[jboss-cvs] JBossAS SVN: r81761 - in trunk/profileservice: src/main/org/jboss/profileservice/remoting and 1 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Fri Nov 28 05:31:02 EST 2008
Author: scott.stark at jboss.org
Date: 2008-11-28 05:31:01 -0500 (Fri, 28 Nov 2008)
New Revision: 81761
Added:
trunk/profileservice/src/main/org/jboss/profileservice/remoting/SecurityActions.java
Modified:
trunk/profileservice/.classpath
trunk/profileservice/build.xml
trunk/profileservice/src/main/org/jboss/profileservice/remoting/ProfileServiceInvocationHandler.java
trunk/profileservice/src/main/org/jboss/profileservice/remoting/ProxyFactory.java
trunk/profileservice/src/resources/profileservice-jboss-beans.xml
Log:
JBAS-6137, add hooks for securing the profileservice management views
Modified: trunk/profileservice/.classpath
===================================================================
--- trunk/profileservice/.classpath 2008-11-28 10:26:08 UTC (rev 81760)
+++ trunk/profileservice/.classpath 2008-11-28 10:31:01 UTC (rev 81761)
@@ -16,5 +16,6 @@
<classpathentry kind="lib" path="/thirdparty/junit/lib/junit.jar" sourcepath="/thirdparty/junit/lib/junit-src.zip"/>
<classpathentry kind="con" path="org.eclipse.jdt.junit.JUNIT_CONTAINER/3"/>
<classpathentry kind="lib" path="/thirdparty/jboss/aop/lib/jboss-aop.jar"/>
+ <classpathentry kind="lib" path="/thirdparty/jboss/jboss-security-spi/lib/jboss-security-spi.jar" sourcepath="/thirdparty/jboss/jboss-security-spi/lib/jboss-security-spi-sources.jar"/>
<classpathentry kind="output" path="output/eclipse-classes"/>
</classpath>
Modified: trunk/profileservice/build.xml
===================================================================
--- trunk/profileservice/build.xml 2008-11-28 10:26:08 UTC (rev 81760)
+++ trunk/profileservice/build.xml 2008-11-28 10:31:01 UTC (rev 81761)
@@ -81,6 +81,7 @@
<path refid="jboss.microcontainer.classpath"/>
<path refid="jboss.profileservice.spi.classpath"/>
<path refid="jboss.remoting.classpath"/>
+ <path refid="jboss.jboss.security.spi.classpath"/>
<path refid="jboss.jbossxb.classpath"/>
<path refid="sun.jaxb.classpath"/>
<path refid="stax.api.classpath"/>
Modified: trunk/profileservice/src/main/org/jboss/profileservice/remoting/ProfileServiceInvocationHandler.java
===================================================================
--- trunk/profileservice/src/main/org/jboss/profileservice/remoting/ProfileServiceInvocationHandler.java 2008-11-28 10:26:08 UTC (rev 81760)
+++ trunk/profileservice/src/main/org/jboss/profileservice/remoting/ProfileServiceInvocationHandler.java 2008-11-28 10:31:01 UTC (rev 81761)
@@ -21,12 +21,17 @@
*/
package org.jboss.profileservice.remoting;
+import java.security.Principal;
+
import org.jboss.aop.joinpoint.InvocationResponse;
import org.jboss.aspects.remoting.AOPRemotingInvocationHandler;
import org.jboss.deployers.spi.management.ManagementView;
import org.jboss.deployers.spi.management.deploy.DeploymentManager;
+import org.jboss.logging.Logger;
import org.jboss.remoting.InvocationRequest;
import org.jboss.remoting.ServerInvocationHandler;
+import org.jboss.security.ISecurityManagement;
+import org.jboss.security.SecurityContext;
/**
* The remoting ServerInvocationHandler implementation for the ProfileService.
@@ -39,8 +44,16 @@
public class ProfileServiceInvocationHandler extends AOPRemotingInvocationHandler
implements ServerInvocationHandler
{
+ private static Logger log = Logger.getLogger(ProfileServiceInvocationHandler.class);
+
+ /** The ManagementView proxy */
private ManagementView mgtViewProxy;
+ /** The DeploymentManager proxy */
private DeploymentManager deployMgrProxy;
+ /** The profile service security domain name */
+ private String securityDomain = "profileservice";
+ /** The security management layer to use in the security context setup */
+ private ISecurityManagement securityManagement;
public ManagementView getManagementViewProxy()
{
@@ -51,7 +64,6 @@
this.mgtViewProxy = mgtViewProxy;
}
-
public DeploymentManager getDeployMgrProxy()
{
return deployMgrProxy;
@@ -61,9 +73,29 @@
this.deployMgrProxy = deployMgrProxy;
}
+ public String getSecurityDomain()
+ {
+ return securityDomain;
+ }
+ public void setSecurityDomain(String securityDomain)
+ {
+ this.securityDomain = securityDomain;
+ }
+
+ public ISecurityManagement getSecurityManagement()
+ {
+ return securityManagement;
+ }
+ public void setSecurityManagement(ISecurityManagement securityManagement)
+ {
+ this.securityManagement = securityManagement;
+ }
public Object invoke(InvocationRequest invocation)
throws Throwable
{
+ // Create a security context for the invocation
+ establishSecurityContext(invocation);
+
InvocationResponse value = (InvocationResponse) super.invoke(invocation);
if( value.getResponse() instanceof ManagementView )
{
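Review bot: The security context that `invoke` installs through `establishSecurityContext(invocation)` is never cleared or restored after `super.invoke(invocation)` returns or throws. If the association is per-thread, as the `SecurityContextAssociation` name suggests, a pooled remoting worker thread keeps the last caller's context until some later call overwrites it. Wrap the dispatch and the response handling in `try { ... } finally { SecurityActions.setSecurityContext(null); }`, or save the previous context and put it back there. The body of `invoke` continues past this hunk, so the `finally` has to enclose the proxy-substitution branches as well.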
@@ -79,4 +111,12 @@
return value;
}
+ private void establishSecurityContext(InvocationRequest invocation) throws Exception
+ {
+ SecurityContext newSC = SecurityActions.createAndSetSecurityContext(securityDomain);
+
+ // Set the SecurityManagement on the context
+ SecurityActions.setSecurityManagement(newSC, securityManagement);
+ log.trace("establishSecurityIdentity:SecCtx="+SecurityActions.trace(newSC));
+ }
}
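Review bot: The `log.trace(...)` call in `establishSecurityContext` builds its message on every invocation, so `SecurityActions.trace(newSC)` runs its privileged block and stringifies the principal and subject even when trace logging is off. Guard it with `if (log.isTraceEnabled())`. The message prefix reads `establishSecurityIdentity` while the method is `establishSecurityContext`, which makes the line harder to find in logs. `securityManagement` is handed to the context without a null check, so a handler whose property was never injected installs a context with no security management. Failing fast with `if (securityManagement == null) throw new IllegalStateException("securityManagement not set");` would surface the misconfiguration, and the unused `invocation` parameter deserves a comment saying why it is there.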
Modified: trunk/profileservice/src/main/org/jboss/profileservice/remoting/ProxyFactory.java
===================================================================
--- trunk/profileservice/src/main/org/jboss/profileservice/remoting/ProxyFactory.java 2008-11-28 10:26:08 UTC (rev 81760)
+++ trunk/profileservice/src/main/org/jboss/profileservice/remoting/ProxyFactory.java 2008-11-28 10:31:01 UTC (rev 81761)
@@ -22,6 +22,7 @@
package org.jboss.profileservice.remoting;
import java.util.ArrayList;
+import java.util.List;
import javax.naming.InitialContext;
@@ -58,6 +59,7 @@
private Proxy psProxy;
private Proxy mgtViewProxy;
private Proxy deployMgrProxy;
+ private List<Interceptor> proxyInterceptors;
public String getDispatchName()
{
@@ -132,6 +134,16 @@
return deployMgrProxy;
}
+
+ public List<Interceptor> getProxyInterceptors()
+ {
+ return proxyInterceptors;
+ }
+ public void setProxyInterceptors(List<Interceptor> proxyInterceptors)
+ {
+ this.proxyInterceptors = proxyInterceptors;
+ }
+
public void start()
throws Exception
{
@@ -141,12 +153,15 @@
// Create the ProfileService proxy
Dispatcher.singleton.registerTarget(dispatchName, ps);
- ArrayList<Interceptor> interceptors = new ArrayList<Interceptor>();
- interceptors.add(SecurityClientInterceptor.singleton);
- interceptors.add(MergeMetaDataInterceptor.singleton);
- interceptors.add(InvokeRemoteInterceptor.singleton);
+ if(proxyInterceptors == null)
+ {
+ proxyInterceptors = new ArrayList<Interceptor>();
+ proxyInterceptors.add(SecurityClientInterceptor.singleton);
+ proxyInterceptors.add(MergeMetaDataInterceptor.singleton);
+ proxyInterceptors.add(InvokeRemoteInterceptor.singleton);
+ }
- psProxy = Remoting.createRemoteProxy(dispatchName, loader, ifaces, locator, interceptors, "ProfileService");
+ psProxy = Remoting.createRemoteProxy(dispatchName, loader, ifaces, locator, proxyInterceptors, "ProfileService");
InitialContext ctx = new InitialContext();
Util.bind(ctx, jndiName, psProxy);
log.debug("Bound ProfileService proxy");
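Review bot: When `proxyInterceptors` is injected, `start()` uses the list exactly as configured, so `SecurityClientInterceptor`, `MergeMetaDataInterceptor` and `InvokeRemoteInterceptor` are added only when the property is left unset. A configured list that omits `SecurityClientInterceptor` (judging by its name, the piece that carries the caller's identity) produces proxies without it, and nothing logs or rejects that. Say so in a Javadoc comment on `setProxyInterceptors`, for example `/** Replaces the default client interceptor stack; the list must itself include the security and remote-invoke interceptors. */`. Since `getProxyInterceptors()` returns the same list that all three proxies are built from, storing a copy such as `new ArrayList<Interceptor>(proxyInterceptors)` would keep later mutation from changing the stack. `start()` begins and ends outside this hunk.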
@@ -155,14 +170,14 @@
Class[] mvIfaces = {ManagementView.class};
String mvDispatchName = dispatchName+".ManagementView";
Dispatcher.singleton.registerTarget(mvDispatchName, mgtView);
- mgtViewProxy = Remoting.createRemoteProxy(mvDispatchName, loader, mvIfaces, locator, interceptors, "ProfileService");
+ mgtViewProxy = Remoting.createRemoteProxy(mvDispatchName, loader, mvIfaces, locator, proxyInterceptors, "ProfileService");
log.debug("Created ManagementView proxy");
// Create the DeploymentManager proxy
Class[] dmIfaces = {DeploymentManager.class};
String dmDispatchName = dispatchName+".DeploymentManager";
Dispatcher.singleton.registerTarget(dmDispatchName, deployMgr);
- deployMgrProxy = Remoting.createRemoteProxy(dmDispatchName, loader, dmIfaces, locator, interceptors, "DeploymentManager");
+ deployMgrProxy = Remoting.createRemoteProxy(dmDispatchName, loader, dmIfaces, locator, proxyInterceptors, "DeploymentManager");
log.debug("Created DeploymentManager proxy");
}
Added: trunk/profileservice/src/main/org/jboss/profileservice/remoting/SecurityActions.java
===================================================================
--- trunk/profileservice/src/main/org/jboss/profileservice/remoting/SecurityActions.java (rev 0)
+++ trunk/profileservice/src/main/org/jboss/profileservice/remoting/SecurityActions.java 2008-11-28 10:31:01 UTC (rev 81761)
@@ -0,0 +1,93 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.profileservice.remoting;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+import org.jboss.security.ISecurityManagement;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityContextFactory;
+import org.jboss.security.SecurityContextAssociation;
+
+/**
+ * Privileged Blocks
+ * @author Anil.Saldhana at redhat.com
+ * @author Scott.Stark at jboss.org
+ * @version $Revision$
+ */
+class SecurityActions
+{
+ static SecurityContext createAndSetSecurityContext(final String domain) throws PrivilegedActionException
+ {
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<SecurityContext>()
+ {
+ public SecurityContext run() throws Exception
+ {
+ SecurityContext sc = SecurityContextFactory.createSecurityContext(domain);
+ setSecurityContext(sc);
+ return sc;
+ }}
+ );
+ }
+
+ static void setSecurityContext(final SecurityContext sc)
+ {
+ AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ SecurityContextAssociation.setSecurityContext(sc);
+ return null;
+ }}
+ );
+ }
+ static void setSecurityManagement(final SecurityContext sc, final ISecurityManagement sm)
+ {
+ AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ sc.setSecurityManagement(sm);
+ return null;
+ }}
+ );
+ }
+ static String trace(final SecurityContext sc)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<String>()
+ {
+ public String run()
+ {
+ StringBuilder sb = new StringBuilder();
+ sb.append(" Principal = " + sc.getUtil().getUserPrincipal());
+ sb.append(" Subject:"+sc.getUtil().getSubject());
+ sb.append(" Incoming run as:"+sc.getIncomingRunAs());
+ sb.append(" Outgoing run as:"+sc.getOutgoingRunAs());
+ return sb.toString();
+ }
+ }
+ );
+ }
+}
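Review bot: `trace()` appends `sc.getUtil().getSubject()` to the log message, and if that is a `javax.security.auth.Subject`, its `toString()` prints private credentials whenever the caller may read them. Because the call sits inside `doPrivileged`, that permission check passes, so credential objects can end up in trace logs. Log only the principals instead, e.g. `sb.append(" Subject principals:" + (subject == null ? null : subject.getPrincipals()));` with `subject` read once from `sc.getUtil().getSubject()`. The class comment `Privileged Blocks` would be more useful if it said that these helpers run with the class's own permissions and must stay package-private. Each method also assumes `sc` is non-null.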
Modified: trunk/profileservice/src/resources/profileservice-jboss-beans.xml
===================================================================
--- trunk/profileservice/src/resources/profileservice-jboss-beans.xml 2008-11-28 10:26:08 UTC (rev 81760)
+++ trunk/profileservice/src/resources/profileservice-jboss-beans.xml 2008-11-28 10:31:01 UTC (rev 81761)
@@ -10,6 +10,44 @@
-->
<deployment xmlns="urn:jboss:bean-deployer:2.0">
+ <bean name="ProfileServiceAuthenticationManager" class="org.jboss.security.AuthenticationManager">
+ <constructor factoryMethod="getAuthenticationManager">
+ <factory bean="JNDIBasedSecurityManagement"/>
+ <parameter>profileservice</parameter>
+ </constructor>
+ </bean>
+ <bean name="ProfileServiceAuthorizationManager" class="org.jboss.security.AuthorizationManager">
+ <constructor factoryMethod="getAuthorizationManager">
+ <factory bean="JNDIBasedSecurityManagement"/>
+ <parameter>profileservice</parameter>
+ </constructor>
+ </bean>
+
+ <interceptor xmlns="urn:jboss:aop-beans:1.0" class="org.jboss.aspects.security.AuthenticationInterceptor">
+ <constructor>
+ <parameter><inject bean="ProfileServiceAuthenticationManager"/></parameter>
+ </constructor>
+ </interceptor>
+ <!-- TODO: the second param is a RealmMapping interface, but the
+ JNDIBasedSecurityManagement.getAuthorizationManager returns an AuthorizationManager.
+ The RoleBasedAuthorizationInterceptor should be updated to accept an
+ AuthorizationManager. This only works because the AuthorizationManager
+ still implements RealmMapping.
+ -->
+ <interceptor xmlns="urn:jboss:aop-beans:1.0" class="org.jboss.aspects.security.RoleBasedAuthorizationInterceptor">
+ <constructor>
+ <parameter><inject bean="ProfileServiceAuthenticationManager"/></parameter>
+ <parameter><inject bean="ProfileServiceAuthorizationManager"/></parameter>
+ </constructor>
+ </interceptor>
+
+<!-- Uncomment to require secure access
+ <bind xmlns="urn:jboss:aop-beans:1.0" pointcut="execution(* $instanceof{org.jboss.deployers.spi.management.ManagementView}->$implements{org.jboss.deployers.spi.management.ManagementView}(..))">
+ <interceptor-ref name="org.jboss.aspects.security.AuthenticationInterceptor"/>
+ <interceptor-ref name="org.jboss.aspects.security.RoleBasedAuthorizationInterceptor"/>
+ </bind>
+-->
+
<bean name="ConnectorMBean">
<constructor factoryClass="org.jboss.mx.util.MBeanTyper" factoryMethod="typeMBean">
<parameter><inject bean="JMXKernel" property="mbeanServer"/></parameter>
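Review bot: The `<bind>` that attaches `AuthenticationInterceptor` and `RoleBasedAuthorizationInterceptor` ships commented out, so with this descriptor the management view stays reachable without authentication unless an administrator edits the file. The pointcut also matches only `org.jboss.deployers.spi.management.ManagementView`. Uncommenting it therefore leaves the `DeploymentManager` and `ProfileService` targets registered by `ProxyFactory` unprotected, as far as this hunk shows. Extend the comment to say both things, for example `<!-- Unsecured by default. Uncomment to require authenticated access to ManagementView; DeploymentManager and ProfileService need their own bindings -->`, or add the matching binds. The `ConnectorMBean` bean that follows continues outside this hunk.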
@@ -18,7 +56,7 @@
</constructor>
<depends>jboss.remoting:service=Connector,transport=socket</depends>
</bean>
-
+
<!--
Add a ProfileService handler to the remoting socket connector
-->
@@ -33,6 +71,8 @@
</uninstall>
<property name="managementViewProxy"><inject bean="ProfileServiceProxyFactory" property="managementViewProxy"/></property>
<property name="deployMgrProxy"><inject bean="ProfileServiceProxyFactory" property="deployMgrProxy"/></property>
+ <property name="securityDomain">profileservice</property>
+ <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
</bean>
<!--