Author: adc Date: Sun Mar 13 17:24:28 2005 New Revision: 157364 URL: http://svn.apache.org/viewcvs?view=rev&rev=157364 Log: Added the ability to map X.500 distinguished names to roles.
Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java?view=diff&r1=157363&r2=157364 ============================================================================== --- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java (original) +++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java Sun Mar 13 17:24:28 2005 @@ -29,6 +29,7 @@ import java.util.Map; import java.util.Set; import javax.security.auth.Subject; +import javax.security.auth.x500.X500Principal; import javax.security.jacc.PolicyConfiguration; import javax.security.jacc.PolicyConfigurationFactory; import javax.security.jacc.PolicyContext; 
@@ -37,6 +38,15 @@ import javax.security.jacc.WebRoleRefPermission; import javax.security.jacc.WebUserDataPermission; +import org.mortbay.http.Authenticator; +import org.mortbay.http.HttpException; +import org.mortbay.http.HttpRequest; +import org.mortbay.http.HttpResponse; +import org.mortbay.http.SecurityConstraint; +import org.mortbay.http.UserRealm; +import org.mortbay.jetty.servlet.FormAuthenticator; +import org.mortbay.jetty.servlet.ServletHttpRequest; + import org.apache.geronimo.common.GeronimoSecurityException; import org.apache.geronimo.jetty.JAASJettyPrincipal; import org.apache.geronimo.security.ContextManager; @@ -45,20 +55,14 @@ import org.apache.geronimo.security.RealmPrincipal; import org.apache.geronimo.security.SubjectId; import org.apache.geronimo.security.deploy.DefaultPrincipal; +import org.apache.geronimo.security.deploy.DistinguishedName; import org.apache.geronimo.security.deploy.Realm; import org.apache.geronimo.security.deploy.Role; import org.apache.geronimo.security.deploy.Security; import org.apache.geronimo.security.jacc.RoleMappingConfiguration; import org.apache.geronimo.security.jacc.RoleMappingConfigurationFactory; import org.apache.geronimo.security.util.ConfigurationUtil; -import org.mortbay.http.Authenticator; -import org.mortbay.http.HttpException; -import org.mortbay.http.HttpRequest; -import org.mortbay.http.HttpResponse; -import org.mortbay.http.SecurityConstraint; -import org.mortbay.http.UserRealm; -import org.mortbay.jetty.servlet.FormAuthenticator; -import org.mortbay.jetty.servlet.ServletHttpRequest; + /** * @version $Rev: $ $Date: $ 
@@ -151,7 +155,7 @@ this.realm = realm; // log.info("JettyWebAppJACCContext started with JACC policy '" + policyContextID + "'"); } - + public void registerServletHolder(Map webRoleRefPermissions) throws PolicyContextException { PolicyConfiguration policyConfiguration = factory.getPolicyConfiguration(policyContextID, false); for (Iterator iterator = webRoleRefPermissions.entrySet().iterator(); iterator.hasNext();) { @@ -161,7 +165,7 @@ policyConfiguration.addToRole(roleName, webRoleRefPermission); } policyConfiguration.commit(); - + } public void before(Object[] context, HttpRequest httpRequest, HttpResponse httpResponse) { 
@@ -213,131 +217,131 @@ //security check methods, delegated from WebAppContext /** - * Check the security constraints using JACC. - * - * @param pathInContext path in context - * @param request HTTP request - * @param response HTTP response - * @return true if the path in context passes the security check, - * false if it fails or a redirection has occured during authentication. - */ - public boolean checkSecurityConstraints(String pathInContext, HttpRequest request, HttpResponse response) throws HttpException, IOException { - if (formLoginPath != null) { - String pathToBeTested = (pathInContext.indexOf('?') > 0 ? pathInContext.substring(0, pathInContext.indexOf('?')) : pathInContext); - - if (pathToBeTested.equals(formLoginPath)) { - return true; - } - } - - try { - Principal user = obtainUser(pathInContext, request, response); - - if (user == null) { - return false; - } - if (user == SecurityConstraint.__NOBODY) { - return true; - } - - AccessControlContext acc = ContextManager.getCurrentContext(); - ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper(); - - /** - * JACC v1.0 secion 4.1.1 - */ - - String transportType; - if (request.isConfidential()) { - transportType = "CONFIDENTIAL"; - } else if (request.isIntegral()) { - transportType = "INTEGRAL"; - } else { - transportType = null; - } - WebUserDataPermission wudp = new WebUserDataPermission(servletHttpRequest.getServletPath(), new String[] {servletHttpRequest.getMethod()}, transportType); - acc.checkPermission(wudp); - - /** - * JACC v1.0 secion 4.1.2 - */ - acc.checkPermission(new WebResourcePermission(servletHttpRequest)); - } catch (HttpException he) { - response.sendError(he.getCode(), he.getReason()); - return false; - } catch (AccessControlException ace) { - response.sendError(HttpResponse.__403_Forbidden); - return false; - } - return true; - } - - /** - * Obtain an authenticated user, if one is required. Otherwise return the - * default principal. 
- * <p/> - * Also set the current caller for JACC security checks for the default - * principal. This is automatically done by <code>JAASJettyRealm</code>. - * - * @param pathInContext path in context - * @param request HTTP request - * @param response HTTP response - * @return <code>null</code> if there is no authenticated user at the moment - * and security checking should not proceed and servlet handling should also - * not proceed, e.g. redirect. <code>SecurityConstraint.__NOBODY</code> if - * security checking should not proceed and servlet handling should proceed, - * e.g. login page. - */ - private Principal obtainUser(String pathInContext, HttpRequest request, HttpResponse response) throws IOException, IOException { - ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper(); - WebResourcePermission resourcePermission = new WebResourcePermission(servletHttpRequest); - WebUserDataPermission dataPermission = new WebUserDataPermission(servletHttpRequest); - boolean unauthenticated = !(checked.implies(resourcePermission) || checked.implies(dataPermission)); - boolean forbidden = excludedPermissions.implies(resourcePermission) || excludedPermissions.implies(dataPermission); + * Check the security constraints using JACC. + * + * @param pathInContext path in context + * @param request HTTP request + * @param response HTTP response + * @return true if the path in context passes the security check, + * false if it fails or a redirection has occured during authentication. + */ + public boolean checkSecurityConstraints(String pathInContext, HttpRequest request, HttpResponse response) throws HttpException, IOException { + if (formLoginPath != null) { + String pathToBeTested = (pathInContext.indexOf('?') > 0 ? 
pathInContext.substring(0, pathInContext.indexOf('?')) : pathInContext); + + if (pathToBeTested.equals(formLoginPath)) { + return true; + } + } + + try { + Principal user = obtainUser(pathInContext, request, response); + + if (user == null) { + return false; + } + if (user == SecurityConstraint.__NOBODY) { + return true; + } + + AccessControlContext acc = ContextManager.getCurrentContext(); + ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper(); + + /** + * JACC v1.0 secion 4.1.1 + */ + + String transportType; + if (request.isConfidential()) { + transportType = "CONFIDENTIAL"; + } else if (request.isIntegral()) { + transportType = "INTEGRAL"; + } else { + transportType = null; + } + WebUserDataPermission wudp = new WebUserDataPermission(servletHttpRequest.getServletPath(), new String[]{servletHttpRequest.getMethod()}, transportType); + acc.checkPermission(wudp); + + /** + * JACC v1.0 secion 4.1.2 + */ + acc.checkPermission(new WebResourcePermission(servletHttpRequest)); + } catch (HttpException he) { + response.sendError(he.getCode(), he.getReason()); + return false; + } catch (AccessControlException ace) { + response.sendError(HttpResponse.__403_Forbidden); + return false; + } + return true; + } + + /** + * Obtain an authenticated user, if one is required. Otherwise return the + * default principal. + * <p/> + * Also set the current caller for JACC security checks for the default + * principal. This is automatically done by <code>JAASJettyRealm</code>. + * + * @param pathInContext path in context + * @param request HTTP request + * @param response HTTP response + * @return <code>null</code> if there is no authenticated user at the moment + * and security checking should not proceed and servlet handling should also + * not proceed, e.g. redirect. <code>SecurityConstraint.__NOBODY</code> if + * security checking should not proceed and servlet handling should proceed, + * e.g. login page. 
+ */ + private Principal obtainUser(String pathInContext, HttpRequest request, HttpResponse response) throws IOException, IOException { + ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper(); + WebResourcePermission resourcePermission = new WebResourcePermission(servletHttpRequest); + WebUserDataPermission dataPermission = new WebUserDataPermission(servletHttpRequest); + boolean unauthenticated = !(checked.implies(resourcePermission) || checked.implies(dataPermission)); + boolean forbidden = excludedPermissions.implies(resourcePermission) || excludedPermissions.implies(dataPermission); // Authenticator authenticator = getAuthenticator(); - Principal user = null; - if (!unauthenticated && !forbidden) { - if (realm == null) { + Principal user = null; + if (!unauthenticated && !forbidden) { + if (realm == null) { // log.warn("Realm Not Configured"); - throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm Not Configured"); - } + throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm Not Configured"); + } - // Handle pre-authenticated request - if (authenticator != null) { - // User authenticator. - user = authenticator.authenticate(realm, pathInContext, request, response); - } else { - // don't know how authenticate + // Handle pre-authenticated request + if (authenticator != null) { + // User authenticator. 
+ user = authenticator.authenticate(realm, pathInContext, request, response); + } else { + // don't know how authenticate // log.warn("Mis-configured Authenticator for " + request.getPath()); - throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Mis-configured Authenticator for " + request.getPath()); - } + throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Mis-configured Authenticator for " + request.getPath()); + } - return user; - } else if (authenticator instanceof FormAuthenticator && pathInContext.endsWith(FormAuthenticator.__J_SECURITY_CHECK)) { - /** - * This could be a post request to __J_SECURITY_CHECK. - */ - if (realm == null) { + return user; + } else if (authenticator instanceof FormAuthenticator && pathInContext.endsWith(FormAuthenticator.__J_SECURITY_CHECK)) { + /** + * This could be a post request to __J_SECURITY_CHECK. + */ + if (realm == null) { // log.warn("Realm Not Configured"); - throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm Not Configured"); - } - return authenticator.authenticate(realm, pathInContext, request, response); - } - - /** - * No authentication is required. Return the defaultPrincipal. - */ - ContextManager.setCurrentCaller(defaultPrincipal.getSubject()); - return defaultPrincipal; - } - + throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm Not Configured"); + } + return authenticator.authenticate(realm, pathInContext, request, response); + } + + /** + * No authentication is required. Return the defaultPrincipal. + */ + ContextManager.setCurrentCaller(defaultPrincipal.getSubject()); + return defaultPrincipal; + } + /** * Generate the default principal from the security config. * - * @param securityConfig The Geronimo security configuration. + * @param securityConfig The Geronimo security configuration. * @return the default principal */ protected JAASJettyPrincipal generateDefaultPrincipal(Security securityConfig) throws GeronimoSecurityException { 
@@ -346,7 +350,7 @@ if (defaultPrincipal == null) { throw new GeronimoSecurityException("Unable to generate default principal"); } - + JAASJettyPrincipal result = new JAASJettyPrincipal("default"); Subject defaultSubject = new Subject(); @@ -398,6 +402,18 @@ } } } + + for (Iterator names = role.getDNames().iterator(); names.hasNext();) { + DistinguishedName dn = (DistinguishedName) names.next(); + + X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName()); + + principalSet.add(x500Principal); + if (dn.isDesignatedRunAs()) { + roleDesignate.getPrincipals().add(x500Principal); + } + } + roleMapper.addRoleMapping(roleName, principalSet); if (roleDesignate.getPrincipals().size() > 0) { @@ -453,11 +469,11 @@ // log.debug("Role designate " + ContextManager.getSubjectId(roleDesignate) + " for role '" + roleName + "' for JACC policy '" + policyContextID + "' unregistered."); } ContextManager.unregisterSubject(defaultPrincipal.getSubject()); - + if (policyConfiguration != null) { policyConfiguration.delete(); } - + } } Modified: geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java?view=diff&r1=157363&r2=157364 ============================================================================== --- geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java (original) +++ geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java Sun Mar 13 17:24:28 2005 
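Review bot: The `X500Principal` added to `principalSet` here carries no realm qualification, unlike the `RealmPrincipal` entries built in the loop directly above it, so a role granted by distinguished name is honoured for any Subject in which any configured login module has placed an `X500Principal` whose DN compares equal (per the JDK Javadoc `X500Principal.equals` compares the canonical form) — the binding trusts every realm equally, which is presumably intended but should be stated in the `distinguished-name` documentation in geronimo-security.xsd. When `dn.isDesignatedRunAs()` is true the same unqualified principal is pushed into `roleDesignate`, so the run-as identity for the role becomes a bare DN with no realm; worth confirming that the `ContextManager` registration that follows (outside this hunk) is happy with that. This loop is duplicated verbatim in TomcatGeronimoRealm in the same commit; a shared helper next to `ConfigurationUtil.generateX500Principal`, taking the `Role`, the principal set and the designate Subject, would keep the two containers from drifting. The enclosing method starts and ends outside the hunk.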
@@ -16,16 +16,17 @@ */ package org.apache.geronimo.security.deployment; -import java.util.HashSet; import java.util.Set; import org.apache.geronimo.common.DeploymentException; import org.apache.geronimo.security.deploy.DefaultPrincipal; +import org.apache.geronimo.security.deploy.DistinguishedName; import org.apache.geronimo.security.deploy.Principal; import org.apache.geronimo.security.deploy.Realm; import org.apache.geronimo.security.deploy.Role; import org.apache.geronimo.security.deploy.Security; import org.apache.geronimo.xbeans.geronimo.security.GerDefaultPrincipalType; +import org.apache.geronimo.xbeans.geronimo.security.GerDistinguishedNameType; import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType; import org.apache.geronimo.xbeans.geronimo.security.GerRealmType; import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType; @@ -52,9 +53,8 @@ security.setDefaultRole(securityType.getDefaultRole().trim()); } - GerRoleMappingsType roleMappingsType = securityType.getRoleMappings(); - Set allRealms = new HashSet(); - if (roleMappingsType != null) { + if (securityType.isSetRoleMappings()) { + GerRoleMappingsType roleMappingsType = securityType.getRoleMappings(); for (int i = 0; i < roleMappingsType.sizeOfRoleArray(); i++) { GerRoleType roleType = roleMappingsType.getRoleArray(i); Role role = new Role(); @@ -65,7 +65,6 @@ for (int j = 0; j < roleType.sizeOfRealmArray(); j++) { GerRealmType realmType = roleType.getRealmArray(j); String realmName = realmType.getRealmName().trim(); - allRealms.add(realmName); Realm realm = new Realm(); realm.setRealmName(realmName); 
@@ -75,6 +74,15 @@ } role.getRealms().put(realmName, realm); + } + + for (int j = 0; j < roleType.sizeOfDistinguishedNameArray(); j++) { + GerDistinguishedNameType dnType = roleType.getDistinguishedNameArray(j); + DistinguishedName name = new DistinguishedName(dnType.getName()); + + name.setDesignatedRunAs(dnType.getDesignatedRunAs()); + + role.append(name); } security.getRoleMappings().put(roleName, role); Modified: geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd?view=diff&r1=157363&r2=157364 ============================================================================== --- geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd (original) +++ geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd Sun Mar 13 17:24:28 2005 @@ -86,7 +86,8 @@ <xsd:complexType name="roleType"> <xsd:sequence> <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0" maxOccurs="unbounded"/> - <xsd:element name="realm" type="geronimo:realmType" minOccurs="1" maxOccurs="unbounded"/> + <xsd:element name="realm" type="geronimo:realmType" minOccurs="0" maxOccurs="unbounded"/> + <xsd:element name="distinguished-name" type="geronimo:distinguishedNameType" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> <xsd:attribute name="role-name" type="xsd:string" use="required"/> </xsd:complexType> 
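Review bot: `dnType.getName()` is passed to `DistinguishedName` untrimmed, whereas the neighbouring `realmType.getRealmName().trim()` and `securityType.getDefaultRole().trim()` normalise their XML values, so a DN with surrounding whitespace in the plan is carried through as-is. The string is also not validated here even though this is the deployment step with `DeploymentException` in scope; a malformed DN currently surfaces later as an unchecked `IllegalArgumentException` from `new X500Principal(name)` in ConfigurationUtil during container start-up, far from the plan that caused it. Parsing it once at deploy time reports the offending role and name where the deployer can act on it; this needs `javax.security.auth.x500.X500Principal` added to SecurityBuilder's imports and assumes the enclosing method (which starts outside the hunk) already declares `DeploymentException`.
```java
for (int j = 0; j < roleType.sizeOfDistinguishedNameArray(); j++) {
    GerDistinguishedNameType dnType = roleType.getDistinguishedNameArray(j);
    String dnName = dnType.getName().trim();
    try {
        new X500Principal(dnName); // reject a malformed DN at deploy time, not at container start
    } catch (IllegalArgumentException e) {
        throw new DeploymentException("Invalid distinguished name '" + dnName + "' in role " + roleName + ": " + e.getMessage());
    }
    DistinguishedName name = new DistinguishedName(dnName);
    // … unchanged: designated-run-as flag and role.append(name) …
}
```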
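Review bot: With `realm` relaxed to `minOccurs="0"` and the new `distinguished-name` also optional, a `<role>` with neither child is now schema-valid and is mapped to no principal at all — easy to produce by accident and it silently yields a role nobody holds. If that is not intended, a short `xsd:documentation` on `roleType` stating that at least one `realm` or `distinguished-name` is expected, or a deployment-time check in SecurityBuilder, would catch it.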
@@ -102,6 +103,20 @@ <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0" maxOccurs="unbounded"/> </xsd:sequence> <xsd:attribute name="class" type="xsd:string" use="required"/> + <xsd:attribute name="name" type="xsd:string" use="required"/> + <xsd:attribute name="designated-run-as" type="xsd:boolean" default="false"> + <xsd:annotation> + <xsd:documentation> + Set this attribute to "true" if this principal is to be + used as the run-as principal for this role. + </xsd:documentation> + </xsd:annotation> + </xsd:attribute> + </xsd:complexType> + <xsd:complexType name="distinguishedNameType"> + <xsd:sequence> + <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0" maxOccurs="unbounded"/> + </xsd:sequence> <xsd:attribute name="name" type="xsd:string" use="required"/> <xsd:attribute name="designated-run-as" type="xsd:boolean" default="false"> <xsd:annotation> Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java?view=auto&rev=157364 ============================================================================== --- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java (added) +++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java Sun Mar 13 17:24:28 2005 
@@ -0,0 +1,90 @@ +/** + * Redistribution and use of this software and associated documentation + * ("Software"), with or without modification, are permitted provided + * that the following conditions are met: + * + * 1. Redistributions of source code must retain copyright + * statements and notices. Redistributions must also contain a + * copy of this document. + * + * 2. Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and the + * following disclaimer in the documentation and/or other + * materials provided with the distribution. + * + * 3. The name "OpenEJB" must not be used to endorse or promote + * products derived from this Software without prior written + * permission of The OpenEJB Group. For written permission, + * please contact [EMAIL PROTECTED] + * + * 4. Products derived from this Software may not be called "OpenEJB" + * nor may "OpenEJB" appear in their names without prior written + * permission of The OpenEJB Group. OpenEJB is a registered + * trademark of The OpenEJB Group. + * + * 5. Due credit should be given to the OpenEJB Project + * (http://openejb.sf.net/). + * + * THIS SOFTWARE IS PROVIDED BY THE OPENEJB GROUP AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT + * NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND + * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE OPENEJB GROUP OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + * Copyright 2005 (C) The OpenEJB Group. All Rights Reserved. + * + * $Id: $ + */ +package org.apache.geronimo.security.deploy; + +import java.io.Serializable; + + +/** + * @version $Revision: $ $Date: $ + */ +public class DistinguishedName implements Serializable { + + private final String name; + private boolean designatedRunAs; + + public DistinguishedName(String name) { + assert name != null; + + this.name = name; + } + + public boolean isDesignatedRunAs() { + return designatedRunAs; + } + + public void setDesignatedRunAs(boolean designatedRunAs) { + this.designatedRunAs = designatedRunAs; + } + + public String getName() { + return name; + } + + public boolean equals(Object o) { + if (this == o) return true; + if (!(o instanceof DistinguishedName)) return false; + + final DistinguishedName dn = (DistinguishedName) o; + + if (!name.equals(dn.name)) return false; + + return true; + } + + public int hashCode() { + return name.hashCode(); + } +} Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java?view=diff&r1=157363&r2=157364 ============================================================================== --- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java (original) +++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java Sun Mar 13 17:24:28 2005 @@ -18,7 +18,9 @@ import java.io.Serializable; import java.util.HashMap; +import java.util.HashSet; import java.util.Map; +import java.util.Set; /** @@ -27,7 +29,8 @@ public class Role implements Serializable { private String roleName; - private Map realms = new HashMap(); + private final Map realms = new HashMap(); + private final Set dNames = new HashSet(); public String getRoleName() { return roleName; 
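Review bot: `assert name != null` in the constructor is a no-op unless the JVM runs with `-ea`, so in a normal server a null name is stored and only fails later in `equals`/`hashCode` or in `new X500Principal(null)`; use an explicit check instead: `if (name == null) throw new IllegalArgumentException("name is null");`. `equals`/`hashCode` deliberately ignore `designatedRunAs`, so two entries for the same DN that differ only in that flag compare equal, and combined with the `HashSet` in `Role` the second one is silently dropped; a comment on `equals` saying identity is by name only would make that intentional rather than accidental. The file also carries an OpenEJB license header and "Copyright 2005 (C) The OpenEJB Group" in an org.apache.geronimo package, which looks like a paste from another project and is worth confirming before the commit lands.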
@@ -48,5 +51,13 @@ } else { realms.put(realm.getRealmName(), realm); } + } + + public Set getDNames() { + return dNames; + } + + public void append(DistinguishedName distinguishedName) { + dNames.add(distinguishedName); } } Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java?view=diff&r1=157363&r2=157364 ============================================================================== --- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java (original) +++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java Sun Mar 13 17:24:28 2005 @@ -30,8 +30,6 @@ import java.util.Iterator; import javax.security.jacc.PolicyContextException; -import org.apache.geronimo.security.RealmPrincipal; - /** * @version $Rev$ $Date$ @@ -70,7 +68,6 @@ for (int i = 0; i < principals.length; i++) { Principal principal = principals[i]; - if (!(principal instanceof RealmPrincipal)) continue; Permissions permissions = (Permissions) principalPermissionsMap.get(principal); 
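Review bot: `getDNames()` hands out the internal mutable `HashSet`, so callers can add or remove DNs bypassing `append`; the only visible callers (the Jetty and Tomcat role-mapping loops) iterate it read-only, so `return Collections.unmodifiableSet(dNames);` would be safe for them and would keep mutation on the `append` path. `append` itself ignores the `boolean` from `HashSet.add`, so a duplicate DN is dropped without a trace; returning that result (`public boolean append(DistinguishedName distinguishedName) { return dNames.add(distinguishedName); }`) is call-compatible and lets SecurityBuilder warn on a duplicate.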
@@ -84,8 +81,6 @@ Iterator iter = principals.iterator(); while (iter.hasNext()) { Principal principal = (Principal) iter.next(); - - if (!(principal instanceof RealmPrincipal)) throw new PolicyContextException("Principal not instance of RealmPrincipal"); HashSet roles = (HashSet) principalRoleMapping.get(principal); if (roles == null) { Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java?view=diff&r1=157363&r2=157364 ============================================================================== --- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java (original) +++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java Sun Mar 13 17:24:28 2005 @@ -24,6 +24,7 @@ import javax.security.jacc.PolicyContext; import javax.security.jacc.PolicyContextException; import javax.security.jacc.PolicyContextHandler; +import javax.security.auth.x500.X500Principal; import org.apache.geronimo.security.PrimaryRealmPrincipal; import org.apache.geronimo.security.RealmPrincipal; 
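Review bot: Removing the `instanceof RealmPrincipal` guard here (and the matching `continue` in the previous hunk's lookup loop) means `addRoleMapping` now accepts any `Principal` as a role-mapping key and the lookup consults `principalPermissionsMap` for every principal in the caller's Subject, so role membership is decided by the `equals`/`hashCode` of whatever principal classes the login modules install, not only by realm-qualified ones. That is what DN mapping needs, but the class now has no stated contract about which principal types are acceptable; either keep an explicit allow-list (`if (!(principal instanceof RealmPrincipal) && !(principal instanceof X500Principal)) throw new PolicyContextException("Unsupported principal type " + principal.getClass().getName());`) or add a comment on `addRoleMapping` recording that any principal type whose `equals` matches a mapped key grants the role. The enclosing methods start outside the hunk.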
@@ -39,6 +40,15 @@ * @see "JSR 115" Java Authorization Contract for Containers */ public class ConfigurationUtil { + + /** + * Create an X500Principal from a deployment description. + * @param name the distinguished name of the principal + * @return an X500Principal from a deployment description + */ + public static X500Principal generateX500Principal(String name) { + return new X500Principal(name); + } /** * Create a RealmPrincipal from a deployment description. Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java?view=diff&r1=157363&r2=157364 ============================================================================== --- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java (original) +++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java Sun Mar 13 17:24:28 2005 @@ -34,6 +34,7 @@ import javax.security.auth.login.FailedLoginException; import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; +import javax.security.auth.x500.X500Principal; import javax.security.jacc.PolicyConfiguration; import javax.security.jacc.PolicyConfigurationFactory; import javax.security.jacc.PolicyContext; @@ -61,6 +62,7 @@ import org.apache.geronimo.security.RealmPrincipal; import org.apache.geronimo.security.SubjectId; import org.apache.geronimo.security.deploy.DefaultPrincipal; +import org.apache.geronimo.security.deploy.DistinguishedName; import org.apache.geronimo.security.deploy.Realm; import org.apache.geronimo.security.deploy.Role; import org.apache.geronimo.security.deploy.Security; 
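Review bot: `generateX500Principal` forwards straight to `new X500Principal(name)`, which throws `IllegalArgumentException` for a string that is not a well-formed distinguished name, and the Javadoc does not say so even though both containers call it while building role mappings at start-up; add `@throws IllegalArgumentException if name is not a well-formed distinguished name`. It is also worth documenting that the resulting principal matches other `X500Principal`s on the canonical DN form (per the JDK Javadoc for `X500Principal.equals`), since that normalisation — not a plain string compare — is the matching rule the whole feature relies on when lining plan-written DNs up with principals a login module creates.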
@@ -521,6 +523,18 @@ } } } + + for (Iterator names = role.getDNames().iterator(); names.hasNext();) { + DistinguishedName dn = (DistinguishedName) names.next(); + + X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName()); + + principalSet.add(x500Principal); + if (dn.isDesignatedRunAs()) { + roleDesignate.getPrincipals().add(x500Principal); + } + } + roleMapper.addRoleMapping(roleName, principalSet); if (roleDesignate.getPrincipals().size() > 0) {
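Review bot: This loop is a line-for-line copy of the one added to SecurityContextBeforeAfter in the same commit, so the two containers will drift the first time one of them is fixed; moving the DN-to-principal step into ConfigurationUtil next to `generateX500Principal` — e.g. `static void addDistinguishedNamePrincipals(Role role, Set principalSet, Subject roleDesignate)` called from both — leaves one place to review. Note also that every DN flagged `designated-run-as` is added to `roleDesignate`, so several DNs for one role all become run-as principals together; if a single run-as identity per role is intended, that needs a check here or, better, in SecurityBuilder at deploy time. The enclosing method starts outside the hunk.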