geronimo-scm mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From a..@apache.org
Subject svn commit: rev 57351 - in geronimo/trunk: applications/demo/src/webapp/WEB-INF modules/jetty-builder/src/test-resources/deployables/war3/WEB-INF modules/jetty/src/java/org/apache/geronimo/jetty modules/jetty/src/test-resources/deployables/war3/WEB-INF modules/jetty/src/test/org/apache/geronimo/jetty modules/security-builder/src/java/org/apache/geronimo/security/deployment modules/security-builder/src/schema modules/security/src/java/org/apache/geronimo/security/deploy modules/security/src/java/org/apache/geronimo/security/realm modules/security/src/java/org/apache/geronimo/security/realm/providers
Date Wed, 10 Nov 2004 19:39:51 GMT
Author: adc
Date: Wed Nov 10 11:39:50 2004
New Revision: 57351

Added:
   geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/AutoMapAssistant.java
   geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/AutoMapAssistant.java
Modified:
   geronimo/trunk/applications/demo/src/webapp/WEB-INF/geronimo-jetty.xml
   geronimo/trunk/modules/jetty-builder/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
   geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java
   geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java
   geronimo/trunk/modules/jetty/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
   geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java
   geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
   geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd
   geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java
   geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/AbstractSecurityRealm.java
   geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileSecurityRealm.java
   geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLSecurityRealm.java
Log:
Support Group Name = Role Name Role Mapping
http://nagoya.apache.org/jira/browse/GERONIMO-454

Modified: geronimo/trunk/applications/demo/src/webapp/WEB-INF/geronimo-jetty.xml
==============================================================================
--- geronimo/trunk/applications/demo/src/webapp/WEB-INF/geronimo-jetty.xml	(original)
+++ geronimo/trunk/applications/demo/src/webapp/WEB-INF/geronimo-jetty.xml	Wed Nov 10 11:39:50
2004
@@ -16,21 +16,26 @@
     limitations under the License.
 -->
 
-<web-app xmlns="http://geronimo.apache.org/xml/ns/web/jetty" configId="org/apache/geronimo/Demo"
parentId="org/apache/geronimo/Secure">
+<web-app
+    xmlns="http://geronimo.apache.org/xml/ns/web/jetty"
+    xmlns:sec="http://geronimo.apache.org/xml/ns/security"
+    configId="org/apache/geronimo/Demo"
+    parentId="org/apache/geronimo/Secure">
+
     <context-root>/demo</context-root>
     <context-priority-classloader>false</context-priority-classloader>
-    <security>
-        <default-principal realm-name="demo-properties-realm">
-            <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
name="izumi"/>
-        </default-principal>
-        <role-mappings>
-            <role role-name="content-administrator">
-                <realm realm-name="demo-properties-realm">
-                    <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileGroupPrincipal"
name="it" designated-run-as="true"/>
-                    <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
name="metro"/>
-                    <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
name="george"/>
-                </realm>
-            </role>
-        </role-mappings>
-    </security>
+    <sec:security>
+        <sec:default-principal realm-name="demo-properties-realm">
+            <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
name="izumi"/>
+        </sec:default-principal>
+        <sec:role-mappings>
+            <sec:role role-name="content-administrator">
+                <sec:realm realm-name="demo-properties-realm">
+                    <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileGroupPrincipal"
name="it" designated-run-as="true"/>
+                    <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
name="metro"/>
+                    <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
name="george"/>
+                </sec:realm>
+            </sec:role>
+        </sec:role-mappings>
+    </sec:security>
 </web-app>

Modified: geronimo/trunk/modules/jetty-builder/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
==============================================================================
--- geronimo/trunk/modules/jetty-builder/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
(original)
+++ geronimo/trunk/modules/jetty-builder/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
Wed Nov 10 11:39:50 2004
@@ -16,12 +16,17 @@
     limitations under the License.
 -->
 
-<web-app xmlns="http://geronimo.apache.org/xml/ns/web/jetty" configId="org/apache/geronimo/test">
+<web-app
+    xmlns="http://geronimo.apache.org/xml/ns/web/jetty"
+    xmlns:sec="http://geronimo.apache.org/xml/ns/security"
+    configId="org/apache/geronimo/test">
+
     <context-root>/test</context-root>
     <context-priority-classloader>false</context-priority-classloader>
-    <security>
-        <default-principal realm-name="demo-properties-realm">
-            <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
name="izumi"/>
-        </default-principal>
-    </security>
+    <sec:security>
+        <sec:auto-map-roles security-realm="demo-properties-realm"/>
+        <sec:default-principal realm-name="demo-properties-realm">
+            <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
name="izumi"/>
+        </sec:default-principal>
+    </sec:security>
 </web-app>

Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java
(original)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java
Wed Nov 10 11:39:50 2004
@@ -36,6 +36,8 @@
 import javax.security.jacc.PolicyContextException;
 import javax.security.jacc.WebResourcePermission;
 import javax.security.jacc.WebUserDataPermission;
+import javax.management.ObjectName;
+import javax.management.MalformedObjectNameException;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -49,13 +51,16 @@
 import org.apache.geronimo.security.PrimaryRealmPrincipal;
 import org.apache.geronimo.security.RealmPrincipal;
 import org.apache.geronimo.security.SubjectId;
+import org.apache.geronimo.security.realm.SecurityRealm;
 import org.apache.geronimo.security.deploy.DefaultPrincipal;
 import org.apache.geronimo.security.deploy.Security;
+import org.apache.geronimo.security.deploy.AutoMapAssistant;
 import org.apache.geronimo.security.util.ConfigurationUtil;
 import org.apache.geronimo.transaction.TrackedConnectionAssociator;
-import org.apache.geronimo.transaction.UserTransactionImpl;
 import org.apache.geronimo.transaction.OnlineUserTransaction;
 import org.apache.geronimo.transaction.context.TransactionContextManager;
+import org.apache.geronimo.kernel.Kernel;
+
 import org.mortbay.http.Authenticator;
 import org.mortbay.http.HttpException;
 import org.mortbay.http.HttpRequest;
@@ -78,6 +83,7 @@
 public class JettyWebAppJACCContext extends JettyWebAppContext {
     private static Log log = LogFactory.getLog(JettyWebAppJACCContext.class);
 
+    private final Kernel kernel;
     private final String policyContextID;
     private final Security securityConfig;
     private final JAASJettyPrincipal defaultPrincipal;
@@ -91,12 +97,14 @@
     private String formLoginPath;
 
     public JettyWebAppJACCContext() {
+        kernel = null;
         policyContextID = null;
         securityConfig = null;
         defaultPrincipal = null;
     }
 
     public JettyWebAppJACCContext(
+            Kernel kernel,
             URI uri,
             ReadOnlyContext componentContext,
             OnlineUserTransaction userTransaction,
@@ -125,6 +133,7 @@
                 trackedConnectionAssociator,
                 jettyContainer);
 
+        this.kernel = kernel;
         this.policyContextID = policyContextID;
         this.securityConfig = securityConfig;
         defaultPrincipal = generateDefaultPrincipal(securityConfig);
@@ -135,6 +144,10 @@
         addHandler(new JettyWebAppHandler());
     }
 
+    public Kernel getKernel() {
+        return kernel;
+    }
+
     public String getPolicyContextID() {
         return policyContextID;
     }
@@ -361,16 +374,40 @@
      * @return the default principal
      */
     protected JAASJettyPrincipal generateDefaultPrincipal(Security securityConfig) throws
GeronimoSecurityException {
+
+        DefaultPrincipal defaultPrincipal = securityConfig.getDefaultPrincipal();
+        if (defaultPrincipal == null) {
+            AutoMapAssistant config = securityConfig.getAssistant();
+            try {
+                if (config != null) {
+                    Set assistants = kernel.listGBeans(new ObjectName("geronimo.security:type=SecurityRealm,realm="
+ config.getSecurityRealm()));
+                    if (assistants.size() < 1 || assistants.size() > 1) throw new GeronimoSecurityException("Only
one auto mapping assistant should match " + config.getSecurityRealm());
+
+                    org.apache.geronimo.security.realm.AutoMapAssistant assistant = (org.apache.geronimo.security.realm.AutoMapAssistant)
assistants.iterator().next();
+                    org.apache.geronimo.security.deploy.Principal principal = assistant.obtainDefaultPrincipal();
+                    defaultPrincipal = new DefaultPrincipal();
+                    defaultPrincipal.setPrincipal(principal);
+                    defaultPrincipal.setRealmName(((SecurityRealm)assistant).getRealmName());
+                }
+            } catch (MalformedObjectNameException e) {
+                throw new GeronimoSecurityException("Bad object name geronimo.security:type=SecurityRealm,realm="
+ config.getSecurityRealm());
+            }
+
+        }
+        if (defaultPrincipal == null) throw new GeronimoSecurityException("Unable to generate
default principal");
+
+        return generateDefaultPrincipal(securityConfig, defaultPrincipal);
+    }
+
+    protected JAASJettyPrincipal generateDefaultPrincipal(Security securityConfig, DefaultPrincipal
defaultPrincipal) throws GeronimoSecurityException {
         JAASJettyPrincipal result = new JAASJettyPrincipal("default");
         Subject defaultSubject = new Subject();
 
