Posted to commits@tomee.apache.org by db...@apache.org on 2007/03/22 04:46:23 UTC
svn commit: r521111 - in /incubator/openejb/trunk/openejb3:
container/openejb-core/src/main/java/org/apache/openejb/core/
container/openejb-core/src/main/java/org/apache/openejb/ri/sp/
container/openejb-core/src/main/java/org/apache/openejb/spi/ contai...
Author: dblevins
Date: Wed Mar 21 20:46:22 2007
New Revision: 521111
URL: http://svn.apache.org/viewvc?view=rev&rev=521111
Log:
Wire new security calls into EjbContext and Server authentication and association process
Modified:
incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/BaseContext.java
incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/ri/sp/PseudoSecurityService.java
incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/spi/SecurityService.java
incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/stateful/Compat3to2Test.java
incubator/openejb/trunk/openejb3/server/openejb-client/src/main/java/org/apache/openejb/client/AuthenticationRequest.java
incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/AuthRequestHandler.java
incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/EjbRequestHandler.java
incubator/openejb/trunk/openejb3/server/openejb-security/src/main/java/org/apache/openejb/server/security/SecurityServiceImpl.java
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/BaseContext.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/BaseContext.java?view=diff&rev=521111&r1=521110&r2=521111
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/BaseContext.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/core/BaseContext.java Wed Mar 21 20:46:22 2007
@@ -69,20 +69,20 @@
return getState().getEJBLocalHome();
}
- public Properties getEnvironment() {
- return getState().getEnvironment();
+ public final Properties getEnvironment() {
+ throw new UnsupportedOperationException();
}
- public Identity getCallerIdentity() {
- return getState().getCallerIdentity();
+ public final Identity getCallerIdentity() {
+ throw new UnsupportedOperationException();
}
public Principal getCallerPrincipal() {
return getState().getCallerPrincipal(securityService);
}
- public boolean isCallerInRole(Identity identity) {
- return getState().isCallerInRole(identity);
+ public final boolean isCallerInRole(Identity identity) {
+ throw new UnsupportedOperationException();
}
public boolean isCallerInRole(String roleName) {
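Review bot: The three `UnsupportedOperationException`s thrown by the newly final `getEnvironment`, `getCallerIdentity` and `isCallerInRole(Identity)` carry no message, so a caller of these deprecated EJBContext methods sees only a bare stack trace with no hint of the replacement. Give each a short reason, e.g. `throw new UnsupportedOperationException("getCallerIdentity() is deprecated; use getCallerPrincipal()");`, and likewise point `isCallerInRole(Identity)` at `isCallerInRole(String)`. The class body continues outside the hunk.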
@@ -106,7 +106,11 @@
}
public Object lookup(String name) {
- return getState().lookup(name);
+ try {
+ return (new InitialContext()).lookup("java:comp/env/" + name);
+ } catch (NamingException ne) {
+ throw new IllegalArgumentException(ne);
+ }
}
public boolean isUserTransactionAccessAllowed() {
@@ -149,30 +153,12 @@
return di.getEJBLocalHome();
}
- public final Properties getEnvironment() {
- throw new UnsupportedOperationException();
- }
-
- public final Identity getCallerIdentity() {
- throw new UnsupportedOperationException();
- }
-
public Principal getCallerPrincipal(SecurityService securityService) {
- Object securityIdentity = ThreadContext.getThreadContext().getSecurityIdentity();
- return (Principal) securityService.translateTo(securityIdentity, Principal.class);
- }
-
- public final boolean isCallerInRole(Identity identity) {
- throw new UnsupportedOperationException();
+ return securityService.getCallerPrincipal();
}
public boolean isCallerInRole(SecurityService securityService, String roleName) {
- ThreadContext threadContext = ThreadContext.getThreadContext();
- CoreDeploymentInfo di = threadContext.getDeploymentInfo();
- List<String> physicalRoles = di.getPhysicalRole(roleName);
- Object caller = threadContext.getSecurityIdentity();
-
- return securityService.isCallerAuthorized(caller, physicalRoles);
+ return securityService.isCallerInRole(roleName);
}
public UserTransaction getUserTransaction(UserTransaction userTransaction) throws IllegalStateException {
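Review bot: `isCallerInRole` in State now passes the logical `roleName` straight to `securityService.isCallerInRole(roleName)`, whereas the removed lines first resolved it through `di.getPhysicalRole(roleName)`; unless each SecurityService implementation applies the bean's security-role-ref mapping itself, role links declared in the deployment descriptor are no longer honored. SecurityServiceImpl imports EJBRoleRefPermission, which suggests the JACC path handles this, but PseudoSecurityService answers false for every role. A comment on the delegating call recording where the resolution now lives, e.g. `// role-ref to physical-role mapping is now the SecurityService's responsibility`, would make the contract explicit. Likewise `getCallerPrincipal` no longer reads the thread's security identity here, so the service must derive the caller from its own per-thread state.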
@@ -232,14 +218,6 @@
throw new IllegalStateException("This ejb does not support timers " + deploymentInfo.getDeploymentID());
}
return new TimerServiceImpl(timerService, threadContext.getPrimaryKey());
- }
-
- public Object lookup(String name) {
- try {
- return (new InitialContext()).lookup("java:comp/env/" + name);
- } catch (NamingException ne) {
- throw new IllegalArgumentException(ne);
- }
}
public boolean isUserTransactionAccessAllowed() {
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/ri/sp/PseudoSecurityService.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/ri/sp/PseudoSecurityService.java?view=diff&rev=521111&r1=521110&r2=521111
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/ri/sp/PseudoSecurityService.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/ri/sp/PseudoSecurityService.java Wed Mar 21 20:46:22 2007
@@ -17,8 +17,13 @@
package org.apache.openejb.ri.sp;
import org.apache.openejb.spi.SecurityService;
+import org.apache.openejb.InterfaceType;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.Subject;
import java.util.Collection;
+import java.security.Principal;
+import java.lang.reflect.Method;
/**
* @org.apache.xbean.XBean element="pseudoSecurityService"
@@ -54,5 +59,28 @@
} else {
return null;
}
+ }
+
+
+ public Object login(String user, String pass) throws LoginException {
+ return null;
+ }
+
+ public void associate(Object securityIdentity) throws LoginException {
+ }
+
+ public Subject getCurrentSubject() {
+ return null;
+ }
+
+ public boolean isCallerInRole(String role) {
+ return false;
+ }
+
+ public Principal getCallerPrincipal() {
+ return null;
+ }
+
+ public void checkPermission(Method method, InterfaceType type) throws Throwable {
}
}
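Review bot: The stubbed `login` returns null for every username/password pair, `associate` accepts any identity and `checkPermission` never throws, so a server wired to PseudoSecurityService performs no authentication or authorization at all, and nothing in the class says this is intentional. `getCallerPrincipal` returning null also breaks the EJBContext contract that a principal is always available, which will surface as NullPointerExceptions in beans that call `getCallerPrincipal().getName()`. Add a class-level Javadoc such as `/** Test/development stub: every login succeeds, every permission check passes and no caller principal is available. Not intended for production deployments. */`, and consider returning a fixed placeholder Principal instead of null.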
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/spi/SecurityService.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/spi/SecurityService.java?view=diff&rev=521111&r1=521110&r2=521111
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/spi/SecurityService.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/main/java/org/apache/openejb/spi/SecurityService.java Wed Mar 21 20:46:22 2007
@@ -16,6 +16,12 @@
*/
package org.apache.openejb.spi;
+import org.apache.openejb.InterfaceType;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginException;
+import java.lang.reflect.Method;
+import java.security.Principal;
import java.util.Collection;
public interface SecurityService extends Service {
@@ -38,4 +44,17 @@
* If there is no association, then null is returned.
*/
public Object getSecurityIdentity();
+
+ public Object login(String user, String pass) throws LoginException;
+
+ public void associate(Object securityIdentity) throws LoginException;
+
+ public Subject getCurrentSubject();
+
+ public boolean isCallerInRole(String role);
+
+ public Principal getCallerPrincipal();
+
+ public void checkPermission(Method method, InterfaceType type) throws Throwable;
+
}
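Review bot: The six new SPI methods have no Javadoc, while `getSecurityIdentity` just above them is documented, so an implementer cannot tell what `login` must return, whether `associate` has to be paired with a later cleanup, or under what conditions `checkPermission` throws. `checkPermission(...) throws Throwable` is also wider than any caller can handle sensibly; SecurityServiceImpl imports AccessException and AccessLocalException, so declaring those (or one security exception type) would let callers distinguish a denial from an internal failure. Document at least: `login` — authenticates the credentials and returns an opaque token suitable for handing to a client; `associate` — binds the identity behind a token to the current thread for the duration of the request; `isCallerInRole`/`getCallerPrincipal` — evaluated against the identity currently associated with the thread.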
Modified: incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/stateful/Compat3to2Test.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/stateful/Compat3to2Test.java?view=diff&rev=521111&r1=521110&r2=521111
==============================================================================
--- incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/stateful/Compat3to2Test.java (original)
+++ incubator/openejb/trunk/openejb3/container/openejb-core/src/test/java/org/apache/openejb/core/stateful/Compat3to2Test.java Wed Mar 21 20:46:22 2007
@@ -30,8 +30,6 @@
import org.apache.openejb.jee.StatefulBean;
import javax.naming.InitialContext;
-import javax.ejb.SessionBean;
-import javax.ejb.SessionContext;
import javax.ejb.CreateException;
import javax.ejb.EJBException;
import javax.ejb.EJBHome;
@@ -70,7 +68,11 @@
statefulContainerInfo.properties.setProperty("BulkPassivate", "1");
assembler.createContainer(statefulContainerInfo);
- assembler.createApplication(config.configureApplication(buildTestApp()));
+ EjbJar ejbJar = new EjbJar();
+ StatefulBean bean = ejbJar.addEnterpriseBean(new StatefulBean(TargetBean.class));
+ bean.setHomeAndRemote(TargetHome.class, Target.class);
+
+ assembler.createApplication(config.configureApplication(new EjbModule(getClass().getClassLoader(), getClass().getSimpleName(), "test", ejbJar, null)));
calls.clear();
@@ -93,15 +95,6 @@
private void assertCalls(Call... expectedCalls) {
List expected = Arrays.asList(expectedCalls);
assertEquals(join("\n", expected), join("\n", calls));
- }
-
- public EjbModule buildTestApp() {
- EjbJar ejbJar = new EjbJar();
-
- StatefulBean bean = ejbJar.addEnterpriseBean(new StatefulBean(TargetBean.class));
- bean.setHomeAndRemote(TargetHome.class, Target.class);
-
- return new EjbModule(this.getClass().getClassLoader(), this.getClass().getSimpleName(), "test", ejbJar, null);
}
public static List<Call> calls = new ArrayList<Call>();
Modified: incubator/openejb/trunk/openejb3/server/openejb-client/src/main/java/org/apache/openejb/client/AuthenticationRequest.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/server/openejb-client/src/main/java/org/apache/openejb/client/AuthenticationRequest.java?view=diff&rev=521111&r1=521110&r2=521111
==============================================================================
--- incubator/openejb/trunk/openejb3/server/openejb-client/src/main/java/org/apache/openejb/client/AuthenticationRequest.java (original)
+++ incubator/openejb/trunk/openejb3/server/openejb-client/src/main/java/org/apache/openejb/client/AuthenticationRequest.java Wed Mar 21 20:46:22 2007
@@ -22,14 +22,14 @@
public class AuthenticationRequest implements Request {
- private transient Object principle;
+ private transient Object principal;
private transient Object credentials;
public AuthenticationRequest() {
}
- public AuthenticationRequest(Object principle, Object credentials) {
- this.principle = principle;
+ public AuthenticationRequest(Object principal, Object credentials) {
+ this.principal = principal;
this.credentials = credentials;
}
@@ -37,16 +37,16 @@
return RequestMethodConstants.AUTH_REQUEST;
}
- public Object getPrinciple() {
- return principle;
+ public Object getPrincipal() {
+ return principal;
}
public Object getCredentials() {
return credentials;
}
- public void setPrinciple(Object principle) {
- this.principle = principle;
+ public void setPrincipal(Object principal) {
+ this.principal = principal;
}
public void setCredentials(Object credentials) {
@@ -54,12 +54,12 @@
}
public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {
- principle = in.readObject();
+ principal = in.readObject();
credentials = in.readObject();
}
public void writeExternal(ObjectOutput out) throws IOException {
- out.writeObject(principle);
+ out.writeObject(principal);
out.writeObject(credentials);
}
}
Modified: incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/AuthRequestHandler.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/AuthRequestHandler.java?view=diff&rev=521111&r1=521110&r2=521111
==============================================================================
--- incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/AuthRequestHandler.java (original)
+++ incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/AuthRequestHandler.java Wed Mar 21 20:46:22 2007
@@ -16,14 +16,15 @@
*/
package org.apache.openejb.server.ejbd;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
-
import org.apache.openejb.client.AuthenticationRequest;
import org.apache.openejb.client.AuthenticationResponse;
import org.apache.openejb.client.ClientMetaData;
-import org.apache.openejb.client.RequestMethodConstants;
import org.apache.openejb.client.ResponseCodes;
+import org.apache.openejb.loader.SystemInstance;
+import org.apache.openejb.spi.SecurityService;
+
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
class AuthRequestHandler {
@@ -37,17 +38,25 @@
try {
req.readExternal(in);
- ClientMetaData client = new ClientMetaData();
- client.setClientIdentity(new String((String) req.getPrinciple()));
+ String username = (String) req.getPrincipal();
+ String password = (String) req.getCredentials();
+
+ SecurityService securityService = SystemInstance.get().getComponent(SecurityService.class);
+ Object token = securityService.login(username, password);
+
+ ClientMetaData client = new ClientMetaData();
+ client.setClientIdentity(token);
res.setIdentity(client);
res.setResponseCode(ResponseCodes.AUTH_GRANTED);
res.writeExternal(out);
} catch (Throwable t) {
-
+ // TODO: Log
return;
}
}
+
+
}
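Review bot: When `securityService.login` throws (bad credentials, a misconfigured JAAS realm, or a ClassCastException from the unchecked `(String)` casts), the `catch (Throwable t)` returns without writing anything to `out`, so the client sees a closed or stalled stream instead of a denial, and the `// TODO: Log` means failed logins leave no trace on the server. Catch `LoginException` separately, write a denial response — assuming `ResponseCodes` carries a denial code alongside `AUTH_GRANTED`, `res.setResponseCode(ResponseCodes.AUTH_DENIED); res.writeExternal(out);` — and log the failure with the username only, never the password, before returning. The enclosing method's signature is outside the hunk.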
Modified: incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/EjbRequestHandler.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/EjbRequestHandler.java?view=diff&rev=521111&r1=521110&r2=521111
==============================================================================
--- incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/EjbRequestHandler.java (original)
+++ incubator/openejb/trunk/openejb3/server/openejb-ejbd/src/main/java/org/apache/openejb/server/ejbd/EjbRequestHandler.java Wed Mar 21 20:46:22 2007
@@ -92,8 +92,15 @@
call.setEJBRequest(req);
call.setDeploymentInfo(di);
} catch (Throwable t) {
- replyWithFatalError
- (out, t, "Unable to set the thread context for this request");
+ replyWithFatalError(out, t, "Unable to set the thread context for this request");
+ return;
+ }
+
+ try {
+ SecurityService securityService = SystemInstance.get().getComponent(SecurityService.class);
+ securityService.associate(req.getClientIdentity());
+ } catch (Throwable t) {
+ replyWithFatalError(out, t, "Security system failed to associate thread with the thread");
return;
}
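Review bot: The message at the new `replyWithFatalError` call reads "Security system failed to associate thread with the thread", which is garbled; `"Security system failed to associate the client identity with the thread"` says what happened. Note also that `SecurityServiceImpl.associate` throws `LoginException` for an unknown token, so an expired or forged identity is reported to the client as a fatal server error rather than an authentication failure; if the protocol has a distinct response for that, it belongs here. The ThreadContext set in the preceding try block is not undone on this early return — confirm the caller cleans it up. The enclosing method starts and ends outside the hunk.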
Modified: incubator/openejb/trunk/openejb3/server/openejb-security/src/main/java/org/apache/openejb/server/security/SecurityServiceImpl.java
URL: http://svn.apache.org/viewvc/incubator/openejb/trunk/openejb3/server/openejb-security/src/main/java/org/apache/openejb/server/security/SecurityServiceImpl.java?view=diff&rev=521111&r1=521110&r2=521111
==============================================================================
--- incubator/openejb/trunk/openejb3/server/openejb-security/src/main/java/org/apache/openejb/server/security/SecurityServiceImpl.java (original)
+++ incubator/openejb/trunk/openejb3/server/openejb-security/src/main/java/org/apache/openejb/server/security/SecurityServiceImpl.java Wed Mar 21 20:46:22 2007
@@ -19,16 +19,23 @@
import org.apache.openejb.spi.SecurityService;
import org.apache.openejb.DeploymentInfo;
import org.apache.openejb.InterfaceType;
+import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.core.ThreadContextListener;
import org.apache.openejb.core.ThreadContext;
import org.apache.openejb.core.CoreDeploymentInfo;
import javax.security.auth.Subject;
+import javax.security.auth.login.LoginException;
+import javax.security.auth.login.LoginContext;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.EJBRoleRefPermission;
import javax.ejb.AccessLocalException;
import java.util.Set;
+import java.util.UUID;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Collection;
import java.security.AccessControlContext;
import java.security.Permission;
import java.security.AccessControlException;
@@ -37,11 +44,53 @@
import java.security.Principal;
import java.lang.reflect.Method;
import java.rmi.AccessException;
+import java.io.Serializable;
+import java.io.File;
+import java.io.IOException;
+import java.net.URL;
/**
* @version $Rev$ $Date$
*/
-public class SecurityServiceImpl implements ThreadContextListener {
+public class SecurityServiceImpl implements SecurityService, ThreadContextListener {
+ static private final Map<Object, Identity> identities = new java.util.concurrent.ConcurrentHashMap();
+
+ public SecurityServiceImpl() {
+ String path = System.getProperty("java.security.auth.login.config");
+ if (path == null) {
+ try {
+ File conf = SystemInstance.get().getBase().getDirectory("conf");
+ File loginConfig = new File(conf, "login.config");
+ if (loginConfig.exists()){
+ path = conf.getAbsolutePath();
+ System.setProperty("java.security.auth.login.config", path);
+ }
+ } catch (IOException e) {
+ }
+ }
+
+ if (path == null) {
+ URL resource = this.getClass().getClassLoader().getResource("login.config");
+ if (resource != null) {
+ path = resource.getFile();
+ System.setProperty("java.security.auth.login.config", path);
+ }
+ }
+
+ ThreadContext.addThreadContextListener(this);
+ }
+
+ public Serializable login(String username, String password) throws LoginException {
+ LoginContext context = new LoginContext("PropertiesLogin", new UsernamePasswordCallbackHandler(username, password));
+ context.login();
+
+ Subject subject = context.getSubject();
+
+ Identity identity = new Identity(subject);
+ Serializable token = identity.getToken();
+ identities.put(token, identity);
+ return token;
+ }
private final static class SecurityContext {
private final Subject subject;
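Review bot: In the constructor, when `conf/login.config` exists the code sets `java.security.auth.login.config` to `conf.getAbsolutePath()` — the directory — rather than the file it just checked for, which JAAS cannot read as a configuration; it should be `path = loginConfig.getAbsolutePath();`. The classpath fallback `resource.getFile()` yields a `file:…jar!/login.config` string for a resource packaged in a jar, which is not a filesystem path — `resource.toExternalForm()` is the safer value to hand to JAAS. The `catch (IOException e) {}` swallows the error silently, and `identities` is a raw `ConcurrentHashMap` whose entries are never removed anywhere in this commit, so every successful `login` adds a token that stays valid for the life of the process; `new java.util.concurrent.ConcurrentHashMap<Object, Identity>()` fixes the raw type, and a logout or expiry path is needed to bound the map and the token lifetime.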
@@ -65,10 +114,13 @@
SecurityContext securityContext = oldContext.get(SecurityContext.class);
if (deploymentInfo.getRunAsSubject() != null){
+
securityContext = new SecurityContext(deploymentInfo.getRunAsSubject());
+
} else if (securityContext == null){
- // TODO: Get the Subject from the JAAS LoginModule
- Subject subject = null;
+
+ Subject subject = clientIdentity.get();
+ // TODO: Maybe use a default subject if client subject doesn't exist
securityContext = new SecurityContext(subject);
}
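Review bot: In the `else if (securityContext == null)` branch, `clientIdentity.get()` is null whenever no `associate` call preceded this context switch (for instance an in-VM caller with no remote client), so a `SecurityContext` wrapping a null Subject is created and the TODO on the next line is left open; `getCurrentSubject()` will then return null to its callers. Either fall back to a documented anonymous/default Subject here or reject the call, and state which in the comment, e.g. `// No client identity associated with this thread: treat the caller as anonymous`. The enclosing listener method starts and ends outside the hunk.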
@@ -83,6 +135,21 @@
}
+ public Subject getCurrentSubject() {
+ ThreadContext threadContext = ThreadContext.getThreadContext();
+ SecurityContext securityContext = threadContext.get(SecurityContext.class);
+
+ return securityContext.subject;
+ }
+
+ private static ThreadLocal<Subject> clientIdentity = new ThreadLocal<Subject>();
+
+ public void associate(Object securityIdentity) throws LoginException {
+ Identity identity = identities.get(securityIdentity);
+ if (identity == null) throw new LoginException("Identity does not exist: "+securityIdentity);
+
+ clientIdentity.set(identity.subject);
+ }
public boolean isCallerInRole(String role) {
if (role == null) throw new IllegalArgumentException("Role must not be null");
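Review bot: `associate` stores the client's Subject in the `clientIdentity` ThreadLocal, but nothing in this commit ever calls `clientIdentity.remove()`, so the Subject stays attached to the worker thread after the request finishes; on a pooled thread, a later request whose association is skipped or fails would inherit the previous client's identity when the listener reads `clientIdentity.get()`. Clear it on request completion (or in the matching context-exit callback) and document that `associate` must be paired with that cleanup. Separately, `identities.get(securityIdentity)` throws NullPointerException for a null token because ConcurrentHashMap rejects null keys, so an unauthenticated client produces an NPE rather than the intended `LoginException` — guard it with `if (securityIdentity == null) throw new LoginException("No identity associated with request");`. `getCurrentSubject` likewise dereferences `securityContext` without a null check.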
@@ -129,4 +196,42 @@
}
}
}
+
+ private static class Identity {
+ private final Subject subject;
+ private final UUID token;
+
+ public Identity(Subject subject) {
+ this.subject = subject;
+ this.token = UUID.randomUUID();
+ }
+
+ public Subject getSubject() {
+ return subject;
+ }
+
+ public Serializable getToken() {
+ return token;
+ }
+ }
+
+ public void init(Properties props) throws Exception {
+ }
+
+
+ public Object getSecurityIdentity() {
+ return null;
+ }
+
+ public void setSecurityIdentity(Object securityIdentity) {
+ }
+
+ public <T> T translateTo(Object securityIdentity, Class<T> type) {
+ return null;
+ }
+
+ public boolean isCallerAuthorized(Object securityIdentity, Collection<String> roleNames) {
+ return false;
+ }
+
}
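Review bot: The legacy SPI methods `getSecurityIdentity`, `setSecurityIdentity`, `translateTo` and `isCallerAuthorized` are stubbed to return null/false with no comment, so any caller still on the old `translateTo` path silently receives a null principal; if these are dead after this commit, throw `UnsupportedOperationException` from them (as BaseContext now does for its deprecated methods) or mark them `@deprecated` with a pointer to `getCallerPrincipal`/`isCallerInRole`. `isCallerAuthorized` returning false is at least fail-closed and should say so: `// Legacy SPI: always denies; use isCallerInRole(String)`. `Identity.getSubject()` is unused since `associate` reads the field directly — pick one access style.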