[jboss-cvs] JBossAS SVN: r76444 - in trunk: messaging/src/main/org/jboss/jms/server/jbosssx and 1 other directories.
Tue Jul 29 19:50:56 EDT 2008
Author: sguilhen at redhat.com
Date: 2008-07-29 19:50:53 -0400 (Tue, 29 Jul 2008)
New Revision: 76444
Modified:
trunk/messaging/src/etc/deploy/common/messaging-jboss-beans.xml
trunk/messaging/src/etc/deploy/common/messaging-service.xml
trunk/messaging/src/main/org/jboss/jms/server/jbosssx/JBossASSecurityMetadataStore.java
trunk/server/src/etc/conf/default/login-config.xml
Log:
JBAS-5814: Moved JBossASSecurityMetadataStore to messaging-jboss-beans.xml, injecting the SecurityManagement instance to be used. The metadata application policy has also been moved from the login-config.xml to the messaging-jboss-beans.
Modified: trunk/messaging/src/etc/deploy/common/messaging-jboss-beans.xml
===================================================================
--- trunk/messaging/src/etc/deploy/common/messaging-jboss-beans.xml 2008-07-29 22:40:32 UTC (rev 76443)
+++ trunk/messaging/src/etc/deploy/common/messaging-jboss-beans.xml 2008-07-29 23:50:53 UTC (rev 76444)
@@ -6,6 +6,34 @@
-->
<deployment xmlns="urn:jboss:bean-deployer:2.0">
+ <!-- messaging application-policy definition -->
+ <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
+ <authentication>
+ <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
+ <module-option name="unauthenticatedIdentity">guest</module-option>
+ <module-option name="dsJndiName">java:/DefaultDS</module-option>
+ <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
+ <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
+ </login-module>
+ </authentication>
+ </application-policy>
+
+ <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
+ <!-- default security configuration -->
+ <property name="defaultSecurityConfig">
+ <![CDATA[
+ <security>
+ <role name="guest" read="true" write="true" create="true"/>
+ </security>
+ ]]>
+ </property>
+ <property name="suckerPassword">CHANGE ME!!</property>
+ <property name="securityDomain">messaging</property>
+ <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
+ <!-- @JMX annotation to export the management view of this bean -->
+ <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>
+ </bean>
+
<bean name="QueueTemplate" class="org.jboss.profileservice.management.templates.JmsDestinationTemplate">
<property name="info"><inject bean="QueueTemplateInfo"/></property>
</bean>
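Review bot: The new SecurityStore bean sets `suckerPassword` to `CHANGE ME!!`, which is exactly `DEFAULT_SUCKER_USER_PASSWORD` in JBossASSecurityMetadataStore.java, and the setter's `checkDefaultSuckerPassword` only logs a warning and still accepts the value, so an unmodified deployment authenticates the sucker user with a password that is visible in the source. A comment on that property line would make the expectation explicit: `<!-- installation default: replace before deployment; the store only warns and still accepts this value -->`. The mbean removed from messaging-service.xml declared `<depends>XMLLoginConfig</depends>` and `<depends>JNDIBasedSecurityRegistration</depends>`, while this bean only injects JNDIBasedSecurityManagement; whether the `messaging` application-policy declared above it is registered before the first authenticate() call now depends on how the bean deployer orders the two, which is worth confirming. Finally, `unauthenticatedIdentity` = guest together with a `defaultSecurityConfig` that grants guest read/write/create means a client that presents no credentials gets full access to every destination without an explicit configuration; this matches the old mbean, but a comment next to `defaultSecurityConfig` saying so would help whoever tunes this file.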
Modified: trunk/messaging/src/etc/deploy/common/messaging-service.xml
===================================================================
--- trunk/messaging/src/etc/deploy/common/messaging-service.xml 2008-07-29 22:40:32 UTC (rev 76443)
+++ trunk/messaging/src/etc/deploy/common/messaging-service.xml 2008-07-29 23:50:53 UTC (rev 76444)
@@ -7,23 +7,7 @@
-->
<server>
- <mbean code="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore"
- name="jboss.messaging:service=SecurityStore">
-
- <attribute name="DefaultSecurityConfig">
- <security>
- <role name="guest" read="true" write="true" create="true"/>
- </security>
- </attribute>
-
- <attribute name="SecurityDomain">messaging</attribute>
-
- <attribute name="SuckerPassword">CHANGE ME!!</attribute>
- <depends>JNDIBasedSecurityRegistration</depends>
- <depends>XMLLoginConfig</depends>
- </mbean>
-
<!-- ServerPeer MBean configuration
============================== -->
Modified: trunk/messaging/src/main/org/jboss/jms/server/jbosssx/JBossASSecurityMetadataStore.java
===================================================================
--- trunk/messaging/src/main/org/jboss/jms/server/jbosssx/JBossASSecurityMetadataStore.java 2008-07-29 22:40:32 UTC (rev 76443)
+++ trunk/messaging/src/main/org/jboss/jms/server/jbosssx/JBossASSecurityMetadataStore.java 2008-07-29 23:50:53 UTC (rev 76444)
@@ -1,24 +1,24 @@
/*
- * JBoss, Home of Professional Open Source
- * Copyright 2005, JBoss Inc., and individual contributors as indicated
- * by the @authors tag. See the copyright.txt in the distribution for a
- * full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
+ * JBoss, Home of Professional Open Source
+ * Copyright 2005, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
package org.jboss.jms.server.jbosssx;
import java.security.Principal;
@@ -27,7 +27,6 @@
import java.util.Set;
import javax.jms.JMSSecurityException;
-import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.Subject;
@@ -42,43 +41,45 @@
import org.w3c.dom.Element;
/**
- * A security metadate store for JMS. Stores security information for destinations and delegates
- * authentication and authorization to a JaasSecurityManager.
- *
+ * A security metadate store for JMS. Stores security information for destinations and delegates authentication and
+ * authorization to a JaasSecurityManager.
+ *
* @author Peter Antman
* @author <a href="mailto:Scott.Stark at jboss.org">Scott Stark</a>
* @author <a href="mailto:tim.fox at jboss.com">Tim Fox</a>
* @author <a href="mailto:ovidiu at feodorov.com">Ovidiu Feodorov</a>
* @author Anil.Saldhana at redhat.com
* @version $Revision$
- *
+ *
* $Id$
*/
@SuppressWarnings("unchecked")
public class JBossASSecurityMetadataStore implements SecurityStore, JBossASSecurityMetadataStoreMBean
{
// Constants -----------------------------------------------------
-
+
private static final Logger log = Logger.getLogger(JBossASSecurityMetadataStore.class);
-
+
public static final String DEFAULT_SUCKER_USER_PASSWORD = "CHANGE ME!!";
-
+
// Attributes ----------------------------------------------------
-
- private boolean trace = log.isTraceEnabled();
-
- private Map queueSecurityConf;
- private Map topicSecurityConf;
-
+
+ private final boolean trace = log.isTraceEnabled();
+
+ private final Map queueSecurityConf;
+
+ private final Map topicSecurityConf;
+
private Element defaultSecurityConfig;
+
private String securityDomain = "messaging";
-
- private String suckerPassword;
-
+
+ private String suckerPassword;
+
private ISecurityManagement securityManagement = null;
// Static --------------------------------------------------------
-
+
// Constructors --------------------------------------------------
public JBossASSecurityMetadataStore()
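Review bot: The reflowed class Javadoc carries over the typo `metadate`; the first line should read `A security metadata store for JMS. Stores security information for destinations and delegates authentication and`. `queueSecurityConf` and `topicSecurityConf` are now final, so they must be assigned in the constructor, which starts on the last line of this hunk and continues outside it.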
@@ -91,8 +92,8 @@
public SecurityMetadata getSecurityMetadata(boolean isQueue, String destName)
{
- SecurityMetadata m = (SecurityMetadata)
- (isQueue ? queueSecurityConf.get(destName) : topicSecurityConf.get(destName));
+ SecurityMetadata m = (SecurityMetadata) (isQueue ? queueSecurityConf.get(destName) : topicSecurityConf
+ .get(destName));
if (m == null)
{
@@ -126,30 +127,36 @@
public void setSecurityConfig(boolean isQueue, String destName, Element conf) throws Exception
{
- if (trace) { log.trace("adding security configuration for " + (isQueue ? "queue " : "topic ") + destName); }
-
+ if (trace)
+ {
+ log.trace("adding security configuration for " + (isQueue ? "queue " : "topic ") + destName);
+ }
+
if (conf == null)
{
- clearSecurityConfig(isQueue, destName);
+ clearSecurityConfig(isQueue, destName);
}
else
- {
- SecurityMetadata m = new SecurityMetadata(conf);
-
- if (isQueue)
- {
- queueSecurityConf.put(destName, m);
- }
- else
- {
- topicSecurityConf.put(destName, m);
- }
+ {
+ SecurityMetadata m = new SecurityMetadata(conf);
+
+ if (isQueue)
+ {
+ queueSecurityConf.put(destName, m);
+ }
+ else
+ {
+ topicSecurityConf.put(destName, m);
+ }
}
}
public void clearSecurityConfig(boolean isQueue, String name) throws Exception
{
- if (trace) { log.trace("clearing security configuration for " + (isQueue ? "queue " : "topic ") + name); }
+ if (trace)
+ {
+ log.trace("clearing security configuration for " + (isQueue ? "queue " : "topic ") + name);
+ }
if (isQueue)
{
@@ -160,11 +167,14 @@
topicSecurityConf.remove(name);
}
}
-
+
public Subject authenticate(String user, String password) throws JMSSecurityException
{
- if (trace) { log.trace("authenticating user " + user); }
-
+ if (trace)
+ {
+ log.trace("authenticating user " + user);
+ }
+
SimplePrincipal principal = new SimplePrincipal(user);
char[] passwordChars = null;
if (password != null)
@@ -173,45 +183,37 @@
}
Subject subject = new Subject();
-
+
boolean authenticated = false;
-
+
if (SUCKER_USER.equals(user))
{
- if (trace) { log.trace("Authenticating sucker user"); }
-
- checkDefaultSuckerPassword(password);
-
- // The special user SUCKER_USER is used for creating internal connections that suck messages between nodes
-
- authenticated = suckerPassword.equals(password);
+ if (trace)
+ {
+ log.trace("Authenticating sucker user");
+ }
+
+ checkDefaultSuckerPassword(password);
+
+ // The special user SUCKER_USER is used for creating internal connections that suck messages between nodes
+
+ authenticated = suckerPassword.equals(password);
}
else
{
- if(securityManagement == null)
- {
- try
- {
- lookupSecurityManagement();;
- }
- catch (NamingException e)
- {
- throw new RuntimeException(e);
- }
- }
- AuthenticationManager authenticationManager =
- securityManagement.getAuthenticationManager(securityDomain);
- if(authenticationManager == null)
- throw new SecurityException("AuthenticationManager is null for domain=" + securityDomain);
- authenticated = authenticationManager.isValid(principal, passwordChars, subject);
+ if (securityManagement == null)
+ throw new SecurityException("SecurityManagement has not been set");
+ AuthenticationManager authenticationManager = securityManagement.getAuthenticationManager(securityDomain);
+ if (authenticationManager == null)
+ throw new SecurityException("AuthenticationManager is null for domain=" + securityDomain);
+ authenticated = authenticationManager.isValid(principal, passwordChars, subject);
}
if (authenticated)
{
// Warning! This "taints" thread local. Make sure you pop it off the stack as soon as
- // you're done with it.
- SecurityActions.pushSubjectContext(principal, passwordChars, subject,
- securityDomain);
+ // you're done with it.
+ SecurityActions.pushSubjectContext(principal, passwordChars, subject, securityDomain);
return subject;
}
else
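Review bot: With the JNDI lookup removed, a missing `securityManagement` injection is only noticed on the first client connection, and it surfaces as an unchecked `SecurityException` thrown from a method declared `throws JMSSecurityException`, so callers that catch the declared type will not see it. The identical guard is added in authorize() in the next hunk. The sucker branch has a related gap: `suckerPassword.equals(password)` dereferences a field with no default, so a bean that never had setSuckerPassword() called fails with a NullPointerException at the same point. Since start() is left empty in a later hunk, a deploy-time check there would catch both before any client reaches the store: `if (securityManagement == null || suckerPassword == null) throw new IllegalStateException("securityManagement and suckerPassword must be set before start()");`. authenticate() begins and ends outside this hunk.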
@@ -222,49 +224,45 @@
public boolean authorize(String user, Set rolePrincipals, CheckType checkType)
{
- if (trace) { log.trace("authorizing user " + user + " for role(s) " + rolePrincipals.toString()); }
-
+ if (trace)
+ {
+ log.trace("authorizing user " + user + " for role(s) " + rolePrincipals.toString());
+ }
+
if (SUCKER_USER.equals(user))
{
- //The special user SUCKER_USER is used for creating internal connections that suck messages between nodes
- //It has automatic read/write access to all destinations
- return (checkType.equals(CheckType.READ) || checkType.equals(CheckType.WRITE));
+ // The special user SUCKER_USER is used for creating internal connections that suck messages between nodes
+ // It has automatic read/write access to all destinations
+ return (checkType.equals(CheckType.READ) || checkType.equals(CheckType.WRITE));
}
Principal principal = user == null ? null : new SimplePrincipal(user);
- if(securityManagement == null)
- {
- try
- {
- lookupSecurityManagement();;
- }
- catch (NamingException e)
- {
- throw new RuntimeException(e);
- }
- }
- AuthorizationManager authorizationManager =
- securityManagement.getAuthorizationManager(securityDomain);
- if(authorizationManager == null)
+ if (securityManagement == null)
+ throw new SecurityException("SecurityManagement has not been set");
+ AuthorizationManager authorizationManager = securityManagement.getAuthorizationManager(securityDomain);
+ if (authorizationManager == null)
throw new SecurityException("AuthorizationManager is null for domain=" + securityDomain);
boolean hasRole = authorizationManager.doesUserHaveRole(principal, rolePrincipals);
- if (trace) { log.trace("user " + user + (hasRole ? " is " : " is NOT ") + "authorized"); }
+ if (trace)
+ {
+ log.trace("user " + user + (hasRole ? " is " : " is NOT ") + "authorized");
+ }
- return hasRole;
+ return hasRole;
}
-
+
// Public --------------------------------------------------------
-
+
public void setSuckerPassword(String password)
- {
- checkDefaultSuckerPassword(password);
-
- this.suckerPassword = password;
- }
-
+ {
+ checkDefaultSuckerPassword(password);
+
+ this.suckerPassword = password;
+ }
+
/**
- * @see JBossASSecurityMetadataStoreMBean#setSecurityManagement(ISecurityManagement)
+ * @see JBossASSecurityMetadataStoreMBean#setSecurityManagement(ISecurityManagement)
*/
public void setSecurityManagement(ISecurityManagement securityManagement)
{
@@ -272,7 +270,7 @@
}
public void start() throws NamingException
- {
+ {
}
public void stop() throws Exception
@@ -287,7 +285,7 @@
public void setSecurityDomain(String securityDomain)
{
this.securityDomain = securityDomain;
- }
+ }
public Element getDefaultSecurityConfig()
{
@@ -306,29 +304,16 @@
// Package Private -----------------------------------------------
// Private -------------------------------------------------------
-
+
private void checkDefaultSuckerPassword(String password)
{
- // Sanity check
- if (DEFAULT_SUCKER_USER_PASSWORD.equals(password))
- {
- log.warn("WARNING! POTENTIAL SECURITY RISK. It has been detected that the MessageSucker component " +
- "which sucks messages from one node to another has not had its password changed from the installation default. " +
- "Please see the JBoss Messaging user guide for instructions on how to do this.");
- }
+ // Sanity check
+ if (DEFAULT_SUCKER_USER_PASSWORD.equals(password))
+ {
+ log
+ .warn("WARNING! POTENTIAL SECURITY RISK. It has been detected that the MessageSucker component "
+ + "which sucks messages from one node to another has not had its password changed from the installation default. "
+ + "Please see the JBoss Messaging user guide for instructions on how to do this.");
+ }
}
-
- /**
- * TODO: This method needs to go when ISecurityManagement is injected
- * by the Microcontainer. (When this exists in messaging-beans.xml
- * rather than messaging-service.xml)
- * @throws NamingException
- */
- private void lookupSecurityManagement() throws NamingException
- {
- InitialContext ic = new InitialContext();
- this.securityManagement = (ISecurityManagement) ic.lookup("java:/securityManagement");
- }
-
- // Inner class ---------------------------------------------------
}
\ No newline at end of file
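Review bot: checkDefaultSuckerPassword() is called with two different values — the configured one from setSuckerPassword() and the client-supplied one from the sucker branch of authenticate() — yet the warning always states that the component "has not had its password changed from the installation default". On the authenticate() path that statement is false whenever a client merely presents the default value, which misleads whoever reads the log while investigating. Either restrict the call to the setter or document the dual use on the method, for example `/** Warns when {@code password} equals the installation default; called from setSuckerPassword() with the configured value and from authenticate() with the value supplied by the client. */`.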
Modified: trunk/server/src/etc/conf/default/login-config.xml
===================================================================
--- trunk/server/src/etc/conf/default/login-config.xml 2008-07-29 22:40:32 UTC (rev 76443)
+++ trunk/server/src/etc/conf/default/login-config.xml 2008-07-29 23:50:53 UTC (rev 76444)
@@ -38,65 +38,6 @@
</authentication>
</application-policy>
- <!-- <application-policy name="messaging">
- <authentication>
- <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
- <module-option name="unauthenticatedIdentity">guest</module-option>
- <module-option name="usersProperties">props/messaging-users.properties</module-option>
- <module-option name="rolesProperties">props/messaging-roles.properties</module-option>
- </login-module>
- </authentication>
- </application-policy> -->
-
- <application-policy name="messaging">
- <authentication>
- <login-module
- code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
- flag="required">
- <module-option name="unauthenticatedIdentity">
- guest
- </module-option>
- <module-option name="dsJndiName">
- java:/DefaultDS
- </module-option>
- <module-option name="principalsQuery">
- SELECT PASSWD FROM JBM_USER WHERE USER_ID=?
- </module-option>
- <module-option name="rolesQuery">
- SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?
- </module-option>
- </login-module>
- </authentication>
- </application-policy>
-
-
-
- <!-- Security domain for JBossMQ
- <application-policy name="jbossmq">
- <authentication>
- <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
- flag="required">
- <module-option name="unauthenticatedIdentity">guest</module-option>
- <module-option name="dsJndiName">java:/DefaultDS</module-option>
- <module-option name="principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
- <module-option name="rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
- </login-module>
- </authentication>
- </application-policy>
- -->
-
- <!-- Security domain for JBossMQ when using file-state-service.xml
- <application-policy name = "jbossmq">
- <authentication>
- <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
- flag = "required">
- <module-option name = "unauthenticatedIdentity">guest</module-option>
- <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
- </login-module>
- </authentication>
- </application-policy>
- -->
-
<!-- Security domains for testing new jca framework -->
<application-policy name="HsqlDbRealm">
<authentication>