-        DefaultPrincipal principal = securityConfig.getDefaultPrincipal();
-
-        RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal.getPrincipal(),
principal.getRealmName());
+        RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(defaultPrincipal.getPrincipal(),
defaultPrincipal.getRealmName());
         if (realmPrincipal == null) {
             throw new GeronimoSecurityException("Unable to create realm principal");
         }
-        PrimaryRealmPrincipal primaryRealmPrincipal = ConfigurationUtil.generatePrimaryRealmPrincipal(principal.getPrincipal(),
principal.getRealmName());
+        PrimaryRealmPrincipal primaryRealmPrincipal = ConfigurationUtil.generatePrimaryRealmPrincipal(defaultPrincipal.getPrincipal(),
defaultPrincipal.getRealmName());
         if (primaryRealmPrincipal == null) {
             throw new GeronimoSecurityException("Unable to create primary realm principal");
         }
@@ -497,10 +534,12 @@
     static {
         GBeanInfoBuilder infoFactory = new GBeanInfoBuilder("Jetty JACC WebApplication Context",
JettyWebAppJACCContext.class, JettyWebAppContext.GBEAN_INFO);
 
+        infoFactory.addAttribute("kernel", Kernel.class, false);
         infoFactory.addAttribute("policyContextID", String.class, true);
         infoFactory.addAttribute("securityConfig", Security.class, true);
 
         infoFactory.setConstructor(new String[]{
+            "kernel",
             "uri",
             "componentContext",
             "userTransaction",

Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java
(original)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyXMLConfiguration.java
Wed Nov 10 11:39:50 2004
@@ -16,13 +16,6 @@
  */
 package org.apache.geronimo.jetty;
 
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Map;
-import java.util.Set;
 import javax.security.auth.Subject;
 import javax.security.jacc.PolicyConfiguration;
 import javax.security.jacc.PolicyContextException;
@@ -30,20 +23,32 @@
 import javax.security.jacc.WebRoleRefPermission;
 import javax.security.jacc.WebUserDataPermission;
 import javax.servlet.UnavailableException;
+import javax.management.ObjectName;
+import javax.management.MalformedObjectNameException;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Set;
 
+import org.mortbay.jetty.servlet.XMLConfiguration;
+import org.mortbay.xml.XmlParser;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+
 import org.apache.geronimo.security.GeronimoSecurityException;
 import org.apache.geronimo.security.RealmPrincipal;
+import org.apache.geronimo.security.deploy.AutoMapAssistant;
 import org.apache.geronimo.security.deploy.Principal;
 import org.apache.geronimo.security.deploy.Realm;
 import org.apache.geronimo.security.deploy.Role;
 import org.apache.geronimo.security.deploy.Security;
 import org.apache.geronimo.security.jacc.RoleMappingConfiguration;
+import org.apache.geronimo.security.realm.SecurityRealm;
 import org.apache.geronimo.security.util.ConfigurationUtil;
 import org.apache.geronimo.security.util.URLPattern;
-import org.mortbay.jetty.servlet.XMLConfiguration;
-import org.mortbay.xml.XmlParser;
 
 
 /**
@@ -53,6 +58,7 @@
  * @version $Rev$ $Date$
  */
 public class JettyXMLConfiguration extends XMLConfiguration {
+
     private static Log log = LogFactory.getLog(JettyXMLConfiguration.class);
 
     private final Set securityRoles = new HashSet();
@@ -118,10 +124,11 @@
      * <code>PolicyConfiguration</code> object as defined in the JACC spec.
      *
      * @param node deployment descriptor from which to obtain the
-     * security constraints that are to be translated.
-     * @throws org.apache.geronimo.security.GeronimoSecurityException if there
-     * is any violation of the semantics of the security descriptor or the state
-     * of the module configuration.
+     *             security constraints that are to be translated.
+     * @throws org.apache.geronimo.security.GeronimoSecurityException
+     *          if there
+     *          is any violation of the semantics of the security descriptor or the state
+     *          of the module configuration.
      * @see javax.security.jacc.PolicyConfiguration
      * @see "Java Authorization Contract for Containers", section 3.1.3
      */
@@ -202,7 +209,7 @@
      * PolicyConfiguration.
      *
      * @param configuration the JACC PolicyConfiguration
-     * @param security the augmented security information from the geronimo-web.xml file
+     * @param security      the augmented security information from the geronimo-web.xml
file
      */
     public void configure(PolicyConfiguration configuration, Security security) throws GeronimoSecurityException
{
 
@@ -289,38 +296,7 @@
                 configuration.addToUncheckedPolicy(new WebUserDataPermission(name, actions));
             }
 
