User: starksm 
  Date: 01/06/15 01:26:02

  Modified:    src/main/org/jboss/security/plugins JaasSecurityManager.java
                        JaasSecurityManagerService.java
  Log:
  Initialize the SecurityAssociation server mode in JaasSecurityManagerService
  
  Revision  Changes    Path
  1.7       +54 -29    
jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManager.java
  
  Index: JaasSecurityManager.java
  ===================================================================
  RCS file: 
/cvsroot/jboss/jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManager.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- JaasSecurityManager.java  2001/06/11 06:23:39     1.6
  +++ JaasSecurityManager.java  2001/06/15 08:26:02     1.7
  @@ -51,10 +51,12 @@
   
   @author <a href="[EMAIL PROTECTED]">Oleg Nitz</a>
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.6 $
  +@version $Revision: 1.7 $
   */
   public class JaasSecurityManager implements SubjectSecurityManager, RealmMapping
   {
  +    /** The authentication cache object.
  +     */
       public static class DomainInfo
       {
           Subject subject;
  @@ -70,7 +72,7 @@
           the appName into the SecurityPolicy.
        */
       private String securityDomain;
  -    /** A cache of DomainInfo objects.
  +    /** A cache of DomainInfo objects keyd by Principal.
        */
       private CachePolicy domainCache;
       /** The custom JAAS policy. This may be null if a custom
  @@ -153,6 +155,12 @@
           this.domainCache = domainCache;
       }
   
  +    public void flushCache()
  +    {
  +        if( domainCache != null )
  +            domainCache.flush();
  +    }
  +
       public void setSecurityPolicyName(String jndiName) throws NamingException
       {
           InitialContext ctx = new InitialContext();
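Review bot: The new `flushCache()` is the only public method this commit adds without a Javadoc block, and its security effect is not obvious from the name. Suggested header: `/** Discards every cached DomainInfo entry, so the next isValid() or doesUserHaveRole() call for any principal must re-authenticate through the login modules. A no-op when no cache policy has been set. */`. Since the cached entries also hold the authenticated credential (the `info.credential = credential` assignment later in this file), flushing is also the way to purge credentials from memory, and the comment could say so.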
  @@ -176,7 +184,14 @@
           return (Subject) activeSubject.get();
       }
   
  -    /** Validate that the given credential is correct for principal.
  +    /** Validate that the given credential is correct for principal. This first
  +     will check the current CachePolicy object if one exists to see if the
  +     user's cached credentials match the given credential. If there is no
  +     credential cache or the cache information is invalid or does not match,
  +     the user is authenticated against the JAAS login modules configured for
  +     the security domain.
  +    @param principal, the security domain principal attempting access
  +    @param credential, the proof of identity offered by the principal
       @return true if the principal was authenticated, false otherwise.
        */
       public boolean isValid(Principal principal, Object credential)
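Review bot: The added `@param principal, the security domain principal ...` and `@param credential, the proof ...` tags put a comma directly after the parameter name; javadoc takes the first token as the name, so `principal,` will not match the actual parameter and the tags will be flagged or dropped. Write them as `@param principal the security domain principal attempting access` and `@param credential the proof of identity offered by the principal`. The same form appears in the new doesUserHaveRole(Principal, Principal) Javadoc further down in this file. The body of isValid lies outside this hunk.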
  @@ -240,29 +255,6 @@
               DomainInfo info = null;
               if( domainCache != null )
                   info = (DomainInfo) domainCache.get(principal);
  -            if( info == null )
  -            {    /* If there is no domain cache then this subject mgr is being used
  -                     for role mapping only and the subject has been authenticated by
  -                     some other mgr. We have to authenticate against this domain to
  -                     obtain the subject roles and then restore the current subject.
  -                 */
  -                 try
  -                 {
  -                     Object credential = SecurityAssociation.getCredential();
  -                     if( authenticate(principal, credential) == false )
  -                     {    /* The subject does not authenticate across domains,
  -                             we can't do role mapping */
  -                         System.out.println("Warning, "+securityDomain+" could not 
perform role mapping for: "+principal);
  -                         return false;
  -                     }
  -                     if( domainCache != null )
  -                         info = (DomainInfo) domainCache.get(principal);
  -                 }
  -                 finally
  -                 {
  -                     activeSubject.set(subject);
  -                 }
  -            }
   
               Group roles = null;
               if( info != null )
  @@ -279,8 +271,37 @@
           }
           return hasRole;
       }
  +
  +    /** Validates operational environment Principal against the specified
  +        application domain role.
  +    @param principal, the caller principal as known in the operation environment.
  +    @param role, the application domain role that the principal is to be validated 
against.
  +    @return true if the principal has the role, false otherwise.
  +     */
  +    public boolean doesUserHaveRole(Principal principal, Principal role)
  +    {
  +        boolean hasRole = false;
  +        Subject subject = getActiveSubject();
  +        if( subject != null )
  +        {
  +            DomainInfo info = null;
  +            if( domainCache != null )
  +                info = (DomainInfo) domainCache.get(principal);
  +
  +            Group roles = null;
  +            if( info != null )
  +                roles = info.roles;
  +            if( roles != null )
  +            {
  +                hasRole = roles.isMember(role);
  +            }
  +        }
  +        return hasRole;
  +    }
  +
  +    /** Currently this simply calls defaultLogin() to do a JAAS login using the
  +     security domain name as the login module configuration name.
   
  -    /**
        * @param principal, the user id to authenticate
        * @param credential, an opaque credential.
        * @return false on failure, true on success.
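Review bot: The new `doesUserHaveRole(Principal, Principal)` repeats the cache lookup of the preceding overload (whose closing `return hasRole; }` is the context at the top of this hunk) line for line; extracting it into one private helper keeps the two role checks from drifting apart. Note also that, with the cross-domain re-authentication fallback removed by the earlier hunk in this file, a missing or expired cache entry now yields `false` here, which is fail-closed but should be stated in the Javadoc, e.g. add `Returns false when the principal has no cached DomainInfo (not yet authenticated here, or the cache entry has expired).` to the method comment. The `Subject subject = getActiveSubject()` value is used only as a null guard and is never compared against the cached entry, which the comment should make explicit. The Javadoc fragment at the end of the hunk belongs to a method whose body is outside it.
```java
/** Looks up the cached roles for principal; null when there is no cache, no entry, or no roles. */
private Group getCachedRoles(Principal principal)
{
    DomainInfo info = null;
    if( domainCache != null )
        info = (DomainInfo) domainCache.get(principal);
    return info != null ? info.roles : null;
}

public boolean doesUserHaveRole(Principal principal, Principal role)
{
    boolean hasRole = false;
    Subject subject = getActiveSubject();
    if( subject != null )
    {
        Group roles = getCachedRoles(principal);
        if( roles != null )
            hasRole = roles.isMember(role);
    }
    return hasRole;
}
```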
  @@ -377,10 +398,13 @@
           info.subject = subject;
           info.credential = credential;
   
  -        // If we don't have a cache policy create a default timed cache
  +        /* If we don't have a cache policy create a default timed cache
  +         that has an 1800 sec lifetime, is thread-safe, and a resolution
  +         of 60 seconds.
  +         */
           if( domainCache == null )
           {
  -            domainCache = new TimedCachePolicy();
  +            domainCache = new TimedCachePolicy(1800, true, 60);
               try
               {
                   domainCache.init();
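Review bot: The `new TimedCachePolicy(1800, true, 60)` call hard-codes the cache lifetime and resolution as bare literals, and the comment two lines above is the only place their meaning is recorded. Because each cached DomainInfo also carries the authenticated credential (`info.credential = credential` at the top of the hunk), the 1800 value also fixes how long a credential stays resident in memory, so it deserves named constants that a maintainer can find and a later commit can make configurable: `private static final int DEFAULT_CACHE_TIMEOUT_SECS = 1800;` and `private static final int DEFAULT_CACHE_RESOLUTION_SECS = 60;`, then `domainCache = new TimedCachePolicy(DEFAULT_CACHE_TIMEOUT_SECS, true, DEFAULT_CACHE_RESOLUTION_SECS);`. The comment should also read "a 1800 sec lifetime" rather than "an 1800 sec". The enclosing method starts and ends outside this hunk.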
  @@ -418,4 +442,5 @@
               domainCache.remove(principal);
           domainCache.insert(principal, info);
       }
  +
   }
  
  
  
  1.2       +11 -5     
jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java
  
  Index: JaasSecurityManagerService.java
  ===================================================================
  RCS file: 
/cvsroot/jboss/jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- JaasSecurityManagerService.java   2001/04/11 01:54:46     1.1
  +++ JaasSecurityManagerService.java   2001/06/15 08:26:02     1.2
  @@ -30,6 +30,7 @@
   import javax.management.ObjectName;
   
   import org.jboss.logging.Log;
  +import org.jboss.security.SecurityAssociation;
   import org.jboss.security.SecurityProxyFactory;
   import org.jboss.util.ServiceMBeanSupport;
   
  @@ -48,11 +49,11 @@
    *   @see SubjectSecurityManager
    *   @author <a href="[EMAIL PROTECTED]">Oleg Nitz</a>
    *   @author <a href="[EMAIL PROTECTED]">Rickard Oberg</a>
  - *   @author <a href="mailto:[EMAIL PROTECTED]";>Scott Stark</a>
  + *   @author <a href="mailto:[EMAIL PROTECTED]";>Scott Stark</a>
    */
   public class JaasSecurityManagerService
           extends ServiceMBeanSupport
  -        implements JaasSecurityManagerServiceMBean, ObjectFactory
  +        implements JaasSecurityManagerServiceMBean
   {
       /** The class that provides the security manager implementation */
       private static String securityMgrClassName;
  @@ -70,6 +71,8 @@
   
       public JaasSecurityManagerService()
       {
  +        // use thread-local principal and credential propagation
  +        SecurityAssociation.setServer();
           try
           {   // Use JaasSecurityManager as the default 
               
setSecurityManagerClassName("org.jboss.security.plugins.JaasSecurityManager");
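Review bot: `SecurityAssociation.setServer()` is a static call placed in the constructor, so it runs every time a service instance is created and its effect presumably applies to the whole VM rather than to this instance; the added comment does not say this. Suggested comment: `// Static, VM-wide switch: puts SecurityAssociation into server mode (thread-local principal/credential) for every caller, not just this service instance`. If the mode is meant to follow the service lifecycle it would belong in startService() rather than the constructor, but that depends on SecurityAssociation's semantics, which are not visible here. The constructor's try block continues past the end of this hunk.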
  @@ -134,9 +137,10 @@
           InitialContext ic = new InitialContext();
   
           // Bind reference to SM subcontext in JNDI
  -        // Uses JNDI federation to handle the "java:jaas" context ourselves
  +        // Uses JNDI federation to handle the "java:/jaas" context ourselves
           RefAddr refAddr = new StringRefAddr("nns", "JSM");
  -        Reference jsmsRef = new Reference("javax.naming.Context", 
refAddr,getClass().getName(), null);
  +        String factoryName = SecurityDomainObjectFactory.class.getName();
  +        Reference jsmsRef = new Reference("javax.naming.Context", refAddr, 
factoryName, null);
           Context ctx = new InitialContext();
           ctx.rebind("java:/jaas", jsmsRef);
   
  @@ -175,6 +179,8 @@
   
      // ObjectFactory implementation ----------------------------------
   
  +    public static class SecurityDomainObjectFactory implements ObjectFactory
  +    {
        /**
         * Object factory implementation. This method is a bit tricky as it is called 
twice for each
       * JSM lookup. Let's say the lookup is for "java:jaas/MySecurity". Then this 
will first be 
  @@ -248,11 +254,11 @@
                   catch(Exception e2)
                   {
   e2.printStackTrace();
  -                    log.exception(e2);
                       throw e2;
                   }
               }
               return ctx;
           }
  +    }
       }
   }
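Review bot: Dropping `log.exception(e2)` leaves `e2.printStackTrace()` (context line above the removal) as the only record of the failure, written to stderr outside the service's logging, and the exception is rethrown on the very next line anyway. Either delete the `printStackTrace()` call as well and let the caller report the rethrown exception, or give the new static nested class its own logger and replace the stderr print with it; the current mix is the worst of both. The method containing this catch starts outside the hunk, so the enclosing try cannot be checked from here.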
  
  
  
