geronimo-scm mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From a..@apache.org
Subject cvs commit: incubator-geronimo/modules/security/src/test/org/apache/geronimo/security/remoting/jmx RemoteLoginTest.java
Date Wed, 18 Feb 2004 03:54:21 GMT
adc         2004/02/17 19:54:21

  Modified:    modules/security/src/java/org/apache/geronimo/security
                        ContextManager.java IdentificationPrincipal.java
               modules/security/src/java/org/apache/geronimo/security/jaas
                        LoginService.java
               modules/security/src/test/org/apache/geronimo/security/jaas
                        LoginSQLTest.java
               modules/security/src/test/org/apache/geronimo/security/remoting/jmx
                        RemoteLoginTest.java
  Added:       modules/security/src/java/org/apache/geronimo/security
                        SubjectId.java
  Log:
  Made subject id scure.
  
  Revision  Changes    Path
  1.5       +93 -13    incubator-geronimo/modules/security/src/java/org/apache/geronimo/security/ContextManager.java
  
  Index: ContextManager.java
  ===================================================================
  RCS file: /home/cvs/incubator-geronimo/modules/security/src/java/org/apache/geronimo/security/ContextManager.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- ContextManager.java	17 Feb 2004 00:05:39 -0000	1.4
  +++ ContextManager.java	18 Feb 2004 03:54:21 -0000	1.5
  @@ -55,6 +55,9 @@
    */
   package org.apache.geronimo.security;
   
  +import javax.crypto.Mac;
  +import javax.crypto.SecretKey;
  +import javax.crypto.spec.SecretKeySpec;
   import javax.security.auth.Subject;
   import javax.security.jacc.EJBRoleRefPermission;
   
  @@ -62,6 +65,8 @@
   import java.security.AccessControlContext;
   import java.security.AccessControlException;
   import java.security.AccessController;
  +import java.security.InvalidKeyException;
  +import java.security.NoSuchAlgorithmException;
   import java.security.Principal;
   import java.security.PrivilegedAction;
   import java.util.Hashtable;
  @@ -70,7 +75,6 @@
   
   
   /**
  - *
    * @version $Revision$ $Date$
    */
   public class ContextManager {
  @@ -84,6 +88,15 @@
   
       private static long nextPrincipalId = System.currentTimeMillis();
   
  +    private static SecretKey key;
  +    private static String algorithm;
  +    private static String password;
  +
  +    static {
  +        password = "secret";
  +        ContextManager.setAlgorithm("HmacSHA1");
  +    }
  +
   
       public static final GeronimoSecurityPermission GET_CONTEXT = new GeronimoSecurityPermission("getContext");
       public static final GeronimoSecurityPermission SET_CONTEXT = new GeronimoSecurityPermission("setContext");
  @@ -147,9 +160,11 @@
           if (sm != null) sm.checkPermission(GET_CONTEXT);
   
           Object caller = currentCaller.get();
  -        if (caller == null){
  -            return new Principal(){
  -                public String getName(){return "";}
  +        if (caller == null) {
  +            return new Principal() {
  +                public String getName() {
  +                    return "";
  +                }
               };
           }
           Context context = (Context) subjectContexts.get(currentCaller.get());
  @@ -159,7 +174,7 @@
           return context.principal;
       }
   
  -    public static Long getCurrentId() {
  +    public static SubjectId getCurrentId() {
           SecurityManager sm = System.getSecurityManager();
           if (sm != null) sm.checkPermission(GET_CONTEXT);
   
  @@ -170,7 +185,7 @@
           return context.id;
       }
   
  -    public static Long getSubjectId(Subject subject) {
  +    public static SubjectId getSubjectId(Subject subject) {
           SecurityManager sm = System.getSecurityManager();
           if (sm != null) sm.checkPermission(GET_CONTEXT);
   
  @@ -186,7 +201,7 @@
           try {
               Object caller = currentCaller.get();
               if (caller == null) return false;
  -            
  +
               Context context = (Context) subjectContexts.get(currentCaller.get());
   
               assert context != null : "No registered context";
  @@ -198,11 +213,11 @@
           return true;
       }
   
  -    public static Subject getRegisteredSubject(Long id) {
  +    public static Subject getRegisteredSubject(SubjectId id) {
           return (Subject) subjectIds.get(id);
       }
   