-            JettyWebAppJACCContext context = (JettyWebAppJACCContext) getWebApplicationContext();
-            RoleMappingConfiguration roleMapper = (RoleMappingConfiguration) configuration;
-            Iterator rollMappings = security.getRoleMappings().iterator();
-            while (rollMappings.hasNext()) {
-                Role role = (Role) rollMappings.next();
-                String roleName = role.getRoleName();
-                Set principalSet = new HashSet();
-
-                if (!securityRoles.contains(roleName)) throw new GeronimoSecurityException("Role
does not exist in this configuration");
-
-                Subject roleDesignate = new Subject();
-
-                Iterator realms = role.getRealms().iterator();
-                while (realms.hasNext()) {
-                    Realm realm = (Realm) realms.next();
-
-                    Iterator principals = realm.getPrincipals().iterator();
-                    while (principals.hasNext()) {
-                        Principal principal = (Principal) principals.next();
-
-                        RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal,
realm.getRealmName());
-
-                        if (realmPrincipal == null) throw new GeronimoSecurityException("Unable
to create realm principal");
-
-                        principalSet.add(realmPrincipal);
-                        if (principal.isDesignatedRunAs()) roleDesignate.getPrincipals().add(realmPrincipal);
-                    }
-                }
-                roleMapper.addRoleMapping(roleName, principalSet);
-
-                if (roleDesignate.getPrincipals().size() > 0) context.setRoleDesignate(roleName,
roleDesignate);
-            }
+            addRoleMappings((RoleMappingConfiguration) configuration, security);
 
             Iterator keys = roleRefs.keySet().iterator();
             while (keys.hasNext()) {
@@ -350,6 +326,91 @@
             throw new GeronimoSecurityException("Policy configuration object does not implement
RoleMappingConfiguration", cce.getCause());
         } catch (PolicyContextException e) {
             throw new GeronimoSecurityException(e);
+        }
+    }
+
+    protected void addRoleMappings(RoleMappingConfiguration roleMapper, Security security)
throws PolicyContextException, GeronimoSecurityException {
+        autoMapRoles(roleMapper, security);
+        addExplicitMappings(roleMapper, security);
+    }
+
+    protected void autoMapRoles(RoleMappingConfiguration roleMapper, Security security) throws
PolicyContextException, GeronimoSecurityException {
+
+        JettyWebAppJACCContext context = (JettyWebAppJACCContext) getWebApplicationContext();
+        AutoMapAssistant config = security.getAssistant();
+        try {
+            if (config != null) {
+                ObjectName assistantName = new ObjectName("geronimo.security:type=SecurityRealm,realm="
+ config.getSecurityRealm());
+                Set assistants = context.getKernel().listGBeans(assistantName);
+                if (assistants.size() < 1 || assistants.size() > 1) throw new GeronimoSecurityException("Only
one auto mapping assistant should match " + assistantName);
+
+                org.apache.geronimo.security.realm.AutoMapAssistant assistant = (org.apache.geronimo.security.realm.AutoMapAssistant)
assistants.iterator().next();
+                String realmName = ((SecurityRealm) assistant).getRealmName();
+                Iterator principalClasses = null;
+                if (config.getClassOverrides().size() > 0) {
+                    principalClasses = config.getClassOverrides().iterator();
+                } else {
+                    principalClasses = assistant.obtainRolePrincipalClasses().iterator();
+                }
+
+                Iterator roles = securityRoles.iterator();
+                while (roles.hasNext()) {
+                    String roleName = (String) roles.next();
+                    Set principalSet = new HashSet();
+                    Subject roleDesignate = new Subject();
+
+                    while (principalClasses.hasNext()) {
+                        Principal principal = new Principal();
+                        principal.setClassName((String) principalClasses.next());
+                        principal.setPrincipalName(roleName);
+
+                        RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal,
realmName);
+                        if (realmPrincipal == null) throw new GeronimoSecurityException("Unable
to create realm principal");
+
+                        principalSet.add(realmPrincipal);
+                        roleDesignate.getPrincipals().add(realmPrincipal);
+                    }
+                    roleMapper.addRoleMapping(roleName, principalSet);
+                    if (roleDesignate.getPrincipals().size() > 0) context.setRoleDesignate(roleName,
roleDesignate);
+                }
+            }
+        } catch (MalformedObjectNameException e) {
+            throw new GeronimoSecurityException("Bad object name geronimo.security:type=SecurityRealm,realm="
+ config.getSecurityRealm());
+        }
+    }
+
+    protected void addExplicitMappings(RoleMappingConfiguration roleMapper, Security security)
throws PolicyContextException, GeronimoSecurityException {
+
+        JettyWebAppJACCContext context = (JettyWebAppJACCContext) getWebApplicationContext();
+
+        Iterator rollMappings = security.getRoleMappings().iterator();
+        while (rollMappings.hasNext()) {
+            Role role = (Role) rollMappings.next();
+            String roleName = role.getRoleName();
+            Set principalSet = new HashSet();
+
+            if (!securityRoles.contains(roleName)) throw new GeronimoSecurityException("Role
does not exist in this configuration");
+
+            Subject roleDesignate = new Subject();
+
+            Iterator realms = role.getRealms().iterator();
+            while (realms.hasNext()) {
+                Realm realm = (Realm) realms.next();
+
+                Iterator principals = realm.getPrincipals().iterator();
+                while (principals.hasNext()) {
+                    Principal principal = (Principal) principals.next();
+
+                    RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(principal,
realm.getRealmName());
+                    if (realmPrincipal == null) throw new GeronimoSecurityException("Unable
to create realm principal");
+
+                    principalSet.add(realmPrincipal);
+                    if (principal.isDesignatedRunAs()) roleDesignate.getPrincipals().add(realmPrincipal);
+                }
+            }
+            roleMapper.addRoleMapping(roleName, principalSet);
+
+            if (roleDesignate.getPrincipals().size() > 0) context.setRoleDesignate(roleName,
roleDesignate);
         }
     }
 }

