[jboss-cvs] JBossAS SVN: r76444 - in trunk: messaging/src/main/org/jboss/jms/server/jbosssx and 1 other directories.



Author: sguilhen at redhat.com
Date: 2008-07-29 19:50:53 -0400 (Tue, 29 Jul 2008)
New Revision: 76444

Modified:
   trunk/messaging/src/etc/deploy/common/messaging-jboss-beans.xml
   trunk/messaging/src/etc/deploy/common/messaging-service.xml
   trunk/messaging/src/main/org/jboss/jms/server/jbosssx/JBossASSecurityMetadataStore.java
   trunk/server/src/etc/conf/default/login-config.xml
Log:
JBAS-5814: Moved JBossASSecurityMetadataStore to messaging-jboss-beans.xml, injecting the SecurityManagement instance to be used. The metadata application policy has also been moved from the login-config.xml to the messaging-jboss-beans.



Modified: trunk/messaging/src/etc/deploy/common/messaging-jboss-beans.xml
===================================================================
--- trunk/messaging/src/etc/deploy/common/messaging-jboss-beans.xml	2008-07-29 22:40:32 UTC (rev 76443)
+++ trunk/messaging/src/etc/deploy/common/messaging-jboss-beans.xml	2008-07-29 23:50:53 UTC (rev 76444)
@@ -6,6 +6,34 @@
 -->
 <deployment xmlns="urn:jboss:bean-deployer:2.0">
 
+   <!-- messaging application-policy definition -->
+   <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
+      <authentication>
+         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
+            <module-option name="unauthenticatedIdentity">guest</module-option>
+            <module-option name="dsJndiName">java:/DefaultDS</module-option>
+            <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
+            <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
+         </login-module>
+      </authentication>
+   </application-policy>
+
+   <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
+      <!-- default security configuration -->
+      <property name="defaultSecurityConfig">
+         <![CDATA[
+            <security>
+               <role name="guest" read="true" write="true" create="true"/>
+            </security>
+         ]]>
+      </property>
+      <property name="suckerPassword">CHANGE ME!!</property>
+      <property name="securityDomain">messaging</property>
+      <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
+      <!-- @JMX annotation to export the management view of this bean -->
+      <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>
+   </bean>
+
    <bean name="QueueTemplate" class="org.jboss.profileservice.management.templates.JmsDestinationTemplate">
       <property name="info"><inject bean="QueueTemplateInfo"/></property>
    </bean>
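Review bot: The `suckerPassword` property ships the literal default `CHANGE ME!!`, which `checkDefaultSuckerPassword` in the Java hunk below only logs a warning about, so a stock deployment starts and runs with a published password for the inter-node sucker user. A comment on that property should say so: `<!-- Must be changed before deployment: the default value is accepted at startup with only a log warning -->`. Note also that `unauthenticatedIdentity` maps anonymous callers to `guest` while the default `<security>` block grants `guest` read, write and create, so unauthenticated clients get full access to any destination that has no configuration of its own; if that is intended for the default profile, a comment stating it would help whoever hardens the descriptor.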

Modified: trunk/messaging/src/etc/deploy/common/messaging-service.xml
===================================================================
--- trunk/messaging/src/etc/deploy/common/messaging-service.xml	2008-07-29 22:40:32 UTC (rev 76443)
+++ trunk/messaging/src/etc/deploy/common/messaging-service.xml	2008-07-29 23:50:53 UTC (rev 76444)
@@ -7,23 +7,7 @@
  -->
 
 <server>
-     <mbean code="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore"
-          name="jboss.messaging:service=SecurityStore">
-          
-          <attribute name="DefaultSecurityConfig">
-               <security>
-                    <role name="guest" read="true" write="true" create="true"/>
-               </security>
-          </attribute>
-          
-          <attribute name="SecurityDomain">messaging</attribute>
-          
-          <attribute name="SuckerPassword">CHANGE ME!!</attribute>
-          <depends>JNDIBasedSecurityRegistration</depends> 
-          <depends>XMLLoginConfig</depends> 
-     </mbean>
 
-
    <!-- ServerPeer MBean configuration
         ============================== -->
 

Modified: trunk/messaging/src/main/org/jboss/jms/server/jbosssx/JBossASSecurityMetadataStore.java
===================================================================
--- trunk/messaging/src/main/org/jboss/jms/server/jbosssx/JBossASSecurityMetadataStore.java	2008-07-29 22:40:32 UTC (rev 76443)
+++ trunk/messaging/src/main/org/jboss/jms/server/jbosssx/JBossASSecurityMetadataStore.java	2008-07-29 23:50:53 UTC (rev 76444)
@@ -1,24 +1,24 @@
 /*
-  * JBoss, Home of Professional Open Source
-  * Copyright 2005, JBoss Inc., and individual contributors as indicated
-  * by the @authors tag. See the copyright.txt in the distribution for a
-  * full listing of individual contributors.
-  *
-  * This is free software; you can redistribute it and/or modify it
-  * under the terms of the GNU Lesser General Public License as
-  * published by the Free Software Foundation; either version 2.1 of
-  * the License, or (at your option) any later version.
-  *
-  * This software is distributed in the hope that it will be useful,
-  * but WITHOUT ANY WARRANTY; without even the implied warranty of
-  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-  * Lesser General Public License for more details.
-  *
-  * You should have received a copy of the GNU Lesser General Public
-  * License along with this software; if not, write to the Free
-  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
-  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
-  */
+ * JBoss, Home of Professional Open Source
+ * Copyright 2005, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
 package org.jboss.jms.server.jbosssx;
 
 import java.security.Principal;
@@ -27,7 +27,6 @@
 import java.util.Set;
 
 import javax.jms.JMSSecurityException;
-import javax.naming.InitialContext;
 import javax.naming.NamingException;
 import javax.security.auth.Subject;
 
@@ -42,43 +41,45 @@
 import org.w3c.dom.Element;
 
 /**
- * A security metadate store for JMS. Stores security information for destinations and delegates
- * authentication and authorization to a JaasSecurityManager.
- *
+ * A security metadate store for JMS. Stores security information for destinations and delegates authentication and
+ * authorization to a JaasSecurityManager.
+ * 
  * @author Peter Antman
  * @author <a href="mailto:Scott.Stark at jboss.org">Scott Stark</a>
  * @author <a href="mailto:tim.fox at jboss.com">Tim Fox</a>
  * @author <a href="mailto:ovidiu at feodorov.com">Ovidiu Feodorov</a>
  * @author Anil.Saldhana at redhat.com
  * @version $Revision$
- *
+ * 
  * $Id$
  */
 @SuppressWarnings("unchecked")
 public class JBossASSecurityMetadataStore implements SecurityStore, JBossASSecurityMetadataStoreMBean
 {
    // Constants -----------------------------------------------------
-   
+
    private static final Logger log = Logger.getLogger(JBossASSecurityMetadataStore.class);
-   
+
    public static final String DEFAULT_SUCKER_USER_PASSWORD = "CHANGE ME!!";
-   
+
    // Attributes ----------------------------------------------------
-   
-   private boolean trace = log.isTraceEnabled();
-   
-   private Map queueSecurityConf;
-   private Map topicSecurityConf; 
-   
+
+   private final boolean trace = log.isTraceEnabled();
+
+   private final Map queueSecurityConf;
+
+   private final Map topicSecurityConf;
+
    private Element defaultSecurityConfig;
+
    private String securityDomain = "messaging";
-      
-   private String suckerPassword; 
-   
+
+   private String suckerPassword;
+
    private ISecurityManagement securityManagement = null;
 
    // Static --------------------------------------------------------
-   
+
    // Constructors --------------------------------------------------
 
    public JBossASSecurityMetadataStore()
@@ -91,8 +92,8 @@
 
    public SecurityMetadata getSecurityMetadata(boolean isQueue, String destName)
    {
-      SecurityMetadata m = (SecurityMetadata)
-         (isQueue ? queueSecurityConf.get(destName) : topicSecurityConf.get(destName));
+      SecurityMetadata m = (SecurityMetadata) (isQueue ? queueSecurityConf.get(destName) : topicSecurityConf
+            .get(destName));
 
       if (m == null)
       {
@@ -126,30 +127,36 @@
 
    public void setSecurityConfig(boolean isQueue, String destName, Element conf) throws Exception
    {
-      if (trace) { log.trace("adding security configuration for " + (isQueue ? "queue " : "topic ") + destName); }
-      
+      if (trace)
+      {
+         log.trace("adding security configuration for " + (isQueue ? "queue " : "topic ") + destName);
+      }
+
       if (conf == null)
       {
-      	clearSecurityConfig(isQueue, destName);
+         clearSecurityConfig(isQueue, destName);
       }
       else
-      {	
-	      SecurityMetadata m = new SecurityMetadata(conf);
-	
-	      if (isQueue)
-	      {
-	         queueSecurityConf.put(destName, m);
-	      }
-	      else
-	      {
-	         topicSecurityConf.put(destName, m);
-	      }
+      {
+         SecurityMetadata m = new SecurityMetadata(conf);
+
+         if (isQueue)
+         {
+            queueSecurityConf.put(destName, m);
+         }
+         else
+         {
+            topicSecurityConf.put(destName, m);
+         }
       }
    }
 
    public void clearSecurityConfig(boolean isQueue, String name) throws Exception
    {
-      if (trace) { log.trace("clearing security configuration for " + (isQueue ? "queue " : "topic ") + name); }
+      if (trace)
+      {
+         log.trace("clearing security configuration for " + (isQueue ? "queue " : "topic ") + name);
+      }
 
       if (isQueue)
       {
@@ -160,11 +167,14 @@
          topicSecurityConf.remove(name);
       }
    }
-   
+
    public Subject authenticate(String user, String password) throws JMSSecurityException
    {
-      if (trace) { log.trace("authenticating user " + user); }
-      
+      if (trace)
+      {
+         log.trace("authenticating user " + user);
+      }
+
       SimplePrincipal principal = new SimplePrincipal(user);
       char[] passwordChars = null;
       if (password != null)
@@ -173,45 +183,37 @@
       }
 
       Subject subject = new Subject();
-      
+
       boolean authenticated = false;
-      
+
       if (SUCKER_USER.equals(user))
       {
-      	if (trace) { log.trace("Authenticating sucker user"); }
-      	
-      	checkDefaultSuckerPassword(password);
-      	
-      	// The special user SUCKER_USER is used for creating internal connections that suck messages between nodes
-      	
-      	authenticated = suckerPassword.equals(password);
+         if (trace)
+         {
+            log.trace("Authenticating sucker user");
+         }
+
+         checkDefaultSuckerPassword(password);
+
+         // The special user SUCKER_USER is used for creating internal connections that suck messages between nodes
+
+         authenticated = suckerPassword.equals(password);
       }
       else
       {
-        if(securityManagement == null)
-        {   
-           try
-           {
-              lookupSecurityManagement();;
-           }
-           catch (NamingException e)
-           {
-              throw new RuntimeException(e);
-           }
-        } 
-        AuthenticationManager authenticationManager = 
-           securityManagement.getAuthenticationManager(securityDomain);
-        if(authenticationManager == null)
-           throw new SecurityException("AuthenticationManager is null for domain=" + securityDomain);
-        authenticated = authenticationManager.isValid(principal, passwordChars, subject);
+         if (securityManagement == null)
+            throw new SecurityException("SecurityManagement has not been set");
+         AuthenticationManager authenticationManager = securityManagement.getAuthenticationManager(securityDomain);
+         if (authenticationManager == null)
+            throw new SecurityException("AuthenticationManager is null for domain=" + securityDomain);
+         authenticated = authenticationManager.isValid(principal, passwordChars, subject);
       }
 
       if (authenticated)
       {
          // Warning! This "taints" thread local. Make sure you pop it off the stack as soon as
-         //          you're done with it.
-         SecurityActions.pushSubjectContext(principal, passwordChars, subject, 
-               securityDomain);
+         // you're done with it.
+         SecurityActions.pushSubjectContext(principal, passwordChars, subject, securityDomain);
          return subject;
       }
       else
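Review bot: The sucker branch at `authenticated = suckerPassword.equals(password);` still dereferences `suckerPassword` without a guard, so now that the value comes from the bean descriptor, a deployment that omits the property fails with a NullPointerException instead of the clear SecurityException the commit adds for `securityManagement`; suggest `if (suckerPassword == null) throw new SecurityException("suckerPassword has not been set");` before the comparison. Since the dependency is now injected rather than looked up lazily, the empty `start()` in a later hunk could also validate `securityManagement != null` so misconfiguration surfaces at deploy time rather than on the first login. As a point of style, the new `if (securityManagement == null)` and `if (authenticationManager == null)` throws are brace-less while the reformatted `if (trace)` blocks in the same hunk gained braces; the same mix appears in the `authorize` hunk that follows. `authenticate` starts before this hunk and continues after it.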
@@ -222,49 +224,45 @@
 
    public boolean authorize(String user, Set rolePrincipals, CheckType checkType)
    {
-      if (trace) { log.trace("authorizing user " + user + " for role(s) " + rolePrincipals.toString()); }
-      
+      if (trace)
+      {
+         log.trace("authorizing user " + user + " for role(s) " + rolePrincipals.toString());
+      }
+
       if (SUCKER_USER.equals(user))
       {
-      	//The special user SUCKER_USER is used for creating internal connections that suck messages between nodes
-      	//It has automatic read/write access to all destinations
-      	return (checkType.equals(CheckType.READ) || checkType.equals(CheckType.WRITE));
+         // The special user SUCKER_USER is used for creating internal connections that suck messages between nodes
+         // It has automatic read/write access to all destinations
+         return (checkType.equals(CheckType.READ) || checkType.equals(CheckType.WRITE));
       }
 
       Principal principal = user == null ? null : new SimplePrincipal(user);
-      if(securityManagement == null)
-      {
-         try
-         {
-            lookupSecurityManagement();;
-         }
-         catch (NamingException e)
-         {
-            throw new RuntimeException(e);
-         }
-      } 
-      AuthorizationManager authorizationManager = 
-         securityManagement.getAuthorizationManager(securityDomain); 
-      if(authorizationManager == null)
+      if (securityManagement == null)
+         throw new SecurityException("SecurityManagement has not been set");
+      AuthorizationManager authorizationManager = securityManagement.getAuthorizationManager(securityDomain);
+      if (authorizationManager == null)
          throw new SecurityException("AuthorizationManager is null for domain=" + securityDomain);
       boolean hasRole = authorizationManager.doesUserHaveRole(principal, rolePrincipals);
 
-      if (trace) { log.trace("user " + user + (hasRole ? " is " : " is NOT ") + "authorized"); }
+      if (trace)
+      {
+         log.trace("user " + user + (hasRole ? " is " : " is NOT ") + "authorized");
+      }
 
-      return hasRole;     
+      return hasRole;
    }
-   
+
    // Public --------------------------------------------------------
-   
+
    public void setSuckerPassword(String password)
-   {   	   	
-   	checkDefaultSuckerPassword(password);
-   	   	
-   	this.suckerPassword = password;
-   } 
-   
+   {
+      checkDefaultSuckerPassword(password);
+
+      this.suckerPassword = password;
+   }
+
    /**
-    * @see JBossASSecurityMetadataStoreMBean#setSecurityManagement(ISecurityManagement) 
+    * @see JBossASSecurityMetadataStoreMBean#setSecurityManagement(ISecurityManagement)
     */
    public void setSecurityManagement(ISecurityManagement securityManagement)
    {
@@ -272,7 +270,7 @@
    }
 
    public void start() throws NamingException
-   {   
+   {
    }
 
    public void stop() throws Exception
@@ -287,7 +285,7 @@
    public void setSecurityDomain(String securityDomain)
    {
       this.securityDomain = securityDomain;
-   } 
+   }
 
    public Element getDefaultSecurityConfig()
    {
@@ -306,29 +304,16 @@
    // Package Private -----------------------------------------------
 
    // Private -------------------------------------------------------
-   
+
    private void checkDefaultSuckerPassword(String password)
    {
-   	// Sanity check
-   	if (DEFAULT_SUCKER_USER_PASSWORD.equals(password))
-   	{
-   		log.warn("WARNING! POTENTIAL SECURITY RISK. It has been detected that the MessageSucker component " +
-   				   "which sucks messages from one node to another has not had its password changed from the installation default. " +
-   				   "Please see the JBoss Messaging user guide for instructions on how to do this.");
-   	}
+      // Sanity check
+      if (DEFAULT_SUCKER_USER_PASSWORD.equals(password))
+      {
+         log
+               .warn("WARNING! POTENTIAL SECURITY RISK. It has been detected that the MessageSucker component "
+                     + "which sucks messages from one node to another has not had its password changed from the installation default. "
+                     + "Please see the JBoss Messaging user guide for instructions on how to do this.");
+      }
    }
-   
-   /**
-    * TODO: This method needs to go when ISecurityManagement is injected
-    * by the Microcontainer. (When this exists in messaging-beans.xml
-    * rather than messaging-service.xml)
-    * @throws NamingException
-    */
-   private void lookupSecurityManagement() throws NamingException
-   {
-      InitialContext ic = new InitialContext();
-      this.securityManagement = (ISecurityManagement) ic.lookup("java:/securityManagement");
-   } 
-    
-   // Inner class ---------------------------------------------------      
 }
\ No newline at end of file
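Review bot: `checkDefaultSuckerPassword` has no Javadoc and its name suggests enforcement, while the body only logs a warning and lets the default password stand; a one-line Javadoc should make that explicit, e.g. `/** Logs a warning when {@code password} equals {@link #DEFAULT_SUCKER_USER_PASSWORD}; the value is not rejected. */`. The `log` / `.warn(` split introduced by the reformat reads as formatter noise and would be clearer as a single `log.warn(` line with the string concatenation continued beneath it.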

Modified: trunk/server/src/etc/conf/default/login-config.xml
===================================================================
--- trunk/server/src/etc/conf/default/login-config.xml	2008-07-29 22:40:32 UTC (rev 76443)
+++ trunk/server/src/etc/conf/default/login-config.xml	2008-07-29 23:50:53 UTC (rev 76444)
@@ -38,65 +38,6 @@
     </authentication>
   </application-policy>
 
-   <!--  <application-policy name="messaging">
-      <authentication>
-         <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
-            <module-option name="unauthenticatedIdentity">guest</module-option>
-            <module-option name="usersProperties">props/messaging-users.properties</module-option>
-            <module-option name="rolesProperties">props/messaging-roles.properties</module-option>
-         </login-module>
-      </authentication>
-   </application-policy> -->
-
-   <application-policy name="messaging">
-   	<authentication>
-   		<login-module
-   			code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
-   			flag="required">
-   			<module-option name="unauthenticatedIdentity">
-   				guest
-   			</module-option>
-   			<module-option name="dsJndiName">
-   				java:/DefaultDS
-   			</module-option>
-   			<module-option name="principalsQuery">
-   				SELECT PASSWD FROM JBM_USER WHERE USER_ID=?
-   			</module-option>
-   			<module-option name="rolesQuery">
-   				SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?
-   			</module-option>
-   		</login-module>
-   	</authentication>
-   </application-policy>
-
-
-
-   <!-- Security domain for JBossMQ
-  <application-policy name="jbossmq">
-    <authentication>
-      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
-        flag="required">
-        <module-option name="unauthenticatedIdentity">guest</module-option>
-        <module-option name="dsJndiName">java:/DefaultDS</module-option>
-        <module-option name="principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
-        <module-option name="rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
-      </login-module>
-    </authentication>
-  </application-policy>
-  -->
-
-  <!-- Security domain for JBossMQ when using file-state-service.xml
-  <application-policy name = "jbossmq">
-     <authentication>
-        <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
-           flag = "required">
-           <module-option name = "unauthenticatedIdentity">guest</module-option>
-           <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
-        </login-module>
-     </authentication>
-  </application-policy>
-  -->
-
   <!-- Security domains for testing new jca framework -->
   <application-policy name="HsqlDbRealm">
     <authentication>



