Posted to scm@geronimo.apache.org by dj...@apache.org on 2005/04/15 07:35:29 UTC

svn commit: r161394 [1/2] - in geronimo/trunk/modules: axis-builder/ j2ee-builder/ j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/ j2ee-builder/src/schema/ j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/ jetty-builder/src/java/org/apache/geronimo/jetty/deployment/ jetty-builder/src/schema/ jetty/src/java/org/apache/geronimo/jetty/ jetty/src/java/org/apache/geronimo/jetty/interceptor/ jetty/src/test/org/apache/geronimo/jetty/ security-builder/src/java/org/apache/geronimo/security/deployment/ security/src/java/org/apache/geronimo/security/ security/src/java/org/apache/geronimo/security/deploy/ security/src/java/org/apache/geronimo/security/jacc/

Author: djencks
Date: Thu Apr 14 22:35:25 2005
New Revision: 161394

URL: http://svn.apache.org/viewcvs?view=rev&rev=161394
Log:
GERONIMO-632  Application-wide JACC GBean

Added:
    geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityConfiguration.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/ApplicationPolicyConfigurationManager.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/ComponentPermissions.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/RoleDesignateSource.java
Modified:
    geronimo/trunk/modules/axis-builder/maven.xml
    geronimo/trunk/modules/j2ee-builder/project.xml
    geronimo/trunk/modules/j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/EARConfigBuilder.java
    geronimo/trunk/modules/j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/EARContext.java
    geronimo/trunk/modules/j2ee-builder/src/schema/geronimo-application.xsd
    geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java
    geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java
    geronimo/trunk/modules/jetty-builder/src/schema/geronimo-jetty.xsd
    geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java
    geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
    geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java
    geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java
    geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/ContextManager.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/RoleMappingConfiguration.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/RoleMappingConfigurationImpl.java

Modified: geronimo/trunk/modules/axis-builder/maven.xml
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/axis-builder/maven.xml?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/axis-builder/maven.xml (original)
+++ geronimo/trunk/modules/axis-builder/maven.xml Thu Apr 14 22:35:25 2005
@@ -6,16 +6,16 @@
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at
-  
+
        http://www.apache.org/licenses/LICENSE-2.0
-  
+
     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.
 -->
-  
+
 
 <!-- $Rev: 46019 $ $Date: 2004-09-14 02:56:06 -0700 (Tue, 14 Sep 2004) $ -->
 
@@ -23,10 +23,16 @@
     xmlns:j="jelly:core"
     xmlns:ant="jelly:ant"
     xmlns:maven="jelly:maven"
+    xmlns:xmlbeans="geronimo:xmlbeans"
     >
 
- <!--   <preGoal  name="java:compile">
-        <attainGoal name="axis:axis"/>
-    </preGoal>
--->
+<!--    <preGoal name="java:compile">-->
+<!--        <xmlbeans:schema2java-->
+<!--            sourcedir="${basedir}/src"-->
+<!--            sourceschema="schema/XMLSchema.xsd"-->
+<!--            xmlconfigs="${basedir}/src/schema/xmlconfig.xml"-->
+<!--            targetdir="${basedir}/target/xmlbeans"-->
+<!--            cataloglocation="${basedir}/../j2ee-schema/src/catalog/resolver-catalog.xml"/>-->
+<!--    </preGoal>-->
+
 </project>

Modified: geronimo/trunk/modules/j2ee-builder/project.xml
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/j2ee-builder/project.xml?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/j2ee-builder/project.xml (original)
+++ geronimo/trunk/modules/j2ee-builder/project.xml Thu Apr 14 22:35:25 2005
@@ -6,16 +6,16 @@
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at
-  
+
        http://www.apache.org/licenses/LICENSE-2.0
-  
+
     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     See the License for the specific language governing permissions and
     limitations under the License.
 -->
-  
+
 <!-- $Rev$ $Date$ -->
 
 <project>
@@ -64,6 +64,19 @@
             <groupId>geronimo</groupId>
             <artifactId>geronimo-deployment</artifactId>
             <version>${pom.currentVersion}</version>
+        </dependency>
+        <dependency>
+            <groupId>geronimo</groupId>
+            <artifactId>geronimo-security</artifactId>
+            <version>${pom.currentVersion}</version>
+        </dependency>
+        <dependency>
+            <groupId>geronimo</groupId>
+            <artifactId>geronimo-security-builder</artifactId>
+            <version>${pom.currentVersion}</version>
+            <properties>
+                <xmlbeans>true</xmlbeans>
+            </properties>
         </dependency>
         <dependency>
             <groupId>geronimo</groupId>

Modified: geronimo/trunk/modules/j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/EARConfigBuilder.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/EARConfigBuilder.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/EARConfigBuilder.java (original)
+++ geronimo/trunk/modules/j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/EARConfigBuilder.java Thu Apr 14 22:35:25 2005
@@ -54,6 +54,8 @@
 import org.apache.geronimo.kernel.config.ConfigurationModuleType;
 import org.apache.geronimo.kernel.repository.Repository;
 import org.apache.geronimo.schema.SchemaConversionUtils;
+import org.apache.geronimo.security.deployment.SecurityBuilder;
+import org.apache.geronimo.security.deployment.SecurityConfiguration;
 import org.apache.geronimo.xbeans.geronimo.j2ee.GerApplicationDocument;
 import org.apache.geronimo.xbeans.geronimo.j2ee.GerApplicationType;
 import org.apache.geronimo.xbeans.geronimo.j2ee.GerModuleType;
@@ -110,7 +112,7 @@
             return null;
         }
 
-        Object plan = getEarPlan(planFile, jarFile);
+        ApplicationInfo plan = getEarPlan(planFile, jarFile);
         if (plan != null) {
             return plan;
         }
@@ -144,7 +146,7 @@
                 null);
     }
 
-    private Object getEarPlan(File planFile, JarFile earFile) throws DeploymentException {
+    private ApplicationInfo getEarPlan(File planFile, JarFile earFile) throws DeploymentException {
         String specDD;
         ApplicationType application;
         try {
@@ -224,16 +226,16 @@
             }
 
             if (e instanceof DeploymentException) {
-                throw (DeploymentException)e;
+                throw (DeploymentException) e;
             } else if (e instanceof RuntimeException) {
-                throw (RuntimeException)e;
+                throw (RuntimeException) e;
             } else if (e instanceof Error) {
-                throw (Error)e;
+                throw (Error) e;
             }
             throw new DeploymentException(e);
         }
 
-        String applicationName = gerApplication.isSetApplicationName()? gerApplication.getApplicationName(): configId.toString();
+        String applicationName = gerApplication.isSetApplicationName() ? gerApplication.getApplicationName() : configId.toString();
 
         return new ApplicationInfo(ConfigurationModuleType.EAR,
                 configId,
@@ -348,6 +350,29 @@
                 earContext.addGBean(gbeanData);
             }
 
+
+            //TODO this might need to be constructed only if there is security...
+            ObjectName jaccBeanName = null;
+            String moduleName;
+            if (ConfigurationModuleType.EAR == applicationType) {
+                moduleName = NameFactory.NULL;
+            } else {
+                Module module = (Module) modules.iterator().next();
+                moduleName = module.getName();
+            }
+            try {
+                jaccBeanName = NameFactory.getComponentName(null, null, null, moduleName, NameFactory.JACC_MANAGER, NameFactory.JACC_MANAGER, earContext.getJ2eeContext());
+            } catch (MalformedObjectNameException e) {
+                throw new DeploymentException("Could not construct name for JACCBean", e);
+            }
+            earContext.setJaccManagerName(jaccBeanName);
+
+            //look for application plan security config
+            if (geronimoApplication != null && geronimoApplication.isSetSecurity()) {
+                SecurityConfiguration securityConfiguration = SecurityBuilder.buildSecurityConfiguration(geronimoApplication.getSecurity());
+                earContext.setSecurityConfiguration(securityConfiguration);
+            }
+
             // each module can now add it's GBeans
             for (Iterator iterator = modules.iterator(); iterator.hasNext();) {
                 Module module = (Module) iterator.next();
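Review bot: The non-EAR branch calls `modules.iterator().next()` without checking that `modules` holds anything, so an empty module set surfaces as a NoSuchElementException instead of a DeploymentException with context. If a standalone deployment can only ever reach here with exactly one module this is harmless, but nothing in the hunk states that invariant. A guard such as `if (modules.isEmpty()) { throw new DeploymentException("No module found for standalone deployment of " + configId); }` before the `iterator().next()` call, or a comment recording that standalone deployments always carry exactly one module, would make the assumption explicit. The enclosing method starts and ends outside this hunk.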
@@ -359,6 +384,11 @@
                 }
             }
 
+            //add the JACC gbean if there is a principal-role mapping
+            if (earContext.getSecurityConfiguration() != null) {
+                GBeanData jaccBeanData = SecurityBuilder.configureApplicationPolicyManager(jaccBeanName, earContext.getContextIDToPermissionsMap(), earContext.getSecurityConfiguration());
+                earContext.addGBean(jaccBeanData);
+            }
             earContext.close();
             return moduleIDs;
         } finally {
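Review bot: The JACC manager GBean is only added when `getSecurityConfiguration()` is non-null, yet modules have by this point already registered their policy contexts through `addSecurityContext` and (in JettyModuleBuilder) wired a `RoleDesignateSource` reference to `jaccBeanName`; with no `<security>` element in either plan the reference dangles and no PolicyConfiguration is ever committed for the registered context IDs. That combination should fail deployment rather than start a module whose JACC checks run against a policy context nobody configured, e.g. `if (earContext.getSecurityConfiguration() == null && !earContext.getContextIDToPermissionsMap().isEmpty()) { throw new DeploymentException("Module registered a security context but no <security> configuration was supplied in the application or module plan"); }` placed before the existing `if`. The comment `//add the JACC gbean if there is a principal-role mapping` also overstates the check, which is on the presence of a whole security configuration; `//add the JACC gbean when a <security> configuration was supplied` matches the code. The enclosing method starts outside this hunk.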
@@ -491,7 +521,7 @@
             for (Iterator iterator = altVendorDDs.values().iterator(); iterator.hasNext();) {
                 Object altVendorDD = iterator.next();
                 if (altVendorDD instanceof File) {
-                    ((File)altVendorDD).delete();
+                    ((File) altVendorDD).delete();
                 }
             }
         }

Modified: geronimo/trunk/modules/j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/EARContext.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/EARContext.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/EARContext.java (original)
+++ geronimo/trunk/modules/j2ee-builder/src/java/org/apache/geronimo/j2ee/deployment/EARContext.java Thu Apr 14 22:35:25 2005
@@ -18,22 +18,25 @@
 
 import java.io.File;
 import java.net.URI;
+import java.util.HashMap;
+import java.util.Map;
 import javax.management.MalformedObjectNameException;
 import javax.management.ObjectName;
 
-import org.apache.geronimo.deployment.DeploymentContext;
 import org.apache.geronimo.common.DeploymentException;
+import org.apache.geronimo.deployment.DeploymentContext;
 import org.apache.geronimo.j2ee.j2eeobjectnames.J2eeContext;
 import org.apache.geronimo.j2ee.j2eeobjectnames.J2eeContextImpl;
 import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
 import org.apache.geronimo.kernel.Kernel;
 import org.apache.geronimo.kernel.config.ConfigurationModuleType;
+import org.apache.geronimo.security.deployment.SecurityConfiguration;
 
 /**
  * @version $Rev$ $Date$
  */
 public class EARContext extends DeploymentContext {
-    private final ObjectName domainObjectName;                    
+    private final ObjectName domainObjectName;
     private final ObjectName serverObjectName;
     private final ObjectName applicationObjectName;
 
@@ -48,6 +51,10 @@
     private final RefContext refContext;
     private final J2eeContext j2eeContext;
 
+    private final Map contextIDToPermissionsMap = new HashMap();
+    private ObjectName jaccManagerName;
+    private SecurityConfiguration securityConfiguration;
+
     public EARContext(File baseDir, URI id, ConfigurationModuleType moduleType, URI parentID, Kernel kernel, String j2eeApplicationName, ObjectName transactionContextManagerObjectName, ObjectName connectionTrackerObjectName, ObjectName transactedTimerName, ObjectName nonTransactedTimerName, ObjectName corbaGBeanObjectName, RefContext refContext) throws MalformedObjectNameException, DeploymentException {
         super(baseDir, id, moduleType, parentID, kernel);
         j2eeContext = new J2eeContextImpl(getDomain(), getServer(), j2eeApplicationName == null ? NameFactory.NULL : j2eeApplicationName, NameFactory.J2EE_MODULE, NameFactory.NULL, null, null);
@@ -118,5 +125,35 @@
 
     public J2eeContext getJ2eeContext() {
         return j2eeContext;
+    }
+
+    public Map getContextIDToPermissionsMap() {
+        return contextIDToPermissionsMap;
+    }
+
+    public void addSecurityContext(String contextID, Object componentPermissions) throws DeploymentException {
+        Object old = contextIDToPermissionsMap.put(contextID, componentPermissions);
+        if (old != null) {
+            throw new DeploymentException("Duplicate contextID registered! " + contextID);
+        }
+    }
+
+    public void setJaccManagerName(ObjectName jaccManagerName) {
+        this.jaccManagerName = jaccManagerName;
+    }
+
+    public ObjectName getJaccManagerName() {
+        return jaccManagerName;
+    }
+
+    public void setSecurityConfiguration(SecurityConfiguration securityConfiguration) throws DeploymentException {
+        if (this.securityConfiguration != null) {
+            throw new DeploymentException("Only one security configuration allowed per application");
+        }
+        this.securityConfiguration = securityConfiguration;
+    }
+
+    public SecurityConfiguration getSecurityConfiguration() {
+        return securityConfiguration;
     }
 }
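Review bot: `addSecurityContext` writes the new value into `contextIDToPermissionsMap` before it detects the duplicate, so after the DeploymentException the map holds the second registration rather than the first; checking first keeps the context intact: `if (contextIDToPermissionsMap.containsKey(contextID)) { throw new DeploymentException("Duplicate contextID registered! " + contextID); } contextIDToPermissionsMap.put(contextID, componentPermissions);`. `getContextIDToPermissionsMap` hands out the live map, which lets callers bypass that uniqueness check; returning `Collections.unmodifiableMap(contextIDToPermissionsMap)` (requires importing `java.util.Collections`) would close that. A short Javadoc on `setSecurityConfiguration` stating that exactly one `<security>` element is accepted per application and that a second call fails would also help, since both the application plan and a module plan can legitimately carry one.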

Modified: geronimo/trunk/modules/j2ee-builder/src/schema/geronimo-application.xsd
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/j2ee-builder/src/schema/geronimo-application.xsd?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/j2ee-builder/src/schema/geronimo-application.xsd (original)
+++ geronimo/trunk/modules/j2ee-builder/src/schema/geronimo-application.xsd Thu Apr 14 22:35:25 2005
@@ -6,9 +6,9 @@
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at
-  
+
        http://www.apache.org/licenses/LICENSE-2.0
-  
+
     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -19,12 +19,14 @@
 <xs:schema
     xmlns:geronimo="http://geronimo.apache.org/xml/ns/j2ee/application"
     targetNamespace="http://geronimo.apache.org/xml/ns/j2ee/application"
+    xmlns:security="http://geronimo.apache.org/xml/ns/security"
     xmlns:sys="http://geronimo.apache.org/xml/ns/deployment"
     xmlns:xs="http://www.w3.org/2001/XMLSchema"
     elementFormDefault="qualified"
     attributeFormDefault="unqualified"
     version="1.0">
 
+    <xs:import namespace="http://geronimo.apache.org/xml/ns/security" schemaLocation="../../../security-builder/src/schema/geronimo-security.xsd"/>
     <xs:import namespace="http://geronimo.apache.org/xml/ns/deployment" schemaLocation="../../../service-builder/src/schema/geronimo-config.xsd"/>
 
     <xs:element name="application" type="geronimo:applicationType"/>
@@ -33,6 +35,7 @@
         <xs:sequence>
             <xs:element ref="sys:dependency" minOccurs="0" maxOccurs="unbounded"/>
             <xs:element name="module" type="geronimo:moduleType" minOccurs="0" maxOccurs="unbounded"/>
+            <xs:element ref="security:security" minOccurs="0"/>
             <xs:element ref="sys:gbean" minOccurs="0" maxOccurs="unbounded"/>
         </xs:sequence>
 

Modified: geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java (original)
+++ geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java Thu Apr 14 22:35:25 2005
@@ -79,6 +79,7 @@
     public static final String URL_PATTERN = "URLPattern";
     public static final String GERONIMO_SERVICE = "GBean"; //copied in GBeanInfoBuilder to avoid dependencies in the wrong direction.
     public static final String CORBA_SERVICE = "CORBABean";
+    public static final String JACC_MANAGER = "JACCManager";
 
     public static String JAXR_CONNECTION_FACTORY = "JAXRConnectionFactory";
 

Modified: geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java (original)
+++ geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java Thu Apr 14 22:35:25 2005
@@ -24,6 +24,7 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
+import java.security.Permission;
 import java.security.PermissionCollection;
 import java.security.Permissions;
 import java.util.ArrayList;
@@ -48,7 +49,6 @@
 
 import org.apache.geronimo.axis.builder.PortInfo;
 import org.apache.geronimo.axis.builder.WSDescriptorParser;
-import org.apache.geronimo.axis.builder.SchemaInfoBuilder;
 import org.apache.geronimo.common.DeploymentException;
 import org.apache.geronimo.deployment.service.ServiceConfigBuilder;
 import org.apache.geronimo.deployment.util.DeploymentUtil;
@@ -76,8 +76,10 @@
 import org.apache.geronimo.naming.deployment.ENCConfigBuilder;
 import org.apache.geronimo.naming.deployment.GBeanResourceEnvironmentBuilder;
 import org.apache.geronimo.schema.SchemaConversionUtils;
-import org.apache.geronimo.security.deploy.Security;
+import org.apache.geronimo.security.deploy.DefaultPrincipal;
 import org.apache.geronimo.security.deployment.SecurityBuilder;
+import org.apache.geronimo.security.deployment.SecurityConfiguration;
+import org.apache.geronimo.security.jacc.ComponentPermissions;
 import org.apache.geronimo.security.util.URLPattern;
 import org.apache.geronimo.transaction.context.OnlineUserTransaction;
 import org.apache.geronimo.xbeans.geronimo.jetty.JettyWebAppDocument;
@@ -384,20 +386,7 @@
 
             webModuleData.setAttribute("deploymentDescriptor", module.getOriginalSpecDD());
             Set securityRoles = collectRoleNames(webApp);
-            if (jettyWebApp.isSetSecurityRealmName()) {
-                String securityRealmName = jettyWebApp.getSecurityRealmName().trim();
-                Security security = SecurityBuilder.buildSecurityConfig(jettyWebApp.getSecurity(), securityRoles);
-                webModuleData.setAttribute("securityRealmName", securityRealmName);
-                webModuleData.setAttribute("securityConfig", security);
-
-                /**
-                 * TODO - go back to commented version when possible.
-                 */
-                String policyContextID = webModuleName.getCanonicalName().replaceAll("[, ]","_");
-                //String policyContextID = webModuleName.getCanonicalName();
-                webModuleData.setAttribute("policyContextID", policyContextID);
-                buildSpecSecurityConfig(webApp, webModuleData, securityRoles);
-            }
+            Map rolePermissions = new HashMap();
 
             webModuleData.setAttribute("uri", URI.create(module.getTargetPath() + "/"));
             webModuleData.setAttribute("componentContext", compContext);
@@ -707,7 +696,42 @@
 
             for (int i = 0; i < servletTypes.length; i++) {
                 ServletType servletType = servletTypes[i];
-                addServlet(webModuleName, webModule.getModuleFile(), servletType, servletMappings, securityRoles, portMap, webClassLoader, moduleJ2eeContext, earContext);
+                addServlet(webModuleName, webModule.getModuleFile(), servletType, servletMappings, securityRoles, rolePermissions, portMap, webClassLoader, moduleJ2eeContext, earContext);
+            }
+            if (jettyWebApp.isSetSecurityRealmName()) {
+                String securityRealmName = jettyWebApp.getSecurityRealmName().trim();
+                webModuleData.setAttribute("securityRealmName", securityRealmName);
+//                webModuleData.setAttribute("securityConfig", security);
+
+                /**
+                 * TODO - go back to commented version when possible.
+                 */
+                String policyContextID = webModuleName.getCanonicalName().replaceAll("[, ]", "_");
+                //String policyContextID = webModuleName.getCanonicalName();
+                webModuleData.setAttribute("policyContextID", policyContextID);
+//                webModuleData.setAttribute("securityRoles", securityRoles);
+
+                ComponentPermissions componentPermissions = buildSpecSecurityConfig(webApp, securityRoles, rolePermissions);
+                webModuleData.setAttribute("excludedPermissions", componentPermissions.getExcludedPermissions());
+                PermissionCollection checkedPermissions = new Permissions();
+                for (Iterator iterator = rolePermissions.values().iterator(); iterator.hasNext();) {
+                    PermissionCollection permissionsForRole = (PermissionCollection) iterator.next();
+                    for (Enumeration iterator2 = permissionsForRole.elements(); iterator2.hasMoreElements();) {
+                        Permission permission = (Permission) iterator2.nextElement();
+                        checkedPermissions.add(permission);
+                    }
+                }
+                webModuleData.setAttribute("checkedPermissions", checkedPermissions);
+
+                earContext.addSecurityContext(policyContextID, componentPermissions);
+                if (jettyWebApp.isSetSecurity()) {
+                    SecurityConfiguration securityConfiguration = SecurityBuilder.buildSecurityConfiguration(jettyWebApp.getSecurity());
+                    earContext.setSecurityConfiguration(securityConfiguration);
+                }
+                DefaultPrincipal defaultPrincipal = earContext.getSecurityConfiguration().getDefaultPrincipal();
+                webModuleData.setAttribute("defaultPrincipal", defaultPrincipal);
+
+                webModuleData.setReferencePattern("RoleDesignateSource", earContext.getJaccManagerName());
             }
         } catch (DeploymentException de) {
             throw de;
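Review bot: `earContext.getSecurityConfiguration().getDefaultPrincipal()` is called unconditionally inside the `isSetSecurityRealmName()` block, but the configuration is only set when the application plan or this module's plan carries a `<security>` element, which the accompanying geronimo-jetty.xsd change makes optional; a web app that names a security realm without either element now fails with a NullPointerException instead of a deployment error that says what is missing. The lines below replace the single `DefaultPrincipal` assignment with an explicit check. The commented-out `setAttribute` calls for `securityConfig` and `securityRoles` in this hunk, and the `webRoleRefPermissions` one in the addServlet hunk further down, should be deleted rather than kept as comments since the attributes no longer exist. The enclosing method starts and ends outside this hunk.
```java
                earContext.addSecurityContext(policyContextID, componentPermissions);
                // … unchanged: module-level <security> handling …
                SecurityConfiguration applicationSecurity = earContext.getSecurityConfiguration();
                if (applicationSecurity == null) {
                    throw new DeploymentException("Web module " + webModuleName
                            + " sets security-realm-name but neither the application plan nor the module plan supplies a <security> element");
                }
                DefaultPrincipal defaultPrincipal = applicationSecurity.getDefaultPrincipal();
                webModuleData.setAttribute("defaultPrincipal", defaultPrincipal);
```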
@@ -746,7 +770,7 @@
                             ServletType servletType,
                             Map servletMappings,
                             Set securityRoles,
-                            Map portMap,
+                            Map rolePermissions, Map portMap,
                             ClassLoader webClassLoader,
                             J2eeContext moduleJ2eeContext,
                             EARContext earContext) throws MalformedObjectNameException, DeploymentException {
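Review bot: The new `rolePermissions` parameter is squeezed onto the same line as `portMap` while every other parameter of `addServlet` has its own line, which hides it in the signature. Splitting it as `Map rolePermissions,` followed by `Map portMap,` on the next line keeps the one-parameter-per-line layout. The method body continues outside this hunk.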
@@ -813,7 +837,6 @@
 
         //WebRoleRefPermissions
         SecurityRoleRefType[] securityRoleRefTypeArray = servletType.getSecurityRoleRefArray();
-        Map webRoleRefPermissions = new HashMap();
         Set unmappedRoles = new HashSet(securityRoles);
         for (int j = 0; j < securityRoleRefTypeArray.length; j++) {
             SecurityRoleRefType securityRoleRefType = securityRoleRefTypeArray[j];
@@ -827,19 +850,19 @@
             * WebRoleRefPermission object resulting from the translation to the role
             * identified in the role-link appearing in the security-role-ref.
             */
-            webRoleRefPermissions.put(new WebRoleRefPermission(servletName, roleName), roleLink);
+            addPermissionToRole(roleLink, new WebRoleRefPermission(servletName, roleName), rolePermissions);
             unmappedRoles.remove(roleName);
         }
         for (Iterator iterator = unmappedRoles.iterator(); iterator.hasNext();) {
             String roleName = (String) iterator.next();
-            webRoleRefPermissions.put(new WebRoleRefPermission(servletName, roleName), roleName);
+            addPermissionToRole(roleName, new WebRoleRefPermission(servletName, roleName), rolePermissions);
         }
-        servletData.setAttribute("webRoleRefPermissions", webRoleRefPermissions);
+//        servletData.setAttribute("webRoleRefPermissions", webRoleRefPermissions);
 
         earContext.addGBean(servletData);
     }
 
-    private void buildSpecSecurityConfig(WebAppType webApp, GBeanData webModuleData, Set securityRoles) {
+    private ComponentPermissions buildSpecSecurityConfig(WebAppType webApp, Set securityRoles, Map rolePermissions) {
         Map uncheckedPatterns = new HashMap();
         Map uncheckedResourcePatterns = new HashMap();
         Map uncheckedUserPatterns = new HashMap();
@@ -848,8 +871,6 @@
         Set allSet = new HashSet();   // == allMap.values()
         Map allMap = new HashMap();   //uncheckedPatterns union excludedPatterns union rolesPatterns.
 
-        webModuleData.setAttribute("securityRoles", securityRoles);
-
         SecurityConstraintType[] securityConstraintArray = webApp.getSecurityConstraintArray();
         for (int i = 0; i < securityConstraintArray.length; i++) {
             SecurityConstraintType securityConstraintType = securityConstraintArray[i];
@@ -923,7 +944,6 @@
 
         PermissionCollection excludedPermissions = new Permissions();
         PermissionCollection uncheckedPermissions = new Permissions();
-        Map rolePermissions = new HashMap();
 
         Iterator iter = excludedPatterns.keySet().iterator();
         while (iter.hasNext()) {
@@ -942,15 +962,9 @@
             String actions = pattern.getMethods();
             WebResourcePermission permission = new WebResourcePermission(name, actions);
 
-            Iterator names = pattern.getRoles().iterator();
-            while (names.hasNext()) {
+            for (Iterator names = pattern.getRoles().iterator(); names.hasNext();) {
                 String roleName = (String) names.next();
-                Set permissionsForRole = (Set) rolePermissions.get(roleName);
-                if (permissionsForRole == null) {
-                    permissionsForRole = new HashSet();
-                    rolePermissions.put(roleName, permissionsForRole);
-                }
-                permissionsForRole.add(permission);
+                addPermissionToRole(roleName, permission, rolePermissions);
             }
         }
 
@@ -1016,29 +1030,38 @@
         //Create the uncheckedPermissions for WebResourcePermissions
         iter = uncheckedResourcePatterns.keySet().iterator();
         while (iter.hasNext()) {
-            UncheckedItem item = (UncheckedItem)iter.next();
-            String actions = (String)uncheckedResourcePatterns.get(item);
+            UncheckedItem item = (UncheckedItem) iter.next();
+            String actions = (String) uncheckedResourcePatterns.get(item);
 
             uncheckedPermissions.add(new WebResourcePermission(item.getName(), actions));
         }
         //Create the uncheckedPermissions for WebUserDataPermissions
         iter = uncheckedUserPatterns.keySet().iterator();
         while (iter.hasNext()) {
-            UncheckedItem item = (UncheckedItem)iter.next();
-            String actions = (String)uncheckedUserPatterns.get(item);
+            UncheckedItem item = (UncheckedItem) iter.next();
+            String actions = (String) uncheckedUserPatterns.get(item);
 
             uncheckedPermissions.add(new WebUserDataPermission(item.getName(), actions));
         }
 
-        webModuleData.setAttribute("excludedPermissions", excludedPermissions);
-        webModuleData.setAttribute("uncheckedPermissions", uncheckedPermissions);
-        webModuleData.setAttribute("rolePermissions", rolePermissions);
+        ComponentPermissions componentPermissions = new ComponentPermissions(excludedPermissions, uncheckedPermissions, rolePermissions);
+        return componentPermissions;
+
+    }
+
+    private void addPermissionToRole(String roleName, Permission permission, Map rolePermissions) {
+        PermissionCollection permissionsForRole = (PermissionCollection) rolePermissions.get(roleName);
+        if (permissionsForRole == null) {
+            permissionsForRole = new Permissions();
+            rolePermissions.put(roleName, permissionsForRole);
+        }
+        permissionsForRole.add(permission);
     }
 
-    private void addOrUpdatePattern(Map patternMap, String name, String actions){
+    private void addOrUpdatePattern(Map patternMap, String name, String actions) {
         UncheckedItem item = new UncheckedItem(name, actions);
-        String existingActions = (String)patternMap.get(item);
-        if (existingActions != null){
+        String existingActions = (String) patternMap.get(item);
+        if (existingActions != null) {
             patternMap.put(item, actions + "," + existingActions);
             return;
         }
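Review bot: The new `addPermissionToRole` helper has no comment, and its contract that `rolePermissions` is keyed by role name and lazily filled with `Permissions` collections is what the `checkedPermissions` aggregation in the caller depends on; a Javadoc such as `/** Adds {@code permission} to the {@link Permissions} collection kept under {@code roleName} in {@code rolePermissions}, creating the collection on first use. */` would record it. In `buildSpecSecurityConfig` the temporary and trailing blank line can go: `return new ComponentPermissions(excludedPermissions, uncheckedPermissions, rolePermissions);`. `buildSpecSecurityConfig` starts outside this hunk.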
@@ -1142,7 +1165,7 @@
         if (webApp.getLoginConfigArray().length > 1) throw new DeploymentException("Multiple <login-config> elements found");
     }
 
-    class UncheckedItem{
+    class UncheckedItem {
         final static int NA = 0x00;
         final static int INTEGRAL = 0x01;
         final static int CONFIDENTIAL = 0x02;
@@ -1150,21 +1173,21 @@
         private int transportType = NA;
         private String name;
 
-        public UncheckedItem(String name, String actions){
+        public UncheckedItem(String name, String actions) {
             setName(name);
             setTransportType(actions);
         }
 
-        public boolean equals(Object o){
-            UncheckedItem item = (UncheckedItem)o;
+        public boolean equals(Object o) {
+            UncheckedItem item = (UncheckedItem) o;
             return item.getKey().equals(this.getKey());
         }
 
-        public String getKey(){
+        public String getKey() {
             return (name + transportType);
         }
 
-        public int hashCode(){
+        public int hashCode() {
             return getKey().hashCode();
         }
 

Modified: geronimo/trunk/modules/jetty-builder/src/schema/geronimo-jetty.xsd
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty-builder/src/schema/geronimo-jetty.xsd?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/jetty-builder/src/schema/geronimo-jetty.xsd (original)
+++ geronimo/trunk/modules/jetty-builder/src/schema/geronimo-jetty.xsd Thu Apr 14 22:35:25 2005
@@ -6,9 +6,9 @@
     Licensed under the Apache License, Version 2.0 (the "License");
     you may not use this file except in compliance with the License.
     You may obtain a copy of the License at
-  
+
        http://www.apache.org/licenses/LICENSE-2.0
-  
+
     Unless required by applicable law or agreed to in writing, software
     distributed under the License is distributed on an "AS IS" BASIS,
     WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -43,7 +43,7 @@
 
             <xs:sequence minOccurs="0">
                 <xs:element name="security-realm-name" type="xs:string"/>
-                <xs:element ref="security:security"/>
+                <xs:element ref="security:security" minOccurs="0"/>
             </xs:sequence>
 
             <!--xs:group ref="naming:jndiEnvironmentRefsGroup"/-->
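Review bot: `security:security` is now optional while `security-realm-name` in the same sequence stays required, so a plan can name a realm without supplying a default principal or role mappings locally, and the schema gives no hint where those come from in that case. I infer from the commit log (application-wide JACC GBean, geronimo-application.xsd also changed) that they fall back to the enclosing application's configuration, but the builder code that does so is not on this page. An `xs:annotation` on the element would keep plan authors from guessing, e.g. `<xs:documentation>Optional: when omitted, the default principal and role mappings are taken from the enclosing application's security configuration.</xs:documentation>`.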

Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java (original)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java Thu Apr 14 22:35:25 2005
@@ -17,62 +17,61 @@
 
 package org.apache.geronimo.jetty;
 
+import java.io.IOException;
 import java.net.URI;
 import java.net.URL;
+import java.security.PermissionCollection;
 import java.util.Collection;
 import java.util.EventListener;
+import java.util.Hashtable;
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
-import java.util.Hashtable;
-import java.security.PermissionCollection;
-import java.io.IOException;
-
-import javax.naming.Context;
 import javax.management.MalformedObjectNameException;
 import javax.management.ObjectName;
+import javax.naming.Context;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.mortbay.http.Authenticator;
-import org.mortbay.http.HttpRequest;
-import org.mortbay.http.HttpResponse;
-import org.mortbay.http.HttpException;
-import org.mortbay.jetty.servlet.AbstractSessionManager;
-import org.mortbay.jetty.servlet.Dispatcher;
-import org.mortbay.jetty.servlet.FilterHolder;
-import org.mortbay.jetty.servlet.JSR154Filter;
-import org.mortbay.jetty.servlet.ServletHolder;
-import org.mortbay.jetty.servlet.WebApplicationContext;
-import org.mortbay.jetty.servlet.WebApplicationHandler;
-
 import org.apache.geronimo.gbean.GBeanInfo;
 import org.apache.geronimo.gbean.GBeanInfoBuilder;
 import org.apache.geronimo.gbean.GBeanLifecycle;
+import org.apache.geronimo.j2ee.j2eeobjectnames.J2eeContext;
+import org.apache.geronimo.j2ee.j2eeobjectnames.J2eeContextImpl;
+import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
+import org.apache.geronimo.j2ee.management.J2EEApplication;
+import org.apache.geronimo.j2ee.management.J2EEServer;
+import org.apache.geronimo.j2ee.management.impl.InvalidObjectNameException;
+import org.apache.geronimo.j2ee.management.impl.Util;
 import org.apache.geronimo.jetty.interceptor.BeforeAfter;
 import org.apache.geronimo.jetty.interceptor.ComponentContextBeforeAfter;
 import org.apache.geronimo.jetty.interceptor.InstanceContextBeforeAfter;
+import org.apache.geronimo.jetty.interceptor.RequestWrappingBeforeAfter;
+import org.apache.geronimo.jetty.interceptor.SecurityContextBeforeAfter;
 import org.apache.geronimo.jetty.interceptor.ThreadClassloaderBeforeAfter;
 import org.apache.geronimo.jetty.interceptor.TransactionContextBeforeAfter;
 import org.apache.geronimo.jetty.interceptor.WebApplicationContextBeforeAfter;
-import org.apache.geronimo.jetty.interceptor.RequestWrappingBeforeAfter;
-import org.apache.geronimo.jetty.interceptor.SecurityContextBeforeAfter;
-import org.apache.geronimo.transaction.context.OnlineUserTransaction;
-import org.apache.geronimo.transaction.TrackedConnectionAssociator;
-import org.apache.geronimo.transaction.context.TransactionContextManager;
-import org.apache.geronimo.security.deploy.Security;
 import org.apache.geronimo.kernel.Kernel;
 import org.apache.geronimo.kernel.jmx.JMXUtil;
-import org.apache.geronimo.naming.reference.KernelAwareReference;
-import org.apache.geronimo.naming.reference.ClassLoaderAwareReference;
 import org.apache.geronimo.naming.java.SimpleReadOnlyContext;
-import org.apache.geronimo.j2ee.management.J2EEServer;
-import org.apache.geronimo.j2ee.management.J2EEApplication;
-import org.apache.geronimo.j2ee.management.impl.Util;
-import org.apache.geronimo.j2ee.management.impl.InvalidObjectNameException;
-import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
-import org.apache.geronimo.j2ee.j2eeobjectnames.J2eeContext;
-import org.apache.geronimo.j2ee.j2eeobjectnames.J2eeContextImpl;
+import org.apache.geronimo.naming.reference.ClassLoaderAwareReference;
+import org.apache.geronimo.naming.reference.KernelAwareReference;
+import org.apache.geronimo.security.deploy.DefaultPrincipal;
+import org.apache.geronimo.security.jacc.RoleDesignateSource;
+import org.apache.geronimo.transaction.TrackedConnectionAssociator;
+import org.apache.geronimo.transaction.context.OnlineUserTransaction;
+import org.apache.geronimo.transaction.context.TransactionContextManager;
+import org.mortbay.http.Authenticator;
+import org.mortbay.http.HttpException;
+import org.mortbay.http.HttpRequest;
+import org.mortbay.http.HttpResponse;
+import org.mortbay.jetty.servlet.AbstractSessionManager;
+import org.mortbay.jetty.servlet.Dispatcher;
+import org.mortbay.jetty.servlet.FilterHolder;
+import org.mortbay.jetty.servlet.JSR154Filter;
+import org.mortbay.jetty.servlet.ServletHolder;
+import org.mortbay.jetty.servlet.WebApplicationContext;
+import org.mortbay.jetty.servlet.WebApplicationHandler;
 
 /**
  * Wrapper for a WebApplicationContext that sets up its J2EE environment.
@@ -149,16 +148,14 @@
 
                               String policyContextID,
                               String securityRealmName,
-                              Security securityConfig,
-                              //from jettyxmlconfig
-                              Set securityRoles,
-                              PermissionCollection uncheckedPermissions,
+                              DefaultPrincipal defaultPrincipal,
+                              PermissionCollection checkedPermissions,
                               PermissionCollection excludedPermissions,
-                              Map rolePermissions,
 
                               TransactionContextManager transactionContextManager,
                               TrackedConnectionAssociator trackedConnectionAssociator,
                               JettyContainer jettyContainer,
+                              RoleDesignateSource roleDesignateSource,
                               J2EEServer server,
                               J2EEApplication application,
                               Kernel kernel) throws Exception, IllegalAccessException, InstantiationException, ClassNotFoundException {
@@ -241,10 +238,14 @@
         interceptor = new WebApplicationContextBeforeAfter(interceptor, index++, this);
 //JACC
         if (securityRealmName != null) {
+            if (roleDesignateSource == null) {
+                throw new IllegalArgumentException("RoleDesignateSource must be supplied for a secure web app");
+            }
+            Map roleDesignates = roleDesignateSource.getRoleDesignateMap();
             //set the JAASJettyRealm as our realm.
             JAASJettyRealm realm = new JAASJettyRealm(realmName, securityRealmName);
             setRealm(realm);
-            this.securityInterceptor = new SecurityContextBeforeAfter(interceptor, index++, index++, policyContextID, securityConfig, authenticator, securityRoles, uncheckedPermissions, excludedPermissions, rolePermissions, realm);
+            this.securityInterceptor = new SecurityContextBeforeAfter(interceptor, index++, index++, policyContextID, defaultPrincipal, authenticator, checkedPermissions, excludedPermissions, roleDesignates, realm);
             interceptor = this.securityInterceptor;
         } else {
             securityInterceptor = null;
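Review bot: Only `roleDesignateSource` is validated before the security interceptor is built; `checkedPermissions` and `excludedPermissions` are handed to `SecurityContextBeforeAfter` unchecked, and in this commit that class stores them as-is instead of starting from an empty `Permissions` (its constructor hunk in SecurityContextBeforeAfter.java has the same gap). A secured web app deployed without those attributes would then presumably fail with a NullPointerException at request time rather than with a clear error here. Extend the guard: `if (checkedPermissions == null || excludedPermissions == null) { throw new IllegalArgumentException("checkedPermissions and excludedPermissions must be supplied for a secure web app"); }`. The constructor starts and ends outside the hunk.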
@@ -460,9 +461,9 @@
                 handler.mapPathToServlet(urlPattern, servletName);
             }
         }
-        if (securityInterceptor != null) {
-            securityInterceptor.registerServletHolder(webRoleRefPermissions);
-        }
+//        if (securityInterceptor != null) {
+//            securityInterceptor.registerServletHolder(webRoleRefPermissions);
+//        }
         Object context = enterContextScope(null, null);
         try {
             servletHolder.start();
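Review bot: The call to `securityInterceptor.registerServletHolder(webRoleRefPermissions)` is commented out rather than removed, and the method it called is deleted from `SecurityContextBeforeAfter` in this same commit, so web-role-ref permissions are no longer registered per servlet from here. If they are now contributed to the application-wide policy configuration at deployment, replace the dead block with a one-line comment saying so, e.g. `// web-role-ref permissions are registered through the application-wide JACC configuration, not per servlet`; if they are not, `isUserInRole` on a role link would presumably fail closed. The enclosing method starts and ends outside the hunk, so whether `webRoleRefPermissions` is still a parameter is not visible here.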
@@ -516,17 +517,16 @@
         infoBuilder.addReference("TransactionContextManager", TransactionContextManager.class, NameFactory.JTA_RESOURCE);
         infoBuilder.addReference("TrackedConnectionAssociator", TrackedConnectionAssociator.class, NameFactory.JCA_RESOURCE);
         infoBuilder.addReference("JettyContainer", JettyContainer.class, NameFactory.GERONIMO_SERVICE);
+        infoBuilder.addReference("RoleDesignateSource", RoleDesignateSource.class, NameFactory.JACC_MANAGER);
 
         infoBuilder.addInterface(JettyServletRegistration.class);
 
         infoBuilder.addAttribute("policyContextID", String.class, true);
         infoBuilder.addAttribute("securityRealmName", String.class, true);
-        infoBuilder.addAttribute("securityConfig", Security.class, true);
+        infoBuilder.addAttribute("defaultPrincipal", DefaultPrincipal.class, true);
 
-        infoBuilder.addAttribute("securityRoles", Set.class, true);
-        infoBuilder.addAttribute("uncheckedPermissions", PermissionCollection.class, true);
+        infoBuilder.addAttribute("checkedPermissions", PermissionCollection.class, true);
         infoBuilder.addAttribute("excludedPermissions", PermissionCollection.class, true);
-        infoBuilder.addAttribute("rolePermissions", Map.class, true);
 
         infoBuilder.addReference("J2EEServer", J2EEServer.class);
         infoBuilder.addReference("J2EEApplication", J2EEApplication.class);
@@ -566,16 +566,15 @@
 
             "policyContextID",
             "securityRealmName",
-            "securityConfig",
+            "defaultPrincipal",
 
-            "securityRoles",
-            "uncheckedPermissions",
+            "checkedPermissions",
             "excludedPermissions",
-            "rolePermissions",
 
             "TransactionContextManager",
             "TrackedConnectionAssociator",
             "JettyContainer",
+            "RoleDesignateSource",
 
             "J2EEServer",
             "J2EEApplication",

Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java (original)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java Thu Apr 14 22:35:25 2005
@@ -19,23 +19,14 @@
 import java.io.IOException;
 import java.security.AccessControlContext;
 import java.security.AccessControlException;
-import java.security.Permission;
 import java.security.PermissionCollection;
-import java.security.Permissions;
 import java.security.Principal;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
 import javax.security.auth.Subject;
-import javax.security.auth.x500.X500Principal;
-import javax.security.jacc.PolicyConfiguration;
-import javax.security.jacc.PolicyConfigurationFactory;
 import javax.security.jacc.PolicyContext;
 import javax.security.jacc.PolicyContextException;
 import javax.security.jacc.WebResourcePermission;
-import javax.security.jacc.WebRoleRefPermission;
 import javax.security.jacc.WebUserDataPermission;
 import javax.servlet.http.HttpServletRequest;
 
@@ -43,15 +34,8 @@
 import org.apache.geronimo.jetty.JAASJettyPrincipal;
 import org.apache.geronimo.security.ContextManager;
 import org.apache.geronimo.security.IdentificationPrincipal;
-import org.apache.geronimo.security.RealmPrincipal;
 import org.apache.geronimo.security.SubjectId;
 import org.apache.geronimo.security.deploy.DefaultPrincipal;
-import org.apache.geronimo.security.deploy.DistinguishedName;
-import org.apache.geronimo.security.deploy.Realm;
-import org.apache.geronimo.security.deploy.Role;
-import org.apache.geronimo.security.deploy.Security;
-import org.apache.geronimo.security.jacc.RoleMappingConfiguration;
-import org.apache.geronimo.security.jacc.RoleMappingConfigurationFactory;
 import org.apache.geronimo.security.util.ConfigurationUtil;
 import org.mortbay.http.Authenticator;
 import org.mortbay.http.HttpException;
@@ -73,14 +57,12 @@
     private final int webAppContextIndex;
     private final String policyContextID;
     private final static ThreadLocal currentWebAppContext = new ThreadLocal();
-    private final Map roleDesignates = new HashMap();
+    private final Map roleDesignates;
     private final JAASJettyPrincipal defaultPrincipal;
 
     private final String formLoginPath;
-    private final PolicyConfigurationFactory factory;
-    private final PolicyConfiguration policyConfiguration;
 
-    private final PermissionCollection checked = new Permissions();
+    private final PermissionCollection checked;
     private final PermissionCollection excludedPermissions;
     private final Authenticator authenticator;
 
@@ -90,19 +72,21 @@
                                       int policyContextIDIndex,
                                       int webAppContextIndex,
                                       String policyContextID,
-                                      Security securityConfig,
+                                      DefaultPrincipal defaultPrincipal,
                                       Authenticator authenticator,
-                                      Set securityRoles,
-                                      PermissionCollection uncheckedPermissions,
+                                      PermissionCollection checkedPermissions,
                                       PermissionCollection excludedPermissions,
-                                      Map rolePermissions,
-                                      UserRealm realm) throws PolicyContextException, ClassNotFoundException {
+                                      Map roleDesignates,
+                                      UserRealm realm) {
         this.next = next;
         this.policyContextIDIndex = policyContextIDIndex;
         this.webAppContextIndex = webAppContextIndex;
         this.policyContextID = policyContextID;
 
-        this.defaultPrincipal = generateDefaultPrincipal(securityConfig);
+        this.defaultPrincipal = generateDefaultPrincipal(defaultPrincipal);
+        this.roleDesignates = roleDesignates;
+        this.checked = checkedPermissions;
+        this.excludedPermissions = excludedPermissions;
 
         if (authenticator instanceof FormAuthenticator) {
             String formLoginPath = ((FormAuthenticator) authenticator).getLoginPage();
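Review bot: `this.roleDesignates = roleDesignates;` keeps the caller's map itself, so the `getRoleDesignate` lookups further down the file follow any later change made by the `RoleDesignateSource`; whether a live view or a snapshot is intended is not documented. If a snapshot is wanted, copy it (`this.roleDesignates = new HashMap(roleDesignates);`, which needs the `java.util.HashMap` import this commit removes); otherwise add a field comment such as `// live view owned by the RoleDesignateSource; role designates are registered and unregistered by that component, not here`. The same reference-only assignment now applies to `checked` and `excludedPermissions`, which were previously built locally. The constructor continues past the end of the hunk.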
@@ -118,53 +102,21 @@
         /**
          * Register our default principal with the ContextManager
          */
-        Subject defaultSubject = defaultPrincipal.getSubject();
+        Subject defaultSubject = this.defaultPrincipal.getSubject();
         ContextManager.registerSubject(defaultSubject);
         SubjectId id = ContextManager.getSubjectId(defaultSubject);
         defaultSubject.getPrincipals().add(new IdentificationPrincipal(id));
 
 //        log.debug("Default subject " + id + " for JACC policy '" + policyContextID + "' registered.");
 
-        /**
-         * Get the JACC policy configuration that's associated with this
-         * web application and configure it with the geronimo security
-         * configuration.  The work for this is done by the class
-         * JettyXMLConfiguration.
-         */
-        factory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
-
-        policyConfiguration = factory.getPolicyConfiguration(policyContextID, true);
-        configure(uncheckedPermissions, excludedPermissions, rolePermissions);
-        RoleMappingConfiguration roleMapper = RoleMappingConfigurationFactory.getRoleMappingFactory().getRoleMappingConfiguration(policyContextID, false);
-        addRoleMappings(securityRoles, securityConfig, roleMapper);
-        policyConfiguration.commit();
-        this.excludedPermissions = excludedPermissions;
-
-        Set allRolePermissions = new HashSet();
-        for (Iterator iterator = rolePermissions.entrySet().iterator(); iterator.hasNext();) {
-            Map.Entry entry = (Map.Entry) iterator.next();
-            Set permissionsForRole = (Set) entry.getValue();
-            allRolePermissions.addAll(permissionsForRole);
-        }
-        for (Iterator iterator = allRolePermissions.iterator(); iterator.hasNext();) {
-            Permission permission = (Permission) iterator.next();
-            checked.add(permission);
-        }
 
         this.realm = realm;
 //        log.info("JettyWebAppJACCContext started with JACC policy '" + policyContextID + "'");
     }
 
-    public void registerServletHolder(Map webRoleRefPermissions) throws PolicyContextException {
-        PolicyConfiguration policyConfiguration = factory.getPolicyConfiguration(policyContextID, false);
-        for (Iterator iterator = webRoleRefPermissions.entrySet().iterator(); iterator.hasNext();) {
-            Map.Entry entry = (Map.Entry) iterator.next();
-            String roleName = (String) entry.getValue();
-            WebRoleRefPermission webRoleRefPermission = (WebRoleRefPermission) entry.getKey();
-            policyConfiguration.addToRole(roleName, webRoleRefPermission);
-        }
-        policyConfiguration.commit();
-
+    public void stop() {
+        Subject defaultSubject = this.defaultPrincipal.getSubject();
+        ContextManager.unregisterSubject(defaultSubject);
     }
 
     public void before(Object[] context, HttpRequest httpRequest, HttpResponse httpResponse) {
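Review bot: `stop()` has no documentation and its contract changed: it now only unregisters the default subject, while the role-designate subjects and the JACC `PolicyConfiguration` that the removed code registered, committed and deleted are no longer touched by this class. Add a Javadoc stating that the lifecycle of role designates and of the policy configuration is owned elsewhere, presumably by the RoleDesignateSource and the application-wide JACC GBean this commit introduces, so a reader does not conclude that `stop()` leaks them. A matching line on the `roleDesignates` field would make the ownership explicit at the point of use.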
@@ -214,12 +166,8 @@
         return (Subject) roleDesignates.get(roleName);
     }
 
-    private void setRoleDesignate(String roleName, Subject subject) {
-        roleDesignates.put(roleName, subject);
-    }
-    
     //security check methods, delegated from WebAppContext
-    
+
     /**
      * Check the security constraints using JACC.
      *
@@ -345,12 +293,11 @@
     /**
      * Generate the default principal from the security config.
      *
-     * @param securityConfig The Geronimo security configuration.
+     * @param defaultPrincipal The Geronimo security configuration.
      * @return the default principal
      */
-    protected JAASJettyPrincipal generateDefaultPrincipal(Security securityConfig) throws GeronimoSecurityException {
+    protected JAASJettyPrincipal generateDefaultPrincipal(DefaultPrincipal defaultPrincipal) throws GeronimoSecurityException {
 
-        DefaultPrincipal defaultPrincipal = securityConfig.getDefaultPrincipal();
         if (defaultPrincipal == null) {
             throw new GeronimoSecurityException("Unable to generate default principal");
         }
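Review bot: The Javadoc for `generateDefaultPrincipal` was only partially updated: `@param defaultPrincipal The Geronimo security configuration.` still describes the old `Security` argument. Replace it with `@param defaultPrincipal the default-principal element of the Geronimo security configuration; must not be null` and add `@throws GeronimoSecurityException if defaultPrincipal is null`, which the body now enforces directly. The method body continues beyond the hunk.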
@@ -363,109 +310,4 @@
         return result;
     }
 
-
-    public void addRoleMappings(Set securityRoles, Security security, RoleMappingConfiguration roleMapper) throws PolicyContextException, GeronimoSecurityException {
-
-        for (Iterator roleMappings = security.getRoleMappings().values().iterator(); roleMappings.hasNext();) {
-            Role role = (Role) roleMappings.next();
-            String roleName = role.getRoleName();
-            Set principalSet = new HashSet();
-
-            if (!securityRoles.contains(roleName)) {
-                throw new GeronimoSecurityException("Role '" + roleName + "' does not exist in this configuration");
-            }
-
-            Subject roleDesignate = new Subject();
-
-            for (Iterator realms = role.getRealms().values().iterator(); realms.hasNext();) {
-                Realm realm = (Realm) realms.next();
-
-                for (Iterator principals = realm.getPrincipals().iterator(); principals.hasNext();) {
-                    org.apache.geronimo.security.deploy.Principal principal = (org.apache.geronimo.security.deploy.Principal) principals.next();
-
-                    RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal, realm.getRealmName());
-                    if (realmPrincipal == null) {
-                        throw new GeronimoSecurityException("Unable to create realm principal");
-                    }
-
-                    principalSet.add(realmPrincipal);
-                    if (principal.isDesignatedRunAs()) {
-                        roleDesignate.getPrincipals().add(realmPrincipal);
-                    }
-                }
-            }
-
-            for (Iterator names = role.getDNames().iterator(); names.hasNext();) {
-                DistinguishedName dn = (DistinguishedName) names.next();
-
-                X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName());
-
-                principalSet.add(x500Principal);
-                if (dn.isDesignatedRunAs()) {
-                    roleDesignate.getPrincipals().add(x500Principal);
-                }
-            }
-
-            roleMapper.addRoleMapping(roleName, principalSet);
-
-            if (roleDesignate.getPrincipals().size() > 0) {
-                setRoleDesignate(roleName, roleDesignate);
-            }
-        }
-
-        /**
-         * Register the role designates with the context manager.
-         *
-         * THIS MUST BE RUN AFTER JettyXMLConfiguration.configure()
-         */
-        for (Iterator iter = roleDesignates.keySet().iterator(); iter.hasNext();) {
-            String roleName = (String) iter.next();
-            Subject roleDesignate = (Subject) roleDesignates.get(roleName);
-
-            ContextManager.registerSubject(roleDesignate);
-            SubjectId id = ContextManager.getSubjectId(roleDesignate);
-            roleDesignate.getPrincipals().add(new IdentificationPrincipal(id));
-
-//            log.debug("Role designate " + id + " for role '" + roleName + "' for JACC policy '" + policyContextID + "' registered.");
-        }
-
-    }
-
-    private void configure(PermissionCollection uncheckedPermissions,
-                           PermissionCollection excludedPermissions,
-                           Map rolePermissions) throws GeronimoSecurityException {
-        try {
-            policyConfiguration.addToExcludedPolicy(excludedPermissions);
-            policyConfiguration.addToUncheckedPolicy(uncheckedPermissions);
-            for (Iterator iterator = rolePermissions.entrySet().iterator(); iterator.hasNext();) {
-                Map.Entry entry = (Map.Entry) iterator.next();
-                String roleName = (String) entry.getKey();
-                Set permissions = (Set) entry.getValue();
-                for (Iterator iterator1 = permissions.iterator(); iterator1.hasNext();) {
-                    Permission permission = (Permission) iterator1.next();
-                    policyConfiguration.addToRole(roleName, permission);
-                }
-            }
-        } catch (PolicyContextException e) {
-            throw new GeronimoSecurityException(e);
-        }
-    }
-
-
-    public void stop() throws PolicyContextException {
-        for (Iterator iter = roleDesignates.keySet().iterator(); iter.hasNext();) {
-            String roleName = (String) iter.next();
-            Subject roleDesignate = (Subject) roleDesignates.get(roleName);
-
-            ContextManager.unregisterSubject(roleDesignate);
-//            log.debug("Role designate " + ContextManager.getSubjectId(roleDesignate) + " for role '" + roleName + "' for JACC policy '" + policyContextID + "' unregistered.");
-        }
-        ContextManager.unregisterSubject(defaultPrincipal.getSubject());
-
-        if (policyConfiguration != null) {
-            policyConfiguration.delete();
-        }
-
-
-    }
 }

Modified: geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java (original)
+++ geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java Thu Apr 14 22:35:25 2005
@@ -37,8 +37,11 @@
 import org.apache.geronimo.kernel.Kernel;
 import org.apache.geronimo.kernel.management.State;
 import org.apache.geronimo.security.SecurityServiceImpl;
+import org.apache.geronimo.security.jacc.ComponentPermissions;
+import org.apache.geronimo.security.jacc.ApplicationPolicyConfigurationManager;
 import org.apache.geronimo.security.deploy.Principal;
 import org.apache.geronimo.security.deploy.Security;
+import org.apache.geronimo.security.deploy.DefaultPrincipal;
 import org.apache.geronimo.security.jaas.GeronimoLoginConfiguration;
 import org.apache.geronimo.security.jaas.JaasLoginService;
 import org.apache.geronimo.security.jaas.LoginModuleGBean;
@@ -125,14 +128,22 @@
         start(app);
     }
 
-    protected void setUpSecureAppContext(Security securityConfig, PermissionCollection uncheckedPermissions, PermissionCollection excludedPermissions, Map rolePermissions, Set securityRoles) throws Exception {
+    protected void setUpSecureAppContext(Map roleDesignates, Map principalRoleMap, ComponentPermissions componentPermissions, DefaultPrincipal defaultPrincipal, PermissionCollection checked, Set securityRoles) throws Exception {
+        ObjectName jaccBeanName = NameFactory.getComponentName(null, null, null, null, "foo", NameFactory.JACC_MANAGER, moduleContext);
+        GBeanData jaccBeanData = new GBeanData(jaccBeanName, ApplicationPolicyConfigurationManager.GBEAN_INFO);
+        Map contextIDToPermissionsMap = new HashMap();
+        contextIDToPermissionsMap.put("TEST", componentPermissions);
+        jaccBeanData.setAttribute("contextIdToPermissionsMap", contextIDToPermissionsMap);
+        jaccBeanData.setAttribute("principalRoleMap", principalRoleMap);
+        jaccBeanData.setAttribute("roleDesignates", roleDesignates);
+        start(jaccBeanData);
+
         GBeanData app = new GBeanData(webModuleName, JettyWebAppContext.GBEAN_INFO);
         app.setAttribute("securityRealmName", "demo-properties-realm");
-        app.setAttribute("securityConfig", securityConfig);
-        app.setAttribute("uncheckedPermissions", uncheckedPermissions);
-        app.setAttribute("excludedPermissions", excludedPermissions);
-        app.setAttribute("rolePermissions", rolePermissions);
-        app.setAttribute("securityRoles", securityRoles);
+        app.setAttribute("defaultPrincipal", defaultPrincipal);
+        app.setAttribute("checkedPermissions", checked);
+        app.setAttribute("excludedPermissions", componentPermissions.getExcludedPermissions());
+        app.setReferencePattern("RoleDesignateSource", jaccBeanName);
 
         FormAuthenticator formAuthenticator = new FormAuthenticator();
         formAuthenticator.setLoginPage("/auth/logon.html?param=test");
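Review bot: `securityRoles` is still a parameter of `setUpSecureAppContext` but nothing in the new body reads it (the old `app.setAttribute("securityRoles", ...)` line is gone), and the context id `"TEST"` is a bare literal that must agree with the `policyContextID` the web app is given outside this hunk. Drop the unused parameter or use it, and hoist the id into a named constant such as `private static final String POLICY_CONTEXT_ID = "TEST";` shared by both places. The method continues beyond the hunk.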

Modified: geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java (original)
+++ geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java Thu Apr 14 22:35:25 2005
@@ -17,8 +17,6 @@
 
 package org.apache.geronimo.jetty;
 
-import javax.security.jacc.WebResourcePermission;
-import javax.security.jacc.WebUserDataPermission;
 import java.io.BufferedReader;
 import java.io.IOException;
 import java.io.InputStreamReader;
@@ -28,14 +26,24 @@
 import java.security.Permissions;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
+import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
+import javax.security.jacc.WebResourcePermission;
+import javax.security.jacc.WebUserDataPermission;
 
+import org.apache.geronimo.common.DeploymentException;
+import org.apache.geronimo.security.RealmPrincipal;
 import org.apache.geronimo.security.deploy.DefaultPrincipal;
+import org.apache.geronimo.security.deploy.DistinguishedName;
 import org.apache.geronimo.security.deploy.Principal;
 import org.apache.geronimo.security.deploy.Realm;
 import org.apache.geronimo.security.deploy.Role;
 import org.apache.geronimo.security.deploy.Security;
+import org.apache.geronimo.security.jacc.ComponentPermissions;
+import org.apache.geronimo.security.util.ConfigurationUtil;
 
 
 /**
@@ -75,6 +83,10 @@
 
         securityConfig.getRoleMappings().put(role.getRoleName(), role);
 
+        Map roleDesignates = new HashMap();
+        Map principalRoleMap = new HashMap();
+        buildPrincipalRoleMap(securityConfig, roleDesignates, principalRoleMap);
+
         PermissionCollection uncheckedPermissions = new Permissions();
 
         PermissionCollection excludedPermissions = new Permissions();
@@ -82,17 +94,21 @@
         excludedPermissions.add(new WebUserDataPermission("/auth/login.html", ""));
 
         Map rolePermissions = new HashMap();
-        Set permissions = new HashSet();
+        PermissionCollection permissions = new Permissions();
         permissions.add(new WebUserDataPermission("/protected/*", ""));
         permissions.add(new WebResourcePermission("/protected/*", ""));
         rolePermissions.put("content-administrator", permissions);
         rolePermissions.put("auto-administrator", permissions);
 
+        PermissionCollection checked = permissions;
+
         Set securityRoles = new HashSet();
         securityRoles.add("content-administrator");
         securityRoles.add("auto-administrator");
 
-        startWebApp(securityConfig, uncheckedPermissions, excludedPermissions, rolePermissions, securityRoles);
+        ComponentPermissions componentPermissions = new ComponentPermissions(excludedPermissions, uncheckedPermissions, rolePermissions);
+
+        startWebApp(roleDesignates, principalRoleMap, componentPermissions, defaultPrincipal, checked, securityRoles);
 
         HttpURLConnection connection = (HttpURLConnection) new URL("http://localhost:5678/test/protected/hello.txt").openConnection();
         connection.setInstanceFollowRedirects(false);
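Review bot: `PermissionCollection checked = permissions;` makes `checked` the very same `Permissions` instance that is stored under both roles, so three references alias one mutable object; that is fine for this test but reads as if `checked` were derived. A one-line comment would make the intent explicit, e.g. `// both roles share one collection, so the union of role permissions ("checked") is just that collection`. The method body continues beyond the hunk.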
@@ -159,8 +175,8 @@
         stopWebApp();
     }
 
-    protected void startWebApp(Security securityConfig, PermissionCollection uncheckedPermissions, PermissionCollection excludedPermissions, Map rolePermissions, Set securityRoles) throws Exception {
-        setUpSecureAppContext(securityConfig, uncheckedPermissions, excludedPermissions, rolePermissions, securityRoles);
+    protected void startWebApp(Map roleDesignates, Map principalRoleMap, ComponentPermissions componentPermissions, DefaultPrincipal defaultPrincipal, PermissionCollection checked, Set securityRoles) throws Exception {
+        setUpSecureAppContext(roleDesignates, principalRoleMap, componentPermissions, defaultPrincipal, checked, securityRoles);
         setUpStaticContentServlet();
 //        start(appName, app);
     }
@@ -179,4 +195,80 @@
         super.tearDown();
     }
 
+    //copied from SecurityBuilder
+    public static void buildPrincipalRoleMap(Security security, Map roleDesignates, Map principalRoleMap) throws DeploymentException {
+         Map roleToPrincipalMap = new HashMap();
+         buildRolePrincipalMap(security, roleDesignates, roleToPrincipalMap);
+         invertMap(roleToPrincipalMap, principalRoleMap);
+     }
+
+     private static Map invertMap(Map roleToPrincipalMap, Map principalRoleMapping) {
+         for (Iterator roles = roleToPrincipalMap.entrySet().iterator(); roles.hasNext();) {
+             Map.Entry entry = (Map.Entry) roles.next();
+             String role = (String) entry.getKey();
+             Set principals = (Set) entry.getValue();
+             for (Iterator iter = principals.iterator(); iter.hasNext();) {
+                 java.security.Principal principal = (java.security.Principal) iter.next();
+
+                 HashSet roleSet = (HashSet) principalRoleMapping.get(principal);
+                 if (roleSet == null) {
+                     roleSet = new HashSet();
+                     principalRoleMapping.put(principal, roleSet);
+                 }
+                 roleSet.add(role);
+             }
+         }
+         return principalRoleMapping;
+     }
+
+     private static void buildRolePrincipalMap(Security security, Map roleDesignates, Map roleToPrincipalMap) throws DeploymentException {
+
+         Iterator rollMappings = security.getRoleMappings().values().iterator();
+         while (rollMappings.hasNext()) {
+             Role role = (Role) rollMappings.next();
+
+             String roleName = role.getRoleName();
+             Subject roleDesignate = new Subject();
+             Set principalSet = new HashSet();
+
+             Iterator realms = role.getRealms().values().iterator();
+             while (realms.hasNext()) {
+                 Realm realm = (Realm) realms.next();
+
+                 Iterator principals = realm.getPrincipals().iterator();
+                 while (principals.hasNext()) {
+                     Principal principal = (Principal) principals.next();
+
+                     RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal, realm.getRealmName());
+
+                     if (realmPrincipal == null) throw new DeploymentException("Unable to create realm principal");
+
+                     principalSet.add(realmPrincipal);
+                     if (principal.isDesignatedRunAs()) roleDesignate.getPrincipals().add(realmPrincipal);
+                 }
+             }
+
+             for (Iterator names = role.getDNames().iterator(); names.hasNext();) {
+                 DistinguishedName dn = (DistinguishedName) names.next();
+
+                 X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName());
+
+                 principalSet.add(x500Principal);
+                 if (dn.isDesignatedRunAs()) {
+                     roleDesignate.getPrincipals().add(x500Principal);
+                 }
+             }
+
+             Set roleMapping = (Set) roleToPrincipalMap.get(roleName);
+             if (roleMapping == null) {
+                 roleMapping = new HashSet();
+                 roleToPrincipalMap.put(roleName, roleMapping);
+             }
+             roleMapping.addAll(principalSet);
+
+             if (roleDesignate.getPrincipals().size() > 0) {
+                 roleDesignates.put(roleName, roleDesignate);
+             }
+         }
+     }
 }
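Review bot: `invertMap` casts the value it reads back out of `principalRoleMapping` to `HashSet` although the parameter is only declared as a `Map` and the method itself only relies on `Set` semantics, so a caller that seeds the map with any other `Set` implementation gets a `ClassCastException` at that line; `Set roleSet = (Set) principalRoleMapping.get(principal);` is all it needs, and the same cast exists in the copy of this helper that this commit adds to `SecurityBuilder`. The `Map` that `invertMap` returns is ignored by `buildPrincipalRoleMap`, so the method could be `void` and the misleading return dropped. As the `//copied from SecurityBuilder` comment admits, these three methods are a verbatim copy of the helpers `SecurityBuilder` now exposes through `buildSecurityConfiguration(Security)`; if the jetty test module can depend on security-builder, calling that instead would stop the two copies from drifting, and if it cannot, the comment should say so. The copied block is also indented one column off from the rest of the file.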

Modified: geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java (original)
+++ geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java Thu Apr 14 22:35:25 2005
@@ -16,10 +16,18 @@
  */
 package org.apache.geronimo.security.deployment;
 
-import java.util.Set;
+import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
+import javax.management.ObjectName;
+import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
 
 import org.apache.geronimo.common.DeploymentException;
+import org.apache.geronimo.gbean.GBeanData;
+import org.apache.geronimo.security.RealmPrincipal;
 import org.apache.geronimo.security.deploy.DefaultPrincipal;
 import org.apache.geronimo.security.deploy.DistinguishedName;
 import org.apache.geronimo.security.deploy.Principal;
@@ -27,14 +35,16 @@
 import org.apache.geronimo.security.deploy.Role;
 import org.apache.geronimo.security.deploy.Security;
 import org.apache.geronimo.security.jaas.NamedUsernamePasswordCredential;
+import org.apache.geronimo.security.jacc.ApplicationPolicyConfigurationManager;
+import org.apache.geronimo.security.util.ConfigurationUtil;
 import org.apache.geronimo.xbeans.geronimo.security.GerDefaultPrincipalType;
 import org.apache.geronimo.xbeans.geronimo.security.GerDistinguishedNameType;
+import org.apache.geronimo.xbeans.geronimo.security.GerNamedUsernamePasswordCredentialType;
 import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType;
 import org.apache.geronimo.xbeans.geronimo.security.GerRealmType;
 import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType;
 import org.apache.geronimo.xbeans.geronimo.security.GerRoleType;
 import org.apache.geronimo.xbeans.geronimo.security.GerSecurityType;
-import org.apache.geronimo.xbeans.geronimo.security.GerNamedUsernamePasswordCredentialType;
 
 
 /**
@@ -42,7 +52,92 @@
  */
 public class SecurityBuilder {
 
-    public static Security buildSecurityConfig(GerSecurityType securityType, Set roleNames) throws DeploymentException {
+    public static SecurityConfiguration buildSecurityConfiguration(GerSecurityType securityType) throws DeploymentException {
+        Security security = buildSecurityConfig(securityType);
+        return buildSecurityConfiguration(security);
+    }
+
+    public static SecurityConfiguration buildSecurityConfiguration(Security security) throws DeploymentException {
+        Map roleDesignates = new HashMap();
+        Map principalRoleMap = new HashMap();
+        Map roleToPrincipalMap = new HashMap();
+        buildRolePrincipalMap(security, roleDesignates, roleToPrincipalMap);
+        invertMap(roleToPrincipalMap, principalRoleMap);
+        SecurityConfiguration securityConfiguration = new SecurityConfiguration(principalRoleMap, roleDesignates, security.getDefaultPrincipal(), security.getDefaultRole(), security.isDoAsCurrentCaller(), security.isUseContextHandler());
+        return securityConfiguration;
+    }
+
+    private static Map invertMap(Map roleToPrincipalMap, Map principalRoleMapping) {
+        for (Iterator roles = roleToPrincipalMap.entrySet().iterator(); roles.hasNext();) {
+            Map.Entry entry = (Map.Entry) roles.next();
+            String role = (String) entry.getKey();
+            Set principals = (Set) entry.getValue();
+            for (Iterator iter = principals.iterator(); iter.hasNext();) {
+                java.security.Principal principal = (java.security.Principal) iter.next();
+
+                HashSet roleSet = (HashSet) principalRoleMapping.get(principal);
+                if (roleSet == null) {
+                    roleSet = new HashSet();
+                    principalRoleMapping.put(principal, roleSet);
+                }
+                roleSet.add(role);
+            }
+        }
+        return principalRoleMapping;
+    }
+
+    private static void buildRolePrincipalMap(Security security, Map roleDesignates, Map roleToPrincipalMap) throws DeploymentException {
+
+        Iterator rollMappings = security.getRoleMappings().values().iterator();
+        while (rollMappings.hasNext()) {
+            Role role = (Role) rollMappings.next();
+
+            String roleName = role.getRoleName();
+            Subject roleDesignate = new Subject();
+            Set principalSet = new HashSet();
+
+            Iterator realms = role.getRealms().values().iterator();
+            while (realms.hasNext()) {
+                Realm realm = (Realm) realms.next();
+
+                Iterator principals = realm.getPrincipals().iterator();
+                while (principals.hasNext()) {
+                    Principal principal = (Principal) principals.next();
+
+                    RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal, realm.getRealmName());
+
+                    if (realmPrincipal == null) throw new DeploymentException("Unable to create realm principal");
+
+                    principalSet.add(realmPrincipal);
+                    if (principal.isDesignatedRunAs()) roleDesignate.getPrincipals().add(realmPrincipal);
+                }
+            }
+
+            for (Iterator names = role.getDNames().iterator(); names.hasNext();) {
+                DistinguishedName dn = (DistinguishedName) names.next();
+
+                X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName());
+
+                principalSet.add(x500Principal);
+                if (dn.isDesignatedRunAs()) {
+                    roleDesignate.getPrincipals().add(x500Principal);
+                }
+            }
+
+            Set roleMapping = (Set) roleToPrincipalMap.get(roleName);
+            if (roleMapping == null) {
+                roleMapping = new HashSet();
+                roleToPrincipalMap.put(roleName, roleMapping);
+            }
+            roleMapping.addAll(principalSet);
+
+            if (roleDesignate.getPrincipals().size() > 0) {
+                roleDesignates.put(roleName, roleDesignate);
+            }
+        }
+    }
+
+    private static Security buildSecurityConfig(GerSecurityType securityType) {
         Security security = null;
 
         if (securityType == null) {
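Review bot: `buildSecurityConfiguration(GerSecurityType)` passes the result of `buildSecurityConfig` straight into `buildSecurityConfiguration(Security)`, which immediately dereferences `security.getRoleMappings()`; the `securityType == null` branch of `buildSecurityConfig` continues outside this hunk, but the `Security security = null;` initializer suggests it may leave `security` null, in which case a module without a security section fails with a NullPointerException rather than a meaningful error. A guard at the top of `buildSecurityConfiguration(Security)`, either `if (security == null) return null;` with the null return documented, or a `DeploymentException("No security configuration supplied")` if callers must always provide one, makes that contract explicit. In `buildRolePrincipalMap` the realm path rejects a null `RealmPrincipal` with a DeploymentException, but the distinguished-name path adds `ConfigurationUtil.generateX500Principal(dn.getName())` to `principalSet` unchecked; if that helper can return null for a malformed name, a null key lands in the principal-role map, so the two paths should be treated alike. None of the new public methods carries Javadoc, and `buildSecurityConfiguration(Security)` in particular should state that `roleDesignates` maps role name to a run-as `Subject` and `principalRoleMap` maps principal to the set of role names.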
@@ -92,13 +187,12 @@
             }
         }
 
-        security.getRoleNames().addAll(roleNames);
-
         security.setDefaultPrincipal(buildDefaultPrincipal(securityType.getDefaultPrincipal()));
 
         return security;
     }
 
+    //used from app client builder
     public static DefaultPrincipal buildDefaultPrincipal(GerDefaultPrincipalType defaultPrincipalType) {
         DefaultPrincipal defaultPrincipal = new DefaultPrincipal();
 
@@ -117,6 +211,7 @@
         return defaultPrincipal;
     }
 
+    //used from TSSConfigEditor
     public static Principal buildPrincipal(GerPrincipalType principalType) {
         Principal principal = new Principal();
 
@@ -126,4 +221,13 @@
 
         return principal;
     }
+
+    public static GBeanData configureApplicationPolicyManager(ObjectName name, Map contextIDToPermissionsMap, SecurityConfiguration securityConfiguration) {
+        GBeanData jaccBeanData = new GBeanData(name, ApplicationPolicyConfigurationManager.GBEAN_INFO);
+        jaccBeanData.setAttribute("contextIdToPermissionsMap", contextIDToPermissionsMap);
+        jaccBeanData.setAttribute("principalRoleMap", securityConfiguration.getPrincipalRoleMap());
+        jaccBeanData.setAttribute("roleDesignates", securityConfiguration.getRoleDesignates());
+        return jaccBeanData;
+    }
+
 }
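Review bot: `configureApplicationPolicyManager` is a new public builder entry point without Javadoc, and its parameter `contextIDToPermissionsMap` is spelled differently from the attribute it populates (`"contextIdToPermissionsMap"`) and from the GBean constructor argument of the same name, which makes tracing a value from builder to GBean harder than it needs to be; renaming the parameter to `contextIdToPermissionsMap` is enough. A Javadoc such as `/** Builds the GBeanData for the application-wide JACC manager from the per-context permissions and the principal-role map and role designates resolved in securityConfiguration. */` would say what the three attributes carry. The method also dereferences `securityConfiguration` without a check, so a missing security section surfaces as a NullPointerException on `getPrincipalRoleMap()`; a `Objects`-style null guard is not available on this Java level, but `if (securityConfiguration == null) throw new IllegalArgumentException("securityConfiguration is required");` gives the deployer a clearer message.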

Added: geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityConfiguration.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityConfiguration.java?view=auto&rev=161394
==============================================================================
--- geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityConfiguration.java (added)
+++ geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityConfiguration.java Thu Apr 14 22:35:25 2005
@@ -0,0 +1,67 @@
+/**
+ *
+ * Copyright 2003-2004 The Apache Software Foundation
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.geronimo.security.deployment;
+
+import java.util.Map;
+
+import org.apache.geronimo.security.deploy.DefaultPrincipal;
+
+/**
+ * @version $Rev:  $ $Date:  $
+ */
+public class SecurityConfiguration {
+
+    private final Map principalRoleMap;
+    private final Map roleDesignates;
+    private final DefaultPrincipal defaultPrincipal;
+    private final String defaultRole;
+    private final boolean doAsCurrentCaller;
+    private final boolean isUseContextHandler;
+
+    public SecurityConfiguration(Map principalRoleMap, Map roleDesignates, DefaultPrincipal defaultPrincipal, String defaultRole, boolean doAsCurrentCaller, boolean useContextHandler) {
+        this.principalRoleMap = principalRoleMap;
+        this.roleDesignates = roleDesignates;
+        this.defaultPrincipal = defaultPrincipal;
+        this.defaultRole = defaultRole;
+        this.doAsCurrentCaller = doAsCurrentCaller;
+        isUseContextHandler = useContextHandler;
+    }
+
+    public Map getPrincipalRoleMap() {
+        return principalRoleMap;
+    }
+
+    public Map getRoleDesignates() {
+        return roleDesignates;
+    }
+
+    public DefaultPrincipal getDefaultPrincipal() {
+        return defaultPrincipal;
+    }
+
+    public String getDefaultRole() {
+        return defaultRole;
+    }
+
+    public boolean isDoAsCurrentCaller() {
+        return doAsCurrentCaller;
+    }
+
+    public boolean isUseContextHandler() {
+        return isUseContextHandler;
+    }
+}
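Review bot: The constructor stores `principalRoleMap` and `roleDesignates` by reference and the getters hand the same instances back, so anything holding a SecurityConfiguration, or the builder's original maps, can rewrite the principal-to-role mapping after it has been built, even though every other field of the class is final and read-only. Wrapping them at construction, `this.principalRoleMap = Collections.unmodifiableMap(principalRoleMap);` and `this.roleDesignates = Collections.unmodifiableMap(roleDesignates);` (with `java.util.Collections` imported), closes that gap; the consumers visible in this commit only read the maps. The field `isUseContextHandler` breaks the naming pattern of its sibling `doAsCurrentCaller` and of its own constructor parameter `useContextHandler`, and the bare `isUseContextHandler = useContextHandler;` assignment lacks the `this.` the other lines use. A class Javadoc stating that this is the resolved, per-application view of a security section (principal-role map, run-as designates, default principal and role, and the two flags) would help, since the only comment is the version tag.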

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/ContextManager.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/ContextManager.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/ContextManager.java (original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/ContextManager.java Thu Apr 14 22:35:25 2005
@@ -67,7 +67,7 @@
      * the Subject used by the server has more important contents.  This method
      * lets a server-side component acting as an authentication client (such
      * as Tocmat/Jetty) access the fully populated server-side Subject.
-     */ 
+     */
     public static Subject getServerSideSubject(Subject clientSideSubject) {
         Set set = clientSideSubject.getPrincipals(IdentificationPrincipal.class);
         if(set == null || set.size() == 0) {
@@ -123,7 +123,9 @@
         SecurityManager sm = System.getSecurityManager();
         if (sm != null) sm.checkPermission(GET_CONTEXT);
 
-        Context context = (Context) subjectContexts.get(currentCaller.get());
+        Subject currentSubject = (Subject) currentCaller.get();
+        assert currentSubject != null : "No current caller";
+        Context context = (Context) subjectContexts.get(currentSubject);
 
         assert context != null : "No registered context";
 
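Review bot: The new null check on `currentSubject` is an `assert`, which is disabled unless the JVM runs with `-ea`, so in a normal deployment a missing caller still reaches `subjectContexts.get(null)`, then the equally disabled `context != null` assert, and continues with a null `context`; on a security-context lookup that is guarded by the `GET_CONTEXT` permission this should be a hard failure in every runtime mode, not a debugging aid. `if (currentSubject == null) throw new IllegalStateException("No current caller");` keeps the same message and cannot be switched off, and the existing `context` assert deserves the same treatment. The enclosing method starts outside this hunk.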

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java?view=diff&r1=161393&r2=161394
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java (original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java Thu Apr 14 22:35:25 2005
@@ -34,7 +34,6 @@
     private String defaultRole;
     private DefaultPrincipal defaultPrincipal;
     private Map roleMappings = new HashMap();
-    private Set roleNames = new HashSet();
 
     public Security() {
     }
@@ -73,10 +72,6 @@
 
     public Map getRoleMappings() {
         return roleMappings;
-    }
-
-    public Set getRoleNames() {
-        return roleNames;
     }
 
     public void append(Role role) {

Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/ApplicationPolicyConfigurationManager.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/ApplicationPolicyConfigurationManager.java?view=auto&rev=161394
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/ApplicationPolicyConfigurationManager.java (added)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/ApplicationPolicyConfigurationManager.java Thu Apr 14 22:35:25 2005
@@ -0,0 +1,153 @@
+/**
+ *
+ * Copyright 2003-2004 The Apache Software Foundation
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.geronimo.security.jacc;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+import java.security.Policy;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+import javax.security.auth.Subject;
+import javax.security.jacc.PolicyConfiguration;
+import javax.security.jacc.PolicyConfigurationFactory;
+import javax.security.jacc.PolicyContextException;
+
+import org.apache.geronimo.gbean.GBeanInfo;
+import org.apache.geronimo.gbean.GBeanInfoBuilder;
+import org.apache.geronimo.gbean.GBeanLifecycle;
+import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
+import org.apache.geronimo.security.ContextManager;
+import org.apache.geronimo.security.IdentificationPrincipal;
+import org.apache.geronimo.security.SubjectId;
+
+/**
+ * @version $Rev:  $ $Date:  $
+ */
+public class ApplicationPolicyConfigurationManager implements GBeanLifecycle, RoleDesignateSource {
+
+    private final Map contextIdToPolicyConfigurationMap = new HashMap();
+    private final Map roleDesignates;
+
+    public ApplicationPolicyConfigurationManager(Map contextIdToPermissionsMap, Map principalRoleMap, Map roleDesignates) throws PolicyContextException, ClassNotFoundException {
+        PolicyConfigurationFactory policyConfigurationFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
+        for (Iterator iterator = contextIdToPermissionsMap.entrySet().iterator(); iterator.hasNext();) {
+            Map.Entry entry = (Map.Entry) iterator.next();
+            String contextID = (String) entry.getKey();
+            ComponentPermissions componentPermissions = (ComponentPermissions) entry.getValue();
+
+            PolicyConfiguration policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(contextID, false);
+//            if (policyConfiguration != policyConfigurationFactory.getPolicyConfiguration(contextID, false)) {
+//                throw new IllegalStateException("JACC implementation is invalid: returns different instances of PolicyConfiguration for the same contextID");
+//            }
+            contextIdToPolicyConfigurationMap.put(contextID, policyConfiguration);
+            policyConfiguration.addToExcludedPolicy(componentPermissions.getExcludedPermissions());
+            policyConfiguration.addToUncheckedPolicy(componentPermissions.getUncheckedPermissions());
+            for (Iterator roleIterator = componentPermissions.getRolePermissions().entrySet().iterator(); roleIterator.hasNext();) {
+                Map.Entry roleEntry = (Map.Entry) roleIterator.next();
+                String roleName = (String) roleEntry.getKey();
+                PermissionCollection rolePermissions = (PermissionCollection) roleEntry.getValue();
+                for (Enumeration permissions = rolePermissions.elements(); permissions.hasMoreElements();) {
+                    Permission permission = (Permission) permissions.nextElement();
+                    policyConfiguration.addToRole(roleName, permission);
+
+                }
+            }
+
+            GeronimoPolicyConfigurationFactory roleMapperFactory = GeronimoPolicyConfigurationFactory.getSingleton();
+            if (roleMapperFactory == null) {
+                throw new IllegalStateException("Inconsistent security setup.  GeronimoPolicyConfigurationFactory is not being used");
+            }
+
+            GeronimoPolicyConfiguration geronimoPolicyConfiguration = roleMapperFactory.getGeronimoPolicyConfiguration(contextID);
+            geronimoPolicyConfiguration.setPrincipalRoleMapping(principalRoleMap);
+
+        }
+
+        //link everything together
+        for (Iterator iterator = contextIdToPolicyConfigurationMap.values().iterator(); iterator.hasNext();) {
+            PolicyConfiguration policyConfiguration = (PolicyConfiguration) iterator.next();
+            for (Iterator iterator2 = contextIdToPolicyConfigurationMap.values().iterator(); iterator2.hasNext();) {
+                PolicyConfiguration policyConfiguration2 = (PolicyConfiguration) iterator2.next();
+                if (policyConfiguration != policyConfiguration2) {
+                    policyConfiguration.linkConfiguration(policyConfiguration2);
+                }
+            }
+        }
+
+        //commit
+        for (Iterator iterator = contextIdToPolicyConfigurationMap.values().iterator(); iterator.hasNext();) {
+            PolicyConfiguration policyConfiguration = (PolicyConfiguration) iterator.next();
+            policyConfiguration.commit();
+        }
+
+        //refresh policy
+        Policy policy = Policy.getPolicy();
+        policy.refresh();
+
+        for (Iterator iterator = roleDesignates.entrySet().iterator(); iterator.hasNext();) {
+            Map.Entry entry = (Map.Entry) iterator.next();
+            Subject roleDesignate = (Subject) entry.getValue();
+            ContextManager.registerSubject(roleDesignate);
+            SubjectId id = ContextManager.getSubjectId(roleDesignate);
+            roleDesignate.getPrincipals().add(new IdentificationPrincipal(id));
+        }
+        this.roleDesignates = roleDesignates;
+    }
+
+    public void doStart() throws Exception {
+
+    }
+
+    public void doStop() throws Exception {
+        for (Iterator iterator = roleDesignates.entrySet().iterator(); iterator.hasNext();) {
+             Map.Entry entry = (Map.Entry) iterator.next();
+             Subject roleDesignate = (Subject) entry.getValue();
+             ContextManager.unregisterSubject(roleDesignate);
+         }
+
+        for (Iterator iterator = contextIdToPolicyConfigurationMap.values().iterator(); iterator.hasNext();) {
+            PolicyConfiguration policyConfiguration = (PolicyConfiguration) iterator.next();
+            policyConfiguration.delete();
+        }
+    }
+
+    public void doFail() {
+
+    }
+
+    public Map getRoleDesignateMap() {
+        return roleDesignates;
+    }
+
+    public static final GBeanInfo GBEAN_INFO;
+
+    static {
+        GBeanInfoBuilder infoBuilder = new GBeanInfoBuilder(ApplicationPolicyConfigurationManager.class, NameFactory.JACC_MANAGER);
+        infoBuilder.addAttribute("contextIdToPermissionsMap", Map.class, true);
+        infoBuilder.addAttribute("principalRoleMap", Map.class, true);
+        infoBuilder.addAttribute("roleDesignates", Map.class, true);
+        infoBuilder.addInterface(RoleDesignateSource.class);
+        infoBuilder.setConstructor(new String[] {"contextIdToPermissionsMap", "principalRoleMap", "roleDesignates"});
+        GBEAN_INFO = infoBuilder.getBeanInfo();
+    }
+
+    public GBeanInfo getGBeanInfo() {
+        return GBEAN_INFO;
+    }
+}
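Review bot: The constructor is not exception-safe and `doFail` is empty, so a failure anywhere between the first `getPolicyConfiguration` call and the last designate registration leaves the already-obtained PolicyConfigurations (possibly linked and committed) and the Subjects already registered with `ContextManager` in place with nobody to release them: the constructor has thrown, so the GBean never exists and `doStop` never runs, and a later deployment of the same context IDs meets stale JACC state. The sketch below records which designates were actually registered, releases both resources in a helper shared by `doStop`, `doFail` and a constructor `finally`, and iterates `roleDesignates.values()` since the keys are unused; it needs `java.util.ArrayList` and `java.util.List` imports, and because `release()` runs from the constructor before `this.roleDesignates` is assigned it must not read that field. The three commented-out lines after `getPolicyConfiguration(contextID, false)` should either become a real check or be deleted. `getRoleDesignateMap` returns the live map; `Collections.unmodifiableMap` would keep other GBeans from altering the run-as designates.
```java
    private final List registeredDesignates = new ArrayList();

    public ApplicationPolicyConfigurationManager(Map contextIdToPermissionsMap, Map principalRoleMap, Map roleDesignates) throws PolicyContextException, ClassNotFoundException {
        boolean completed = false;
        try {
            // … unchanged: obtain, populate, link and commit each PolicyConfiguration; refresh the Policy …
            for (Iterator iterator = roleDesignates.values().iterator(); iterator.hasNext();) {
                Subject roleDesignate = (Subject) iterator.next();
                ContextManager.registerSubject(roleDesignate);
                registeredDesignates.add(roleDesignate);
                SubjectId id = ContextManager.getSubjectId(roleDesignate);
                roleDesignate.getPrincipals().add(new IdentificationPrincipal(id));
            }
            completed = true;
        } finally {
            if (!completed) {
                release(); // undo the partial setup before the failure propagates
            }
        }
        this.roleDesignates = roleDesignates;
    }

    public void doStop() throws Exception {
        release();
    }

    public void doFail() {
        try {
            release();
        } catch (PolicyContextException ignored) {
            // the kernel is already failing this GBean; a second error has nowhere to go
        }
    }

    // Unregisters every designate Subject that was registered and deletes every
    // PolicyConfiguration obtained so far; safe to call on a partially built instance.
    private void release() throws PolicyContextException {
        for (Iterator iterator = registeredDesignates.iterator(); iterator.hasNext();) {
            ContextManager.unregisterSubject((Subject) iterator.next());
        }
        registeredDesignates.clear();
        for (Iterator iterator = contextIdToPolicyConfigurationMap.values().iterator(); iterator.hasNext();) {
            ((PolicyConfiguration) iterator.next()).delete();
        }
        contextIdToPolicyConfigurationMap.clear();
    }
```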