Modified: geronimo/trunk/modules/jetty/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
==============================================================================
--- geronimo/trunk/modules/jetty/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
(original)
+++ geronimo/trunk/modules/jetty/src/test-resources/deployables/war3/WEB-INF/geronimo-web.xml
Wed Nov 10 11:39:50 2004
@@ -16,12 +16,16 @@
     limitations under the License.
 -->
 
-<web-app xmlns="http://geronimo.apache.org/xml/ns/web/jetty" configId="org/apache/geronimo/test">
+<web-app
+    xmlns="http://geronimo.apache.org/xml/ns/web/jetty"
+    xmlns:sec="http://geronimo.apache.org/xml/ns/security"
+    configId="org/apache/geronimo/test">
+
     <context-root>/test</context-root>
     <context-priority-classloader>false</context-priority-classloader>
-    <security>
-        <default-principal realm-name="demo-properties-realm">
-            <principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
name="izumi"/>
-        </default-principal>
-    </security>
+    <sec:security>
+        <sec:default-principal realm-name="demo-properties-realm">
+            <sec:principal class="org.apache.geronimo.security.realm.providers.PropertiesFileUserPrincipal"
name="izumi"/>
+        </sec:default-principal>
+    </sec:security>
 </web-app>

Modified: geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java
==============================================================================
--- geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java	(original)
+++ geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/SecurityTest.java	Wed
Nov 10 11:39:50 2004
@@ -105,6 +105,7 @@
 
         GBeanMBean app = new GBeanMBean(JettyWebAppJACCContext.GBEAN_INFO);
 
+        app.setAttribute("kernel", kernel);
         app.setAttribute("uri", URI.create("war3/"));
         app.setAttribute("componentContext", null);
         OnlineUserTransaction userTransaction = new OnlineUserTransaction();

Modified: geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
==============================================================================
--- geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
(original)
+++ geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
Wed Nov 10 11:39:50 2004
@@ -16,17 +16,21 @@
  */
 package org.apache.geronimo.security.deployment;
 
-import org.apache.geronimo.security.deploy.Security;
+import org.apache.geronimo.security.deploy.AutoMapAssistant;
 import org.apache.geronimo.security.deploy.DefaultPrincipal;
-import org.apache.geronimo.security.deploy.Role;
-import org.apache.geronimo.security.deploy.Realm;
 import org.apache.geronimo.security.deploy.Principal;
-import org.apache.geronimo.xbeans.geronimo.security.GerSecurityType;
+import org.apache.geronimo.security.deploy.Realm;
+import org.apache.geronimo.security.deploy.Role;
+import org.apache.geronimo.security.deploy.Security;
+import org.apache.geronimo.xbeans.geronimo.security.GerAutoMapRolesType;
+import org.apache.geronimo.xbeans.geronimo.security.GerClassOverrideType;
 import org.apache.geronimo.xbeans.geronimo.security.GerDefaultPrincipalType;
+import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType;
+import org.apache.geronimo.xbeans.geronimo.security.GerRealmType;
 import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType;
 import org.apache.geronimo.xbeans.geronimo.security.GerRoleType;
-import org.apache.geronimo.xbeans.geronimo.security.GerRealmType;
-import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType;
+import org.apache.geronimo.xbeans.geronimo.security.GerSecurityType;
+
 
 /**
  * @version $Rev:  $ $Date:  $
@@ -74,6 +78,20 @@
 
                     security.getRoleMappings().add(role);
                 }
+            }
+
+            GerAutoMapRolesType autoMapRolesType = securityType.getAutoMapRoles();
+            if (autoMapRolesType != null) {
+                AutoMapAssistant assistant = new AutoMapAssistant();
+
+                assistant.setSecurityRealm(autoMapRolesType.getSecurityRealm());
+
+                GerClassOverrideType[] classOverrideArray = autoMapRolesType.getClassOverrideArray();
+                for (int i = 0; i < classOverrideArray.length; i++) {
+                    assistant.getClassOverrides().add(classOverrideArray[i].getClass1());
+                }
+
+                security.setAssistant(assistant);
             }
         }
 

