[jboss-dev-forums] [Design of Security on JBoss] - Legacy client SecurityAssociation
adrian@jboss.org
do-not-reply at jboss.com
Tue Jun 24 13:09:08 EDT 2008
This work:
http://jira.jboss.com/jira/browse/SECURITY-75
isn't much use without this:
http://jira.jboss.com/jira/browse/SECURITY-125
Most clients (if they used the SecurityAssociation api) will be using it on the client side
to do a single login for the entire jvm.
When the SecurityAssociation is not in server mode, it doesn't work at all with JBoss5.
e.g. You can see this in org.jboss.test.jmx.test.DeployXMBeanUnitTestCase
The following patch makes it work:
| [ejort at warjort testsuite]$ svn diff
| Index: src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java
| ===================================================================
| --- src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java (revision 74958)
| +++ src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java (working copy)
| @@ -487,6 +487,7 @@
| }
|
| SimplePrincipal jduke = new SimplePrincipal("jduke");
| + SecurityAssociation.setServer();
| SecurityAssociation.setPrincipal(jduke);
| SecurityAssociation.setCredential("theduke".toCharArray());
| naming.bind(hello, "HelloBinding", "java.lang.String");
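Review bot: The added `SecurityAssociation.setServer()` flips a process-wide mode for which no corresponding reset call appears anywhere in the quoted API, so every test that runs later in the same JVM inherits server-mode semantics instead of the single JVM-wide client login described at the top of the post; the same line is added again in the hunk at @@ -536. The grep output further down (SAThreadLocalUnitTestCase, SAInheritableThreadLocalUnitTestCase) pairs setServer() with the `org.jboss.security.SecurityAssociation.ThreadLocal` system property, which suggests — to be confirmed against the implementation — that in server mode the principal and credential become thread-scoped, so a thread other than the one calling setPrincipal/setCredential would not see them. If this stays in as a stop-gap, mark it as such, `// Workaround for SECURITY-125: force server mode so setPrincipal/setCredential are honoured under JBoss5; remove once the legacy client mapping is fixed`, and clear the principal/credential in tearDown with `SecurityAssociation.clear()`, which other tests in the listing already use, since the mode switch itself cannot be undone from what is shown here. The enclosing test method starts and ends outside the hunk.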
| @@ -536,6 +537,7 @@
| Name hello = ctx.getNameParser("").parse("Hello");
|
| SimplePrincipal jduke = new SimplePrincipal("jduke");
| + SecurityAssociation.setServer();
| SecurityAssociation.setPrincipal(jduke);
| SecurityAssociation.setCredential("theduke".toCharArray());
|
But that isn't the correct fix.
There's a tonne of other code in the JBoss5 testsuite still using the SecurityAssociation:
| [ejort at warjort test]$ grep -ri SecurityAssociation * | grep -v svn
| aop/bean/SecurityTester.java: //SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("somebody"), password);
| aop/bean/SecurityTester.java: /*SecurityAssociation.popSubjectContext();
| aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("authfail"), password);
| aop/bean/SecurityTester.java: SecurityAssociation.popSubjectContext();
| aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("rolefail"), password);
| aop/bean/SecurityTester.java: SecurityAssociation.popSubjectContext();
| aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("pass"), password);
| aop/bean/SimpleBeanTester.java:import org.jboss.security.SecurityAssociation;
| cluster/invokerha/HAService.java:import org.jboss.security.SecurityAssociation;
| cluster/invokerha/HAService.java: SecurityAssociation.setPrincipal(principal);
| cluster/invokerha/HAService.java: SecurityAssociation.setCredential(credential);
| cluster/invokerha/HAService.java: SecurityAssociation.clear();
| jacc/test/portal/BasePortalJaccTestCase.java:import org.jboss.security.SecurityAssociation;
| jacc/test/portal/BasePortalJaccTestCase.java: SecurityAssociation.setSubject(subject);
| jmx/interceptors/PrincipalInterceptor.java:import org.jboss.security.SecurityAssociation;
| jmx/interceptors/PrincipalInterceptor.java: Principal caller = SecurityAssociation.getPrincipal();
| jmx/interceptors/JNDISecurity.java:import org.jboss.security.SecurityAssociation;
| jmx/interceptors/JNDISecurity.java: SecurityAssociation.pushSubjectContext(subject, principal, credential);
| jmx/interceptors/JNDISecurity.java: SecurityAssociation.popSubjectContext();
| jmx/test/DeployXMBeanUnitTestCase.java:import org.jboss.security.SecurityAssociation;
| jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setServer();
| jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setPrincipal(jduke);
| jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setCredential("theduke".toCharArray());
| jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setPrincipal(guest);
| jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setCredential("guest".toCharArray());
| jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setServer();
| jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setPrincipal(jduke);
| jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setCredential("theduke".toCharArray());
| naming/test/SecurityUnitTestCase.java:import org.jboss.security.SecurityAssociation;
| naming/test/SecurityUnitTestCase.java: Principal p = SecurityAssociation.getPrincipal();
| naming/test/SecurityUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal is null", p == null);
| security/interceptors/ClientEncryptionInterceptor.java:import org.jboss.security.SecurityAssociation;
| security/interceptors/ClientEncryptionInterceptor.java: Subject subject = SecurityAssociation.getSubject();
| security/interceptors/ServerEncryptionInterceptor.java:import org.jboss.security.SecurityAssociation;
| security/interceptors/ServerEncryptionInterceptor.java: Subject subject = SecurityAssociation.getSubject();
| security/ejb/SubjectSessionBean.java:import org.jboss.security.SecurityAssociation;
| security/ejb/SubjectSessionBean.java: * SecurityAssociation.getSubject and PolicyContext. This will not run under
| security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("enter", callerPrincipals);
| security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("post stateless", callerPrincipals);
| security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("post stateful", callerPrincipals);
| security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("exit", callerPrincipals);
| security/ejb/SubjectSessionBean.java: * Get the active subject as seen by the jboss SecurityAssociation
| security/ejb/SubjectSessionBean.java: protected void validateSecurityAssociationSubject(String ctx, Set callerPrincipals)
| security/ejb/SubjectSessionBean.java: Subject caller = SecurityAssociation.getSubject();
| security/ejb/SubjectSessionBean.java: String msg = ctx+", SecurityAssociation subject: "+caller
| security/ejb/SecuredBean.java: * SecurityAssociation.getSubject and PolicyContext. This will not run under
| security/test/SecurityMgrStressTestCase.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
| security/test/SecurityMgrStressTestCase.java: //SecurityAssociation.setServer();
| security/test/SecurityMgrStressTestCase.java: JaasSecurityManager secMgr = new JaasSecurityManager("testIdentity", new SecurityAssociationHandler());
| security/test/SecurityMgrStressTestCase.java: //SecurityAssociation.pushSubjectContext(subject, user, "any");
| security/test/ClientLoginModuleUnitTestCase.java:import org.jboss.security.SecurityAssociation;
| security/test/ClientLoginModuleUnitTestCase.java: ClientLoginModuleUnitTestCase/SecurityAssociation interaction tests
| security/test/ClientLoginModuleUnitTestCase.java: //Clear SecurityAssociation
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.clear();
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == theduke", saPrincipal.equals(theduke));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setPrincipal(jduke1);
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setCredential("theduke1");
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke2", saPrincipal.equals(jduke2));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke1", saPrincipal.equals(jduke1));
| security/test/ClientLoginModuleUnitTestCase.java: String theduke1 = (String) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject1, jduke1, "theduke1");
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject2, jduke2, "theduke2");
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke3", saPrincipal.equals(jduke3));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc3 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke3", sc3.getPrincipal().equals(jduke3));
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc2 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke2", sc2.getPrincipal().equals(jduke2));
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.popSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc1 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke1", sc1.getPrincipal().equals(jduke1));
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == theduke", saPrincipal.equals(theduke));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setPrincipal(jduke1);
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setCredential("theduke1");
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke2", saPrincipal.equals(jduke2));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke1", saPrincipal.equals(jduke1));
| security/test/ClientLoginModuleUnitTestCase.java: String theduke1 = (String) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject1, jduke1, "theduke1");
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject2, jduke2, "theduke2");
| security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke3", saPrincipal.equals(jduke3));
| security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc3 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke3", sc3.getPrincipal().equals(jduke3));
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc2 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke2", sc2.getPrincipal().equals(jduke2));
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.popSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc1 = SecurityAssociation.peekSubjectContext();
| security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke1", sc1.getPrincipal().equals(jduke1));
| security/test/SRPLoginModuleUnitTestCase.java:import org.jboss.security.SecurityAssociation;
| security/test/SRPLoginModuleUnitTestCase.java: Principal user = SecurityAssociation.getPrincipal();
| security/test/SRPLoginModuleUnitTestCase.java: byte[] key = (byte[]) SecurityAssociation.getCredential();
| security/test/SAThreadLocalUnitTestCase.java:import org.jboss.security.SecurityAssociation;
| security/test/SAThreadLocalUnitTestCase.java: SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
| security/test/SAThreadLocalUnitTestCase.java: * SecurityAssociation.getSubject() == authSubject
| security/test/SAThreadLocalUnitTestCase.java: * SecurityAssociation.getPrincipal() == authPrincipal
| security/test/SAThreadLocalUnitTestCase.java: Subject s = SecurityAssociation.getSubject();
| security/test/SAThreadLocalUnitTestCase.java: Principal p = SecurityAssociation.getPrincipal();
| security/test/SAThreadLocalUnitTestCase.java: System.setProperty("org.jboss.security.SecurityAssociation.ThreadLocal", "true");
| security/test/SAThreadLocalUnitTestCase.java: SecurityAssociation.setServer();
| security/test/LoginModulesUnitTestCase.java:import org.jboss.security.SecurityAssociation;
| security/test/LoginModulesUnitTestCase.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
| security/test/LoginModulesUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
| security/test/LoginModulesUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == scott", saPrincipal.equals(scott));
| security/test/LoginModulesUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
| security/test/LoginModulesUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == scott2", saPrincipal.equals(scott2));
| security/test/LoginModulesUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
| security/test/LoginModulesUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == scott", saPrincipal.equals(scott));
| security/test/LoginModulesUnitTestCase.java: SecurityAssociation.setPrincipal(new SimplePrincipal("jduke2"));
| security/test/LoginModulesUnitTestCase.java: SecurityAssociation.setCredential("theduke2".toCharArray());
| security/test/LoginModulesUnitTestCase.java: SecurityAssociationHandler handler = new SecurityAssociationHandler(x509, cert);
| security/test/LoginModulesUnitTestCase.java: SecurityAssociationHandler handler = new SecurityAssociationHandler(x509, cert);
| security/test/SAInheritableThreadLocalUnitTestCase.java:import org.jboss.security.SecurityAssociation;
| security/test/SAInheritableThreadLocalUnitTestCase.java: * Test the expected security context exists via the SecurityAssociation accessors
| security/test/SAInheritableThreadLocalUnitTestCase.java: SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
| security/test/SAInheritableThreadLocalUnitTestCase.java: SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
| security/test/SAInheritableThreadLocalUnitTestCase.java: * SecurityAssociation.getSubject() == authSubject
| security/test/SAInheritableThreadLocalUnitTestCase.java: * SecurityAssociation.getPrincipal() == authPrincipal
| security/test/SAInheritableThreadLocalUnitTestCase.java: Subject s = SecurityAssociation.getSubject();
| security/test/SAInheritableThreadLocalUnitTestCase.java: Principal p = SecurityAssociation.getPrincipal();
| security/test/SAInheritableThreadLocalUnitTestCase.java: System.setProperty("org.jboss.security.SecurityAssociation.ThreadLocal", "false");
| security/test/SAInheritableThreadLocalUnitTestCase.java: SecurityAssociation.setServer();
| security/test/SubjectContextUnitTestCase.java:import org.jboss.security.SecurityAssociation;
| security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
| security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
| security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
| security/test/JaasSecurityManagerUnitTestCase.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
| security/test/JaasSecurityManagerUnitTestCase.java: CallbackHandler handler = new SecurityAssociationHandler(jduke, "theduke".toCharArray());
| security/test/JaasSecurityManagerUnitTestCase.java: CallbackHandler handler = new SecurityAssociationHandler(jduke, "theduke".toCharArray());
| securitymgr/ejb/IOStatelessSessionBean.java:import org.jboss.security.SecurityAssociation;
| securitymgr/ejb/BadBean.java:import org.jboss.security.SecurityAssociation;
| securitymgr/ejb/BadBean.java: return SecurityAssociation.getPrincipal();
| securitymgr/ejb/BadBean.java: return SecurityAssociation.getCredential();
| securitymgr/ejb/BadBean.java: SecurityAssociation.setPrincipal(user);
| securitymgr/ejb/BadBean.java: SecurityAssociation.setCredential(password);
| securitymgr/ejb/BadBean.java: Subject s = SecurityAssociation.getSubject();
| securitymgr/ejb/BadBean.java: Subject s = SecurityAssociation.getSubject();
| securitymgr/ejb/BadBean.java: SecurityAssociation.pushSubjectContext(s, null, null);
| securitymgr/ejb/BadBean.java: SecurityAssociation.popRunAsIdentity();
| securitymgr/ejb/BadBean.java: SecurityAssociation.pushRunAsIdentity(runAs);
| securitymgr/test/SecurityUnitTestCase.java: /** Test that a bean cannot access the SecurityAssociation class
| securitymgr/test/PolicyUnitTestCase.java: /** Test that a bean cannot access the SecurityAssociation class
| securitymgr/test/PolicyUnitTestCase.java: public void testSecurityAssociation() throws Exception
| securitymgr/test/PolicyUnitTestCase.java: log.debug("+++ testSecurityAssociation()");
| web/test/FormAuthUnitTestCase.java: * a SecurityAssociation setting Subject.
| web/security/JASPISecurityFilter.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
| web/security/JASPISecurityFilter.java: CallbackHandler cbh = new SecurityAssociationHandler();
| web/servlets/SecureServlet.java:import org.jboss.security.SecurityAssociation;
| web/servlets/SecureServlet.java: // Assert that there is a valid SecurityAssociation Subject
| web/servlets/SecureServlet.java: Subject subject = SecurityAssociation.getSubject();
| webservice/jbws309/JBWS309TestCase.java:import org.jboss.security.SecurityAssociation;
| webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setPrincipal(null);
| webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setCredential(null);
| webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setPrincipal(new SimplePrincipal(USERNAME));
| webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setCredential(PASSWORD);
|
Some of these are probably running on the server side so the mapping should work?