Author: rwatler
Date: Wed Mar 1 01:05:52 2006
New Revision: 381957
URL: http://svn.apache.org/viewcvs?rev=381957&view=rev
Log:
JS2-496 fix - Support strict interpretation of authenticated role names in
web.xml for tomcat 5.5.14+:
- the '*' role name in <auth-constraint> tags is interpreted as any role defined in the
webapp web.xml file (not any role the application chooses to pass in the
JAAS subject).
- test for authenticated user using pseudo role returned to container using
JAAS subject:
<security-constraint>
<web-resource-collection>
<web-resource-name>Login</web-resource-name>
<url-pattern>/login/redirector</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>portal-user</role-name>
</auth-constraint>
</security-constraint>
- portal user pseudo role name can be specified in security-atn.xml
configuration.
- default portal user pseudo role name is 'portal-user'.
- user roles defined in J2 remain included in the subject for those that wish
to use
finer grain tests at the container level.
- this feature may be refined if container managed security is refactored to
support
J2EE style role usage patterns.
Modified:
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/LoginModuleProxy.java
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/impl/DefaultLoginModule.java
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/impl/LoginModuleProxyImpl.java
portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-atn.xml
portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
Modified:
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/LoginModuleProxy.java
URL:
http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/LoginModuleProxy.java?rev=381957&r1=381956&r2=381957&view=diff
==============================================================================
---
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/LoginModuleProxy.java
(original)
+++
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/LoginModuleProxy.java
Wed Mar 1 01:05:52 2006
@@ -22,8 +22,22 @@
public interface LoginModuleProxy
{
/**
+ * <p>Default .portal user role name</p>
+ */
+ String DEFAULT_PORTAL_USER_ROLE_NAME = "portal-user";
+
+ /**
* <p>Getter for the [EMAIL PROTECTED] UserManager}.</p>
* @return The UserManager.
*/
UserManager getUserManager();
+
+ /**
+ * <p>Getter for the required portal user role name.</p>
+ *
+ * <p>Used in web.xml authorization to detect authenticated portal
users.</p>
+ *
+ * @return The portal user role name.
+ */
+ String getPortalUserRole();
}
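Review bot: The Javadoc on the new constant has a stray period before "portal" and does not say when the default applies, even though both implementations in this commit fall back to it; `* <p>Default portal user role name, used when no role name is configured.</p>` would cover both. It is also the only place in code where the default is defined, and the value has to match the `<role-name>` referenced from web.xml's auth-constraint, which is worth stating on the constant so the coupling is visible to whoever renames it. Adding an abstract method to a public interface breaks any third-party LoginModuleProxy implementation; that looks intended, but the interface Javadoc does not mention the new requirement.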
Modified:
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/impl/DefaultLoginModule.java
URL:
http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/impl/DefaultLoginModule.java?rev=381957&r1=381956&r2=381957&view=diff
==============================================================================
---
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/impl/DefaultLoginModule.java
(original)
+++
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/impl/DefaultLoginModule.java
Wed Mar 1 01:05:52 2006
@@ -75,6 +75,9 @@
/** <p>InternalUserPrincipal manager service.</p> */
private UserManager ums;
+ /** The portal user role. */
+ private String portalUserRole;
+
/** <p>The user name.</p> */
private String username;
@@ -88,6 +91,7 @@
if (loginModuleProxy != null)
{
this.ums = loginModuleProxy.getUserManager();
+ this.portalUserRole = loginModuleProxy.getPortalUserRole();
}
debug = false;
success = false;
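Review bot: `portalUserRole` is assigned only inside the `if (loginModuleProxy != null)` branch, so when no proxy has been registered the field stays null and the commitPrincipals hunk later in this file adds `new RolePrincipalImpl(portalUserRole)` with a null name. Whether that throws or silently adds an unnamed role depends on RolePrincipalImpl, which is outside this diff, but either way the `portal-user` constraint in web.xml would not be satisfied for that subject. An else branch keeps this path consistent with the two-arg constructor added below: `else { this.portalUserRole = LoginModuleProxy.DEFAULT_PORTAL_USER_ROLE_NAME; }`. The enclosing method (presumably the no-arg constructor, given the `debug`/`success` resets) starts outside the hunk.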
@@ -99,15 +103,21 @@
/**
* Create a new login module that uses the given user manager.
* @param userManager the user manager to use
+ * @param portalUserRole the portal user role to use
*/
- protected DefaultLoginModule (UserManager userManager)
+ protected DefaultLoginModule (UserManager userManager, String
portalUserRole)
{
- ums = userManager;
+ this.ums = userManager;
+ this.portalUserRole = portalUserRole;
debug = false;
success = false;
commitSuccess = false;
username = null;
}
+ protected DefaultLoginModule (UserManager userManager)
+ {
+ this(userManager, LoginModuleProxy.DEFAULT_PORTAL_USER_ROLE_NAME);
+ }
/**
* @see javax.security.auth.spi.LoginModule#abort()
@@ -269,7 +279,12 @@
*/
protected void commitPrincipals(Subject subject, User user)
{
+ // add user specific portal user name and roles
subject.getPrincipals().add(getUserPrincipal(user));
subject.getPrincipals().addAll(getUserRoles(user));
+
+ // add portal user role: used in web.xml authorization to
+ // detect authenticated portal users
+ subject.getPrincipals().add(new RolePrincipalImpl(portalUserRole));
}
}
Modified:
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/impl/LoginModuleProxyImpl.java
URL:
http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/impl/LoginModuleProxyImpl.java?rev=381957&r1=381956&r2=381957&view=diff
==============================================================================
---
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/impl/LoginModuleProxyImpl.java
(original)
+++
portals/jetspeed-2/trunk/components/security/src/java/org/apache/jetspeed/security/impl/LoginModuleProxyImpl.java
Wed Mar 1 01:05:52 2006
@@ -23,13 +23,15 @@
*/
public class LoginModuleProxyImpl implements LoginModuleProxy
{
-
/** The [EMAIL PROTECTED] LoginModuleProxy}instance. */
static LoginModuleProxy loginModuleProxy;
/** The [EMAIL PROTECTED] UserManager}. */
private UserManager userMgr;
+ /** The portal user role. */
+ private String portalUserRole;
+
/**
* <p>
* Constructor providing a bridge between the login module and the user
@@ -37,17 +39,27 @@
* </p>
*
* @param userMgr The user manager.
+ * @param portalUserRole The portal user role shared by all portal users:
used
+ * in web.xml authorization to detect authenticated
portal
+ * users.
*
*/
- public LoginModuleProxyImpl(UserManager userMgr)
+ public LoginModuleProxyImpl(UserManager userMgr, String portalUserRole)
{
// The user manager.
this.userMgr = userMgr;
+ // The portal user role
+ this.portalUserRole = (portalUserRole != null ? portalUserRole :
DEFAULT_PORTAL_USER_ROLE_NAME);
+
// Hack providing access to the UserManager in the LoginModule.
// TODO Can we fix this?
LoginModuleProxyImpl.loginModuleProxy = this;
}
+ public LoginModuleProxyImpl(UserManager userMgr)
+ {
+ this(userMgr, DEFAULT_PORTAL_USER_ROLE_NAME);
+ }
/**
* @see org.apache.jetspeed.security.LoginModuleProxy#getUserManager()
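Review bot: The null-to-default fallback in the two-arg constructor does not cover an empty or whitespace-only role name, which is what an empty `<value/>` in security-atn.xml would produce; such a role is still added to every subject but can never match the `portal-user` constraint in web.xml, so logins through /login/redirector would presumably be denied with nothing reported at startup. Treating blank like null closes that gap: `this.portalUserRole = (portalUserRole != null && portalUserRole.trim().length() > 0 ? portalUserRole : DEFAULT_PORTAL_USER_ROLE_NAME);`. With that in place the one-arg constructor could delegate with `this(userMgr, null)` so the default lives in one spot, though passing the constant as it does now is acceptable.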
@@ -57,4 +69,11 @@
return this.userMgr;
}
-}
\ No newline at end of file
+ /**
+ * @see org.apache.jetspeed.security.LoginModuleProxy#getPortalUserRole()
+ */
+ public String getPortalUserRole()
+ {
+ return this.portalUserRole;
+ }
+}
Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-atn.xml
URL:
http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-atn.xml?rev=381957&r1=381956&r2=381957&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-atn.xml
(original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/assembly/security-atn.xml Wed
Mar 1 01:05:52 2006
@@ -21,8 +21,11 @@
<!-- Security: Login Module Proxy -->
<bean id="org.apache.jetspeed.security.LoginModuleProxy"
class="org.apache.jetspeed.security.impl.LoginModuleProxyImpl"
- >
- <constructor-arg ><ref
bean="org.apache.jetspeed.security.UserManager"/></constructor-arg>
+ >
+ <!-- User Manager to construct JAAS subject/principals returned to
container -->
+ <constructor-arg index="0"><ref
bean="org.apache.jetspeed.security.UserManager"/></constructor-arg>
+ <!-- Portal user role name used to identify authenticated users in
web.xml security constraints -->
+ <constructor-arg
index="1"><value>portal-user</value></constructor-arg>
</bean>
</beans>
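Review bot: The role name now appears as a literal in two files — `<value>portal-user</value>` here and the `<role-name>` in the web.xml hunk — and nothing checks that they agree; a mismatch denies /login/redirector to every authenticated user instead of failing loudly. The comment on the second constructor-arg should say so explicitly, e.g. `<!-- Portal user role name: must match the <role-name> in the /login/redirector <auth-constraint> of web.xml -->`. Both LoginModuleProxyImpl constructors fall back to the `portal-user` default when the value is absent or null, which is worth noting in the same comment so operators know the literal here is optional rather than required.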
Modified: portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml
URL:
http://svn.apache.org/viewcvs/portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml?rev=381957&r1=381956&r2=381957&view=diff
==============================================================================
--- portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml (original)
+++ portals/jetspeed-2/trunk/src/webapp/WEB-INF/web.xml Wed Mar 1 01:05:52 2006
@@ -210,7 +210,9 @@
<url-pattern>/login/redirector</url-pattern>
</web-resource-collection>
<auth-constraint>
- <role-name>*</role-name>
+ <!-- the required portal user role name defined in: -->
+ <!-- /WEB-INF/assembly/security-atn.xml -->
+ <role-name>portal-user</role-name>
</auth-constraint>
</security-constraint>
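Review bot: No `<security-role><role-name>portal-user</role-name></security-role>` declaration appears alongside the new `<role-name>` in the auth-constraint; the servlet deployment descriptor expects roles referenced from an auth-constraint to be declared in a `<security-role>` element, and containers log a warning about undeclared ones. If web.xml already declares it outside this hunk there is nothing to do; otherwise the declaration should be added with this change, since the whole point of the commit is that the container now checks role names strictly. The new comment could also name `LoginModuleProxy.DEFAULT_PORTAL_USER_ROLE_NAME` as the code-side default, as only security-atn.xml is referenced and the value there is optional.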