User: cgjung Date: 02/03/15 02:04:25 Modified: jboss.net/src/main/org/jboss/net/axis/server Constants.java Added: jboss.net/src/main/org/jboss/net/axis/server JBossAuthenticationHandler.java JBossAuthorizationHandler.java Log: security for jboss.net has finally arrived (although the corresponding testcases still need to be checked-in). Revision Changes Path 1.9 +73 -44 contrib/jboss.net/src/main/org/jboss/net/axis/server/Constants.java Index: Constants.java =================================================================== RCS file: /cvsroot/jboss/contrib/jboss.net/src/main/org/jboss/net/axis/server/Constants.java,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- Constants.java 1 Mar 2002 22:12:57 -0000 1.8 +++ Constants.java 15 Mar 2002 10:04:24 -0000 1.9 
@@ -5,59 +5,88 @@ * See terms of license at gnu.org. */ -// $Id: Constants.java,v 1.8 2002/03/01 22:12:57 cgjung Exp $ +// $Id: Constants.java,v 1.9 2002/03/15 10:04:24 cgjung Exp $ package org.jboss.net.axis.server; /** * Some Constants for the axis package + * <br> + * <h3>Change History</h3> + * <ul> + * <li> jung, 15.03.2002: Added a few security related option keys. </li> + * </ul> * @author <a href="mailto:[EMAIL PROTECTED]">Christoph G. Jung</a> * @created 28. September 2001 - * @version $Revision: 1.8 $ + * @version $Revision: 1.9 $ */ public interface Constants extends org.jboss.net.Constants { - static final String DOMAIN="jboss.net"; - static final String NAME = "Axis"; - static final String TYPE="service"; - static final String SERVER_DELEGATE_NAME="JMImplementation:type=MBeanServerDelegate"; - static final String SERVER_ID_ATTRIBUTE="MBeanServerId"; - static final String AXIS_DEPLOYMENT_DESCRIPTOR="META-INF/install-axis.xml"; - static final String AXIS_DEPLOY_DIR="_axis_"; - static final String WEB_DEPLOYMENT_DESCRIPTOR="/WEB-INF/web.xml"; - static final String JBOSS_WEB_DEPLOYMENT_DESCRIPTOR="/WEB-INF/jboss-web.xml"; - static final String DEFAULT_ROOT_CONTEXT="axis"; - static final String WSR_FILE_EXTENSION=".wsr"; - static final String XML_FILE_EXTENSION=".xml"; - static final String AXIS_ENGINE_ATTRIBUTE="AxisEngine"; - static final String GET_AXIS_SERVER_METHOD_NAME="getAxisServer"; - static final String AXIS_CONFIGURATION_FILE="axis-config.xml"; - static final String WEB_SERVICE_DESCRIPTOR="META-INF/web-service.xml"; - - static final String AXIS_DEPLOYMENT_DESCRIPTOR_NOT_FOUND="The axis deployment descriptor is lacking in the service archive!"; - static final String ABOUT_TO_DEPLOY_0_UNDER_CONTEXT_1="About to deploy axis web application from {0} under context {1}."; - static final String AXIS_ALREADY_STARTED="Axis has already been started."; - static final String ABOUT_TO_UNDEPLOY_0="About to undeploy axis web application from {0}."; - static 
final String COULD_NOT_STOP_AXIS="Could not correctly stop Axis."; - static final String AXIS_ALREADY_STOPPED="Axis has already been stopped."; - static final String SET_WAR_DEPLOYER_0="Seting WarDeployerName to {0}."; - static final String SET_ROOT_CONTEXT_0="Seting RootContext to {0}."; - static final String SET_SECURITY_DOMAIN_TO_0="Setting Security Domain to {0}."; - static final String ABOUT_TO_CREATE_AXIS_0="About to deploy axis descriptor {0}, create step."; - static final String ABOUT_TO_START_AXIS_0="About to deploy axis descriptor {0}, start step."; - static final String ABOUT_TO_STOP_AXIS_0="About to undeploy axis descriptor {0}, stop step."; - static final String ABOUT_TO_DESTROY_AXIS_0="About to undeploy axis descriptor {0}, destroy step."; - static final String COULD_NOT_DEPLOY_DESCRIPTOR="Could not deploy axis descriptor."; - static final String COULD_NOT_FIND_AXIS_CONFIGURATION_0="Could not find the axis configuration file {0}."; - static final String NO_VALID_WEB_SERVICE_DESCRIPTOR="Could not find a valid web service descriptor."; - static final String COULD_NOT_DEPLOY="Could not deploy url."; - static final String COULD_NOT_UNDEPLOY="Could not undeploy url."; - static final String COULD_NOT_COPY_URL="Could not download url."; - static final String CANNOT_CHANGE_ROOT_CONTEXT="Cannot change root context while service is running. 
Stop first."; - static final String AXIS_SERVER_CONTEXT_OCCUPIED="There is already an Axis service running under that root context."; - static final String EJB_REF_MUST_HAVE_UNIQUE_NAME="An ejb-ref element must have a unique ejb-ref-name element."; - static final String EJB_REF_MUST_HAVE_UNIQUE_LINK="An ejb-ref element must have a unique ejb-link element."; - static final String CANNOT_FIND_WEB_DEPLOYER="Could not find a suitable web container."; + /** programmatic constants */ + static final String DOMAIN = "jboss.net"; + static final String NAME = "Axis"; + static final String TYPE = "service"; + static final String SERVER_DELEGATE_NAME = + "JMImplementation:type=MBeanServerDelegate"; + static final String SERVER_ID_ATTRIBUTE = "MBeanServerId"; + static final String AXIS_DEPLOYMENT_DESCRIPTOR = "META-INF/install-axis.xml"; + static final String AXIS_DEPLOY_DIR = "_axis_"; + static final String WEB_DEPLOYMENT_DESCRIPTOR = "/WEB-INF/web.xml"; + static final String JBOSS_WEB_DEPLOYMENT_DESCRIPTOR = "/WEB-INF/jboss-web.xml"; + static final String DEFAULT_ROOT_CONTEXT = "axis"; + static final String WSR_FILE_EXTENSION = ".wsr"; + static final String XML_FILE_EXTENSION = ".xml"; + static final String AXIS_ENGINE_ATTRIBUTE = "AxisEngine"; + static final String GET_AXIS_SERVER_METHOD_NAME = "getAxisServer"; + static final String AXIS_CONFIGURATION_FILE = "axis-config.xml"; + static final String WEB_SERVICE_DESCRIPTOR = "META-INF/web-service.xml"; + + /** constants referring to options in the axis messagecontext or handler options */ + static final String ALLOWED_ROLES_OPTION = "allowedRoles"; + static final String DENIED_ROLES_OPTION = "deniedRoles"; + static final String SECURITY_DOMAIN_OPTION = "securityDomain"; + + /** message id constants are english raw messages at the same time */ + static final String AXIS_DEPLOYMENT_DESCRIPTOR_NOT_FOUND = + "The axis deployment descriptor is lacking in the service archive!"; + static final String ABOUT_TO_DEPLOY_0_UNDER_CONTEXT_1 
= + "About to deploy axis web application from {0} under context {1}."; + static final String AXIS_ALREADY_STARTED = "Axis has already been started."; + static final String ABOUT_TO_UNDEPLOY_0 = + "About to undeploy axis web application from {0}."; + static final String COULD_NOT_STOP_AXIS = "Could not correctly stop Axis."; + static final String AXIS_ALREADY_STOPPED = "Axis has already been stopped."; + static final String SET_WAR_DEPLOYER_0 = "Seting WarDeployerName to {0}."; + static final String SET_ROOT_CONTEXT_0 = "Seting RootContext to {0}."; + static final String SET_SECURITY_DOMAIN_TO_0 = + "Setting Security Domain to {0}."; + static final String ABOUT_TO_CREATE_AXIS_0 = + "About to deploy axis descriptor {0}, create step."; + static final String ABOUT_TO_START_AXIS_0 = + "About to deploy axis descriptor {0}, start step."; + static final String ABOUT_TO_STOP_AXIS_0 = + "About to undeploy axis descriptor {0}, stop step."; + static final String ABOUT_TO_DESTROY_AXIS_0 = + "About to undeploy axis descriptor {0}, destroy step."; + static final String COULD_NOT_DEPLOY_DESCRIPTOR = + "Could not deploy axis descriptor."; + static final String COULD_NOT_FIND_AXIS_CONFIGURATION_0 = + "Could not find the axis configuration file {0}."; + static final String NO_VALID_WEB_SERVICE_DESCRIPTOR = + "Could not find a valid web service descriptor."; + static final String COULD_NOT_DEPLOY = "Could not deploy url."; + static final String COULD_NOT_UNDEPLOY = "Could not undeploy url."; + static final String COULD_NOT_COPY_URL = "Could not download url."; + static final String CANNOT_CHANGE_ROOT_CONTEXT = + "Cannot change root context while service is running. 
Stop first."; + static final String AXIS_SERVER_CONTEXT_OCCUPIED = + "There is already an Axis service running under that root context."; + static final String EJB_REF_MUST_HAVE_UNIQUE_NAME = + "An ejb-ref element must have a unique ejb-ref-name element."; + static final String EJB_REF_MUST_HAVE_UNIQUE_LINK = + "An ejb-ref element must have a unique ejb-link element."; + static final String CANNOT_FIND_WEB_DEPLOYER = + "Could not find a suitable web container."; -} +} \ No newline at end of file 1.1 contrib/jboss.net/src/main/org/jboss/net/axis/server/JBossAuthenticationHandler.java Index: JBossAuthenticationHandler.java =================================================================== /* * JBoss, the OpenSource J2EE webOS * * Distributable under LGPL license. * See terms of license at gnu.org. */ // $Id: JBossAuthenticationHandler.java,v 1.1 2002/03/15 10:04:24 cgjung Exp $ package org.jboss.net.axis.server; import org.apache.axis.AxisFault; import org.apache.axis.handlers.BasicHandler; import org.apache.axis.MessageContext; import org.jboss.security.SimplePrincipal; import org.jboss.security.NobodyPrincipal; import org.jboss.security.SecurityAssociation; import org.jboss.security.SubjectSecurityManager; import javax.naming.InitialContext; import javax.naming.NamingException; import java.security.Principal; import javax.security.auth.Subject; /** * AuthenticationHandler that interacts with a given JBoss autentication * manager via default simple principals and passchars from the HTTP Basic Authentication. * Derived from org.apache.axis.handlers.SimpleAuthenticationHandler. * Note that this is somehow redundant to the WebContainer security, but we want * to be able to install different such handlers for different * web servcies behind a single entry-point. * <br> * <h3>Change History</h3> * <ul> * <li> jung, 15.03.2002: Added security domain option. </li> * </ul> * <br> * <h3>To Do</h3> * <ul> * <li> jung, 14.03.2002: Cache simple principals. 
Principal factory for * interacting with various security domains. * </ul> * @author <a href="mailto:[EMAIL PROTECTED]">Christoph G. Jung</a> * @created 14.03.2002 * @version $Revision: 1.1 $ */ public class JBossAuthenticationHandler extends BasicHandler { // // Attributes // /** whether this handler has been initialized already */ protected boolean isInitialised; /** * this is the authentication manager that is responsible for our security domain * if that is null, this authenticationhandler will block any call, rather deactivate * the handler, then, or run against a NullSecurityManager */ protected SubjectSecurityManager authMgr; // // Constructors // /** default, all options are set afterwards */ public JBossAuthenticationHandler() { } // // Protected helpers // /** * initialize this authenticationhandler lazy, after the options have been * set. */ protected void initialise() throws AxisFault { isInitialised = true; authMgr=null; String securityDomain = (String) getOption(Constants.SECURITY_DOMAIN_OPTION); if (securityDomain != null) { try { // bind against the jboss security subsystem authMgr = (SubjectSecurityManager) new InitialContext().lookup(securityDomain); } catch (NamingException e) { throw new AxisFault( "Could not lookup associated security domain " + securityDomain, e); } } } /** * creates a new principal belonging to the given username, * override to adapt to specific security domains. */ protected Principal getPrincipal(String userName) { if (userName == null) { return NobodyPrincipal.NOBODY_PRINCIPAL; } else { return new SimplePrincipal(userName); } } /** validates the given principal with the given password */ protected void validate(Principal userPrincipal, String passwd) throws AxisFault { // build passchars char[] passChars = passwd != null ? passwd.toCharArray() : null; // have to use pointer comparison here, but itīs a singleton, right? 
if (userPrincipal != NobodyPrincipal.NOBODY_PRINCIPAL && !authMgr.isValid(userPrincipal, passChars)) { throw new AxisFault("Could not authenticate user " + userPrincipal.getName()); } } /** associates the call context with the given info */ protected Subject associate(Principal userPrincipal, String passwd) { // pointer comparison, again if (userPrincipal != NobodyPrincipal.NOBODY_PRINCIPAL) { SecurityAssociation.setPrincipal(userPrincipal); SecurityAssociation.setCredential(passwd.toCharArray()); } else { // Jboss security does not like nobody:null SecurityAssociation.setPrincipal(null); SecurityAssociation.setCredential(null); } return authMgr.getActiveSubject(); } // // API // /** * Authenticate the user and password from the msgContext. Note that * we do not disassociate the subject here, since that would have * to be done by a separate handler in the response chain and we * currently expect Jetty or the WebContainer to do that for us */ public void invoke(MessageContext msgContext) throws AxisFault { // double check does not work on multiple processors, unfortunately if (!isInitialised) { synchronized (this) { if (!isInitialised) { initialise(); } } } if (authMgr == null) { throw new AxisFault("No security domain associated."); } // we take the id out of the String userID = msgContext.getUsername(); // convert into a principal Principal userPrincipal = getPrincipal(userID); // the password that has been provided String passwd = msgContext.getPassword(); // validate the user validate(userPrincipal, passwd); // associate the context Subject subject = associate(userPrincipal, passwd); // with the security subject msgContext.setProperty(MessageContext.AUTHUSER, subject); } } 1.1 contrib/jboss.net/src/main/org/jboss/net/axis/server/JBossAuthorizationHandler.java Index: JBossAuthorizationHandler.java =================================================================== /* * JBoss, the OpenSource J2EE webOS * * Distributable under LGPL license. 
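Review bot: `associate` dereferences `passwd` unconditionally in `SecurityAssociation.setCredential(passwd.toCharArray())`, while `validate` just before it explicitly allows a null password (`passChars = passwd != null ? passwd.toCharArray() : null`); a login module that accepts a null credential for a named user therefore passes `validate` and then dies with a NullPointerException instead of an AxisFault. Mirror the guard: `SecurityAssociation.setCredential(passwd != null ? passwd.toCharArray() : null);`. The lazy-init check in `invoke` is double-checked locking on the non-volatile `isInitialised` (the comment already admits it is unreliable); because `initialise` sets the flag before `authMgr` is assigned, a racing caller can observe the flag set with `authMgr == null` and is rejected with "No security domain associated.", which fails closed but is surprising enough to deserve a comment such as `// flag is set before the JNDI lookup: a concurrent caller fails closed until authMgr is bound`. Note also that the `userName == null` path maps to `NOBODY_PRINCIPAL`, skips `validate`, and still stores `authMgr.getActiveSubject()` under `MessageContext.AUTHUSER`; what that subject contains after `setPrincipal(null)` is not visible here, so a comment stating the intended outcome for anonymous calls would help the authorization handler's author, who treats only a null `AUTHUSER` as nobody.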
* See terms of license at gnu.org. */ // $Id: JBossAuthorizationHandler.java,v 1.1 2002/03/15 10:04:24 cgjung Exp $ package org.jboss.net.axis.server; import org.apache.axis.AxisFault; import org.apache.axis.handlers.BasicHandler; import org.apache.axis.MessageContext; import org.jboss.security.SimplePrincipal; import org.jboss.security.AnybodyPrincipal; import org.jboss.security.NobodyPrincipal; import org.jboss.security.RealmMapping; import javax.naming.InitialContext; import javax.naming.NamingException; import java.security.Principal; import javax.security.auth.Subject; import java.util.StringTokenizer; import java.util.Set; import java.util.Iterator; import java.util.Collection; import java.util.Collections; /** * AuthorizationHandler that checks allowed and denied roles against the active * subject using a given realmMapping. Is somehow redundant to what, e.g., the JBoss EJB invocation handler * does, but maybe we need this to shield access to other container resources * such as MBeans for which we will expose security-agnostic providers. * <br> * <h3>Change History</h3> * <ul> * <li> jung, 15.03.2002: Added security domain option. </li> * </ul> * <br> * <h3>To Do</h3> * <ul> * <li> jung, 14.03.2002: Cache simple principals. Principal factory for * interacting with various security domains. * </ul> * @author <a href="mailto:[EMAIL PROTECTED]">Christoph G. 
Jung</a> * @created 14.03.2002 * @version $Revision: 1.1 $ */ public class JBossAuthorizationHandler extends BasicHandler { // // Attributes // /** the security domain against which we call */ protected RealmMapping realmMapping; /** the roles that we want to let through */ final protected Set rolesAllowed = new java.util.HashSet(); /** the roles that we want to deny access */ final protected Set rolesDenied = new java.util.HashSet(); /** whether this handler has been initialized */ protected boolean isInitialised; // // Constructors // public JBossAuthorizationHandler() { } // // Protected helpers // /** initializes the roles checked by this handler */ protected void initialise() throws AxisFault { // bind against the jboss security subsystem isInitialised = true; realmMapping = null; String securityDomain = (String) getOption(Constants.SECURITY_DOMAIN_OPTION); if (securityDomain != null) { try { realmMapping = (RealmMapping) new InitialContext().lookup(securityDomain); } catch (NamingException e) { throw new AxisFault("Could not lookup security domain " + securityDomain, e); } } // parse role options String allowedRoles = (String) getOption(Constants.ALLOWED_ROLES_OPTION); // default:let all through if (allowedRoles == null) { allowedRoles = "*"; } StringTokenizer tokenizer = new StringTokenizer(allowedRoles, ","); while (tokenizer.hasMoreTokens()) { rolesAllowed.add(getPrincipal(tokenizer.nextToken())); } String deniedRoles = (String) getOption(Constants.DENIED_ROLES_OPTION); if (deniedRoles != null) { tokenizer = new StringTokenizer(deniedRoles, ","); while (tokenizer.hasMoreTokens()) { rolesDenied.add(getPrincipal(tokenizer.nextToken())); } } } /** * creates a new principal belonging to the given username, * override to adapt to specific security domains. 
*/ protected Principal getPrincipal(String userName) { if (userName.equals("*")) { return AnybodyPrincipal.ANYBODY_PRINCIPAL; } else { return new SimplePrincipal(userName); } } /** returns a collection of principals that the context subject * is associated with */ protected Collection getAssociatedPrincipals(MessageContext msgContext) { // get the active subject Subject activeSubject = (Subject) msgContext.getProperty(MessageContext.AUTHUSER); if (activeSubject == null) { return Collections.singleton(NobodyPrincipal.NOBODY_PRINCIPAL); } else { return activeSubject.getPrincipals(); } } /** return whether the given Principal has the given roles */ protected boolean doesUserHaveRole(Principal principal, Set roles) { return realmMapping.doesUserHaveRole(principal, roles); } // // API // /** * Authenticate the user and password from the msgContext. Note that * we do not disassociate the subject here, since that would have * to be done by a separate handler in the response chain and we * currently expect Jetty or the WebContainer to do that for us */ public void invoke(MessageContext msgContext) throws AxisFault { // initialize the handler if (!isInitialised) { synchronized (this) { if (!isInitialised) { initialise(); } } } // check association if (realmMapping == null) { throw new AxisFault("No security domain associated."); } Iterator allPrincipals = getAssociatedPrincipals(msgContext).iterator(); boolean accessAllowed = false; while (allPrincipals.hasNext()) { Principal nextPrincipal = (Principal) allPrincipals.next(); // a single denied is enough to exclude the access if (doesUserHaveRole(nextPrincipal, rolesDenied)) { accessAllowed = false; break; // allowed } else if (!accessAllowed && doesUserHaveRole(nextPrincipal, rolesAllowed)) { accessAllowed = true; } } if (!accessAllowed) { throw new AxisFault("Access denied."); } } }
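Review bot: The role tokens in `initialise` come out of `StringTokenizer` untrimmed, so an option such as `deniedRoles="guest, blocked"` creates the principal `" blocked"`, which cannot match the realm's role `blocked` and silently fails to deny it (the same slip on `allowedRoles` only fails closed). Trim in both loops: `rolesAllowed.add(getPrincipal(tokenizer.nextToken().trim()));` and `rolesDenied.add(getPrincipal(tokenizer.nextToken().trim()));`. The wildcard default relies on `realmMapping.doesUserHaveRole` treating `AnybodyPrincipal.ANYBODY_PRINCIPAL` as matching any role, which is not shown here; the `"*"` handling in `getPrincipal` should say so, e.g. `// "*" maps to ANYBODY_PRINCIPAL; assumes the RealmMapping honours it as a wildcard role`. The javadoc on `invoke` is copied from the authentication handler ("Authenticate the user and password from the msgContext...") and should instead read something like `/** Checks every principal of the authenticated subject (NOBODY when none) against the denied and allowed role sets; one denied role rejects the call. */`, and the `break; // allowed` comment on the denied branch states the opposite of what the branch does — `// denied, no need to look further` matches the code.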