Delivered-To: apmail-geronimo-scm-archive@www.apache.org
Mailing-List: contact scm-help@geronimo.apache.org; run by ezmlm
Reply-To: dev@geronimo.apache.org
Delivered-To: mailing list scm@geronimo.apache.org
Date: 19 Dec 2004 19:11:09 -0000
Message-ID: <20041219191109.29754.qmail@minotaur.apache.org>
From: djencks@apache.org
To: scm@geronimo.apache.org
Subject: svn commit: r122776 - in geronimo/trunk/modules: assembly/src/plan j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames jetty-builder/src/java/org/apache/geronimo/jetty/deployment jetty-builder/src/test/org/apache/geronimo/jetty/deployment jetty/src/java/org/apache/geronimo/jetty jetty/src/java/org/apache/geronimo/jetty/interceptor jetty/src/test/org/apache/geronimo/jetty security/src/java/org/apache/geronimo/security security/src/java/org/apache/geronimo/security/deploy tomcat/src/test/org/apache/geronimo/tomcat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Author: djencks
Date: Sun Dec 19 11:11:07 2004
New Revision: 122776

URL: http://svn.apache.org/viewcvs?view=rev&rev=122776
Log:
merge JettyWebAppJACCContext into JettyWebAppContext

Removed:
   geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java
Modified:
   geronimo/trunk/modules/assembly/src/plan/j2ee-deployer-plan.xml
   geronimo/trunk/modules/assembly/src/plan/j2ee-server-plan.xml
   geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java
   geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java
   geronimo/trunk/modules/jetty-builder/src/test/org/apache/geronimo/jetty/deployment/JettyModuleBuilderTest.java
   geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyPrincipal.java
   geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java
   geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
   geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java
   geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/SecurityServiceImpl.java
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java Modified: geronimo/trunk/modules/assembly/src/plan/j2ee-deployer-plan.xml Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/assembly/src/plan/j2ee-deployer-plan.xml?view=diff&rev=122776&p1=geronimo/trunk/modules/assembly/src/plan/j2ee-deployer-plan.xml&r1=122775&p2=geronimo/trunk/modules/assembly/src/plan/j2ee-deployer-plan.xml&r2=122776 ============================================================================== --- geronimo/trunk/modules/assembly/src/plan/j2ee-deployer-plan.xml (original) +++ geronimo/trunk/modules/assembly/src/plan/j2ee-deployer-plan.xml Sun Dec 19 11:11:07 2004 @@ -163,7 +163,7 @@ org.apache.geronimo.security.jacc.GeronimoPolicyConfigurationFactory - geronimo.security:type=SecurityRealm,* + geronimo.security:type=SecurityRealm,* Modified: geronimo/trunk/modules/assembly/src/plan/j2ee-server-plan.xml Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/assembly/src/plan/j2ee-server-plan.xml?view=diff&rev=122776&p1=geronimo/trunk/modules/assembly/src/plan/j2ee-server-plan.xml&r1=122775&p2=geronimo/trunk/modules/assembly/src/plan/j2ee-server-plan.xml&r2=122776 ============================================================================== --- geronimo/trunk/modules/assembly/src/plan/j2ee-server-plan.xml (original) +++ geronimo/trunk/modules/assembly/src/plan/j2ee-server-plan.xml Sun Dec 19 11:11:07 2004 
@@ -157,7 +157,7 @@ org.apache.geronimo.security.jacc.GeronimoPolicyConfigurationFactory - geronimo.security:type=SecurityRealm,* + geronimo.security:type=SecurityRealm,* Modified: geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java?view=diff&rev=122776&p1=geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java&r1=122775&p2=geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java&r2=122776 ============================================================================== --- geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java (original) +++ geronimo/trunk/modules/j2ee/src/java/org/apache/geronimo/j2ee/j2eeobjectnames/NameFactory.java Sun Dec 19 11:11:07 2004 
@@ -210,4 +210,8 @@ return ObjectName.getInstance(context.getJ2eeDomainName(j2eeDomainName), props); } + //TODO parameterize this + public static ObjectName getSecurityRealmName(String realmName) throws MalformedObjectNameException { + return ObjectName.getInstance("geronimo.security:type=SecurityRealm,name=" + realmName); + } } Modified: geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java?view=diff&rev=122776&p1=geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java&r1=122775&p2=geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java&r2=122776 ============================================================================== --- geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java (original) +++ geronimo/trunk/modules/jetty-builder/src/java/org/apache/geronimo/jetty/deployment/JettyModuleBuilder.java Sun Dec 19 11:11:07 2004 @@ -46,13 +46,6 @@ import javax.security.jacc.WebUserDataPermission; import javax.transaction.UserTransaction; -import org.apache.xmlbeans.XmlException; -import org.apache.xmlbeans.XmlObject; -import org.mortbay.http.BasicAuthenticator; -import org.mortbay.http.ClientCertAuthenticator; -import org.mortbay.http.DigestAuthenticator; -import org.mortbay.jetty.servlet.FormAuthenticator; - import org.apache.geronimo.common.DeploymentException; import org.apache.geronimo.deployment.service.GBeanHelper; import org.apache.geronimo.deployment.util.DeploymentUtil; 
@@ -71,7 +64,6 @@ import org.apache.geronimo.jetty.JettyFilterMapping; import org.apache.geronimo.jetty.JettyServletHolder; import org.apache.geronimo.jetty.JettyWebAppContext; -import org.apache.geronimo.jetty.JettyWebAppJACCContext; import org.apache.geronimo.kernel.Kernel; import org.apache.geronimo.naming.deployment.ENCConfigBuilder; import org.apache.geronimo.naming.deployment.GBeanResourceEnvironmentBuilder; @@ -79,6 +71,7 @@ import org.apache.geronimo.schema.SchemaConversionUtils; import org.apache.geronimo.security.SecurityService; import org.apache.geronimo.security.deploy.Security; +import org.apache.geronimo.security.deploy.AutoMapAssistant; import org.apache.geronimo.security.deployment.SecurityBuilder; import org.apache.geronimo.security.util.URLPattern; import org.apache.geronimo.transaction.OnlineUserTransaction; @@ -111,6 +104,12 @@ import org.apache.geronimo.xbeans.j2ee.WebAppType; import org.apache.geronimo.xbeans.j2ee.WebResourceCollectionType; import org.apache.geronimo.xbeans.j2ee.WelcomeFileListType; +import org.apache.xmlbeans.XmlException; +import org.apache.xmlbeans.XmlObject; +import org.mortbay.http.BasicAuthenticator; +import org.mortbay.http.ClientCertAuthenticator; +import org.mortbay.http.DigestAuthenticator; +import org.mortbay.jetty.servlet.FormAuthenticator; /** 
@@ -368,27 +367,29 @@ UserTransaction userTransaction = new OnlineUserTransaction(); ReadOnlyContext compContext = buildComponentContext(earContext, webModule, webApp, jettyWebApp, userTransaction, webClassLoader); - GBeanData webModuleData; + GBeanData webModuleData = new GBeanData(webModuleName, JettyWebAppContext.GBEAN_INFO); try { Set securityRoles = new HashSet(); if (jettyWebApp.isSetLoginDomainName()) { - webModuleData = new GBeanData(webModuleName, JettyWebAppJACCContext.GBEAN_INFO); Security security = SecurityBuilder.buildSecurityConfig(jettyWebApp.getSecurity(), collectRoleNames(webApp)); security.autoGenerate(securityService); webModuleData.setAttribute("loginDomainName", jettyWebApp.getLoginDomainName().trim()); webModuleData.setAttribute("securityConfig", security); - String policyContextID; - if (earContext.getApplicationObjectName() == null) { - policyContextID = module.getName(); - } else { - policyContextID = earContext.getApplicationObjectName().toString(); - } + String policyContextID = webModuleName.getCanonicalName(); webModuleData.setAttribute("policyContextID", policyContextID); buildSpecSecurityConfig(webApp, webModuleData, securityRoles); - - } else { - webModuleData = new GBeanData(webModuleName, JettyWebAppContext.GBEAN_INFO); + AutoMapAssistant assistant = security.getAssistant(); + if (assistant != null) { + String realmName = assistant.getSecurityRealm(); + ObjectName securityRealmName = null; + try { + securityRealmName = NameFactory.getSecurityRealmName(realmName); + } catch (MalformedObjectNameException e) { + throw new DeploymentException("Could not construct security realm name", e); + } + webModuleData.setReferencePattern("SecurityRealm", securityRealmName); + } } webModuleData.setAttribute("uri", URI.create(module.getTargetPath() + "/")); Modified: geronimo/trunk/modules/jetty-builder/src/test/org/apache/geronimo/jetty/deployment/JettyModuleBuilderTest.java Url: 
http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty-builder/src/test/org/apache/geronimo/jetty/deployment/JettyModuleBuilderTest.java?view=diff&rev=122776&p1=geronimo/trunk/modules/jetty-builder/src/test/org/apache/geronimo/jetty/deployment/JettyModuleBuilderTest.java&r1=122775&p2=geronimo/trunk/modules/jetty-builder/src/test/org/apache/geronimo/jetty/deployment/JettyModuleBuilderTest.java&r2=122776 ============================================================================== --- geronimo/trunk/modules/jetty-builder/src/test/org/apache/geronimo/jetty/deployment/JettyModuleBuilderTest.java (original) +++ geronimo/trunk/modules/jetty-builder/src/test/org/apache/geronimo/jetty/deployment/JettyModuleBuilderTest.java Sun Dec 19 11:11:07 2004 
@@ -184,7 +184,7 @@ kernel = new Kernel("test.kernel"); kernel.boot(); ObjectName defaultServlets = ObjectName.getInstance("test:name=test,type=none,*"); - SecurityServiceImpl securityService = new SecurityServiceImpl("org.apache.geronimo.security.jacc.GeronimoPolicyConfigurationFactory", null, null); + SecurityServiceImpl securityService = new SecurityServiceImpl("org.apache.geronimo.security.jacc.GeronimoPolicyConfigurationFactory", null); builder = new JettyModuleBuilder(new URI("null"), new Integer(1800), Collections.EMPTY_LIST, containerName, defaultServlets, null, null, securityService, kernel); Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyPrincipal.java Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyPrincipal.java?view=diff&rev=122776&p1=geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyPrincipal.java&r1=122775&p2=geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyPrincipal.java&r2=122776 ============================================================================== --- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyPrincipal.java (original) +++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JAASJettyPrincipal.java Sun Dec 19 11:11:07 2004 
@@ -41,7 +41,7 @@ return subject; } - void setSubject(Subject subject) { + public void setSubject(Subject subject) { this.subject = subject; } Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java?view=diff&rev=122776&p1=geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java&r1=122775&p2=geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java&r2=122776 ============================================================================== --- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java (original) +++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppContext.java Sun Dec 19 11:11:07 2004 @@ -24,12 +24,15 @@ import java.util.Iterator; import java.util.Map; import java.util.Set; +import java.security.PermissionCollection; +import java.io.IOException; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.mortbay.http.Authenticator; import org.mortbay.http.HttpRequest; import org.mortbay.http.HttpResponse; +import org.mortbay.http.HttpException; import org.mortbay.jetty.servlet.AbstractSessionManager; import org.mortbay.jetty.servlet.FilterHolder; import org.mortbay.jetty.servlet.JSR154Filter; 
@@ -47,10 +50,13 @@ import org.apache.geronimo.jetty.interceptor.ThreadClassloaderBeforeAfter; import org.apache.geronimo.jetty.interceptor.TransactionContextBeforeAfter; import org.apache.geronimo.jetty.interceptor.WebApplicationContextBeforeAfter; +import org.apache.geronimo.jetty.interceptor.SecurityContextBeforeAfter; import org.apache.geronimo.naming.java.ReadOnlyContext; import org.apache.geronimo.transaction.OnlineUserTransaction; import org.apache.geronimo.transaction.TrackedConnectionAssociator; import org.apache.geronimo.transaction.context.TransactionContextManager; +import org.apache.geronimo.security.deploy.Security; +import org.apache.geronimo.security.realm.AutoMapAssistant; /** @@ -68,9 +74,9 @@ private final WebApplicationHandler handler; private String displayName; - //TODO make these private final again! - protected BeforeAfter chain; - protected int contextLength; + private final BeforeAfter chain; + private final int contextLength; + private final SecurityContextBeforeAfter securityInterceptor; /** * @deprecated never use this... this is only here because Jetty WebApplicationContext is externalizable 
@@ -82,34 +88,45 @@ handler = null; chain = null; contextLength = 0; + securityInterceptor = null; } public JettyWebAppContext(URI uri, - ReadOnlyContext componentContext, - OnlineUserTransaction userTransaction, - ClassLoader classLoader, - URI[] webClassPath, - boolean contextPriorityClassLoader, - URL configurationBaseUrl, - Set unshareableResources, - Set applicationManagedSecurityResources, - - String displayName, - Map contextParamMap, - Collection listenerClassNames, - boolean distributable, - Map mimeMap, - String[] welcomeFiles, - Map localeEncodingMapping, - Map errorPages, - Authenticator authenticator, - String realmName, - Map tagLibMap, - int sessionTimeoutSeconds, - - TransactionContextManager transactionContextManager, - TrackedConnectionAssociator trackedConnectionAssociator, - JettyContainer jettyContainer) throws Exception, IllegalAccessException, InstantiationException, ClassNotFoundException { + ReadOnlyContext componentContext, + OnlineUserTransaction userTransaction, + ClassLoader classLoader, + URI[] webClassPath, + boolean contextPriorityClassLoader, + URL configurationBaseUrl, + Set unshareableResources, + Set applicationManagedSecurityResources, + + String displayName, + Map contextParamMap, + Collection listenerClassNames, + boolean distributable, + Map mimeMap, + String[] welcomeFiles, + Map localeEncodingMapping, + Map errorPages, + Authenticator authenticator, + String realmName, + Map tagLibMap, + int sessionTimeoutSeconds, + + String policyContextID, + String loginDomainName, + Security securityConfig, + //from jettyxmlconfig + Set securityRoles, + PermissionCollection uncheckedPermissions, + PermissionCollection excludedPermissions, + Map rolePermissions, + + TransactionContextManager transactionContextManager, + TrackedConnectionAssociator trackedConnectionAssociator, + JettyContainer jettyContainer, + AutoMapAssistant assistant) throws Exception, IllegalAccessException, InstantiationException, ClassNotFoundException { assert uri 
!= null; assert componentContext != null; @@ -163,6 +180,17 @@ interceptor = new ComponentContextBeforeAfter(interceptor, index++, componentContext); interceptor = new ThreadClassloaderBeforeAfter(interceptor, index++, index++, this.classLoader); interceptor = new WebApplicationContextBeforeAfter(interceptor, index++, this); +//JACC + if (securityConfig != null) { + //set the JAASJettyRealm as our realm. + JAASJettyRealm realm = new JAASJettyRealm(realmName, loginDomainName); + setRealm(realm); + this.securityInterceptor = new SecurityContextBeforeAfter(interceptor, index++, index++, policyContextID, securityConfig, loginDomainName, assistant, authenticator, securityRoles, uncheckedPermissions, excludedPermissions, rolePermissions, realm); + interceptor = securityInterceptor; + } else { + securityInterceptor = null; + } +//end JACC chain = interceptor; contextLength = index; @@ -216,24 +244,27 @@ super.stop(); return; } + jettyContainer.removeContext(this); + if (securityInterceptor != null) { + securityInterceptor.stop(); + } Object context = enterContextScope(null, null); try { super.doStop(); } finally { leaveContextScope(null, null, context); } - jettyContainer.removeContext(this); log.info("JettyWebAppContext stopped"); } public void doFail() { try { + //this will call doStop super.stop(); } catch (InterruptedException e) { } - jettyContainer.removeContext(this); log.info("JettyWebAppContext failed"); } @@ -314,6 +345,9 @@ handler.mapPathToServlet(urlPattern, servletName); } } + if (securityInterceptor != null) { + securityInterceptor.registerServletHolder(webRoleRefPermissions); + } Object context = enterContextScope(null, null); try { servletHolder.start(); 
@@ -322,6 +356,14 @@ } } + public boolean checkSecurityConstraints(String pathInContext, HttpRequest request, HttpResponse response) throws HttpException, IOException { + if (securityInterceptor != null) { + return securityInterceptor.checkSecurityConstraints(pathInContext, request, response); + } + return super.checkSecurityConstraints(pathInContext, request, response); + } + + public static final GBeanInfo GBEAN_INFO; static { @@ -361,6 +403,17 @@ infoBuilder.addInterface(JettyServletRegistration.class); + infoBuilder.addAttribute("policyContextID", String.class, true); + infoBuilder.addAttribute("loginDomainName", String.class, true); + infoBuilder.addAttribute("securityConfig", Security.class, true); + + infoBuilder.addAttribute("securityRoles", Set.class, true); + infoBuilder.addAttribute("uncheckedPermissions", PermissionCollection.class, true); + infoBuilder.addAttribute("excludedPermissions", PermissionCollection.class, true); + infoBuilder.addAttribute("rolePermissions", Map.class, true); + + infoBuilder.addReference("SecurityRealm", AutoMapAssistant.class); + infoBuilder.setConstructor(new String[]{ "uri", "componentContext", 
@@ -385,9 +438,19 @@ "tagLibMap", "sessionTimeoutSeconds", + "policyContextID", + "loginDomainName", + "securityConfig", + + "securityRoles", + "uncheckedPermissions", + "excludedPermissions", + "rolePermissions", + "TransactionContextManager", "TrackedConnectionAssociator", - "JettyContainer" + "JettyContainer", + "SecurityRealm", }); GBEAN_INFO = infoBuilder.getBeanInfo(); Deleted: /geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/JettyWebAppJACCContext.java?view=auto&rev=122775 ============================================================================== Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java?view=diff&rev=122776&p1=geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java&r1=122775&p2=geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java&r2=122776 ============================================================================== --- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java (original) +++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java Sun Dec 19 11:11:07 2004 
@@ -16,27 +16,49 @@ */ package org.apache.geronimo.jetty.interceptor; +import java.io.IOException; +import java.security.AccessControlContext; +import java.security.AccessControlException; +import java.security.Permission; +import java.security.PermissionCollection; +import java.security.Permissions; +import java.security.Principal; import java.util.HashMap; import java.util.HashSet; import java.util.Iterator; import java.util.Map; import java.util.Set; import javax.security.auth.Subject; +import javax.security.jacc.PolicyConfiguration; +import javax.security.jacc.PolicyConfigurationFactory; import javax.security.jacc.PolicyContext; import javax.security.jacc.PolicyContextException; +import javax.security.jacc.WebResourcePermission; +import javax.security.jacc.WebRoleRefPermission; +import javax.security.jacc.WebUserDataPermission; import org.apache.geronimo.common.GeronimoSecurityException; +import org.apache.geronimo.jetty.JAASJettyPrincipal; import org.apache.geronimo.security.ContextManager; -import org.apache.geronimo.security.RealmPrincipal; import org.apache.geronimo.security.IdentificationPrincipal; +import org.apache.geronimo.security.PrimaryRealmPrincipal; +import org.apache.geronimo.security.RealmPrincipal; import org.apache.geronimo.security.SubjectId; +import org.apache.geronimo.security.deploy.DefaultPrincipal; import org.apache.geronimo.security.deploy.Realm; import org.apache.geronimo.security.deploy.Role; import org.apache.geronimo.security.deploy.Security; import org.apache.geronimo.security.jacc.RoleMappingConfiguration; +import org.apache.geronimo.security.realm.AutoMapAssistant; import org.apache.geronimo.security.util.ConfigurationUtil; +import org.mortbay.http.Authenticator; +import org.mortbay.http.HttpException; import org.mortbay.http.HttpRequest; import org.mortbay.http.HttpResponse; +import org.mortbay.http.SecurityConstraint; +import org.mortbay.http.UserRealm; +import org.mortbay.jetty.servlet.FormAuthenticator; +import 
org.mortbay.jetty.servlet.ServletHttpRequest; /** * @version $Rev: $ $Date: $ 
@@ -49,12 +71,98 @@ private final String policyContextID; private final static ThreadLocal currentWebAppContext = new ThreadLocal(); private final Map roleDesignates = new HashMap(); + private final JAASJettyPrincipal defaultPrincipal; - public SecurityContextBeforeAfter(BeforeAfter next, int policyContextIDIndex, int webAppContextIndex, String policyContextID) { + private final String formLoginPath; + private final PolicyConfigurationFactory factory; + private final PolicyConfiguration policyConfiguration; + + private final PermissionCollection checked = new Permissions(); + private final PermissionCollection excludedPermissions; + private final Authenticator authenticator; + + private final UserRealm realm; + + public SecurityContextBeforeAfter(BeforeAfter next, + int policyContextIDIndex, + int webAppContextIndex, + String policyContextID, + Security securityConfig, + String loginDomainName, + AutoMapAssistant assistant, + Authenticator authenticator, + Set securityRoles, + PermissionCollection uncheckedPermissions, + PermissionCollection excludedPermissions, + Map rolePermissions, + UserRealm realm) throws PolicyContextException, ClassNotFoundException { this.next = next; this.policyContextIDIndex = policyContextIDIndex; this.webAppContextIndex = webAppContextIndex; this.policyContextID = policyContextID; + + this.defaultPrincipal = generateDefaultPrincipal(securityConfig, loginDomainName, assistant); + + if (authenticator instanceof FormAuthenticator) { + String formLoginPath = ((FormAuthenticator) authenticator).getLoginPage(); + if (formLoginPath.indexOf('?') > 0) { + formLoginPath = formLoginPath.substring(0, formLoginPath.indexOf('?')); + } + this.formLoginPath = formLoginPath; + } else { + formLoginPath = null; + } + + this.authenticator = authenticator; + /** + * Register our default principal with the ContextManager + */ + Subject defaultSubject = defaultPrincipal.getSubject(); + ContextManager.registerSubject(defaultSubject); + SubjectId id = 
ContextManager.getSubjectId(defaultSubject); + defaultSubject.getPrincipals().add(new IdentificationPrincipal(id)); + +// log.debug("Default subject " + id + " for JACC policy '" + policyContextID + "' registered."); + + /** + * Get the JACC policy configuration that's associated with this + * web application and configure it with the geronimo security + * configuration. The work for this is done by the class + * JettyXMLConfiguration. + */ + factory = PolicyConfigurationFactory.getPolicyConfigurationFactory(); + + policyConfiguration = factory.getPolicyConfiguration(policyContextID, true); + configure(uncheckedPermissions, excludedPermissions, rolePermissions); + addRoleMappings(securityRoles, loginDomainName, securityConfig, (RoleMappingConfiguration) policyConfiguration); + policyConfiguration.commit(); + this.excludedPermissions = excludedPermissions; + + Set allRolePermissions = new HashSet(); + for (Iterator iterator = rolePermissions.entrySet().iterator(); iterator.hasNext();) { + Map.Entry entry = (Map.Entry) iterator.next(); + Set permissionsForRole = (Set) entry.getValue(); + allRolePermissions.addAll(permissionsForRole); + } + for (Iterator iterator = allRolePermissions.iterator(); iterator.hasNext();) { + Permission permission = (Permission) iterator.next(); + checked.add(permission); + } + + this.realm = realm; +// log.info("JettyWebAppJACCContext started with JACC policy '" + policyContextID + "'"); + } + + public void registerServletHolder(Map webRoleRefPermissions) throws PolicyContextException { + PolicyConfiguration policyConfiguration = factory.getPolicyConfiguration(policyContextID, false); + for (Iterator iterator = webRoleRefPermissions.entrySet().iterator(); iterator.hasNext();) { + Map.Entry entry = (Map.Entry) iterator.next(); + String roleName = (String) entry.getValue(); + WebRoleRefPermission webRoleRefPermission = (WebRoleRefPermission) entry.getKey(); + policyConfiguration.addToRole(roleName, webRoleRefPermission); + } + 
policyConfiguration.commit(); + } public void before(Object[] context, HttpRequest httpRequest, HttpResponse httpResponse) { @@ -102,6 +210,167 @@ private void setRoleDesignate(String roleName, Subject subject) { roleDesignates.put(roleName, subject); } + + //security check methods, delegated from WebAppContext + + /** + * Check the security constraints using JACC. + * + * @param pathInContext path in context + * @param request HTTP request + * @param response HTTP response + * @return true if the path in context passes the security check, + * false if it fails or a redirection has occured during authentication. + */ + public boolean checkSecurityConstraints(String pathInContext, HttpRequest request, HttpResponse response) throws HttpException, IOException { + if (formLoginPath != null) { + String pathToBeTested = (pathInContext.indexOf('?') > 0 ? pathInContext.substring(0, pathInContext.indexOf('?')) : pathInContext); + + if (pathToBeTested.equals(formLoginPath)) { + return true; + } + } + + try { + Principal user = obtainUser(pathInContext, request, response); + + if (user == null) { + return false; + } + if (user == SecurityConstraint.__NOBODY) { + return true; + } + + AccessControlContext acc = ContextManager.getCurrentContext(); + ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper(); + + /** + * JACC v1.0 secion 4.1.1 + */ + acc.checkPermission(new WebUserDataPermission(servletHttpRequest)); + + /** + * JACC v1.0 secion 4.1.2 + */ + acc.checkPermission(new WebResourcePermission(servletHttpRequest)); + } catch (HttpException he) { + response.sendError(he.getCode(), he.getReason()); + return false; + } catch (AccessControlException ace) { + response.sendError(HttpResponse.__403_Forbidden); + return false; + } + return true; + } + + /** + * Obtain an authenticated user, if one is required. Otherwise return the + * default principal. + *

+ * Also set the current caller for JACC security checks for the default + * principal. This is automatically done by JAASJettyRealm. + * + * @param pathInContext path in context + * @param request HTTP request + * @param response HTTP response + * @return null if there is no authenticated user at the moment + * and security checking should not proceed and servlet handling should also + * not proceed, e.g. redirect. SecurityConstraint.__NOBODY if + * security checking should not proceed and servlet handling should proceed, + * e.g. login page. + */ + private Principal obtainUser(String pathInContext, HttpRequest request, HttpResponse response) throws IOException, IOException { + ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper(); + WebResourcePermission resourcePermission = new WebResourcePermission(servletHttpRequest); + WebUserDataPermission dataPermission = new WebUserDataPermission(servletHttpRequest); + boolean unauthenticated = !(checked.implies(resourcePermission) || checked.implies(dataPermission)); + boolean forbidden = excludedPermissions.implies(resourcePermission) || excludedPermissions.implies(dataPermission); + +// Authenticator authenticator = getAuthenticator(); + Principal user = null; + if (!unauthenticated && !forbidden) { + if (realm == null) { +// log.warn("Realm Not Configured"); + throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm Not Configured"); + } + + + // Handle pre-authenticated request + if (authenticator != null) { + // User authenticator. 
+ user = authenticator.authenticate(realm, pathInContext, request, response); + } else { + // don't know how authenticate +// log.warn("Mis-configured Authenticator for " + request.getPath()); + throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Mis-configured Authenticator for " + request.getPath()); + } + + return user; + } else if (authenticator instanceof FormAuthenticator && pathInContext.endsWith(FormAuthenticator.__J_SECURITY_CHECK)) { + /** + * This could be a post request to __J_SECURITY_CHECK. + */ + if (realm == null) { +// log.warn("Realm Not Configured"); + throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm Not Configured"); + } + return authenticator.authenticate(realm, pathInContext, request, response); + } + + /** + * No authentication is required. Return the defaultPrincipal. + */ + ContextManager.setCurrentCaller(defaultPrincipal.getSubject()); + return defaultPrincipal; + } + + + //configuration methods + /** + * Generate the default principal from the security config. + * + * @param securityConfig The Geronimo security configuration. 
+ * @param loginDomainName + * @return the default principal + */ + protected JAASJettyPrincipal generateDefaultPrincipal(Security securityConfig, String loginDomainName, AutoMapAssistant assistant) throws GeronimoSecurityException { + + DefaultPrincipal defaultPrincipal = securityConfig.getDefaultPrincipal(); + if (defaultPrincipal == null) { + if (assistant != null) { + org.apache.geronimo.security.deploy.Principal principal = assistant.obtainDefaultPrincipal(); + defaultPrincipal = new DefaultPrincipal(); + defaultPrincipal.setPrincipal(principal); + defaultPrincipal.setRealmName(assistant.getRealmName()); + } + + } + if (defaultPrincipal == null) throw new GeronimoSecurityException("Unable to generate default principal"); + + return generateDefaultPrincipal(securityConfig, defaultPrincipal, loginDomainName); + } + + protected JAASJettyPrincipal generateDefaultPrincipal(Security securityConfig, DefaultPrincipal defaultPrincipal, String loginDomainName) throws GeronimoSecurityException { + JAASJettyPrincipal result = new JAASJettyPrincipal("default"); + Subject defaultSubject = new Subject(); + + RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(defaultPrincipal.getPrincipal(), loginDomainName, defaultPrincipal.getRealmName()); + if (realmPrincipal == null) { + throw new GeronimoSecurityException("Unable to create realm principal"); + } + PrimaryRealmPrincipal primaryRealmPrincipal = ConfigurationUtil.generatePrimaryRealmPrincipal(defaultPrincipal.getPrincipal(), loginDomainName, defaultPrincipal.getRealmName()); + if (primaryRealmPrincipal == null) { + throw new GeronimoSecurityException("Unable to create primary realm principal"); + } + + defaultSubject.getPrincipals().add(realmPrincipal); + defaultSubject.getPrincipals().add(primaryRealmPrincipal); + + result.setSubject(defaultSubject); + + return result; + } + public void addRoleMappings(Set securityRoles, String loginDomainName, Security security, RoleMappingConfiguration roleMapper) 
throws PolicyContextException, GeronimoSecurityException { @@ -158,7 +427,28 @@ } - public void stop() { + private void configure(PermissionCollection uncheckedPermissions, + PermissionCollection excludedPermissions, + Map rolePermissions) throws GeronimoSecurityException { + try { + policyConfiguration.addToExcludedPolicy(excludedPermissions); + policyConfiguration.addToUncheckedPolicy(uncheckedPermissions); + for (Iterator iterator = rolePermissions.entrySet().iterator(); iterator.hasNext();) { + Map.Entry entry = (Map.Entry) iterator.next(); + String roleName = (String) entry.getKey(); + Set permissions = (Set) entry.getValue(); + for (Iterator iterator1 = permissions.iterator(); iterator1.hasNext();) { + Permission permission = (Permission) iterator1.next(); + policyConfiguration.addToRole(roleName, permission); + } + } + } catch (PolicyContextException e) { + throw new GeronimoSecurityException(e); + } + } + + + public void stop() throws PolicyContextException { for (Iterator iter = roleDesignates.keySet().iterator(); iter.hasNext();) { String roleName = (String) iter.next(); Subject roleDesignate = (Subject) roleDesignates.get(roleName); 
@@ -166,5 +456,12 @@ ContextManager.unregisterSubject(roleDesignate); // log.debug("Role designate " + ContextManager.getSubjectId(roleDesignate) + " for role '" + roleName + "' for JACC policy '" + policyContextID + "' unregistered."); } + ContextManager.unregisterSubject(defaultPrincipal.getSubject()); + + if (policyConfiguration != null) { + policyConfiguration.delete(); + } + + } } Modified: geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java?view=diff&rev=122776&p1=geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java&r1=122775&p2=geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java&r2=122776 ============================================================================== --- geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java (original) +++ geronimo/trunk/modules/jetty/src/test/org/apache/geronimo/jetty/AbstractWebModuleTest.java Sun Dec 19 11:11:07 2004 @@ -26,6 +26,7 @@ import java.util.Properties; import java.util.Set; import javax.management.ObjectName; +import javax.management.MalformedObjectNameException; import junit.framework.TestCase; import org.apache.geronimo.connector.outbound.connectiontracking.ConnectionTrackingCoordinator; 
@@ -124,7 +125,7 @@ } protected void setUpSecureAppContext(Security securityConfig, PermissionCollection uncheckedPermissions, PermissionCollection excludedPermissions, Map rolePermissions, Set securityRoles) throws Exception { - GBeanData app = new GBeanData(webModuleName, JettyWebAppJACCContext.GBEAN_INFO); + GBeanData app = new GBeanData(webModuleName, JettyWebAppContext.GBEAN_INFO); app.setAttribute("loginDomainName", "demo-properties-realm"); app.setAttribute("securityConfig", securityConfig); app.setAttribute("uncheckedPermissions", uncheckedPermissions); @@ -150,6 +151,7 @@ app.setReferencePattern("TransactionContextManager", tcmName); app.setReferencePattern("TrackedConnectionAssociator", ctcName); app.setReferencePattern("JettyContainer", containerName); + app.setReferencePattern("SecurityRealm", propertiesRealmName); app.setAttribute("contextPath", "/test"); 
@@ -167,7 +169,6 @@ securityServiceName = new ObjectName("geronimo.security:type=SecurityService"); securityServiceGBean = new GBeanData(securityServiceName, SecurityServiceImpl.GBEAN_INFO); - securityServiceGBean.setReferencePatterns("Realms", Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*"))); securityServiceGBean.setReferencePatterns("Mappers", Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*"))); securityServiceGBean.setAttribute("policyConfigurationFactory", "org.apache.geronimo.security.jacc.GeronimoPolicyConfigurationFactory"); Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/SecurityServiceImpl.java Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/SecurityServiceImpl.java?view=diff&rev=122776&p1=geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/SecurityServiceImpl.java&r1=122775&p2=geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/SecurityServiceImpl.java&r2=122776 ============================================================================== --- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/SecurityServiceImpl.java (original) +++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/SecurityServiceImpl.java Sun Dec 19 11:11:07 2004 @@ -19,11 +19,11 @@ import java.security.Policy; import java.util.Collection; -import java.util.Collections; import java.util.Iterator; import javax.security.jacc.PolicyConfigurationFactory; import javax.security.jacc.PolicyContextException; +import EDU.oswego.cs.dl.util.concurrent.ConcurrentHashMap; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.geronimo.gbean.GBeanInfo; 
@@ -37,7 +37,6 @@ import org.apache.geronimo.security.jacc.PolicyContextHandlerHttpServletRequest; import org.apache.geronimo.security.jacc.PolicyContextHandlerSOAPMessage; import org.apache.geronimo.security.realm.AutoMapAssistant; -import org.apache.geronimo.security.realm.SecurityRealm; import org.apache.geronimo.security.util.ConfigurationUtil; @@ -50,8 +49,7 @@ private final Log log = LogFactory.getLog(SecurityService.class); - private final Collection realms; - private final Collection mappers; + private final ConcurrentHashMap mappersMap = new ConcurrentHashMap(); /** * Permissions that protect access to sensitive security information @@ -59,7 +57,6 @@ public static final GeronimoSecurityPermission CONFIGURE = new GeronimoSecurityPermission("configure"); public SecurityServiceImpl(String policyConfigurationFactory, - Collection realms, Collection mappers) throws PolicyContextException, ClassNotFoundException { /** * @see "JSR 115 4.6.1" Container Subject Policy Context Handler 
@@ -74,39 +71,11 @@ PolicyConfigurationFactory factory = PolicyConfigurationFactory.getPolicyConfigurationFactory(); GeronimoPolicyConfigurationFactory geronimoPolicyConfigurationFactory = (GeronimoPolicyConfigurationFactory) factory; Policy.setPolicy(new GeronimoPolicy(geronimoPolicyConfigurationFactory)); - if (realms == null) { - this.realms = Collections.EMPTY_SET; - } else { + if (mappers != null) { SecurityManager sm = System.getSecurityManager(); if (sm != null) { sm.checkPermission(CONFIGURE); } - this.realms = realms; - ((ReferenceCollection) realms).addReferenceCollectionListener(new ReferenceCollectionListener() { - - public void memberAdded(ReferenceCollectionEvent event) { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(CONFIGURE); - } - } - - public void memberRemoved(ReferenceCollectionEvent event) { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(CONFIGURE); - } - } - }); - } - if (mappers == null) { - this.mappers = Collections.EMPTY_SET; - } else { - SecurityManager sm = System.getSecurityManager(); - if (sm != null) { - sm.checkPermission(CONFIGURE); - } - this.mappers = mappers; ((ReferenceCollection) mappers).addReferenceCollectionListener(new ReferenceCollectionListener() { public void memberAdded(ReferenceCollectionEvent event) { @@ -114,6 +83,8 @@ if (sm != null) { sm.checkPermission(CONFIGURE); } + AutoMapAssistant assistant = (AutoMapAssistant) event.getMember(); + mappersMap.put(assistant.getRealmName(), assistant); } public void memberRemoved(ReferenceCollectionEvent event) { 
@@ -121,64 +92,20 @@ if (sm != null) { sm.checkPermission(CONFIGURE); } + AutoMapAssistant assistant = (AutoMapAssistant) event.getMember(); + mappersMap.remove(assistant.getRealmName()); } }); - } - log.info("Security service started"); - } - -// public Collection getRealms() throws GeronimoSecurityException { -// SecurityManager sm = System.getSecurityManager(); -// if (sm != null) sm.checkPermission(CONFIGURE); -// return realms; -// } -// -// -// public void setRealms(Collection realms) { -// SecurityManager sm = System.getSecurityManager(); -// if (sm != null) sm.checkPermission(CONFIGURE); -// this.realms = realms; -// } -// -// public Collection getMappers() throws GeronimoSecurityException { -// SecurityManager sm = System.getSecurityManager(); -// if (sm != null) sm.checkPermission(CONFIGURE); -// return mappers; -// } -// -// -// public void setMappers(Collection mappers) { -// SecurityManager sm = System.getSecurityManager(); -// if (sm != null) sm.checkPermission(CONFIGURE); -// this.mappers = mappers; -// } - -// public Collection getModuleConfigurations() { -// return moduleConfigurations; -// } -// -// public void setModuleConfigurations(Collection moduleConfigurations) { -// this.moduleConfigurations = moduleConfigurations; -// } - - public SecurityRealm getRealm(String name) { - for (Iterator iter = realms.iterator(); iter.hasNext();) { - SecurityRealm realm = (SecurityRealm) iter.next(); - if (name.equals(realm.getRealmName())) { - return realm; + for (Iterator iterator = mappers.iterator(); iterator.hasNext();) { + AutoMapAssistant assistant = (AutoMapAssistant) iterator.next(); + mappersMap.put(assistant.getRealmName(), assistant); } } - return null; + log.info("Security service started"); } public AutoMapAssistant getMapper(String name) { - for (Iterator iter = mappers.iterator(); iter.hasNext();) { - AutoMapAssistant mapper = (AutoMapAssistant) iter.next(); - if (name.equals(mapper.getRealmName())) { - return mapper; - } - } - return null; + 
return (AutoMapAssistant) mappersMap.get(name); } @@ -189,12 +116,10 @@ infoFactory.addAttribute("policyConfigurationFactory", String.class, true); - infoFactory.addReference("Realms", SecurityRealm.class); infoFactory.addReference("Mappers", AutoMapAssistant.class); - infoFactory.addOperation("getRealm", new Class[]{String.class}); infoFactory.addOperation("getMapper", new Class[]{String.class}); - infoFactory.setConstructor(new String[]{"policyConfigurationFactory", "Realms", "Mappers"}); + infoFactory.setConstructor(new String[]{"policyConfigurationFactory", "Mappers"}); GBEAN_INFO = infoFactory.getBeanInfo(); } Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java?view=diff&rev=122776&p1=geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java&r1=122775&p2=geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java&r2=122776 ============================================================================== --- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java (original) +++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Security.java Sun Dec 19 11:11:07 2004 
@@ -23,7 +23,6 @@ import java.util.Map; import java.util.Set; -import org.apache.geronimo.security.SecurityServiceImpl; import org.apache.geronimo.security.SecurityService; Modified: geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java Url: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java?view=diff&rev=122776&p1=geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java&r1=122775&p2=geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java&r2=122776 ============================================================================== --- geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java (original) +++ geronimo/trunk/modules/tomcat/src/test/org/apache/geronimo/tomcat/AbstractWebModuleTest.java Sun Dec 19 11:11:07 2004 @@ -154,7 +154,6 @@ protected void setUpSecurity() throws Exception { securityServiceName = new ObjectName("geronimo.security:type=SecurityService"); securityServiceGBean = new GBeanData(securityServiceName, SecurityServiceImpl.GBEAN_INFO); - securityServiceGBean.setReferencePatterns("Realms", Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*"))); securityServiceGBean.setReferencePatterns("Mappers", Collections.singleton(new ObjectName("geronimo.security:type=SecurityRealm,*"))); securityServiceGBean.setAttribute("policyConfigurationFactory", "org.apache.geronimo.security.jacc.GeronimoPolicyConfigurationFactory");
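Review bot: In the new `obtainUser` method of JettyWebAppContext, the throws clause `throws IOException, IOException` lists the same exception twice; drop the repeat. The javadoc above it also promises a `SecurityConstraint.__NOBODY` return for the login-page case, but the body only ever returns the authenticator's result, `null`, or `defaultPrincipal`, so the doc and the code disagree and one of them should be updated. Two smaller points in the same method: `unauthenticated` is true exactly when `checked` does not imply either permission, i.e. when authentication is required, so a name like `authenticationRequired` would read correctly at `if (!unauthenticated && !forbidden)`; and when `forbidden` is true the method falls through to the "No authentication is required" branch and returns `defaultPrincipal`, which is only safe if the caller still applies the excluded-permission check afterwards, which deserves a comment at that return.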
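Review bot: The javadoc for `generateDefaultPrincipal(Security, String, AutoMapAssistant)` leaves `@param loginDomainName` without a description and does not document the `assistant` parameter at all, although that parameter drives the fallback when `securityConfig.getDefaultPrincipal()` is null; please describe both. The literal `"default"` passed to `new JAASJettyPrincipal("default")` in the overload below would also be clearer as a named constant.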
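Review bot: In the `stop()` hunk of JettyWebAppContext, `ContextManager.unregisterSubject(defaultPrincipal.getSubject());` is unguarded while `policyConfiguration.delete()` right below it is wrapped in `if (policyConfiguration != null)`; if start failed before the default principal was generated, stop() will throw a NullPointerException instead of cleaning up. Guard it the same way: `if (defaultPrincipal != null) { ContextManager.unregisterSubject(defaultPrincipal.getSubject()); }`.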
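Review bot: In the SecurityServiceImpl listener hunks, `mappersMap` is keyed by `assistant.getRealmName()`, and `memberRemoved` does `mappersMap.remove(assistant.getRealmName())` without checking which member is being removed; if two AutoMapAssistant GBeans ever report the same realm name, the second `put` silently replaces the first and removing either one drops the surviving mapper from the map. Consider refusing or logging a duplicate realm name in `memberAdded`, and in `memberRemoved` only removing when `mappersMap.get(assistant.getRealmName()) == assistant`. The initial population loop after the listener registration is fine since a repeated `put` of the same assistant is idempotent.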
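Review bot: In both AbstractWebModuleTest hunks (jetty and tomcat) the `Realms` reference pattern is removed, but the remaining `Mappers` reference is still resolved with `new ObjectName("geronimo.security:type=SecurityRealm,*")`; since the GBean reference is declared as `AutoMapAssistant.class` in `SecurityServiceImpl.GBEAN_INFO`, a short comment in the tests saying that the realm GBeans are expected to implement AutoMapAssistant would save the next reader from assuming the pattern is a leftover.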