Posted to scm@geronimo.apache.org by dj...@apache.org on 2005/09/15 04:43:43 UTC
svn commit: r289136 - in /geronimo/trunk/modules/tomcat: ./
src/java/org/apache/geronimo/tomcat/
src/java/org/apache/geronimo/tomcat/valve/
Author: djencks
Date: Wed Sep 14 19:43:39 2005
New Revision: 289136
URL: http://svn.apache.org/viewcvs?rev=289136&view=rev
Log:
GERONIMO-1012 Hack that sets the defaultSubject if the web-app has no permissions at all. Also clears the subject for other web apps on return. Not an elegant or complete solution
Added:
geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/DefaultSubjectValve.java
Modified:
geronimo/trunk/modules/tomcat/project.xml
geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java
Modified: geronimo/trunk/modules/tomcat/project.xml
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/project.xml?rev=289136&r1=289135&r2=289136&view=diff
==============================================================================
--- geronimo/trunk/modules/tomcat/project.xml (original)
+++ geronimo/trunk/modules/tomcat/project.xml Wed Sep 14 19:43:39 2005
@@ -136,11 +136,23 @@
</dependency>
<dependency>
<groupId>geronimo-spec</groupId>
- <artifactId>geronimo-spec-j2ee</artifactId>
- <version>${geronimo_spec_j2ee_version}</version>
- <properties>
- <repository>true</repository>
- </properties>
+ <artifactId>geronimo-spec-servlet</artifactId>
+ <version>${geronimo_spec_servlet_version}</version>
+ </dependency>
+ <dependency>
+ <groupId>geronimo-spec</groupId>
+ <artifactId>geronimo-spec-j2ee-jacc</artifactId>
+ <version>${geronimo_spec_j2ee_jacc_version}</version>
+ </dependency>
+ <dependency>
+ <groupId>geronimo-spec</groupId>
+ <artifactId>geronimo-spec-j2ee-connector</artifactId>
+ <version>${geronimo_spec_j2ee_connector_version}</version>
+ </dependency>
+ <dependency>
+ <groupId>geronimo-spec</groupId>
+ <artifactId>geronimo-spec-jta</artifactId>
+ <version>${geronimo_spec_jta_version}</version>
</dependency>
<dependency>
<groupId>geronimo</groupId>
@@ -269,7 +281,7 @@
<artifactId>xml-apis</artifactId>
<version>${xml_apis_version}</version>
</dependency>
-
+
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java?rev=289136&r1=289135&r2=289136&view=diff
==============================================================================
--- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java (original)
+++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java Wed Sep 14 19:43:39 2005
@@ -30,6 +30,7 @@
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Valve;
import org.apache.catalina.Wrapper;
+import org.apache.catalina.authenticator.AuthenticatorBase;
import org.apache.catalina.core.StandardContext;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
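Review bot: `org.apache.catalina.authenticator.AuthenticatorBase` is added to the imports but is not referenced in any visible hunk of this file, so unless the unchanged part of the file uses it the import should be dropped rather than left as a hint of an unfinished change. The same applies to the `ContextManager` and `Subject` imports added to PolicyContextValve.java in this commit, whose only code change is the try/finally around `getNext().invoke(request, response)` and uses neither name. Dropping unused imports keeps the security-relevant dependencies of each valve explicit and reviewable.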
@@ -47,23 +48,24 @@
import org.apache.geronimo.tomcat.valve.InstanceContextValve;
import org.apache.geronimo.tomcat.valve.PolicyContextValve;
import org.apache.geronimo.tomcat.valve.TransactionContextValve;
+import org.apache.geronimo.tomcat.valve.DefaultSubjectValve;
import org.apache.geronimo.transaction.context.TransactionContextManager;
import org.apache.geronimo.webservices.POJOWebServiceServlet;
import org.apache.geronimo.webservices.WebServiceContainer;
import org.apache.geronimo.webservices.WebServiceContainerInvoker;
public class GeronimoStandardContext extends StandardContext{
-
+
private static final Log log = LogFactory.getLog(GeronimoStandardContext.class);
private static final long serialVersionUID = 3834587716552831032L;
private Subject defaultSubject = null;
-
+
private Map webServiceMap = null;
-
+
public void setContextProperties(TomcatContext ctx){
-
+
// Create ReadOnlyContext
javax.naming.Context enc = null;
Map componentContext = ctx.getComponentContext();
@@ -85,12 +87,12 @@
}
//Set the InstanceContextValve
- InstanceContextValve instanceContextValve =
+ InstanceContextValve instanceContextValve =
new InstanceContextValve(ctx.getUnshareableResources(),
ctx.getApplicationManagedSecurityResources(),
ctx.getTrackedConnectionAssociator());
addValve(instanceContextValve);
-
+
// Set ComponentContext valve
if (enc != null) {
ComponentContextValve contextValve = new ComponentContextValve(enc);
@@ -109,9 +111,9 @@
SecurityHolder securityHolder = ctx.getSecurityHolder();
if (securityHolder != null){
if (securityHolder.getPolicyContextID() != null) {
-
+
PolicyContext.setContextID(securityHolder.getPolicyContextID());
-
+
/**
* Register our default subject with the ContextManager
*/
@@ -120,26 +122,40 @@
defaultSubject = ConfigurationUtil.generateDefaultSubject(defaultPrincipal);
ContextManager.registerSubject(defaultSubject);
SubjectId id = ContextManager.getSubjectId(defaultSubject);
- defaultSubject.getPrincipals().add(new IdentificationPrincipal(id));
+ defaultSubject.getPrincipals().add(new IdentificationPrincipal(id));
}
-
+
PolicyContextValve policyValve = new PolicyContextValve(
securityHolder.getPolicyContextID());
addValve(policyValve);
- }
+
+ //This is definitely a hack, but I don't see a reasonable way to install the defaultSubject.
+ //Obviously this won't work if there are permissions. Setting the default subject if there are
+ //permissions breaks authentication.
+ boolean hasPermissions = securityHolder.getChecked().elements().hasMoreElements() ||
+ securityHolder.getExcluded().elements().hasMoreElements();
+ if (!hasPermissions && defaultSubject != null) {
+ Valve defaultSubjectValve = new DefaultSubjectValve(defaultSubject);
+ addValve(defaultSubjectValve);
+ } else {
+ //this will clear the thread of any read subject added by some other web app
+ addValve(new DefaultSubjectValve(null));
+ }
+ }
}
-
+
// Add User Defined Valves
List valveChain = ctx.getValveChain();
if (valveChain != null){
Iterator iterator = valveChain.iterator();
while(iterator.hasNext()){
- addValve((Valve)iterator.next());
+ Valve valve = (Valve)iterator.next();
+ addValve(valve);
}
}
this.webServiceMap = ctx.getWebServices();
-
+
this.setCrossContext(ctx.isCrossContext());
}
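Review bot: The else branch installs `new DefaultSubjectValve(null)` with the comment that it clears a subject left on the thread by another web app, but DefaultSubjectValve as added in this commit only acts when `ContextManager.getCurrentCaller()` is already null, so with a null subject it writes null over null and a non-null caller left by another context passes through untouched. Either the comment should be corrected to say the valve is a no-op here, or the valve needs an explicit clearing mode that unconditionally resets current and next caller around the downstream invoke. The `hasPermissions` test consults only `getChecked()` and `getExcluded()`; if SecurityHolder also carries an unchecked permission collection (not visible here), a context with only unchecked permissions would still get the default subject, which is worth confirming given that the comment itself notes the default subject breaks authentication when permissions exist. setContextProperties starts above this hunk.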
@@ -152,21 +168,21 @@
if (defaultSubject != null){
ContextManager.unregisterSubject(defaultSubject);
}
-
+
super.stop();
}
-
+
public void addChild(Container child){
Wrapper wrapper = (Wrapper) child;
-
+
String servletClassName = wrapper.getServletClass();
if (servletClassName == null){
super.addChild(child);
return;
}
-
+
ClassLoader cl = this.getParentClassLoader();
-
+
Class baseServletClass = null;
Class servletClass = null;
try{
@@ -177,7 +193,7 @@
//Nope - its probably a webservice, so lets see...
if (webServiceMap != null){
StoredObject storedObject = (StoredObject)webServiceMap.get(wrapper.getName());
-
+
if (storedObject != null){
WebServiceContainer webServiceContainer = null;
try{
@@ -188,12 +204,12 @@
//Yep its a web service
//So swap it out with a POJOWebServiceServlet
wrapper.setServletClass("org.apache.geronimo.webservices.POJOWebServiceServlet");
-
+
//Set the WebServiceContainer stuff
String webServicecontainerID = wrapper.getName() + WebServiceContainerInvoker.WEBSERVICE_CONTAINER + webServiceContainer.hashCode();
getServletContext().setAttribute(webServicecontainerID, webServiceContainer);
wrapper.addInitParameter(WebServiceContainerInvoker.WEBSERVICE_CONTAINER, webServicecontainerID);
-
+
//Set the SEI Class in the attribute
String pojoClassID = wrapper.getName() + POJOWebServiceServlet.POJO_CLASS + servletClass.hashCode();
getServletContext().setAttribute(pojoClassID, servletClass);
@@ -204,7 +220,7 @@
} catch (ClassNotFoundException e){
throw new RuntimeException(e.getMessage(), e);
}
-
+
super.addChild(child);
}
}
Added: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/DefaultSubjectValve.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/DefaultSubjectValve.java?rev=289136&view=auto
==============================================================================
--- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/DefaultSubjectValve.java (added)
+++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/DefaultSubjectValve.java Wed Sep 14 19:43:39 2005
@@ -0,0 +1,56 @@
+/**
+ *
+ * Copyright 2005 The Apache Software Foundation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.tomcat.valve;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.security.auth.Subject;
+
+import org.apache.catalina.valves.ValveBase;
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.geronimo.security.ContextManager;
+
+/**
+ * @version $Rev: $ $Date: $
+ */
+public class DefaultSubjectValve extends ValveBase {
+
+ private final Subject defaultSubject;
+
+ public DefaultSubjectValve(Subject defaultSubject) {
+ this.defaultSubject = defaultSubject;
+ }
+
+ public void invoke(Request request, Response response) throws IOException, ServletException {
+ boolean setSubject = ContextManager.getCurrentCaller() == null;
+ if (setSubject) {
+ ContextManager.setCurrentCaller(defaultSubject);
+ ContextManager.setNextCaller(defaultSubject);
+ try {
+ getNext().invoke(request, response);
+ } finally {
+ ContextManager.setCurrentCaller(null);
+ ContextManager.setNextCaller(null);
+ }
+ } else {
+ getNext().invoke(request, response);
+ }
+
+ }
+}
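Review bot: The new class carries no Javadoc stating its contract: it hands `defaultSubject` to any request that reaches it with no current caller set, which is only acceptable in a pipeline where the context has already established that no JACC permissions are declared, as GeronimoStandardContext does in this commit, and a null subject makes the valve a pass-through. A class comment such as `/** Installs the context's default Subject as current and next caller for requests that arrive with no caller set, restoring null afterwards; a null subject makes this valve a no-op. Install only on contexts without checked or excluded permissions, otherwise the default identity would replace an authenticated one. */` would make that precondition visible to whoever wires the valve. The guard checks only the current caller, so a next caller set by an earlier valve is overwritten when the current caller is null — presumably intended, but worth stating. The `getNext().invoke(request, response)` call is duplicated in both branches; it could be written once with the set/clear logic guarded around it.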
Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java?rev=289136&r1=289135&r2=289136&view=diff
==============================================================================
--- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java (original)
+++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/valve/PolicyContextValve.java Wed Sep 14 19:43:39 2005
@@ -19,20 +19,22 @@
import org.apache.catalina.valves.ValveBase;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
+import org.apache.geronimo.security.ContextManager;
import javax.servlet.ServletException;
import javax.security.jacc.PolicyContext;
+import javax.security.auth.Subject;
import java.io.IOException;
/**
* @version $Rev$ $Date$
*/
-public class PolicyContextValve extends ValveBase{
+public class PolicyContextValve extends ValveBase {
private final String policyContextID;
- public PolicyContextValve(String policyContextID){
+ public PolicyContextValve(String policyContextID) {
this.policyContextID = policyContextID;
}
@@ -44,8 +46,10 @@
PolicyContext.setHandlerData(request);
// Pass this request on to the next valve in our pipeline
- getNext().invoke(request, response);
-
- PolicyContext.setContextID(oldId);
+ try {
+ getNext().invoke(request, response);
+ } finally {
+ PolicyContext.setContextID(oldId);
+ }
}
}
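Review bot: The new finally restores `oldId` but leaves the handler data set by `PolicyContext.setHandlerData(request)` just above it in place, so after the request completes the thread still references the finished Request through the JACC thread-local until another request on that thread overwrites it. Consider resetting it alongside the context id, e.g. `PolicyContext.setHandlerData(null);` in the same finally, after confirming the JACC provider in use accepts null handler data. The enclosing invoke method, including the line that captures oldId, starts above this hunk.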