.catalina.authenticator.SingleSignOn;
+
+/**
+ * <p>
+ * An extension of the <code>SingleSignOn</code> valve that exposes some protected methods of
+ * the superclass as <code>public</code>, allowing the <code>WebAuthentication</code> class
+ * to delegate single sign-on behaviour to this valve.
+ * </p>
+ * 
+ * @author sguilhen at redhat.com
+ */
+public class ExtendedSingleSignOn extends SingleSignOn
+{
+
+   /*
+    * (non-Javadoc)
+    * @see org.apache.catalina.authenticator.SingleSignOn#associate(java.lang.String, org.apache.catalina.Session)
+    */
+   @Override
+   public void associate(String ssoId, Session session)
+   {
+      super.associate(ssoId, session);
+   }
+   
+   /*
+    * (non-Javadoc)
+    * @see org.apache.catalina.authenticator.SingleSignOn#register(java.lang.String, java.security.Principal, java.lang.String, java.lang.String, java.lang.String)
+    */
+   @Override
+   public void register(String ssoId, Principal principal, String authType, String username, String password)
+   {
+      super.register(ssoId, principal, authType, username, password);
+   }
+
+   /*
+    * (non-Javadoc)
+    * @see org.apache.catalina.authenticator.SingleSignOn#deregister(java.lang.String)
+    */
+   @Override
+   public void deregister(String ssoId)
+   {
+      super.deregister(ssoId);
+   }
+   
+   /*
+    * (non-Javadoc)
+    * @see org.apache.catalina.authenticator.SingleSignOn#update(java.lang.String, java.security.Principal, java.lang.String, java.lang.String, java.lang.String)
+    */
+   @Override
+   public void update(String ssoId, Principal principal, String authType, String username, String password)
+   {
+      super.update(ssoId, principal, authType, username, password);
+   }
+}

Modified: branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationValve.java
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationValve.java	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/SecurityAssociationValve.java	2008-07-08 23:17:37 UTC (rev 75512)
@@ -58,7 +58,9 @@
    public static ThreadLocal activeWebMetaData = new ThreadLocal();
    /** Maintain the Catalina Request for programmatic web login */
    public static ThreadLocal activeRequest = new ThreadLocal();
-
+   /** Maintain the Catalina Response for programmatic web login */
+   public static ThreadLocal activeResponse = new ThreadLocal();
+   
    /** The web app metadata */
    private WebMetaData metaData;
    /** The name in the session under which the Subject is stored */
@@ -102,8 +104,9 @@
          log.trace("Begin invoke, caller"+caller);
       // Set the active meta data
       activeWebMetaData.set(metaData);
-      //Set the active request
+      //Set the active request and response
       activeRequest.set(request);
+      activeResponse.set(response);
       try
       {
          try
@@ -213,6 +216,7 @@
          activeWebMetaData.set(null);
          userPrincipal.set(null);
          activeRequest.set(null);
+         activeResponse.set(null);
       }
    }
 

Modified: branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/login/WebAuthentication.java
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/login/WebAuthentication.java	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/security/login/WebAuthentication.java	2008-07-08 23:17:37 UTC (rev 75512)
@@ -20,15 +20,22 @@
   * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
   */
 package org.jboss.web.tomcat.security.login;
- 
+
 import java.security.Principal;
 import java.security.cert.X509Certificate;
+import java.util.UUID;
 
 import javax.naming.NamingException;
+import javax.servlet.http.Cookie;
 
+import org.apache.catalina.Container;
+import org.apache.catalina.Pipeline;
 import org.apache.catalina.Session;
+import org.apache.catalina.Valve;
 import org.apache.catalina.authenticator.Constants;
 import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.jboss.web.tomcat.security.ExtendedSingleSignOn;
 import org.jboss.web.tomcat.security.SecurityAssociationValve;
 
