User: starksm 
  Date: 01/09/03 15:46:09

  Modified:    tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_4
                        JBossSecurityMgrRealm.java
  Log:
  Update cleanup of SecurityAssociation to work with included content
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.4.2.7   +229 -201  
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===================================================================
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4.2.6
  retrieving revision 1.4.2.7
  diff -u -r1.4.2.6 -r1.4.2.7
  --- JBossSecurityMgrRealm.java        2001/07/29 15:26:04     1.4.2.6
  +++ JBossSecurityMgrRealm.java        2001/09/03 22:46:09     1.4.2.7
  @@ -24,222 +24,250 @@
   import org.jboss.security.SubjectSecurityManager;
   
   /** This is a request interceptor for authentication/authorization of users
  -that uses the JBossSX security framework. It relieas on the JNDI ENC
  -namespace setup by the AbstractWebContainer. In particular, it uses the
  -java:comp/env/security subcontext to access the security manager interfaces
  -for authorization and authenticaton.
  -
  -@see org.jboss.web.AbstractWebContainer
  -@see org.jboss.security.EJBSecurityManager
  -@see org.jboss.security.RealmMapping
  -@see org.jboss.security.SimplePrincipal
  -@see org.jboss.security.SecurityAssociation
  -@see org.jboss.security.SubjectSecurityManager
  -
  -@author [EMAIL PROTECTED]
  -@version $Revision: 1.4.2.6 $
  -*/
  + that uses the JBossSX security framework. It relieas on the JNDI ENC
  + namespace setup by the AbstractWebContainer. In particular, it uses the
  + java:comp/env/security subcontext to access the security manager interfaces
  + for authorization and authenticaton.
  + 
  + @see org.jboss.web.AbstractWebContainer
  + @see org.jboss.security.EJBSecurityManager
  + @see org.jboss.security.RealmMapping
  + @see org.jboss.security.SimplePrincipal
  + @see org.jboss.security.SecurityAssociation
  + @see org.jboss.security.SubjectSecurityManager
  + 
  + @author [EMAIL PROTECTED]
  + @version $Revision: 1.4.2.7 $
  + */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  -    static Category category = 
Category.getInstance(JBossSecurityMgrRealm.class.getName());
  -    private String subjectAttributeName = "j_subject";
  -    private boolean useJAAS = false;
  -
  -    /** A flag to indicate if the security manager implements the 
SubjectSecurityManager
  -     rather than EJBSecurityManager. When true, the authenticated Subject is 
obtained
  -     from the SubjectSecurityManager and placed into the request under the
  -     subjectAttributeName attribute.
  -     */
  -    public void setUseJAAS(boolean useJAAS)
  -    {
  -        this.useJAAS = useJAAS;
  -    }
  -    /** The name of the request attribute under with the authenticated JAAS
  -     Subject is stored on successful authentication.
  -     */
  -    public void setSubjectAttributeName(String subjectAttributeName)
  -    {
  -        this.subjectAttributeName = subjectAttributeName;
  -    }
  -
  -    private Context getSecurityContext()
  -    {
  -        Context securityCtx = null;
  -        // Get the JBoss security manager from the ENC context
  -        try
  -        {
  -            InitialContext iniCtx = new InitialContext();
  -            securityCtx = (Context) iniCtx.lookup("java:comp/env/security");
  -        }
  -        catch(NamingException e)
  -        {
  -            // Apparently there is no security context?
  -        }
  -        return securityCtx;
  -    }
  -
  -    public int authenticate(Request request, Response response)
  -    {
  +   private static Category category = 
Category.getInstance(JBossSecurityMgrRealm.class);
  +   private static ThreadLocal authInfo = new ThreadLocal();
  +   private String subjectAttributeName = "j_subject";
  +   private boolean useJAAS = false;
  +   
  +   /** A flag to indicate if the security manager implements the 
SubjectSecurityManager
  +    rather than EJBSecurityManager. When true, the authenticated Subject is obtained
  +    from the SubjectSecurityManager and placed into the request under the
  +    subjectAttributeName attribute.
  +    */
  +   public void setUseJAAS(boolean useJAAS)
  +   {
  +      this.useJAAS = useJAAS;
  +   }
  +   /** The name of the request attribute under with the authenticated JAAS
  +    Subject is stored on successful authentication.
  +    */
  +   public void setSubjectAttributeName(String subjectAttributeName)
  +   {
  +      this.subjectAttributeName = subjectAttributeName;
  +   }
  +   
  +   private Context getSecurityContext()
  +   {
  +      Context securityCtx = null;
  +      // Get the JBoss security manager from the ENC context
  +      try
  +      {
  +         InitialContext iniCtx = new InitialContext();
  +         securityCtx = (Context) iniCtx.lookup("java:comp/env/security");
  +      }
  +      catch(NamingException e)
  +      {
  +         // Apparently there is no security context?
  +      }
  +      return securityCtx;
  +   }
  +   
  +   public int authenticate(Request request, Response response)
  +   {
           /* Get the username credentials from the request. We dont check
               that they are null as the security domain may consider this
               a valid indication of an unauthenticated user requesting
               anonymous access.
  -        */
  -        Hashtable credentialMap = new Hashtable();
  -        SecurityTools.credentials(request, credentialMap);
  -        String username = (String) credentialMap.get("username");
  -        String password = (String) credentialMap.get("password");
  -
  +         */
  +      Hashtable credentialMap = new Hashtable();
  +      SecurityTools.credentials(request, credentialMap);
  +      String username = (String) credentialMap.get("username");
  +      String password = (String) credentialMap.get("password");
  +      
           /* Make sure the thread context class loader it set ot the servlet
               class loader. The Jdk12Interceptor should be handling this but
               it does not do it for the authenticate/authorize phases of a
               request.
            */
  -        ClassLoader cl = Thread.currentThread().getContextClassLoader();
  -        ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  -        if( category.isDebugEnabled() )
  -        {
  -            category.debug("Authenticating access, username: " + username + " " 
+request);
  -            category.debug("ClassLoader: "+cl.toString()+':'+cl.hashCode());
  -            category.debug("Servlet ClassLoader: 
"+scl.toString()+':'+scl.hashCode());
  -        }
  -
  -        // If we don't have a security context security is not required
  -        if( scl != cl )
  -            Thread.currentThread().setContextClassLoader(scl);
  -        Context securityCtx = getSecurityContext();
  -        if( securityCtx == null )
  -        {
  -            if( scl != cl )
  -                Thread.currentThread().setContextClassLoader(cl);
  -            return 0;
  -        }
  -
  -        try
  -        {
  -            // Get the JBoss security manager from the ENC context
  -            EJBSecurityManager securityMgr = (EJBSecurityManager) 
securityCtx.lookup("securityMgr");
  -            SimplePrincipal principal = new SimplePrincipal(username);
  -            char[] passwordChars = null;
  -            if( password != null )
  -               passwordChars = password.toCharArray();
  -            if( securityMgr.isValid(principal, passwordChars) )
  -            {
  -                request.setRemoteUser(username);
  -                request.setUserPrincipal(principal);
  -                org.apache.tomcat.core.Context ctx = request.getContext();
  -                if (ctx != null)
  -                    request.setAuthType(ctx.getAuthMethod());
  -                category.debug("Username: "+username+" is authenticated");
  -                SecurityAssociation.setPrincipal(principal);
  -                SecurityAssociation.setCredential(passwordChars);
  -                if( useJAAS == true && securityMgr instanceof 
SubjectSecurityManager )
  -                {
  -                    SubjectSecurityManager subjectMgr = (SubjectSecurityManager) 
securityMgr;
  -                    Subject subject = subjectMgr.getActiveSubject();
  -                    request.setAttribute(subjectAttributeName, subject);
  -                }
  -            }
  -            else
  -            {
  -                category.debug("User: "+username+" is NOT authenticated");
  -            }
  -        }
  -        catch(NamingException e)
  -        {
  -            category.error("Error during authenticate", e);
  -        }
  -        finally
  -        {
  -            if( scl != cl )
  -                Thread.currentThread().setContextClassLoader(cl);
  -        }
  -        return 0;
  -     }
  -
  -    public int authorize(Request request, Response response, String roles[])
  -    {
  -        if( roles==null || roles.length==0 )
  -        {
  -            // request doesn't need authentication
  -            return 0;
  -        }
  -
  -        String username = request.getRemoteUser(); 
  -        if( username == null )
  -            return 401;
  -
  +      ClassLoader cl = Thread.currentThread().getContextClassLoader();
  +      ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  +      if( category.isDebugEnabled() )
  +      {
  +         category.debug("Authenticating access, username: " + username + " " 
+request);
  +         category.debug("ClassLoader: "+cl.toString()+':'+cl.hashCode());
  +         category.debug("Servlet ClassLoader: "+scl.toString()+':'+scl.hashCode());
  +      }
  +      
  +      // If we don't have a security context security is not required
  +      Context securityCtx = getSecurityContext();
  +      if( securityCtx == null )
  +      {
  +         return 0;
  +      }
  +      
  +      try
  +      {
  +         // Get the JBoss security manager from the ENC context
  +         EJBSecurityManager securityMgr = (EJBSecurityManager) 
securityCtx.lookup("securityMgr");
  +         SimplePrincipal principal = new SimplePrincipal(username);
  +         char[] passwordChars = null;
  +         if( password != null )
  +            passwordChars = password.toCharArray();
  +         if( securityMgr.isValid(principal, passwordChars) )
  +         {
  +            request.setRemoteUser(username);
  +            request.setUserPrincipal(principal);
  +            org.apache.tomcat.core.Context ctx = request.getContext();
  +            if (ctx != null)
  +               request.setAuthType(ctx.getAuthMethod());
  +            category.debug("Username: "+username+" is authenticated");
  +            SecurityAssociation.setPrincipal(principal);
  +            SecurityAssociation.setCredential(passwordChars);
  +            authInfo.set(new AuthInfo(principal, passwordChars));
  +            if( useJAAS == true && securityMgr instanceof SubjectSecurityManager )
  +            {
  +               SubjectSecurityManager subjectMgr = (SubjectSecurityManager) 
securityMgr;
  +               Subject subject = subjectMgr.getActiveSubject();
  +               request.setAttribute(subjectAttributeName, subject);
  +            }
  +         }
  +         else
  +         {
  +            category.debug("User: "+username+" is NOT authenticated");
  +         }
  +      }
  +      catch(NamingException e)
  +      {
  +         category.error("Error during authenticate", e);
  +      }
  +      finally
  +      {
  +      }
  +      return 0;
  +   }
  +   
  +   public int authorize(Request request, Response response, String roles[])
  +   {
  +      if( roles==null || roles.length==0 )
  +      {
  +         // request doesn't need authentication
  +         return 0;
  +      }
  +      
  +      String username = request.getRemoteUser();
  +      if( username == null )
  +         return 401;
  +      
           /* Make sure the thread context class loader it set ot the servlet
               class loader. The Jdk12Interceptor should be handling this but
               it does not do it for the authenticate/authorize phases of a
               request.
            */
  -        ClassLoader cl = Thread.currentThread().getContextClassLoader();
  -        ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  -        if( category.isDebugEnabled() )
  -        {
  -            category.debug("Authorizing access, username: " + username + " " 
+request);
  -            category.debug("ClassLoader: "+cl.toString()+':'+cl.hashCode());
  -            category.debug("Servlet ClassLoader: 
"+scl.toString()+':'+scl.hashCode());
  -        }
  -        int code = 0;
  -        try
  -        {
  -            if( scl != cl )
  -                Thread.currentThread().setContextClassLoader(scl);
  -            boolean userHasRole = false;
  -            Set requiredRoles = new HashSet();
  -            for(int r = 0; r < roles.length; r ++)
  -                requiredRoles.add(new SimplePrincipal(roles[r]));
  -            // Get the JBoss security manager from the ENC context
  -            Context securityCtx = getSecurityContext();
  -            if( securityCtx != null )
  -            {
  -                RealmMapping securityMgr = (RealmMapping) 
securityCtx.lookup("realmMapping");
  -                SimplePrincipal principal = new SimplePrincipal(username);
  -                userHasRole = securityMgr.doesUserHaveRole(principal, 
requiredRoles);
  -            }
  -            else
  -            {
  -                category.warn("Warning: no security context available");
  -            }
  -
  -            if( userHasRole )
  -            {
  -                // Need to get roles from the security mgr. Needs updated 
interface...
  -                String userRoles[] = {};
  -                request.setUserRoles( userRoles );
  -                category.debug("User: "+username+" is authorized");
  -            }
  -            else
  -            {
  -                category.debug("User: "+username+" is NOT authorized, 
requiredRoles="+requiredRoles);
  -                code = 401;
  -            }
  -        }
  -        catch(NamingException e)
  -        {
  -            category.error("Error during authorize", e);
  +      ClassLoader cl = Thread.currentThread().getContextClassLoader();
  +      ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  +      if( category.isDebugEnabled() )
  +      {
  +         category.debug("Authorizing access, username: " + username + " " +request);
  +         category.debug("ClassLoader: "+cl.toString()+':'+cl.hashCode());
  +         category.debug("Servlet ClassLoader: "+scl.toString()+':'+scl.hashCode());
  +      }
  +      int code = 0;
  +      try
  +      {
  +         boolean userHasRole = false;
  +         Set requiredRoles = new HashSet();
  +         for(int r = 0; r < roles.length; r ++)
  +            requiredRoles.add(new SimplePrincipal(roles[r]));
  +         // Get the JBoss security manager from the ENC context
  +         Context securityCtx = getSecurityContext();
  +         if( securityCtx != null )
  +         {
  +            RealmMapping securityMgr = (RealmMapping) 
securityCtx.lookup("realmMapping");
  +            SimplePrincipal principal = new SimplePrincipal(username);
  +            userHasRole = securityMgr.doesUserHaveRole(principal, requiredRoles);
  +         }
  +         else
  +         {
  +            category.warn("Warning: no security context available");
  +         }
  +         
  +         if( userHasRole )
  +         {
  +            // Need to get roles from the security mgr. Needs updated interface...
  +            String userRoles[] =
  +            {};
  +            request.setUserRoles( userRoles );
  +            category.debug("User: "+username+" is authorized");
  +         }
  +         else
  +         {
  +            category.debug("User: "+username+" is NOT authorized, 
requiredRoles="+requiredRoles);
               code = 401;
  -        }
  -        finally
  -        {
  -            if( scl != cl )
  -                Thread.currentThread().setContextClassLoader(cl);
  -        }
  -     
  -        return code;
  -    }
  -
  -    /** Called after service method ends. We clear any SecurityAssociation that
  -     may have been set.
  -     */
  -    public int postService(Request request, Response response)
  -    {
  -       SecurityAssociation.setPrincipal(null);
  -       SecurityAssociation.setCredential(null);
  -       return 0;
  -    }
  -
  +         }
  +      }
  +      catch(NamingException e)
  +      {
  +         category.error("Error during authorize", e);
  +         code = 401;
  +      }
  +      finally
  +      {
  +      }
  +      
  +      return code;
  +   }
  +   
  +   /**
  +    */
  +   public int preService(Request request, Response response)
  +   {
  +      AuthInfo info = (AuthInfo) authInfo.get();
  +      if( info != null )
  +      {
  +         SecurityAssociation.setPrincipal(info.principal);
  +         SecurityAssociation.setCredential(info.passwordChars);
  +      }
  +      
  +      if( category.isDebugEnabled() )
  +      {
  +         Principal p = SecurityAssociation.getPrincipal();
  +         category.debug("preService, user="+request.getRemoteUser()+", 
SA.principal="+p+", request=" +request);
  +      }
  +      return 0;
  +   }
  +   
  +   /** Called after service method ends. We clear any SecurityAssociation that
  +    may have been set.
  +    */
  +   public int postService(Request request, Response response)
  +   {
  +      if( category.isDebugEnabled() )
  +      {
  +         Principal p = SecurityAssociation.getPrincipal();
  +         category.debug("postService, user="+request.getRemoteUser()+", 
SA.principal="+p+", request=" +request);
  +      }
  +      SecurityAssociation.setPrincipal(null);
  +      SecurityAssociation.setCredential(null);
  +      return 0;
  +   }
  +   
  +   private static class AuthInfo
  +   {
  +      Principal principal;
  +      char[] passwordChars;
  +      
  +      AuthInfo(Principal principal, char[] passwordChars)
  +      {
  +         this.principal = principal;
  +         this.passwordChars = passwordChars;
  +      }
  +   }
  +   
   }
  -
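Review bot: The new `authInfo` ThreadLocal is populated on a successful `isValid` (`authInfo.set(new AuthInfo(principal, passwordChars));`) but is never cleared: `postService` resets `SecurityAssociation` yet leaves `authInfo` in place, and the failed-authentication branch of `authenticate` does not reset it either. If the container reuses worker threads, the next request on that thread will have `preService` re-apply the previous request's principal and password chars to `SecurityAssociation`, even when that request authenticated as a different user or not at all. Add `authInfo.set(null);` beside the two `SecurityAssociation` clears in `postService`, and also clear it at the top of `authenticate` before the `isValid` call so a failed or anonymous authentication cannot inherit an earlier identity on the same thread. Separately, the now-empty `finally {}` blocks in `authenticate` and `authorize`, and the comment above `cl`/`scl` about setting the context class loader, describe behaviour this hunk removed; drop the blocks and reword the comment to say the loaders are now only logged. The empty `/** */` on `preService` should state that it restores the thread's `SecurityAssociation` from `authInfo` before the service method runs.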
  
  
  