Modified: geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd
==============================================================================
--- geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd	(original)
+++ geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd	Wed Nov 10 11:39:50
2004
@@ -40,7 +40,8 @@
         </xsd:annotation>
         <xsd:sequence>
             <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0"
maxOccurs="unbounded"/>
-            <xsd:element name="default-principal" type="geronimo:default-principalType"/>
+            <xsd:element name="auto-map-roles" type="geronimo:auto-map-rolesType" minOccurs="0"/>
+            <xsd:element name="default-principal" type="geronimo:default-principalType"
minOccurs="0"/>
             <xsd:element name="role-mappings" type="geronimo:role-mappingsType" minOccurs="0"/>
         </xsd:sequence>
         <xsd:attribute name="doas-current-caller" type="xsd:boolean" default="false">
@@ -111,6 +112,25 @@
                 </xsd:documentation>
             </xsd:annotation>
         </xsd:attribute>
+    </xsd:complexType>
+    <xsd:complexType name="auto-map-rolesType">
+        <xsd:sequence>
+            <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0"
maxOccurs="unbounded"/>
+            <xsd:element name="class-override" type="geronimo:class-overrideType" minOccurs="0"
maxOccurs="unbounded"/>
+        </xsd:sequence>
+        <xsd:attribute name="security-realm" type="xsd:string" use="required"/>
+    </xsd:complexType>
+    <xsd:complexType name="class-overrideType">
+        <xsd:annotation>
+            <xsd:documentation>
+                Class overrides allow a deployer to specify a different set of
+                principal classes to be used in the auto mapping of roles.
+            </xsd:documentation>
+        </xsd:annotation>
+        <xsd:sequence>
+            <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0"
maxOccurs="unbounded"/>
+        </xsd:sequence>
+        <xsd:attribute name="class" type="xsd:string" use="required"/>
     </xsd:complexType>
 
 </xsd:schema>

Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/AutoMapAssistant.java
==============================================================================
--- (empty file)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/AutoMapAssistant.java
Wed Nov 10 11:39:50 2004
@@ -0,0 +1,44 @@
+/**
+ *
+ * Copyright 2004 The Apache Software Foundation
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.geronimo.security.deploy;
+
+import javax.management.ObjectName;
+import java.io.Serializable;
+import java.util.HashSet;
+import java.util.Set;
+
+
+/**
+ * @version $Rev: $ $Date: $
+ */
+public class AutoMapAssistant implements Serializable {
+
+    private String securityRealm;
+    private Set classOverrides = new HashSet();
+
+    public String getSecurityRealm() {
+        return securityRealm;
+    }
+
+    public void setSecurityRealm(String securityRealm) {
+        this.securityRealm = securityRealm;
+    }
+
+    public Set getClassOverrides() {
+        return classOverrides;
+    }
+}

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java
Wed Nov 10 11:39:50 2004
@@ -31,6 +31,7 @@
     private String defaultRole;
     private DefaultPrincipal defaultPrincipal;
     private Set roleMappings = new HashSet();
+    private AutoMapAssistant assistant;
 
     public boolean isDoAsCurrentCaller() {
         return doAsCurrentCaller;
@@ -66,5 +67,13 @@
 
     public Set getRoleMappings() {
         return roleMappings;
+    }
+
+    public AutoMapAssistant getAssistant() {
+        return assistant;
+    }
+
+    public void setAssistant(AutoMapAssistant assistant) {
+        this.assistant = assistant;
     }
 }

Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/AutoMapAssistant.java
==============================================================================
--- (empty file)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/AutoMapAssistant.java
Wed Nov 10 11:39:50 2004
@@ -0,0 +1,50 @@
+/**
+ *
+ * Copyright 2004 The Apache Software Foundation
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License");
+ *  you may not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.geronimo.security.realm;
+
+import java.util.Set;
+
+import org.apache.geronimo.security.deploy.Principal;
+
+
+/**
+ * Provides a way for security realms to provide reasonable defaults for
+ * principal to role mapping.
+ * <p/>
+ * This interface is used by the deployment code to automatically map
+ * principals to roles.
+ *
+ * @version $Rev: $ $Date: $
+ */
+public interface AutoMapAssistant {
+
+    /**
+     * Provides the default principal to be used when an unauthenticated
+     * subject uses a container.
+     *
+     * @return the default principal
+     */
+    public Principal obtainDefaultPrincipal();
+
+    /**
+     * Provides a set of principal class names to be used when automatically
+     * mapping principals to roles.
+     *
+     * @return a set of principal class names
+     */
+    public Set obtainRolePrincipalClasses();
+}

