Posted to scm@geronimo.apache.org by dj...@apache.org on 2008/06/21 19:39:11 UTC
svn commit: r670236 - in
/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src:
main/java/org/apache/geronimo/tomcat/interceptor/
main/java/org/apache/geronimo/tomcat/listener/
main/java/org/apache/geronimo/tomcat/realm/ test/java/org/apache/geron...
Author: djencks
Date: Sat Jun 21 10:39:10 2008
New Revision: 670236
URL: http://svn.apache.org/viewvc?rev=670236&view=rev
Log:
GERONIMO-4124 clean up jacc usage
Modified:
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/listener/DispatchListener.java
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/test/java/org/apache/geronimo/tomcat/JACCSecurityTest.java
Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java?rev=670236&r1=670235&r2=670236&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/interceptor/PolicyContextBeforeAfter.java Sat Jun 21 10:39:10 2008
@@ -72,6 +72,7 @@
//Replace the old
PolicyContext.setContextID((String)context[policyContextIDIndex]);
+ PolicyContext.setHandlerData(httpRequest);
ContextManager.popCallers((Callers) context[callersIndex]);
if (httpRequest != null)
httpRequest.setAttribute(DEFAULT_SUBJECT, context[defaultSubjectIndex]);
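Review bot: The added `PolicyContext.setHandlerData(httpRequest)` re-installs the current request, while the line just above it restores the previous context id from the saved `context` array, so the two restores are asymmetric; if `before()` saves the previous handler data the way it saves the context id, the matching restore would be `PolicyContext.setHandlerData(context[/* index of the saved handler data */]);`. I cannot see `before()` from this hunk, so treat this as a question rather than a confirmed defect. Note also that `httpRequest` is null-checked two lines later, so on that path the handler data is set to null; if that is intended, a short comment saying so would stop the next reader from "fixing" it. The enclosing method starts and ends outside the hunk.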
Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/listener/DispatchListener.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/listener/DispatchListener.java?rev=670236&r1=670235&r2=670236&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/listener/DispatchListener.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/listener/DispatchListener.java Sat Jun 21 10:39:10 2008
@@ -38,8 +38,8 @@
private static final Logger log = LoggerFactory.getLogger(DispatchListener.class);
- private static ThreadLocal currentContext = new ThreadLocal() {
- protected Object initialValue() {
+ private static ThreadLocal<Stack<Object[]>> currentContext = new ThreadLocal<Stack<Object[]>>() {
+ protected Stack<Object[]> initialValue() {
return new Stack<Object[]>();
}
};
@@ -65,7 +65,7 @@
BeforeAfter beforeAfter = webContext.getBeforeAfter();
if (beforeAfter != null) {
- Stack<Object[]> stack = (Stack<Object[]>) currentContext.get();
+ Stack<Object[]> stack = currentContext.get();
Object context[] = new Object[webContext.getContextCount() + 1];
String wrapperName = getWrapperName(request, webContext);
context[webContext.getContextCount()] = TomcatGeronimoRealm.setRequestWrapperName(wrapperName);
@@ -80,8 +80,8 @@
BeforeAfter beforeAfter = webContext.getBeforeAfter();
if (beforeAfter != null) {
- Stack stack = (Stack) currentContext.get();
- Object context[] = (Object[]) stack.pop();
+ Stack<Object[]> stack = currentContext.get();
+ Object context[] = stack.pop();
beforeAfter.after(context, request, response, BeforeAfter.DISPATCHED);
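Review bot: The new `stack.pop()` throws `EmptyStackException` when nothing was pushed for this request (for instance if the corresponding `before()` failed before its push), which would replace the original error with an unrelated one on the restore path; an `if (stack.isEmpty()) { log.warn("no dispatch context to restore"); return; }` guard before the pop keeps that case diagnosable. Whether the push in `before()` happens before or after `beforeAfter.before(...)` is outside the visible hunks, so this is hedged. As a style point, `Object context[]` is C-style array syntax; `Object[] context` is the Java convention. The enclosing method continues outside the hunk.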
Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java?rev=670236&r1=670235&r2=670236&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java Sat Jun 21 10:39:10 2008
@@ -29,8 +29,6 @@
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
-import javax.security.jacc.PolicyContext;
-import javax.security.jacc.PolicyContextException;
import javax.security.jacc.WebResourcePermission;
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
@@ -42,14 +40,13 @@
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.JAASRealm;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
import org.apache.geronimo.security.ContextManager;
-import org.apache.geronimo.security.jacc.PolicyContextHandlerContainerSubject;
import org.apache.geronimo.security.realm.providers.CertificateChainCallbackHandler;
import org.apache.geronimo.security.realm.providers.PasswordCallbackHandler;
import org.apache.geronimo.tomcat.JAASTomcatPrincipal;
import org.apache.geronimo.tomcat.interceptor.PolicyContextBeforeAfter;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/**
* This class adapts the tomcat framework to use JACC security.
@@ -96,25 +93,7 @@
SecurityConstraint[] constraints)
throws IOException {
- //Get an authenticated subject, if there is one
- Subject subject = null;
- try {
-
- //We will use the PolicyContextHandlerContainerSubject.HANDLER_KEY to see if a user
- //has authenticated, since a request.getUserPrincipal() will not pick up the user
- //unless its using a cached session.
- subject = (Subject) PolicyContext.getContext(PolicyContextHandlerContainerSubject.HANDLER_KEY);
-
- } catch (PolicyContextException e) {
- log.error("Failed to get subject from context", e);
- }
-
- //If nothing has authenticated yet, do the normal
- if (subject == null)
- return super.hasUserDataPermission(request, response, constraints);
-
- ContextManager.setCallers(subject, subject);
-
+ setSubject(request);
try {
AccessControlContext acc = ContextManager.getCurrentContext();
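Review bot: Replacing the removed `if (subject == null) return super.hasUserDataPermission(...)` fallback with `setSubject(request)` changes behaviour for a request that has neither a user principal nor a `DEFAULT_SUBJECT` attribute: `setSubject` then calls `ContextManager.setCallers(null, null)` and the JACC check below runs against whatever context that produces, instead of deferring to Tomcat's own check as before. If a missing default subject is impossible because `PolicyContextBeforeAfter` always sets the attribute, a one-line comment at the call site stating that invariant would help; otherwise `if (request.getUserPrincipal() == null && request.getAttribute(PolicyContextBeforeAfter.DEFAULT_SUBJECT) == null) return super.hasUserDataPermission(request, response, constraints);` before the call preserves the old fallback. The same `setSubject(request)` call is introduced in the next hunk of this file, which has the same gap. The method continues past the hunk.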
@@ -175,21 +154,11 @@
}
}
+ setSubject(request);
+
//Set the current wrapper name (Servlet mapping)
currentRequestWrapperName.set(request.getWrapper().getName());
- // Which user principal have we already authenticated?
- Principal principal = request.getUserPrincipal();
-
- //If we have no principal, then we should use the default.
- if (principal == null) {
- Subject defaultSubject = (Subject) request.getAttribute(PolicyContextBeforeAfter.DEFAULT_SUBJECT);
- ContextManager.setCallers(defaultSubject, defaultSubject);
- } else {
- Subject currentCaller = ((JAASTomcatPrincipal) principal).getSubject();
- ContextManager.setCallers(currentCaller, currentCaller);
- }
-
try {
AccessControlContext acc = ContextManager.getCurrentContext();
@@ -208,6 +177,18 @@
}
+ private void setSubject(Request request) {
+ Principal principal = request.getUserPrincipal();
+ //If we have no principal, then we should use the default.
+ if (principal == null) {
+ Subject defaultSubject = (Subject) request.getAttribute(PolicyContextBeforeAfter.DEFAULT_SUBJECT);
+ ContextManager.setCallers(defaultSubject, defaultSubject);
+ } else {
+ Subject subject = ((JAASTomcatPrincipal) principal).getSubject();
+ ContextManager.setCallers(subject, subject);
+ }
+ }
+
/**
* Return <code>true</code> if the specified Principal has the specified
* security role, within the context of this Realm; otherwise return
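Review bot: The new `setSubject` method has no Javadoc, and two of its behaviours are not obvious from the name: the `(JAASTomcatPrincipal) principal` cast throws `ClassCastException` for any other `Principal` implementation, and when the `DEFAULT_SUBJECT` attribute is absent a null subject is passed to `ContextManager.setCallers`. A header such as `/** Installs the request's authenticated subject, or else the default subject stored under PolicyContextBeforeAfter.DEFAULT_SUBJECT, as the current caller via ContextManager. Expects the user principal, when present, to be a JAASTomcatPrincipal. */` would record both.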
@@ -323,6 +304,7 @@
// Negotiate a login via this LoginContext
Subject subject = loginContext.getSubject();
+ //very iffy -- see if needed for basic auth
ContextManager.setCallers(subject, subject);
if (log.isDebugEnabled())
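Review bot: The added `//very iffy -- see if needed for basic auth` leaves an open question in the code without a tracking reference or a statement of what to verify; `// TODO (GERONIMO-4124): check whether setCallers is still needed here for BASIC auth now that hasUserDataPermission/hasResourcePermission call setSubject(request)` makes it greppable and closable. The enclosing method starts and ends outside the hunk.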
Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/test/java/org/apache/geronimo/tomcat/JACCSecurityTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/test/java/org/apache/geronimo/tomcat/JACCSecurityTest.java?rev=670236&r1=670235&r2=670236&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/test/java/org/apache/geronimo/tomcat/JACCSecurityTest.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat6/src/test/java/org/apache/geronimo/tomcat/JACCSecurityTest.java Sat Jun 21 10:39:10 2008
@@ -75,19 +75,19 @@
securityConfig.getRoleMappings().put(role.getRoleName(), role);
- Map roleDesignates = new HashMap();
- Map principalRoleMap = new HashMap();
+ Map<String, SubjectInfo> roleDesignates = new HashMap<String, SubjectInfo>();
+ Map<String, Set<Principal>> principalRoleMap = new HashMap<String, Set<Principal>>();
buildPrincipalRoleMap(securityConfig, roleDesignates, principalRoleMap);
PermissionCollection uncheckedPermissions = new Permissions();
+ uncheckedPermissions.add(new WebUserDataPermission("/protected/*", ""));
PermissionCollection excludedPermissions = new Permissions();
- excludedPermissions.add(new WebResourcePermission("/auth/login.html", ""));
- excludedPermissions.add(new WebUserDataPermission("/auth/login.html", ""));
+ uncheckedPermissions.add(new WebResourcePermission("/auth/logon.html", ""));
+ uncheckedPermissions.add(new WebUserDataPermission("/auth/logon.html", ""));
- Map rolePermissions = new HashMap();
+ Map<String, PermissionCollection> rolePermissions = new HashMap<String, PermissionCollection>();
PermissionCollection permissions = new Permissions();
- permissions.add(new WebUserDataPermission("/protected/*", ""));
permissions.add(new WebResourcePermission("/protected/*", ""));
rolePermissions.put("content-administrator", permissions);
rolePermissions.put("auto-administrator", permissions);
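Review bot: After this change the test no longer exercises excluded permissions at all: `/auth/login.html` was the only entry in `excludedPermissions`, and its replacement `/auth/logon.html` is added to `uncheckedPermissions`, so `excludedPermissions` stays empty and a regression in the deny path would go unnoticed. If the rename was the intent, keeping one excluded entry on a separate path, e.g. `excludedPermissions.add(new WebResourcePermission("/excluded/*", ""));` (constructed example) with a matching assertion, preserves that coverage. Moving `WebUserDataPermission("/protected/*", "")` from the role permissions to unchecked likewise removes the check that an unauthenticated caller fails the user-data check for `/protected/*`; a one-line comment explaining why these are now unchecked would help the next reader. The hunk may continue past the visible lines, and the enclosing method starts outside it.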