Posted to commits@tomee.apache.org by db...@apache.org on 2007/03/26 04:30:57 UTC
svn commit: r522403 - in /incubator/openejb/trunk/openejb3:
container/openejb-core/src/main/java/org/apache/openejb/config/
container/openejb-core/src/main/java/org/apache/openejb/core/security/
container/openejb-core/src/test/java/org/apache/openejb/c...
Author: dblevins
Date: Sun Mar 25 19:30:56 2007
New Revision: 522403
URL: http://svn.apache.org/viewvc?view=rev&rev=522403
Log:
IsCallerInRole working.
Fixed AuthRequestHandler to respond on failed login.
Modified:
incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/config/EjbJarInfoBuilder.java
incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/security/SecurityServiceImpl.java
incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/security/SecurityTest.java
incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/AuthRequestHandler.java
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/config/EjbJarInfoBuilder.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/config/EjbJarInfoBuilder.java?view=diff&rev=522403&r1=522402&r2=522403
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/config/EjbJarInfoBuilder.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/config/EjbJarInfoBuilder.java Sun Mar 25 19:30:56 2007
@@ -90,7 +90,6 @@
public static Messages messages = new Messages("org.apache.openejb.util.resources");
public static Logger logger = Logger.getInstance("OpenEJB", "org.apache.openejb.util.resources");
- public static final String DEFAULT_SECURITY_ROLE = "openejb.default.security.role";
private final List<String> deploymentIds = new ArrayList<String>();
private final List<String> securityRoles = new ArrayList<String>();
@@ -342,8 +341,7 @@
info.roleName = ref.getRoleName();
if (info.roleLink == null) {
- ConfigUtils.logger.i18n.warning("conf.0009", info.roleName, bean.ejbName, jar.getJarURI());
- info.roleLink = DEFAULT_SECURITY_ROLE;
+ info.roleLink = info.roleName;
}
bean.securityRoleReferences.add(info);
}
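Review bot: The `conf.0009` warning emitted when a security-role-ref has no role-link is removed together with the default role at L33–L34, so an unlinked reference now resolves silently to a same-named role at `info.roleLink = info.roleName;`. That fallback is a reasonable default, but the dropped log line was the only signal that a deployment depends on implicit linking, which matters when auditing which roles a bean can actually test. Keep a low-severity message on the same `ConfigUtils.logger` inside the `if`, naming `info.roleName`, `bean.ejbName` and the jar, so the implicit mapping stays visible in the deployment log. The enclosing method starts outside this hunk.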
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/security/SecurityServiceImpl.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/security/SecurityServiceImpl.java?view=diff&rev=522403&r1=522402&r2=522403
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/security/SecurityServiceImpl.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/security/SecurityServiceImpl.java Sun Mar 25 19:30:56 2007
@@ -59,6 +59,9 @@
*/
public class SecurityServiceImpl implements SecurityService, ThreadContextListener {
static private final Map<Object, Identity> identities = new java.util.concurrent.ConcurrentHashMap();
+ static private final ThreadLocal<Subject> clientIdentity = new ThreadLocal<Subject>();
+
+
private final String defaultUser = "guest";
private final Subject defaultSubject;
@@ -79,6 +82,9 @@
defaultContext = new SecurityContext(defaultSubject);
}
+ public void init(Properties props) throws Exception {
+ }
+
public Object login(String username, String password) throws LoginException {
LoginContext context = new LoginContext("PropertiesLogin", new UsernamePasswordCallbackHandler(username, password));
context.login();
@@ -91,59 +97,6 @@
return token;
}
- public static class Group implements java.security.acl.Group {
- private final List<Principal> members = new ArrayList<Principal>();
- private final String name;
-
- public Group(String name) {
- this.name = name;
- }
-
- public boolean addMember(Principal user) {
- return members.add(user);
- }
-
- public boolean removeMember(Principal user) {
- return members.remove(user);
- }
-
- public boolean isMember(Principal member) {
- return members.contains(member);
- }
-
- public Enumeration<? extends Principal> members() {
- return Collections.enumeration(members);
- }
-
- public String getName() {
- return name;
- }
- }
-
- public static class User implements Principal {
- private final String name;
-
- public User(String name) {
- this.name = name;
- }
-
- public String getName() {
- return name;
- }
- }
-
- private Subject createSubject(String name) {
- SecurityServiceImpl.User user = new SecurityServiceImpl.User(name);
- SecurityServiceImpl.Group group = new SecurityServiceImpl.Group(name);
- group.addMember(user);
-
- HashSet<Principal> principals = new HashSet<Principal>();
- principals.add(user);
- principals.add(group);
-
- return new Subject(true, principals, new HashSet(), new HashSet());
- }
-
private final static class SecurityContext {
private final Subject subject;
private final AccessControlContext acc;
@@ -217,8 +170,6 @@
return securityContext.subject;
}
- private static ThreadLocal<Subject> clientIdentity = new ThreadLocal<Subject>();
-
public void associate(Object securityIdentity) throws LoginException {
if (securityIdentity == null) return;
@@ -229,6 +180,24 @@
}
+ private static class Identity {
+ private final Subject subject;
+ private final UUID token;
+
+ public Identity(Subject subject) {
+ this.subject = subject;
+ this.token = UUID.randomUUID();
+ }
+
+ public Subject getSubject() {
+ return subject;
+ }
+
+ public Serializable getToken() {
+ return token;
+ }
+ }
+
public boolean isCallerInRole(String role) {
if (role == null) throw new IllegalArgumentException("Role must not be null");
@@ -237,6 +206,8 @@
try {
CoreDeploymentInfo deployment = threadContext.getDeploymentInfo();
+
+ role = deployment.getSecurityRole(role);
securityContext.acc.checkPermission(new EJBRoleRefPermission(deployment.getEjbName(), role));
} catch (AccessControlException e) {
return false;
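Review bot: `role = deployment.getSecurityRole(role);` overwrites the caller's role-reference name and passes the result straight into `new EJBRoleRefPermission(...)`, yet the `catch` below handles only `AccessControlException`; if `getSecurityRole` can return null for a reference the bean never declared (its contract is not visible here), that case escapes as an exception instead of the expected `false`. Keep the reference and the linked role as separate names and deny explicitly: `String linkedRole = deployment.getSecurityRole(role); if (linkedRole == null) return false;` and then pass `linkedRole` to the permission. A comment such as `// map the bean's role-ref to the declared security role before the JACC check` would also explain why the lookup precedes `checkPermission`. The remainder of `isCallerInRole`, including its return of `true`, lies outside this hunk.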
@@ -278,28 +249,6 @@
return true;
}
- private static class Identity {
- private final Subject subject;
- private final UUID token;
-
- public Identity(Subject subject) {
- this.subject = subject;
- this.token = UUID.randomUUID();
- }
-
- public Subject getSubject() {
- return subject;
- }
-
- public Serializable getToken() {
- return token;
- }
- }
-
- public void init(Properties props) throws Exception {
- }
-
-
public Object getSecurityIdentity() {
return null;
}
@@ -355,4 +304,58 @@
throw new IllegalStateException("Could not install JACC Policy Provider: "+policyProvider, e);
}
}
+
+ private Subject createSubject(String name) {
+ SecurityServiceImpl.User user = new SecurityServiceImpl.User(name);
+ SecurityServiceImpl.Group group = new SecurityServiceImpl.Group(name);
+ group.addMember(user);
+
+ HashSet<Principal> principals = new HashSet<Principal>();
+ principals.add(user);
+ principals.add(group);
+
+ return new Subject(true, principals, new HashSet(), new HashSet());
+ }
+
+ public static class Group implements java.security.acl.Group {
+ private final List<Principal> members = new ArrayList<Principal>();
+ private final String name;
+
+ public Group(String name) {
+ this.name = name;
+ }
+
+ public boolean addMember(Principal user) {
+ return members.add(user);
+ }
+
+ public boolean removeMember(Principal user) {
+ return members.remove(user);
+ }
+
+ public boolean isMember(Principal member) {
+ return members.contains(member);
+ }
+
+ public Enumeration<? extends Principal> members() {
+ return Collections.enumeration(members);
+ }
+
+ public String getName() {
+ return name;
+ }
+ }
+
+ public static class User implements Principal {
+ private final String name;
+
+ public User(String name) {
+ this.name = name;
+ }
+
+ public String getName() {
+ return name;
+ }
+ }
+
}
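Review bot: Neither `User` nor `Group` overrides `equals`/`hashCode`, so two `User("guest")` instances compare unequal; `Group.isMember`, the `HashSet<Principal>` built in `createSubject`, and any consumer that compares principals by value rather than by instance will behave inconsistently, which is undesirable for objects that carry authorization identity inside a `Subject`. Define equality on the class and `name` for both principals, or document that instance identity is intended. The two `new HashSet()` arguments passed to the `Subject` constructor are also raw types and should carry a type argument.
```java
    public static class User implements Principal {
        // … unchanged: name field, constructor, getName …

        @Override
        public boolean equals(Object o) {
            return o instanceof User && name.equals(((User) o).name);
        }

        @Override
        public int hashCode() {
            return name.hashCode();
        }
    }
    // Group: same equals/hashCode on `name`, keeping the members list out of equality
```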
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/security/SecurityTest.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/security/SecurityTest.java?view=diff&rev=522403&r1=522402&r2=522403
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/security/SecurityTest.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/security/SecurityTest.java Sun Mar 25 19:30:56 2007
@@ -32,10 +32,13 @@
import javax.naming.InitialContext;
import javax.naming.Context;
import javax.ejb.Stateless;
+import javax.ejb.SessionContext;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.PermitAll;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RunAs;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.Resource;
import java.util.Properties;
/**
@@ -85,7 +88,7 @@
InitialContext ctx = new InitialContext(props);
- Foo foo = (Foo) ctx.lookup("FooBeanBusinessLocal");
+ Project foo = (Project) ctx.lookup("FooBeanBusinessLocal");
foo.svnCheckout("");
@@ -98,27 +101,41 @@
// good.
}
- foo = (Foo) ctx.lookup("BarBeanBusinessLocal");
+ assertTrue("not in role committer", foo.isCallerInRole("committer"));
+ assertTrue("not in role community", foo.isCallerInRole("community"));
+ assertFalse("in role contributor", foo.isCallerInRole("contributor"));
- foo.svnCheckout("");
+ Project bar = (Project) ctx.lookup("BarBeanBusinessLocal");
+
+ bar.svnCheckout("");
try {
- foo.svnCommit("");
+ bar.svnCommit("");
fail("Should not be allowed");
} catch (Exception e) {
// good
}
try {
- foo.deleteProject("");
+ bar.deleteProject("");
fail("Should not be allowed");
} catch (Exception e) {
// good.
}
+
+ assertFalse("in role committer", bar.isCallerInRole("committer"));
+ assertFalse("in role community", bar.isCallerInRole("community"));
+ assertTrue("not in role contributor", bar.isCallerInRole("contributor"));
+
}
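Review bot: The assertions at L294–L296 expect `isCallerInRole` inside `BarBean` to reflect the bean's `@RunAs("contributor")` identity rather than the authenticated caller, who is shown to be a committer at L272; a reader who expects run-as to govern only the bean's outgoing calls will read the `assertFalse("in role committer", ...)` line as an inverted expectation. Add a one-line comment before L294 stating the intended semantics, e.g. `// with @RunAs the run-as identity, not the authenticated caller, is what isCallerInRole sees inside BarBean`. The enclosing test method begins outside this hunk.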
@Stateless
- public static class FooBean implements Foo {
+ @DeclareRoles({"committer", "contributor","community"})
+ public static class FooBean implements Project {
+
+ @Resource
+ private SessionContext context;
+
@RolesAllowed({"committer"})
public String svnCommit(String s) {
return s;
@@ -138,11 +155,20 @@
public String deleteProject(String s) {
return s;
}
+
+ public boolean isCallerInRole(String role){
+ return context.isCallerInRole(role);
+ }
}
@Stateless
@RunAs("contributor")
- public static class BarBean implements Foo {
+ @DeclareRoles({"committer", "contributor","community"})
+ public static class BarBean implements Project {
+
+ @Resource
+ private SessionContext context;
+
@RolesAllowed({"committer"})
public String svnCommit(String s) {
return s;
@@ -162,9 +188,14 @@
public String deleteProject(String s) {
return s;
}
+
+ @PermitAll
+ public boolean isCallerInRole(String role){
+ return context.isCallerInRole(role);
+ }
}
- public static interface Foo {
+ public static interface Project {
public String svnCommit(String s);
@@ -173,5 +204,7 @@
public String svnCheckout(String s);
public String deleteProject(String s);
+
+ public boolean isCallerInRole(String s);
}
}
Modified: incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/AuthRequestHandler.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/AuthRequestHandler.java?view=diff&rev=522403&r1=522402&r2=522403
==============================================================================
--- incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/AuthRequestHandler.java (original)
+++ incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/AuthRequestHandler.java Sun Mar 25 19:30:56 2007
@@ -22,12 +22,18 @@
import org.apache.openejb.client.ResponseCodes;
import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.spi.SecurityService;
+import org.apache.openejb.util.Messages;
+import org.apache.openejb.util.Logger;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
+import java.io.IOException;
class AuthRequestHandler {
+ Messages _messages = new Messages("org.apache.openejb.server.util.resources");
+ Logger logger = Logger.getInstance("OpenEJB.server.remote", "org.apache.openejb.server.util.resources");
+
AuthRequestHandler(EjbDaemon daemon) {
}
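Review bot: `_messages` is created at L366 but is not used in either hunk of this file, and both new fields are mutable and package-private although they hold per-class state. Drop `_messages` unless a later change needs it, and make the logger `private static final Logger logger = Logger.getInstance("OpenEJB.server.remote", "org.apache.openejb.server.util.resources");` so each handler instance does not construct its own.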
@@ -53,8 +59,12 @@
res.writeExternal(out);
} catch (Throwable t) {
- // TODO: Log
- return;
+ try {
+ res.setResponseCode(ResponseCodes.AUTH_DENIED);
+ res.writeExternal(out);
+ } catch (IOException e) {
+ logger.error("Failed to write to AuthenticationResponse", e);
+ }
}
}
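Review bot: The original failure `t` is never logged — only the secondary `IOException` from writing the denial is — so nothing in this handler records why authentication was refused, which removes the signal an operator needs to notice repeated failed logins; `catch (Throwable t)` also swallows errors such as `OutOfMemoryError` in the same branch. Log the cause before sending the denial, without echoing the submitted credentials, e.g. `logger.warning("Authentication failed", t);` as the first line of the catch, and consider narrowing the catch to `Exception`. If the first `res.writeExternal(out)` failed part-way through, the retry appends a second response to the same stream; whether the client copes with that is not visible here. The login call and the rest of the method lie outside this hunk.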