[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2002-01-04 Thread Adrian Brock

  User: ejort   
  Date: 02/01/04 23:53:43

  Modified:tomcat/src/main/org/jboss/tomcat/security
JBossSecurityMgrRealm.java
  Log:
  Guarded debug logging
  
  Revision  ChangesPath
  1.9   +15 -8 
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- JBossSecurityMgrRealm.java2001/07/28 18:28:46 1.8
  +++ JBossSecurityMgrRealm.java2002/01/05 07:53:43 1.9
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.8 $
  +@version $Revision: 1.9 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -80,6 +80,7 @@
   
   public int authenticate(Request request, Response response)
   {
  +boolean debug = category.isDebugEnabled();
   /* Get the username credentials from the request. We dont check
   that they are null as the security domain may consider this
   a valid indication of an unauthenticated user requesting
  @@ -97,7 +98,7 @@
*/
   ClassLoader cl = Thread.currentThread().getContextClassLoader();
   ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  -if( category.isDebugEnabled() )
  +if (debug)
   {
   category.debug(Authenticating access, username:  + username +   
+request);
   category.debug(ClassLoader: +cl.toString()+':'+cl.hashCode());
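Review bot: The guarded debug statement in this hunk still concatenates `username` and `request` into the log message verbatim. The username comes from the client's credentials (see the comment at the top of authenticate), so embedded line breaks can forge or split log records whenever debug is on. Neutralise control characters once and log the cleaned value, e.g. `String logUser = username == null ? null : username.replace('\r', '_').replace('\n', '_');`. The same applies to the `is authenticated` / `is NOT authenticated` messages and to the authorize messages in the later hunks of this commit. authenticate's body begins and ends outside the hunk.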
  @@ -130,7 +131,8 @@
   org.apache.tomcat.core.Context ctx = request.getContext();
   if (ctx != null)
   request.setAuthType(ctx.getAuthMethod());
  -category.debug(User: +username+ is authenticated);
  +if (debug)
  +   category.debug(User: +username+ is authenticated);
   SecurityAssociation.setPrincipal(principal);
   SecurityAssociation.setCredential(passwordChars);
   if( useJAAS == true  securityMgr instanceof 
SubjectSecurityManager )
  @@ -142,7 +144,8 @@
   }
   else
   {
  -category.debug(User: +username+ is NOT authenticated);
  +if (debug)
  +   category.debug(User: +username+ is NOT authenticated);
   }
   }
   catch(NamingException e)
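Review bot: The failed-authentication branch is still recorded only at debug level, so a production configuration keeps no trace of rejected logins. These are the events an operator needs to spot password guessing, so consider logging this branch unconditionally at a higher level, e.g. `category.warn("Authentication failed for user: " + logUser);`, where `logUser` is the username with control characters replaced. The `is NOT authorized` branch in the last hunk has the same gap. The surrounding try block begins outside the hunk.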
  @@ -165,10 +168,12 @@
   return 0;
   }
   
  -String username = request.getRemoteUser(); 
  +String username = request.getRemoteUser();
   if( username == null )
   return 401;
   
  +boolean debug = category.isDebugEnabled();
  +
   /* Make sure the thread context class loader it set ot the servlet
   class loader. The Jdk12Interceptor should be handling this but
   it does not do it for the authenticate/authorize phases of a
  @@ -176,7 +181,7 @@
*/
   ClassLoader cl = Thread.currentThread().getContextClassLoader();
   ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  -if( category.isDebugEnabled() )
  +if (debug)
   {
   category.debug(Authorizing access, username:  + username +   
+request);
   category.debug(ClassLoader: +cl.toString()+':'+cl.hashCode());
  @@ -209,11 +214,13 @@
   // Need to get roles from the security mgr. Needs updated 
interface...
   String userRoles[] = {};
   request.setUserRoles( userRoles );
  -category.debug(User: +username+ is authorized);
  +if (debug)
  +   category.debug(User: +username+ is authorized);
   }
   else
   {
  -category.debug(User: +username+ is NOT authorized, 
requiredRoles=+requiredRoles);
  +if (debug)
  +   category.debug(User: +username+ is NOT authorized, 
requiredRoles=+requiredRoles);
   code = 401;
   }
   }
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-12-09 Thread Scott M Stark

  User: starksm 
  Date: 01/12/09 11:39:19

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_4
JBossSecurityMgrRealm.java
  Log:
  Don't clear the SecurityAssociation information until the entry point request
  has completed, or else included content will not leave the security identity
  intact for subsequent operations performed in the including request.
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.4.2.10  +10 -4 
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4.2.9
  retrieving revision 1.4.2.10
  diff -u -r1.4.2.9 -r1.4.2.10
  --- JBossSecurityMgrRealm.java2001/11/20 09:49:01 1.4.2.9
  +++ JBossSecurityMgrRealm.java2001/12/09 19:39:19 1.4.2.10
  @@ -38,7 +38,7 @@
@see org.jboss.security.SubjectSecurityManager

@author [EMAIL PROTECTED]
  - @version $Revision: 1.4.2.9 $
  + @version $Revision: 1.4.2.10 $
*/
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -262,7 +262,7 @@
  }
  
  /** Called after service method ends. We clear any SecurityAssociation that
  -may have been set on this thread.
  +may have been set on this thread when the entry point request completes.
   */
  public int postService(Request request, Response response)
  {
  @@ -272,13 +272,19 @@
Principal p = SecurityAssociation.getPrincipal();
log.trace(postService, auth=+info+, SA.principal=+p+, request= 
+request);
 }
  -  SecurityAssociation.setPrincipal(null);
  -  SecurityAssociation.setCredential(null);
 if( info != null )
 {
info.depth --;
if( info.depth = 0 )
  + {
  +/* The entry point request has completed so clear any SA to avoid
  +reuse of the security credentials by the next request services by
  +this thread.
  +*/
   authInfo.set(null);
  +SecurityAssociation.setPrincipal(null);
  +SecurityAssociation.setCredential(null);
  + }
 }
 return 0;
  }
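Review bot: Moving both `SecurityAssociation` resets inside `if( info != null )` and the depth test means they no longer run on every exit. A request thread whose `authInfo` is null, or whose `depth` count never returns to zero, now keeps the principal and credential for the next request served by that thread. The code that increments `depth` is outside this hunk, so whether every increment is matched by a postService call (for example when an included resource throws) cannot be confirmed from here. Keeping the reset as a fallback preserves the earlier guarantee: add `else { SecurityAssociation.setPrincipal(null); SecurityAssociation.setCredential(null); }` to the `if( info != null )`. The method's signature is in the previous hunk and its body begins outside this one.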
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-11-20 Thread Scott M Stark

  User: starksm 
  Date: 01/11/20 01:49:01

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_4
JBossSecurityMgrRealm.java
  Log:
  Change to the unified log4j based org.jboss.logging.Logger class.
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.4.2.9   +27 -27
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4.2.8
  retrieving revision 1.4.2.9
  diff -u -r1.4.2.8 -r1.4.2.9
  --- JBossSecurityMgrRealm.java2001/09/14 17:55:08 1.4.2.8
  +++ JBossSecurityMgrRealm.java2001/11/20 09:49:01 1.4.2.9
  @@ -17,8 +17,8 @@
   import org.apache.tomcat.core.Response;
   import org.apache.tomcat.util.SecurityTools;
   
  -import org.jboss.logging.log4j.JBossCategory;
  -import org.jboss.security.EJBSecurityManager;
  +import org.jboss.logging.Logger;
  +import org.jboss.security.AuthenticationManager;
   import org.jboss.security.RealmMapping;
   import org.jboss.security.SimplePrincipal;
   import org.jboss.security.SecurityAssociation;
  @@ -31,24 +31,24 @@
for authorization and authenticaton.

@see org.jboss.web.AbstractWebContainer
  - @see org.jboss.security.EJBSecurityManager
  + @see org.jboss.security.AuthenticationManager
@see org.jboss.security.RealmMapping
@see org.jboss.security.SimplePrincipal
@see org.jboss.security.SecurityAssociation
@see org.jboss.security.SubjectSecurityManager

@author [EMAIL PROTECTED]
  - @version $Revision: 1.4.2.8 $
  + @version $Revision: 1.4.2.9 $
*/
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  -   private static JBossCategory category = (JBossCategory) 
JBossCategory.getInstance(JBossSecurityMgrRealm.class);
  +   private static Logger log = Logger.getLogger(JBossSecurityMgrRealm.class);
  private static ThreadLocal authInfo = new ThreadLocal();
  private String subjectAttributeName = j_subject;
  private boolean useJAAS = false;
  
  /** A flag to indicate if the security manager implements the 
SubjectSecurityManager
  -rather than EJBSecurityManager. When true, the authenticated Subject is obtained
  +rather than AuthenticationManager. When true, the authenticated Subject is 
obtained
   from the SubjectSecurityManager and placed into the request under the
   subjectAttributeName attribute.
   */
  @@ -99,12 +99,12 @@
*/
 ClassLoader cl = Thread.currentThread().getContextClassLoader();
 ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  -  boolean trace = category.isTraceEnabled();
  +  boolean trace = log.isTraceEnabled();
 if( trace )
 {
  - category.trace(Authenticating access, username:  + username +   
+request);
  - category.trace(ClassLoader: +cl.toString()+':'+cl.hashCode());
  - category.trace(Servlet ClassLoader: +scl.toString()+':'+scl.hashCode());
  + log.trace(Authenticating access, username:  + username +   +request);
  + log.trace(ClassLoader: +cl.toString()+':'+cl.hashCode());
  + log.trace(Servlet ClassLoader: +scl.toString()+':'+scl.hashCode());
 }
 
 // If we don't have a security context security is not required
  @@ -114,14 +114,14 @@
 if( securityCtx == null )
 {
if( trace )
  -category.trace(No SecurityContext, returning 0);
  +log.trace(No SecurityContext, returning 0);
return 0;
 }
   
 try
 {
// Get the JBoss security manager from the ENC context
  - EJBSecurityManager securityMgr = (EJBSecurityManager) 
securityCtx.lookup(securityMgr);
  + AuthenticationManager securityMgr = (AuthenticationManager) 
securityCtx.lookup(securityMgr);
SimplePrincipal principal = new SimplePrincipal(username);
char[] passwordChars = null;
if( password != null )
  @@ -134,7 +134,7 @@
   if (ctx != null)
  request.setAuthType(ctx.getAuthMethod());
   if( trace )
  -   category.trace(Username: +username+ is authenticated);
  +   log.trace(Username: +username+ is authenticated);
   SecurityAssociation.setPrincipal(principal);
   SecurityAssociation.setCredential(passwordChars);
   authInfo.set(new AuthInfo(principal, passwordChars));
  @@ -148,12 +148,12 @@
else
{
   if( trace )
  -   category.trace(User: +username+ is NOT authenticated);
  +   log.trace(User: +username+ is NOT authenticated);
}
 }
  

[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-09-14 Thread Scott M Stark

  User: starksm 
  Date: 01/09/14 10:55:08

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_4
JBossSecurityMgrRealm.java
  Log:
  Need to restore setting of servlet class loader before calling
  getSecurityContext because the tomcat class loader getParent does not
  return the true parent class loader
  
  Change debug level msgs to trace level msgs
  
  Clear the AuthInfo thread local when the entering thread service
  method exits
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.4.2.8   +61 -30
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4.2.7
  retrieving revision 1.4.2.8
  diff -u -r1.4.2.7 -r1.4.2.8
  --- JBossSecurityMgrRealm.java2001/09/03 22:46:09 1.4.2.7
  +++ JBossSecurityMgrRealm.java2001/09/14 17:55:08 1.4.2.8
  @@ -17,6 +17,7 @@
   import org.apache.tomcat.core.Response;
   import org.apache.tomcat.util.SecurityTools;
   
  +import org.jboss.logging.log4j.JBossCategory;
   import org.jboss.security.EJBSecurityManager;
   import org.jboss.security.RealmMapping;
   import org.jboss.security.SimplePrincipal;
  @@ -37,11 +38,11 @@
@see org.jboss.security.SubjectSecurityManager

@author [EMAIL PROTECTED]
  - @version $Revision: 1.4.2.7 $
  + @version $Revision: 1.4.2.8 $
*/
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  -   private static Category category = 
Category.getInstance(JBossSecurityMgrRealm.class);
  +   private static JBossCategory category = (JBossCategory) 
JBossCategory.getInstance(JBossSecurityMgrRealm.class);
  private static ThreadLocal authInfo = new ThreadLocal();
  private String subjectAttributeName = j_subject;
  private boolean useJAAS = false;
  @@ -98,20 +99,25 @@
*/
 ClassLoader cl = Thread.currentThread().getContextClassLoader();
 ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  -  if( category.isDebugEnabled() )
  +  boolean trace = category.isTraceEnabled();
  +  if( trace )
 {
  - category.debug(Authenticating access, username:  + username +   
+request);
  - category.debug(ClassLoader: +cl.toString()+':'+cl.hashCode());
  - category.debug(Servlet ClassLoader: +scl.toString()+':'+scl.hashCode());
  + category.trace(Authenticating access, username:  + username +   
+request);
  + category.trace(ClassLoader: +cl.toString()+':'+cl.hashCode());
  + category.trace(Servlet ClassLoader: +scl.toString()+':'+scl.hashCode());
 }
 
 // If we don't have a security context security is not required
  +  if( scl != cl )   
  + Thread.currentThread().setContextClassLoader(scl);
 Context securityCtx = getSecurityContext();
 if( securityCtx == null )
 {
  + if( trace )
  +category.trace(No SecurityContext, returning 0);
return 0;
 }
  -  
  +
 try
 {
// Get the JBoss security manager from the ENC context
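Review bot: The early return for a missing security context leaves the thread's context class loader switched. The added `setContextClassLoader(scl)` runs before `getSecurityContext()`, but the `securityCtx == null` branch returns 0 without restoring `cl`, and the restoring `finally` added later in this commit only covers the `try` that starts after that return. On a pooled request thread the servlet loader would then stay installed for whatever runs next. Either restore before returning with `if( scl != cl ) Thread.currentThread().setContextClassLoader(cl);`, or move the switch and the lookup inside the `try` so the `finally` covers every exit. authenticate's body begins and ends outside the hunk.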
  @@ -127,7 +133,8 @@
   org.apache.tomcat.core.Context ctx = request.getContext();
   if (ctx != null)
  request.setAuthType(ctx.getAuthMethod());
  -category.debug(Username: +username+ is authenticated);
  +if( trace )
  +   category.trace(Username: +username+ is authenticated);
   SecurityAssociation.setPrincipal(principal);
   SecurityAssociation.setCredential(passwordChars);
   authInfo.set(new AuthInfo(principal, passwordChars));
  @@ -140,19 +147,22 @@
}
else
{
  -category.debug(User: +username+ is NOT authenticated);
  +if( trace )
  +   category.trace(User: +username+ is NOT authenticated);
}
 }
 catch(NamingException e)
 {
category.error(Error during authenticate, e);
 }
  -  finally
  +  finally 
 {
  +  if( scl != cl )
  +  Thread.currentThread().setContextClassLoader(cl);
 }
 return 0;
  }
  -   
  +
  public int authorize(Request request, Response response, String roles[])
  {
 if( roles==null || roles.length==0 )
  @@ -172,15 +182,18 @@
*/
 ClassLoader cl = Thread.currentThread().getContextClassLoader();
 ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  -  if( category.isDebugEnabled() )
  +  boolean trace = category.isTraceEnabled();
  +  if( trace )
 {
  - 

[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-07-29 Thread Scott M Stark

  User: starksm 
  Date: 01/07/29 08:26:04

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_4
JBossSecurityMgrRealm.java
  Log:
  Update the username authentication debug statement
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.4.2.6   +2 -2  
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4.2.5
  retrieving revision 1.4.2.6
  diff -u -r1.4.2.5 -r1.4.2.6
  --- JBossSecurityMgrRealm.java2001/07/28 18:22:47 1.4.2.5
  +++ JBossSecurityMgrRealm.java2001/07/29 15:26:04 1.4.2.6
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.4.2.5 $
  +@version $Revision: 1.4.2.6 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -130,7 +130,7 @@
   org.apache.tomcat.core.Context ctx = request.getContext();
   if (ctx != null)
   request.setAuthType(ctx.getAuthMethod());
  -category.debug(User: +username+ is authenticated);
  +category.debug(Username: +username+ is authenticated);
   SecurityAssociation.setPrincipal(principal);
   SecurityAssociation.setCredential(passwordChars);
   if( useJAAS == true  securityMgr instanceof 
SubjectSecurityManager )
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-07-28 Thread Scott M Stark

  User: starksm 
  Date: 01/07/28 11:22:47

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_4
JBossSecurityMgrRealm.java
  Log:
  The password passed to securityMgr.isValid() should be a char[] to be
  compatible with the cached credential.
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.4.2.5   +7 -6  
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4.2.4
  retrieving revision 1.4.2.5
  diff -u -r1.4.2.4 -r1.4.2.5
  --- JBossSecurityMgrRealm.java2001/07/27 03:51:33 1.4.2.4
  +++ JBossSecurityMgrRealm.java2001/07/28 18:22:47 1.4.2.5
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.4.2.4 $
  +@version $Revision: 1.4.2.5 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -120,7 +120,10 @@
   // Get the JBoss security manager from the ENC context
   EJBSecurityManager securityMgr = (EJBSecurityManager) 
securityCtx.lookup(securityMgr);
   SimplePrincipal principal = new SimplePrincipal(username);
  -if( securityMgr.isValid(principal, password) )
  +char[] passwordChars = null;
  +if( password != null )
  +   passwordChars = password.toCharArray();
  +if( securityMgr.isValid(principal, passwordChars) )
   {
   request.setRemoteUser(username);
   request.setUserPrincipal(principal);
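Review bot: Nothing at the conversion explains why the password is turned into a `char[]` before `isValid()`; the reason (compatibility with the cached credential) exists only in the commit log. A comment above `char[] passwordChars = null;`, such as `// isValid() must receive a char[] to be compatible with the cached credential`, would keep a later cleanup from passing the String again. The original `password` String also stays reachable, so the array alone gives no way to wipe the secret after use. The trunk commit for revision 1.8 further down the page makes the same change. The enclosing try block starts and ends outside the hunk.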
  @@ -129,10 +132,7 @@
   request.setAuthType(ctx.getAuthMethod());
   category.debug(User: +username+ is authenticated);
   SecurityAssociation.setPrincipal(principal);
  -char[] pass = null;
  -if( password != null )
  -   pass = password.toCharArray();
  -SecurityAssociation.setCredential(pass);
  +SecurityAssociation.setCredential(passwordChars);
   if( useJAAS == true  securityMgr instanceof 
SubjectSecurityManager )
   {
   SubjectSecurityManager subjectMgr = (SubjectSecurityManager) 
securityMgr;
  @@ -242,3 +242,4 @@
   }
   
   }
  +
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-07-28 Thread Scott M Stark

  User: starksm 
  Date: 01/07/28 11:28:46

  Modified:tomcat/src/main/org/jboss/tomcat/security
JBossSecurityMgrRealm.java
  Log:
  The password passed to securityMgr.isValid() should be a char[] to be
  compatible with the cached credential
  
  Revision  ChangesPath
  1.8   +6 -6  
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.7
  retrieving revision 1.8
  diff -u -r1.7 -r1.8
  --- JBossSecurityMgrRealm.java2001/07/27 04:16:00 1.7
  +++ JBossSecurityMgrRealm.java2001/07/28 18:28:46 1.8
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.7 $
  +@version $Revision: 1.8 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -120,7 +120,10 @@
   // Get the JBoss security manager from the ENC context
   EJBSecurityManager securityMgr = (EJBSecurityManager) 
securityCtx.lookup(securityMgr);
   SimplePrincipal principal = new SimplePrincipal(username);
  -if( securityMgr.isValid(principal, password) )
  +char[] passwordChars = null;
  +if( password != null )
  +   passwordChars = password.toCharArray();
  +if( securityMgr.isValid(principal, passwordChars) )
   {
   request.setRemoteUser(username);
   request.setUserPrincipal(principal);
  @@ -129,10 +132,7 @@
   request.setAuthType(ctx.getAuthMethod());
   category.debug(User: +username+ is authenticated);
   SecurityAssociation.setPrincipal(principal);
  -char[] pass = null;
  -if( password != null )
  -   pass = password.toCharArray();
  -SecurityAssociation.setCredential(pass);
  +SecurityAssociation.setCredential(passwordChars);
   if( useJAAS == true  securityMgr instanceof 
SubjectSecurityManager )
   {
   SubjectSecurityManager subjectMgr = (SubjectSecurityManager) 
securityMgr;
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-07-26 Thread Scott M Stark

  User: starksm 
  Date: 01/07/26 20:51:33

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_4
JBossSecurityMgrRealm.java
  Log:
  Clear any SecurityAssociation value at the end of the service call to
  ensure that reuse of the thread with unsecure content does not allow access
  to components it should not
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.4.2.4   +11 -1 
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4.2.3
  retrieving revision 1.4.2.4
  diff -u -r1.4.2.3 -r1.4.2.4
  --- JBossSecurityMgrRealm.java2001/06/27 01:05:59 1.4.2.3
  +++ JBossSecurityMgrRealm.java2001/07/27 03:51:33 1.4.2.4
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.4.2.3 $
  +@version $Revision: 1.4.2.4 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -229,6 +229,16 @@
   }

   return code;
  +}
  +
  +/** Called after service method ends. We clear any SecurityAssociation that
  + may have been set.
  + */
  +public int postService(Request request, Response response)
  +{
  +   SecurityAssociation.setPrincipal(null);
  +   SecurityAssociation.setCredential(null);
  +   return 0;
   }
   
   }
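Review bot: The new Javadoc on postService says what is cleared but not why. The reason is only in the commit log: request threads are reused, and a later request for unsecured content must not inherit the previous caller's identity. It belongs on the method, for example `Clears the SecurityAssociation principal and credential so that a reused request thread does not carry the previous caller's identity.` Whether the container still calls postService when the service method throws is not visible here; if it does not, the identity stays on the thread on that path and the Javadoc should say so. The trunk commit for revision 1.7 below adds the identical method.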
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-07-26 Thread Scott M Stark

  User: starksm 
  Date: 01/07/26 21:16:01

  Modified:tomcat/src/main/org/jboss/tomcat/security
JBossSecurityMgrRealm.java
  Log:
  Clear any SecurityAssociation value at the end of the service call to
  ensure that reuse of the thread with unsecure content does not allow access
  to components it should not
  
  Revision  ChangesPath
  1.7   +11 -1 
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- JBossSecurityMgrRealm.java2001/07/03 16:58:02 1.6
  +++ JBossSecurityMgrRealm.java2001/07/27 04:16:00 1.7
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.6 $
  +@version $Revision: 1.7 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -229,6 +229,16 @@
   }

   return code;
  +}
  +
  +/** Called after service method ends. We clear any SecurityAssociation that
  + may have been set.
  + */
  +public int postService(Request request, Response response)
  +{
  +   SecurityAssociation.setPrincipal(null);
  +   SecurityAssociation.setCredential(null);
  +   return 0;
   }
   
   }
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-07-03 Thread starksm

  User: starksm 
  Date: 01/07/03 09:58:02

  Modified:tomcat/src/main/org/jboss/tomcat/security
JBossSecurityMgrRealm.java
  Log:
  Merge the latest 2.4 changes
  
  Revision  ChangesPath
  1.6   +19 -13
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- JBossSecurityMgrRealm.java2001/06/27 01:13:53 1.5
  +++ JBossSecurityMgrRealm.java2001/07/03 16:58:02 1.6
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.5 $
  +@version $Revision: 1.6 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -90,11 +90,6 @@
   String username = (String) credentialMap.get(username);
   String password = (String) credentialMap.get(password);
   
  -// If we don't have a security context security is not required
  -Context securityCtx = getSecurityContext();
  -if( securityCtx == null )
  -return 0;
  -
   /* Make sure the thread context class loader it set ot the servlet
   class loader. The Jdk12Interceptor should be handling this but
   it does not do it for the authenticate/authorize phases of a
  @@ -106,12 +101,22 @@
   {
   category.debug(Authenticating access, username:  + username +   
+request);
   category.debug(ClassLoader: +cl.toString()+':'+cl.hashCode());
  -category.debug(Servlet ClassLoader: 
+scl.toString()+':'+cl.hashCode());
  +category.debug(Servlet ClassLoader: 
+scl.toString()+':'+scl.hashCode());
   }
  -try
  +
  +// If we don't have a security context security is not required
  +if( scl != cl )
  +Thread.currentThread().setContextClassLoader(scl);
  +Context securityCtx = getSecurityContext();
  +if( securityCtx == null )
   {
   if( scl != cl )
  -Thread.currentThread().setContextClassLoader(scl);
  +Thread.currentThread().setContextClassLoader(cl);
  +return 0;
  +}
  +
  +try
  +{
   // Get the JBoss security manager from the ENC context
   EJBSecurityManager securityMgr = (EJBSecurityManager) 
securityCtx.lookup(securityMgr);
   SimplePrincipal principal = new SimplePrincipal(username);
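Review bot: The class-loader switch and `getSecurityContext()` now sit above the `try`, so the restore has to be hand-copied into the `securityCtx == null` branch. An unchecked exception from `getSecurityContext()` would skip the restore altogether; whether it can throw is not visible here. Making `if( scl != cl ) Thread.currentThread().setContextClassLoader(scl);` and the lookup the first statements of the `try` would let the restore at the end of the method cover every exit, including the early `return 0;`. That restore appears in the next hunk and is presumably inside a `finally`. authenticate's body begins and ends outside the hunk.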
  @@ -149,8 +154,7 @@
   if( scl != cl )
   Thread.currentThread().setContextClassLoader(cl);
   }
  -
  - return 0;
  +return 0;
}
   
   public int authorize(Request request, Response response, String roles[])
  @@ -176,7 +180,7 @@
   {
   category.debug(Authorizing access, username:  + username +   
+request);
   category.debug(ClassLoader: +cl.toString()+':'+cl.hashCode());
  -category.debug(Servlet ClassLoader: 
+scl.toString()+':'+cl.hashCode());
  +category.debug(Servlet ClassLoader: 
+scl.toString()+':'+scl.hashCode());
   }
   int code = 0;
   try
  @@ -184,7 +188,9 @@
   if( scl != cl )
   Thread.currentThread().setContextClassLoader(scl);
   boolean userHasRole = false;
  -Set requiredRoles = new HashSet(Arrays.asList(roles));
  +Set requiredRoles = new HashSet();
  +for(int r = 0; r  roles.length; r ++)
  +requiredRoles.add(new SimplePrincipal(roles[r]));
   // Get the JBoss security manager from the ENC context
   Context securityCtx = getSecurityContext();
   if( securityCtx != null )
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-06-26 Thread starksm

  User: starksm 
  Date: 01/06/26 18:05:59

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_4
JBossSecurityMgrRealm.java
  Log:
  The password String may be null so validate before invoking
  toCharArray()
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.4.2.3   +5 -2  
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4.2.2
  retrieving revision 1.4.2.3
  diff -u -r1.4.2.2 -r1.4.2.3
  --- JBossSecurityMgrRealm.java2001/06/23 01:10:58 1.4.2.2
  +++ JBossSecurityMgrRealm.java2001/06/27 01:05:59 1.4.2.3
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.4.2.2 $
  +@version $Revision: 1.4.2.3 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -129,7 +129,10 @@
   request.setAuthType(ctx.getAuthMethod());
   category.debug(User: +username+ is authenticated);
   SecurityAssociation.setPrincipal(principal);
  -SecurityAssociation.setCredential(password.toCharArray());
  +char[] pass = null;
  +if( password != null )
  +   pass = password.toCharArray();
  +SecurityAssociation.setCredential(pass);
   if( useJAAS == true  securityMgr instanceof 
SubjectSecurityManager )
   {
   SubjectSecurityManager subjectMgr = (SubjectSecurityManager) 
securityMgr;
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-06-26 Thread starksm

  User: starksm 
  Date: 01/06/26 18:13:53

  Modified:tomcat/src/main/org/jboss/tomcat/security
JBossSecurityMgrRealm.java
  Log:
  Handle null passwords correctly
  
  Revision  ChangesPath
  1.5   +5 -2  
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- JBossSecurityMgrRealm.java2001/06/22 05:37:52 1.4
  +++ JBossSecurityMgrRealm.java2001/06/27 01:13:53 1.5
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.4 $
  +@version $Revision: 1.5 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -124,7 +124,10 @@
   request.setAuthType(ctx.getAuthMethod());
   category.debug(User: +username+ is authenticated);
   SecurityAssociation.setPrincipal(principal);
  -SecurityAssociation.setCredential(password.toCharArray());
  +char[] pass = null;
  +if( password != null )
  +   pass = password.toCharArray();
  +SecurityAssociation.setCredential(pass);
   if( useJAAS == true  securityMgr instanceof 
SubjectSecurityManager )
   {
   SubjectSecurityManager subjectMgr = (SubjectSecurityManager) 
securityMgr;
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-06-22 Thread starksm

  User: starksm 
  Date: 01/06/21 23:37:45

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_4
JBossSecurityMgrRealm.java
  Log:
  Update to work with the 2.4 version of JBoss
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.4.2.1   +4 -2  
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4
  retrieving revision 1.4.2.1
  diff -u -r1.4 -r1.4.2.1
  --- JBossSecurityMgrRealm.java2001/06/22 05:37:52 1.4
  +++ JBossSecurityMgrRealm.java2001/06/22 06:37:45 1.4.2.1
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.4 $
  +@version $Revision: 1.4.2.1 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -181,7 +181,9 @@
   if( scl != cl )
   Thread.currentThread().setContextClassLoader(scl);
   boolean userHasRole = false;
  -Set requiredRoles = new HashSet(Arrays.asList(roles));
  +Set requiredRoles = new HashSet();
  +for(int r = 0; r  roles.length; r ++)
  +requiredRoles.add(new SimplePrincipal(roles[r]));
   // Get the JBoss security manager from the ENC context
   Context securityCtx = getSecurityContext();
   if( securityCtx != null )
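Review bot: The loop that wraps each role name in a `SimplePrincipal` carries no comment explaining that the element type of `requiredRoles` matters, and with a raw `Set` the compiler will not catch a later edit that puts Strings back in. Presumably the 2.4 `RealmMapping.doesUserHaveRole` compares principals, in which case a set of Strings would never match and every request would be denied. A line such as `// 2.4 RealmMapping expects role Principals, not role-name Strings` above the loop records that. authorize() starts and ends outside this hunk.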
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-06-22 Thread starksm

  User: starksm 
  Date: 01/06/22 18:10:58

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_4
JBossSecurityMgrRealm.java
  Log:
  Fix TCL problem
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.4.2.2   +16 -12
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.4.2.1
  retrieving revision 1.4.2.2
  diff -u -r1.4.2.1 -r1.4.2.2
  --- JBossSecurityMgrRealm.java2001/06/22 06:37:45 1.4.2.1
  +++ JBossSecurityMgrRealm.java2001/06/23 01:10:58 1.4.2.2
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.4.2.1 $
  +@version $Revision: 1.4.2.2 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -90,11 +90,6 @@
   String username = (String) credentialMap.get(username);
   String password = (String) credentialMap.get(password);
   
  -// If we don't have a security context security is not required
  -Context securityCtx = getSecurityContext();
  -if( securityCtx == null )
  -return 0;
  -
   /* Make sure the thread context class loader it set ot the servlet
   class loader. The Jdk12Interceptor should be handling this but
   it does not do it for the authenticate/authorize phases of a
  @@ -106,12 +101,22 @@
   {
   category.debug(Authenticating access, username:  + username +   
+request);
   category.debug(ClassLoader: +cl.toString()+':'+cl.hashCode());
  -category.debug(Servlet ClassLoader: 
+scl.toString()+':'+cl.hashCode());
  +category.debug(Servlet ClassLoader: 
+scl.toString()+':'+scl.hashCode());
   }
  -try
  +
  +// If we don't have a security context security is not required
  +if( scl != cl )
  +Thread.currentThread().setContextClassLoader(scl);
  +Context securityCtx = getSecurityContext();
  +if( securityCtx == null )
   {
   if( scl != cl )
  -Thread.currentThread().setContextClassLoader(scl);
  +Thread.currentThread().setContextClassLoader(cl);
  +return 0;
  +}
  +
  +try
  +{
   // Get the JBoss security manager from the ENC context
   EJBSecurityManager securityMgr = (EJBSecurityManager) 
securityCtx.lookup(securityMgr);
   SimplePrincipal principal = new SimplePrincipal(username);
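Review bot: The context class loader is now switched to `scl` before the `try`, so `getSecurityContext()` runs with the servlet loader installed but outside the block that restores it. If the lookup throws anything other than the `NamingException` that helper catches, the request thread keeps the servlet loader. Moving the switch, the lookup and the null check inside the `try` lets the restore shown in the -146 hunk (a `finally`, judging by the other revisions on this page) cover every exit, and it removes the duplicated restore before `return 0`. authenticate() starts and ends outside this hunk.

```java
try
{
    if( scl != cl )
        Thread.currentThread().setContextClassLoader(scl);
    // If we don't have a security context security is not required
    Context securityCtx = getSecurityContext();
    if( securityCtx == null )
        return 0;
    // … unchanged: securityMgr lookup and isValid check …
```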
  @@ -146,8 +151,7 @@
   if( scl != cl )
   Thread.currentThread().setContextClassLoader(cl);
   }
  -
  - return 0;
  +return 0;
}
   
   public int authorize(Request request, Response response, String roles[])
  @@ -173,7 +177,7 @@
   {
   category.debug(Authorizing access, username:  + username +   
+request);
   category.debug(ClassLoader: +cl.toString()+':'+cl.hashCode());
  -category.debug(Servlet ClassLoader: 
+scl.toString()+':'+cl.hashCode());
  +category.debug(Servlet ClassLoader: 
+scl.toString()+':'+scl.hashCode());
   }
   int code = 0;
   try
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-06-21 Thread starksm

  User: starksm 
  Date: 01/06/21 22:37:52

  Modified:tomcat/src/main/org/jboss/tomcat/security
JBossSecurityMgrRealm.java
  Log:
  Merged changes from the 2.2 branch
  
  Revision  ChangesPath
  1.4   +28 -29
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.3
  retrieving revision 1.4
  diff -u -r1.3 -r1.4
  --- JBossSecurityMgrRealm.java2001/06/12 20:02:31 1.3
  +++ JBossSecurityMgrRealm.java2001/06/22 05:37:52 1.4
  @@ -9,10 +9,10 @@
   import javax.naming.InitialContext;
   import javax.naming.NamingException;
   import javax.security.auth.Subject;
  -import javax.servlet.http.HttpServletResponse;
   
   import org.apache.log4j.Category;
   import org.apache.tomcat.core.BaseInterceptor;
  +import org.apache.tomcat.core.TomcatException;
   import org.apache.tomcat.core.Request;
   import org.apache.tomcat.core.Response;
   import org.apache.tomcat.util.SecurityTools;
  @@ -37,13 +37,13 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.3 $
  +@version $Revision: 1.4 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
   static Category category = 
Category.getInstance(JBossSecurityMgrRealm.class.getName());
  -public String subjectAttributeName = j_subject;
  -public boolean useJAAS = false;
  +private String subjectAttributeName = j_subject;
  +private boolean useJAAS = false;
   
   /** A flag to indicate if the security manager implements the 
SubjectSecurityManager
rather than EJBSecurityManager. When true, the authenticated Subject is 
obtained
  @@ -62,16 +62,32 @@
   this.subjectAttributeName = subjectAttributeName;
   }
   
  - public int authenticate(Request request, Response response)
  +private Context getSecurityContext()
   {
  +Context securityCtx = null;
  +// Get the JBoss security manager from the ENC context
  +try
  +{
  +InitialContext iniCtx = new InitialContext();
  +securityCtx = (Context) iniCtx.lookup(java:comp/env/security);
  +}
  +catch(NamingException e)
  +{
  +// Apparently there is no security context?
  +}
  +return securityCtx;
  +}
  +
  +public int authenticate(Request request, Response response)
  +{
   /* Get the username credentials from the request. We dont check
   that they are null as the security domain may consider this
   a valid indication of an unauthenticated user requesting
   anonymous access.
   */
  - Hashtable credentialMap = new Hashtable();
  - SecurityTools.credentials(request, credentialMap);
  - String username = (String) credentialMap.get(username);
  +Hashtable credentialMap = new Hashtable();
  +SecurityTools.credentials(request, credentialMap);
  +String username = (String) credentialMap.get(username);
   String password = (String) credentialMap.get(password);
   
   // If we don't have a security context security is not required
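Review bot: The `catch(NamingException e)` in the new `getSecurityContext()` is empty, so a broken JNDI setup and a web application that simply has no security domain both come back as `null` with nothing logged. authenticate() then returns 0 on that null, which makes a misconfigured security binding hard to tell from an unsecured deployment. Logging the exception, for example `category.debug("No java:comp/env/security context", e);`, keeps the behaviour and leaves a trace. The same helper is added with the same empty catch in revisions 1.1.2.4 and 1.3 further down this page; on Branch_2_2 the trace would have to go through the `debug` flag instead of `category`.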
  @@ -144,7 +160,7 @@
   
   String username = request.getRemoteUser(); 
   if( username == null )
  -return HttpServletResponse.SC_UNAUTHORIZED;
  +return 401;
   
   /* Make sure the thread context class loader it set ot the servlet
   class loader. The Jdk12Interceptor should be handling this but
  @@ -164,7 +180,6 @@
   {
   if( scl != cl )
   Thread.currentThread().setContextClassLoader(scl);
  -
   boolean userHasRole = false;
   Set requiredRoles = new HashSet(Arrays.asList(roles));
   // Get the JBoss security manager from the ENC context
  @@ -177,7 +192,7 @@
   }
   else
   {
  -category.warn(no security context available);
  +category.warn(Warning: no security context available);
   }
   
   if( userHasRole )
  @@ -190,13 +205,13 @@
   else
   {
   category.debug(User: +username+ is NOT authorized, 
requiredRoles=+requiredRoles);
  -code = HttpServletResponse.SC_FORBIDDEN;
  +code = 401;
   }
   }
   catch(NamingException e)
   {
   category.error(Error during authorize, e);
  -code = HttpServletResponse.SC_UNAUTHORIZED;
  +code = 401;
   }
   finally
   {
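Review bot: `code = 401` in the not-authorized branch replaces `HttpServletResponse.SC_FORBIDDEN`, so a user who authenticated but lacks the role now gets the same status as one who never logged in. 401 asks the client to present credentials again, while 403 is the status for an authenticated caller who is not permitted. Unless the Tomcat interceptor chain needs 401 here (not visible in this hunk), keep the distinction, e.g. `code = 403; // authenticated, but not in requiredRoles`. The bare literals in this hunk and in the -144 hunk would also read better as named constants if the servlet import has to go. authorize() starts and ends outside the hunk.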
  @@ -205,22 +220,6 @@
   }

   

[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-06-12 Thread starksm

  User: starksm 
  Date: 01/06/12 12:50:16

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_2
JBossSecurityMgrRealm.java
  Log:
  Handle getting called to authenticate a user when there is no
  JBoss security context
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.1.2.4   +41 -10
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.1.2.3
  retrieving revision 1.1.2.4
  diff -u -r1.1.2.3 -r1.1.2.4
  --- JBossSecurityMgrRealm.java2001/05/31 01:45:31 1.1.2.3
  +++ JBossSecurityMgrRealm.java2001/06/12 19:50:16 1.1.2.4
  @@ -5,12 +5,13 @@
   import java.util.Hashtable;
   import java.util.HashSet;
   import java.util.Set;
  +import javax.naming.Context;
   import javax.naming.InitialContext;
   import javax.naming.NamingException;
   import javax.security.auth.Subject;
   
   import org.apache.tomcat.core.BaseInterceptor;
  -import org.apache.tomcat.core.Context;
  +import org.apache.tomcat.core.TomcatException;
   import org.apache.tomcat.core.Request;
   import org.apache.tomcat.core.Response;
   import org.apache.tomcat.util.SecurityTools;
  @@ -35,7 +36,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.1.2.3 $
  +@version $Revision: 1.1.2.4 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -68,6 +69,22 @@
   this.debug = debug;
   }
   
  +private Context getSecurityContext()
  +{
  +Context securityCtx = null;
  +// Get the JBoss security manager from the ENC context
  +try
  +{
  +InitialContext iniCtx = new InitialContext();
  +securityCtx = (Context) iniCtx.lookup(java:comp/env/security);
  +}
  +catch(NamingException e)
  +{
  +// Apparently there is no security context?
  +}
  +return securityCtx;
  +}
  +
   public int authenticate(Request request, Response response)
   {
   /* Get the username credentials from the request. We dont check
  @@ -80,6 +97,11 @@
   String username = (String) credentialMap.get(username);
   String password = (String) credentialMap.get(password);
   
  +// If we don't have a security context security is not required
  +Context securityCtx = getSecurityContext();
  +if( securityCtx == null )
  +return 0;
  +
   /* Make sure the thread context class loader it set ot the servlet
   class loader. The Jdk12Interceptor should be handling this but
   it does not do it for the authenticate/authorize phases of a
  @@ -98,14 +120,13 @@
   if( scl != cl )
   Thread.currentThread().setContextClassLoader(scl);
   // Get the JBoss security manager from the ENC context
  -InitialContext iniCtx = new InitialContext();
  -EJBSecurityManager securityMgr = (EJBSecurityManager) 
iniCtx.lookup(java:comp/env/security/securityMgr);
  +EJBSecurityManager securityMgr = (EJBSecurityManager) 
securityCtx.lookup(securityMgr);
   SimplePrincipal principal = new SimplePrincipal(username);
   if( securityMgr.isValid(principal, password) )
   {
   request.setRemoteUser(username);
   request.setUserPrincipal(principal);
  -Context ctx = request.getContext();
  +org.apache.tomcat.core.Context ctx = request.getContext();
   if (ctx != null)
   request.setAuthType(ctx.getAuthMethod());
   System.out.println(User: +username+ is authenticated);
  @@ -167,12 +188,22 @@
   {
   if( scl != cl )
   Thread.currentThread().setContextClassLoader(scl);
  -// Get the JBoss security manager from the ENC context
  -InitialContext iniCtx = new InitialContext();
  -RealmMapping securityMgr = (RealmMapping) 
iniCtx.lookup(java:comp/env/security/realmMapping);
  -SimplePrincipal principal = new SimplePrincipal(username);
  +boolean userHasRole = false;
   Set requiredRoles = new HashSet(Arrays.asList(roles));
  -if( securityMgr.doesUserHaveRole(principal, requiredRoles) )
  +// Get the JBoss security manager from the ENC context
  +Context securityCtx = getSecurityContext();
  +if( securityCtx != null )
  +{
  +RealmMapping securityMgr = (RealmMapping) 
securityCtx.lookup(realmMapping);
  +

[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-06-12 Thread starksm

  User: starksm 
  Date: 01/06/12 13:02:31

  Modified:tomcat/src/main/org/jboss/tomcat/security
JBossSecurityMgrRealm.java
  Log:
  Handle authentication callback when there is no JBoss security context
  
  Revision  ChangesPath
  1.3   +41 -10
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- JBossSecurityMgrRealm.java2001/05/31 01:43:23 1.2
  +++ JBossSecurityMgrRealm.java2001/06/12 20:02:31 1.3
  @@ -5,6 +5,7 @@
   import java.util.Hashtable;
   import java.util.HashSet;
   import java.util.Set;
  +import javax.naming.Context;
   import javax.naming.InitialContext;
   import javax.naming.NamingException;
   import javax.security.auth.Subject;
  @@ -12,7 +13,6 @@
   
   import org.apache.log4j.Category;
   import org.apache.tomcat.core.BaseInterceptor;
  -import org.apache.tomcat.core.Context;
   import org.apache.tomcat.core.Request;
   import org.apache.tomcat.core.Response;
   import org.apache.tomcat.util.SecurityTools;
  @@ -37,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.2 $
  +@version $Revision: 1.3 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -74,6 +74,11 @@
String username = (String) credentialMap.get(username);
   String password = (String) credentialMap.get(password);
   
  +// If we don't have a security context security is not required
  +Context securityCtx = getSecurityContext();
  +if( securityCtx == null )
  +return 0;
  +
   /* Make sure the thread context class loader it set ot the servlet
   class loader. The Jdk12Interceptor should be handling this but
   it does not do it for the authenticate/authorize phases of a
  @@ -92,14 +97,13 @@
   if( scl != cl )
   Thread.currentThread().setContextClassLoader(scl);
   // Get the JBoss security manager from the ENC context
  -InitialContext iniCtx = new InitialContext();
  -EJBSecurityManager securityMgr = (EJBSecurityManager) 
iniCtx.lookup(java:comp/env/security/securityMgr);
  +EJBSecurityManager securityMgr = (EJBSecurityManager) 
securityCtx.lookup(securityMgr);
   SimplePrincipal principal = new SimplePrincipal(username);
   if( securityMgr.isValid(principal, password) )
   {
   request.setRemoteUser(username);
   request.setUserPrincipal(principal);
  -Context ctx = request.getContext();
  +org.apache.tomcat.core.Context ctx = request.getContext();
   if (ctx != null)
   request.setAuthType(ctx.getAuthMethod());
   category.debug(User: +username+ is authenticated);
  @@ -160,12 +164,23 @@
   {
   if( scl != cl )
   Thread.currentThread().setContextClassLoader(scl);
  -// Get the JBoss security manager from the ENC context
  -InitialContext iniCtx = new InitialContext();
  -RealmMapping securityMgr = (RealmMapping) 
iniCtx.lookup(java:comp/env/security/realmMapping);
  -SimplePrincipal principal = new SimplePrincipal(username);
  +
  +boolean userHasRole = false;
   Set requiredRoles = new HashSet(Arrays.asList(roles));
  -if( securityMgr.doesUserHaveRole(principal, requiredRoles) )
  +// Get the JBoss security manager from the ENC context
  +Context securityCtx = getSecurityContext();
  +if( securityCtx != null )
  +{
  +RealmMapping securityMgr = (RealmMapping) 
securityCtx.lookup(realmMapping);
  +SimplePrincipal principal = new SimplePrincipal(username);
  +userHasRole = securityMgr.doesUserHaveRole(principal, 
requiredRoles);
  +}
  +else
  +{
  +category.warn(no security context available);
  +}
  +
  +if( userHasRole )
   {
   // Need to get roles from the security mgr. Needs updated 
interface...
   String userRoles[] = {};
  @@ -190,6 +205,22 @@
   }

   return code;
  +}
  +
  +private Context getSecurityContext()
  +{
  +Context securityCtx = null;
  +// Get the JBoss security manager from the ENC context
  +try
  +{
  +InitialContext iniCtx = new InitialContext();
  +securityCtx = (Context) 

[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-05-30 Thread starksm

  User: starksm 
  Date: 01/05/30 09:29:23

  Modified:tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_2
JBossSecurityMgrRealm.java
  Log:
  Update the not authorized msg
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.1.2.2   +6 -6  
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.1.2.1
  retrieving revision 1.1.2.2
  diff -u -r1.1.2.1 -r1.1.2.2
  --- JBossSecurityMgrRealm.java2001/05/24 15:36:40 1.1.2.1
  +++ JBossSecurityMgrRealm.java2001/05/30 16:29:23 1.1.2.2
  @@ -35,7 +35,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.1.2.1 $
  +@version $Revision: 1.1.2.2 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -68,16 +68,16 @@
   this.debug = debug;
   }
   
  - public int authenticate(Request request, Response response)
  +public int authenticate(Request request, Response response)
   {
   /* Get the username credentials from the request. We dont check
   that they are null as the security domain may consider this
   a valid indication of an unauthenticated user requesting
   anonymous access.
   */
  - Hashtable credentialMap = new Hashtable();
  - SecurityTools.credentials(request, credentialMap);
  - String username = (String) credentialMap.get(username);
  +Hashtable credentialMap = new Hashtable();
  +SecurityTools.credentials(request, credentialMap);
  +String username = (String) credentialMap.get(username);
   String password = (String) credentialMap.get(password);
   
   /* Make sure the thread context class loader it set ot the servlet
  @@ -180,7 +180,7 @@
   }
   else
   {
  -System.out.println(User: +username+ is not authorized);
  +System.out.println(User: +username+ is NOT authorized, 
requiredRoles=+requiredRoles);
   code = 401;
   }
   }
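Review bot: The denial message is written with `System.out.println` outside any `if( debug )` guard visible here, and it concatenates the request-supplied `username` straight into the line. A user name containing line breaks could forge extra entries in whatever captures stdout, so control characters should be stripped before printing. If the line is trace output it belongs behind the `debug` flag like the class-loader printlns in revision 1.1.2.1; if it is meant as an audit record, a comment should say so. The `is authenticated` and `NOT authenticated` printlns introduced in revision 1.1.2.1 further down have the same issue.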
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-05-30 Thread starksm

  User: starksm 
  Date: 01/05/30 18:43:23

  Modified:tomcat/src/main/org/jboss/tomcat/security
JBossSecurityMgrRealm.java
  Log:
  Add request.setUserPrincipal(principal) call as tomcat 3.2.2 no
  longer generates the user principal from the remote user
  
  Revision  ChangesPath
  1.2   +7 -5  
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- JBossSecurityMgrRealm.java2001/05/11 19:06:26 1.1
  +++ JBossSecurityMgrRealm.java2001/05/31 01:43:23 1.2
  @@ -8,6 +8,7 @@
   import javax.naming.InitialContext;
   import javax.naming.NamingException;
   import javax.security.auth.Subject;
  +import javax.servlet.http.HttpServletResponse;
   
   import org.apache.log4j.Category;
   import org.apache.tomcat.core.BaseInterceptor;
  @@ -36,7 +37,7 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.1 $
  +@version $Revision: 1.2 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  @@ -97,6 +98,7 @@
   if( securityMgr.isValid(principal, password) )
   {
   request.setRemoteUser(username);
  +request.setUserPrincipal(principal);
   Context ctx = request.getContext();
   if (ctx != null)
   request.setAuthType(ctx.getAuthMethod());
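Review bot: `request.setUserPrincipal(principal)` looks redundant next to `setRemoteUser(username)`, and the reason for it lives only in the commit log. A comment on the new line, such as `// tomcat 3.2.2 no longer derives the user principal from the remote user`, would stop a later cleanup from removing it. The enclosing `if` block continues outside the hunk.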
  @@ -138,7 +140,7 @@
   
   String username = request.getRemoteUser(); 
   if( username == null )
  -return 401;
  +return HttpServletResponse.SC_UNAUTHORIZED;
   
   /* Make sure the thread context class loader it set ot the servlet
   class loader. The Jdk12Interceptor should be handling this but
  @@ -172,14 +174,14 @@
   }
   else
   {
  -category.debug(User: +username+ is not authorized);
  -code = 401;
  +category.debug(User: +username+ is NOT authorized, 
requiredRoles=+requiredRoles);
  +code = HttpServletResponse.SC_FORBIDDEN;
   }
   }
   catch(NamingException e)
   {
   category.error(Error during authorize, e);
  -code = 401;
  +code = HttpServletResponse.SC_UNAUTHORIZED;
   }
   finally
   {
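Review bot: The `catch(NamingException e)` branch now sets `code = HttpServletResponse.SC_UNAUTHORIZED`, which reports a server-side JNDI failure to the client as a request for credentials. Failing closed is right, but `code = HttpServletResponse.SC_INTERNAL_SERVER_ERROR;` describes the condition and avoids a pointless login prompt. That assumes the interceptor chain passes the code through unchanged, which this hunk does not show. authorize() starts and ends outside the hunk.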
  
  
  




[JBoss-dev] CVS update: contrib/tomcat/src/main/org/jboss/tomcat/security JBossSecurityMgrRealm.java

2001-05-24 Thread starksm

  User: starksm 
  Date: 01/05/24 08:36:40

  Added:   tomcat/src/main/org/jboss/tomcat/security Tag: Branch_2_2
JBossSecurityMgrRealm.java
  Log:
  Merge 2.3 changes into 2.2 branch
  
  Revision  ChangesPath
  No   revision
  
  
  No   revision
  
  
  1.1.2.1   +28 -19
contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java
  
  Index: JBossSecurityMgrRealm.java
  ===
  RCS file: 
/cvsroot/jboss/contrib/tomcat/src/main/org/jboss/tomcat/security/JBossSecurityMgrRealm.java,v
  retrieving revision 1.1
  retrieving revision 1.1.2.1
  diff -u -r1.1 -r1.1.2.1
  --- JBossSecurityMgrRealm.java2001/05/11 19:06:26 1.1
  +++ JBossSecurityMgrRealm.java2001/05/24 15:36:40 1.1.2.1
  @@ -9,7 +9,6 @@
   import javax.naming.NamingException;
   import javax.security.auth.Subject;
   
  -import org.apache.log4j.Category;
   import org.apache.tomcat.core.BaseInterceptor;
   import org.apache.tomcat.core.Context;
   import org.apache.tomcat.core.Request;
  @@ -36,13 +35,13 @@
   @see org.jboss.security.SubjectSecurityManager
   
   @author [EMAIL PROTECTED]
  -@version $Revision: 1.1 $
  +@version $Revision: 1.1.2.1 $
   */
   public class JBossSecurityMgrRealm extends BaseInterceptor
   {
  -static Category category = 
Category.getInstance(JBossSecurityMgrRealm.class.getName());
  -public String subjectAttributeName = j_subject;
  -public boolean useJAAS = false;
  +private String subjectAttributeName = j_subject;
  +private boolean useJAAS = false;
  +private boolean debug = false;
   
   /** A flag to indicate if the security manager implements the 
SubjectSecurityManager
rather than EJBSecurityManager. When true, the authenticated Subject is 
obtained
  @@ -60,6 +59,14 @@
   {
   this.subjectAttributeName = subjectAttributeName;
   }
  +public boolean getDebug()
  +{
  +return debug;
  +}
  +public void setDebug(boolean debug)
  +{
  +this.debug = debug;
  +}
   
public int authenticate(Request request, Response response)
   {
  @@ -80,11 +87,11 @@
*/
   ClassLoader cl = Thread.currentThread().getContextClassLoader();
   ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  -if( category.isDebugEnabled() )
  +if( debug )
   {
  -category.debug(Authenticating access, username:  + username +   
+request);
  -category.debug(ClassLoader: +cl.toString()+':'+cl.hashCode());
  -category.debug(Servlet ClassLoader: 
+scl.toString()+':'+cl.hashCode());
  +System.out.println(Authenticating access, username:  + username +   
+request);
  +System.out.println(ClassLoader: +cl.toString()+':'+cl.hashCode());
  +System.out.println(Servlet ClassLoader: 
+scl.toString()+':'+cl.hashCode());
   }
   try
   {
  @@ -100,7 +107,7 @@
   Context ctx = request.getContext();
   if (ctx != null)
   request.setAuthType(ctx.getAuthMethod());
  -category.debug(User: +username+ is authenticated);
  +System.out.println(User: +username+ is authenticated);
   SecurityAssociation.setPrincipal(principal);
   SecurityAssociation.setCredential(password.toCharArray());
   if( useJAAS == true  securityMgr instanceof 
SubjectSecurityManager )
  @@ -112,12 +119,13 @@
   }
   else
   {
  -category.debug(User: +username+ is NOT authenticated);
  +System.out.println(User: +username+ is NOT authenticated);
   }
   }
   catch(NamingException e)
   {
  -category.error(Error during authenticate, e);
  +System.out.println(Error during authenticate);
  +e.printStackTrace();
   }
   finally
   {
  @@ -147,11 +155,11 @@
*/
   ClassLoader cl = Thread.currentThread().getContextClassLoader();
   ClassLoader scl = request.getContext().getServletLoader().getClassLoader();
  -if( category.isDebugEnabled() )
  +if( debug )
   {
  -category.debug(Authorizing access, username:  + username +   
+request);
  -category.debug(ClassLoader: +cl.toString()+':'+cl.hashCode());
  -category.debug(Servlet ClassLoader: 
+scl.toString()+':'+cl.hashCode());
  +System.out.println(Authorizing access, username:  + username +   
+request);
  +System.out.println(ClassLoader: +cl.toString()+':'+cl.hashCode());
  +System.out.println(Servlet ClassLoader: 
+scl.toString()+':'+cl.hashCode());
   }
   int code = 0;
   try