[portal-commits] JBoss Portal SVN: r11821 - in branches/JBoss_Portal_2_6_6_JBPORTAL-2109: cms/src/main/org/jboss/portal/cms/impl/jcr/ha and 2 other directories.
Fri Sep 5 16:34:27 EDT 2008
Author: sohil.shah at jboss.com
Date: 2008-09-05 16:34:27 -0400 (Fri, 05 Sep 2008)
New Revision: 11821
Modified:
branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/impl/jcr/JCRCMS.java
branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/impl/jcr/ha/HAJCRCMS.java
branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/security/AuthorizationProviderImpl.java
branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-sar/conf/hibernate/cms/domain.hbm.xml
branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-sar/conf/hibernate/cms/hibernate.cfg.xml
Log:
JBPORTAL-2109 - CMS Security Issue with LDAP/Clustered mode
Modified: branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/impl/jcr/JCRCMS.java
===================================================================
--- branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/impl/jcr/JCRCMS.java 2008-09-05 16:52:34 UTC (rev 11820)
+++ branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/impl/jcr/JCRCMS.java 2008-09-05 20:34:27 UTC (rev 11821)
@@ -68,6 +68,7 @@
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Locale;
+import java.util.Set;
/**
@@ -114,15 +115,13 @@
/** Used for storing the logged in user information */
protected static ThreadLocal userInfo = new ThreadLocal();
-
public static ThreadLocal getUserInfo()
{
return JCRCMS.userInfo;
- }
+ }
/** This is used to turnoff workflow triggering only for this particular request through the CMS commands */
protected static ThreadLocal turnOffWorkflow = new ThreadLocal();
-
public static void turnOffWorkflow()
{
turnOffWorkflow.set(new Boolean(true));
@@ -156,6 +155,21 @@
return isUISecurityFilterActive;
}
+
+ /**
+ * Used for propagating user's role information from different nodes of a cluster to the
+ * HASingleton Master Node currently processing CMS requests
+ */
+ protected static ThreadLocal userRoles = new ThreadLocal();
+ public static Set<String> getRoles()
+ {
+ return (Set<String>)userRoles.get();
+ }
+ public static void setRoles(Set<String> roles)
+ {
+ userRoles.set(roles);
+ }
+
public JCRCMS()
{
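Review bot: The new `userRoles` ThreadLocal has a setter but nothing ever removes the value, so a role set stored on a pooled thread survives into the next request that thread serves, and the `@@ -582,6 +596,11 @@` hunk only assigns when the propagated value is non-null, which leaves the previous request's roles in place when none were propagated. Add `public static void clearRoles() { userRoles.remove(); }` beside `setRoles`, call it in a `finally` once the command has executed, and in that later hunk call `JCRCMS.setRoles(roles);` unconditionally so a null overwrites any stale value. Declaring the field as `ThreadLocal<Set<String>>` would also remove the unchecked cast in `getRoles`.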
@@ -582,6 +596,11 @@
{
JCRCMS.enableUISecurityFilter();
}
+ Set<String> roles = (Set<String>)propagatedContext.getClusterContextInfo("roles");
+ if(roles != null)
+ {
+ JCRCMS.setRoles(roles);
+ }
}
// .... add new nodes & properties and save them
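Review bot: The role set read from `propagatedContext` becomes the caller's effective roles with no check beyond non-null, so authorization decisions on the master node now depend on the integrity of whatever put that entry into the cluster context; that trust assumption should be written next to the cast, e.g. `// Trusted as-is: the invoking node computed these from its authenticated Subject, so the HA channel must be reachable by cluster members only`. The method containing this hunk begins and ends outside it.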
Modified: branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/impl/jcr/ha/HAJCRCMS.java
===================================================================
--- branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/impl/jcr/ha/HAJCRCMS.java 2008-09-05 16:52:34 UTC (rev 11820)
+++ branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/impl/jcr/ha/HAJCRCMS.java 2008-09-05 20:34:27 UTC (rev 11821)
@@ -22,6 +22,15 @@
******************************************************************************/
package org.jboss.portal.cms.impl.jcr.ha;
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+import javax.security.jacc.PolicyContext;
+import javax.security.jacc.PolicyContextException;
+
import org.apache.log4j.Logger;
import org.jboss.portal.cms.CMSException;
import org.jboss.portal.cms.Command;
@@ -31,6 +40,7 @@
import org.jboss.portal.cms.model.CMSUser;
import org.jboss.portal.identity.User;
import org.jboss.portal.jems.ha.HASingletonInvoker;
+import org.jboss.portal.security.impl.jacc.JACCPortalPrincipal;
/**
* Extend the JCR CMS and make it run as an ha singleton.
@@ -62,6 +72,17 @@
User user = (User)this.getUserInfo().get();
JCRCommandContext context = this.getCommandContext((JCRCommand)cmd);
context.setClusterContextInfo("user", new CMSUser(user.getUserName()));
+
+ try
+ {
+ //Propagate the currently authenticated Subject's roles to the Master Node
+ Set<String> roles = this.getCurrentRoles();
+ context.setClusterContextInfo("roles", roles);
+ }
+ catch(PolicyContextException e)
+ {
+ throw new CMSException(e);
+ }
}
//Add the Workflow ThreadLocal variable to the Command Context for propagation to the Master Node
@@ -77,7 +98,7 @@
{
JCRCommandContext context = this.getCommandContext((JCRCommand)cmd);
context.setClusterContextInfo("enableUISecurityFilter", Boolean.TRUE);
- }
+ }
// Use the proxy to invoke on the singleton
Object returnValue = null;
@@ -206,4 +227,40 @@
return context;
}
+
+ private Set getCurrentRoles() throws PolicyContextException
+ {
+ Set<String> roles = new HashSet<String>();
+
+ // Get the current authenticated subject through the JACC contract
+ Subject subject = (Subject)PolicyContext.getContext("javax.security.auth.Subject.container");
+
+ if (subject != null)
+ {
+ Set tmp = subject.getPrincipals(JACCPortalPrincipal.class);
+ JACCPortalPrincipal pp = null;
+ for (Iterator i = tmp.iterator(); i.hasNext();)
+ {
+ pp = (JACCPortalPrincipal)i.next();
+ if (pp != null)
+ {
+ break;
+ }
+ }
+ if (pp == null)
+ {
+ pp = new JACCPortalPrincipal(subject);
+ tmp.add(pp);
+
+ // Lazy create all the permission containers for the given role names
+ for (Iterator i = pp.getRoles().iterator(); i.hasNext();)
+ {
+ Principal role = (Principal)i.next();
+ roles.add(role.getName());
+ }
+ }
+ }
+
+ return roles;
+ }
}
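Review bot: The loop that copies role names into `roles` sits inside `if (pp == null)`, so when the Subject already carries a `JACCPortalPrincipal` (the `break` case) the method returns an empty set and the master node receives no roles for precisely the users whose principal was already built on the invoking node; the loop over `pp.getRoles()` has to run for both the found and the freshly created principal. `Subject.getPrincipals(Class)` returns a copy, so `tmp.add(pp)` does not attach the new principal to the Subject and can be dropped, and the signature should return `Set<String>` rather than raw `Set` to match the local it returns. The rewritten body is below.
```java
private Set<String> getCurrentRoles() throws PolicyContextException
{
   Set<String> roles = new HashSet<String>();
   // … unchanged: fetch the Subject from the JACC PolicyContext …
   if (subject != null)
   {
      // … unchanged: search tmp for an existing JACCPortalPrincipal into pp …
      if (pp == null)
      {
         pp = new JACCPortalPrincipal(subject);
      }
      // Collect role names for the found or the newly created principal
      for (Iterator i = pp.getRoles().iterator(); i.hasNext();)
      {
         Principal role = (Principal)i.next();
         roles.add(role.getName());
      }
   }
   return roles;
}
```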
Modified: branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/security/AuthorizationProviderImpl.java
===================================================================
--- branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/security/AuthorizationProviderImpl.java 2008-09-05 16:52:34 UTC (rev 11820)
+++ branches/JBoss_Portal_2_6_6_JBPORTAL-2109/cms/src/main/org/jboss/portal/cms/security/AuthorizationProviderImpl.java 2008-09-05 20:34:27 UTC (rev 11821)
@@ -26,6 +26,7 @@
import org.hibernate.Session;
import org.hibernate.Transaction;
import org.jboss.portal.cms.hibernate.state.Tools;
+import org.jboss.portal.cms.impl.jcr.JCRCMS;
import org.jboss.portal.identity.AnonymousRole;
import org.jboss.portal.identity.IdentityContext;
import org.jboss.portal.identity.IdentityServiceController;
@@ -567,7 +568,7 @@
// Get the current authenticated subject through the JACC contract
Subject subject = (Subject)PolicyContext.getContext("javax.security.auth.Subject.container");
-
+
if (subject != null)
{
Set tmp = subject.getPrincipals(JACCPortalPrincipal.class);
@@ -593,6 +594,13 @@
}
}
}
+
+ if(roles.isEmpty())
+ {
+ //Check and see if roles are found propagated via the cluster context
+ roles = JCRCMS.getRoles();
+ }
+
return roles;
}
}
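Review bot: `JCRCMS.getRoles()` returns null when nothing was propagated on the current thread, so this fallback turns what was a non-null empty set into null for every non-clustered caller without roles; guard it with `Set<String> propagated = JCRCMS.getRoles(); if (propagated != null) { roles = propagated; }`. Because the fallback fires whenever the local Subject yields no roles, it also relies on that ThreadLocal being cleared after each invocation — otherwise a role-less local user on the same thread could inherit the roles of an earlier propagated request. The enclosing method starts outside the hunk.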
Modified: branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-sar/conf/hibernate/cms/domain.hbm.xml
===================================================================
--- branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-sar/conf/hibernate/cms/domain.hbm.xml 2008-09-05 16:52:34 UTC (rev 11820)
+++ branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-sar/conf/hibernate/cms/domain.hbm.xml 2008-09-05 20:34:27 UTC (rev 11821)
@@ -277,7 +277,7 @@
<!-- mapping to persist CMS Fine Grained Security related objects -->
<class name="org.jboss.portal.cms.security.PermRoleAssoc" table="jbp_cms_perm_role">
- <cache usage="read-write"/>
+ <cache usage="@portal.hibernate.cache.usage@"/>
<id
name="id"
column="ID"
@@ -292,7 +292,7 @@
/>
</class>
<class name="org.jboss.portal.cms.security.PermUserAssoc" table="jbp_cms_perm_user">
- <cache usage="read-write"/>
+ <cache usage="@portal.hibernate.cache.usage@"/>
<id
name="id"
column="ID"
@@ -307,7 +307,7 @@
/>
</class>
<class name="org.jboss.portal.cms.security.Criteria" table="jbp_cms_perm_criteria">
- <cache usage="read-write"/>
+ <cache usage="@portal.hibernate.cache.usage@"/>
<id
name="id"
column="ID"
@@ -328,7 +328,7 @@
/>
</class>
<class name="org.jboss.portal.cms.security.Permission" table="jbp_cms_perm">
- <cache usage="read-write"/>
+ <cache usage="@portal.hibernate.cache.usage@"/>
<id
name="id"
column="ID"
@@ -337,19 +337,19 @@
</id>
<!-- one-to-many association with the criteria object -->
<set name="criteria" lazy="false" table="jbp_cms_perm_criteria" cascade="all-delete-orphan">
- <cache usage="read-write"/>
+ <cache usage="@portal.hibernate.cache.usage@"/>
<key column="CMS_PERM_ID"/>
<one-to-many class="org.jboss.portal.cms.security.Criteria"/>
</set>
<!-- many-to-many association with the role object -->
<set name="roleAssoc" lazy="false" cascade="all-delete-orphan">
- <cache usage="read-write"/>
+ <cache usage="@portal.hibernate.cache.usage@"/>
<key column="CMS_PERM_ID"/>
<one-to-many class="org.jboss.portal.cms.security.PermRoleAssoc"/>
</set>
<!-- many-to-many association with the user object -->
<set name="userAssoc" lazy="false" cascade="all-delete-orphan">
- <cache usage="read-write"/>
+ <cache usage="@portal.hibernate.cache.usage@"/>
<key column="CMS_PERM_ID"/>
<one-to-many class="org.jboss.portal.cms.security.PermUserAssoc"/>
</set>
Modified: branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-sar/conf/hibernate/cms/hibernate.cfg.xml
===================================================================
--- branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-sar/conf/hibernate/cms/hibernate.cfg.xml 2008-09-05 16:52:34 UTC (rev 11820)
+++ branches/JBoss_Portal_2_6_6_JBPORTAL-2109/core-cms/src/resources/portal-cms-sar/conf/hibernate/cms/hibernate.cfg.xml 2008-09-05 20:34:27 UTC (rev 11821)
@@ -33,8 +33,23 @@
<!-- caching properties -->
<property name="cache.use_second_level_cache">true</property>
<property name="cache.use_query_cache">true</property>
- <property name="cache.provider_configuration_file_resource_path">conf/hibernate/cms/ehcache.xml</property>
- <property name="cache.provider_class">org.hibernate.cache.EhCacheProvider</property>
+
+ <!--
+ | Uncomment in clustered mode : use transactional replicated cache
+ @portal.single.xml.close@
+ <property name="cache.provider_class">org.jboss.portal.jems.hibernate.JMXTreeCacheProvider</property>
+ <property name="cache.object_name">portal:service=TreeCacheProvider,type=hibernate</property>
+ @portal.single.xml.open@
+ -->
+
+ <!--
+ | Comment in clustered mode
+ @portal.clustered.xml.close@
+ <property name="cache.provider_configuration_file_resource_path">conf/hibernate/portal/ehcache.xml</property>
+ <property name="cache.provider_class">org.hibernate.cache.EhCacheProvider</property>
+ @portal.clustered.xml.open@
+ -->
+
<!-- managed environment transaction configuration -->
<property name="hibernate.transaction.manager_lookup_class">org.hibernate.transaction.JBossTransactionManagerLookup</property>
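Review bot: The single-node block now points at `conf/hibernate/portal/ehcache.xml`, whereas the line it replaces used `conf/hibernate/cms/ehcache.xml`; if the CMS module is meant to keep its own cache region definitions this path change silently switches it to the portal's file, so either restore `conf/hibernate/cms/ehcache.xml` or state in the comment why the portal file is now shared. The two blocks appear to be toggled by the `@portal.single.xml.*@` and `@portal.clustered.xml.*@` tokens, presumably at build time; saying so in the comment header, e.g. `| Build-time tokens select one of these two blocks; do not edit by hand`, would stop the next reader from uncommenting them manually.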