  -    public static synchronized Long registerSubject(Subject subject) {
  +    public static synchronized SubjectId registerSubject(Subject subject) {
           SecurityManager sm = System.getSecurityManager();
           if (sm != null) sm.checkPermission(SET_CONTEXT);
   
  @@ -225,7 +240,8 @@
               context.principal = (Principal) subject.getPrincipals().iterator().next();
           }
   
  -        context.id = new Long(nextSubjectId++);
  +        Long id = new Long(nextSubjectId++);
  +        context.id = new SubjectId(id, hash(id));
   
           subjectIds.put(context.id, subject);
           subjectContexts.put(subject, context);
  @@ -269,12 +285,76 @@
           return result;
       }
   
  +    public static String getAlgorithm() {
  +        SecurityManager sm = System.getSecurityManager();
  +        if (sm != null) sm.checkPermission(GET_CONTEXT);
  +
  +        return algorithm;
  +    }
  +
  +    public static void setAlgorithm(String algorithm) {
  +        SecurityManager sm = System.getSecurityManager();
  +        if (sm != null) sm.checkPermission(SET_CONTEXT);
  +
  +        ContextManager.algorithm = algorithm;
  +
  +        key = new SecretKeySpec(password.getBytes(), algorithm);
  +
  +        /**
  +         * Make sure that we can generate the  Mac.
  +         */
  +        try {
  +            Mac mac = Mac.getInstance(algorithm);
  +            mac.init(key);
  +        } catch (NoSuchAlgorithmException e) {
  +            assert false : "Should never have reached here";
  +        } catch (InvalidKeyException e) {
  +            assert false : "Should never have reached here";
  +        }
  +    }
  +
  +    public static String getPassword() {
  +        SecurityManager sm = System.getSecurityManager();
  +        if (sm != null) sm.checkPermission(GET_CONTEXT);
  +
  +        return password;
  +    }
  +
  +    public static void setPassword(String password) {
  +        SecurityManager sm = System.getSecurityManager();
  +        if (sm != null) sm.checkPermission(SET_CONTEXT);
  +
  +        ContextManager.password = password;
  +
  +        key = new SecretKeySpec(password.getBytes(), algorithm);
  +    }
  +
  +    private static byte[] hash(Long id) {
  +        long n = id.longValue();
  +        byte[] bytes = new byte[8];
  +        for (int i = 7; i >= 0; i--) {
  +            bytes[i] = (byte) (n);
  +            n >>>= 8;
  +        }
  +
  +        try {
  +            Mac mac = Mac.getInstance(algorithm);
  +            mac.init(key);
  +            mac.update(bytes);
  +
  +            return mac.doFinal();
  +        } catch (NoSuchAlgorithmException e) {
  +        } catch (InvalidKeyException e) {
  +        }
  +        assert false : "Should never have reached here";
  +        return null;
  +    }
   
       private static class Context {
  -        Long id;
  +        SubjectId id;
           AccessControlContext context;
           Subject subject;
           Principal principal;
       }
  -    
  +
   }
  
  
  
  1.2       +6 -12     incubator-geronimo/modules/security/src/java/org/apache/geronimo/security/IdentificationPrincipal.java
  
  Index: IdentificationPrincipal.java
  ===================================================================
  RCS file: /home/cvs/incubator-geronimo/modules/security/src/java/org/apache/geronimo/security/IdentificationPrincipal.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- IdentificationPrincipal.java	17 Feb 2004 00:05:39 -0000	1.1
  +++ IdentificationPrincipal.java	18 Feb 2004 03:54:21 -0000	1.2
  @@ -63,23 +63,17 @@
    * @version $Revision$ $Date$
    */
   public class IdentificationPrincipal implements Principal, Serializable {
  -    private final Long id;
  -    private final byte[] signature;
  +    private final SubjectId id;
       private transient String name;
   
  -    public IdentificationPrincipal(Long id, byte[] signature) {
  +    public IdentificationPrincipal(SubjectId id) {
           this.id = id;
  -        this.signature = signature;
       }
   
  -    public Long getId() {
  +    public SubjectId getId() {
           return id;
       }
   
