Posted to commits@directory.apache.org by sm...@apache.org on 2014/11/11 21:16:27 UTC

[3/5] directory-fortress-realm git commit: change package structure, names, license, and pom improvements

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/Tc7AccessMgrProxy.java
----------------------------------------------------------------------
diff --git a/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/Tc7AccessMgrProxy.java b/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/Tc7AccessMgrProxy.java
new file mode 100644
index 0000000..6b5e587
--- /dev/null
+++ b/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/Tc7AccessMgrProxy.java
@@ -0,0 +1,328 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.realm.tomcat;
+
+import org.apache.directory.fortress.realm.util.CpUtil;
+import org.apache.catalina.LifecycleException;
+import org.apache.catalina.Wrapper;
+import org.apache.catalina.realm.RealmBase;
+
+import java.net.URL;
+import java.security.Principal;
+import java.net.URLClassLoader;
+import java.util.logging.Logger;
+
+import org.apache.directory.fortress.realm.util.ChildFirstUrlClassLoader;
+
+/**
+ * This class extends the Tomcat 7 and beyond RealmBase class and provides Java EE security services within the Tomcat container.
+ * This class is a "proxy" for the {@link org.apache.directory.fortress.realm.tomcat.TcAccessMgrImpl} class which isolates dependencies from the Tomcat
+ * runtime environment by loading the implementation on a URLClassLoader.
+ *
+ * @author Shawn McKinney
+ */
+public class Tc7AccessMgrProxy extends RealmBase
+{
+    private static final String CLS_NM = Tc7AccessMgrProxy.class.getName();
+    private static final Logger log = Logger.getLogger(CLS_NM);
+    private static final String REALM_IMPL = "org.apache.directory.fortress.realm.tomcat.TcAccessMgrImpl";
+    private static final String REALM_CLASSPATH = "REALM_CLASSPATH";
+    private static final String JBOSS_AGENT = "jboss";
+    private static String container = "Catalina7";
+    private static String defaultRoles;
+    private String realmClasspath;
+    private TcAccessMgr realm;
+
+    /**
+     * This method will load the Fortress Tomcat implementation on a URL classloader.  Methods on the implementation are
+     * wrapped by methods on this class and are accessed via the {@code realm} instance variable of this class.
+     */
+    private void initialize()
+    {
+        try
+        {
+            URLClassLoader ucl;
+            if (container.equalsIgnoreCase(JBOSS_AGENT))
+            {
+                log.info(CLS_NM + ".initialize JBoss policy agent");
+                URL[] cp = CpUtil.getRealmClasspath(REALM_CLASSPATH);
+                if( cp != null )
+                {
+                   ucl = new ChildFirstUrlClassLoader(cp, this.getClass().getClassLoader());
+                }
+                else
+                {
+                    String error = CLS_NM + ".initialize invalid realm classpath setup";
+                    log.severe(error);
+                    throw new java.lang.RuntimeException(error);
+                }
+            }
+            else if (container.equalsIgnoreCase("TomcatContext"))
+            {
+                log.info(CLS_NM + ".initialize Tomcat7 Context-based policy agent");
+                ucl = new URLClassLoader(new URL[]{}, Thread.currentThread().getContextClassLoader());
+            }
+            else
+            {
+                log.info(CLS_NM + ".initialize Tomcat7 policy agent");
+                if ( realmClasspath != null && realmClasspath.length() > 0 )
+                {
+                    ucl = new URLClassLoader(CpUtil.parseRealmClasspath(realmClasspath), this.getClass().getClassLoader());
+                }
+                else
+                {
+                    URL[] cp = CpUtil.getRealmClasspath(REALM_CLASSPATH);
+                    if(cp != null)
+                    {
+                        ucl = new URLClassLoader(cp, this.getClass().getClassLoader());
+                    }
+                    else
+                    {
+                        String error = CLS_NM + ".initialize could not resolve realm classpath";
+                        log.severe(error);
+                        throw new java.lang.RuntimeException(error);
+                    }
+                }
+            }
+
+            log.info(CLS_NM + ".initialize - instantiate policy agent name: " + REALM_IMPL);
+            Class sc = ucl.loadClass(REALM_IMPL);
+            realm = (TcAccessMgr) sc.newInstance();
+            realm.setDefaultRoles( defaultRoles );
+            log.info(CLS_NM + " J2EE Tomcat7 policy agent initialization successful");
+        }
+        catch (java.lang.ClassNotFoundException e)
+        {
+            String error = CLS_NM + ".initialize caught java.lang.ClassNotFoundException=" + e.toString();
+            log.severe(error);
+            throw new java.lang.RuntimeException(error, e);
+        }
+        catch (java.lang.InstantiationException ie)
+        {
+            String error = CLS_NM + ".initialize caught java.lang.InstantiationException=" + ie.toString();
+            log.severe(error);
+            throw new java.lang.RuntimeException(error, ie);
+        }
+        catch (java.lang.IllegalAccessException iae)
+        {
+            String error = CLS_NM + ".initialize caught java.lang.IllegalAccessException=" + iae.toString();
+            log.severe(error);
+            throw new java.lang.RuntimeException(error, iae);
+        }
+    }
+
+
+    /**
+     * Gets the info attribute of the TcAccessMgrProxy object
+     *
+     * @return The info value
+     */
+    @Override
+    public String getInfo()
+    {
+        return info;
+    }
+
+
+    /**
+     * Perform user authentication and evaluate password policies.
+     *
+     * @param userId   Contains the userid of the user signing on.
+     * @param password Contains the user's password.
+     * @return Principal whic     * This method will load the Fortress Tomcat implementation on a URL classloader.  Methods on the implementation are
+     * wrapped by methods on this class and are accessed via the {@code realm} instance variable of this class.
+     */
+    @Override
+    public Principal authenticate(String userId, String password)
+    {
+        if(realm == null)
+        {
+            throw new RuntimeException(CLS_NM + "authenticate detected Fortress Tomcat7 Realm not initialized correctly.  Check your Fortress Realm configuration");
+        }
+        return realm.authenticate(userId, password.toCharArray());
+    }
+
+
+    /**
+     * Determine if given Role is contained within User's Tomcat Principal object.  This method does not need to hit
+     * the ldap server as the User's activated Roles are loaded into {@link org.apache.directory.fortress.realm.tomcat.TcPrincipal#setContext(java.util.HashMap)}
+     *
+     * @param principal Contains User's Tomcat RBAC Session data that includes activated Roles.
+     * @param role  Maps to {@code org.apache.directory.fortress.core.rbac.Role#name}.
+     * @return True if Role is found in TcPrincipal, false otherwise.
+     */
+    @Override
+    public boolean hasRole(Wrapper wrapper, Principal principal, String role)
+    {
+        if(realm == null)
+        {
+            throw new RuntimeException(CLS_NM + "authenticate detected Fortress Tomcat7 Realm not initialized correctly.  Check your Fortress Realm configuration");
+        }
+        return realm.hasRole(principal, role);
+    }
+
+    /**
+     * Gets the name attribute of the TcAccessMgrProxy object
+     *
+     * @return The name value
+     */
+    @Override
+    protected String getName()
+    {
+        return (CLS_NM);
+    }
+
+
+    /**
+     * Gets the password attribute of the TcAccessMgrProxy object
+     *
+     * @param username Description of the Parameter
+     * @return The password value
+     */
+    @Override
+    protected String getPassword(String username)
+    {
+        return (null);
+    }
+
+
+    /**
+     * Gets the principal attribute of the TcAccessMgrProxy object
+     *
+     * @param username Description of the Parameter
+     * @return The principal value
+     */
+    @Override
+    protected Principal getPrincipal(String username)
+    {
+        return (null);
+    }
+
+
+    /**
+     * Prepare for the beginning of active use of the public methods of this
+     * component and implement the requirements of
+     * {@link org.apache.catalina.util.LifecycleBase#startInternal()}.
+     *
+     * @throws LifecycleException if this component detects a fatal error
+     *                            that prevents this component from being used
+     */
+    @Override
+    protected void startInternal() throws LifecycleException
+    {
+        try
+        {
+            initialize();
+        }
+        catch (Throwable e)
+        {
+            String error = CLS_NM + ".startInternal caught Throwable=" + e;
+            log.severe(error);
+            e.printStackTrace();
+            throw new LifecycleException(error);
+        }
+        super.startInternal();
+    }
+
+    /**
+     * Gracefully terminate the active use of the public methods of this
+     * component and implement the requirements of
+     * {@link org.apache.catalina.util.LifecycleBase#stopInternal()}.
+     *
+     * @throws LifecycleException if this component detects a fatal error
+     *                            that needs to be reported
+     */
+    @Override
+    protected void stopInternal() throws LifecycleException
+    {
+
+        // Perform normal superclass finalization
+        super.stopInternal();
+
+        // Release reference to our sentry impl
+        realm = null;
+
+    }
+
+    /**
+     * Gets the containerType attribute of the TcAccessMgrProxy object
+     *
+     * @return The containerType value
+     */
+    public String getContainerType()
+    {
+        return container;
+    }
+
+    /**
+     * Sets the containerType attribute of the TcAccessMgrProxy object
+     *
+     * @param container The new containerType value
+     */
+    public void setContainerType(String container)
+    {
+        log.info(CLS_NM + ".setContainerType <" + container + ">");
+        this.container = container;
+    }
+
+    /**
+     * Gets the realmClasspath attribute of the TcAccessMgrProxy object
+     *
+     * @return The realmClasspath value
+     */
+    public String getRealmClasspath()
+    {
+        log.info(CLS_NM + ".getRealmClasspath <" + realmClasspath + ">");
+        return realmClasspath;
+    }
+
+    /**
+     * Sets the realmClasspath attribute of the TcAccessMgrProxy object
+     *
+     * @param rCpth The new realmClasspath value
+     */
+    public void setRealmClasspath(String rCpth)
+    {
+        log.info(CLS_NM + ".setRealmClasspath <" + rCpth + ">");
+        this.realmClasspath = rCpth;
+    }
+
+    /**
+     * Gets the defaultRoles attribute of the TcAccessMgrProxy object.  When set, it will be passed into all subsequent calls to Fortress createSession.
+     *
+     * @return String containing comma delimited list of role names.
+     */
+    public static String getDefaultRoles()
+    {
+        log.info(CLS_NM + ".getDefaultRoles <" + defaultRoles + ">");
+        return defaultRoles;
+    }
+
+    /**
+     * Sets the defaultRoles attribute of the TcAccessMgrProxy object.  When set, it will be passed into all subsequent calls to Fortress createSession.
+     *
+     * @param defaultRoles containing comma delimited list of role names.
+     */
+    public static void setDefaultRoles( String defaultRoles )
+    {
+        log.info(CLS_NM + ".setDefaultRoles <" + defaultRoles + ">");
+        Tc7AccessMgrProxy.defaultRoles = defaultRoles;
+    }
+}
\ No newline at end of file
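Review bot: `authenticate` calls `password.toCharArray()` without a null check, so a login attempt that reaches the realm with no password throws a NullPointerException instead of failing authentication; a guard such as `if (userId == null || password == null) { return null; }` ahead of the delegation would keep that an ordinary failed login. Separately, `container` and `defaultRoles` are static but are populated from per-realm configuration (`setContainerType` even assigns through `this.container`), so if more than one realm element is configured the last value set presumably applies to every instance, including the role scope handed to `realm.setDefaultRoles` in `initialize`; instance fields would keep each realm's settings separate. The Javadoc for `authenticate` is garbled at its `@return` line, where text from the `initialize` comment was pasted in, and the exception message in `hasRole` still names "authenticate".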

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgr.java
----------------------------------------------------------------------
diff --git a/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgr.java b/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgr.java
new file mode 100644
index 0000000..c6ccae3
--- /dev/null
+++ b/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/TcAccessMgr.java
@@ -0,0 +1,60 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.realm.tomcat;
+
+import java.security.Principal;
+
+/**
+ * This interface prescribes runtime methods that are needed to perform security in Tomcat.  The
+ * interface is implemented by Fortress Tomcat Proxy and sentry implementation and allows isolation of
+ * runtime dependencies from Tomcat's system classpath..
+ *
+ * @author Shawn McKinney
+ */
+public interface TcAccessMgr
+{
+    /**
+     * Determine if given Role is contained within User's Tomcat Principal object.  This method does not need to hit
+     * the ldap server as the User's activated Roles are loaded into {@link org.apache.directory.fortress.realm.tomcat.TcPrincipal#setContext(java.util.HashMap)}
+     *
+     * @param principal Contains User's Tomcat RBAC Session data that includes activated Roles.
+     * @param role  Maps to {@code org.apache.directory.fortress.core.rbac.Role#name}.
+     * @return True if Role is found in TcPrincipal, false otherwise.
+     */
+    public boolean hasRole(Principal principal, String role);
+
+
+    /**
+     * Perform user authentication and evaluate password policies.
+     *
+     * @param userId   Contains the userid of the user signing on.
+     * @param password Contains the user's password.
+     * @return Principal which contains the Fortress RBAC session data.
+     */
+    public Principal authenticate(String userId, char[] password);
+
+    /**
+     * When the 'defaultRoles' parameter is set on realm proxy config (e.g. in server.xml or context.xml) it will be used to pass into
+     * createSession calls into Fortress.  This will scope the roles to be considered for activation to this particular set.
+     *
+     * @param roles contains a String containing comma delimited roles names.
+     */
+    public void setDefaultRoles(String roles);
+}
\ No newline at end of file
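Review bot: The Javadoc on `authenticate` does not say what a caller gets back when the credentials are wrong or a password policy rejects the user, so the proxy and any other implementer cannot tell whether to expect `null` or an exception. I would extend the tag to something like `@return Principal which contains the Fortress RBAC session data, or null if authentication fails` (adjusted to what the implementation actually does) and add an `@throws` entry if it can raise. The `public` modifiers on the three methods are redundant inside an interface, and the interface comment ends with a doubled period ("classpath..").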

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/package.html
----------------------------------------------------------------------
diff --git a/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/package.html b/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/package.html
new file mode 100644
index 0000000..6472a6b
--- /dev/null
+++ b/proxy/src/main/java/org/apache/directory/fortress/realm/tomcat/package.html
@@ -0,0 +1,348 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+<body>
+   <p>
+      This package is the component that allows security checks to be performed within a
+       Tomcat runtime environment.  The Fortress Realm for Tomcat has been split into two packages each contained within
+       its own jar file.
+       The Realm Jars used in Tomcat include:
+       <ol>
+       <li>fortressProxyTomcat-[version].jar or </li>
+       <li>fortressSentry-[version].jar and configuration artifacts</li>
+       </ol>
+
+   The fortressProxyTomcat jar is a thin layer of code that calls the fortressSentry implementation code via standard
+   Java URLClassloader logic.  The Fortress implementation code and configuration artifacts must remain separate from
+   Tomcat's runtime system classpath.  The rationale for separation is it necessary to allow a
+   predictable and repeatable installation process as throwing non-native jars on any application server
+   system classpath contains risk due to variability of the runtime environment itself.
+   To put it simply, it is to keep Fortress code out of the application server's visibility which means
+   setting up Fortress in Tomcat will work every time if the instructions are followed faithfully.
+   </p>
+
+   <h3>Fortress Realm Setup Notes for Tomcat Container</h3>
+   This installation document contains instructions for installing the Fortress Java Sentry for Tomcat.  This component works
+    in Tomcat 4,5,6,7 and JBoss application server environments.
+<h4>Guidelines & Tips</h4>
+    <ul>
+    <li>In the document that follows, replace <em>[version]</em> with Fortress version label.  For example - if Fortress <em>1.0.0</em> release, change fortressProxyTomcat-<em>[version]</em>.jar to fortressProxyTomcat-<em>1.0.0</em>.jar</li>
+    <li>Restart Tomcat server after any changes to Tomcat config, Fortress config or lib files.</li>
+    <li>You (usually) do NOT need to restart Tomcat after changes to the LDAP data, i.e. users, passwords, roles.</li>
+    <li>Steps I - III below are mandatory.</li>
+    <li>Step IV is optional, for testing purposes.</li>
+    <li>Common misconfiguration issues related to Fortress, LDAP and Tomcat are located in section V.</li>
+    <li>Tomcat 7 and beyond uses a different proxy jar.  Take special note of this difference in Step III.A.</li>
+    </ul>
+</p>
+
+<ol type="I">
+    <li>
+       <h3>Instructions to extract Fortress Realm Package to Target System</h3>
+        <ol type="A">
+           <li>Copy fortressSentryDist-<em>[version]</em>.zip to hard drive on target server env.</li>
+           <li>Extract the zip.  The location for archive can vary according to runtime requirements but must be readable by Tomcat process but cannot reside directly on Tomcat's system classpath.  The location this package was extracted to will be referred to as <em>FORTRESS_HOME</em> from this point on.</li>
+        </ol>
+    </li>
+
+       <li>
+          <h3>Instructions to configure Fortress Realm to use Target System LDAP</h3>
+           Note: the <b>dist</b> Ant target on this project will use settings contained within the <em>build.properties</em> file contained within the root folder of this component and replace substitution params contained within <em>fortress.properties.src</em> and create new <em>fortress.properties</em> file automatically.<br><br>
+           <ol type="A">
+              <li>Edit the FORTRESS_HOME properties file located in $FORTRESS_HOME/conf/fortress.properties.  If you did not run Ant <b>dist</b> target you will need to create using fortress.properties.src
+<font size="3" color="#000000"><pre>vi /home/user/fortressSentry-1.0.0/conf/fortress.properties</pre></font>
+              </li>
+              
+              <li>
+               Set the LDAP Host name (or IP) and port properties:
+					<font size="3" color="#000000">
+<pre>
+host=myldaphostname
+port=389
+</pre>
+					</font>              
+					</li>
+              <li>
+              Set the LDAP admin creds:
+<font size="" color="#000000"><pre>
+admin=cn=Manager\,dc=jts\,dc=com
+adminPw=secret
+</pre>                  
+</font>              </li>
+              <li>
+                  Set the LDAP connection pool info:
+<font size="3" color="#000000"><pre>
+minUserConn=1
+maxUserConn=10
+minConn=1
+maxConn=10
+</pre>
+</font>           <em>note: the min/max will vary according to anticipated load on your Tomcat server.  For busy systems, the max number of
+                  ldap connections may be much higher.</em>
+              </li>
+              </ol>
+          </p>
+       </li>
+    <li>
+       <h3>Instructions to configure Tomcat to use Fortress Java Sentry</h3>
+        <ol type="A">
+            <li>Load the Proxy jar onto server classpath (TOMCAT_HOME/lib).<br><br>
+
+             <em>if Tomcat 7 and beyond:</em>
+                <font size="3" color="#000000"><pre>$TOMCAT_HOME/lib>cp $FORTRESS_HOME/lib/fortressProxyTomcat<b>7</b>-[version].jar .</pre></font>
+
+             <em>else if Tomcat 4, 5, or 6:</em>
+                <font size="3" color="#000000"><pre>$TOMCAT_HOME/lib>cp $FORTRESS_HOME/lib/fortressProxyTomcat-[version].jar  .</pre></font>
+
+            </li>
+             <em>note: This is the only Fortress binary or configuration artifact that will reside directly on Tomcat's server classpath.</em><br><br>
+            </p>
+
+           <li>Edit the Tomcat server.xml in the $TOMCAT_HOME/conf folder.</li>
+           <font size="3" color="#000000"><pre>vi $TOMCAT_HOME/conf/server.xml</pre></font>
+           <li>Comment out existing "Realm" config (if present)
+                 <font size="3" color="#000000"><pre>
+&lt;!--Realm className="org.apache.catalina.realm.UserDatabaseRealm"
+       resourceName="UserDatabase"/--&gt;
+                 </pre></font>
+           </li>
+           <li>Add the following to Tomcat's server.xml file:</li>
+            <font size="3" color="#000000"><pre>&lt;Realm className="org.apache.directory.fortress.core.realm.tomcat.TcAccessMgrProxy"
+                    debug="0"
+                    resourceName="UserDatabase"
+                    containerType="Tomcat7"
+                    realmClasspath="/home/user/fortressSentry-1.0.0/conf:/home/user/fortressSentry-1.0.0/lib/fortressSentry-1.0.0.jar"
+                    /&gt;</pre></font>
+            <em>note: <em>/home/user/fortressSentry-1.0.0</em> is an example of where Fortress Java Sentry binaries were extracted.  Be sure to enter location of where your Fortress Java Sentry package was extracted on local harddrive as discussed on step I.B above.<br><br>
+            i.e. /home/user/fortressSentry-1.0.0 or /usr/local/fortressSentry-1.0.0.<br><br>
+            These packages must remain off the Tomcat server classpath but must be correctly entered in server.xml or Tomcat will fail to initialize.</em><br><br>           <li>Save and exit.</li>
+           <li>Restart Tomcat server.</li>
+           <li>Verify that Fortress Java Sentry started successfully by viewing following message in catalina.log</li>
+            <font size="3" color="#000000"><pre>
+>/opt/apache-tomcat-6.0.24/bin$ tail -f -n10000 ../logs/catalina.out
+...
+INFO: org.apache.directory.fortress.realm.tomcat.TcAccessMgrProxy J2EE policy agent initialization successful
+
+If Tomcat 7 and beyond:
+
+INFO: org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy J2EE Tomcat7 policy agent initialization successful
+
+            </pre></font>
+           <em>Note: If you experience problems check out the Common Troubleshooting Tips section at the end of this document.</em><br><br>
+           </ol>
+       </p>
+    </li>
+    <em>If you made it this far without errors you are now ready to use Fortress enabled security in Tomcat runtime environment.
+    If you need help understanding how Java EE security works, check out this link: 
+    <br><a href="http://download.oracle.com/javaee/5/tutorial/doc/bnbwk.html">The Java EE 5 Tutorial</a></em><br>
+    <li>
+       <h3>Instructions to test Tomcat Security (Optional)</h3>
+       <em>Note: this section provides instructions for using the Tomcat Manager application
+       to test Fortress security functionality.  This is not necessary if you have your own Java EE security enabled web application to test with.</em><br><br>       
+        <ol type="A">
+           <li>Enable Tomcat Manager application.  note: check the Tomcat documentation on how to do this.</li>
+           <li>Verify/enable role name.  Edit TOMCAT_HOME/webapps/manager/WEB-INF/web.xml</li>
+            <font size="3" color="#000000"><pre>&lt;!-- Security roles referenced by this web application --/&gt;
+                &lt;security-role/&gt;
+                  &lt;description/&gt;
+                    The role that is required to log in to the Manager Application
+                  &lt;/description/&gt;
+                  &lt;role-name/&gt;manager&lt;/role-name/&gt;
+                &lt;/security-role/&gt;
+            </pre></font>
+           <li>Add Role to access Tomcat Manager application</li><pre>
+<em>Note: If Fortress <b>init-slapd</b> Ant task was run this data will already be loaded into the directory using the
+   <b>FortressDemoUsers.xml</b> load script.</em>
+
+<em>If Tomcat 7 and beyond:</em>
+   Add Role named <b>manager-gui</b>
+
+<em>else if Tomcat 6 and before:</em>
+    Add Role named <b>manager</b>
+            </pre>
+
+           <li>Add User named <strong>tcmanager</strong>:  (or whatever you want to name it)</li>
+           <li>Assign Test User <strong>tcmanager</strong> Role <strong>manager</strong>, (if Tomcat 7 this role is <strong>manager-gui</strong>)</li>
+           <li>Test logon onto the Tomcat Manager app.</li>
+           <li>Enter URL to manager web app:</li>
+<font size="3" color="#000000"><pre>http://localhost:8080/manager/html</pre></font>
+           <li>Enter creds (tcmanager, password) into basic logon form</li>
+           <li>Verify authentication/authorization success to web app.</li>
+           </ol>
+       </p>
+   </li>
+    <li>
+       <h3>Common Troubleshooting Tips</h3>
+        <ol type="A">
+           <li>Server can't find config files (realmClasspath="/fortressSentry-1.0.0/conf/")
+               <h4>Error</h4>
+              
+<font size="3" color="#000000">               <pre>
+    Jul 15, 2011 8:21:16 PM Tc7AccessMgrProxy initialize
+    INFO: Tc7AccessMgrProxy.initialize - instantiate policy agent name: TcAccessMgrImpl
+    2011-07-15 20:21:17,053 (FATAL) org.apache.directory.fortress.core.configuration.Config static init: Error, null configuration file: fortress.properties
+    Jul 15, 2011 8:21:17 PM Tc7AccessMgrProxy startInternal
+    SEVERE: Tc7AccessMgrProxy.startInternal caught Throwable=java.lang.ExceptionInInitializerError
+    java.lang.ExceptionInInitializerError
+            at J2eePolicyMgrFactory.<clinit>(J2eePolicyMgrFactory.java:32)
+            at TcAccessMgrImpl.<init>(TcAccessMgrImpl.java:35)
+            at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
+            at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
+            at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
+            at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
+            at java.lang.Class.newInstance0(Class.java:355)
+            at java.lang.Class.newInstance(Class.java:308)
+            at Tc7AccessMgrProxy.initialize(Tc7AccessMgrProxy.java:112)
+            at Tc7AccessMgrProxy.startInternal(Tc7AccessMgrProxy.java:236)
+            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
+            at org.apache.catalina.core.ContainerBase.startInternal(ContainerBase.java:1026)
+            at org.apache.catalina.core.StandardEngine.startInternal(StandardEngine.java:291)
+            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
+            at org.apache.catalina.core.StandardService.startInternal(StandardService.java:443)
+            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
+            at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:727)
+            at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
+            at org.apache.catalina.startup.Catalina.start(Catalina.java:620)
+            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
+            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
+            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
+            at java.lang.reflect.Method.invoke(Method.java:597)
+            at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:303)
+            at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:431)
+    Caused by: java.lang.RuntimeException: org.apache.directory.fortress.core.configuration.Config static init: Error, null configuration file: fortress.properties
+            at org.apache.directory.fortress.core.configuration.Config.<clinit>(Config.java:51)
+            ... 25 more
+               </pre>
+</font>               <h4>Corrective Action</h4>
+               <pre>
+<em>Ensure step III.D points to Fortress sentry configuration folder.</em>
+               </pre>
+           </li>
+            <li>Server can't find proxy jar (Realm className="TcAccessMgrProxy")
+                <h4>Error</h4>
+<font size="3" color="#000000">                <pre>
+INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib/jvm/java-6-sun-1.6.0.22/jre/lib/i386/server:/usr/lib/jvm/java-6-sun-1.6.0.22/jre/lib/i386:/usr/lib/jvm/java-6-sun-1.6.0.22/jre/../lib/i386:/usr/java/packages/lib/i386:/lib:/usr/lib
+Apr 22, 2011 10:24:04 PM org.apache.tomcat.util.digester.Digester startElement
+SEVERE: Begin event threw exception
+java.lang.ClassNotFoundException: org.apache.directory.fortress.realm.tomcat.TcAccessMgrProxy
+                </pre>
+</font>
+                <h4>Corrective Action</h4>
+                <pre>
+<em>Ensure step III.A copied the Fortress sentry proxy jar to TOMCAT_HOME/lib folder.</em>
+                </pre>
+            </li>
+            <li>Server can't find binaries (realmClasspath="...FORTRESS_HOME/lib/fortressSentry-[version].jar")
+                <h4>Error</h4>
+<font size="3" color="#000000">                <pre>
+Apr 22, 2011 10:22:25 PM org.apache.directory.fortress.realm.tomcat.TcAccessMgrProxy initialize
+SEVERE: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: TcAccessMgrImpl
+Apr 22, 2011 10:22:25 PM org.apache.directory.fortress.realm.tomcat.TcAccessMgrProxy start
+SEVERE: Fortress Tomcat Realm.start caught Exception=java.lang.RuntimeException: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: TcAccessMgrImpl
+java.lang.RuntimeException: Fortress Tomcat Realm.initialize java.lang.ClassNotFoundException=java.lang.ClassNotFoundException: TcAccessMgrImpl
+        at org.apache.directory.fortress.realm.tomcat.TcAccessMgrProxy.initialize(TcAccessMgrProxy.java:118)
+                </pre>
+</font>
+                <h4>Corrective Action</h4>
+                <pre>
+<em>Ensure step III.D configuration points fortressSentry jar,
+i.e. FORTRESS_HOME/lib/fortressProxyTomcat[version].jar.</em>
+                </pre>
+            </li>
+            <li>Incompatible Tomcat Proxy jar loaded for Tomcat 7 and beyond
+            The Tomcat sentry base class changed between Tomcat version's 6 and 7.  If you are running Tomcat7 and see error that looks like this:
+                <h4>Error</h4>
+<font size="3" color="#000000">                <pre>
+Jun 4, 2011 3:01:41 PM org.apache.tomcat.util.digester.Digester startElement
+SEVERE: Begin event threw error
+java.lang.VerifyError: class org.apache.directory.fortress.realm.tomcat.TcAccessMgrProxy overrides final method start.()V
+        at java.lang.ClassLoader.defineClass1(Native Method)
+        at java.lang.ClassLoader.defineClassCond(ClassLoader.java:632)
+        at java.lang.ClassLoader.defineClass(ClassLoader.java:616)
+        at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:141)
+        at java.net.URLClassLoader.defineClass(URLClassLoader.java:283)
+        at java.net.URLClassLoader.access$000(URLClassLoader.java:58)
+        at java.net.URLClassLoader$1.run(URLClassLoader.java:197)
+        at java.security.AccessController.doPrivileged(Native Method)
+        at java.net.URLClassLoader.findClass(URLClassLoader.java:190)
+        at java.lang.ClassLoader.loadClass(ClassLoader.java:307)
+        at java.lang.ClassLoader.loadClass(ClassLoader.java:248)
+        at org.apache.tomcat.util.digester.ObjectCreateRule.begin(ObjectCreateRule.java:144)
+        at org.apache.tomcat.util.digester.Digester.startElement(Digester.java:1282)
+        at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.startElement(AbstractSAXParser.java:501)
+        at com.sun.org.apache.xerces.internal.parsers.AbstractXMLDocumentParser.emptyElement(AbstractXMLDocumentParser.java:179)
+        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanStartElement(XMLDocumentFragmentScannerImpl.java:1343)
+        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2755)
+        at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:648)
+        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:511)
+        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:808)
+        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:737)
+        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:119)
+        at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1205)
+        at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:522)
+        at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1543)
+        at org.apache.catalina.startup.Catalina.load(Catalina.java:554)
+        at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
+        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
+        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
+        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
+        at java.lang.reflect.Method.invoke(Method.java:597)
+        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
+        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
+                </pre>
+</font>
+                <h4>Corrective Action</h4>
+                <pre>
+<em>You have the wrong Tomcat Proxy jar on the server's classpath.
+You need to get the proxy jar that is compatible with Tomcat version 7 and beyond.
+Ensure step III.A configuration uses fortressProxyTomcat7-[version].jar,
+i.e. FORTRESS_HOME/lib/fortressProxyTomcat7-[version].jar.</em>
+                </pre>
+            </li>
+            <li>Incompatible Tomcat Proxy jar loaded for Tomcat 6 and before
+                The Tomcat sentry base class changed between Tomcat version's 6 and 7.  If you are running Tomcat 4, 5 or 6 and see error that looks like this
+                <h4>Error</h4>
+<font size="3" color="#000000">                <pre>
+SEVERE: An exception or error occurred in the container during the request processing
+java.lang.RuntimeException: org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxyauthenticate detected Fortress Tomcat7 Realm not initialized correctly.  Check your Fortress Realm configuration
+        at org.apache.directory.fortress.realm.tomcat.Tc7AccessMgrProxy.authenticate(Tc7AccessMgrProxy.java:161)
+        at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:259)
+        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:449)
+        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
+        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
+        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
+        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
+        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:852)
+        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588)
+        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
+        at java.lang.Thread.run(Thread.java:662)
+                </pre>
+</font>
+                <h4>Corrective Action</h4>
+                <pre>
+<em>You have the wrong Tomcat Proxy jar on the server's classpath.
+You need to get the proxy jar that is compatible with Tomcat version 6 and before:
+Ensure step III.A configuration uses fortressProxyTomcat-[version].jar,
+i.e. FORTRESS_HOME/lib/fortressProxyTomcat-[version].jar.</em>
+                </pre>
+            </li>
+           </ol>
+       </p>
+   </li>
+</ol>
+</body>

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/src/main/java/org/apache/directory/fortress/realm/util/ChildFirstUrlClassLoader.java
----------------------------------------------------------------------
diff --git a/proxy/src/main/java/org/apache/directory/fortress/realm/util/ChildFirstUrlClassLoader.java b/proxy/src/main/java/org/apache/directory/fortress/realm/util/ChildFirstUrlClassLoader.java
new file mode 100644
index 0000000..9c96b8f
--- /dev/null
+++ b/proxy/src/main/java/org/apache/directory/fortress/realm/util/ChildFirstUrlClassLoader.java
@@ -0,0 +1,125 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.realm.util;
+
+import java.net.URL;
+import java.net.URLClassLoader;
+
+/**
+ * This class extends the standard Java URLClassloader and provides a child first lookup for system classpath and is used when
+ * JBoss application server is in use.  The child first URLClassloader behaves as one would expect and always looks in child classloader
+ * before going to parent to search.  This inversion is needed in JBoss to allow isolation of Fortress code from the server and application classpaths.
+ *
+ * @author Shawn McKinney
+ */
+public class ChildFirstUrlClassLoader extends URLClassLoader
+{
+    /**
+     * Constructor for the ChildFirstUrlClassLoader object accepts an array of URLs and parent reference.
+     *
+     * @param urls   Contains a list of value Java classpath entries.
+     * @param parent Reference to parent classloader.
+     */
+    public ChildFirstUrlClassLoader(URL[] urls, ClassLoader parent)
+    {
+        super(urls, parent);
+    }
+
+
+    /**
+     * Constructor for the ChildFirstUrlClassLoader object accepts an array of URLs.
+     *
+     * @param urls   Contains a list of value Java classpath entries.
+     */
+    public ChildFirstUrlClassLoader(URL[] urls)
+    {
+        super(urls);
+    }
+
+
+    /**
+     * Description of the Method
+     *
+     * @param name    Description of the Parameter
+     * @param resolve Description of the Parameter
+     * @return Description of the Return Value
+     * @throws ClassNotFoundException Description of the Exception
+     */
+    protected Class loadClass(String name, boolean resolve)
+        throws ClassNotFoundException
+    {
+
+        Class c = findLoadedClass(name);
+        if (c == null)
+        {
+            try
+            {
+                c = findClass(name);
+            }
+            catch (ClassNotFoundException ignore)
+            {
+
+            }
+            if (c == null)
+            {
+                if (getParent() != null)
+                {
+                    c = getParent().loadClass(name);
+                }
+                else
+                {
+                    c = getSystemClassLoader().loadClass(name);
+                }
+            }
+        }
+        if (resolve)
+        {
+            resolveClass(c);
+        }
+
+        return c;
+    }
+
+
+    /**
+     * Gets the resource attribute of the ChildFirstUrlClassLoader object
+     *
+     * @param name Description of the Parameter
+     * @return The resource value
+     */
+    public URL getResource(String name)
+    {
+        URL url;
+        url = findResource(name);
+        if (url == null)
+        {
+            if (getParent() != null)
+            {
+                url = getParent().getResource(name);
+            }
+            else
+            {
+                url = getSystemClassLoader().getResource(name);
+            }
+        }
+        return url;
+    }
+}
+
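Review bot: `loadClass` drops the locking that the inherited `ClassLoader.loadClass` provides (a `synchronized` method on Java 6, `getClassLoadingLock(name)` from Java 7), so two threads that both miss `findLoadedClass(name)` can each call `findClass(name)` and the second definition fails with a `LinkageError`; declaring it `protected synchronized Class loadClass(String name, boolean resolve)` restores the guard. The empty `catch (ClassNotFoundException ignore)` looks intentional, since the code falls through to the parent, and deserves a one-line comment saying so. Because the child URLs are searched before the parent, any jar or folder on the realm classpath can replace a class the server would otherwise supply, so the class Javadoc should state that those locations must be writable only by the server administrator. The placeholder `Description of the Method` Javadoc on `loadClass` should be replaced with a description of that lookup order.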

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/src/main/java/org/apache/directory/fortress/realm/util/CpUtil.java
----------------------------------------------------------------------
diff --git a/proxy/src/main/java/org/apache/directory/fortress/realm/util/CpUtil.java b/proxy/src/main/java/org/apache/directory/fortress/realm/util/CpUtil.java
new file mode 100644
index 0000000..c6412da
--- /dev/null
+++ b/proxy/src/main/java/org/apache/directory/fortress/realm/util/CpUtil.java
@@ -0,0 +1,178 @@
+/*
+ *   Licensed to the Apache Software Foundation (ASF) under one
+ *   or more contributor license agreements.  See the NOTICE file
+ *   distributed with this work for additional information
+ *   regarding copyright ownership.  The ASF licenses this file
+ *   to you under the Apache License, Version 2.0 (the
+ *   "License"); you may not use this file except in compliance
+ *   with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing,
+ *   software distributed under the License is distributed on an
+ *   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ *   KIND, either express or implied.  See the License for the
+ *   specific language governing permissions and limitations
+ *   under the License.
+ *
+ */
+package org.apache.directory.fortress.realm.util;
+
+import java.util.logging.Logger;
+import java.io.File;
+import java.net.URL;
+import java.util.StringTokenizer;
+
+/**
+ * This class interrogates the Java System for properties set on REALM_CLASSPATH by the
+ * caller.  The system properties are converted into URL arrays for later URL classloader processing.
+ *
+ * @author Shawn McKinney
+ */
+public class CpUtil
+{
+    private static final String CLS_NM = CpUtil.class.getName();
+    private static Logger log = Logger.getLogger(CLS_NM);
+    private static final String PATH_SEPARATOR = "path.separator";
+    private static final String FILE_PREFIX = "file:/";
+    private static final String UNIX_SLASH = "/";
+    private static final String WIN_SLASH = "\\";
+    private static final String UNIX_SEPARATOR = ":";
+
+    /**
+     * This method is used by Tomcat Realm Proxy to retrieve REALM_CLASSPATH from the Server.xml config file.
+     *
+     * @param classpath String contains paths separated by ':' or ';' depending if Unix or Win.
+     * @return URL array containing the resource names that comprise the REALM_CLASSPATH.
+     */
+    public static URL[] parseRealmClasspath(String classpath)
+    {
+        URL urls[] = null;
+        try
+        {
+            String slash;
+            String filePrefix = FILE_PREFIX;
+            String pathSeparator = System.getProperty(PATH_SEPARATOR);
+
+            // Is this a Unix machine?
+            if (pathSeparator.compareTo(UNIX_SEPARATOR) == 0)
+            {
+                // unix requires adding extra forward slash:
+                filePrefix += UNIX_SLASH;
+                slash = UNIX_SLASH;
+            }
+            else
+            {
+                slash = WIN_SLASH;
+            }
+
+            log.info(CLS_NM + ".parseRealmClasspath <" + classpath + ">");
+            StringTokenizer st = new StringTokenizer(classpath, pathSeparator, false);
+            int size = st.countTokens();
+            urls = new URL[size];
+            for (int i = 0; i < size; i++)
+            {
+                String resource = st.nextToken();
+                resource = getResource(resource, slash);
+                String file = filePrefix + resource;
+                urls[i] = new URL(file);
+                log.info(CLS_NM + ".parseRealmClasspath path" + i + " <" + urls[i] + ">");
+            }
+        }
+        catch (java.net.MalformedURLException me)
+        {
+            String error = CLS_NM + ".parseRealmClasspath caught MalformedURLException=" + me;
+            log.severe(error);
+            error = CLS_NM + ".parseRealmClasspath check your Fortress REALM_CLASSPATH setting.";
+            log.severe(error);
+        }
+        return urls;
+    }
+
+
+    /**
+     * This method is used by Websphere Realm Proxy to retrieve REALM_CLASSPATH from the System.getProperty..
+     *
+     * @param cpProp contains paths separated by ':' or ';' depending if Unix or Win.
+     * @return URL array containing the resource names that comprise the REALM_CLASSPATH.
+     */
+    public static URL[] getRealmClasspath(String cpProp)
+    {
+        URL urls[] = null;
+        try
+        {
+            String slash;
+            String filePrefix = FILE_PREFIX;
+            String classpath = System.getProperty(cpProp);
+            String pathSeparator = System.getProperty(PATH_SEPARATOR);
+
+            if(classpath == null || classpath.length() == 0)
+            {
+                String error = CLS_NM + ".parseRealmClasspath invalid realm classpath detected";
+                log.severe(error);
+                throw new java.lang.RuntimeException(error);
+            }
+            else if(pathSeparator == null || pathSeparator.length() == 0)
+            {
+                String error = CLS_NM + ".parseRealmClasspath invalid classpath detected";
+                log.severe(error);
+                throw new java.lang.RuntimeException(error);
+            }
+
+            // Is this a Unix machine?
+            if (pathSeparator.compareTo(UNIX_SEPARATOR) == 0)
+            {
+                // unix requires adding extra forward slash:
+                filePrefix += UNIX_SLASH;
+                slash = UNIX_SLASH;
+            }
+            else
+            {
+                slash = WIN_SLASH;
+            }
+            log.info(CLS_NM + ".parseRealmClasspath <" + classpath + ">");
+            StringTokenizer st = new StringTokenizer(classpath, pathSeparator, false);
+            int size = st.countTokens();
+            urls = new URL[size];
+            for (int i = 0; i < size; i++)
+            {
+                String resource = st.nextToken();
+                resource = getResource(resource, slash);
+                String file = filePrefix + resource;
+                urls[i] = new URL(file);
+                log.info(CLS_NM + ".parseRealmClasspath path" + i + " <" + urls[i] + ">");
+            }
+        }
+        catch (java.net.MalformedURLException me)
+        {
+            String error = CLS_NM + ".parseRealmClasspath caught MalformedURLException=" + me;
+            log.severe(error);
+            throw new java.lang.RuntimeException(error);
+        }
+        return urls;
+    }
+
+
+    /**
+     * Check to see if resource is a folder and if the trailing slash was left off add it.  Otherwise
+     * the folder will not be added to REALM_CLASSPATH causing problems with Fortress finding its config folder.
+     *
+     * @param name
+     * @param slash
+     * @return String containing resource value
+     */
+    private static String getResource(String name, String slash)
+    {
+        File rFile = new File(name);
+        if (rFile.isDirectory())
+        {
+            if (name.lastIndexOf(slash) != (name.length() - 1))
+            {
+                name += slash;
+                log.info(CLS_NM + ".getResource slash added to dir path");
+            }
+        }
+        return name;
+    }
+}
\ No newline at end of file
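Review bot: `parseRealmClasspath` never checks `classpath` for null or empty the way `getRealmClasspath` does, and on `MalformedURLException` it only logs and then returns `urls`, which at that point holds `null` entries from the failing index onward. Since these URLs decide where the realm implementation is loaded from, it is safer to fail closed as `getRealmClasspath` already does, with the cause attached to the exception. The callers are outside this hunk, so confirm that none rely on getting an array back after a failure. The two method bodies are otherwise the same and the messages in `getRealmClasspath` still name `.parseRealmClasspath`, so `getRealmClasspath` could read the system property and delegate.

```java
    public static URL[] parseRealmClasspath(String classpath)
    {
        if (classpath == null || classpath.length() == 0)
        {
            String error = CLS_NM + ".parseRealmClasspath invalid realm classpath detected";
            log.severe(error);
            throw new java.lang.RuntimeException(error);
        }
        // … unchanged: separator detection and tokenizer loop inside the try …
        catch (java.net.MalformedURLException me)
        {
            // … unchanged: the two log.severe calls …
            // fail closed: a half-filled URL array must not reach the class loader
            throw new java.lang.RuntimeException(error, me);
        }
```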

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/src/main/java/org/apache/directory/fortress/realm/util/package.html
----------------------------------------------------------------------
diff --git a/proxy/src/main/java/org/apache/directory/fortress/realm/util/package.html b/proxy/src/main/java/org/apache/directory/fortress/realm/util/package.html
new file mode 100644
index 0000000..0249118
--- /dev/null
+++ b/proxy/src/main/java/org/apache/directory/fortress/realm/util/package.html
@@ -0,0 +1,30 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+<html>
+   <head>
+      <title>Package Documentation for Fortress Java Sentry Utils</title>
+   </head>
+   <body>
+      <p>
+         This package contains utils used by Fortress Proxy to instantiate the Java Sentry implementation within a URL Classloader which
+          isolates dependencies from the application server's system classpath.
+          The APIs are not called directly by outside client programs rather they are called by the Fortress Java Sentry itself.
+      </p>
+   </body>
+</html>

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/proxy/src/main/java/overview.html
----------------------------------------------------------------------
diff --git a/proxy/src/main/java/overview.html b/proxy/src/main/java/overview.html
new file mode 100644
index 0000000..3e86dec
--- /dev/null
+++ b/proxy/src/main/java/overview.html
@@ -0,0 +1,46 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+<html>
+   <head>
+      <title>Overview of Apache Directory Fortress Realm Component</title>
+   </head>
+   <body>
+       Authentication, Authorization and Audit facility for Java EE application servers.
+
+       <h3>How can I start using the Fortress Java Sentry to secure my runtime application server environment?</h3>
+
+       The following links provide installation instructions that describe how to setup these application sever plug-ins.
+       <ol>
+       <li><a href="org/apache/directory/fortress/realm/tomcat/package-summary.html">Tomcat Java Sentry</a></li>
+       <li><a href="org/apache/directory/fortress/realm/websphere/package-summary.html">Websphere Java Sentry</a></li>
+       </ol>
+
+       <h3>How does the Fortress Realm work?</h3>
+
+        The Apache Directory Fortress Realm implements the following SPIs:
+        <ol>
+        <li><a href="http://tomcat.apache.org/tomcat-5.5-doc/catalina/docs/api/org/apache/catalina/realm/RealmBase.html">Tomcat 4,5,6</a></li>
+        <li><a href="http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/realm/RealmBase.html">Tomcat 7</a></li>
+        <li><a href="http://publib.boulder.ibm.com/infocenter/wasinfo/fep/index.jsp?topic=/com.ibm.websphere.javadoc.doc/web/spidocs/com/ibm/websphere/security/UserRegistry.html">Websphere UserRegistry</a></li>
+        </ol>
+   </body>
+</html>
+
+
+

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/src/main/assembly/distsrc.xml
----------------------------------------------------------------------
diff --git a/src/main/assembly/distsrc.xml b/src/main/assembly/distsrc.xml
new file mode 100644
index 0000000..de942d9
--- /dev/null
+++ b/src/main/assembly/distsrc.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one
+   or more contributor license agreements.  See the NOTICE file
+   distributed with this work for additional information
+   regarding copyright ownership.  The ASF licenses this file
+   to you under the Apache License, Version 2.0 (the
+   "License"); you may not use this file except in compliance
+   with the License.  You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing,
+   software distributed under the License is distributed on an
+   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+   KIND, either express or implied.  See the License for the
+   specific language governing permissions and limitations
+   under the License.
+-->
+
+<assembly xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/xsd/assembly-1.1.1.xsd">
+    <id>dist</id>
+    <formats>
+        <format>jar</format>
+    </formats>
+    <fileSets>
+        <fileSet>
+            <directory>.</directory>
+            <includes>
+                <include>pom.xml</include>
+                <include>TOMCAT-SETUP-NOTES.txt</include>
+                <include>LICENSE.txt</include>
+                <include>NOTICE.txt</include>
+            </includes>
+            <excludes>
+                <exclude>**/target/</exclude>
+                <exclude>**/*.log</exclude>
+            </excludes>
+        </fileSet>
+        <fileSet>
+            <directory>conf</directory>
+            <outputDirectory>conf</outputDirectory>
+            <excludes>
+                <exclude>*.properties</exclude>
+            </excludes>
+        </fileSet>
+        <fileSet>
+            <directory>impl</directory>
+            <outputDirectory>impl</outputDirectory>
+            <excludes>
+                <exclude>**/target/</exclude>
+                <exclude>**/*.log</exclude>
+            </excludes>
+        </fileSet>
+        <fileSet>
+            <directory>proxy</directory>
+            <outputDirectory>proxy</outputDirectory>
+            <excludes>
+                <exclude>**/target/</exclude>
+                <exclude>**/*.log</exclude>
+            </excludes>
+        </fileSet>
+    </fileSets>
+</assembly>
\ No newline at end of file
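Review bot: The `conf` fileSet excludes `*.properties`, which matches only files directly under `conf`, so a properties file in a subfolder would still be packaged. Such files commonly hold directory connection settings, which makes `<exclude>**/*.properties</exclude>` the safer pattern; whether `conf` has subfolders is not visible here. The root element also declares the POM namespace `http://maven.apache.org/POM/4.0.0` and gives `xsi:schemaLocation` a single URI instead of a namespace/location pair. For the 1.1.1 descriptor the namespace is `http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.1`, paired with the xsd URL already present.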

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/src/main/java/Prod.iml
----------------------------------------------------------------------
diff --git a/src/main/java/Prod.iml b/src/main/java/Prod.iml
deleted file mode 100644
index 2089fec..0000000
--- a/src/main/java/Prod.iml
+++ /dev/null
@@ -1,14 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<module type="JAVA_MODULE" version="4">
-  <component name="NewModuleRootManager" inherit-compiler-output="true">
-    <exclude-output />
-    <content url="file://$MODULE_DIR$">
-      <sourceFolder url="file://$MODULE_DIR$/proxy" isTestSource="false" />
-      <sourceFolder url="file://$MODULE_DIR$/impl" isTestSource="false" />
-    </content>
-    <orderEntry type="inheritedJdk" />
-    <orderEntry type="sourceFolder" forTests="false" />
-    <orderEntry type="library" name="lib" level="project" />
-  </component>
-</module>
-

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/src/main/java/fortress-javadoc.css
----------------------------------------------------------------------
diff --git a/src/main/java/fortress-javadoc.css b/src/main/java/fortress-javadoc.css
deleted file mode 100644
index 44ace3f..0000000
--- a/src/main/java/fortress-javadoc.css
+++ /dev/null
@@ -1,32 +0,0 @@
-BODY  { color: #000000;
-        background-color: #FFFFFF;
-        font-family: sans-serif }
-
-A:link  { color: #0101DF;
-          text-decoration: underline }
-
-A:visited  { color: #610B38;
-             text-decoration: underline }
-
-A:hover { color: #0B3B0B;
-          text-decoration: underline }
-
-PRE  { background-color: #99CC66;
-       margin: 15px 30px;
-       padding: 10px 10px;
-       border: 1px solid #000000 }
-
-# the following will add space between list items:
-#LI  { margin: 10px 0px }
-
-TH  { background-color: #FFFFFF;  color: #003300;
-      font-size: 125%;
-      font-weight: bold }
-
-
-# Classes defined specifically for Javadoc
-.TableHeadingColor  { background-color: #D8D8D8 }
-
-.NavBarCell1  { background-color: #99CC66 }
-
-.FrameItemFont  { font-size: 90% }

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/src/main/java/impl/org/openldap/sentry/J2eePolicyMgr.java
----------------------------------------------------------------------
diff --git a/src/main/java/impl/org/openldap/sentry/J2eePolicyMgr.java b/src/main/java/impl/org/openldap/sentry/J2eePolicyMgr.java
deleted file mode 100644
index 8930a15..0000000
--- a/src/main/java/impl/org/openldap/sentry/J2eePolicyMgr.java
+++ /dev/null
@@ -1,318 +0,0 @@
-/*
- * This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1998-2014 The OpenLDAP Foundation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-
-package org.openldap.sentry;
-
-import java.util.List;
-import java.security.Principal;
-
-import org.openldap.fortress.rbac.User;
-import org.openldap.fortress.rbac.Role;
-import org.openldap.fortress.SecurityException;
-import org.openldap.fortress.rbac.Session;
-import org.openldap.sentry.tomcat.TcPrincipal;
-
-/**
- * This interface is for components that use Websphere and Tomcat Container SPI's to provide
- * Java EE Security capabilities.  These APIs may be called by external programs as needed though the recommended
- * practice is to use Fortress Core APIs like {@link org.openldap.fortress.AccessMgr} and {@link org.openldap.fortress.ReviewMgr}.
- *
- * @author Shawn McKinney
- */
-public interface J2eePolicyMgr
-{
-    /**
-     * Perform user authentication and evaluate password policies.
-     *
-     * @param userId   Contains the userid of the user signing on.
-     * @param password Contains the user's password.
-     * @return boolean true if succeeds, false otherwise.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation failure, security policy violation or DAO error.
-     */
-    public boolean authenticate(String userId, char[] password)
-        throws SecurityException;
-
-
-    /**
-     * Perform user authentication {@link User#password} and role activations.<br />
-     * This method must be called once per user prior to calling other methods within this class.
-     * The successful result is {@link org.openldap.fortress.rbac.Session} that contains target user's RBAC {@link User#roles} and Admin role {@link User#adminRoles}.<br />
-     * In addition to checking user password validity it will apply configured password policy checks {@link org.openldap.fortress.rbac.User#pwPolicy}..<br />
-     * Method may also store parms passed in for audit trail {@link org.openldap.fortress.rbac.FortEntity}.
-     * <h4> This API will...</h4>
-     * <ul>
-     * <li> authenticate user password if trusted == false.
-     * <li> perform <a href="http://www.openldap.org/">OpenLDAP</a> <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10/">password policy evaluation</a>.
-     * <li> fail for any user who is locked by OpenLDAP's policies {@link org.openldap.fortress.rbac.User#isLocked()}, regardless of trusted flag being set as parm on API.
-     * <li> evaluate temporal {@link org.openldap.fortress.util.time.Constraint}(s) on {@link User}, {@link org.openldap.fortress.rbac.UserRole} and {@link org.openldap.fortress.rbac.UserAdminRole} entities.
-     * <li> process selective role activations into User RBAC Session {@link User#roles}.
-     * <li> check Dynamic Separation of Duties {@link org.openldap.fortress.rbac.DSDChecker#validate(org.openldap.fortress.rbac.Session, org.openldap.fortress.util.time.Constraint, org.openldap.fortress.util.time.Time)} on {@link org.openldap.fortress.rbac.User#roles}.
-     * <li> process selective administrative role activations {@link User#adminRoles}.
-     * <li> return a {@link org.openldap.fortress.rbac.Session} containing {@link org.openldap.fortress.rbac.Session#getUser()}, {@link org.openldap.fortress.rbac.Session#getRoles()} and {@link org.openldap.fortress.rbac.Session#getAdminRoles()} if everything checks out good.
-     * <li> throw a checked exception that will be {@link org.openldap.fortress.SecurityException} or its derivation.
-     * <li> throw a {@link SecurityException} for system failures.
-     * <li> throw a {@link org.openldap.fortress.PasswordException} for authentication and password policy violations.
-     * <li> throw a {@link org.openldap.fortress.ValidationException} for data validation errors.
-     * <li> throw a {@link org.openldap.fortress.FinderException} if User id not found.
-     * </ul>
-     * <h4>
-     * The function is valid if and only if:
-     * </h4>
-     * <ul>
-     * <li> the user is a member of the USERS data set
-     * <li> the password is supplied (unless trusted).
-     * <li> the (optional) active role set is a subset of the roles authorized for that user.
-     * </ul>
-     * <h4>
-     * The following attributes may be set when calling this method
-     * </h4>
-     * <ul>
-     * <li> {@link User#userId} - required
-     * <li> {@link org.openldap.fortress.rbac.User#password}
-     * <li> {@link org.openldap.fortress.rbac.User#roles} contains a list of RBAC role names authorized for user and targeted for activation within this session.  Default is all authorized RBAC roles will be activated into this Session.
-     * <li> {@link org.openldap.fortress.rbac.User#adminRoles} contains a list of Admin role names authorized for user and targeted for activation.  Default is all authorized ARBAC roles will be activated into this Session.
-     * <li> {@link User#props} collection of name value pairs collected on behalf of User during signon.  For example hostname:myservername or ip:192.168.1.99
-     * </ul>
-     * <h4>
-     * Notes:
-     * </h4>
-     * <ul>
-     * <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
-     * <li> role activations will proceed in same order as supplied to User entity setter, see {@link User#setRole(String)}.
-     * </ul>
-     * </p>
-     *
-     * @param userId   maps to {@link org.openldap.fortress.rbac.User#userId}.
-     * @param password maps to {@link org.openldap.fortress.rbac.User#password}.
-     * @return TcPrincipal which contains the User's RBAC Session data formatted into a java.security.Principal that is used by Tomcat runtime.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation failure, security policy violation or DAO error.
-     */
-    public TcPrincipal createSession(String userId, char[] password)
-        throws SecurityException;
-
-
-    /**
-     * Perform user authentication {@link User#password} and role activations.<br />
-     * This method must be called once per user prior to calling other methods within this class.
-     * The successful result is {@link org.openldap.fortress.rbac.Session} that contains target user's RBAC {@link User#roles} and Admin role {@link User#adminRoles}.<br />
-     * In addition to checking user password validity it will apply configured password policy checks {@link org.openldap.fortress.rbac.User#pwPolicy}..<br />
-     * Method may also store parms passed in for audit trail {@link org.openldap.fortress.rbac.FortEntity}.
-     * <h4> This API will...</h4>
-     * <ul>
-     * <li> authenticate user password if trusted == false.
-     * <li> perform <a href="http://www.openldap.org/">OpenLDAP</a> <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10/">password policy evaluation</a>.
-     * <li> fail for any user who is locked by OpenLDAP's policies {@link org.openldap.fortress.rbac.User#isLocked()}, regardless of trusted flag being set as parm on API.
-     * <li> evaluate temporal {@link org.openldap.fortress.util.time.Constraint}(s) on {@link User}, {@link org.openldap.fortress.rbac.UserRole} and {@link org.openldap.fortress.rbac.UserAdminRole} entities.
-     * <li> process selective role activations into User RBAC Session {@link User#roles}.
-     * <li> check Dynamic Separation of Duties {@link org.openldap.fortress.rbac.DSDChecker#validate(org.openldap.fortress.rbac.Session, org.openldap.fortress.util.time.Constraint, org.openldap.fortress.util.time.Time)} on {@link org.openldap.fortress.rbac.User#roles}.
-     * <li> process selective administrative role activations {@link User#adminRoles}.
-     * <li> return a {@link org.openldap.fortress.rbac.Session} containing {@link org.openldap.fortress.rbac.Session#getUser()}, {@link org.openldap.fortress.rbac.Session#getRoles()} and {@link org.openldap.fortress.rbac.Session#getAdminRoles()} if everything checks out good.
-     * <li> throw a checked exception that will be {@link org.openldap.fortress.SecurityException} or its derivation.
-     * <li> throw a {@link SecurityException} for system failures.
-     * <li> throw a {@link org.openldap.fortress.PasswordException} for authentication and password policy violations.
-     * <li> throw a {@link org.openldap.fortress.ValidationException} for data validation errors.
-     * <li> throw a {@link org.openldap.fortress.FinderException} if User id not found.
-     * </ul>
-     * <h4>
-     * The function is valid if and only if:
-     * </h4>
-     * <ul>
-     * <li> the user is a member of the USERS data set
-     * <li> the password is supplied (unless trusted).
-     * <li> the (optional) active role set is a subset of the roles authorized for that user.
-     * </ul>
-     * <h4>
-     * The following attributes may be set when calling this method
-     * </h4>
-     * <ul>
-     * <li> {@link User#userId} - required
-     * <li> {@link org.openldap.fortress.rbac.User#password}
-     * <li> {@link org.openldap.fortress.rbac.User#roles} contains a list of RBAC role names authorized for user and targeted for activation within this session.  Default is all authorized RBAC roles will be activated into this Session.
-     * <li> {@link org.openldap.fortress.rbac.User#adminRoles} contains a list of Admin role names authorized for user and targeted for activation.  Default is all authorized ARBAC roles will be activated into this Session.
-     * <li> {@link User#props} collection of name value pairs collected on behalf of User during signon.  For example hostname:myservername or ip:192.168.1.99
-     * </ul>
-     * <h4>
-     * Notes:
-     * </h4>
-     * <ul>
-     * <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
-     * <li> role activations will proceed in same order as supplied to User entity setter, see {@link User#setRole(String)}.
-     * </ul>
-     * </p>
-     *
-     * @param userId   maps to {@link org.openldap.fortress.rbac.User#userId}.
-     * @param password maps to {@link org.openldap.fortress.rbac.User#password}.
-     * @param roles constains list of role names to activate.
-     * @return TcPrincipal which contains the User's RBAC Session data formatted into a java.security.Principal that is used by Tomcat runtime.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation failure, security policy violation or DAO error.
-     */
-    public TcPrincipal createSession(String userId, char[] password, List<String> roles)
-        throws SecurityException;
-
-
-    /**
-     * Perform user authentication {@link User#password} and role activations.<br />
-     * This method must be called once per user prior to calling other methods within this class.
-     * The successful result is {@link org.openldap.fortress.rbac.Session} that contains target user's RBAC {@link User#roles} and Admin role {@link User#adminRoles}.<br />
-     * In addition to checking user password validity it will apply configured password policy checks {@link org.openldap.fortress.rbac.User#pwPolicy}..<br />
-     * Method may also store parms passed in for audit trail {@link org.openldap.fortress.rbac.FortEntity}.
-     * <h4> This API will...</h4>
-     * <ul>
-     * <li> authenticate user password if trusted == false.
-     * <li> perform <a href="http://www.openldap.org/">OpenLDAP</a> <a href="http://tools.ietf.org/html/draft-behera-ldap-password-policy-10/">password policy evaluation</a>.
-     * <li> fail for any user who is locked by OpenLDAP's policies {@link org.openldap.fortress.rbac.User#isLocked()}, regardless of trusted flag being set as parm on API.
-     * <li> evaluate temporal {@link org.openldap.fortress.util.time.Constraint}(s) on {@link User}, {@link org.openldap.fortress.rbac.UserRole} and {@link org.openldap.fortress.rbac.UserAdminRole} entities.
-     * <li> process selective role activations into User RBAC Session {@link User#roles}.
-     * <li> check Dynamic Separation of Duties {@link org.openldap.fortress.rbac.DSDChecker#validate(org.openldap.fortress.rbac.Session, org.openldap.fortress.util.time.Constraint, org.openldap.fortress.util.time.Time)} on {@link org.openldap.fortress.rbac.User#roles}.
-     * <li> process selective administrative role activations {@link User#adminRoles}.
-     * <li> return a {@link org.openldap.fortress.rbac.Session} containing {@link org.openldap.fortress.rbac.Session#getUser()}, {@link org.openldap.fortress.rbac.Session#getRoles()} and {@link org.openldap.fortress.rbac.Session#getAdminRoles()} if everything checks out good.
-     * <li> throw a checked exception that will be {@link org.openldap.fortress.SecurityException} or its derivation.
-     * <li> throw a {@link SecurityException} for system failures.
-     * <li> throw a {@link org.openldap.fortress.PasswordException} for authentication and password policy violations.
-     * <li> throw a {@link org.openldap.fortress.ValidationException} for data validation errors.
-     * <li> throw a {@link org.openldap.fortress.FinderException} if User id not found.
-     * </ul>
-     * <h4>
-     * The function is valid if and only if:
-     * </h4>
-     * <ul>
-     * <li> the user is a member of the USERS data set
-     * <li> the password is supplied (unless trusted).
-     * <li> the (optional) active role set is a subset of the roles authorized for that user.
-     * </ul>
-     * <h4>
-     * The following attributes may be set when calling this method
-     * </h4>
-     * <ul>
-     * <li> {@link User#userId} - required
-     * <li> {@link org.openldap.fortress.rbac.User#password}
-     * <li> {@link org.openldap.fortress.rbac.User#roles} contains a list of RBAC role names authorized for user and targeted for activation within this session.  Default is all authorized RBAC roles will be activated into this Session.
-     * <li> {@link org.openldap.fortress.rbac.User#adminRoles} contains a list of Admin role names authorized for user and targeted for activation.  Default is all authorized ARBAC roles will be activated into this Session.
-     * <li> {@link User#props} collection of name value pairs collected on behalf of User during signon.  For example hostname:myservername or ip:192.168.1.99
-     * </ul>
-     * <h4>
-     * Notes:
-     * </h4>
-     * <ul>
-     * <li> roles that violate Dynamic Separation of Duty Relationships will not be activated into session.
-     * <li> role activations will proceed in same order as supplied to User entity setter, see {@link User#setRole(String)}.
-     * </ul>
-     * </p>
-     *
-     * @param user      Contains {@link User#userId}, {@link org.openldap.fortress.rbac.User#password} (optional if {@code isTrusted} is 'true'), optional {@link User#roles}, optional {@link org.openldap.fortress.rbac.User#adminRoles}
-     * @param isTrusted if true password is not required.
-     * @return Session object will contain authentication result code {@link org.openldap.fortress.rbac.Session#errorId}, RBAC role activations {@link org.openldap.fortress.rbac.Session#getRoles()}, Admin Role activations {@link org.openldap.fortress.rbac.Session#getAdminRoles()},OpenLDAP pw policy codes {@link org.openldap.fortress.rbac.Session#warningId}, {@link org.openldap.fortress.rbac.Session#expirationSeconds}, {@link org.openldap.fortress.rbac.Session#graceLogins} and more.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation failure, security policy violation or DAO error.
-     */
-    public Session createSession(User user, boolean isTrusted)
-        throws SecurityException;
-
-
-    /**
-     * Determine if given Role is contained within User's Tomcat Principal object.  This method does not need to hit
-     * the ldap server as the User's activated Roles are loaded into {@link org.openldap.sentry.tomcat.TcPrincipal#setContext(java.util.HashMap)}
-     *
-     * @param principal Contains User's Tomcat RBAC Session data that includes activated Roles.
-     * @param roleName  Maps to {@link org.openldap.fortress.rbac.Role#name}.
-     * @return True if Role is found in TcPrincipal, false otherwise.
-     * @throws org.openldap.fortress.SecurityException
-     *          data validation failure or system error..
-     */
-    public boolean hasRole(Principal principal, String roleName)
-        throws SecurityException;
-
-
-    /**
-     * Method reads Role entity from the role container in directory.
-     *
-     * @param roleName maps to {@link Role#name}, to be read.
-     * @return Role entity that corresponds with role name.
-     * @throws org.openldap.fortress.SecurityException
-     *          will be thrown if role not found or system error occurs.
-     */
-    public Role readRole(String roleName)
-        throws SecurityException;
-
-
-    /**
-     * Search for Roles assigned to given User.
-     *
-     * @param userId Maps to {@link org.openldap.fortress.rbac.User#userId}.
-     * @param limit  controls the size of ldap result set returned.
-     * @return List of type String containing the {@link org.openldap.fortress.rbac.Role#name} of all assigned Roles.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation failure or DAO error.
-     */
-    public List<String> searchRoles(String userId, int limit)
-        throws SecurityException;
-
-
-    /**
-     * Method returns matching User entity that is contained within the people container in the directory.
-     *
-     * @param userId maps to {@link User#userId} that matches record in the directory.  userId is globally unique in
-     *               people container.
-     * @return entity containing matching user data.
-     * @throws SecurityException if record not found or system error occurs.
-     */
-    public User readUser(String userId)
-        throws SecurityException;
-
-
-    /**
-     * Return a list of type String of all users in the people container that match the userId field passed in User entity.
-     * This method is used by the Websphere sentry component.  The max number of returned users may be set by the integer limit arg.
-     *
-     * @param userId contains all or some leading chars that correspond to users stored in the directory.
-     * @param limit  integer value sets the max returned records.
-     * @return List of type String containing matching userIds.
-     * @throws SecurityException in the event of system error.
-     */
-    public List<String> searchUsers(String userId, int limit)
-        throws SecurityException;
-
-
-    /**
-     * This function returns the set of users assigned to a given role. The function is valid if and
-     * only if the role is a member of the ROLES data set.
-     * The max number of users returned is constrained by limit argument.
-     * This method is used by the Websphere sentry component.  This method does NOT use hierarchical rbac.
-     *
-     * @param roleName maps to {@link Role#name} of Role entity assigned to user.
-     * @param limit    integer value sets the max returned records.
-     * @return List of type String containing userIds assigned to a particular role.
-     * @throws org.openldap.fortress.SecurityException
-     *          in the event of data validation or system error.
-     */
-    public List<String> assignedUsers(String roleName, int limit)
-        throws SecurityException;
-
-
-    /**
-     * This function returns the set of roles authorized for a given user. The function is valid if
-     * and only if the user is a member of the USERS data set.
-     *
-     * @param userId maps to {@link User#userId} matching User entity stored in the directory.
-     * @return Set of type String containing the roles assigned and roles inherited.
-     * @throws SecurityException If user not found or system error occurs.
-     */
-    public List<String> authorizedRoles(String userId)
-        throws SecurityException;
-}
-

http://git-wip-us.apache.org/repos/asf/directory-fortress-realm/blob/cdfe5ba7/src/main/java/impl/org/openldap/sentry/J2eePolicyMgrFactory.java
----------------------------------------------------------------------
diff --git a/src/main/java/impl/org/openldap/sentry/J2eePolicyMgrFactory.java b/src/main/java/impl/org/openldap/sentry/J2eePolicyMgrFactory.java
deleted file mode 100644
index 7717622..0000000
--- a/src/main/java/impl/org/openldap/sentry/J2eePolicyMgrFactory.java
+++ /dev/null
@@ -1,85 +0,0 @@
-/*
- * This work is part of OpenLDAP Software <http://www.openldap.org/>.
- *
- * Copyright 1998-2014 The OpenLDAP Foundation.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted only as authorized by the OpenLDAP
- * Public License.
- *
- * A copy of this license is available in the file LICENSE in the
- * top-level directory of the distribution or, alternatively, at
- * <http://www.OpenLDAP.org/license.html>.
- */
-
-package org.openldap.sentry;
-
-import org.openldap.fortress.cfg.Config;
-import org.openldap.fortress.SecurityException;
-import org.openldap.fortress.GlobalErrIds;
-import org.apache.log4j.Level;
-import org.apache.log4j.Logger;
-
-/**
- * Creates an instance of the J2eePolicyMgr object.
- * <p/>
- * The default implementation class is specified as {@link #J2EE_POLICYMGR_DEFAULT_CLASS} but can be overridden by
- * adding the {@link #J2EE_POLICYMGR_IMPLEMENTATION} config property.
- * <p/>
- *
- * @author Shawn McKinney
- */
-public class J2eePolicyMgrFactory
-{
-    /**
-     * When this optional tag, {@code realmImplementation}, is placed in Fortress properties, its class name will be the default {@code org.openldap.fortress.security.RealmMgr} instance used.
-     */
-    private static final String J2EE_POLICYMGR_IMPLEMENTATION = "realmImplementation";
-    private static final String J2EE_POLICYMGR_DEFAULT_CLASS = J2eePolicyMgrImpl.class.getName();
-    private static final String CLS_NM = J2eePolicyMgrFactory.class.getName();
-    private static final Logger log = Logger.getLogger(CLS_NM);
-    private static String j2eeClassName = Config.getProperty(J2EE_POLICYMGR_IMPLEMENTATION);
-
-    /**
-     * Create and return a reference to {@link J2eePolicyMgr} object.
-     *
-     * @return instance of {@link J2eePolicyMgr}.
-     * @throws org.openldap.fortress.SecurityException in the event of failure during instantiation.
-     */
-    public static J2eePolicyMgr createInstance()
-        throws SecurityException
-    {
-        J2eePolicyMgr realmMgr;
-        try
-        {
-            if (j2eeClassName == null || j2eeClassName.compareTo("") == 0)
-            {
-                j2eeClassName = J2EE_POLICYMGR_DEFAULT_CLASS;
-                if (log.isEnabledFor(Level.DEBUG))
-                {
-                    log.debug(CLS_NM + ".createInstance <" + J2EE_POLICYMGR_IMPLEMENTATION + "> not found.");
-                    log.debug(CLS_NM + ".createInstance use default <" + J2EE_POLICYMGR_DEFAULT_CLASS + ">");
-                }
-            }
-            realmMgr = (J2eePolicyMgr) Class.forName(j2eeClassName).newInstance();
-        }
-        catch (java.lang.ClassNotFoundException e)
-        {
-            String error = CLS_NM + ".createInstance caught java.lang.ClassNotFoundException=" + e;
-            throw new SecurityException(GlobalErrIds.FT_MGR_CLASS_NOT_FOUND, error, e);
-        }
-        catch (java.lang.InstantiationException e)
-        {
-            String error = CLS_NM + ".createInstance caught java.lang.InstantiationException=" + e;
-            throw new SecurityException(GlobalErrIds.FT_MGR_INST_EXCEPTION, error, e);
-        }
-        catch (java.lang.IllegalAccessException e)
-        {
-            String error = CLS_NM + ".createInstance caught java.lang.IllegalAccessException=" + e;
-            log.fatal(error);
-            throw new SecurityException(GlobalErrIds.FT_MGR_ILLEGAL_ACCESS, error, e);
-        }
-        return realmMgr;
-    }
-}
\ No newline at end of file