Author: djencks Date: Sat Dec 4 23:37:35 2004 New Revision: 109872 URL: http://svn.apache.org/viewcvs?view=rev&rev=109872 Log: refactoring location of some security methods and using the security interceptor Removed: geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java Modified: geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
Modified: geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java Url: http://svn.apache.org/viewcvs/geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java?view=diff&rev=109872&p1=geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java&r1=109871&p2=geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java&r2=109872 ============================================================================== --- geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java (original) +++ geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyRealm.java Sat Dec 4 23:37:35 2004 @@ -28,6 +28,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.geronimo.security.ContextManager; +import org.apache.geronimo.jetty.interceptor.SecurityContextBeforeAfter; import org.mortbay.http.HttpRequest; import org.mortbay.http.UserRealm; 
@@ -129,7 +130,7 @@ public Principal pushRole(Principal user, String role) { ((JAASJettyPrincipal) user).push(ContextManager.getCurrentCaller()); - ContextManager.setCurrentCaller(JettyServer.getCurrentWebAppContext().getRoleDesignate(role)); + ContextManager.setCurrentCaller(SecurityContextBeforeAfter.getCurrentRoleDesignate(role)); return user; } Modified: geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java Url: http://svn.apache.org/viewcvs/geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java?view=diff&rev=109872&p1=geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java&r1=109871&p2=geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java&r2=109872 ============================================================================== --- geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java (original) +++ geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyServer.java Sat Dec 4 23:37:35 2004 @@ -30,7 +30,6 @@ * @version $Rev$ $Date$ */ public class JettyServer extends Server { - private final static ThreadLocal currentWebAppContext = new ThreadLocal(); private final Map realmDelegates = new HashMap(); public UserRealm addRealm(UserRealm realm) { 
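Review bot: The replacement line makes `pushRole` depend on `SecurityContextBeforeAfter.before()` having run on the current thread, a precondition that is stated nowhere; add `// run-as designate of the web app handling this thread; only valid inside a request dispatched through SecurityContextBeforeAfter` above it. When the role has no run-as designate the helper returns null (its backing map lookup simply misses) and `ContextManager.setCurrentCaller(null)` is executed, which the new line inherits from the one it replaces; depending on what ContextManager accepts, either leaving the caller untouched or failing explicitly would be safer than silently pushing a null caller.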
@@ -56,20 +55,6 @@ public void removeRealm(UserRealm realm) { realmDelegates.remove(realm.getName()); - } - - public static void setCurrentWebAppContext(JettyWebAppJACCContext context) { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) sm.checkPermission(ContextManager.SET_CONTEXT); - - currentWebAppContext.set(context); - } - - public static JettyWebAppJACCContext getCurrentWebAppContext() { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) sm.checkPermission(ContextManager.GET_CONTEXT); - - return (JettyWebAppJACCContext) currentWebAppContext.get(); } private class RealmDelegate implements UserRealm { Modified: geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java Url: http://svn.apache.org/viewcvs/geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java?view=diff&rev=109872&p1=geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java&r1=109871&p2=geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java&r2=109872 ============================================================================== --- geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java (original) +++ geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java Sat Dec 4 23:37:35 2004 
@@ -63,8 +63,9 @@ private final WebApplicationHandler handler; private String displayName; - private final BeforeAfter chain; - private final int contextLength; + //TODO make these private final again! + protected BeforeAfter chain; + protected int contextLength; /** * @deprecated never use this... this is only here because Jetty WebApplicationContext is externalizable Modified: geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java Url: http://svn.apache.org/viewcvs/geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java?view=diff&rev=109872&p1=geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java&r1=109871&p2=geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java&r2=109872 ============================================================================== --- geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java (original) +++ geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java Sat Dec 4 23:37:35 2004 @@ -26,8 +26,6 @@ import java.security.Permission; import java.security.Principal; import java.util.Collection; -import java.util.HashMap; -import java.util.HashSet; import java.util.Iterator; import java.util.List; import java.util.Map; @@ -37,7 +35,6 @@ import javax.security.auth.Subject; import javax.security.jacc.PolicyConfiguration; import javax.security.jacc.PolicyConfigurationFactory; -import javax.security.jacc.PolicyContext; import javax.security.jacc.PolicyContextException; import javax.security.jacc.WebResourcePermission; import javax.security.jacc.WebRoleRefPermission; 
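Review bot: `chain` and `contextLength` go from `private final` to mutable `protected` so that a subclass can splice its own interceptor in after construction (JettyWebAppJACCContext does exactly that in this commit), which gives up the guarantee that the interceptor chain is fixed once the context is built; the TODO admits this is a workaround. A cleaner shape keeps them `private final` and lets the subclass contribute its interceptor at construction time — a protected constructor overload taking an extra `BeforeAfter` to wrap the chain with, or a protected hook invoked while the chain is assembled. Until then the TODO should say what blocks the revert, so the next reader can tell whether it is still needed. The enclosing class continues outside this hunk.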
@@ -49,6 +46,7 @@ import org.apache.geronimo.gbean.GBeanInfo; import org.apache.geronimo.gbean.GBeanInfoBuilder; import org.apache.geronimo.gbean.WaitingException; +import org.apache.geronimo.jetty.interceptor.SecurityContextBeforeAfter; import org.apache.geronimo.kernel.Kernel; import org.apache.geronimo.naming.java.ReadOnlyContext; import org.apache.geronimo.security.ContextManager; @@ -58,8 +56,6 @@ import org.apache.geronimo.security.SubjectId; import org.apache.geronimo.security.deploy.AutoMapAssistant; import org.apache.geronimo.security.deploy.DefaultPrincipal; -import org.apache.geronimo.security.deploy.Realm; -import org.apache.geronimo.security.deploy.Role; import org.apache.geronimo.security.deploy.Security; import org.apache.geronimo.security.jacc.RoleMappingConfiguration; import org.apache.geronimo.security.realm.SecurityRealm; @@ -99,7 +95,6 @@ private PolicyConfigurationFactory factory; private PolicyConfiguration policyConfiguration; - private final Map roleDesignates = new HashMap(); private final PathMap constraintMap = new PathMap(); private String formLoginPath; @@ -109,6 +104,8 @@ private final Set uncheckedPermissions; private final Map rolePermissions; + private final SecurityContextBeforeAfter securityInterceptor; + public JettyWebAppJACCContext() { kernel = null; @@ -120,6 +117,7 @@ this.excludedPermissions = null; this.uncheckedPermissions = null; this.rolePermissions = null; + securityInterceptor = null; } public JettyWebAppJACCContext(URI uri, @@ -206,6 +204,11 @@ this.defaultPrincipal = generateDefaultPrincipal(securityConfig, loginDomainName); + int index = contextLength; + this.securityInterceptor = new SecurityContextBeforeAfter(chain, index++, index++, policyContextID); + contextLength = index; + chain = securityInterceptor; + //TODO remove for (Iterator entries = legacySecurityConstraintMap.entrySet().iterator(); entries.hasNext();) { Map.Entry entry = (Map.Entry) entries.next(); 
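Review bot: In the last hunk (`@@ -206`) the `index++, index++` arguments to `new SecurityContextBeforeAfter(...)` are correct only because Java evaluates arguments left to right, and a reader has to work that out to know which context slot is which; naming the two indices makes the chain layout explicit and lines up with the parameter names on the other side. The wrapping order deserves a comment as well, since placing the security interceptor at the head of the chain is what guarantees the JACC policy context is set before any other interceptor runs and restored afterwards. The enclosing constructor begins and ends outside this hunk.
```java
        // Wrap the whole existing chain so the JACC policy context is established
        // before any other interceptor runs and restored after the last one.
        int policyContextIDIndex = contextLength;
        int webAppContextIndex = contextLength + 1;
        this.securityInterceptor = new SecurityContextBeforeAfter(chain, policyContextIDIndex, webAppContextIndex, policyContextID);
        contextLength += 2;
        chain = securityInterceptor;
```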
@@ -220,14 +223,6 @@ } - public Subject getRoleDesignate(String roleName) { - return (Subject) roleDesignates.get(roleName); - } - - void setRoleDesignate(String roleName, Subject subject) { - roleDesignates.put(roleName, subject); - } - public void registerServletHolder(ServletHolder servletHolder, String servletName, Set servletMappings, Map webRoleRefPermissions) throws Exception { super.registerServletHolder(servletHolder, servletName, servletMappings, webRoleRefPermissions); @@ -250,25 +245,25 @@ * @param httpRequest the request object * @param httpResponse the response object */ - public void handle(String pathInContext, - String pathParams, - HttpRequest httpRequest, - HttpResponse httpResponse) - throws HttpException, IOException { - - String savedPolicyContextID = PolicyContext.getContextID(); - JettyWebAppJACCContext savedContext = JettyServer.getCurrentWebAppContext(); - - try { - PolicyContext.setContextID(policyContextID); - JettyServer.setCurrentWebAppContext(this); - - super.handle(pathInContext, pathParams, httpRequest, httpResponse); - } finally { - JettyServer.setCurrentWebAppContext(savedContext); - PolicyContext.setContextID(savedPolicyContextID); - } - } +// public void handle(String pathInContext, +// String pathParams, +// HttpRequest httpRequest, +// HttpResponse httpResponse) +// throws HttpException, IOException { +// +// String savedPolicyContextID = PolicyContext.getContextID(); +// JettyWebAppJACCContext savedContext = SecurityContextBeforeAfter.getCurrentWebAppContext(); +// +// try { +// PolicyContext.setContextID(policyContextID); +// SecurityContextBeforeAfter.setCurrentWebAppContext(this); +// +// super.handle(pathInContext, pathParams, httpRequest, httpResponse); +// } finally { +// SecurityContextBeforeAfter.setCurrentWebAppContext(savedContext); +// PolicyContext.setContextID(savedPolicyContextID); +// } +// } /** * Keep our own copy of security constraints.<p/> 
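Review bot: In the second hunk (`@@ -250`) the `handle` override is commented out rather than removed, and the commented text refers to `SecurityContextBeforeAfter.getCurrentWebAppContext()` / `setCurrentWebAppContext`, methods the new interceptor class does not expose (its accessors are the private `get/setCurrentSecurityInterceptor`), so the dead code also misdescribes the new design. Delete the block; the Javadoc above it (`@param httpRequest`, `@param httpResponse`) then documents nothing and should go too, or become a one-line note that per-request policy context handling now lives in SecurityContextBeforeAfter. The save/restore this method used to perform is exactly what the interceptor's `before`/`after` must now guarantee on every request path that reaches this context.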
@@ -531,7 +526,7 @@ policyConfiguration = factory.getPolicyConfiguration(policyContextID, true); configure(); // configure(policyConfiguration); - addRoleMappings((RoleMappingConfiguration) policyConfiguration, securityConfig); + securityInterceptor.addRoleMappings(securityRoles, loginDomainName, securityConfig, (RoleMappingConfiguration) policyConfiguration); policyConfiguration.commit(); } catch (ClassNotFoundException e) { // do nothing @@ -541,22 +536,6 @@ // do nothing } - /** - * Register the role designates with the context manager. - * - * THIS MUST BE RUN AFTER JettyXMLConfiguration.configure() - */ - Iterator iter = roleDesignates.keySet().iterator(); - while (iter.hasNext()) { - String roleName = (String) iter.next(); - Subject roleDesignate = (Subject) roleDesignates.get(roleName); - - ContextManager.registerSubject(roleDesignate); - id = ContextManager.getSubjectId(roleDesignate); - roleDesignate.getPrincipals().add(new IdentificationPrincipal(id)); - - log.debug("Role designate " + id + " for role '" + roleName + "' for JACC policy '" + policyContextID + "' registered."); - } log.info("JettyWebAppJACCContext started with JACC policy '" + policyContextID + "'"); } @@ -571,14 +550,7 @@ ContextManager.unregisterSubject(defaultPrincipal.getSubject()); - Iterator iter = roleDesignates.keySet().iterator(); - while (iter.hasNext()) { - String roleName = (String) iter.next(); - Subject roleDesignate = (Subject) roleDesignates.get(roleName); - - ContextManager.unregisterSubject(roleDesignate); - log.debug("Role designate " + ContextManager.getSubjectId(roleDesignate) + " for role '" + roleName + "' for JACC policy '" + policyContextID + "' unregistered."); - } + securityInterceptor.stop(); /** * Delete the policy configuration for this web application 
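Review bot: In the first hunk (`@@ -531`) `securityInterceptor.addRoleMappings(...)` now also registers the role-designate Subjects with ContextManager from inside the try block whose visible catch clause is `// do nothing`, whereas the registration loop this commit removes ran after the try; if the remaining catch clauses (outside the hunk) swallow `PolicyContextException`/`GeronimoSecurityException` the same way, a context whose role mapping or policy commit failed still reaches the `log.info(... started ...)` line and serves requests with an incomplete authorization configuration. A failed mapping should fail the start — rethrow, or wrap in whatever exception the GBean lifecycle expects — rather than be logged and ignored. Note also that if the mapping throws after some designates were stored but before the registration pass, `securityInterceptor.stop()` in the third hunk (`@@ -571`) will unregister Subjects that were never registered; how ContextManager treats that is not visible here, so it at least warrants a comment.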
@@ -631,40 +603,6 @@ } } - protected void addRoleMappings(RoleMappingConfiguration roleMapper, Security security) throws PolicyContextException, GeronimoSecurityException { - - Iterator roleMappings = security.getRoleMappings().values().iterator(); - while (roleMappings.hasNext()) { - Role role = (Role) roleMappings.next(); - String roleName = role.getRoleName(); - Set principalSet = new HashSet(); - - if (!securityRoles.contains(roleName)) throw new GeronimoSecurityException("Role does not exist in this configuration"); - - Subject roleDesignate = new Subject(); - - Iterator realms = role.getRealms().values().iterator(); - while (realms.hasNext()) { - Realm realm = (Realm) realms.next(); - - Iterator principals = realm.getPrincipals().iterator(); - while (principals.hasNext()) { - org.apache.geronimo.security.deploy.Principal principal = (org.apache.geronimo.security.deploy.Principal) principals.next(); - - RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal, loginDomainName, realm.getRealmName()); - if (realmPrincipal == null) throw new GeronimoSecurityException("Unable to create realm principal"); - - principalSet.add(realmPrincipal); - if (principal.isDesignatedRunAs()) roleDesignate.getPrincipals().add(realmPrincipal); - } - } - roleMapper.addRoleMapping(roleName, principalSet); - - if (roleDesignate.getPrincipals().size() > 0) { - setRoleDesignate(roleName, roleDesignate); - } - } - } //=============================================================================== public static final GBeanInfo GBEAN_INFO; Deleted: /geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java Url: http://svn.apache.org/viewcvs/geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java?view=auto&rev=109871 ============================================================================== Modified: 
geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java Url: http://svn.apache.org/viewcvs/geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java?view=diff&rev=109872&p1=geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java&r1=109871&p2=geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java&r2=109872 ============================================================================== --- geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java (original) +++ geronimo/branches/djencks/jetty-deployer1/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java Sat Dec 4 23:37:35 2004 
@@ -16,12 +16,25 @@ */ package org.apache.geronimo.jetty.interceptor; +import java.util.HashMap; +import java.util.HashSet; +import java.util.Iterator; +import java.util.Map; +import java.util.Set; +import javax.security.auth.Subject; import javax.security.jacc.PolicyContext; +import javax.security.jacc.PolicyContextException; -import org.apache.geronimo.naming.java.ReadOnlyContext; -import org.apache.geronimo.naming.java.RootContext; -import org.apache.geronimo.jetty.JettyWebAppJACCContext; -import org.apache.geronimo.jetty.JettyServer; +import org.apache.geronimo.common.GeronimoSecurityException; +import org.apache.geronimo.security.ContextManager; +import org.apache.geronimo.security.RealmPrincipal; +import org.apache.geronimo.security.IdentificationPrincipal; +import org.apache.geronimo.security.SubjectId; +import org.apache.geronimo.security.deploy.Realm; +import org.apache.geronimo.security.deploy.Role; +import org.apache.geronimo.security.deploy.Security; +import org.apache.geronimo.security.jacc.RoleMappingConfiguration; +import org.apache.geronimo.security.util.ConfigurationUtil; /** * @version $Rev: $ $Date: $ 
@@ -32,24 +45,24 @@ private final int policyContextIDIndex; private final int webAppContextIndex; private final String policyContextID; - private final JettyWebAppJACCContext webAppContext; + private final static ThreadLocal currentWebAppContext = new ThreadLocal(); + private final Map roleDesignates = new HashMap(); - public SecurityContextBeforeAfter(BeforeAfter next, int policyContextIDIndex, int webAppContextIndex, String policyContextID, JettyWebAppJACCContext webAppContext) { + public SecurityContextBeforeAfter(BeforeAfter next, int policyContextIDIndex, int webAppContextIndex, String policyContextID) { this.next = next; this.policyContextIDIndex = policyContextIDIndex; this.webAppContextIndex = webAppContextIndex; this.policyContextID = policyContextID; - this.webAppContext = webAppContext; } public void before(Object[] context) { context[policyContextIDIndex] = PolicyContext.getContextID(); - context[webAppContextIndex] = JettyServer.getCurrentWebAppContext(); + context[webAppContextIndex] = getCurrentSecurityInterceptor(); - PolicyContext.setContextID(policyContextID); - JettyServer.setCurrentWebAppContext(webAppContext); + PolicyContext.setContextID(policyContextID); + setCurrentSecurityInterceptor(this); - if (next != null) { + if (next != null) { next.before(context); } } 
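Review bot: The static `ThreadLocal` keeps the name `currentWebAppContext` although it now stores a `SecurityContextBeforeAfter` and is accessed through `get/setCurrentSecurityInterceptor`; rename it `currentSecurityInterceptor` (and `webAppContextIndex` to match) so the type held is obvious, since this slot is what resolves run-as identities during a request. `roleDesignates` is a plain `HashMap` written by `addRoleMappings` at start-up and read from request threads through the thread-local, so it is safe only while the populate-once-before-serving ordering holds; record that with `// populated once by addRoleMappings() before the context serves requests; treated as read-only afterwards`. The class body continues beyond this hunk.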
@@ -58,8 +71,98 @@ if (next != null) { next.after(context); } - JettyServer.setCurrentWebAppContext((JettyWebAppJACCContext) context[webAppContextIndex]); + setCurrentSecurityInterceptor((SecurityContextBeforeAfter) context[webAppContextIndex]); PolicyContext.setContextID((String) context[policyContextIDIndex]); } + private static void setCurrentSecurityInterceptor(SecurityContextBeforeAfter context) { + SecurityManager sm = System.getSecurityManager(); + if (sm != null) sm.checkPermission(ContextManager.SET_CONTEXT); + + currentWebAppContext.set(context); + } + + private static SecurityContextBeforeAfter getCurrentSecurityInterceptor() { + SecurityManager sm = System.getSecurityManager(); + if (sm != null) sm.checkPermission(ContextManager.GET_CONTEXT); + + return (SecurityContextBeforeAfter) currentWebAppContext.get(); + } + + public static Subject getCurrentRoleDesignate(String role) { + return getCurrentSecurityInterceptor().getRoleDesignate(role); + } + + private Subject getRoleDesignate(String roleName) { + return (Subject) roleDesignates.get(roleName); + } + + private void setRoleDesignate(String roleName, Subject subject) { + roleDesignates.put(roleName, subject); + } + + public void addRoleMappings(Set securityRoles, String loginDomainName, Security security, RoleMappingConfiguration roleMapper) throws PolicyContextException, GeronimoSecurityException { + + for (Iterator roleMappings = security.getRoleMappings().values().iterator(); roleMappings.hasNext();) { + Role role = (Role) roleMappings.next(); + String roleName = role.getRoleName(); + Set principalSet = new HashSet(); + + if (!securityRoles.contains(roleName)) { + throw new GeronimoSecurityException("Role does not exist in this configuration"); + } + + Subject roleDesignate = new Subject(); + + for (Iterator realms = role.getRealms().values().iterator(); realms.hasNext();) { + Realm realm = (Realm) realms.next(); + + for (Iterator principals = realm.getPrincipals().iterator(); principals.hasNext();) 
{ + org.apache.geronimo.security.deploy.Principal principal = (org.apache.geronimo.security.deploy.Principal) principals.next(); + + RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal, loginDomainName, realm.getRealmName()); + if (realmPrincipal == null) { + throw new GeronimoSecurityException("Unable to create realm principal"); + } + + principalSet.add(realmPrincipal); + if (principal.isDesignatedRunAs()) { + roleDesignate.getPrincipals().add(realmPrincipal); + } + } + } + roleMapper.addRoleMapping(roleName, principalSet); + + if (roleDesignate.getPrincipals().size() > 0) { + setRoleDesignate(roleName, roleDesignate); + } + } + + /** + * Register the role designates with the context manager. + * + * THIS MUST BE RUN AFTER JettyXMLConfiguration.configure() + */ + for (Iterator iter = roleDesignates.keySet().iterator(); iter.hasNext();) { + String roleName = (String) iter.next(); + Subject roleDesignate = (Subject) roleDesignates.get(roleName); + + ContextManager.registerSubject(roleDesignate); + SubjectId id = ContextManager.getSubjectId(roleDesignate); + roleDesignate.getPrincipals().add(new IdentificationPrincipal(id)); + +// log.debug("Role designate " + id + " for role '" + roleName + "' for JACC policy '" + policyContextID + "' registered."); + } + + } + + public void stop() { + for (Iterator iter = roleDesignates.keySet().iterator(); iter.hasNext();) { + String roleName = (String) iter.next(); + Subject roleDesignate = (Subject) roleDesignates.get(roleName); + + ContextManager.unregisterSubject(roleDesignate); +// log.debug("Role designate " + ContextManager.getSubjectId(roleDesignate) + " for role '" + roleName + "' for JACC policy '" + policyContextID + "' unregistered."); + } + } }
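Review bot: `getCurrentRoleDesignate` dereferences `getCurrentSecurityInterceptor()` with no null check, so a caller on a thread where `before()` has not run (JAASJettyRealm.pushRole now calls it) gets a bare NullPointerException instead of a diagnosable error; guard it: `SecurityContextBeforeAfter current = getCurrentSecurityInterceptor();` / `if (current == null) throw new IllegalStateException("no web application security context on this thread");` / `return current.getRoleDesignate(role);`. The Javadoc inside `addRoleMappings` says it must run after `JettyXMLConfiguration.configure()`, but this commit deletes JettyXMLConfiguration, so the comment is stale and should state the real precondition (called from the context's start, after the policy configuration has been obtained). The two commented-out `log.debug` lines reference a `log` field that no hunk of this file declares or imports; either add a commons-logging `Log` here or delete them rather than carry dead code. `stop()` unregisters the designates but leaves `roleDesignates` populated; adding `roleDesignates.clear();` at its end keeps a stop/start cycle from depending on every key being overwritten.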