  -    public byte[] getSignature() {
  -        return signature;
  -    }
  -
       /**
        * Compares this principal to the specified object.  Returns true
        * if the object passed in matches the principal represented by
  @@ -92,9 +86,9 @@
       public boolean equals(Object another) {
           if (!(another instanceof IdentificationPrincipal)) return false;
   
  -        IdentificationPrincipal realmPrincipal = (IdentificationPrincipal) another;
  +        IdentificationPrincipal idPrincipal = (IdentificationPrincipal) another;
   
  -        return id == realmPrincipal.id;
  +        return id == idPrincipal.id;
       }
   
       /**
  
  
  
  1.1                  incubator-geronimo/modules/security/src/java/org/apache/geronimo/security/SubjectId.java
  
  Index: SubjectId.java
  ===================================================================
  /* ====================================================================
   * The Apache Software License, Version 1.1
   *
   * Copyright (c) 2004 The Apache Software Foundation.  All rights
   * reserved.
   *
   * Redistribution and use in source and binary forms, with or without
   * modification, are permitted provided that the following conditions
   * are met:
   *
   * 1. Redistributions of source code must retain the above copyright
   *    notice, this list of conditions and the following disclaimer.
   *
   * 2. Redistributions in binary form must reproduce the above copyright
   *    notice, this list of conditions and the following disclaimer in
   *    the documentation and/or other materials provided with the
   *    distribution.
   *
   * 3. The end-user documentation included with the redistribution,
   *    if any, must include the following acknowledgment:
   *       "This product includes software developed by the
   *        Apache Software Foundation (http://www.apache.org/)."
   *    Alternately, this acknowledgment may appear in the software itself,
   *    if and wherever such third-party acknowledgments normally appear.
   *
   * 4. The names "Apache" and "Apache Software Foundation" and
   *    "Apache Geronimo" must not be used to endorse or promote products
   *    derived from this software without prior written permission. For
   *    written permission, please contact apache@apache.org.
   *
   * 5. Products derived from this software may not be called "Apache",
   *    "Apache Geronimo", nor may "Apache" appear in their name, without
   *    prior written permission of the Apache Software Foundation.
   *
   * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
   * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
   * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
   * DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
   * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
   * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
   * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
   * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
   * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
   * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
   * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
   * ====================================================================
   *
   * This software consists of voluntary contributions made by many
   * individuals on behalf of the Apache Software Foundation.  For more
   * information on the Apache Software Foundation, please see
   * <http://www.apache.org/>.
   *
   * ====================================================================
   */
  package org.apache.geronimo.security;
  
  import java.io.Serializable;
  
  
  /**
   * @version $Revision: 1.1 $ $Date: 2004/02/18 03:54:21 $
   */
  public class SubjectId implements Serializable {
      private final Long subjectId;
      private final byte[] hash;
      private transient int hashCode;
      private transient String name;
  
      public SubjectId(Long subjectId, byte[] hash) {
          this.subjectId = subjectId;
          this.hash = hash;
      }
  
      public Long getSubjectId() {
          return subjectId;
      }
  
      public byte[] getHash() {
          return hash;
      }
  
      public boolean equals(Object obj) {
          if (!(obj instanceof SubjectId)) return false;
  
          SubjectId another = (SubjectId) obj;
          if (!another.subjectId.equals(subjectId)) return false;
          for (int i = 0; i < hash.length; i++) {
              if (another.hash[i] != hash[i]) return false;
          }
          return true;
      }
  
      public String toString() {
          if (name == null) {
              StringBuffer buffer = new StringBuffer();
              buffer.append('[');
              buffer.append(subjectId);
              buffer.append(":0x");
              for (int i = 0; i < hash.length; i++) {
                  buffer.append(HEXCHAR[(hash[i]>>>4)&0x0F]);
                  buffer.append(HEXCHAR[(hash[i]    )&0x0F]);
              }
              buffer.append(']');
              name = buffer.toString();
          }
          return name;
      }
  
      /**
       * Returns a hashcode for this LoginModuleId.
       *
       * @return a hashcode for this LoginModuleId.
       */
      public int hashCode() {
          if (hashCode == 0) {
              for (int i = 0; i < hash.length; i++) {
                  hashCode ^= hash[i];
              }
              hashCode ^= subjectId.hashCode();
          }
          return hashCode;
      }
  
      private static final char[] HEXCHAR = {
          '0', '1', '2', '3', '4', '5', '6', '7',
          '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'
      };
  }
  
