Posted to scm@geronimo.apache.org by va...@apache.org on 2007/01/08 14:25:19 UTC
svn commit: r494061 - in
/geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat:
GeronimoStandardContext.java interceptor/PolicyContextBeforeAfter.java
realm/TomcatGeronimoRealm.java
Author: vamsic007
Date: Mon Jan 8 05:25:18 2007
New Revision: 494061
URL: http://svn.apache.org/viewvc?view=rev&rev=494061
Log:
GERONIMO-2695 Requests using Non-secure HTTP connections cannot access unsecured web resources
o Backport of the fix committed by Jeff in rev 493193
o Use default principal when no authentication has occurred
Modified:
geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java
geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
Modified: geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java?view=diff&rev=494061&r1=494060&r2=494061
==============================================================================
--- geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java (original)
+++ geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java Mon Jan 8 05:25:18 2007
@@ -42,6 +42,7 @@
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.geronimo.common.DeploymentException;
+import org.apache.geronimo.common.GeronimoSecurityException;
import org.apache.geronimo.naming.enc.EnterpriseNamingContext;
import org.apache.geronimo.naming.reference.ClassLoaderAwareReference;
import org.apache.geronimo.naming.reference.KernelAwareReference;
@@ -64,6 +65,9 @@
import org.apache.geronimo.webservices.WebServiceContainerInvoker;
+/**
+ * @version $Rev$ $Date$
+ */
public class GeronimoStandardContext extends StandardContext {
private static final Log log = LogFactory.getLog(GeronimoStandardContext.class);
@@ -134,14 +138,15 @@
* Register our default subject with the ContextManager
*/
DefaultPrincipal defaultPrincipal = securityHolder.getDefaultPrincipal();
- if (defaultPrincipal != null) {
- defaultSubject = ConfigurationUtil.generateDefaultSubject(defaultPrincipal, ctx.getClassLoader());
- ContextManager.registerSubject(defaultSubject);
- SubjectId id = ContextManager.getSubjectId(defaultSubject);
- defaultSubject.getPrincipals().add(new IdentificationPrincipal(id));
+ if (defaultPrincipal == null) {
+ throw new GeronimoSecurityException("Unable to generate default principal");
}
+ defaultSubject = ConfigurationUtil.generateDefaultSubject(defaultPrincipal, ctx.getClassLoader());
+ ContextManager.registerSubject(defaultSubject);
+ SubjectId id = ContextManager.getSubjectId(defaultSubject);
+ defaultSubject.getPrincipals().add(new IdentificationPrincipal(id));
- interceptor = new PolicyContextBeforeAfter(interceptor, index++, index++, securityHolder.getPolicyContextID());
+ interceptor = new PolicyContextBeforeAfter(interceptor, index++, index++, index++, securityHolder.getPolicyContextID(), defaultSubject);
}
}
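Review bot: The message on the new throw, `throw new GeronimoSecurityException("Unable to generate default principal");`, describes the wrong failure: nothing is generated at that point, `securityHolder.getDefaultPrincipal()` simply returned null, so a deployer reading the error is pointed away from the actual cause (a missing default principal in the web app's security configuration). Something like `throw new GeronimoSecurityException("No default principal configured for web app " + getPath() + "; one is required when security is enabled");` names the real problem (getPath() is the StandardContext accessor; use whichever name accessor this class already relies on). Note also that after `defaultSubject.getPrincipals().add(new IdentificationPrincipal(id));` the same mutable Subject instance is handed to the interceptor and, through it, to per-request code; if ContextManager does not need to mutate it afterwards, calling `defaultSubject.setReadOnly();` once it is fully populated would keep application code from altering the identity under which unauthenticated requests run. The enclosing method starts outside the hunk.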
Modified: geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java?view=diff&rev=494061&r1=494060&r2=494061
==============================================================================
--- geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java (original)
+++ geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java Mon Jan 8 05:25:18 2007
@@ -17,24 +17,34 @@
package org.apache.geronimo.tomcat.interceptor;
import javax.security.jacc.PolicyContext;
+import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;
+/**
+ * @version $Rev$ $Date$
+ */
public class PolicyContextBeforeAfter implements BeforeAfter{
+ public static final String DEFAULT_SUBJECT = "~DEFAULT_SUBJECT";
+
private final BeforeAfter next;
private final String policyContextID;
private final int policyContextIDIndex;
private final int callersIndex;
+ private final int defaultSubjectIndex;
+ private final Subject defaultSubject;
- public PolicyContextBeforeAfter(BeforeAfter next, int policyContextIDIndex, int callersIndex, String policyContextID) {
+ public PolicyContextBeforeAfter(BeforeAfter next, int policyContextIDIndex, int callersIndex, int defaultSubjectIndex, String policyContextID, Subject defaultSubject) {
this.next = next;
this.policyContextIDIndex = policyContextIDIndex;
this.callersIndex = callersIndex;
+ this.defaultSubjectIndex = defaultSubjectIndex;
this.policyContextID = policyContextID;
+ this.defaultSubject = defaultSubject;
}
public void before(Object[] context, ServletRequest httpRequest, ServletResponse httpResponse) {
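Review bot: The new constructor stores `defaultSubject` without checking it, although the only consumer visible in this commit (TomcatGeronimoRealm) passes the value straight to `ContextManager.setCallers`; rejecting null here, with `if (defaultSubject == null) { throw new IllegalArgumentException("defaultSubject is required"); }`, fails at context start rather than on the first unauthenticated request. The public constant `DEFAULT_SUBJECT` also deserves a comment saying what it is for, e.g. `/** Request attribute under which the web app's default Subject is published for TomcatGeronimoRealm; set in before(), restored in after(). */`. The value `"~DEFAULT_SUBJECT"` is a fixed, guessable attribute name, so any servlet or filter in the application can read the Subject through it; that is presumably intended, but worth stating in the comment.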
@@ -47,6 +57,10 @@
//Set the new
PolicyContext.setContextID(policyContextID);
PolicyContext.setHandlerData(httpRequest);
+ if (httpRequest != null){
+ httpRequest.setAttribute(DEFAULT_SUBJECT, defaultSubject);
+ context[defaultSubjectIndex] = httpRequest.getAttribute(DEFAULT_SUBJECT);
+ }
if (next != null) {
next.before(context, httpRequest, httpResponse);
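Review bot: The save on the line `context[defaultSubjectIndex] = httpRequest.getAttribute(DEFAULT_SUBJECT);` runs after `httpRequest.setAttribute(DEFAULT_SUBJECT, defaultSubject);`, so the value stored for restoration in after() is always the subject just set, never the attribute's prior value; swap the two lines so the previous value (normally null) is captured first and the attribute is actually cleared again on the way out. Publishing the server's default Subject as a request attribute also makes it readable by any servlet, filter or JSP in the web application, and because `Subject.getPrincipals()` is a mutable set, application code could alter the identity used for unauthenticated requests; if the attribute is the only channel to TomcatGeronimoRealm, consider publishing a read-only Subject, or at least say so in a comment. A comment such as `// Publish the default subject for TomcatGeronimoRealm (unauthenticated requests); the prior value is restored in after()` would make the intent clear. The enclosing before() method ends outside the hunk.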
@@ -61,6 +75,8 @@
//Replace the old
PolicyContext.setContextID((String)context[policyContextIDIndex]);
ContextManager.popCallers((Callers) context[callersIndex]);
+ if (httpRequest != null)
+ httpRequest.setAttribute(DEFAULT_SUBJECT, context[defaultSubjectIndex]);
}
}
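Review bot: The new `if (httpRequest != null)` at the end of after() drops the braces that the matching check in before() uses, and the file otherwise braces single-statement bodies; `if (httpRequest != null) { httpRequest.setAttribute(DEFAULT_SUBJECT, context[defaultSubjectIndex]); }` keeps the two methods symmetric. Restoring via setAttribute relies on the Servlet rule that a null value behaves like removeAttribute, which only clears the attribute if before() captured the prior (null) value before overwriting it; as the hunk above is written, the saved value is the default subject itself, so the attribute survives past the interceptor chain. The enclosing after() method starts outside the hunk.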
Modified: geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java?view=diff&rev=494061&r1=494060&r2=494061
==============================================================================
--- geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java (original)
+++ geronimo/server/branches/1.1/modules/tomcat/src/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java Mon Jan 8 05:25:18 2007
@@ -31,6 +31,7 @@
import org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler;
import org.apache.geronimo.security.realm.providers.PasswordCallbackHandler;
import org.apache.geronimo.tomcat.JAASTomcatPrincipal;
+import org.apache.geronimo.tomcat.interceptor.PolicyContextBeforeAfter;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
@@ -53,6 +54,9 @@
import java.security.cert.X509Certificate;
+/**
+ * @version $Rev$ $Date$
+ */
public class TomcatGeronimoRealm extends JAASRealm {
private static final Log log = LogFactory.getLog(TomcatGeronimoRealm.class);
@@ -182,7 +186,8 @@
//If we have no principal, then we should use the default.
if (principal == null) {
- return request.isSecure();
+ Subject defaultSubject = (Subject)request.getAttribute(PolicyContextBeforeAfter.DEFAULT_SUBJECT);
+ ContextManager.setCallers(defaultSubject, defaultSubject);
} else {
Subject currentCaller = ((JAASTomcatPrincipal) principal).getSubject();