Author: adc
Date: Sun Mar 13 17:24:28 2005
New Revision: 157364
URL: http://svn.apache.org/viewcvs?view=rev&rev=157364
Log:
Added the ability to map distinguished names to roles.
Added:
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java
Modified:
geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java
geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java
geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java
Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
(original)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
Sun Mar 13 17:24:28 2005
@@ -29,6 +29,7 @@
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
@@ -37,6 +38,15 @@
import javax.security.jacc.WebRoleRefPermission;
import javax.security.jacc.WebUserDataPermission;
+import org.mortbay.http.Authenticator;
+import org.mortbay.http.HttpException;
+import org.mortbay.http.HttpRequest;
+import org.mortbay.http.HttpResponse;
+import org.mortbay.http.SecurityConstraint;
+import org.mortbay.http.UserRealm;
+import org.mortbay.jetty.servlet.FormAuthenticator;
+import org.mortbay.jetty.servlet.ServletHttpRequest;
+
import org.apache.geronimo.common.GeronimoSecurityException;
import org.apache.geronimo.jetty.JAASJettyPrincipal;
import org.apache.geronimo.security.ContextManager;
@@ -45,20 +55,14 @@
import org.apache.geronimo.security.RealmPrincipal;
import org.apache.geronimo.security.SubjectId;
import org.apache.geronimo.security.deploy.DefaultPrincipal;
+import org.apache.geronimo.security.deploy.DistinguishedName;
import org.apache.geronimo.security.deploy.Realm;
import org.apache.geronimo.security.deploy.Role;
import org.apache.geronimo.security.deploy.Security;
import org.apache.geronimo.security.jacc.RoleMappingConfiguration;
import org.apache.geronimo.security.jacc.RoleMappingConfigurationFactory;
import org.apache.geronimo.security.util.ConfigurationUtil;
-import org.mortbay.http.Authenticator;
-import org.mortbay.http.HttpException;
-import org.mortbay.http.HttpRequest;
-import org.mortbay.http.HttpResponse;
-import org.mortbay.http.SecurityConstraint;
-import org.mortbay.http.UserRealm;
-import org.mortbay.jetty.servlet.FormAuthenticator;
-import org.mortbay.jetty.servlet.ServletHttpRequest;
+
/**
* @version $Rev: $ $Date: $
@@ -151,7 +155,7 @@
this.realm = realm;
// log.info("JettyWebAppJACCContext started with JACC policy '" + policyContextID
+ "'");
}
-
+
public void registerServletHolder(Map webRoleRefPermissions) throws PolicyContextException
{
PolicyConfiguration policyConfiguration = factory.getPolicyConfiguration(policyContextID,
false);
for (Iterator iterator = webRoleRefPermissions.entrySet().iterator(); iterator.hasNext();)
{
@@ -161,7 +165,7 @@
policyConfiguration.addToRole(roleName, webRoleRefPermission);
}
policyConfiguration.commit();
-
+
}
public void before(Object[] context, HttpRequest httpRequest, HttpResponse httpResponse)
{
@@ -213,131 +217,131 @@
//security check methods, delegated from WebAppContext
/**
- * Check the security constraints using JACC.
- *
- * @param pathInContext path in context
- * @param request HTTP request
- * @param response HTTP response
- * @return true if the path in context passes the security check,
- * false if it fails or a redirection has occured during authentication.
- */
- public boolean checkSecurityConstraints(String pathInContext, HttpRequest request, HttpResponse
response) throws HttpException, IOException {
- if (formLoginPath != null) {
- String pathToBeTested = (pathInContext.indexOf('?') > 0 ? pathInContext.substring(0,
pathInContext.indexOf('?')) : pathInContext);
-
- if (pathToBeTested.equals(formLoginPath)) {
- return true;
- }
- }
-
- try {
- Principal user = obtainUser(pathInContext, request, response);
-
- if (user == null) {
- return false;
- }
- if (user == SecurityConstraint.__NOBODY) {
- return true;
- }
-
- AccessControlContext acc = ContextManager.getCurrentContext();
- ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper();
-
- /**
- * JACC v1.0 secion 4.1.1
- */
-
- String transportType;
- if (request.isConfidential()) {
- transportType = "CONFIDENTIAL";
- } else if (request.isIntegral()) {
- transportType = "INTEGRAL";
- } else {
- transportType = null;
- }
- WebUserDataPermission wudp = new WebUserDataPermission(servletHttpRequest.getServletPath(),
new String[] {servletHttpRequest.getMethod()}, transportType);
- acc.checkPermission(wudp);
-
- /**
- * JACC v1.0 secion 4.1.2
- */
- acc.checkPermission(new WebResourcePermission(servletHttpRequest));
- } catch (HttpException he) {
- response.sendError(he.getCode(), he.getReason());
- return false;
- } catch (AccessControlException ace) {
- response.sendError(HttpResponse.__403_Forbidden);
- return false;
- }
- return true;
- }
-
- /**
- * Obtain an authenticated user, if one is required. Otherwise return the
- * default principal.
- * <p/>
- * Also set the current caller for JACC security checks for the default
- * principal. This is automatically done by <code>JAASJettyRealm</code>.
- *
- * @param pathInContext path in context
- * @param request HTTP request
- * @param response HTTP response
- * @return <code>null</code> if there is no authenticated user at the moment
- * and security checking should not proceed and servlet handling should also
- * not proceed, e.g. redirect. <code>SecurityConstraint.__NOBODY</code>
if
- * security checking should not proceed and servlet handling should proceed,
- * e.g. login page.
- */
- private Principal obtainUser(String pathInContext, HttpRequest request, HttpResponse response)
throws IOException, IOException {
- ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper();
- WebResourcePermission resourcePermission = new WebResourcePermission(servletHttpRequest);
- WebUserDataPermission dataPermission = new WebUserDataPermission(servletHttpRequest);
- boolean unauthenticated = !(checked.implies(resourcePermission) || checked.implies(dataPermission));
- boolean forbidden = excludedPermissions.implies(resourcePermission) || excludedPermissions.implies(dataPermission);
+ * Check the security constraints using JACC.
+ *
+ * @param pathInContext path in context
+ * @param request HTTP request
+ * @param response HTTP response
+ * @return true if the path in context passes the security check,
+ * false if it fails or a redirection has occured during authentication.
+ */
+ public boolean checkSecurityConstraints(String pathInContext, HttpRequest request, HttpResponse
response) throws HttpException, IOException {
+ if (formLoginPath != null) {
+ String pathToBeTested = (pathInContext.indexOf('?') > 0 ? pathInContext.substring(0,
pathInContext.indexOf('?')) : pathInContext);
+
+ if (pathToBeTested.equals(formLoginPath)) {
+ return true;
+ }
+ }
+
+ try {
+ Principal user = obtainUser(pathInContext, request, response);
+
+ if (user == null) {
+ return false;
+ }
+ if (user == SecurityConstraint.__NOBODY) {
+ return true;
+ }
+
+ AccessControlContext acc = ContextManager.getCurrentContext();
+ ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper();
+
+ /**
+ * JACC v1.0 secion 4.1.1
+ */
+
+ String transportType;
+ if (request.isConfidential()) {
+ transportType = "CONFIDENTIAL";
+ } else if (request.isIntegral()) {
+ transportType = "INTEGRAL";
+ } else {
+ transportType = null;
+ }
+ WebUserDataPermission wudp = new WebUserDataPermission(servletHttpRequest.getServletPath(),
new String[]{servletHttpRequest.getMethod()}, transportType);
+ acc.checkPermission(wudp);
+
+ /**
+ * JACC v1.0 secion 4.1.2
+ */
+ acc.checkPermission(new WebResourcePermission(servletHttpRequest));
+ } catch (HttpException he) {
+ response.sendError(he.getCode(), he.getReason());
+ return false;
+ } catch (AccessControlException ace) {
+ response.sendError(HttpResponse.__403_Forbidden);
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * Obtain an authenticated user, if one is required. Otherwise return the
+ * default principal.
+ * <p/>
+ * Also set the current caller for JACC security checks for the default
+ * principal. This is automatically done by <code>JAASJettyRealm</code>.
+ *
+ * @param pathInContext path in context
+ * @param request HTTP request
+ * @param response HTTP response
+ * @return <code>null</code> if there is no authenticated user at the moment
+ * and security checking should not proceed and servlet handling should also
+ * not proceed, e.g. redirect. <code>SecurityConstraint.__NOBODY</code>
if
+ * security checking should not proceed and servlet handling should proceed,
+ * e.g. login page.
+ */
+ private Principal obtainUser(String pathInContext, HttpRequest request, HttpResponse
response) throws IOException, IOException {
+ ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper();
+ WebResourcePermission resourcePermission = new WebResourcePermission(servletHttpRequest);
+ WebUserDataPermission dataPermission = new WebUserDataPermission(servletHttpRequest);
+ boolean unauthenticated = !(checked.implies(resourcePermission) || checked.implies(dataPermission));
+ boolean forbidden = excludedPermissions.implies(resourcePermission) || excludedPermissions.implies(dataPermission);
// Authenticator authenticator = getAuthenticator();
- Principal user = null;
- if (!unauthenticated && !forbidden) {
- if (realm == null) {
+ Principal user = null;
+ if (!unauthenticated && !forbidden) {
+ if (realm == null) {
// log.warn("Realm Not Configured");
- throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm Not
Configured");
- }
+ throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm
Not Configured");
+ }
- // Handle pre-authenticated request
- if (authenticator != null) {
- // User authenticator.
- user = authenticator.authenticate(realm, pathInContext, request, response);
- } else {
- // don't know how authenticate
+ // Handle pre-authenticated request
+ if (authenticator != null) {
+ // User authenticator.
+ user = authenticator.authenticate(realm, pathInContext, request, response);
+ } else {
+ // don't know how authenticate
// log.warn("Mis-configured Authenticator for " + request.getPath());
- throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Mis-configured
Authenticator for " + request.getPath());
- }
+ throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Mis-configured
Authenticator for " + request.getPath());
+ }
- return user;
- } else if (authenticator instanceof FormAuthenticator && pathInContext.endsWith(FormAuthenticator.__J_SECURITY_CHECK))
{
- /**
- * This could be a post request to __J_SECURITY_CHECK.
- */
- if (realm == null) {
+ return user;
+ } else if (authenticator instanceof FormAuthenticator && pathInContext.endsWith(FormAuthenticator.__J_SECURITY_CHECK))
{
+ /**
+ * This could be a post request to __J_SECURITY_CHECK.
+ */
+ if (realm == null) {
// log.warn("Realm Not Configured");
- throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm Not
Configured");
- }
- return authenticator.authenticate(realm, pathInContext, request, response);
- }
-
- /**
- * No authentication is required. Return the defaultPrincipal.
- */
- ContextManager.setCurrentCaller(defaultPrincipal.getSubject());
- return defaultPrincipal;
- }
-
+ throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm
Not Configured");
+ }
+ return authenticator.authenticate(realm, pathInContext, request, response);
+ }
+
+ /**
+ * No authentication is required. Return the defaultPrincipal.
+ */
+ ContextManager.setCurrentCaller(defaultPrincipal.getSubject());
+ return defaultPrincipal;
+ }
+
/**
* Generate the default principal from the security config.
*
- * @param securityConfig The Geronimo security configuration.
+ * @param securityConfig The Geronimo security configuration.
* @return the default principal
*/
protected JAASJettyPrincipal generateDefaultPrincipal(Security securityConfig) throws
GeronimoSecurityException {
@@ -346,7 +350,7 @@
if (defaultPrincipal == null) {
throw new GeronimoSecurityException("Unable to generate default principal");
}
-
+
JAASJettyPrincipal result = new JAASJettyPrincipal("default");
Subject defaultSubject = new Subject();
@@ -398,6 +402,18 @@
}
}
}
+
+ for (Iterator names = role.getDNames().iterator(); names.hasNext();) {
+ DistinguishedName dn = (DistinguishedName) names.next();
+
+ X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName());
+
+ principalSet.add(x500Principal);
+ if (dn.isDesignatedRunAs()) {
+ roleDesignate.getPrincipals().add(x500Principal);
+ }
+ }
+
roleMapper.addRoleMapping(roleName, principalSet);
if (roleDesignate.getPrincipals().size() > 0) {
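Review bot: `ConfigurationUtil.generateX500Principal(dn.getName())` on the fourth added line can throw `IllegalArgumentException` for a malformed distinguished name, and nothing in this loop converts it, so one bad `<distinguished-name>` in the plan surfaces at start-up as an unchecked exception instead of the `GeronimoSecurityException` this class uses for configuration errors (see `generateDefaultPrincipal` above). Wrapping the call, `try { ... } catch (IllegalArgumentException e) { throw new GeronimoSecurityException("Invalid distinguished name '" + dn.getName() + "' for role " + roleName); }`, would keep the failure mode consistent, provided the enclosing method already declares that exception (its signature is outside the hunk). The same twelve lines are duplicated verbatim in TomcatGeronimoRealm (hunk at the end of this commit); a shared helper in `ConfigurationUtil` that takes the role, the principal set and the designate subject would keep the two containers in step. The enclosing method starts and ends outside the hunk.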
@@ -453,11 +469,11 @@
// log.debug("Role designate " + ContextManager.getSubjectId(roleDesignate) +
" for role '" + roleName + "' for JACC policy '" + policyContextID + "' unregistered.");
}
ContextManager.unregisterSubject(defaultPrincipal.getSubject());
-
+
if (policyConfiguration != null) {
policyConfiguration.delete();
}
-
+
}
}
Modified: geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
(original)
+++ geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
Sun Mar 13 17:24:28 2005
@@ -16,16 +16,17 @@
*/
package org.apache.geronimo.security.deployment;
-import java.util.HashSet;
import java.util.Set;
import org.apache.geronimo.common.DeploymentException;
import org.apache.geronimo.security.deploy.DefaultPrincipal;
+import org.apache.geronimo.security.deploy.DistinguishedName;
import org.apache.geronimo.security.deploy.Principal;
import org.apache.geronimo.security.deploy.Realm;
import org.apache.geronimo.security.deploy.Role;
import org.apache.geronimo.security.deploy.Security;
import org.apache.geronimo.xbeans.geronimo.security.GerDefaultPrincipalType;
+import org.apache.geronimo.xbeans.geronimo.security.GerDistinguishedNameType;
import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType;
import org.apache.geronimo.xbeans.geronimo.security.GerRealmType;
import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType;
@@ -52,9 +53,8 @@
security.setDefaultRole(securityType.getDefaultRole().trim());
}
- GerRoleMappingsType roleMappingsType = securityType.getRoleMappings();
- Set allRealms = new HashSet();
- if (roleMappingsType != null) {
+ if (securityType.isSetRoleMappings()) {
+ GerRoleMappingsType roleMappingsType = securityType.getRoleMappings();
for (int i = 0; i < roleMappingsType.sizeOfRoleArray(); i++) {
GerRoleType roleType = roleMappingsType.getRoleArray(i);
Role role = new Role();
@@ -65,7 +65,6 @@
for (int j = 0; j < roleType.sizeOfRealmArray(); j++) {
GerRealmType realmType = roleType.getRealmArray(j);
String realmName = realmType.getRealmName().trim();
- allRealms.add(realmName);
Realm realm = new Realm();
realm.setRealmName(realmName);
@@ -75,6 +74,15 @@
}
role.getRealms().put(realmName, realm);
+ }
+
+ for (int j = 0; j < roleType.sizeOfDistinguishedNameArray(); j++) {
+ GerDistinguishedNameType dnType = roleType.getDistinguishedNameArray(j);
+ DistinguishedName name = new DistinguishedName(dnType.getName());
+
+ name.setDesignatedRunAs(dnType.getDesignatedRunAs());
+
+ role.append(name);
}
security.getRoleMappings().put(roleName, role);
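Review bot: The distinguished name is taken verbatim from the plan (`new DistinguishedName(dnType.getName())`) and is not validated at deployment time, whereas the realm loop above trims its `realm-name` (`realmType.getRealmName().trim()`); a malformed DN is only discovered later when `ConfigurationUtil.generateX500Principal` builds the `X500Principal` during application start. Parsing it once here fails fast with a deployment error: `String dnName = dnType.getName().trim(); try { new X500Principal(dnName); } catch (IllegalArgumentException e) { throw new DeploymentException("Invalid distinguished name '" + dnName + "' in role " + roleName); }`. This needs `javax.security.auth.x500.X500Principal` added to the imports; `DeploymentException` is already imported in the first hunk of this file. The enclosing method starts outside the hunk.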
Modified: geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd (original)
+++ geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd Sun Mar 13 17:24:28
2005
@@ -86,7 +86,8 @@
<xsd:complexType name="roleType">
<xsd:sequence>
<xsd:element name="description" type="j2ee:descriptionType" minOccurs="0"
maxOccurs="unbounded"/>
- <xsd:element name="realm" type="geronimo:realmType" minOccurs="1" maxOccurs="unbounded"/>
+ <xsd:element name="realm" type="geronimo:realmType" minOccurs="0" maxOccurs="unbounded"/>
+ <xsd:element name="distinguished-name" type="geronimo:distinguishedNameType"
minOccurs="0" maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="role-name" type="xsd:string" use="required"/>
</xsd:complexType>
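Review bot: With `realm` relaxed to `minOccurs="0"` and the new `distinguished-name` also `minOccurs="0"`, a `<role>` with neither child is now schema-valid, where before at least one `realm` was required; such a role presumably maps to no principal, and the schema gives the deployer no hint that this is a mistake. XSD 1.0 cannot express "at least one of", so either enforce it in `SecurityBuilder` (reject a role whose realm and distinguished-name arrays are both empty) or state it in an `<xsd:documentation>` on `roleType`, e.g. `A role must list at least one realm or distinguished-name; a role with neither grants nothing to anyone.` The `roleType` definition is complete within the hunk.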
@@ -102,6 +103,20 @@
<xsd:element name="description" type="j2ee:descriptionType" minOccurs="0"
maxOccurs="unbounded"/>
</xsd:sequence>
<xsd:attribute name="class" type="xsd:string" use="required"/>
+ <xsd:attribute name="name" type="xsd:string" use="required"/>
+ <xsd:attribute name="designated-run-as" type="xsd:boolean" default="false">
+ <xsd:annotation>
+ <xsd:documentation>
+ Set this attribute to "true" if this principal is to be
+ used as the run-as principal for this role.
+ </xsd:documentation>
+ </xsd:annotation>
+ </xsd:attribute>
+ </xsd:complexType>
+ <xsd:complexType name="distinguishedNameType">
+ <xsd:sequence>
+ <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0"
maxOccurs="unbounded"/>
+ </xsd:sequence>
<xsd:attribute name="name" type="xsd:string" use="required"/>
<xsd:attribute name="designated-run-as" type="xsd:boolean" default="false">
<xsd:annotation>
Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java?view=auto&rev=157364
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java
(added)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java
Sun Mar 13 17:24:28 2005
@@ -0,0 +1,90 @@
+/**
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided
+ * that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain copyright
+ * statements and notices. Redistributions must also contain a
+ * copy of this document.
+ *
+ * 2. Redistributions in binary form must reproduce the
+ * above copyright notice, this list of conditions and the
+ * following disclaimer in the documentation and/or other
+ * materials provided with the distribution.
+ *
+ * 3. The name "OpenEJB" must not be used to endorse or promote
+ * products derived from this Software without prior written
+ * permission of The OpenEJB Group. For written permission,
+ * please contact openejb-group@openejb.sf.net.
+ *
+ * 4. Products derived from this Software may not be called "OpenEJB"
+ * nor may "OpenEJB" appear in their names without prior written
+ * permission of The OpenEJB Group. OpenEJB is a registered
+ * trademark of The OpenEJB Group.
+ *
+ * 5. Due credit should be given to the OpenEJB Project
+ * (http://openejb.sf.net/).
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OPENEJB GROUP AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
+ * NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+ * THE OPENEJB GROUP OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Copyright 2005 (C) The OpenEJB Group. All Rights Reserved.
+ *
+ * $Id: $
+ */
+package org.apache.geronimo.security.deploy;
+
+import java.io.Serializable;
+
+
+/**
+ * @version $Revision: $ $Date: $
+ */
+public class DistinguishedName implements Serializable {
+
+ private final String name;
+ private boolean designatedRunAs;
+
+ public DistinguishedName(String name) {
+ assert name != null;
+
+ this.name = name;
+ }
+
+ public boolean isDesignatedRunAs() {
+ return designatedRunAs;
+ }
+
+ public void setDesignatedRunAs(boolean designatedRunAs) {
+ this.designatedRunAs = designatedRunAs;
+ }
+
+ public String getName() {
+ return name;
+ }
+
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (!(o instanceof DistinguishedName)) return false;
+
+ final DistinguishedName dn = (DistinguishedName) o;
+
+ if (!name.equals(dn.name)) return false;
+
+ return true;
+ }
+
+ public int hashCode() {
+ return name.hashCode();
+ }
+}
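Review bot: `assert name != null;` in the constructor is only evaluated when the JVM runs with `-ea`, so in a normal deployment a null name passes through and fails later in `hashCode()`/`equals()` when the object is added to `Role`'s set; replace it with an explicit check, `if (name == null) throw new IllegalArgumentException("name is null");`. `equals`/`hashCode` deliberately ignore `designatedRunAs`, which is right for set membership by DN but should be stated, since two instances with the same name and different `designatedRunAs` are indistinguishable to a `HashSet`. The class Javadoc is only a version tag; a summary such as `Deployment-plan mapping of an X.500 distinguished name onto a role; equality is by the raw DN string only, not by canonical X500Principal form.` would document both points. As a `Serializable` type it should also declare `serialVersionUID`.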
Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java
Sun Mar 13 17:24:28 2005
@@ -18,7 +18,9 @@
import java.io.Serializable;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.Map;
+import java.util.Set;
/**
@@ -27,7 +29,8 @@
public class Role implements Serializable {
private String roleName;
- private Map realms = new HashMap();
+ private final Map realms = new HashMap();
+ private final Set dNames = new HashSet();
public String getRoleName() {
return roleName;
@@ -48,5 +51,13 @@
} else {
realms.put(realm.getRealmName(), realm);
}
+ }
+
+ public Set getDNames() {
+ return dNames;
+ }
+
+ public void append(DistinguishedName distinguishedName) {
+ dNames.add(distinguishedName);
}
}
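Review bot: `append` silently discards a second `DistinguishedName` with the same name, because `DistinguishedName.equals`/`hashCode` (added in this commit) compare only the name, so a plan that lists one DN twice with different `designated-run-as` values keeps whichever entry came first and reports nothing. Either return the `boolean` from `dNames.add(...)` so the builder can report the duplicate, or reject it: `if (!dNames.add(distinguishedName)) throw new IllegalArgumentException("Duplicate distinguished name: " + distinguishedName.getName());`. `getDNames()` hands out the live mutable set, which matches the existing `getRealms()` usage, but neither new method has Javadoc; `/** Distinguished names mapped to this role; the returned set is the live backing set. */` would make the contract explicit. The `append`/`getDNames` names also sit oddly next to `realms`; `addDistinguishedName`/`getDistinguishedNames` would read better, though the three callers in this commit would need updating. The method whose tail opens the hunk starts outside it.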
Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java
Sun Mar 13 17:24:28 2005
@@ -30,8 +30,6 @@
import java.util.Iterator;
import javax.security.jacc.PolicyContextException;
-import org.apache.geronimo.security.RealmPrincipal;
-
/**
* @version $Rev$ $Date$
@@ -70,7 +68,6 @@
for (int i = 0; i < principals.length; i++) {
Principal principal = principals[i];
- if (!(principal instanceof RealmPrincipal)) continue;
Permissions permissions = (Permissions) principalPermissionsMap.get(principal);
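Review bot: Dropping `if (!(principal instanceof RealmPrincipal)) continue;` here, and the matching `PolicyContextException` guard in the next hunk, is what lets an `X500Principal` match a role mapping, but it also changes the trust model: a `RealmPrincipal` is qualified by the realm that authenticated it, whereas an `X500Principal` is matched by `equals()` on canonical DN alone, so any login module that places an `X500Principal` with that DN into the Subject satisfies the mapping regardless of realm. That is a deliberate design choice, but it should be recorded at the lookup, e.g. `// Principals are matched by equals(): a RealmPrincipal carries its realm, an X500Principal matches by DN alone across all realms.`, and echoed in the schema documentation for `distinguished-name`. The enclosing methods start and end outside both hunks.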
@@ -84,8 +81,6 @@
Iterator iter = principals.iterator();
while (iter.hasNext()) {
Principal principal = (Principal) iter.next();
-
- if (!(principal instanceof RealmPrincipal)) throw new PolicyContextException("Principal
not instance of RealmPrincipal");
HashSet roles = (HashSet) principalRoleMapping.get(principal);
if (roles == null) {
Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java
Sun Mar 13 17:24:28 2005
@@ -24,6 +24,7 @@
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
import javax.security.jacc.PolicyContextHandler;
+import javax.security.auth.x500.X500Principal;
import org.apache.geronimo.security.PrimaryRealmPrincipal;
import org.apache.geronimo.security.RealmPrincipal;
@@ -39,6 +40,15 @@
* @see "JSR 115" Java Authorization Contract for Containers
*/
public class ConfigurationUtil {
+
+ /**
+ * Create an X500Principal from a deployment description.
+ * @param name the distinguished name of the principal
+ * @return an X500Principal from a deployment description
+ */
+ public static X500Principal generateX500Principal(String name) {
+ return new X500Principal(name);
+ }
/**
* Create a RealmPrincipal from a deployment description.
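Review bot: The Javadoc on `generateX500Principal` omits that `new X500Principal(name)` throws `IllegalArgumentException` when `name` is not a well-formed distinguished name (and `NullPointerException` for null), which is the failure mode the callers added in this commit need to handle; add `@throws IllegalArgumentException if {@code name} is not a valid RFC 2253 distinguished name` and `@throws NullPointerException if {@code name} is null`. Style: the new method is inserted with no blank line before the following Javadoc at the end of the hunk, unlike the rest of the class.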
Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java
(original)
+++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java
Sun Mar 13 17:24:28 2005
@@ -34,6 +34,7 @@
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
+import javax.security.auth.x500.X500Principal;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContext;
@@ -61,6 +62,7 @@
import org.apache.geronimo.security.RealmPrincipal;
import org.apache.geronimo.security.SubjectId;
import org.apache.geronimo.security.deploy.DefaultPrincipal;
+import org.apache.geronimo.security.deploy.DistinguishedName;
import org.apache.geronimo.security.deploy.Realm;
import org.apache.geronimo.security.deploy.Role;
import org.apache.geronimo.security.deploy.Security;
@@ -521,6 +523,18 @@
}
}
}
+
+ for (Iterator names = role.getDNames().iterator(); names.hasNext();) {
+ DistinguishedName dn = (DistinguishedName) names.next();
+
+ X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName());
+
+ principalSet.add(x500Principal);
+ if (dn.isDesignatedRunAs()) {
+ roleDesignate.getPrincipals().add(x500Principal);
+ }
+ }
+
roleMapper.addRoleMapping(roleName, principalSet);
if (roleDesignate.getPrincipals().size() > 0) {