Posted to scm@geronimo.apache.org by dj...@apache.org on 2012/04/24 23:45:03 UTC
svn commit: r1330031 - in /geronimo/server/branches/3.0-beta:
framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/
framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/
plugins/connec...
Author: djencks
Date: Tue Apr 24 21:45:02 2012
New Revision: 1330031
URL: http://svn.apache.org/viewvc?rev=1330031&view=rev
Log:
GERONIMO-6337, GERONIMO-6338 initial fix for tomcat, connector, and jetty. More work needed for jetty at eclipse. Code unification may be a good idea too
Added:
geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java (with props)
Modified:
geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/ConnectorCallbackHandler.java
geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/SecurityContextHandler.java
geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/AuthConfigProviderHandlerFactory.java
geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettyIdentityService.java
geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettySecurityHandlerFactory.java
geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/AbstractWebModuleTest.java
geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/security/ServerAuthenticationGBean.java
geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java
geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/IdentityService.java
geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java
geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java
geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java
geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java
geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCUserIdentity.java
Modified: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java (original)
+++ geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java Tue Apr 24 21:45:02 2012
@@ -34,14 +34,12 @@ public class Context {
private final AccessControlContext context;
private final Subject subject;
private final Principal principal;
- private final List<String> groups;
- public Context(SubjectId id, AccessControlContext context, Subject subject, Principal principal, List<String> groups) {
+ public Context(SubjectId id, AccessControlContext context, Subject subject, Principal principal) {
this.id = id;
this.context = context;
this.subject = subject;
this.principal = principal;
- this.groups = groups;
}
public SubjectId getId() {
@@ -60,7 +58,4 @@ public class Context {
return principal;
}
- public List<String> getGroups() {
- return groups;
- }
}
Modified: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java (original)
+++ geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java Tue Apr 24 21:45:02 2012
@@ -296,14 +296,14 @@ public class ContextManager {
throw new ProviderException("Invalid key: " + key.toString());
}
List<String> groups = Collections.emptyList();
- Context context = new Context(subjectId, acc, subject, principal, groups);
+ Context context = new Context(subjectId, acc, subject, principal);
subjectIds.put(context.getId(), subject);
subjectContexts.put(subject, context);
return context.getId();
}
- public static synchronized AccessControlContext registerSubjectShort(Subject subject, Principal callerPrincipal, List<String> groups) {
+ public static synchronized AccessControlContext registerSubjectShort(Subject subject, Principal callerPrincipal) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) sm.checkPermission(SET_CONTEXT);
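Review bot: The local `List<String> groups = Collections.emptyList();` two lines above the `new Context(...)` call is now dead: the commit drops `groups` from the Context constructor but leaves the declaration in place. Delete that line, and the `Collections` import too if nothing else in the file uses it (the import block is outside this hunk). The enclosing method starts before this hunk.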
@@ -334,7 +334,7 @@ public class ContextManager {
if(!subject.isReadOnly()){
subject.getPrincipals().add(principal);
}
- Context context = new Context(subjectId, acc, subject, callerPrincipal, groups);
+ Context context = new Context(subjectId, acc, subject, callerPrincipal);
subjectIds.put(context.getId(), subject);
subjectContexts.put(subject, context);
Added: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java?rev=1330031&view=auto
==============================================================================
--- geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java (added)
+++ geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java Tue Apr 24 21:45:02 2012
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.security.realm.providers;
+
+
+import java.security.Principal;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class WrappingCallerPrincipal implements GeronimoCallerPrincipal {
+
+ private final Principal wrapped;
+
+ public WrappingCallerPrincipal(Principal wrapped) {
+ this.wrapped = wrapped;
+ }
+
+ public Principal getWrapped() {
+ return wrapped;
+ }
+
+ @Override
+ public String getName() {
+ return null;
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ }
+ if (o instanceof WrappingCallerPrincipal) {
+ return wrapped.equals(((WrappingCallerPrincipal)o).wrapped);
+ }
+ return wrapped.equals(o);
+ }
+
+ @Override
+ public int hashCode() {
+ return wrapped.hashCode();
+ }
+}
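Review bot: `getName()` returns `null`, which breaks the `java.security.Principal` contract and will NPE any code that does `p.getName().equals(...)` while iterating `subject.getPrincipals()` (the pre-commit `JaspicAuthenticator` did exactly that); it should delegate with `return wrapped.getName();`. `equals` is asymmetric — for a non-wrapper argument it falls back to `wrapped.equals(o)`, so `wrapper.equals(original)` may be true while `original.equals(wrapper)` is false; if that is meant to make `Subject.getPrincipals().contains(original)` find the wrapper it only works for set implementations that call `element.equals(arg)`, a `HashSet` calls `original.equals(wrapper)` and misses, so either drop the fallback and return `o instanceof WrappingCallerPrincipal && wrapped.equals(((WrappingCallerPrincipal) o).wrapped)` or document the intent in a comment. The constructor also accepts `null`, which only surfaces later as an NPE in `hashCode`; guard it in the style the connector handler already uses, `if (wrapped == null) throw new NullPointerException("No principal provided");`. A one-sentence class Javadoc saying that the wrapper marks an arbitrary JASPIC-supplied principal as the subject's caller principal would help too, since the header currently holds only the `$Rev$` tag.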
Propchange: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/ConnectorCallbackHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/ConnectorCallbackHandler.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/ConnectorCallbackHandler.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/ConnectorCallbackHandler.java Tue Apr 24 21:45:02 2012
@@ -24,6 +24,7 @@ import java.io.IOException;
import java.security.Principal;
import java.util.List;
import java.util.Arrays;
+import java.util.Set;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.Callback;
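Review bot: `java.util.List` and `java.util.Arrays` remain imported although this commit removes their only visible uses (the `getGroups()` method deleted at the end of the class); if nothing else in the file uses them, drop both lines here. The Tomcat `JaspicAuthenticator` is in the same position — its removed block was the only visible user of `Set`, `Collections`, `Arrays`, `CallerPrincipalCallback` and `GroupPrincipalCallback` — but its import block is not part of this diff.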
@@ -42,6 +43,10 @@ import javax.security.auth.login.LoginCo
import javax.security.auth.login.LoginException;
import org.apache.geronimo.security.ContextManager;
+import org.apache.geronimo.security.realm.providers.GeronimoCallerPrincipal;
+import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
+import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;
+import org.apache.geronimo.security.realm.providers.WrappingCallerPrincipal;
/**
* Spec 16.4.1: must support CallerPrincipalCallback, GroupPrincipalCallback, PasswordValidationCallback.
@@ -53,9 +58,6 @@ public class ConnectorCallbackHandler im
private final String realm;
- private Principal callerPrincipal;
- private String[] groupsArray;
-
public ConnectorCallbackHandler(String realm) {
if (realm == null) throw new NullPointerException("No realm provided");
this.realm = realm;
@@ -65,17 +67,29 @@ public class ConnectorCallbackHandler im
{
for (Callback callback: callbacks)
{
- //jaspi to server communication
- if (callback instanceof CallerPrincipalCallback)
- {
- callerPrincipal = ((CallerPrincipalCallback) callback).getPrincipal();
- }
- else if (callback instanceof GroupPrincipalCallback)
- {
- groupsArray = ((GroupPrincipalCallback)callback).getGroups();
- }
- else if (callback instanceof PasswordValidationCallback)
- {
+ // jaspi to server communication
+ if (callback instanceof CallerPrincipalCallback) {
+ CallerPrincipalCallback callerPrincipalCallback = (CallerPrincipalCallback) callback;
+ if (callerPrincipalCallback.getPrincipal() != null) {
+ Principal callerPrincipal = callerPrincipalCallback.getPrincipal();
+ if (callerPrincipal instanceof GeronimoCallerPrincipal) {
+ callerPrincipalCallback.getSubject().getPrincipals().add(callerPrincipal);
+ } else {
+ callerPrincipalCallback.getSubject().getPrincipals().add(new WrappingCallerPrincipal(callerPrincipal));
+ }
+ } else if (callerPrincipalCallback.getName() != null) {
+ Principal callerPrincipal = new GeronimoUserPrincipal(callerPrincipalCallback.getName());
+ callerPrincipalCallback.getSubject().getPrincipals().add(callerPrincipal);
+ }
+ } else if (callback instanceof GroupPrincipalCallback) {
+ GroupPrincipalCallback groupPrincipalCallback = ( GroupPrincipalCallback ) callback;
+ if (groupPrincipalCallback.getGroups() != null) {
+ Set<Principal> principalSet = groupPrincipalCallback.getSubject().getPrincipals();
+ for (String groupName : groupPrincipalCallback.getGroups()) {
+ principalSet.add(new GeronimoGroupPrincipal(groupName));
+ }
+ }
+ } else if (callback instanceof PasswordValidationCallback) {
PasswordValidationCallback passwordValidationCallback = (PasswordValidationCallback) callback;
Subject subject = passwordValidationCallback.getSubject();
final String userName = passwordValidationCallback.getUsername();
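Review bot: In the new CallerPrincipalCallback branch `callerPrincipalCallback.getPrincipal()` is evaluated twice and `callerPrincipalCallback.getSubject().getPrincipals()` three times; hoist them once before the `if`, `Principal callerPrincipal = callerPrincipalCallback.getPrincipal();` and `Set<Principal> principals = callerPrincipalCallback.getSubject().getPrincipals();`, which also collapses the duplicated `add` calls, and normalise the `( GroupPrincipalCallback ) callback` cast spacing. The case where both `getPrincipal()` and `getName()` are null is silently skipped; JASPIC uses that to signal an unauthenticated caller, so a comment like `// null principal and name: unauthenticated caller, nothing to add` would record that the skip is deliberate. The identical block is added to the Tomcat `JaspicCallbackHandler` in this commit and should get the same treatment. The enclosing `handle` method starts before and continues after this hunk.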
@@ -119,12 +133,4 @@ public class ConnectorCallbackHandler im
}
}
- public Principal getCallerPrincipal() {
- return callerPrincipal;
- }
-
- public List<String> getGroups() {
- return groupsArray == null? null: Arrays.asList(groupsArray);
- }
-
}
Modified: geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/SecurityContextHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/SecurityContextHandler.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/SecurityContextHandler.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/SecurityContextHandler.java Tue Apr 24 21:45:02 2012
@@ -20,6 +20,7 @@
package org.apache.geronimo.connector.wrapper.work;
+import java.security.Principal;
import java.util.Stack;
import javax.resource.spi.work.WorkCompletedException;
@@ -35,6 +36,8 @@ import org.apache.geronimo.gbean.annotat
import org.apache.geronimo.gbean.annotation.GBean;
import org.apache.geronimo.gbean.annotation.ParamReference;
import org.apache.geronimo.connector.work.WorkContextHandler;
+import org.apache.geronimo.security.realm.providers.GeronimoCallerPrincipal;
+import org.apache.geronimo.security.realm.providers.WrappingCallerPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -86,7 +89,15 @@ public class SecurityContextHandler impl
clientSubject = new Subject();
ConnectorCallbackHandler callbackHandler = new ConnectorCallbackHandler(realm);
securityContext.setupSecurityContext(callbackHandler, clientSubject, serviceSubject);
- ContextManager.registerSubjectShort(clientSubject, callbackHandler.getCallerPrincipal(), callbackHandler.getGroups());
+ Principal callerPrincipal = null;
+ for (GeronimoCallerPrincipal principal: clientSubject.getPrincipals(GeronimoCallerPrincipal.class)) {
+ if (principal instanceof WrappingCallerPrincipal) {
+ callerPrincipal = ((WrappingCallerPrincipal)principal).getWrapped();
+ } else {
+ callerPrincipal = principal;
+ }
+ }
+ ContextManager.registerSubjectShort(clientSubject, callerPrincipal);
}
callers.get().push(ContextManager.getCallers());
ContextManager.setCallers(clientSubject, clientSubject);
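Review bot: The `for` loop over `clientSubject.getPrincipals(GeronimoCallerPrincipal.class)` never breaks, so `callerPrincipal` ends up as whichever element the `Set` happens to iterate last; a subject carrying more than one `GeronimoCallerPrincipal` (the callback handler adds one per CallerPrincipalCallback, and `GeronimoUserPrincipal` presumably implements the interface too, given it is used as the caller principal in the handler) therefore gets a non-deterministic caller identity. Either `break` after the first match, or treat more than one match as an error with a clear message, and add a comment stating which one wins. `JettyIdentityService.newUserIdentity` in this commit has the same loop and the same issue. The enclosing method begins before this hunk and continues after it.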
Modified: geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/AuthConfigProviderHandlerFactory.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/AuthConfigProviderHandlerFactory.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/AuthConfigProviderHandlerFactory.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/AuthConfigProviderHandlerFactory.java Tue Apr 24 21:45:02 2012
@@ -91,7 +91,7 @@ public class AuthConfigProviderHandlerFa
if (defaultSubject == null) {
defaultSubject = ContextManager.EMPTY;
}
- AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null, null);
+ AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null);
IdentityService identityService = new JettyIdentityService(defaultAcc, defaultSubject, runAsSource);
authConfigProperties.put(POLICY_CONTEXT_ID_KEY, policyContextID);
Authenticator authenticator = new JaspiAuthenticator(serverAuthConfig, authConfigProperties, servletCallbackHandler, serviceSubject, allowLazyAuthentication, identityService);
Modified: geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettyIdentityService.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettyIdentityService.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettyIdentityService.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettyIdentityService.java Tue Apr 24 21:45:02 2012
@@ -31,6 +31,8 @@ import org.apache.geronimo.jetty8.handle
import org.apache.geronimo.security.Callers;
import org.apache.geronimo.security.ContextManager;
import org.apache.geronimo.security.jacc.RunAsSource;
+import org.apache.geronimo.security.realm.providers.GeronimoCallerPrincipal;
+import org.apache.geronimo.security.realm.providers.WrappingCallerPrincipal;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.RunAsToken;
import org.eclipse.jetty.server.UserIdentity;
@@ -79,7 +81,16 @@ public class JettyIdentityService implem
public UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, String[] roles) {
if (subject != null) {
- AccessControlContext acc = ContextManager.registerSubjectShort(subject, userPrincipal, roles == null? null: Arrays.asList(roles));
+ Principal callerPrincipal = null;
+ for (GeronimoCallerPrincipal principal: subject.getPrincipals(GeronimoCallerPrincipal.class)) {
+ if (principal instanceof WrappingCallerPrincipal) {
+ callerPrincipal = ((WrappingCallerPrincipal)principal).getWrapped();
+ } else {
+ callerPrincipal = principal;
+ }
+ }
+
+ AccessControlContext acc = ContextManager.registerSubjectShort(subject, callerPrincipal);
return new GeronimoUserIdentity(subject, userPrincipal, acc);
}
return new GeronimoUserIdentity(null, null, defaultAcc);
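Review bot: `newUserIdentity` now derives the caller principal for `registerSubjectShort` from the subject's `GeronimoCallerPrincipal`s but still hands the `userPrincipal` argument to `GeronimoUserIdentity`, so the identity's principal and the registered caller principal can differ when they come from different sources. If that is intended, say so, e.g. `// userPrincipal is Jetty's view of the user; the registered caller is the subject's GeronimoCallerPrincipal`; otherwise pass `callerPrincipal` to both. The `Arrays` import is presumably now unused since the `Arrays.asList(roles)` call was removed; the import block is outside this hunk.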
Modified: geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettySecurityHandlerFactory.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettySecurityHandlerFactory.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettySecurityHandlerFactory.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettySecurityHandlerFactory.java Tue Apr 24 21:45:02 2012
@@ -80,7 +80,7 @@ public class JettySecurityHandlerFactory
if (defaultSubject == null) {
defaultSubject = ContextManager.EMPTY;
}
- AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null, null);
+ AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null);
IdentityService identityService = new JettyIdentityService(defaultAcc, defaultSubject, runAsSource);
if (checkRolePermissions) {
return new JaccSecurityHandler(policyContextID, authenticator, loginService, identityService, defaultAcc);
Modified: geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/AbstractWebModuleTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/AbstractWebModuleTest.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/AbstractWebModuleTest.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/AbstractWebModuleTest.java Tue Apr 24 21:45:02 2012
@@ -128,7 +128,7 @@ public class AbstractWebModuleTest exten
LoginService loginService = newLoginService();
// final ServletCallbackHandler callbackHandler = new ServletCallbackHandler(loginService);
final Subject subject = new Subject();
- final AccessControlContext acc = ContextManager.registerSubjectShort(subject, null, null);
+ final AccessControlContext acc = ContextManager.registerSubjectShort(subject, null);
securityHandlerFactory = new ServerAuthenticationGBean(new Authenticator() {
public Authentication validateRequest(ServletRequest request, ServletResponse response, boolean mandatory) throws ServerAuthException {
return new UserAuthentication("test", new GeronimoUserIdentity(subject, new GeronimoUserPrincipal("foo"), acc));
Modified: geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/security/ServerAuthenticationGBean.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/security/ServerAuthenticationGBean.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/security/ServerAuthenticationGBean.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/security/ServerAuthenticationGBean.java Tue Apr 24 21:45:02 2012
@@ -56,7 +56,7 @@ public class ServerAuthenticationGBean i
if (defaultSubject == null) {
defaultSubject = ContextManager.EMPTY;
}
- AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null, null);
+ AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null);
IdentityService identityService = new JettyIdentityService(defaultAcc, defaultSubject, runAsSource);
return new JaccSecurityHandler(policyContextID, authenticator, loginService, identityService, defaultAcc);
}
Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java Tue Apr 24 21:45:02 2012
@@ -140,7 +140,7 @@ public abstract class BaseGeronimoContex
defaultSubject = ContextManager.EMPTY;
}
IdentityService identityService = new GeronimoIdentityService(defaultSubject);
- UserIdentity unauthenticatedIdentity = identityService.newUserIdentity(defaultSubject, null, null);
+ UserIdentity unauthenticatedIdentity = identityService.newUserIdentity(defaultSubject);
LoginService loginService = new GeronimoLoginService(configurationFactory, identityService);
Authenticator authenticator;
AuthConfigFactory authConfigFactory = AuthConfigFactory.getFactory();
@@ -183,7 +183,7 @@ public abstract class BaseGeronimoContex
authenticator = new NoneAuthenticator(unauthenticatedIdentity);
}
- AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null, null);
+ AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject, null);
Authorizer authorizer = createAuthorizer(defaultAcc);
SecurityValve securityValve = new JACCSecurityValve(authenticator, authorizer, identityService, policyContextId);
Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/IdentityService.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/IdentityService.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/IdentityService.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/IdentityService.java Tue Apr 24 21:45:02 2012
@@ -33,6 +33,6 @@ public interface IdentityService {
void dissociate(Object previous);
- UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, List<String> gropus);
+ UserIdentity newUserIdentity(Subject subject);
}
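Review bot: The new `newUserIdentity(Subject subject)` has no Javadoc, and its contract changed materially — the caller principal and groups are no longer passed in, so implementations must derive them from the subject, presumably from its `GeronimoCallerPrincipal` and `GeronimoGroupPrincipal`s as the connector and Jetty code in this commit do. A Javadoc such as `/** Creates a UserIdentity whose caller principal and groups are taken from the principals in {@code subject}; {@code subject} must not be null. */` would document that. The `Principal` and `List` imports are presumably now unused; the import block is outside this hunk.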
Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java Tue Apr 24 21:45:02 2012
@@ -98,26 +98,7 @@ public class JaspicAuthenticator impleme
if (ids.size() > 0) {
userIdentity = ids.iterator().next();
} else {
- CallerPrincipalCallback principalCallback = callbackHandler.getThreadCallerPrincipalCallback();
- if (principalCallback == null) throw new NullPointerException("No CallerPrincipalCallback");
- Principal principal = principalCallback.getPrincipal();
- if (principal == null) {
- String principalName = principalCallback.getName();
- Set<Principal> principals = principalCallback.getSubject().getPrincipals();
- for (Principal p : principals) {
- if (p.getName().equals(principalName)) {
- principal = p;
- break;
- }
- }
- if (principal == null) {
- //TODO not clear what to do here.
- return new AuthResult(TomcatAuthStatus.SUCCESS, null, false);
- }
- }
- GroupPrincipalCallback groupPrincipalCallback = callbackHandler.getThreadGroupPrincipalCallback();
- String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
- userIdentity = identityService.newUserIdentity(clientSubject, principal, groups == null ? Collections.<String>emptyList() : Arrays.asList(groups));
+ userIdentity = identityService.newUserIdentity(clientSubject);
}
return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, containerCaching);
}
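Review bot: The removed block returned an `AuthResult` with a `null` identity when the callback supplied neither a principal nor a name (JASPIC's unauthenticated-caller case); the replacement calls `identityService.newUserIdentity(clientSubject)` unconditionally, so that case now depends on how `GeronimoIdentityService` treats a subject with no `GeronimoCallerPrincipal`, which is not visible in this chunk. Worth confirming that it yields an unauthenticated identity rather than an authenticated one with no caller, and a comment such as `// subject carries the caller/group principals added by JaspicCallbackHandler; an unauthenticated caller has none` would make the dependency explicit. The enclosing method starts before this hunk.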
Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java Tue Apr 24 21:45:02 2012
@@ -21,6 +21,8 @@
package org.apache.geronimo.tomcat.security.authentication.jaspic;
import java.io.IOException;
+import java.security.Principal;
+import java.util.Set;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.Callback;
@@ -34,6 +36,10 @@ import javax.security.auth.message.callb
import javax.security.auth.message.callback.TrustStoreCallback;
import javax.security.auth.Subject;
+import org.apache.geronimo.security.realm.providers.GeronimoCallerPrincipal;
+import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
+import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;
+import org.apache.geronimo.security.realm.providers.WrappingCallerPrincipal;
import org.apache.geronimo.tomcat.security.LoginService;
import org.apache.geronimo.tomcat.security.UserIdentity;
@@ -43,9 +49,6 @@ import org.apache.geronimo.tomcat.securi
public class JaspicCallbackHandler implements CallbackHandler {
private final LoginService loginService;
- private final ThreadLocal<CallerPrincipalCallback> callerPrincipals = new ThreadLocal<CallerPrincipalCallback>();
- private final ThreadLocal<GroupPrincipalCallback> groupPrincipals = new ThreadLocal<GroupPrincipalCallback>();
-
public JaspicCallbackHandler(LoginService loginService) {
this.loginService = loginService;
}
@@ -54,9 +57,26 @@ public class JaspicCallbackHandler imple
for (Callback callback : callbacks) {
// jaspi to server communication
if (callback instanceof CallerPrincipalCallback) {
- callerPrincipals.set((CallerPrincipalCallback) callback);
+ CallerPrincipalCallback callerPrincipalCallback = (CallerPrincipalCallback) callback;
+ if (callerPrincipalCallback.getPrincipal() != null) {
+ Principal callerPrincipal = callerPrincipalCallback.getPrincipal();
+ if (callerPrincipal instanceof GeronimoCallerPrincipal) {
+ callerPrincipalCallback.getSubject().getPrincipals().add(callerPrincipal);
+ } else {
+ callerPrincipalCallback.getSubject().getPrincipals().add(new WrappingCallerPrincipal(callerPrincipal));
+ }
+ } else if (callerPrincipalCallback.getName() != null) {
+ Principal callerPrincipal = new GeronimoUserPrincipal(callerPrincipalCallback.getName());
+ callerPrincipalCallback.getSubject().getPrincipals().add(callerPrincipal);
+ }
} else if (callback instanceof GroupPrincipalCallback) {
- groupPrincipals.set((GroupPrincipalCallback) callback);
+ GroupPrincipalCallback groupPrincipalCallback = ( GroupPrincipalCallback ) callback;
+ if (groupPrincipalCallback.getGroups() != null) {
+ Set<Principal> principalSet = groupPrincipalCallback.getSubject().getPrincipals();
+ for (String groupName : groupPrincipalCallback.getGroups()) {
+ principalSet.add(new GeronimoGroupPrincipal(groupName));
+ }
+ }
} else if (callback instanceof PasswordValidationCallback) {
PasswordValidationCallback passwordValidationCallback = (PasswordValidationCallback) callback;
Subject subject = passwordValidationCallback.getSubject();
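Review bot: The CallerPrincipalCallback branch can leave the client Subject with two caller principals when the same handle() invocation also carries a PasswordValidationCallback: that branch copies every principal of the login Subject into the callback's Subject, and this branch then adds `new WrappingCallerPrincipal(callerPrincipal)` or `new GeronimoUserPrincipal(callerPrincipalCallback.getName())` on top, so the Subject may hold two GeronimoCallerPrincipal instances whose names need not agree, and any consumer that later picks "the" caller principal from that set gets an arbitrary one. Consider skipping the add when `callerPrincipalCallback.getSubject().getPrincipals(GeronimoCallerPrincipal.class)` is already non-empty, or at least state the intended precedence in a comment such as `// a caller principal already established by a PasswordValidationCallback takes precedence`. When both getPrincipal() and getName() are null the branch adds nothing, which matches the unauthenticated-caller meaning of that callback but leaves the Subject without any caller principal; a one-line comment saying this is deliberate would help the next reader. Minor style: `( GroupPrincipalCallback ) callback` should be `(GroupPrincipalCallback) callback` to match the cast in the CallerPrincipalCallback branch. The enclosing handle() method starts and ends outside this hunk.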
@@ -65,8 +85,8 @@ public class JaspicCallbackHandler imple
if (user != null) {
passwordValidationCallback.setResult(true);
- passwordValidationCallback.getSubject().getPrincipals().addAll(user.getSubject().getPrincipals());
- passwordValidationCallback.getSubject().getPrivateCredentials().add(user);
+ subject.getPrincipals().addAll(user.getSubject().getPrincipals());
+ subject.getPrivateCredentials().add(user);
}
}
// server to jaspi communication
@@ -81,15 +101,4 @@ public class JaspicCallbackHandler imple
}
}
- public CallerPrincipalCallback getThreadCallerPrincipalCallback() {
- CallerPrincipalCallback callerPrincipalCallback = callerPrincipals.get();
- callerPrincipals.remove();
- return callerPrincipalCallback;
- }
-
- public GroupPrincipalCallback getThreadGroupPrincipalCallback() {
- GroupPrincipalCallback groupPrincipalCallback = groupPrincipals.get();
- groupPrincipals.remove();
- return groupPrincipalCallback;
- }
}
Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java Tue Apr 24 21:45:02 2012
@@ -20,12 +20,13 @@
package org.apache.geronimo.tomcat.security.impl;
-import java.security.Principal;
import java.security.AccessControlContext;
-import java.util.List;
+import java.security.Principal;
import javax.security.auth.Subject;
+import org.apache.geronimo.security.realm.providers.GeronimoCallerPrincipal;
+import org.apache.geronimo.security.realm.providers.WrappingCallerPrincipal;
import org.apache.geronimo.tomcat.security.IdentityService;
import org.apache.geronimo.tomcat.security.UserIdentity;
import org.apache.geronimo.tomcat.security.jacc.JACCUserIdentity;
@@ -53,8 +54,16 @@ public class GeronimoIdentityService imp
ContextManager.popCallers((Callers) previous);
}
- public UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, List<String> groups) {
- AccessControlContext acc = ContextManager.registerSubjectShort(subject, userPrincipal, groups);
- return new JACCUserIdentity(subject, userPrincipal, groups, acc);
+ public UserIdentity newUserIdentity(Subject subject) {
+ Principal callerPrincipal = null;
+ for (GeronimoCallerPrincipal principal: subject.getPrincipals(GeronimoCallerPrincipal.class)) {
+ if (principal instanceof WrappingCallerPrincipal) {
+ callerPrincipal = ((WrappingCallerPrincipal)principal).getWrapped();
+ } else {
+ callerPrincipal = principal;
+ }
+ }
+ AccessControlContext acc = ContextManager.registerSubjectShort(subject, callerPrincipal);
+ return new JACCUserIdentity(subject, callerPrincipal, acc);
}
}
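Review bot: The loop in newUserIdentity overwrites callerPrincipal on every iteration, so if the Subject holds more than one GeronimoCallerPrincipal the identity handed to registerSubjectShort and JACCUserIdentity is whichever one the Set happens to yield last; Subject.getPrincipals(Class) returns an unordered Set, so the caller identity used for authorization would be nondeterministic rather than simply wrong. If a Subject can legitimately contain only one caller principal, the loop should enforce that and fail closed instead of silently picking one; if several are expected, the selection rule should be explicit and documented. The loop also falls through with callerPrincipal == null when no GeronimoCallerPrincipal is present, which the old signature avoided by receiving the principal from the caller; the same assumption now reaches GeronimoLoginService.login via its `identityService.newUserIdentity(establishedSubject)` call, so whether a null caller principal is an acceptable outcome there (presumably an unauthenticated identity) should be confirmed and documented at this method. A rejecting variant of the loop is sketched below; the rest of the method is unchanged.
```java
public UserIdentity newUserIdentity(Subject subject) {
    Principal callerPrincipal = null;
    for (GeronimoCallerPrincipal principal : subject.getPrincipals(GeronimoCallerPrincipal.class)) {
        Principal candidate = principal instanceof WrappingCallerPrincipal
                ? ((WrappingCallerPrincipal) principal).getWrapped()
                : principal;
        if (callerPrincipal != null && !callerPrincipal.equals(candidate)) {
            // fail closed: an ambiguous caller identity must not reach authorization
            throw new IllegalStateException("Subject carries more than one caller principal");
        }
        callerPrincipal = candidate;
    }
    // … unchanged: registerSubjectShort and JACCUserIdentity construction …
```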
Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java Tue Apr 24 21:45:02 2012
@@ -20,7 +20,6 @@
package org.apache.geronimo.tomcat.security.impl;
-import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.security.auth.callback.CallbackHandler;
@@ -61,8 +60,7 @@ public class GeronimoLoginService implem
try {
LoginContext loginContext = ContextManager.login(configurationFactory.getConfigurationName(), callbackHandler, configurationFactory.getConfiguration());
Subject establishedSubject = loginContext.getSubject();
- Principal userPrincipal = ContextManager.getCurrentPrincipal(establishedSubject);
- return identityService.newUserIdentity(establishedSubject, userPrincipal, null);
+ return identityService.newUserIdentity(establishedSubject);
} catch (LoginException e) {
return null;
}
Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCUserIdentity.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCUserIdentity.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCUserIdentity.java (original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCUserIdentity.java Tue Apr 24 21:45:02 2012
@@ -34,14 +34,12 @@ import javax.security.auth.Subject;
public class JACCUserIdentity implements UserIdentity {
private final Subject subject;
private final Principal userPrincipal;
- private final List<String> groups;
private final AccessControlContext acc;
- public JACCUserIdentity(Subject subject, Principal userPrincipal, List<String> groups, AccessControlContext acc) {
+ public JACCUserIdentity(Subject subject, Principal userPrincipal, AccessControlContext acc) {
if (subject == null) throw new NullPointerException("No Subject in user identity");
this.subject = subject;
this.userPrincipal = userPrincipal;
- this.groups = groups;
this.acc = acc;
}
@@ -53,10 +51,6 @@ public class JACCUserIdentity implements
return subject;
}
- public List<String> getGroups() {
- return groups;
- }
-
public AccessControlContext getAccessControlContext() {
return acc;
}