 //$Id$
@@ -40,12 +47,13 @@
  *  @version $Revision$
  */
 public class WebAuthentication
-{  
+{
    private static final String AUTH_TYPE = "PROGRAMMATIC_WEB_LOGIN";
+
    public WebAuthentication()
-   {  
+   {
    }
-   
+
    /**
     * Login an user via the CLIENT-CERT method
     * @param certs X509 certificates
@@ -55,16 +63,16 @@
    {
       //Get the active request
       Request request = (Request) SecurityAssociationValve.activeRequest.get();
-      if(request == null)
+      if (request == null)
          throw new IllegalStateException("request is null");
       Principal p = request.getContext().getRealm().authenticate(certs);
-      if(p != null)
+      if (p != null)
       {
-         register(request,p, null, null);
+         register(request, p, null, null);
       }
-      return p!= null; 
+      return p != null;
    }
-   
+
    /**
     * Login an user via the BASIC, FORM, DIGEST methods
     * @param username
@@ -72,29 +80,29 @@
     * @return
     * @throws NamingException
     */
-   public boolean login(String username, Object credential) 
-   { 
+   public boolean login(String username, Object credential)
+   {
       //Get the active request
       Request request = (Request) SecurityAssociationValve.activeRequest.get();
-      if(request == null)
+      if (request == null)
          throw new IllegalStateException("request is null");
-      
+
       Principal p = null;
-      if(credential instanceof String)
+      if (credential instanceof String)
       {
-         p = request.getContext().getRealm().authenticate(username, (String)credential); 
-      } 
+         p = request.getContext().getRealm().authenticate(username, (String) credential);
+      }
       else if (credential instanceof byte[])
       {
-         p = request.getContext().getRealm().authenticate(username, (byte[])credential); 
-      } 
-      if(p != null)
+         p = request.getContext().getRealm().authenticate(username, (byte[]) credential);
+      }
+      if (p != null)
       {
-         register(request,p, username, credential);
+         register(request, p, username, credential);
       }
       return p != null;
-   } 
-   
+   }
+
    /**
     * Log the user out
     *
@@ -103,11 +111,11 @@
    {
       //Get the active request
       Request request = (Request) SecurityAssociationValve.activeRequest.get();
-      if(request == null)
+      if (request == null)
          throw new IllegalStateException("request is null");
       unregister(request);
    }
-   
+
    /**
     * Register the principal with the request, session etc just the way AuthenticatorBase does
     * @param request Catalina Request
@@ -118,25 +126,72 @@
    protected void register(Request request, Principal principal, String username, Object password)
    {
       request.setAuthType(AUTH_TYPE);
-      request.setUserPrincipal(principal); 
-      
+      request.setUserPrincipal(principal);
+
       //Cache the authentication principal in the session
       Session session = request.getSessionInternal(false);
-      if(session != null)
+      if (session != null)
       {
          session.setAuthType(AUTH_TYPE);
          session.setPrincipal(principal);
          if (username != null)
-             session.setNote(Constants.SESS_USERNAME_NOTE, username);
+            session.setNote(Constants.SESS_USERNAME_NOTE, username);
          else
-             session.removeNote(Constants.SESS_USERNAME_NOTE);
+            session.removeNote(Constants.SESS_USERNAME_NOTE);
          if (password != null)
-             session.setNote(Constants.SESS_PASSWORD_NOTE, getPasswordAsString(password));
+            session.setNote(Constants.SESS_PASSWORD_NOTE, getPasswordAsString(password));
          else
-             session.removeNote(Constants.SESS_PASSWORD_NOTE);
+            session.removeNote(Constants.SESS_PASSWORD_NOTE);
       }
+
+      // JBAS-4424: Programmatic web authentication with SSO
+      ExtendedSingleSignOn sso = this.getSingleSignOn(request);
+      if (sso == null)
+         return;
+
+      // Only create a new SSO entry if the SSO did not already set a note
+      // for an existing entry (as it would do with subsequent requests
+      // for DIGEST and SSL authenticated contexts)
+      String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
+      if (ssoId == null)
+      {
+         // Construct a cookie to be returned to the client
+         ssoId = generateSessionId();
+         Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
+         cookie.setMaxAge(-1);
+         cookie.setPath("/");
+         cookie.setSecure(request.isSecure());
+
+         String ssoDomain = sso.getCookieDomain();
+         if (ssoDomain != null)
+         {
+            cookie.setDomain(ssoDomain);
+         }
+
+         Response response = (Response) SecurityAssociationValve.activeResponse.get();
+         response.addCookie(cookie);
+
+         // Register this principal with our SSO valve
+         sso.register(ssoId, principal, AUTH_TYPE, username, this.getPasswordAsString(password));
+         request.setNote(Constants.REQ_SSOID_NOTE, ssoId);
+
+      }
+      else
+      {
+         // Update the SSO session with the latest authentication data
+         sso.update(ssoId, principal, AUTH_TYPE, username, this.getPasswordAsString(password));
+      }
+
+      // Always associate a session with a new SSO reqistration.
+      // SSO entries are only removed from the SSO registry map when
+      // associated sessions are destroyed; if a new SSO entry is created
+      // above for this request and the user never revisits the context, the
+      // SSO entry will never be cleared if we don't associate the session
+      if (session == null)
+         session = request.getSessionInternal(true);
+      sso.associate(ssoId, session);
    }
-   
+
    /**
     * Log the user out
     * @param request
@@ -144,31 +199,88 @@
    protected void unregister(Request request)
    {
       request.setAuthType(null);
-      request.setUserPrincipal(null); 
-      
+      request.setUserPrincipal(null);
+
       //Cache the authentication principal in the session
       Session session = request.getSessionInternal(false);
-      if(session != null)
+      if (session != null)
       {
          session.setAuthType(null);
          session.setPrincipal(null);
          session.removeNote(Constants.SESS_USERNAME_NOTE);
          session.removeNote(Constants.SESS_PASSWORD_NOTE);
       }
+      //Deregister the SSOID
+      ExtendedSingleSignOn sso = this.getSingleSignOn(request);
+      if(sso != null) {
+         String ssoId = (String) request.getNote(Constants.REQ_SSOID_NOTE);
+         sso.deregister(ssoId);
+      }
    }
-   
+
    private String getPasswordAsString(Object cred)
    {
       String p = null;
-      
-      if(cred instanceof String)
+
+      if (cred instanceof String)
       {
-         p = (String)cred;
+         p = (String) cred;
       }
-      else if(cred instanceof byte[])
+      else if (cred instanceof byte[])
       {
-         p = new String((byte[])cred);
+         p = new String((byte[]) cred);
       }
       return p;
    }
+
+   /**
+    * <p>
+    * Generate and return a new session identifier for the cookie that identifies an SSO principal.
+    * </p>
+    * 
+    * @return a <code>String</code> representing the generated identifier.
+    */
+   private String generateSessionId()
+   {
+      UUID uid = UUID.randomUUID();
+      String higherBits = Long.toHexString(uid.getMostSignificantBits());
+      String lowerBits = Long.toHexString(uid.getLeastSignificantBits());
+
+      return (higherBits + lowerBits).toUpperCase();
+   }
+   
+   /**
+    * <p>
+    * Obtain a reference to the <code>ExtendedSingleSignOn</code> valve, if one was configured.
+    * </p>
+    * 
+    * @param request    the <code>Request</code> object used to look up the SSO valve.
+    * @return   a reference to the <code>ExtendedSingleSignOn</code> valve, or <code>null</code> if that valve
+    * has not been configured.
+    */
+   private ExtendedSingleSignOn getSingleSignOn(Request request)
+   {
+      ExtendedSingleSignOn sso = null;
+      Container parent = request.getContext().getParent();
+      while ((sso == null) && (parent != null))
+      {
+         if (!(parent instanceof Pipeline))
+         {
+            parent = parent.getParent();
+            continue;
+         }
+         Valve valves[] = ((Pipeline) parent).getValves();
+         for (int i = 0; i < valves.length; i++)
+         {
+            if (valves[i] instanceof ExtendedSingleSignOn)
+            {
+               sso = (ExtendedSingleSignOn) valves[i];
+               break;
+            }
+         }
+         if (sso == null)
+            parent = parent.getParent();
+      }
+      return sso;
+   }
 }

