Posted to scm@geronimo.apache.org by dj...@apache.org on 2006/06/10 02:08:43 UTC
svn commit: r413195 - in
/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty:
JettyEJBWebServiceContext.java JettyWebAppContext.java
JettyWebApplicationHandler.java
Author: djencks
Date: Fri Jun 9 17:08:43 2006
New Revision: 413195
URL: http://svn.apache.org/viewvc?rev=413195&view=rev
Log:
GERONIMO-2100 Be sure defaultSubject is set properly for ejb web services and prevent subject from leaking back into the calling environment
Added:
geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebApplicationHandler.java (with props)
Modified:
geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyEJBWebServiceContext.java
geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java
Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyEJBWebServiceContext.java
URL: http://svn.apache.org/viewvc/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyEJBWebServiceContext.java?rev=413195&r1=413194&r2=413195&view=diff
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyEJBWebServiceContext.java (original)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyEJBWebServiceContext.java Fri Jun 9 17:08:43 2006
@@ -16,9 +16,6 @@
*/
package org.apache.geronimo.jetty;
-import org.apache.geronimo.webservices.WebServiceContainer;
-import org.mortbay.http.*;
-
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
@@ -27,6 +24,20 @@
import java.util.HashMap;
import java.util.Map;
+import javax.security.auth.Subject;
+
+import org.apache.geronimo.security.ContextManager;
+import org.apache.geronimo.webservices.WebServiceContainer;
+import org.mortbay.http.Authenticator;
+import org.mortbay.http.BasicAuthenticator;
+import org.mortbay.http.ClientCertAuthenticator;
+import org.mortbay.http.DigestAuthenticator;
+import org.mortbay.http.HttpContext;
+import org.mortbay.http.HttpException;
+import org.mortbay.http.HttpHandler;
+import org.mortbay.http.HttpRequest;
+import org.mortbay.http.HttpResponse;
+
/**
* Delegates requests to a WebServiceContainer which is presumably for an EJB WebService.
* <p/>
@@ -142,12 +153,19 @@
Thread currentThread = Thread.currentThread();
ClassLoader oldClassLoader = currentThread.getContextClassLoader();
currentThread.setContextClassLoader(classLoader);
+ //hard to imagine this could be anything but null, but....
+ Subject oldSubject = ContextManager.getCurrentCaller();
try {
if (authenticator != null) {
String pathInContext = org.mortbay.util.URI.canonicalPath(req.getPath());
if (authenticator.authenticate(realm, pathInContext, req, res) == null) {
throw new HttpException(403);
}
+ } else {
+ //EJB will figure out correct defaultSubject shortly
+ //TODO consider replacing the GenericEJBContainer.DefaultSubjectInterceptor with this line
+ //setting the defaultSubject.
+ ContextManager.setCurrentCaller(null);
}
try {
webServiceContainer.invoke(request, response);
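Review bot: In the `authenticator != null` branch the current caller is never cleared before `authenticator.authenticate(...)`, so the EJB invocation depends on the authenticator installing the right Subject. If `oldSubject` is non-null (the case the new comment calls hard to imagine) and the authenticator leaves the caller untouched, `webServiceContainer.invoke` would run under the stale identity. What the authenticator does is not visible in this hunk, so either confirm it, or clear unconditionally with `ContextManager.setCurrentCaller(null);` before the `if`. A non-null `oldSubject` also points to a leak somewhere else, and a log line where it is read would make that detectable instead of silently restored. The enclosing method starts above the hunk.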
@@ -158,6 +176,7 @@
throw (HttpException) new HttpException(500, "Could not process message!").initCause(e);
}
} finally {
+ ContextManager.setCurrentCaller(oldSubject);
currentThread.setContextClassLoader(oldClassLoader);
}
}
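Review bot: In this `finally`, the context class loader is left un-restored if `ContextManager.setCurrentCaller(oldSubject)` throws. Whether it can throw (for example on a permission check) is not visible here. Swapping the two statements only moves the problem, so nest them: `try { ContextManager.setCurrentCaller(oldSubject); } finally { currentThread.setContextClassLoader(oldClassLoader); }`. The method's opening lines are outside this hunk.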
Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java
URL: http://svn.apache.org/viewvc/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java?rev=413195&r1=413194&r2=413195&view=diff
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java (original)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java Fri Jun 9 17:08:43 2006
@@ -237,7 +237,8 @@
setVirtualHosts(host.getVirtualHosts());
}
- handler = new WebApplicationHandler();
+ //use our wrapper to avoid leaking subject back to the caller
+ handler = new JettyWebApplicationHandler();
addHandler(handler);
userTransaction.setUp(transactionContextManager, trackedConnectionAssociator);
Added: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebApplicationHandler.java
URL: http://svn.apache.org/viewvc/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebApplicationHandler.java?rev=413195&view=auto
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebApplicationHandler.java (added)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebApplicationHandler.java Fri Jun 9 17:08:43 2006
@@ -0,0 +1,64 @@
+/**
+ *
+ * Copyright 2006 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.geronimo.jetty;
+
+import java.io.IOException;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.ServletException;
+import javax.servlet.UnavailableException;
+import javax.security.auth.Subject;
+
+import org.mortbay.jetty.servlet.WebApplicationHandler;
+import org.mortbay.jetty.servlet.ServletHolder;
+import org.apache.geronimo.security.ContextManager;
+
+/**
+ * @version $Rev:$ $Date:$
+ */
+public class JettyWebApplicationHandler extends WebApplicationHandler {
+
+ /**
+ * Wrap the dispatch call to prevent leaking Subject back into the environemnt.
+ *
+ * @param pathInContext
+ * @param request
+ * @param response
+ * @param servletHolder
+ * @param type
+ * @throws ServletException
+ * @throws UnavailableException
+ * @throws IOException
+ */
+ protected void dispatch(String pathInContext,
+ HttpServletRequest request,
+ HttpServletResponse response,
+ ServletHolder servletHolder,
+ int type)
+ throws ServletException, UnavailableException, IOException
+ {
+ Subject currentCaller = ContextManager.getCurrentCaller();
+ try {
+ super.dispatch(pathInContext, request, response, servletHolder, type);
+ } finally {
+ ContextManager.setCurrentCaller(currentCaller);
+ }
+
+ }
+}
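Review bot: The Javadoc on `dispatch` does not say why the Subject must not leak, the five `@param` tags are empty, and "environemnt" is misspelled. I would replace the summary with something like `Saves ContextManager's current caller before delegating to super.dispatch and restores it in a finally block, so a Subject set while the request is dispatched does not remain as the current caller after dispatch returns.` and either fill in or drop the empty tags. Only the current caller is saved and restored; if dispatch can change other per-thread security state, that is not covered here and should be confirmed against `ContextManager`.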
Propchange: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebApplicationHandler.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebApplicationHandler.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebApplicationHandler.java
------------------------------------------------------------------------------
svn:mime-type = text/plain