  
  
  1.3       +6 -5      incubator-geronimo/modules/security/src/java/org/apache/geronimo/security/jaas/LoginService.java
  
  Index: LoginService.java
  ===================================================================
  RCS file: /home/cvs/incubator-geronimo/modules/security/src/java/org/apache/geronimo/security/jaas/LoginService.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- LoginService.java	17 Feb 2004 04:30:29 -0000	1.2
  +++ LoginService.java	18 Feb 2004 03:54:21 -0000	1.3
  @@ -69,9 +69,9 @@
   
   import java.io.IOException;
   import java.security.AccessController;
  -import java.security.Principal;
  -import java.security.NoSuchAlgorithmException;
   import java.security.InvalidKeyException;
  +import java.security.NoSuchAlgorithmException;
  +import java.security.Principal;
   import java.util.ArrayList;
   import java.util.Collection;
   import java.util.Collections;
  @@ -101,6 +101,7 @@
   import org.apache.geronimo.security.GeronimoSecurityException;
   import org.apache.geronimo.security.IdentificationPrincipal;
   import org.apache.geronimo.security.RealmPrincipal;
  +import org.apache.geronimo.security.SubjectId;
   import org.apache.geronimo.security.realm.SecurityRealm;
   
   
  @@ -355,9 +356,9 @@
   
           ContextManager.registerSubject(subject);
   
  -        Long id = ContextManager.getSubjectId(lm.getSubject());
  +        SubjectId id = ContextManager.getSubjectId(lm.getSubject());
   
  -        subject.getPrincipals().add(new IdentificationPrincipal(id, hash(id)));
  +        subject.getPrincipals().add(new IdentificationPrincipal(id));
   
           return true;
       }
  
  
  
  1.2       +6 -6      incubator-geronimo/modules/security/src/test/org/apache/geronimo/security/jaas/LoginSQLTest.java
  
  Index: LoginSQLTest.java
  ===================================================================
  RCS file: /home/cvs/incubator-geronimo/modules/security/src/test/org/apache/geronimo/security/jaas/LoginSQLTest.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- LoginSQLTest.java	17 Feb 2004 00:05:40 -0000	1.1
  +++ LoginSQLTest.java	18 Feb 2004 03:54:21 -0000	1.2
  @@ -157,7 +157,7 @@
           assertEquals("subject should have two realm principals", 2, subject.getPrincipals(RealmPrincipal.class).size());
           assertEquals("subject should have one remote principal", 1, subject.getPrincipals(IdentificationPrincipal.class).size());
           IdentificationPrincipal principal = (IdentificationPrincipal) subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
  -        assertTrue("id of principal should be non-zero", principal.getId().longValue()
!= 0);
  +        assertTrue("id of principal should be non-zero", principal.getId().getSubjectId().longValue()
!= 0);
   
           context.logout();
       }
  @@ -173,7 +173,7 @@
           assertEquals("subject should have two realm principals", 2, subject.getPrincipals(RealmPrincipal.class).size());
           assertEquals("subject should have one remote principal", 1, subject.getPrincipals(IdentificationPrincipal.class).size());
           IdentificationPrincipal principal = (IdentificationPrincipal) subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
  -        assertTrue("id of principal should be non-zero", principal.getId().longValue()
!= 0);
  +        assertTrue("id of principal should be non-zero", principal.getId().getSubjectId().longValue()
!= 0);
   
           Thread.sleep(2 * 1000);
   
  @@ -190,7 +190,7 @@
               assertEquals("subject should have two realm principals", 2, subject.getPrincipals(RealmPrincipal.class).size());
               assertEquals("subject should have one remote principal", 1, subject.getPrincipals(IdentificationPrincipal.class).size());
               principal = (IdentificationPrincipal) subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
  -            assertTrue("id of principal should be non-zero", principal.getId().longValue()
!= 0);
  +            assertTrue("id of principal should be non-zero", principal.getId().getSubjectId().longValue()
!= 0);
   
