[jboss-cvs] JBossAS SVN: r103354 - trunk/tomcat/src/main/java/org/jboss/web/tomcat/security.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Wed Mar 31 14:20:29 EDT 2010


Author: anil.saldhana at jboss.com
Date: 2010-03-31 14:20:28 -0400 (Wed, 31 Mar 2010)
New Revision: 103354

Modified:
   trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java
Log:
JBAS-7881: flag to bypass jboss authz and rely on Tomcat realmbase authz only, if the admin chooses, for performance reasons

Modified: trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java
===================================================================
--- trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java	2010-03-31 17:47:39 UTC (rev 103353)
+++ trunk/tomcat/src/main/java/org/jboss/web/tomcat/security/JBossWebRealm.java	2010-03-31 18:20:28 UTC (rev 103354)
@@ -117,6 +117,10 @@
     * false - consider, true - do not consider
     */
    protected boolean ignoreBaseDecision = false;
+
+   /**
+    * Should we rely on RealmBase Authorization Check Alone? */
+   protected boolean ignoreJBossAuthorization = false;
    
    protected static boolean securityManagerFallback = false;
    
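Review bot: The Javadoc on `ignoreJBossAuthorization` is phrased as a question and does not say what `true` means, although the flag switches off an authorization layer. I would spell out the semantics the way the neighbouring `ignoreBaseDecision` comment does, for example `/** true - skip the JBoss authorization framework and rely on the RealmBase check alone; false (default) - consult both. Must not be true together with ignoreBaseDecision. */`. The mutual-exclusion rule is otherwise only discoverable from the exception message in the setters.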
@@ -176,8 +180,18 @@
    public void setIgnoreBaseDecision(boolean ignoreBaseDecision)
    {
       this.ignoreBaseDecision = ignoreBaseDecision;
+      if( ignoreBaseDecision && ignoreJBossAuthorization )
+         throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
    }
 
+
+   public void setIgnoreJBossAuthorization(boolean ignoreJBossAuthz )
+   {
+      this.ignoreJBossAuthorization = ignoreJBossAuthz;
+      if( ignoreBaseDecision && ignoreJBossAuthorization )
+         throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+   }
+
    //*************************************************************************
    //   Realm.Authenticate Methods
    //************************************************************************* 
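Review bot: Both setters assign the field before checking the combination, so a rejected call still leaves the realm with both flags true. After that, the guards added to hasRole and hasUserDataPermission throw on every request. Validate first and assign only when the pair is consistent. The same two-line guard and message now appear four times (both setters, hasRole, hasUserDataPermission), so a small private helper would keep them in one place. IllegalArgumentException is a RuntimeException, so callers catching the current type are unaffected.

```java
   public void setIgnoreBaseDecision(boolean ignoreBaseDecision)
   {
      checkAuthorizationFlags( ignoreBaseDecision, this.ignoreJBossAuthorization );
      this.ignoreBaseDecision = ignoreBaseDecision;
   }

   public void setIgnoreJBossAuthorization(boolean ignoreJBossAuthz )
   {
      checkAuthorizationFlags( this.ignoreBaseDecision, ignoreJBossAuthz );
      this.ignoreJBossAuthorization = ignoreJBossAuthz;
   }

   private static void checkAuthorizationFlags(boolean ignoreBase, boolean ignoreJBossAuthz)
   {
      if( ignoreBase && ignoreJBossAuthz )
         throw new IllegalArgumentException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
   }
```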
@@ -531,6 +545,9 @@
     */
    public boolean hasRole(Principal principal, String role)
    {
+      if( ignoreBaseDecision && ignoreJBossAuthorization )
+         throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+
       String servletName = null;
       //WebProgrammaticAuthentication does not go through hasResourcePermission
       //and hence the activeRequest thread local may not be set
@@ -571,7 +588,7 @@
       boolean authzDecision = false;
       boolean baseDecision = ignoreBaseDecision ? true : super.hasRole(principal, role);
 
-      if (baseDecision)
+      if (baseDecision && !ignoreJBossAuthorization )
       {
          SecurityContext sc = SecurityAssociationActions.getSecurityContext();
 
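Review bot: When `ignoreJBossAuthorization` is true the block guarded by `if (baseDecision && !ignoreJBossAuthorization )` is skipped, so `authzDecision` keeps its initial value `false`. The rest of hasRole lies outside this hunk, so how the return value is computed is not visible. If it still requires `authzDecision` to be true, every role check would be denied with the flag set, instead of falling back to the RealmBase result. Please confirm the return path uses `baseDecision` alone in that case, and mark it with a comment such as `// ignoreJBossAuthorization: RealmBase decision is final, authzDecision is not consulted`. A test that sets the flag and asserts a role granted by RealmBase is accepted would pin this down.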
@@ -613,9 +630,12 @@
    public boolean hasUserDataPermission(Request request, Response response, SecurityConstraint[] constraints)
          throws IOException
    {
+      if( ignoreBaseDecision && ignoreJBossAuthorization )
+         throw new RuntimeException( "One of ignoreBaseDecision or ignoreJBossAuthorization should be false" );
+
       boolean ok = ignoreBaseDecision ? true : super.hasUserDataPermission(request, response, constraints);
       //If the realmbase check has passed, then we can go to authz framework
-      if (ok)
+      if (ok && !ignoreJBossAuthorization )
       {
          Principal requestPrincipal = request.getPrincipal();
          establishSubjectContext(requestPrincipal);
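Review bot: With `ignoreJBossAuthorization` set, the condition `ok && !ignoreJBossAuthorization` skips the whole block, including `establishSubjectContext(requestPrincipal)`, not only the authorization-framework call. Whether anything later in the request relies on that subject context is not visible here, as the method body continues outside the hunk. It is worth confirming and then documenting at the condition, for example `// ignoreJBossAuthorization: RealmBase result is final; subject context is not established here`.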
@@ -1054,4 +1074,4 @@
       }
       return policyRegistration;
    }
-}
\ No newline at end of file
+}



