geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick McGuire <rick...@gmail.com>
Subject AppClient security call back handlers essentially broken in 2.0
Date Fri, 20 Apr 2007 12:45:34 GMT
I've run into a serious problem with app client security callback 
handlers in Geronimo 2.0.  These appear to be completely broken, and I'm 
not sure I understand how to fix this.  Here's the scenario:

In 1.2, a security callback handler class can be specified in the plan.  
In the main() method of the AppClientContainer, this was handled thusly:

            if (callbackHandlerClass != null) {
                //look for a constructor taking the args
                CallbackHandler callbackHandler;
                try {
                    Constructor cArgs = 
callbackHandlerClass.getConstructor(new Class[] {String[].class});
                    callbackHandler = (CallbackHandler) 
cArgs.newInstance(new Object[] {args});
                } catch (NoSuchMethodException e) {
                    callbackHandler = (CallbackHandler) 
callbackHandlerClass.newInstance();
                }
                loginContext = new LoginContext(realmName, callbackHandler);
                try {
                    loginContext.login();
                } catch (LoginException e) {
                    loginContext = null;
                    throw e;
                }
                clientSubject = loginContext.getSubject();
            }


The appclient container looked for a constructor on the target callback 
handler that took an array of Strings as an argument, and constructed 
that callback handler using the string arguments passed to the 
AppClientContainer main() method.  The callback handler would scan the 
application args looking for options that applied to its authentication 
technique, and it was passed to the loginContext in an initialized 
state, ready to provide addtional information to the login process. 

In 2.0, this has changed drastically, breaking any call back handlers 
written for 1.2, and I don't even see an obvious method of fixing this.  
Here's the new code for managing the callback handler:

            if (callbackHandlerClass != null) {
                callbackHandler = (CallbackHandler) 
holder.newInstance(callbackHandlerClass, classLoader, componentContext);
                loginContext = new LoginContext(realmName, callbackHandler);
                try {
                    loginContext.login();
                } catch (LoginException e) {
                    loginContext = null;
                    throw e;
                }
                clientSubject = loginContext.getSubject();
            }

Same relative point in the AppClientContainer startup, but with two key 
differences:

   1. The holder.newInstance() call appears to be looking for a
      no-argument constructor on the callbackHandlerClass (which likely
      fails with the 1.2 classes because they are expecting to have
      their void CallbackHandler(String []) constructor called).
   2. The new callback handler instance is no longer being given access
      to the appclient args to initialize.  There appears to be some
      injection processing going on in the holder.newInstance() call,
      but it's not clear how to specify what information get injected,
      or even if the information from the appclient args is available.

So, how is this supposed to work, and if this is currently working 
correctly in 2.0, what is the process for converting a handler written 
for 1.2 into an equivalent for 2.0?

Rick


Mime
View raw message