               context.logout();
           }
  @@ -207,7 +207,7 @@
           assertEquals("subject should have two realm principals", 2, subject.getPrincipals(RealmPrincipal.class).size());
           assertEquals("subject should have one remote principal", 1, subject.getPrincipals(IdentificationPrincipal.class).size());
           IdentificationPrincipal principal = (IdentificationPrincipal) subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
  -        assertTrue("id of principal should be non-zero", principal.getId().longValue()
!= 0);
  +        assertTrue("id of principal should be non-zero", principal.getId().getSubjectId().longValue()
!= 0);
   
           context.logout();
           context.login();
  @@ -229,7 +229,7 @@
           assertEquals("subject should have two realm principals", 2, subject.getPrincipals(RealmPrincipal.class).size());
           assertEquals("subject should have one remote principal", 1, subject.getPrincipals(IdentificationPrincipal.class).size());
           principal = (IdentificationPrincipal) subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
  -        assertTrue("id of principal should be non-zero", principal.getId().longValue()
!= 0);
  +        assertTrue("id of principal should be non-zero", principal.getId().getSubjectId().longValue()
!= 0);
   
           context.logout();
       }
  
  
  
  1.2       +12 -2     incubator-geronimo/modules/security/src/test/org/apache/geronimo/security/remoting/jmx/RemoteLoginTest.java
  
  Index: RemoteLoginTest.java
  ===================================================================
  RCS file: /home/cvs/incubator-geronimo/modules/security/src/test/org/apache/geronimo/security/remoting/jmx/RemoteLoginTest.java,v
  retrieving revision 1.1
  retrieving revision 1.2
  diff -u -r1.1 -r1.2
  --- RemoteLoginTest.java	17 Feb 2004 00:05:40 -0000	1.1
  +++ RemoteLoginTest.java	18 Feb 2004 03:54:21 -0000	1.2
  @@ -85,6 +85,7 @@
    */
   public class RemoteLoginTest extends TestCase {
       Kernel kernel;
  +    ObjectName gssapiRegistration;
       ObjectName loginService;
       ObjectName kerberosRealm;
       ObjectName subsystemRouter;
  @@ -109,7 +110,7 @@
           assertTrue("expected non-null subject", subject != null);
           assertTrue("subject should have one remote principal", subject.getPrincipals(IdentificationPrincipal.class).size()
== 1);
           IdentificationPrincipal principal = (IdentificationPrincipal) subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
  -        assertTrue("id of principal should be non-zero", principal.getId().longValue()
!= 0);
  +        assertTrue("id of principal should be non-zero", principal.getId().getSubjectId().longValue()
!= 0);
           assertTrue("subject should have five principals", subject.getPrincipals().size()
== 5);
           assertTrue("subject should have two realm principal", subject.getPrincipals(RealmPrincipal.class).size()
== 2);
   
  @@ -123,6 +124,12 @@
           GBeanMBean gbean;
   
           // Create all the parts
  +        gbean = new GBeanMBean("org.apache.geronimo.remoting.transport.TransportRegistration");
  +        gssapiRegistration = new ObjectName("geronimo.remoting:registration=gssapi");
  +        gbean.setAttribute("TransportFactory", "org.apache.geronimo.remoting.transport.async.TransportFactory");
  +        gbean.setAttribute("TransportName", "gssapi");
  +        kernel.loadGBean(gssapiRegistration, gbean);
  +
           gbean = new GBeanMBean("org.apache.geronimo.security.jaas.LoginService");
           loginService = new ObjectName("geronimo.security:type=LoginService");
           gbean.setReferencePatterns("Realms", Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*")));
  @@ -181,6 +188,7 @@
           serverStub = new ObjectName("geronimo.remoting:target=LoginServiceStub");
           kernel.loadGBean(serverStub, gbean);
   
  +        kernel.startGBean(gssapiRegistration);
           kernel.startGBean(loginService);
           kernel.startGBean(kerberosRealm);
           kernel.startGBean(subsystemRouter);
  @@ -216,7 +224,9 @@
           kernel.stopGBean(subsystemRouter);
           kernel.stopGBean(kerberosRealm);
           kernel.stopGBean(loginService);
  +        kernel.stopGBean(gssapiRegistration);
   
  +        kernel.unloadGBean(gssapiRegistration);
           kernel.unloadGBean(loginService);
           kernel.unloadGBean(kerberosRealm);
           kernel.unloadGBean(subsystemRouter);
  
  
  

Mime
View raw message