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/AbstractSecurityRealm.java
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/AbstractSecurityRealm.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/AbstractSecurityRealm.java
Wed Nov 10 11:39:50 2004
@@ -72,15 +72,9 @@
     static {
         GBeanInfoBuilder infoFactory = new GBeanInfoBuilder(AbstractSecurityRealm.class);
 
+        infoFactory.addInterface(SecurityRealm.class);
         infoFactory.addAttribute("realmName", String.class, true);
-        infoFactory.addAttribute("maxLoginModuleAge", long.class, true);
-
-        infoFactory.addOperation("getGroupPrincipals");
-        infoFactory.addOperation("getGroupPrincipals", new Class[]{RE.class});
-        infoFactory.addOperation("getUserPrincipals");
-        infoFactory.addOperation("getUserPrincipals", new Class[]{RE.class});
-        infoFactory.addOperation("refresh");
-        infoFactory.addOperation("getAppConfigurationEntries");
+        infoFactory.addAttribute("maxLoginModuleAge", Long.TYPE, true);
 
         infoFactory.setConstructor(new String[]{"realmName"});
 

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileSecurityRealm.java
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileSecurityRealm.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/PropertiesFileSecurityRealm.java
Wed Nov 10 11:39:50 2004
@@ -32,6 +32,8 @@
 import org.apache.geronimo.gbean.GBeanInfo;
 import org.apache.geronimo.gbean.GBeanInfoBuilder;
 import org.apache.geronimo.security.GeronimoSecurityException;
+import org.apache.geronimo.security.deploy.Principal;
+import org.apache.geronimo.security.realm.AutoMapAssistant;
 import org.apache.geronimo.system.serverinfo.ServerInfo;
 import org.apache.regexp.RE;
 
@@ -39,7 +41,8 @@
 /**
  * @version $Rev$ $Date$
  */
-public class PropertiesFileSecurityRealm extends AbstractSecurityRealm {
+public class PropertiesFileSecurityRealm extends AbstractSecurityRealm implements AutoMapAssistant
{
+
     private static Log log = LogFactory.getLog(PropertiesFileSecurityRealm.class);
 
     private final ServerInfo serverInfo;
@@ -47,8 +50,9 @@
     private boolean running = false;
     private URI usersURI;
     private URI groupsURI;
-    final Properties users = new Properties();
-    final Properties groups = new Properties();
+    private final Properties users = new Properties();
+    private final Properties groups = new Properties();
+    private String defaultPrincipal;
 
     final static String REALM_INSTANCE = "org.apache.geronimo.security.realm.providers.PropertiesFileSecurityRealm";
 
@@ -99,6 +103,17 @@
         this.groupsURI = groupsURI;
     }
 
+    public String getDefaultPrincipal() {
+        return defaultPrincipal;
+    }
+
+    public void setDefaultPrincipal(String defaultPrincipal) {
+        if (running) {
+            throw new IllegalStateException("Cannot change the default principal after the
realm is started");
+        }
+        this.defaultPrincipal = defaultPrincipal;
+    }
+
     public Set getGroupPrincipals() throws GeronimoSecurityException {
         if (!running) {
             throw new IllegalStateException("Cannot obtain Groups until the realm is started");
@@ -194,17 +209,46 @@
         return true;
     }
 
+    /**
+     * Provides the default principal to be used when an unauthenticated
+     * subject uses a container.
+     *
+     * @return the default principal
+     */
+    public Principal obtainDefaultPrincipal() {
+        Principal principal = new Principal();
+
+        principal.setClassName(PropertiesFileUserPrincipal.class.getName());
+        principal.setPrincipalName(defaultPrincipal);
+
+        return principal;
+    }
+
+    /**
+     * Provides a set of principal class names to be used when automatically
+     * mapping principals to roles.
+     *
+     * @return a set of principal class names
+     */
+    public Set obtainRolePrincipalClasses() {
+        Set principals = new HashSet();
+
+        principals.add(PropertiesFileGroupPrincipal.class.getName());
+
+        return principals;
+    }
+
     public static final GBeanInfo GBEAN_INFO;
 
     static {
         GBeanInfoBuilder infoFactory = new GBeanInfoBuilder(PropertiesFileSecurityRealm.class,
AbstractSecurityRealm.GBEAN_INFO);
 
+        infoFactory.addInterface(AutoMapAssistant.class);
         infoFactory.addAttribute("usersURI", URI.class, true);
         infoFactory.addAttribute("groupsURI", URI.class, true);
+        infoFactory.addAttribute("defaultPrincipal", String.class, true);
 
         infoFactory.addReference("ServerInfo", ServerInfo.class);
-
-        infoFactory.addOperation("isLoginModuleLocal");
 
         infoFactory.setConstructor(new String[]{"realmName", "usersURI", "groupsURI", "ServerInfo"});
 

