User: starksm Date: 01/06/15 01:26:02 Modified: src/main/org/jboss/security/plugins JaasSecurityManager.java JaasSecurityManagerService.java Log: Initialize the SecurityAssociation server mode in JaasSecurityManagerService Revision Changes Path 1.7 +54 -29 jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManager.java Index: JaasSecurityManager.java =================================================================== RCS file: /cvsroot/jboss/jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManager.java,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- JaasSecurityManager.java 2001/06/11 06:23:39 1.6 +++ JaasSecurityManager.java 2001/06/15 08:26:02 1.7 @@ -51,10 +51,12 @@ @author <a href="[EMAIL PROTECTED]">Oleg Nitz</a> @author [EMAIL PROTECTED] -@version $Revision: 1.6 $ +@version $Revision: 1.7 $ */ public class JaasSecurityManager implements SubjectSecurityManager, RealmMapping { + /** The authentication cache object. + */ public static class DomainInfo { Subject subject; @@ -70,7 +72,7 @@ the appName into the SecurityPolicy. */ private String securityDomain; - /** A cache of DomainInfo objects. + /** A cache of DomainInfo objects keyd by Principal. */ private CachePolicy domainCache; /** The custom JAAS policy. This may be null if a custom @@ -153,6 +155,12 @@ this.domainCache = domainCache; } + public void flushCache() + { + if( domainCache != null ) + domainCache.flush(); + } + public void setSecurityPolicyName(String jndiName) throws NamingException { InitialContext ctx = new InitialContext(); 
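Review bot: The new comment on the domainCache field reads `keyd by Principal`, which should be `keyed by Principal`. The key type is exactly what a reader of the cache lookups in doesUserHaveRole needs, so the line is worth fixing: `/** A cache of DomainInfo objects keyed by Principal. */`.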
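Review bot: flushCache() is added as a public method with no Javadoc, although it is the operator-facing way to drop cached credentials before they time out. Suggested: `/** Flush the authentication cache so that every principal is re-authenticated against the domain's login modules on its next isValid() call; a no-op when no cache policy has been set. */`. The "re-authenticated on the next isValid()" wording follows from the isValid() Javadoc added in the next hunk, so keep the two in step if that lookup order changes.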
@@ -176,7 +184,14 @@ return (Subject) activeSubject.get(); } - /** Validate that the given credential is correct for principal. + /** Validate that the given credential is correct for principal. This first + will check the current CachePolicy object if one exists to see if the + user's cached credentials match the given credential. If there is no + credential cache or the cache information is invalid or does not match, + the user is authenticated against the JAAS login modules configured for + the security domain. + @param principal, the security domain principal attempting access + @param credential, the proof of identity offered by the principal @return true if the principal was authenticated, false otherwise. */ public boolean isValid(Principal principal, Object credential) @@ -240,29 +255,6 @@ DomainInfo info = null; if( domainCache != null ) info = (DomainInfo) domainCache.get(principal); - if( info == null ) - { /* If there is no domain cache then this subject mgr is being used - for role mapping only and the subject has been authenticated by - some other mgr. We have to authenticate against this domain to - obtain the subject roles and then restore the current subject. - */ - try - { - Object credential = SecurityAssociation.getCredential(); - if( authenticate(principal, credential) == false ) - { /* The subject does not authenticate across domains, - we can't do role mapping */ - System.out.println("Warning, "+securityDomain+" could not perform role mapping for: "+principal); - return false; - } - if( domainCache != null ) - info = (DomainInfo) domainCache.get(principal); - } - finally - { - activeSubject.set(subject); - } - } Group roles = null; if( info != null ) 
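Review bot: The new `@param principal, the security domain principal ...` and `@param credential, the proof ...` tags put a comma directly after the parameter name; javadoc takes the first token as the name, so these are reported as unknown parameters and the descriptions do not attach to `principal`/`credential`. Drop the commas: `@param principal the security domain principal attempting access` and `@param credential the proof of identity offered by the principal`. The same pattern appears in the doesUserHaveRole Javadoc added in the @@ -279 hunk (`@param principal,` / `@param role,`) and in the pre-existing authenticate() tags shown as context there.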
@@ -279,8 +271,37 @@ } return hasRole; } + + /** Validates operational environment Principal against the specified + application domain role. + @param principal, the caller principal as known in the operation environment. + @param role, the application domain role that the principal is to be validated against. + @return true if the principal has the role, false otherwise. + */ + public boolean doesUserHaveRole(Principal principal, Principal role) + { + boolean hasRole = false; + Subject subject = getActiveSubject(); + if( subject != null ) + { + DomainInfo info = null; + if( domainCache != null ) + info = (DomainInfo) domainCache.get(principal); + + Group roles = null; + if( info != null ) + roles = info.roles; + if( roles != null ) + { + hasRole = roles.isMember(role); + } + } + return hasRole; + } + + /** Currently this simply calls defaultLogin() to do a JAAS login using the + security domain name as the login module configuration name. - /** * @param principal, the user id to authenticate * @param credential, an opaque credential. * @return false on failure, true on success. @@ -377,10 +398,13 @@ info.subject = subject; info.credential = credential; - // If we don't have a cache policy create a default timed cache + /* If we don't have a cache policy create a default timed cache + that has an 1800 sec lifetime, is thread-safe, and a resolution + of 60 seconds. + */ if( domainCache == null ) { - domainCache = new TimedCachePolicy(); + domainCache = new TimedCachePolicy(1800, true, 60); try { domainCache.init(); 
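Review bot: The new doesUserHaveRole(Principal, Principal) repeats the active-subject guard and the DomainInfo cache lookup of the existing doesUserHaveRole(Principal, Set) overload, whose body starts before this hunk and which just lost its cross-domain fallback in the @@ -240 hunk; the two now agree only by hand, and the next change to the lookup must be made twice. A small private helper that returns the cached Group (or null) lets both overloads share it, and also makes the fail-closed behaviour on a cache miss explicit in one place. Role checks silently return false when the cache holds no entry for the principal, which is the safe default but worth a sentence in the Javadoc.
```java
   public boolean doesUserHaveRole(Principal principal, Principal role)
   {
      Group roles = cachedRoles(principal);
      return roles != null && roles.isMember(role);
   }

   /** Roles cached for principal, or null when there is no active subject,
       no cache policy, or no cache entry for the principal (role checks
       then fail closed).
   */
   private Group cachedRoles(Principal principal)
   {
      if( getActiveSubject() == null || domainCache == null )
         return null;
      DomainInfo info = (DomainInfo) domainCache.get(principal);
      return info == null ? null : info.roles;
   }
```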
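Review bot: `new TimedCachePolicy(1800, true, 60)` hard-codes the default cache lifetime and resolution as magic numbers; name them (`private static final int DEFAULT_CACHE_TIMEOUT = 1800;`, `private static final int DEFAULT_CACHE_RESOLUTION = 60;`) and preferably let the service configure them, since they bound how long a cached credential keeps validating after the underlying password or roles change. The new comment reads the `true` argument as "thread-safe"; TimedCachePolicy is not visible here, so verify that against its constructor before the comment is relied on. It would also help to state in the comment that until an entry expires, or flushCache() is called, isValid() answers from the cache rather than the login modules. The enclosing method starts before this hunk.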
@@ -418,4 +442,5 @@ domainCache.remove(principal); domainCache.insert(principal, info); } + } 1.2 +11 -5 jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java Index: JaasSecurityManagerService.java =================================================================== RCS file: /cvsroot/jboss/jbosssx/src/main/org/jboss/security/plugins/JaasSecurityManagerService.java,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- JaasSecurityManagerService.java 2001/04/11 01:54:46 1.1 +++ JaasSecurityManagerService.java 2001/06/15 08:26:02 1.2 @@ -30,6 +30,7 @@ import javax.management.ObjectName; import org.jboss.logging.Log; +import org.jboss.security.SecurityAssociation; import org.jboss.security.SecurityProxyFactory; import org.jboss.util.ServiceMBeanSupport; @@ -48,11 +49,11 @@ * @see SubjectSecurityManager * @author <a href="[EMAIL PROTECTED]">Oleg Nitz</a> * @author <a href="[EMAIL PROTECTED]">Rickard Oberg</a> - * @author <a href="mailto:[EMAIL PROTECTED]">Scott Stark</a> + * @author <a href="mailto:[EMAIL PROTECTED]">Scott Stark</a> */ public class JaasSecurityManagerService extends ServiceMBeanSupport - implements JaasSecurityManagerServiceMBean, ObjectFactory + implements JaasSecurityManagerServiceMBean { /** The class that provides the security manager implementation */ private static String securityMgrClassName; @@ -70,6 +71,8 @@ public JaasSecurityManagerService() { + // use thread-local principal and credential propagation + SecurityAssociation.setServer(); try { // Use JaasSecurityManager as the default setSecurityManagerClassName("org.jboss.security.plugins.JaasSecurityManager"); 
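Review bot: `SecurityAssociation.setServer()` is called from the JaasSecurityManagerService constructor, so constructing one MBean instance carries a static, presumably JVM-wide, side effect that nothing undoes when the service stops and that a second instance repeats. If setServer() is indeed a global mode switch, it belongs in the service lifecycle hook (the initService()/startService() methods of ServiceMBeanSupport, if this version provides them) rather than in the constructor; note also that it sits before the `try`, so a failure in setSecurityManagerClassName leaves the mode already switched. If it stays here, make the scope explicit: `// process-wide: switches SecurityAssociation to server (thread-local) principal/credential mode`.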
@@ -134,9 +137,10 @@ InitialContext ic = new InitialContext(); // Bind reference to SM subcontext in JNDI - // Uses JNDI federation to handle the "java:jaas" context ourselves + // Uses JNDI federation to handle the "java:/jaas" context ourselves RefAddr refAddr = new StringRefAddr("nns", "JSM"); - Reference jsmsRef = new Reference("javax.naming.Context", refAddr,getClass().getName(), null); + String factoryName = SecurityDomainObjectFactory.class.getName(); + Reference jsmsRef = new Reference("javax.naming.Context", refAddr, factoryName, null); Context ctx = new InitialContext(); ctx.rebind("java:/jaas", jsmsRef); @@ -175,6 +179,8 @@ // ObjectFactory implementation ---------------------------------- + public static class SecurityDomainObjectFactory implements ObjectFactory + { /** * Object factory implementation. This method is a bit tricky as it is called twice for each * JSM lookup. Let's say the lookup is for "java:jaas/MySecurity". Then this will first be @@ -248,11 +254,11 @@ catch(Exception e2) { e2.printStackTrace(); - log.exception(e2); throw e2; } } return ctx; } + } } } _______________________________________________ Jboss-development mailing list [EMAIL PROTECTED] http://lists.sourceforge.net/lists/listinfo/jboss-development
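Review bot: The Javadoc carried into the new static nested class SecurityDomainObjectFactory still describes the lookup as `"java:jaas/MySecurity"`, while the comment in the preceding hunk was just corrected to the `"java:/jaas"` context that rebind() actually uses; update it to `"java:/jaas/MySecurity"` so the two agree. The nested class itself has no Javadoc; suggested: `/** The JNDI ObjectFactory bound under java:/jaas that resolves security manager lookups. */`. The getObjectInstance body this Javadoc introduces lies outside the hunk.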
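Review bot: The `catch(Exception e2)` block keeps `e2.printStackTrace()` but drops `log.exception(e2)`, so a factory failure no longer reaches the server log and only goes to stderr; presumably the line was removed because the outer instance `log` is not reachable from the new static nested class. Rather than falling back to printStackTrace(), give SecurityDomainObjectFactory its own `private static final Log` field (obtained the same way the outer class obtains its Log) and restore the `log.exception(e2)` call before the rethrow. The enclosing getObjectInstance method starts outside the hunk.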