[jboss-cvs] Picketbox SVN: r359 - in trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security: auth/spi and 1 other directory.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Thu Nov 15 08:34:33 EST 2012
Author: tfonteyn
Date: 2012-11-15 08:34:32 -0500 (Thu, 15 Nov 2012)
New Revision: 359
Modified:
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/AltClientLoginModule.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/ClientLoginModule.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/DatabaseServerLoginModule.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/ProxyLoginModule.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/RunAsLoginModule.java
Log:
[SECURITY-638] security modules option check
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/AltClientLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/AltClientLoginModule.java 2012-10-12 20:20:28 UTC (rev 358)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/AltClientLoginModule.java 2012-11-15 13:34:32 UTC (rev 359)
@@ -23,6 +23,8 @@
import java.security.Principal;
+import java.util.Arrays;
+import java.util.HashSet;
import java.util.Map;
import java.util.Set;
@@ -62,6 +64,17 @@
*/
public class AltClientLoginModule implements LoginModule
{
+ private static final String MULTI_TREADED = "multi-threaded";
+ private static final String PASSWORD_STACKING = "password-stacking";
+ private static final String PRINCIPAL_CLASS = "principalClass";
+
+ private static final String[] ALL_VALID_OPTIONS =
+ {
+ MULTI_TREADED,PASSWORD_STACKING,PRINCIPAL_CLASS,
+
+ SecurityConstants.SECURITY_DOMAIN_OPTION
+ };
+
private Subject subject;
private CallbackHandler callbackHandler;
/** Shared state between login modules */
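Review bot: The new constant name `MULTI_TREADED` is misspelled for the option `"multi-threaded"`, and the same misspelled name is introduced in ClientLoginModule in this commit; both are private, so renaming now to `private static final String MULTI_THREADED = "multi-threaded";` (with its uses in the two initialize hunks) is free, whereas it will be copied forward otherwise. Separately, `PRINCIPAL_CLASS = "principalClass"` is added as a private constant in four classes here (AltClientLoginModule, ClientLoginModule, ProxyLoginModule, RunAsLoginModule) while the sibling option is already shared as `SecurityConstants.SECURITY_DOMAIN_OPTION`; one shared constant next to it would keep the per-module option whitelists from drifting apart. The class body continues outside this hunk.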
@@ -77,7 +90,19 @@
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String,?> sharedState, Map<String,?> options)
{
- this.subject = subject;
+ /* TODO: this module should really extend AbstractServerLoginModule where the options check is integrated.
+ * the code here has been intentionally kept identical
+ */
+ HashSet<String> validOptions = new HashSet<String>(Arrays.asList(ALL_VALID_OPTIONS));
+ for (Object key : options.keySet())
+ {
+ if (!validOptions.contains((String)key))
+ {
+ PicketBoxLogger.LOGGER.warnInvalidModuleOption((String)key);
+ }
+ }
+
+ this.subject = subject;
this.callbackHandler = callbackHandler;
this.sharedState = sharedState;
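Review bot: The option-check loop iterates `Object key` and casts to `String` twice, but `options` is declared `Map<String,?>`, so `for (String key : options.keySet()) { if (!validOptions.contains(key)) { PicketBoxLogger.LOGGER.warnInvalidModuleOption(key); } }` is equivalent and drops both casts. The HashSet is also rebuilt from the constant array on every initialize() call; building it once as a `private static final Set<String>` alongside ALL_VALID_OPTIONS would state that the whitelist is fixed. The identical loop is added to ClientLoginModule.initialize in this commit and the TODO already records the duplication, so whichever cleanup is applied should be applied to both. initialize() continues beyond the hunk.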
@@ -86,22 +111,22 @@
options.get(SecurityConstants.SECURITY_DOMAIN_OPTION));
// Check for multi-threaded option
- String mt = (String) options.get("multi-threaded");
+ String mt = (String) options.get(MULTI_TREADED);
if( Boolean.valueOf(mt).booleanValue() == true )
{
/* Turn on the server mode which uses thread local storage for
the principal information.
*/
- PicketBoxLogger.LOGGER.debugModuleOption("multi-threaded", mt);
+ PicketBoxLogger.LOGGER.debugModuleOption(MULTI_TREADED, mt);
}
/* Check for password sharing options. Any non-null value for
password_stacking sets useFirstPass as this module has no way to
validate any shared password.
*/
- String passwordStacking = (String) options.get("password-stacking");
+ String passwordStacking = (String) options.get(PASSWORD_STACKING);
useFirstPass = passwordStacking != null;
- PicketBoxLogger.LOGGER.debugModuleOption("password-stacking", passwordStacking);
+ PicketBoxLogger.LOGGER.debugModuleOption(PASSWORD_STACKING, passwordStacking);
}
/**
@@ -208,4 +233,4 @@
SecurityAssociationActions.clear();
return true;
}
-}
\ No newline at end of file
+}
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/ClientLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/ClientLoginModule.java 2012-10-12 20:20:28 UTC (rev 358)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/ClientLoginModule.java 2012-11-15 13:34:32 UTC (rev 359)
@@ -23,6 +23,8 @@
import java.io.IOException;
import java.security.Principal;
+import java.util.Arrays;
+import java.util.HashSet;
import java.util.Map;
import java.util.Set;
@@ -68,6 +70,18 @@
*/
public class ClientLoginModule implements LoginModule
{
+ private static final String MULTI_TREADED = "multi-threaded";
+ private static final String RESTORE_LOGIN_IDENTITY = "restore-login-identity";
+ private static final String PASSWORD_STACKING = "password-stacking";
+ private static final String PRINCIPAL_CLASS = "principalClass";
+
+ private static final String[] ALL_VALID_OPTIONS =
+ {
+ MULTI_TREADED,RESTORE_LOGIN_IDENTITY,PASSWORD_STACKING,PRINCIPAL_CLASS,
+
+ SecurityConstants.SECURITY_DOMAIN_OPTION
+ };
+
private Subject subject;
private CallbackHandler callbackHandler;
/** The principal set during login() */
@@ -94,6 +108,18 @@
public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String,?> sharedState, Map<String,?> options)
{
+ /* TODO: this module should really extend AbstractServerLoginModule where the options check is integrated.
+ * the code here has been intentionally kept identical
+ */
+ HashSet<String> validOptions = new HashSet<String>(Arrays.asList(ALL_VALID_OPTIONS));
+ for (Object key : options.keySet())
+ {
+ if (!validOptions.contains((String)key))
+ {
+ PicketBoxLogger.LOGGER.warnInvalidModuleOption((String)key);
+ }
+ }
+
this.subject = subject;
this.callbackHandler = callbackHandler;
this.sharedState = sharedState;
@@ -103,13 +129,13 @@
options.get(SecurityConstants.SECURITY_DOMAIN_OPTION));
// Check for multi-threaded option
- String flag = (String) options.get("multi-threaded");
+ String flag = (String) options.get(MULTI_TREADED);
if (Boolean.valueOf(flag).booleanValue() == true)
{
/* Turn on the server mode which uses thread local storage for
the principal information.
*/
- PicketBoxLogger.LOGGER.debugModuleOption("multi-threaded", flag);
+ PicketBoxLogger.LOGGER.debugModuleOption(MULTI_TREADED, flag);
}
/**
@@ -121,17 +147,17 @@
SecurityAssociationActions.setClient();
}
- flag = (String) options.get("restore-login-identity");
+ flag = (String) options.get(RESTORE_LOGIN_IDENTITY);
restoreLoginIdentity = Boolean.valueOf(flag).booleanValue();
- PicketBoxLogger.LOGGER.debugModuleOption("restory-login-identity", flag);
+ PicketBoxLogger.LOGGER.debugModuleOption(RESTORE_LOGIN_IDENTITY, flag);
/* Check for password sharing options. Any non-null value for
password_stacking sets useFirstPass as this module has no way to
validate any shared password.
*/
- String passwordStacking = (String) options.get("password-stacking");
+ String passwordStacking = (String) options.get(PASSWORD_STACKING);
useFirstPass = passwordStacking != null;
- PicketBoxLogger.LOGGER.debugModuleOption("password-stacking", passwordStacking);
+ PicketBoxLogger.LOGGER.debugModuleOption(PASSWORD_STACKING, passwordStacking);
//Cache the existing security context
this.cachedSecurityContext = SecurityAssociationActions.getSecurityContext();
@@ -262,4 +288,4 @@
principals.remove(loginPrincipal);
return true;
}
-}
\ No newline at end of file
+}
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/DatabaseServerLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/DatabaseServerLoginModule.java 2012-10-12 20:20:28 UTC (rev 358)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/DatabaseServerLoginModule.java 2012-11-15 13:34:32 UTC (rev 359)
@@ -80,7 +80,7 @@
private static final String[] ALL_VALID_OPTIONS =
{
- DS_JNDI_NAME,ROLES_QUERY,SUSPEND_RESUME,PRINCIPALS_QUERY
+ DS_JNDI_NAME,ROLES_QUERY,SUSPEND_RESUME,PRINCIPALS_QUERY,TRANSACTION_MANAGER_JNDI_NAME
};
/** The JNDI name of the DataSource to use */
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java 2012-10-12 20:20:28 UTC (rev 358)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapExtLoginModule.java 2012-11-15 13:34:32 UTC (rev 359)
@@ -169,16 +169,42 @@
private static final String ALLOW_EMPTY_PASSWORDS = "allowEmptyPasswords";
private static final String[] ALL_VALID_OPTIONS =
{
- ROLES_CTX_DN_OPT,ROLE_ATTRIBUTE_ID_OPT,
- ROLE_NAME_ATTRIBUTE_ID_OPT,PARSE_ROLE_NAME_FROM_DN_OPT,
- BIND_DN,BIND_CREDENTIAL,BASE_CTX_DN,BASE_FILTER_OPT,
- ROLE_FILTER_OPT,ROLE_RECURSION,DEFAULT_ROLE,
- SEARCH_TIME_LIMIT_OPT,SEARCH_SCOPE_OPT,SECURITY_DOMAIN_OPT,
- DISTINGUISHED_NAME_ATTRIBUTE_OPT,PARSE_USERNAME,USERNAME_BEGIN_STRING,USERNAME_END_STRING,
- ALLOW_EMPTY_PASSWORDS,
-
- Context.INITIAL_CONTEXT_FACTORY,Context.SECURITY_AUTHENTICATION,Context.SECURITY_PROTOCOL,
- Context.PROVIDER_URL,Context.SECURITY_PRINCIPAL,Context.SECURITY_CREDENTIALS
+ ROLES_CTX_DN_OPT,
+ ROLE_ATTRIBUTE_ID_OPT,
+ ROLE_ATTRIBUTE_IS_DN_OPT,
+ ROLE_NAME_ATTRIBUTE_ID_OPT,
+ PARSE_ROLE_NAME_FROM_DN_OPT,
+ BIND_DN,
+ BIND_CREDENTIAL,
+ BASE_CTX_DN,
+ BASE_FILTER_OPT,
+ ROLE_FILTER_OPT,
+ ROLE_RECURSION,
+ DEFAULT_ROLE,
+ SEARCH_TIME_LIMIT_OPT,
+ SEARCH_SCOPE_OPT,
+ SECURITY_DOMAIN_OPT,
+ DISTINGUISHED_NAME_ATTRIBUTE_OPT,
+ PARSE_USERNAME,
+ USERNAME_BEGIN_STRING,
+ USERNAME_END_STRING,
+ ALLOW_EMPTY_PASSWORDS,
+
+ Context.INITIAL_CONTEXT_FACTORY,
+ Context.OBJECT_FACTORIES,
+ Context.STATE_FACTORIES,
+ Context.URL_PKG_PREFIXES,
+ Context.PROVIDER_URL,
+ Context.DNS_URL,
+ Context.AUTHORITATIVE,
+ Context.BATCHSIZE,
+ Context.REFERRAL,
+ Context.SECURITY_PROTOCOL,
+ Context.SECURITY_AUTHENTICATION,
+ Context.SECURITY_PRINCIPAL,
+ Context.SECURITY_CREDENTIALS,
+ Context.LANGUAGE,
+ Context.APPLET
};
protected String bindDN;
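Review bot: The fifteen `Context.*` entries appended to ALL_VALID_OPTIONS here are repeated verbatim in LdapLoginModule's list in this same commit; a single shared `String[]` of the standard JNDI environment keys (in a common superclass or SecurityConstants) concatenated into each module's array would keep the two whitelists from diverging again, as they had before this commit. Whether every added key such as `Context.APPLET` or `Context.LANGUAGE` is actually consumed by these modules is not visible from the hunk; since the check only warns, an over-inclusive list is harmless, but a short comment above the block, e.g. `// standard JNDI environment keys, accepted so they are not reported as unknown options`, would record why they are listed. The class continues outside the hunk.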
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java 2012-10-12 20:20:28 UTC (rev 358)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/LdapLoginModule.java 2012-11-15 13:34:32 UTC (rev 359)
@@ -188,13 +188,35 @@
private static final String[] ALL_VALID_OPTIONS =
{
- PRINCIPAL_DN_PREFIX_OPT,PRINCIPAL_DN_SUFFIX_OPT,ROLES_CTX_DN_OPT,USER_ROLES_CTX_DN_ATTRIBUTE_ID_OPT,
- UID_ATTRIBUTE_ID_OPT,ROLE_ATTRIBUTE_ID_OPT,MATCH_ON_USER_DN_OPT,
- ROLE_ATTRIBUTE_IS_DN_OPT,ROLE_NAME_ATTRIBUTE_ID_OPT,
- SEARCH_TIME_LIMIT_OPT,SEARCH_SCOPE_OPT,SECURITY_DOMAIN_OPT,ALLOW_EMPTY_PASSWORDS,
-
- Context.INITIAL_CONTEXT_FACTORY,Context.SECURITY_AUTHENTICATION,Context.SECURITY_PROTOCOL,
- Context.PROVIDER_URL,Context.SECURITY_PRINCIPAL,Context.SECURITY_CREDENTIALS
+ PRINCIPAL_DN_PREFIX_OPT,
+ PRINCIPAL_DN_SUFFIX_OPT,
+ ROLES_CTX_DN_OPT,
+ USER_ROLES_CTX_DN_ATTRIBUTE_ID_OPT,
+ UID_ATTRIBUTE_ID_OPT,
+ ROLE_ATTRIBUTE_ID_OPT,
+ MATCH_ON_USER_DN_OPT,
+ ROLE_ATTRIBUTE_IS_DN_OPT,
+ ROLE_NAME_ATTRIBUTE_ID_OPT,
+ SEARCH_TIME_LIMIT_OPT,
+ SEARCH_SCOPE_OPT,
+ SECURITY_DOMAIN_OPT,
+ ALLOW_EMPTY_PASSWORDS,
+
+ Context.INITIAL_CONTEXT_FACTORY,
+ Context.OBJECT_FACTORIES,
+ Context.STATE_FACTORIES,
+ Context.URL_PKG_PREFIXES,
+ Context.PROVIDER_URL,
+ Context.DNS_URL,
+ Context.AUTHORITATIVE,
+ Context.BATCHSIZE,
+ Context.REFERRAL,
+ Context.SECURITY_PROTOCOL,
+ Context.SECURITY_AUTHENTICATION,
+ Context.SECURITY_PRINCIPAL,
+ Context.SECURITY_CREDENTIALS,
+ Context.LANGUAGE,
+ Context.APPLET
};
public LdapLoginModule()
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/ProxyLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/ProxyLoginModule.java 2012-10-12 20:20:28 UTC (rev 358)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/ProxyLoginModule.java 2012-11-15 13:34:32 UTC (rev 359)
@@ -33,6 +33,7 @@
import org.jboss.logging.Logger;
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.PicketBoxMessages;
+import org.jboss.security.SecurityConstants;
/** A proxy LoginModule that loads a delegate LoginModule using
the current thread context class loader. The purpose of this
@@ -50,10 +51,12 @@
{
// see AbstractServerLoginModule
private static final String MODULE_NAME = "moduleName";
+ private static final String PRINCIPAL_CLASS = "principalClass";
private static final String[] ALL_VALID_OPTIONS =
{
- MODULE_NAME
+ MODULE_NAME,PRINCIPAL_CLASS,
+ SecurityConstants.SECURITY_DOMAIN_OPTION
};
protected Logger log;
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/RunAsLoginModule.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/RunAsLoginModule.java 2012-10-12 20:20:28 UTC (rev 358)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/auth/spi/RunAsLoginModule.java 2012-11-15 13:34:32 UTC (rev 359)
@@ -32,6 +32,7 @@
import org.jboss.security.PicketBoxLogger;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityContextAssociation;
+import org.jboss.security.SecurityConstants;
/** A login module that establishes a run-as role for the duration of the login
* phase of authentication. It can be used to allow another login module
@@ -44,10 +45,13 @@
{
private static final String ROLE_NAME = "roleName";
private static final String PRINCIPLE_NAME = "principalName";
+ private static final String PRINCIPAL_CLASS = "principalClass";
private static final String[] ALL_VALID_OPTIONS =
{
- ROLE_NAME,PRINCIPLE_NAME
+ ROLE_NAME,PRINCIPLE_NAME,PRINCIPAL_CLASS,
+
+ SecurityConstants.SECURITY_DOMAIN_OPTION
};
private String roleName;