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLSecurityRealm.java
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLSecurityRealm.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/realm/providers/SQLSecurityRealm.java
Wed Nov 10 11:39:50 2004
@@ -17,6 +17,7 @@
 
 package org.apache.geronimo.security.realm.providers;
 
+import javax.security.auth.login.AppConfigurationEntry;
 import java.sql.Connection;
 import java.sql.DriverManager;
 import java.sql.PreparedStatement;
@@ -28,21 +29,24 @@
 import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
-import javax.security.auth.login.AppConfigurationEntry;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.apache.regexp.RE;
+
 import org.apache.geronimo.gbean.GBeanInfo;
 import org.apache.geronimo.gbean.GBeanInfoBuilder;
 import org.apache.geronimo.security.GeronimoSecurityException;
-import org.apache.regexp.RE;
+import org.apache.geronimo.security.deploy.Principal;
+import org.apache.geronimo.security.realm.AutoMapAssistant;
 
 
 /**
  * @version $Rev$ $Date$
  */
 
-public class SQLSecurityRealm extends AbstractSecurityRealm {
+public class SQLSecurityRealm extends AbstractSecurityRealm implements AutoMapAssistant {
+
     private static Log log = LogFactory.getLog(SQLSecurityRealm.class);
     public final static String USER_SELECT = "org.apache.geronimo.security.realm.providers.SQLSecurityRealm.USER_SELECT";
     public final static String GROUP_SELECT = "org.apache.geronimo.security.realm.providers.SQLSecurityRealm.GROUP_SELECT";
@@ -56,8 +60,9 @@
     private String password = "";
     private String userSelect = "SELECT UserName, Password FROM Users";
     private String groupSelect = "SELECT GroupName, UserName FROM Groups";
-    final Map users = new HashMap();
-    final Map groups = new HashMap();
+    private final Map users = new HashMap();
+    private final Map groups = new HashMap();
+    private String defaultPrincipal;
 
     /**
      * @deprecated
@@ -147,6 +152,16 @@
         this.groupSelect = groupSelect;
     }
 
+    public String getDefaultPrincipal() {
+        return defaultPrincipal;
+    }
+
+    public void setDefaultPrincipal(String defaultPrincipal) {
+        if (running) {
+            throw new IllegalStateException("Cannot change the default principal after the
realm is started");
+        }
+        this.defaultPrincipal = defaultPrincipal;
+    }
 
     public Set getGroupPrincipals() throws GeronimoSecurityException {
         if (!running) {
@@ -277,8 +292,8 @@
         options.put(PASSWORD, password);
 
         AppConfigurationEntry entry = new AppConfigurationEntry("org.apache.geronimo.security.realm.providers.SQLLoginModule",
-                AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT,
-                options);
+                                                                AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT,
+                                                                options);
 
         return new AppConfigurationEntry[]{entry};
     }
@@ -287,18 +302,47 @@
         return true;
     }
 
+    /**
+     * Provides the default principal to be used when an unauthenticated
+     * subject uses a container.
+     *
+     * @return the default principal
+     */
+    public Principal obtainDefaultPrincipal() {
+        Principal principal = new Principal();
+
+        principal.setClassName(PropertiesFileUserPrincipal.class.getName());
+        principal.setPrincipalName(defaultPrincipal);
+
+        return principal;
+    }
+
+    /**
+     * Provides a set of principal class names to be used when automatically
+     * mapping principals to roles.
+     *
+     * @return a set of principal class names
+     */
+    public Set obtainRolePrincipalClasses() {
+        Set principals = new HashSet();
+
+        principals.add(PropertiesFileGroupPrincipal.class.getName());
+
+        return principals;
+    }
+
     public static final GBeanInfo GBEAN_INFO;
 
     static {
         GBeanInfoBuilder infoFactory = new GBeanInfoBuilder(SQLSecurityRealm.class, AbstractSecurityRealm.GBEAN_INFO);
 
+        infoFactory.addInterface(AutoMapAssistant.class);
         infoFactory.addAttribute("connectionURL", String.class, true);
         infoFactory.addAttribute("user", String.class, true);
         infoFactory.addAttribute("password", String.class, true);
         infoFactory.addAttribute("userSelect", String.class, true);
         infoFactory.addAttribute("groupSelect", String.class, true);
-
-        infoFactory.addOperation("isLoginModuleLocal");
+        infoFactory.addAttribute("defaultPrincipal", String.class, true);
 
         infoFactory.setConstructor(new String[]{
             "realmName",

Mime
View raw message