Posted to scm@geronimo.apache.org by ad...@apache.org on 2004/11/10 20:39:51 UTC
svn commit: rev 57351 - in geronimo/trunk: applications/demo/src/webapp/WEB-INF modules/jetty-builder/src/test-resources/deployables/war3/WEB-INF modules/jetty/src/java/org/apache/geronimo/jetty modules/jetty/src/test-resources/deployables/war3/WEB-INF modules/jetty/src/test/org/apache/geronimo/jetty modules/security-builder/src/java/org/apache/geronimo/security/deployment modules/security-builder/src/schema modules/security/src/java/org/apache/geronimo/security/deploy modules/security/src/java/org/apache/geronimo/security/realm modules/security/src/java/org/apache/geronimo/security/realm/providers
Author: adc
Date: Wed Nov 10 11:39:50 2004
New Revision: 57351
Added:
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/AutoMapAssistant.java
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/AutoMapAssistant.java
Modified:
geronimo/trunk/applications/demo/src/webapp/WEB-INF/geronimo-jetty.xml
geronimo/trunk/modules/jetty-builder/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java
geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java
geronimo/trunk/modules/jetty/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java
geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/AbstractSecurityRealm.java
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileSecurityRealm.java
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLSecurityRealm.java
Log:
Support Group Name = Role Name Role Mapping
http://nagoya.apache.org/jira/browse/GERONIMO-454
Modified: geronimo/trunk/applications/demo/src/webapp/WEB-INF/geronimo-jetty.xml
==============================================================================
--- geronimo/trunk/applications/demo/src/webapp/WEB-INF/geronimo-jetty.xml (original)
+++ geronimo/trunk/applications/demo/src/webapp/WEB-INF/geronimo-jetty.xml Wed Nov 10 11:39:50 2004
@@ -16,21 +16,26 @@
limitations under the License.
-->
-<web-app xmlns="http://geronimo.apache.org/xml/ns/web/jetty" configId="org/apache/geronimo/Demo" parentId="org/apache/geronimo/Secure">
+<web-app
+ xmlns="http://geronimo.apache.org/xml/ns/web/jetty"
+ xmlns:sec="http://geronimo.apache.org/xml/ns/security"
+ configId="org/apache/geronimo/Demo"
+ parentId="org/apache/geronimo/Secure">
+
<context-root>/demo</context-root>
<context-priority-classloader>false</context-priority-classloader>
- <security>
- <default-principal realm-name="demo-properties-realm">
- <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal" name="izumi"/>
- </default-principal>
- <role-mappings>
- <role role-name="content-administrator">
- <realm realm-name="demo-properties-realm">
- <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileGroupPrincipal" name="it" designated-run-as="true"/>
- <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal" name="metro"/>
- <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal" name="george"/>
- </realm>
- </role>
- </role-mappings>
- </security>
+ <sec:security>
+ <sec:default-principal realm-name="demo-properties-realm">
+ <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal" name="izumi"/>
+ </sec:default-principal>
+ <sec:role-mappings>
+ <sec:role role-name="content-administrator">
+ <sec:realm realm-name="demo-properties-realm">
+ <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileGroupPrincipal" name="it" designated-run-as="true"/>
+ <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal" name="metro"/>
+ <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal" name="george"/>
+ </sec:realm>
+ </sec:role>
+ </sec:role-mappings>
+ </sec:security>
</web-app>
Modified: geronimo/trunk/modules/jetty-builder/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
==============================================================================
--- geronimo/trunk/modules/jetty-builder/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml (original)
+++ geronimo/trunk/modules/jetty-builder/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml Wed Nov 10 11:39:50 2004
@@ -16,12 +16,17 @@
limitations under the License.
-->
-<web-app xmlns="http://geronimo.apache.org/xml/ns/web/jetty" configId="org/apache/geronimo/test">
+<web-app
+ xmlns="http://geronimo.apache.org/xml/ns/web/jetty"
+ xmlns:sec="http://geronimo.apache.org/xml/ns/security"
+ configId="org/apache/geronimo/test">
+
<context-root>/test</context-root>
<context-priority-classloader>false</context-priority-classloader>
- <security>
- <default-principal realm-name="demo-properties-realm">
- <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal" name="izumi"/>
- </default-principal>
- </security>
+ <sec:security>
+ <sec:auto-map-roles security-realm="demo-properties-realm"/>
+ <sec:default-principal realm-name="demo-properties-realm">
+ <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal" name="izumi"/>
+ </sec:default-principal>
+ </sec:security>
</web-app>
Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java (original)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java Wed Nov 10 11:39:50 2004
@@ -36,6 +36,8 @@
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebUserDataPermission;
+import javax.management.ObjectName;
+import javax.management.MalformedObjectNameException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
@@ -49,13 +51,16 @@
import org.apache.geronimo.security.PrimaryRealmPrincipal;
import org.apache.geronimo.security.RealmPrincipal;
import org.apache.geronimo.security.SubjectId;
+import org.apache.geronimo.security.realm.SecurityRealm;
import org.apache.geronimo.security.deploy.DefaultPrincipal;
import org.apache.geronimo.security.deploy.Security;
+import org.apache.geronimo.security.deploy.AutoMapAssistant;
import org.apache.geronimo.security.util.ConfigurationUtil;
import org.apache.geronimo.transaction.TrackedConnectionAssociator;
-import org.apache.geronimo.transaction.UserTransactionImpl;
import org.apache.geronimo.transaction.OnlineUserTransaction;
import org.apache.geronimo.transaction.context.TransactionContextManager;
+import org.apache.geronimo.kernel.Kernel;
+
import org.mortbay.http.Authenticator;
import org.mortbay.http.HttpException;
import org.mortbay.http.HttpRequest;
@@ -78,6 +83,7 @@
public class JettyWebAppJACCContext extends JettyWebAppContext {
private static Log log = LogFactory.getLog(JettyWebAppJACCContext.class);
+ private final Kernel kernel;
private final String policyContextID;
private final Security securityConfig;
private final JAASJettyPrincipal defaultPrincipal;
@@ -91,12 +97,14 @@
private String formLoginPath;
public JettyWebAppJACCContext() {
+ kernel = null;
policyContextID = null;
securityConfig = null;
defaultPrincipal = null;
}
public JettyWebAppJACCContext(
+ Kernel kernel,
URI uri,
ReadOnlyContext componentContext,
OnlineUserTransaction userTransaction,
@@ -125,6 +133,7 @@
trackedConnectionAssociator,
jettyContainer);
+ this.kernel = kernel;
this.policyContextID = policyContextID;
this.securityConfig = securityConfig;
defaultPrincipal = generateDefaultPrincipal(securityConfig);
@@ -135,6 +144,10 @@
addHandler(new JettyWebAppHandler());
}
+ public Kernel getKernel() {
+ return kernel;
+ }
+
public String getPolicyContextID() {
return policyContextID;
}
@@ -361,16 +374,40 @@
* @return the default principal
*/
protected JAASJettyPrincipal generateDefaultPrincipal(Security securityConfig) throws GeronimoSecurityException {
+
+ DefaultPrincipal defaultPrincipal = securityConfig.getDefaultPrincipal();
+ if (defaultPrincipal == null) {
+ AutoMapAssistant config = securityConfig.getAssistant();
+ try {
+ if (config != null) {
+ Set assistants = kernel.listGBeans(new ObjectName("geronimo.security:type=SecurityRealm,realm=" + config.getSecurityRealm()));
+ if (assistants.size() < 1 || assistants.size() > 1) throw new GeronimoSecurityException("Only one auto mapping assistant should match " + config.getSecurityRealm());
+
+ org.apache.geronimo.security.realm.AutoMapAssistant assistant = (org.apache.geronimo.security.realm.AutoMapAssistant) assistants.iterator().next();
+ org.apache.geronimo.security.deploy.Principal principal = assistant.obtainDefaultPrincipal();
+ defaultPrincipal = new DefaultPrincipal();
+ defaultPrincipal.setPrincipal(principal);
+ defaultPrincipal.setRealmName(((SecurityRealm)assistant).getRealmName());
+ }
+ } catch (MalformedObjectNameException e) {
+ throw new GeronimoSecurityException("Bad object name geronimo.security:type=SecurityRealm,realm=" + config.getSecurityRealm());
+ }
+
+ }
+ if (defaultPrincipal == null) throw new GeronimoSecurityException("Unable to generate default principal");
+
+ return generateDefaultPrincipal(securityConfig, defaultPrincipal);
+ }
+
+ protected JAASJettyPrincipal generateDefaultPrincipal(Security securityConfig, DefaultPrincipal defaultPrincipal) throws GeronimoSecurityException {
JAASJettyPrincipal result = new JAASJettyPrincipal("default");
Subject defaultSubject = new Subject();
- DefaultPrincipal principal = securityConfig.getDefaultPrincipal();
-
- RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal.getPrincipal(), principal.getRealmName());
+ RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(defaultPrincipal.getPrincipal(), defaultPrincipal.getRealmName());
if (realmPrincipal == null) {
throw new GeronimoSecurityException("Unable to create realm principal");
}
- PrimaryRealmPrincipal primaryRealmPrincipal = ConfigurationUtil.generatePrimaryRealmPrincipal(principal.getPrincipal(), principal.getRealmName());
+ PrimaryRealmPrincipal primaryRealmPrincipal = ConfigurationUtil.generatePrimaryRealmPrincipal(defaultPrincipal.getPrincipal(), defaultPrincipal.getRealmName());
if (primaryRealmPrincipal == null) {
throw new GeronimoSecurityException("Unable to create primary realm principal");
}
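Review bot: The realm name taken from the deployment descriptor is spliced unquoted into the JMX name at `new ObjectName("geronimo.security:type=SecurityRealm,realm=" + config.getSecurityRealm())`, so a value containing `*` or `?` turns the lookup into a pattern query and `listGBeans` can hand back a different realm's GBean whenever exactly one happens to match, while `,`, `=` or `:` only fail with MalformedObjectNameException. Wrapping the value as `ObjectName.quote(config.getSecurityRealm())` makes the name literal; the same construction is repeated in JettyXMLConfiguration.autoMapRoles and could share one helper. The two-sided size test reads more directly as `if (assistants.size() != 1) throw new GeronimoSecurityException(...)`, and the catch should keep its cause, `throw new GeronimoSecurityException("Bad object name geronimo.security:type=SecurityRealm,realm=" + config.getSecurityRealm(), e)`, since the two-argument constructor is used elsewhere in this commit. The cast of `assistants.iterator().next()` to `AutoMapAssistant` presumes `listGBeans` returns GBean instances rather than ObjectNames — worth confirming against the Kernel API, because a Set of names would fail here with ClassCastException, and `kernel` is null when the no-argument constructor was used. The new overload `generateDefaultPrincipal(Security, DefaultPrincipal)` has no Javadoc, while the `@return the default principal` block above now documents only the single-argument form.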
@@ -497,10 +534,12 @@
static {
GBeanInfoBuilder infoFactory = new GBeanInfoBuilder("Jetty JACC WebApplication Context", JettyWebAppJACCContext.class, JettyWebAppContext.GBEAN_INFO);
+ infoFactory.addAttribute("kernel", Kernel.class, false);
infoFactory.addAttribute("policyContextID", String.class, true);
infoFactory.addAttribute("securityConfig", Security.class, true);
infoFactory.setConstructor(new String[]{
+ "kernel",
"uri",
"componentContext",
"userTransaction",
Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java (original)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java Wed Nov 10 11:39:50 2004
@@ -16,13 +16,6 @@
*/
package org.apache.geronimo.jetty;
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Set;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyContextException;
@@ -30,20 +23,32 @@
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
import javax.servlet.UnavailableException;
+import javax.management.ObjectName;
+import javax.management.MalformedObjectNameException;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
+import org.mortbay.jetty.servlet.XMLConfiguration;
+import org.mortbay.xml.XmlParser;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+
import org.apache.geronimo.security.GeronimoSecurityException;
import org.apache.geronimo.security.RealmPrincipal;
+import org.apache.geronimo.security.deploy.AutoMapAssistant;
import org.apache.geronimo.security.deploy.Principal;
import org.apache.geronimo.security.deploy.Realm;
import org.apache.geronimo.security.deploy.Role;
import org.apache.geronimo.security.deploy.Security;
import org.apache.geronimo.security.jacc.RoleMappingConfiguration;
+import org.apache.geronimo.security.realm.SecurityRealm;
import org.apache.geronimo.security.util.ConfigurationUtil;
import org.apache.geronimo.security.util.URLPattern;
-import org.mortbay.jetty.servlet.XMLConfiguration;
-import org.mortbay.xml.XmlParser;
/**
@@ -53,6 +58,7 @@
* @version $Rev$ $Date$
*/
public class JettyXMLConfiguration extends XMLConfiguration {
+
private static Log log = LogFactory.getLog(JettyXMLConfiguration.class);
private final Set securityRoles = new HashSet();
@@ -118,10 +124,11 @@
* <code>PolicyConfiguration</code> object as defined in the JACC spec.
*
* @param node deployment descriptor from which to obtain the
- * security constraints that are to be translated.
- * @throws org.apache.geronimo.security.GeronimoSecurityException if there
- * is any violation of the semantics of the security descriptor or the state
- * of the module configuration.
+ * security constraints that are to be translated.
+ * @throws org.apache.geronimo.security.GeronimoSecurityException
+ * if there
+ * is any violation of the semantics of the security descriptor or the state
+ * of the module configuration.
* @see javax.security.jacc.PolicyConfiguration
* @see "Java Authorization Contract for Containers", section 3.1.3
*/
@@ -202,7 +209,7 @@
* PolicyConfiguration.
*
* @param configuration the JACC PolicyConfiguration
- * @param security the augmented security information from the geronimo-web.xml file
+ * @param security the augmented security information from the geronimo-web.xml file
*/
public void configure(PolicyConfiguration configuration, Security security) throws GeronimoSecurityException {
@@ -289,38 +296,7 @@
configuration.addToUncheckedPolicy(new WebUserDataPermission(name, actions));
}
- JettyWebAppJACCContext context = (JettyWebAppJACCContext) getWebApplicationContext();
- RoleMappingConfiguration roleMapper = (RoleMappingConfiguration) configuration;
- Iterator rollMappings = security.getRoleMappings().iterator();
- while (rollMappings.hasNext()) {
- Role role = (Role) rollMappings.next();
- String roleName = role.getRoleName();
- Set principalSet = new HashSet();
-
- if (!securityRoles.contains(roleName)) throw new GeronimoSecurityException("Role does not exist in this configuration");
-
- Subject roleDesignate = new Subject();
-
- Iterator realms = role.getRealms().iterator();
- while (realms.hasNext()) {
- Realm realm = (Realm) realms.next();
-
- Iterator principals = realm.getPrincipals().iterator();
- while (principals.hasNext()) {
- Principal principal = (Principal) principals.next();
-
- RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal, realm.getRealmName());
-
- if (realmPrincipal == null) throw new GeronimoSecurityException("Unable to create realm principal");
-
- principalSet.add(realmPrincipal);
- if (principal.isDesignatedRunAs()) roleDesignate.getPrincipals().add(realmPrincipal);
- }
- }
- roleMapper.addRoleMapping(roleName, principalSet);
-
- if (roleDesignate.getPrincipals().size() > 0) context.setRoleDesignate(roleName, roleDesignate);
- }
+ addRoleMappings((RoleMappingConfiguration) configuration, security);
Iterator keys = roleRefs.keySet().iterator();
while (keys.hasNext()) {
@@ -350,6 +326,91 @@
throw new GeronimoSecurityException("Policy configuration object does not implement RoleMappingConfiguration", cce.getCause());
} catch (PolicyContextException e) {
throw new GeronimoSecurityException(e);
+ }
+ }
+
+ protected void addRoleMappings(RoleMappingConfiguration roleMapper, Security security) throws PolicyContextException, GeronimoSecurityException {
+ autoMapRoles(roleMapper, security);
+ addExplicitMappings(roleMapper, security);
+ }
+
+ protected void autoMapRoles(RoleMappingConfiguration roleMapper, Security security) throws PolicyContextException, GeronimoSecurityException {
+
+ JettyWebAppJACCContext context = (JettyWebAppJACCContext) getWebApplicationContext();
+ AutoMapAssistant config = security.getAssistant();
+ try {
+ if (config != null) {
+ ObjectName assistantName = new ObjectName("geronimo.security:type=SecurityRealm,realm=" + config.getSecurityRealm());
+ Set assistants = context.getKernel().listGBeans(assistantName);
+ if (assistants.size() < 1 || assistants.size() > 1) throw new GeronimoSecurityException("Only one auto mapping assistant should match " + assistantName);
+
+ org.apache.geronimo.security.realm.AutoMapAssistant assistant = (org.apache.geronimo.security.realm.AutoMapAssistant) assistants.iterator().next();
+ String realmName = ((SecurityRealm) assistant).getRealmName();
+ Iterator principalClasses = null;
+ if (config.getClassOverrides().size() > 0) {
+ principalClasses = config.getClassOverrides().iterator();
+ } else {
+ principalClasses = assistant.obtainRolePrincipalClasses().iterator();
+ }
+
+ Iterator roles = securityRoles.iterator();
+ while (roles.hasNext()) {
+ String roleName = (String) roles.next();
+ Set principalSet = new HashSet();
+ Subject roleDesignate = new Subject();
+
+ while (principalClasses.hasNext()) {
+ Principal principal = new Principal();
+ principal.setClassName((String) principalClasses.next());
+ principal.setPrincipalName(roleName);
+
+ RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal, realmName);
+ if (realmPrincipal == null) throw new GeronimoSecurityException("Unable to create realm principal");
+
+ principalSet.add(realmPrincipal);
+ roleDesignate.getPrincipals().add(realmPrincipal);
+ }
+ roleMapper.addRoleMapping(roleName, principalSet);
+ if (roleDesignate.getPrincipals().size() > 0) context.setRoleDesignate(roleName, roleDesignate);
+ }
+ }
+ } catch (MalformedObjectNameException e) {
+ throw new GeronimoSecurityException("Bad object name geronimo.security:type=SecurityRealm,realm=" + config.getSecurityRealm());
+ }
+ }
+
+ protected void addExplicitMappings(RoleMappingConfiguration roleMapper, Security security) throws PolicyContextException, GeronimoSecurityException {
+
+ JettyWebAppJACCContext context = (JettyWebAppJACCContext) getWebApplicationContext();
+
+ Iterator rollMappings = security.getRoleMappings().iterator();
+ while (rollMappings.hasNext()) {
+ Role role = (Role) rollMappings.next();
+ String roleName = role.getRoleName();
+ Set principalSet = new HashSet();
+
+ if (!securityRoles.contains(roleName)) throw new GeronimoSecurityException("Role does not exist in this configuration");
+
+ Subject roleDesignate = new Subject();
+
+ Iterator realms = role.getRealms().iterator();
+ while (realms.hasNext()) {
+ Realm realm = (Realm) realms.next();
+
+ Iterator principals = realm.getPrincipals().iterator();
+ while (principals.hasNext()) {
+ Principal principal = (Principal) principals.next();
+
+ RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal, realm.getRealmName());
+ if (realmPrincipal == null) throw new GeronimoSecurityException("Unable to create realm principal");
+
+ principalSet.add(realmPrincipal);
+ if (principal.isDesignatedRunAs()) roleDesignate.getPrincipals().add(realmPrincipal);
+ }
+ }
+ roleMapper.addRoleMapping(roleName, principalSet);
+
+ if (roleDesignate.getPrincipals().size() > 0) context.setRoleDesignate(roleName, roleDesignate);
}
}
}
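Review bot: In autoMapRoles the `principalClasses` iterator is created once, before the `while (roles.hasNext())` loop, but is drained by the inner `while (principalClasses.hasNext())` loop, so only the first security role receives any principals; every later role is registered with an empty principal set and no run-as designate. Keep the `Set` of class names outside the loop and open a fresh iterator per role, as below. Unlike addExplicitMappings, which honours `principal.isDesignatedRunAs()`, every auto-mapped principal is added to `roleDesignate` unconditionally; if that is intended it deserves a comment on the method, since it makes every mapped group principal a run-as identity for its role. `new ObjectName("geronimo.security:type=SecurityRealm,realm=" + config.getSecurityRealm())` takes the realm name unquoted (see `ObjectName.quote`), and the catch drops `e` where `throw new GeronimoSecurityException("Bad object name geronimo.security:type=SecurityRealm,realm=" + config.getSecurityRealm(), e)` would keep it. addRoleMappings, autoMapRoles and addExplicitMappings carry no Javadoc; the body of configure, whose tail opens this hunk, starts before it.
```java
                String realmName = ((SecurityRealm) assistant).getRealmName();
                // Keep the Set, not an Iterator: an Iterator is exhausted after the first role.
                Set principalClassNames;
                if (config.getClassOverrides().size() > 0) {
                    principalClassNames = config.getClassOverrides();
                } else {
                    principalClassNames = assistant.obtainRolePrincipalClasses();
                }

                Iterator roles = securityRoles.iterator();
                while (roles.hasNext()) {
                    // … unchanged: roleName, principalSet, roleDesignate …
                    Iterator principalClasses = principalClassNames.iterator();
                    while (principalClasses.hasNext()) {
                        // … unchanged: build Principal, generate RealmPrincipal, add to both sets …
                    }
                    // … unchanged: addRoleMapping and setRoleDesignate …
                }
```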
Modified: geronimo/trunk/modules/jetty/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
==============================================================================
--- geronimo/trunk/modules/jetty/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml (original)
+++ geronimo/trunk/modules/jetty/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml Wed Nov 10 11:39:50 2004
@@ -16,12 +16,16 @@
limitations under the License.
-->
-<web-app xmlns="http://geronimo.apache.org/xml/ns/web/jetty" configId="org/apache/geronimo/test">
+<web-app
+ xmlns="http://geronimo.apache.org/xml/ns/web/jetty"
+ xmlns:sec="http://geronimo.apache.org/xml/ns/security"
+ configId="org/apache/geronimo/test">
+
<context-root>/test</context-root>
<context-priority-classloader>false</context-priority-classloader>
- <security>
- <default-principal realm-name="demo-properties-realm">
- <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal" name="izumi"/>
- </default-principal>
- </security>
+ <sec:security>
+ <sec:default-principal realm-name="demo-properties-realm">
+ <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal" name="izumi"/>
+ </sec:default-principal>
+ </sec:security>
</web-app>
Modified: geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java
==============================================================================
--- geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java (original)
+++ geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java Wed Nov 10 11:39:50 2004
@@ -105,6 +105,7 @@
GBeanMBean app = new GBeanMBean(JettyWebAppJACCContext.GBEAN_INFO);
+ app.setAttribute("kernel", kernel);
app.setAttribute("uri", URI.create("war3/"));
app.setAttribute("componentContext", null);
OnlineUserTransaction userTransaction = new OnlineUserTransaction();
Modified: geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
==============================================================================
--- geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java (original)
+++ geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java Wed Nov 10 11:39:50 2004
@@ -16,17 +16,21 @@
*/
package org.apache.geronimo.security.deployment;
-import org.apache.geronimo.security.deploy.Security;
+import org.apache.geronimo.security.deploy.AutoMapAssistant;
import org.apache.geronimo.security.deploy.DefaultPrincipal;
-import org.apache.geronimo.security.deploy.Role;
-import org.apache.geronimo.security.deploy.Realm;
import org.apache.geronimo.security.deploy.Principal;
-import org.apache.geronimo.xbeans.geronimo.security.GerSecurityType;
+import org.apache.geronimo.security.deploy.Realm;
+import org.apache.geronimo.security.deploy.Role;
+import org.apache.geronimo.security.deploy.Security;
+import org.apache.geronimo.xbeans.geronimo.security.GerAutoMapRolesType;
+import org.apache.geronimo.xbeans.geronimo.security.GerClassOverrideType;
import org.apache.geronimo.xbeans.geronimo.security.GerDefaultPrincipalType;
+import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType;
+import org.apache.geronimo.xbeans.geronimo.security.GerRealmType;
import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType;
import org.apache.geronimo.xbeans.geronimo.security.GerRoleType;
-import org.apache.geronimo.xbeans.geronimo.security.GerRealmType;
-import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType;
+import org.apache.geronimo.xbeans.geronimo.security.GerSecurityType;
+
/**
* @version $Rev: $ $Date: $
@@ -74,6 +78,20 @@
security.getRoleMappings().add(role);
}
+ }
+
+ GerAutoMapRolesType autoMapRolesType = securityType.getAutoMapRoles();
+ if (autoMapRolesType != null) {
+ AutoMapAssistant assistant = new AutoMapAssistant();
+
+ assistant.setSecurityRealm(autoMapRolesType.getSecurityRealm());
+
+ GerClassOverrideType[] classOverrideArray = autoMapRolesType.getClassOverrideArray();
+ for (int i = 0; i < classOverrideArray.length; i++) {
+ assistant.getClassOverrides().add(classOverrideArray[i].getClass1());
+ }
+
+ security.setAssistant(assistant);
}
}
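Review bot: The `security-realm` value and each `class-override` name are copied straight from the descriptor into the AutoMapAssistant without validation; the realm name is later concatenated into a JMX ObjectName when the web application starts (JettyWebAppJACCContext.generateDefaultPrincipal and JettyXMLConfiguration.autoMapRoles in this commit), so a name containing `:`, `,`, `=`, `*` or `?` is rejected, or silently turned into a pattern query, only at runtime. A deploy-time check that `autoMapRolesType.getSecurityRealm()` is non-blank and free of those characters, throwing the same exception type the rest of this method uses, would surface the mistake where the deployer sees it. The loop could likewise skip blank `getClass1()` values instead of adding them to the override set. The enclosing method starts before this hunk.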
Modified: geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd
==============================================================================
--- geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd (original)
+++ geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd Wed Nov 10 11:39:50 2004
@@ -40,7 +40,8 @@
</xsd:annotation>
<xsd:sequence>
<xsd:element name="description" type="j2ee:descriptionType" minOccurs="0" maxOccurs="unbounded"/>
- <xsd:element name="default-principal" type="geronimo:default-principalType"/>
+ <xsd:element name="auto-map-roles" type="geronimo:auto-map-rolesType" minOccurs="0"/>
+ <xsd:element name="default-principal" type="geronimo:default-principalType" minOccurs="0"/>
<xsd:element name="role-mappings" type="geronimo:role-mappingsType" minOccurs="0"/>
</xsd:sequence>
<xsd:attribute name="doas-current-caller" type="xsd:boolean" default="false">
@@ -111,6 +112,25 @@
</xsd:documentation>
</xsd:annotation>
</xsd:attribute>
+ </xsd:complexType>
+ <xsd:complexType name="auto-map-rolesType">
+ <xsd:sequence>
+ <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0" maxOccurs="unbounded"/>
+ <xsd:element name="class-override" type="geronimo:class-overrideType" minOccurs="0" maxOccurs="unbounded"/>
+ </xsd:sequence>
+ <xsd:attribute name="security-realm" type="xsd:string" use="required"/>
+ </xsd:complexType>
+ <xsd:complexType name="class-overrideType">
+ <xsd:annotation>
+ <xsd:documentation>
+ Class overrides allow a deployer to specify a different set of
+ principal classes to be used in the auto mapping of roles.
+ </xsd:documentation>
+ </xsd:annotation>
+ <xsd:sequence>
+ <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0" maxOccurs="unbounded"/>
+ </xsd:sequence>
+ <xsd:attribute name="class" type="xsd:string" use="required"/>
</xsd:complexType>
</xsd:schema>
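Review bot: `default-principal` becomes optional here while `auto-map-roles` is also optional, so the schema now accepts a `security` element with neither, which the Jetty container rejects only at web-application start with "Unable to generate default principal". If at least one of the two is required, say so in an `xsd:annotation` on `auto-map-rolesType`, which currently has none unlike `class-overrideType`, for example `Maps every declared security role to the principals of the same name in the named security realm; when default-principal is omitted, the realm also supplies the default principal.` The `security-realm` attribute would also benefit from a sentence saying it names a deployed SecurityRealm, since that is how the runtime resolves it.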
Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/AutoMapAssistant.java
==============================================================================
--- (empty file)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/AutoMapAssistant.java Wed Nov 10 11:39:50 2004
@@ -0,0 +1,44 @@
+/**
+ *
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.security.deploy;
+
+import javax.management.ObjectName;
+import java.io.Serializable;
+import java.util.HashSet;
+import java.util.Set;
+
+
+/**
+ * @version $Rev: $ $Date: $
+ */
+public class AutoMapAssistant implements Serializable {
+
+ private String securityRealm;
+ private Set classOverrides = new HashSet();
+
+ public String getSecurityRealm() {
+ return securityRealm;
+ }
+
+ public void setSecurityRealm(String securityRealm) {
+ this.securityRealm = securityRealm;
+ }
+
+ public Set getClassOverrides() {
+ return classOverrides;
+ }
+}
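Review bot: `import javax.management.ObjectName;` is unused in this class and should be dropped. The class is `Serializable` and travels inside the persistent `securityConfig` GBean attribute of JettyWebAppJACCContext, yet declares no `serialVersionUID`, so any later field change silently breaks deserialization of stored configurations; add `private static final long serialVersionUID = 1L;`. `getClassOverrides()` hands out the internal mutable `HashSet`, which is how SecurityBuilder populates it in this commit, so either document that contract on the getter or add an `addClassOverride(String)` method and return an unmodifiable view. The class Javadoc is only `@version`; a summary such as `Deployment-plan form of the auto-map-roles element: the security realm whose principals are mapped onto roles of the same name, plus optional principal class overrides.` would help.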
Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java (original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java Wed Nov 10 11:39:50 2004
@@ -31,6 +31,7 @@
private String defaultRole;
private DefaultPrincipal defaultPrincipal;
private Set roleMappings = new HashSet();
+ private AutoMapAssistant assistant;
public boolean isDoAsCurrentCaller() {
return doAsCurrentCaller;
@@ -66,5 +67,13 @@
public Set getRoleMappings() {
return roleMappings;
+ }
+
+ public AutoMapAssistant getAssistant() {
+ return assistant;
+ }
+
+ public void setAssistant(AutoMapAssistant assistant) {
+ this.assistant = assistant;
}
}
Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/AutoMapAssistant.java
==============================================================================
--- (empty file)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/AutoMapAssistant.java Wed Nov 10 11:39:50 2004
@@ -0,0 +1,50 @@
+/**
+ *
+ * Copyright 2004 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.security.realm;
+
+import java.util.Set;
+
+import org.apache.geronimo.security.deploy.Principal;
+
+
+/**
+ * Provides a way for security realms to provide reasonable defaults for
+ * principal to role mapping.
+ * <p/>
+ * This interface is used by the deployment code to automatically map
+ * principals to roles.
+ *
+ * @version $Rev: $ $Date: $
+ */
+public interface AutoMapAssistant {
+
+ /**
+ * Provides the default principal to be used when an unauthenticated
+ * subject uses a container.
+ *
+ * @return the default principal
+ */
+ public Principal obtainDefaultPrincipal();
+
+ /**
+ * Provides a set of principal class names to be used when automatically
+ * mapping principals to roles.
+ *
+ * @return a set of principal class names
+ */
+ public Set obtainRolePrincipalClasses();
+}
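Review bot: The Javadoc omits the lookup contract the callers rely on: an implementation is found as the GBean named `geronimo.security:type=SecurityRealm,realm=<realm name>` and is cast to `SecurityRealm` to read its realm name (JettyWebAppJACCContext and JettyXMLConfiguration in this commit), so an implementor that is not also a `SecurityRealm` fails with ClassCastException at runtime. Add to the type comment `Implementations are looked up by realm name as SecurityRealm GBeans and must also implement SecurityRealm.`, or, if SecurityRealm is an interface, declare `public interface AutoMapAssistant extends SecurityRealm` so the compiler enforces it. `obtainRolePrincipalClasses` should state that the elements are fully qualified class names as `String` and that an empty set maps no principals to any role; the `public` modifiers on interface methods are redundant. The phrase "used by the deployment code" does not match this commit, where the callers are the Jetty container classes, so "used by the web container when it configures role mappings" would be more accurate.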
Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/AbstractSecurityRealm.java
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/AbstractSecurityRealm.java (original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/AbstractSecurityRealm.java Wed Nov 10 11:39:50 2004
@@ -72,15 +72,9 @@
static {
GBeanInfoBuilder infoFactory = new GBeanInfoBuilder(AbstractSecurityRealm.class);
+ infoFactory.addInterface(SecurityRealm.class);
infoFactory.addAttribute("realmName", String.class, true);
- infoFactory.addAttribute("maxLoginModuleAge", long.class, true);
-
- infoFactory.addOperation("getGroupPrincipals");
- infoFactory.addOperation("getGroupPrincipals", new Class[]{RE.class});
- infoFactory.addOperation("getUserPrincipals");
- infoFactory.addOperation("getUserPrincipals", new Class[]{RE.class});
- infoFactory.addOperation("refresh");
- infoFactory.addOperation("getAppConfigurationEntries");
+ infoFactory.addAttribute("maxLoginModuleAge", Long.TYPE, true);
infoFactory.setConstructor(new String[]{"realmName"});
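Review bot: Replacing `long.class` with `Long.TYPE` on the `maxLoginModuleAge` attribute is a no-op, since both expressions evaluate to the same `Class` object, so the only substantive change in this hunk is `addInterface(SecurityRealm.class)` together with the dropped `addOperation` calls. Those operations are now exposed only if `SecurityRealm` declares them; I cannot see that interface here, so please confirm that the `RE`-parameterised overloads of `getGroupPrincipals`/`getUserPrincipals` and `refresh` are on it, otherwise they silently disappear from the GBean's management surface. A one-line comment such as `// operations are exposed via SecurityRealm; do not re-add them here` would make the intent clear. The static initializer starting at `static {` continues beyond this hunk.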
Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileSecurityRealm.java
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileSecurityRealm.java (original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileSecurityRealm.java Wed Nov 10 11:39:50 2004
@@ -32,6 +32,8 @@
import org.apache.geronimo.gbean.GBeanInfo;
import org.apache.geronimo.gbean.GBeanInfoBuilder;
import org.apache.geronimo.security.GeronimoSecurityException;
+import org.apache.geronimo.security.deploy.Principal;
+import org.apache.geronimo.security.realm.AutoMapAssistant;
import org.apache.geronimo.system.serverinfo.ServerInfo;
import org.apache.regexp.RE;
@@ -39,7 +41,8 @@
/**
* @version $Rev$ $Date$
*/
-public class PropertiesFileSecurityRealm extends AbstractSecurityRealm {
+public class PropertiesFileSecurityRealm extends AbstractSecurityRealm implements AutoMapAssistant {
+
private static Log log = LogFactory.getLog(PropertiesFileSecurityRealm.class);
private final ServerInfo serverInfo;
@@ -47,8 +50,9 @@
private boolean running = false;
private URI usersURI;
private URI groupsURI;
- final Properties users = new Properties();
- final Properties groups = new Properties();
+ private final Properties users = new Properties();
+ private final Properties groups = new Properties();
+ private String defaultPrincipal;
final static String REALM_INSTANCE = "org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm";
@@ -99,6 +103,17 @@
this.groupsURI = groupsURI;
}
+ public String getDefaultPrincipal() {
+ return defaultPrincipal;
+ }
+
+ public void setDefaultPrincipal(String defaultPrincipal) {
+ if (running) {
+ throw new IllegalStateException("Cannot change the default principal after the realm is started");
+ }
+ this.defaultPrincipal = defaultPrincipal;
+ }
+
public Set getGroupPrincipals() throws GeronimoSecurityException {
if (!running) {
throw new IllegalStateException("Cannot obtain Groups until the realm is started");
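Review bot: `setDefaultPrincipal` rejects changes once the realm is running but accepts any value, including `null` and an empty or whitespace-only string, and the name becomes the identity under which unauthenticated callers are mapped to roles. Unless the kernel legitimately calls the setter with `null` for an unset attribute (I cannot tell from here), a blank name should be rejected up front: `if (defaultPrincipal == null || defaultPrincipal.trim().length() == 0) throw new IllegalArgumentException("defaultPrincipal must not be blank");`. The identical setter in SQLSecurityRealm (hunk `@@ -147,6 +152,16 @@`) needs the same check.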
@@ -194,17 +209,46 @@
return true;
}
+ /**
+ * Provides the default principal to be used when an unauthenticated
+ * subject uses a container.
+ *
+ * @return the default principal
+ */
+ public Principal obtainDefaultPrincipal() {
+ Principal principal = new Principal();
+
+ principal.setClassName(PropertiesFileUserPrincipal.class.getName());
+ principal.setPrincipalName(defaultPrincipal);
+
+ return principal;
+ }
+
+ /**
+ * Provides a set of principal class names to be used when automatically
+ * mapping principals to roles.
+ *
+ * @return a set of principal class names
+ */
+ public Set obtainRolePrincipalClasses() {
+ Set principals = new HashSet();
+
+ principals.add(PropertiesFileGroupPrincipal.class.getName());
+
+ return principals;
+ }
+
public static final GBeanInfo GBEAN_INFO;
static {
GBeanInfoBuilder infoFactory = new GBeanInfoBuilder(PropertiesFileSecurityRealm.class, AbstractSecurityRealm.GBEAN_INFO);
+ infoFactory.addInterface(AutoMapAssistant.class);
infoFactory.addAttribute("usersURI", URI.class, true);
infoFactory.addAttribute("groupsURI", URI.class, true);
+ infoFactory.addAttribute("defaultPrincipal", String.class, true);
infoFactory.addReference("ServerInfo", ServerInfo.class);
-
- infoFactory.addOperation("isLoginModuleLocal");
infoFactory.setConstructor(new String[]{"realmName", "usersURI", "groupsURI", "ServerInfo"});
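Review bot: `obtainDefaultPrincipal` builds a `Principal` whose name is `null` whenever the `defaultPrincipal` attribute was never set, which is possible because the attribute is registered as optional and is not in the constructor list on the last line; the deployment code would then auto-map an unnamed principal for unauthenticated subjects rather than report a misconfiguration. Failing loudly is safer: `if (defaultPrincipal == null) throw new IllegalStateException("No default principal configured for realm");` before the `new Principal()`. The same method body is duplicated in SQLSecurityRealm (its hunk runs past the end of this excerpt), where it also returns `PropertiesFileUserPrincipal` and `PropertiesFileGroupPrincipal` class names even though that realm's login module is `SQLLoginModule`; this looks like a copy-paste and presumably should name the principal classes that module actually produces. Consider returning `Collections.unmodifiableSet(principals)` from `obtainRolePrincipalClasses` so callers cannot alter the mapping set.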
Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLSecurityRealm.java
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLSecurityRealm.java (original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLSecurityRealm.java Wed Nov 10 11:39:50 2004
@@ -17,6 +17,7 @@
package org.apache.geronimo.security.realm.providers;
+import javax.security.auth.login.AppConfigurationEntry;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
@@ -28,21 +29,24 @@
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
-import javax.security.auth.login.AppConfigurationEntry;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
+import org.apache.regexp.RE;
+
import org.apache.geronimo.gbean.GBeanInfo;
import org.apache.geronimo.gbean.GBeanInfoBuilder;
import org.apache.geronimo.security.GeronimoSecurityException;
-import org.apache.regexp.RE;
+import org.apache.geronimo.security.deploy.Principal;
+import org.apache.geronimo.security.realm.AutoMapAssistant;
/**
* @version $Rev$ $Date$
*/
-public class SQLSecurityRealm extends AbstractSecurityRealm {
+public class SQLSecurityRealm extends AbstractSecurityRealm implements AutoMapAssistant {
+
private static Log log = LogFactory.getLog(SQLSecurityRealm.class);
public final static String USER_SELECT = "org.apache.geronimo.security.realm.providers.SQLSecurityRealm.USER_SELECT";
public final static String GROUP_SELECT = "org.apache.geronimo.security.realm.providers.SQLSecurityRealm.GROUP_SELECT";
@@ -56,8 +60,9 @@
private String password = "";
private String userSelect = "SELECT UserName, Password FROM Users";
private String groupSelect = "SELECT GroupName, UserName FROM Groups";
- final Map users = new HashMap();
- final Map groups = new HashMap();
+ private final Map users = new HashMap();
+ private final Map groups = new HashMap();
+ private String defaultPrincipal;
/**
* @deprecated
@@ -147,6 +152,16 @@
this.groupSelect = groupSelect;
}
+ public String getDefaultPrincipal() {
+ return defaultPrincipal;
+ }
+
+ public void setDefaultPrincipal(String defaultPrincipal) {
+ if (running) {
+ throw new IllegalStateException("Cannot change the default principal after the realm is started");
+ }
+ this.defaultPrincipal = defaultPrincipal;
+ }
public Set getGroupPrincipals() throws GeronimoSecurityException {
if (!running) {
@@ -277,8 +292,8 @@
options.put(PASSWORD, password);
AppConfigurationEntry entry = new AppConfigurationEntry("org.apache.geronimo.security.realm.providers.SQLLoginModule",
- AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT,
- options);
+ AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT,
+ options);
return new AppConfigurationEntry[]{entry};
}
@@ -287,18 +302,47 @@
return true;
}
+ /**
+ * Provides the default principal to be used when an unauthenticated
+ * subject uses a container.
+ *
+ * @return the default principal
+ */
+ public Principal obtainDefaultPrincipal() {
+ Principal principal = new Principal();
+
+ principal.setClassName(PropertiesFileUserPrincipal.class.getName());
+ principal.setPrincipalName(defaultPrincipal);
+
+ return principal;
+ }
+
+ /**
+ * Provides a set of principal class names to be used when automatically
+ * mapping principals to roles.
+ *
+ * @return a set of principal class names
+ */
+ public Set obtainRolePrincipalClasses() {
+ Set principals = new HashSet();
+
+ principals.add(PropertiesFileGroupPrincipal.class.getName());
+
+ return principals;
+ }
+
public static final GBeanInfo GBEAN_INFO;
static {
GBeanInfoBuilder infoFactory = new GBeanInfoBuilder(SQLSecurityRealm.class, AbstractSecurityRealm.GBEAN_INFO);
+ infoFactory.addInterface(AutoMapAssistant.class);
infoFactory.addAttribute("connectionURL", String.class, true);
infoFactory.addAttribute("user", String.class, true);
infoFactory.addAttribute("password", String.class, true);
infoFactory.addAttribute("userSelect", String.class, true);
infoFactory.addAttribute("groupSelect", String.class, true);
-
- infoFactory.addOperation("isLoginModuleLocal");
+ infoFactory.addAttribute("defaultPrincipal", String.class, true);
infoFactory.setConstructor(new String[]{
"realmName",