maguro 2005/03/12 12:04:54
Modified: modules/core/src/java/org/openejb/corba/security
SecurityInitializer.java
ServerSecurityInterceptor.java
Log:
Some fixes to POA policies and added default principal to the CORBA ORB.
Revision Changes Path
1.4 +45 -3
openejb/modules/core/src/java/org/openejb/corba/security/SecurityInitializer.java
Index: SecurityInitializer.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/SecurityInitializer.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- SecurityInitializer.java 8 Mar 2005 04:08:27 -0000 1.3
+++ SecurityInitializer.java 12 Mar 2005 17:04:54 -0000 1.4
@@ -44,6 +44,8 @@
*/
package org.openejb.corba.security;
+import javax.security.auth.Subject;
+
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.omg.CORBA.LocalObject;
@@ -51,6 +53,11 @@
import org.omg.PortableInterceptor.ORBInitInfoPackage.DuplicateName;
import org.omg.PortableInterceptor.ORBInitializer;
+import org.apache.geronimo.common.GeronimoSecurityException;
+import org.apache.geronimo.security.PrimaryRealmPrincipal;
+import org.apache.geronimo.security.RealmPrincipal;
+import org.apache.geronimo.security.util.ConfigurationUtil;
+
/**
* @version $Revision$ $Date$
@@ -91,14 +98,49 @@
* operations by which Interceptors can be registered.
*/
public void post_init(ORBInitInfo info) {
+
+ Subject defaultSubject = null;
+ String[] strings = info.arguments();
+ for (int i = 0; i < strings.length; i++) {
+ String arg = strings[i];
+ if (arg.startsWith("default-principal::")) {
+ defaultSubject = generateDefaultSubject(arg);
+ break;
+ }
+ }
+
try {
info.add_client_request_interceptor(new
ClientSecurityInterceptor());
- info.add_server_request_interceptor(new
ServerSecurityInterceptor());
+ info.add_server_request_interceptor(new
ServerSecurityInterceptor(info.allocate_slot_id(), defaultSubject));
info.add_ior_interceptor(new IORSecurityInterceptor());
} catch (DuplicateName dn) {
log.error("Error registering interceptor", dn);
}
+
info.register_policy_factory(ClientPolicyFactory.POLICY_TYPE, new
ClientPolicyFactory());
info.register_policy_factory(ServerPolicyFactory.POLICY_TYPE, new
ServerPolicyFactory());
+ }
+
+ private Subject generateDefaultSubject(String argument) {
+ Subject defaultSubject = new Subject();
+
+ String[] tokens = argument.substring(19).split(":");
+ String realm = tokens[0];
+ String className = tokens[1];
+ String principalName = tokens[2];
+
+ RealmPrincipal realmPrincipal =
ConfigurationUtil.generateRealmPrincipal(className, principalName, realm);
+ if (realmPrincipal == null) {
+ throw new GeronimoSecurityException("Unable to create realm
principal");
+ }
+ PrimaryRealmPrincipal primaryRealmPrincipal =
ConfigurationUtil.generatePrimaryRealmPrincipal(className, principalName,
realm);
+ if (primaryRealmPrincipal == null) {
+ throw new GeronimoSecurityException("Unable to create primary
realm principal");
+ }
+
+ defaultSubject.getPrincipals().add(realmPrincipal);
+ defaultSubject.getPrincipals().add(primaryRealmPrincipal);
+
+ return defaultSubject;
}
}
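Review bot: generateDefaultSubject reads tokens[1] and tokens[2] without checking how many pieces split(":") produced, so a malformed `default-principal::` ORB argument fails with an ArrayIndexOutOfBoundsException instead of a clear configuration error; add `if (tokens.length != 3) throw new GeronimoSecurityException("Malformed default-principal argument, expected realm:class:name: " + argument);` before the three assignments. The `substring(19)` also hard-codes the prefix length; `argument.substring("default-principal::".length())` keeps the loop's startsWith check in post_init and the parser from drifting apart. A short Javadoc on generateDefaultSubject stating the expected `realm:className:principalName` format, and that a GeronimoSecurityException out of it aborts post_init, would help whoever writes the ORB configuration.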
1.4 +62 -27
openejb/modules/core/src/java/org/openejb/corba/security/ServerSecurityInterceptor.java
Index: ServerSecurityInterceptor.java
===================================================================
RCS file:
/home/projects/openejb/scm/openejb/modules/core/src/java/org/openejb/corba/security/ServerSecurityInterceptor.java,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- ServerSecurityInterceptor.java 8 Mar 2005 04:08:27 -0000 1.3
+++ ServerSecurityInterceptor.java 12 Mar 2005 17:04:54 -0000 1.4
@@ -44,9 +44,7 @@
*/
package org.openejb.corba.security;
-import javax.security.cert.X509Certificate;
-import javax.net.ssl.SSLSession;
-import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.security.auth.Subject;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -54,22 +52,24 @@
import org.omg.CORBA.INTERNAL;
import org.omg.CORBA.INV_POLICY;
import org.omg.CORBA.LocalObject;
-import org.omg.CORBA.UserException;
import org.omg.CSI.MTCompleteEstablishContext;
import org.omg.CSI.MTContextError;
import org.omg.CSI.MTEstablishContext;
import org.omg.CSI.MTMessageInContext;
import org.omg.CSI.SASContextBody;
import org.omg.CSI.SASContextBodyHelper;
-import org.omg.IOP.Codec;
+import org.omg.IOP.CodecPackage.FormatMismatch;
+import org.omg.IOP.CodecPackage.TypeMismatch;
import org.omg.IOP.SecurityAttributeService;
import org.omg.IOP.ServiceContext;
-import org.omg.PortableInterceptor.ForwardRequest;
+import org.omg.PortableInterceptor.InvalidSlot;
import org.omg.PortableInterceptor.ServerRequestInfo;
import org.omg.PortableInterceptor.ServerRequestInterceptor;
import org.openorb.orb.net.AbstractServerRequest;
-import org.openejb.corba.security.wrappers.EstablishContextWrapper;
+import org.apache.geronimo.security.ContextManager;
+
+import org.openejb.corba.security.config.tss.TSSConfig;
import org.openejb.corba.util.Util;
@@ -80,31 +80,38 @@
private final Log log =
LogFactory.getLog(ServerSecurityInterceptor.class);
- public ServerSecurityInterceptor() {
+ private final int slotId;
+ private final Subject defaultSubject;
+
+ public ServerSecurityInterceptor(int slotId, Subject defaultSubject) {
+ this.slotId = slotId;
+ this.defaultSubject = defaultSubject;
+
+ if (defaultSubject != null)
ContextManager.registerSubject(defaultSubject);
AbstractServerRequest.disableServiceContextExceptions();
}
- public void receive_request(ServerRequestInfo ri) throws ForwardRequest {
+ public void receive_request(ServerRequestInfo ri) {
+
+ Subject identity = null;
+
try {
- SSLSession session =
SSLSessionManager.getSSLSession(ri.request_id());
- X509Certificate[] chain = session.getPeerCertificateChain();
- String host = session.getPeerHost();
-
- ServerPolicy policy = (ServerPolicy)
ri.get_server_policy(ServerPolicyFactory.POLICY_TYPE);
- if (policy.getConfig() == null) return;
- ri.toString();
+ ServerPolicy serverPolicy = (ServerPolicy)
ri.get_server_policy(ServerPolicyFactory.POLICY_TYPE);
+ TSSConfig tssPolicy = serverPolicy.getConfig();
+ if (tssPolicy == null) return;
ServiceContext serviceContext =
ri.get_request_service_context(SecurityAttributeService.value);
if (serviceContext == null) return;
- Codec codec = Util.getCodec();
- Any any = codec.decode_value(serviceContext.context_data,
SASContextBodyHelper.type());
+ Any any =
Util.getCodec().decode_value(serviceContext.context_data,
SASContextBodyHelper.type());
SASContextBody contextBody = SASContextBodyHelper.extract(any);
short msgType = contextBody.discriminator();
switch (msgType) {
case MTEstablishContext.value:
- EstablishContextWrapper establishMsg = new
EstablishContextWrapper(contextBody.establish_msg());
+ identity =
tssPolicy.check(SSLSessionManager.getSSLSession(ri.request_id()),
contextBody.establish_msg());
+
+ ContextManager.registerSubject(identity);
break;
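Review bot: The two early returns in receive_request (serverPolicy.getConfig() null, and no SecurityAttributeService service context) leave identity null and so set no caller at all, while the default subject is applied only on the INV_POLICY path in the next hunk; if the default principal is meant to cover unauthenticated requests it should presumably be the starting value, `Subject identity = defaultSubject;`, with those returns falling through to the identity handling instead of leaving the method — confirm which behaviour is intended. The braceless `if (defaultSubject != null) ContextManager.registerSubject(defaultSubject);` in the constructor, and the matching line in destroy, would read more safely braced. receive_request's body continues past the end of this hunk.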
@@ -122,12 +129,29 @@
}
} catch (INV_POLICY e) {
- // do nothing
- } catch (UserException ue) {
- log.error("UserException thrown", ue);
- throw new INTERNAL("UserException thrown: " + ue);
- } catch (SSLPeerUnverifiedException e) {
- // do nothing
+ identity = defaultSubject;
+ } catch (TypeMismatch tm) {
+ log.error("TypeMismatch thrown", tm);
+ throw new INTERNAL("TypeMismatch thrown: " + tm);
+ } catch (FormatMismatch fm) {
+ log.error("FormatMismatch thrown", fm);
+ throw new INTERNAL("FormatMismatch thrown: " + fm);
+ }
+
+ if (identity != null) {
+ try {
+ ContextManager.setCurrentCaller(identity);
+ ContextManager.setNextCaller(identity);
+
+ Any subjectAny = ri.get_slot(slotId);
+ subjectAny.insert_Value(identity);
+ ri.set_slot(slotId, subjectAny);
+
+ SubjectManager.setSubject(ri.request_id(), identity);
+ } catch (InvalidSlot is) {
+ log.error("InvalidSlot thrown", is);
+ throw new INTERNAL("InvalidSlot thrown: " + is);
+ }
}
}
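Review bot: ContextManager.setCurrentCaller and setNextCaller at the top of the new identity block are never reversed: send_reply in the next hunk only unregisters the subject, so the caller set here outlives the request. If ContextManager keeps the caller in thread-local state (not visible in this diff), a later request on the same thread that returns early from receive_request — no server policy config, or no security service context — would run with the previous request's identity. The reply path should reset the caller as well, e.g. `ContextManager.setCurrentCaller(null); ContextManager.setNextCaller(null);` next to clearSubject, and the same in send_exception and send_other, which are outside this diff.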
@@ -141,9 +165,20 @@
}
public void send_reply(ServerRequestInfo ri) {
+ try {
+ Any subjectAny = ri.get_slot(slotId);
+// Subject identity = (Subject) subjectAny.extract_Value();
+ Subject identity = SubjectManager.clearSubject(ri.request_id());
+
+ if (identity != null) ContextManager.unregisterSubject(identity);
+ } catch (InvalidSlot is) {
+ log.error("InvalidSlot thrown", is);
+ throw new INTERNAL("InvalidSlot thrown: " + is);
+ }
}
public void destroy() {
+ if (defaultSubject != null)
ContextManager.unregisterSubject(defaultSubject);
}
public String name() {
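Review bot: The cleanup added to send_reply runs only on the normal reply path; send_exception and send_other are not in this diff, and if they do not also call SubjectManager.clearSubject and ContextManager.unregisterSubject, a request that ends in an exception leaves its subject registered for the lifetime of the interceptor. Within send_reply the `subjectAny` local from `ri.get_slot(slotId)` is never used (the extract line under it is commented out), so the call only serves to make InvalidSlot reachable; either restore the slot-based lookup or drop the get_slot line, the commented-out line and the InvalidSlot catch together rather than keeping a dead value. A one-line comment stating that SubjectManager, not the slot, is the source of truth for the request's subject would explain the choice to the next reader.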