User: cgjung  
  Date: 02/03/15 02:04:25

  Modified:    jboss.net/src/main/org/jboss/net/axis/server Constants.java
  Added:       jboss.net/src/main/org/jboss/net/axis/server
                        JBossAuthenticationHandler.java
                        JBossAuthorizationHandler.java
  Log:
  security for jboss.net has finally arrived (although the corresponding testcases
  still need to be checked in).
  
  Revision  Changes    Path
  1.9       +73 -44    
contrib/jboss.net/src/main/org/jboss/net/axis/server/Constants.java
  
  Index: Constants.java
  ===================================================================
  RCS file: 
/cvsroot/jboss/contrib/jboss.net/src/main/org/jboss/net/axis/server/Constants.java,v
  retrieving revision 1.8
  retrieving revision 1.9
  diff -u -r1.8 -r1.9
  --- Constants.java    1 Mar 2002 22:12:57 -0000       1.8
  +++ Constants.java    15 Mar 2002 10:04:24 -0000      1.9
  @@ -5,59 +5,88 @@
    * See terms of license at gnu.org.
    */
   
  -// $Id: Constants.java,v 1.8 2002/03/01 22:12:57 cgjung Exp $
  +// $Id: Constants.java,v 1.9 2002/03/15 10:04:24 cgjung Exp $
   
   package org.jboss.net.axis.server;
   
   /**
    * Some Constants for the axis package
  + * <br>
  + * <h3>Change History</h3>
  + * <ul>
  + * <li> jung, 15.03.2002: Added a few security related option keys. </li>
  + * </ul>
    * @author <a href="mailto:[EMAIL PROTECTED]";>Christoph G. Jung</a>
    * @created 28. September 2001
  - * @version $Revision: 1.8 $
  + * @version $Revision: 1.9 $
    */
   
   public interface Constants extends org.jboss.net.Constants {
   
  -    static final String DOMAIN="jboss.net";
  -    static final String NAME = "Axis";
  -    static final String TYPE="service";
  -    static final String 
SERVER_DELEGATE_NAME="JMImplementation:type=MBeanServerDelegate";
  -    static final String SERVER_ID_ATTRIBUTE="MBeanServerId";
  -    static final String AXIS_DEPLOYMENT_DESCRIPTOR="META-INF/install-axis.xml";
  -    static final String AXIS_DEPLOY_DIR="_axis_";
  -    static final String WEB_DEPLOYMENT_DESCRIPTOR="/WEB-INF/web.xml";
  -    static final String JBOSS_WEB_DEPLOYMENT_DESCRIPTOR="/WEB-INF/jboss-web.xml";
  -    static final String DEFAULT_ROOT_CONTEXT="axis";
  -    static final String WSR_FILE_EXTENSION=".wsr";
  -    static final String XML_FILE_EXTENSION=".xml";
  -    static final String AXIS_ENGINE_ATTRIBUTE="AxisEngine";
  -    static final String GET_AXIS_SERVER_METHOD_NAME="getAxisServer";
  -    static final String AXIS_CONFIGURATION_FILE="axis-config.xml";
  -    static final String WEB_SERVICE_DESCRIPTOR="META-INF/web-service.xml";
  -
  -    static final String AXIS_DEPLOYMENT_DESCRIPTOR_NOT_FOUND="The axis deployment 
descriptor is lacking in the service archive!";
  -    static final String ABOUT_TO_DEPLOY_0_UNDER_CONTEXT_1="About to deploy axis web 
application from {0} under context {1}.";
  -    static final String AXIS_ALREADY_STARTED="Axis has already been started.";
  -    static final String ABOUT_TO_UNDEPLOY_0="About to undeploy axis web application 
from {0}.";
  -    static final String COULD_NOT_STOP_AXIS="Could not correctly stop Axis.";
  -    static final String AXIS_ALREADY_STOPPED="Axis has already been stopped.";
  -    static final String SET_WAR_DEPLOYER_0="Seting WarDeployerName to {0}.";
  -    static final String SET_ROOT_CONTEXT_0="Seting RootContext to {0}.";
  -    static final String SET_SECURITY_DOMAIN_TO_0="Setting Security Domain to {0}.";
  -    static final String ABOUT_TO_CREATE_AXIS_0="About to deploy axis descriptor 
{0}, create step.";
  -    static final String ABOUT_TO_START_AXIS_0="About to deploy axis descriptor {0}, 
start step.";
  -    static final String ABOUT_TO_STOP_AXIS_0="About to undeploy axis descriptor 
{0}, stop step.";
  -    static final String ABOUT_TO_DESTROY_AXIS_0="About to undeploy axis descriptor 
{0}, destroy step.";
  -    static final String COULD_NOT_DEPLOY_DESCRIPTOR="Could not deploy axis 
descriptor.";
  -    static final String COULD_NOT_FIND_AXIS_CONFIGURATION_0="Could not find the 
axis configuration file {0}.";
  -    static final String NO_VALID_WEB_SERVICE_DESCRIPTOR="Could not find a valid web 
service descriptor.";
  -    static final String COULD_NOT_DEPLOY="Could not deploy url.";
  -    static final String COULD_NOT_UNDEPLOY="Could not undeploy url.";
  -    static final String COULD_NOT_COPY_URL="Could not download url.";
  -    static final String CANNOT_CHANGE_ROOT_CONTEXT="Cannot change root context 
while service is running. Stop first.";
  -    static final String AXIS_SERVER_CONTEXT_OCCUPIED="There is already an Axis 
service running under that root context.";
  -    static final String EJB_REF_MUST_HAVE_UNIQUE_NAME="An ejb-ref element must have 
a unique ejb-ref-name element.";
  -    static final String EJB_REF_MUST_HAVE_UNIQUE_LINK="An ejb-ref element must have 
a unique ejb-link element.";
  -    static final String CANNOT_FIND_WEB_DEPLOYER="Could not find a suitable web 
container.";
  +   /** programmatic constants */
  +   static final String DOMAIN = "jboss.net";
  +   static final String NAME = "Axis";
  +   static final String TYPE = "service";
  +   static final String SERVER_DELEGATE_NAME =
  +      "JMImplementation:type=MBeanServerDelegate";
  +   static final String SERVER_ID_ATTRIBUTE = "MBeanServerId";
  +   static final String AXIS_DEPLOYMENT_DESCRIPTOR = "META-INF/install-axis.xml";
  +   static final String AXIS_DEPLOY_DIR = "_axis_";
  +   static final String WEB_DEPLOYMENT_DESCRIPTOR = "/WEB-INF/web.xml";
  +   static final String JBOSS_WEB_DEPLOYMENT_DESCRIPTOR = "/WEB-INF/jboss-web.xml";
  +   static final String DEFAULT_ROOT_CONTEXT = "axis";
  +   static final String WSR_FILE_EXTENSION = ".wsr";
  +   static final String XML_FILE_EXTENSION = ".xml";
  +   static final String AXIS_ENGINE_ATTRIBUTE = "AxisEngine";
  +   static final String GET_AXIS_SERVER_METHOD_NAME = "getAxisServer";
  +   static final String AXIS_CONFIGURATION_FILE = "axis-config.xml";
  +   static final String WEB_SERVICE_DESCRIPTOR = "META-INF/web-service.xml";
  +
  +   /** constants referring to options in the axis messagecontext or handler options 
*/
  +   static final String ALLOWED_ROLES_OPTION = "allowedRoles";
  +   static final String DENIED_ROLES_OPTION = "deniedRoles";
  +   static final String SECURITY_DOMAIN_OPTION = "securityDomain";
  +
  +   /** message id constants are english raw messages at the same time */
  +   static final String AXIS_DEPLOYMENT_DESCRIPTOR_NOT_FOUND =
  +      "The axis deployment descriptor is lacking in the service archive!";
  +   static final String ABOUT_TO_DEPLOY_0_UNDER_CONTEXT_1 =
  +      "About to deploy axis web application from {0} under context {1}.";
  +   static final String AXIS_ALREADY_STARTED = "Axis has already been started.";
  +   static final String ABOUT_TO_UNDEPLOY_0 =
  +      "About to undeploy axis web application from {0}.";
  +   static final String COULD_NOT_STOP_AXIS = "Could not correctly stop Axis.";
  +   static final String AXIS_ALREADY_STOPPED = "Axis has already been stopped.";
  +   static final String SET_WAR_DEPLOYER_0 = "Seting WarDeployerName to {0}.";
  +   static final String SET_ROOT_CONTEXT_0 = "Seting RootContext to {0}.";
  +   static final String SET_SECURITY_DOMAIN_TO_0 =
  +      "Setting Security Domain to {0}.";
  +   static final String ABOUT_TO_CREATE_AXIS_0 =
  +      "About to deploy axis descriptor {0}, create step.";
  +   static final String ABOUT_TO_START_AXIS_0 =
  +      "About to deploy axis descriptor {0}, start step.";
  +   static final String ABOUT_TO_STOP_AXIS_0 =
  +      "About to undeploy axis descriptor {0}, stop step.";
  +   static final String ABOUT_TO_DESTROY_AXIS_0 =
  +      "About to undeploy axis descriptor {0}, destroy step.";
  +   static final String COULD_NOT_DEPLOY_DESCRIPTOR =
  +      "Could not deploy axis descriptor.";
  +   static final String COULD_NOT_FIND_AXIS_CONFIGURATION_0 =
  +      "Could not find the axis configuration file {0}.";
  +   static final String NO_VALID_WEB_SERVICE_DESCRIPTOR =
  +      "Could not find a valid web service descriptor.";
  +   static final String COULD_NOT_DEPLOY = "Could not deploy url.";
  +   static final String COULD_NOT_UNDEPLOY = "Could not undeploy url.";
  +   static final String COULD_NOT_COPY_URL = "Could not download url.";
  +   static final String CANNOT_CHANGE_ROOT_CONTEXT =
  +      "Cannot change root context while service is running. Stop first.";
  +   static final String AXIS_SERVER_CONTEXT_OCCUPIED =
  +      "There is already an Axis service running under that root context.";
  +   static final String EJB_REF_MUST_HAVE_UNIQUE_NAME =
  +      "An ejb-ref element must have a unique ejb-ref-name element.";
  +   static final String EJB_REF_MUST_HAVE_UNIQUE_LINK =
  +      "An ejb-ref element must have a unique ejb-link element.";
  +   static final String CANNOT_FIND_WEB_DEPLOYER =
  +      "Could not find a suitable web container.";
   
  -}
  +}
  \ No newline at end of file
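Review bot: The three option keys added under `/** constants referring to options in the axis messagecontext or handler options */` say nothing about the values they carry, although the handlers in this same commit fix their format: `securityDomain` is a JNDI name that must resolve to the security manager / realm mapping, `allowedRoles` and `deniedRoles` are comma-separated role names with `*` standing for anybody, and `allowedRoles` falls back to `*` when the option is absent, i.e. the default lets everyone through. That contract belongs on the Javadoc, e.g. `/** handler options: securityDomain = JNDI name of the security domain; allowedRoles, deniedRoles = comma-separated role names, "*" = anybody; allowedRoles defaults to "*" (open) when unset */`. The rewritten `SET_WAR_DEPLOYER_0` and `SET_ROOT_CONTEXT_0` lines also carry over the `Seting` misspelling; if these strings are only ever emitted as log text and not looked up as keys, correcting them in the same touch is cheap.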
  
  
  
  1.1                  
contrib/jboss.net/src/main/org/jboss/net/axis/server/JBossAuthenticationHandler.java
  
  Index: JBossAuthenticationHandler.java
  ===================================================================
  /*
   * JBoss, the OpenSource J2EE webOS
   *
   * Distributable under LGPL license.
   * See terms of license at gnu.org.
   */
  
  // $Id: JBossAuthenticationHandler.java,v 1.1 2002/03/15 10:04:24 cgjung Exp $
  
  package org.jboss.net.axis.server;
  
  import org.apache.axis.AxisFault;
  import org.apache.axis.handlers.BasicHandler;
  import org.apache.axis.MessageContext;
  
  import org.jboss.security.SimplePrincipal;
  import org.jboss.security.NobodyPrincipal;
  import org.jboss.security.SecurityAssociation;
  import org.jboss.security.SubjectSecurityManager;
  
  import javax.naming.InitialContext;
  import javax.naming.NamingException;
  
  import java.security.Principal;
  import javax.security.auth.Subject;
  
  /**
   * AuthenticationHandler that interacts with a given JBoss authentication
   * manager via default simple principals and passchars from the HTTP Basic Authentication.
   * Derived from org.apache.axis.handlers.SimpleAuthenticationHandler.
   * Note that this is somewhat redundant to the WebContainer security, but we want
   * to be able to install different such handlers for different
   * web services behind a single entry-point.
   * <br>
   * <h3>Change History</h3>
   * <ul>
   * <li> jung, 15.03.2002: Added security domain option. </li>
   * </ul>
   * <br>
   * <h3>To Do</h3>
   * <ul>
   * <li> jung, 14.03.2002: Cache simple principals. Principal factory for
   * interacting with various security domains.
   * </ul>
   * @author <a href="mailto:[EMAIL PROTECTED]";>Christoph G. Jung</a>
   * @created 14.03.2002
   * @version $Revision: 1.1 $
   */
  
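  public class JBossAuthenticationHandler extends BasicHandler {

     //
     // Attributes
     //

     /**
      * whether this handler has been initialized already. Declared volatile so
      * that the double-checked initialisation in {@link #invoke} also publishes
      * the fields written by {@link #initialise} to other threads (this is only
      * guaranteed from the Java 5 memory model on).
      */
     protected volatile boolean isInitialised;

     /**
      * this is the authentication manager that is responsible for our security domain.
      * if that is null, this authenticationhandler will block any call; rather
      * deactivate the handler, then, or run against a NullSecurityManager
      */
     protected SubjectSecurityManager authMgr;

     //
     // Constructors
     //

     /** default, all options are set afterwards */
     public JBossAuthenticationHandler() {
     }

     //
     // Protected helpers
     //

     /**
      * initialize this authenticationhandler lazily, after the options have been
      * set. Looks up the SubjectSecurityManager bound in JNDI under the name given
      * by the {@link Constants#SECURITY_DOMAIN_OPTION} option; without that option
      * the manager stays null and every call is rejected by {@link #invoke}.
      * The initialised flag is raised last, after the manager has been stored,
      * so a reader that sees the flag also sees the manager, and a failed lookup
      * is retried on the next call instead of being remembered as
      * "no security domain".
      * @throws AxisFault if the security domain cannot be looked up in JNDI
      */
     protected void initialise() throws AxisFault {
        SubjectSecurityManager manager = null;
        String securityDomain = (String) getOption(Constants.SECURITY_DOMAIN_OPTION);
        if (securityDomain != null) {
           try {
              // bind against the jboss security subsystem
              manager =
                 (SubjectSecurityManager) new InitialContext().lookup(securityDomain);
           } catch (NamingException e) {
              throw new AxisFault(
                 "Could not lookup associated security domain " + securityDomain,
                 e);
           }
        }
        authMgr = manager;
        // publish last: readers that observe the flag also observe authMgr
        isInitialised = true;
     }

     /**
      * creates a new principal belonging to the given username,
      * override to adapt to specific security domains.
      * @param userName the user name from the message context, may be null
      * @return the nobody principal for a null name, a SimplePrincipal otherwise
      */
     protected Principal getPrincipal(String userName) {
        if (userName == null) {
           return NobodyPrincipal.NOBODY_PRINCIPAL;
        } else {
           return new SimplePrincipal(userName);
        }
     }

     /**
      * validates the given principal with the given password against the
      * authentication manager. The nobody principal (no user name was given)
      * is let through without validation; it is up to the authorization
      * handler in the chain to decide what an anonymous caller may do.
      * @param userPrincipal the principal built by {@link #getPrincipal}
      * @param passwd the password from the message context, may be null
      * @throws AxisFault if the manager rejects the principal/password pair
      */
     protected void validate(Principal userPrincipal, String passwd) throws AxisFault {
        // build passchars
        char[] passChars = passwd != null ? passwd.toCharArray() : null;
        // have to use pointer comparison here, but it's a singleton, right?
        if (userPrincipal != NobodyPrincipal.NOBODY_PRINCIPAL
           && !authMgr.isValid(userPrincipal, passChars)) {
           throw new AxisFault("Could not authenticate user " + userPrincipal.getName());
        }
     }

     /**
      * associates the call context with the given info
      * @param userPrincipal the validated principal
      * @param passwd the password from the message context, may be null
      * @return the subject the security manager has activated for this association
      */
     protected Subject associate(Principal userPrincipal, String passwd) {
        // pointer comparison, again
        if (userPrincipal != NobodyPrincipal.NOBODY_PRINCIPAL) {
           SecurityAssociation.setPrincipal(userPrincipal);
           // a missing password is passed on as a null credential instead of
           // failing with a NullPointerException here; validate already
           // tolerates null, so the manager decides whether that is acceptable
           SecurityAssociation.setCredential(passwd != null ? passwd.toCharArray() : null);
        } else {
           // Jboss security does not like nobody:null
           SecurityAssociation.setPrincipal(null);
           SecurityAssociation.setCredential(null);
        }
        return authMgr.getActiveSubject();
     }

     //
     // API
     //

     /**
      * Authenticate the user and password from the msgContext. Note that
      * we do not disassociate the subject here, since that would have
      * to be done by a separate handler in the response chain and we
      * currently expect Jetty or the WebContainer to do that for us.
      * @param msgContext the axis message context carrying user name and password
      * @throws AxisFault if no security domain is associated or the
      *   credentials are rejected
      */
     public void invoke(MessageContext msgContext) throws AxisFault {

        // double-checked initialisation; relies on isInitialised being volatile
        if (!isInitialised) {
           synchronized (this) {
              if (!isInitialised) {
                 initialise();
              }
           }
        }

        // fail closed: without a manager nobody gets through
        if (authMgr == null) {
           throw new AxisFault("No security domain associated.");
        }

        // we take the id out of the message context
        String userID = msgContext.getUsername();
        // convert into a principal
        Principal userPrincipal = getPrincipal(userID);
        // the password that has been provided
        String passwd = msgContext.getPassword();
        // validate the user
        validate(userPrincipal, passwd);
        // associate the context
        Subject subject = associate(userPrincipal, passwd);
        // with the security subject
        msgContext.setProperty(MessageContext.AUTHUSER, subject);
     }

  }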
  
  
  1.1                  
contrib/jboss.net/src/main/org/jboss/net/axis/server/JBossAuthorizationHandler.java
  
  Index: JBossAuthorizationHandler.java
  ===================================================================
  /*
   * JBoss, the OpenSource J2EE webOS
   *
   * Distributable under LGPL license.
   * See terms of license at gnu.org.
   */
  
  // $Id: JBossAuthorizationHandler.java,v 1.1 2002/03/15 10:04:24 cgjung Exp $
  
  package org.jboss.net.axis.server;
  
  import org.apache.axis.AxisFault;
  import org.apache.axis.handlers.BasicHandler;
  import org.apache.axis.MessageContext;
  
  import org.jboss.security.SimplePrincipal;
  import org.jboss.security.AnybodyPrincipal;
  import org.jboss.security.NobodyPrincipal;
  import org.jboss.security.RealmMapping;
  
  import javax.naming.InitialContext;
  import javax.naming.NamingException;
  
  import java.security.Principal;
  import javax.security.auth.Subject;
  
  import java.util.StringTokenizer;
  import java.util.Set;
  import java.util.Iterator;
  import java.util.Collection;
  import java.util.Collections;
  
  /**
   * AuthorizationHandler that checks allowed and denied roles against the active
   * subject using a given realmMapping. Is somewhat redundant to what, e.g., the JBoss EJB invocation handler
   * does, but maybe we need this to shield access to other container resources
   * such as MBeans for which we will expose security-agnostic providers.
   * <br>
   * <h3>Change History</h3>
   * <ul>
   * <li> jung, 15.03.2002: Added security domain option. </li>
   * </ul>
   * <br>
   * <h3>To Do</h3>
   * <ul>
   * <li> jung, 14.03.2002: Cache simple principals. Principal factory for
   * interacting with various security domains.
   * </ul>
   * @author <a href="mailto:[EMAIL PROTECTED]";>Christoph G. Jung</a>
   * @created 14.03.2002
   * @version $Revision: 1.1 $
   */
  
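  public class JBossAuthorizationHandler extends BasicHandler {

     //
     // Attributes
     //

     /** the security domain against which we call */
     protected RealmMapping realmMapping;
     /** the roles that we want to let through */
     final protected Set rolesAllowed = new java.util.HashSet();
     /** the roles that we want to deny access */
     final protected Set rolesDenied = new java.util.HashSet();
     /**
      * whether this handler has been initialized. Declared volatile so that the
      * double-checked initialisation in {@link #invoke} also publishes the fields
      * written by {@link #initialise} to other threads (this is only guaranteed
      * from the Java 5 memory model on).
      */
     protected volatile boolean isInitialised;

     //
     // Constructors
     //

     /** default, all options are set afterwards */
     public JBossAuthorizationHandler() {
     }

     //
     // Protected helpers
     //

     /**
      * initializes the security domain and the roles checked by this handler.
      * The RealmMapping is looked up in JNDI under the name given by the
      * {@link Constants#SECURITY_DOMAIN_OPTION} option; without that option the
      * mapping stays null and every call is rejected by {@link #invoke}.
      * {@link Constants#ALLOWED_ROLES_OPTION} defaults to "*" (anybody) when
      * absent, i.e. the handler is open unless roles are configured;
      * {@link Constants#DENIED_ROLES_OPTION} has no default. Both are
      * comma-separated role names, see {@link #addRoles}.
      * The initialised flag is raised last, so a failed lookup is retried on
      * the next call instead of being remembered as "no security domain".
      * @throws AxisFault if the security domain cannot be looked up in JNDI
      */
     protected void initialise() throws AxisFault {
        RealmMapping mapping = null;
        String securityDomain = (String) getOption(Constants.SECURITY_DOMAIN_OPTION);
        if (securityDomain != null) {
           try {
              // bind against the jboss security subsystem
              mapping = (RealmMapping) new InitialContext().lookup(securityDomain);
           } catch (NamingException e) {
              throw new AxisFault("Could not lookup security domain " + securityDomain, e);
           }
        }

        // parse role options
        String allowedRoles = (String) getOption(Constants.ALLOWED_ROLES_OPTION);

        // default: let all through
        if (allowedRoles == null) {
           allowedRoles = "*";
        }
        addRoles(rolesAllowed, allowedRoles);

        String deniedRoles = (String) getOption(Constants.DENIED_ROLES_OPTION);
        if (deniedRoles != null) {
           addRoles(rolesDenied, deniedRoles);
        }

        realmMapping = mapping;
        // publish last: readers that observe the flag also observe the fields above
        isInitialised = true;
     }

     /**
      * parses a comma-separated list of role names into the given set of
      * principals. Surrounding whitespace is stripped and empty entries are
      * skipped, so that "admin, user" yields the role "user" and not the
      * never-matching " user"; for the denied list such a silently dead entry
      * would widen access, for the allowed list it would silently block it.
      * @param roles the set to add to
      * @param roleList the option value to parse
      */
     private void addRoles(Set roles, String roleList) {
        StringTokenizer tokenizer = new StringTokenizer(roleList, ",");
        while (tokenizer.hasMoreTokens()) {
           String role = tokenizer.nextToken().trim();
           if (role.length() > 0) {
              roles.add(getPrincipal(role));
           }
        }
     }

     /**
      * creates a new principal belonging to the given username,
      * override to adapt to specific security domains.
      * @param userName a role name from the options, never null here since it
      *   comes out of the tokenizer; "*" is mapped to the anybody principal
      * @return the anybody principal for "*", a SimplePrincipal otherwise
      */
     protected Principal getPrincipal(String userName) {
        if (userName.equals("*")) {
           return AnybodyPrincipal.ANYBODY_PRINCIPAL;
        } else {
           return new SimplePrincipal(userName);
        }
     }

     /**
      * returns a collection of principals that the context subject
      * is associated with. If no subject has been stored under
      * MessageContext.AUTHUSER (no authentication handler ran, or it produced
      * no subject), the caller is treated as the nobody principal.
      * @param msgContext the axis message context
      * @return the principals of the active subject, or a singleton nobody
      */
     protected Collection getAssociatedPrincipals(MessageContext msgContext) {
        // get the active subject
        Subject activeSubject =
           (Subject) msgContext.getProperty(MessageContext.AUTHUSER);
        if (activeSubject == null) {
           return Collections.singleton(NobodyPrincipal.NOBODY_PRINCIPAL);
        } else {
           return activeSubject.getPrincipals();
        }
     }

     /**
      * return whether the given Principal has one of the given roles;
      * delegated to the realm mapping of the security domain
      */
     protected boolean doesUserHaveRole(Principal principal, Set roles) {
        return realmMapping.doesUserHaveRole(principal, roles);
     }

     //
     // API
     //

     /**
      * Authorize the subject that the authentication handler stored in the
      * msgContext: a single principal of the subject matching a denied role
      * rejects the call, otherwise at least one principal must match an
      * allowed role. With the default allowed list "*" whether the anonymous
      * nobody principal gets through is decided by the realm mapping.
      * Note that we do not disassociate the subject here, since that would
      * have to be done by a separate handler in the response chain and we
      * currently expect Jetty or the WebContainer to do that for us.
      * @param msgContext the axis message context
      * @throws AxisFault if no security domain is associated or access is denied
      */
     public void invoke(MessageContext msgContext) throws AxisFault {

        // double-checked initialisation; relies on isInitialised being volatile
        if (!isInitialised) {
           synchronized (this) {
              if (!isInitialised) {
                 initialise();
              }
           }
        }

        // fail closed: without a realm mapping nobody gets through
        if (realmMapping == null) {
           throw new AxisFault("No security domain associated.");
        }

        Iterator allPrincipals = getAssociatedPrincipals(msgContext).iterator();
        boolean accessAllowed = false;
        while (allPrincipals.hasNext()) {
           Principal nextPrincipal = (Principal) allPrincipals.next();
           // a single denied is enough to exclude the access
           if (doesUserHaveRole(nextPrincipal, rolesDenied)) {
              accessAllowed = false;
              break;
           } else if (!accessAllowed && doesUserHaveRole(nextPrincipal, rolesAllowed)) {
              // allowed; keep scanning for a deny
              accessAllowed = true;
           }
        }

        if (!accessAllowed) {
           throw new AxisFault("Access denied.");
        }
     }
  }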
  
  