Modified: branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/service/sso/ClusteredSingleSignOn.java
===================================================================
--- branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/service/sso/ClusteredSingleSignOn.java	2008-07-08 22:35:09 UTC (rev 75511)
+++ branches/JBPAPP_4_2_0_GA_CP/tomcat/src/main/org/jboss/web/tomcat/service/sso/ClusteredSingleSignOn.java	2008-07-08 23:17:37 UTC (rev 75512)
@@ -40,6 +40,7 @@
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.session.ManagerBase;
+import org.jboss.web.tomcat.security.ExtendedSingleSignOn;
 import org.jboss.web.tomcat.service.JBossWeb;
 import org.jboss.web.tomcat.service.session.JBossManager;
 
@@ -67,7 +68,7 @@
  * @version $Revision: 57329 $ $Date: 2006-10-02 00:35:46 +0200 (lun., 02 oct. 2006) $
  */
 public class ClusteredSingleSignOn
-   extends org.apache.catalina.authenticator.SingleSignOn
+   extends ExtendedSingleSignOn
    implements LifecycleListener
 {
    /** By default we process expired SSOs no more often than once per minute */
@@ -690,7 +691,7 @@
     * @param ssoId   Single sign on identifier
     * @param session Session to be associated
     */
-   protected void associate(String ssoId, Session session)
+   public void associate(String ssoId, Session session)
    {
       if (getContainer().getLogger().isDebugEnabled())
           getContainer().getLogger().debug("Associate sso id " + ssoId + " with session " + session);
@@ -796,7 +797,7 @@
     *
     * @param ssoId Single sign on identifier to deregister
     */
-   protected void deregister(String ssoId)
+   public void deregister(String ssoId)
    {
       if (getContainer().getLogger().isDebugEnabled())
           getContainer().getLogger().debug("Deregistering sso id '" + ssoId + "'");
@@ -947,7 +948,7 @@
     * @param username  Username used to authenticate this user
     * @param password  Password used to authenticate this user
     */
-   protected void register(String ssoId, Principal principal, String authType,
+   public void register(String ssoId, Principal principal, String authType,
       String username, String password)
    {
       registerLocal(ssoId, principal, authType, username, password);
@@ -1030,7 +1031,7 @@
     * @param username  the username (if any) used for the authentication
     * @param password  the password (if any) used for the authentication
     */
-   protected void update(String ssoId, Principal principal, String authType,
+   public void update(String ssoId, Principal principal, String authType,
       String username, String password)
    {
       boolean needToBroadcast = updateLocal(ssoId, principal, authType,
@@ -1310,4 +1311,4 @@
       return valid;
    }
 
-}
\ No newline at end of file
+}




More information about the jboss-cvs-commits mailing list