From a..@apache.org
Subject svn commit: r157364 - in geronimo/trunk/modules: jetty/src/java/org/apache/geronimo/jetty/interceptor/ security-builder/src/java/org/apache/geronimo/security/deployment/ security-builder/src/schema/ security/src/java/org/apache/geronimo/security/deploy/ security/src/java/org/apache/geronimo/security/jacc/ security/src/java/org/apache/geronimo/security/util/ tomcat/src/java/org/apache/geronimo/tomcat/
Date Mon, 14 Mar 2005 01:24:30 GMT
Author: adc
Date: Sun Mar 13 17:24:28 2005
New Revision: 157364

URL: http://svn.apache.org/viewcvs?view=rev&rev=157364
Log:
Added the ability to map distinguished names to roles.

Added:
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java
Modified:
    geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
    geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
    geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java
    geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java
    geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java

Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
(original)
+++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java
Sun Mar 13 17:24:28 2005
@@ -29,6 +29,7 @@
 import java.util.Map;
 import java.util.Set;
 import javax.security.auth.Subject;
+import javax.security.auth.x500.X500Principal;
 import javax.security.jacc.PolicyConfiguration;
 import javax.security.jacc.PolicyConfigurationFactory;
 import javax.security.jacc.PolicyContext;
@@ -37,6 +38,15 @@
 import javax.security.jacc.WebRoleRefPermission;
 import javax.security.jacc.WebUserDataPermission;
 
+import org.mortbay.http.Authenticator;
+import org.mortbay.http.HttpException;
+import org.mortbay.http.HttpRequest;
+import org.mortbay.http.HttpResponse;
+import org.mortbay.http.SecurityConstraint;
+import org.mortbay.http.UserRealm;
+import org.mortbay.jetty.servlet.FormAuthenticator;
+import org.mortbay.jetty.servlet.ServletHttpRequest;
+
 import org.apache.geronimo.common.GeronimoSecurityException;
 import org.apache.geronimo.jetty.JAASJettyPrincipal;
 import org.apache.geronimo.security.ContextManager;
@@ -45,20 +55,14 @@
 import org.apache.geronimo.security.RealmPrincipal;
 import org.apache.geronimo.security.SubjectId;
 import org.apache.geronimo.security.deploy.DefaultPrincipal;
+import org.apache.geronimo.security.deploy.DistinguishedName;
 import org.apache.geronimo.security.deploy.Realm;
 import org.apache.geronimo.security.deploy.Role;
 import org.apache.geronimo.security.deploy.Security;
 import org.apache.geronimo.security.jacc.RoleMappingConfiguration;
 import org.apache.geronimo.security.jacc.RoleMappingConfigurationFactory;
 import org.apache.geronimo.security.util.ConfigurationUtil;
-import org.mortbay.http.Authenticator;
-import org.mortbay.http.HttpException;
-import org.mortbay.http.HttpRequest;
-import org.mortbay.http.HttpResponse;
-import org.mortbay.http.SecurityConstraint;
-import org.mortbay.http.UserRealm;
-import org.mortbay.jetty.servlet.FormAuthenticator;
-import org.mortbay.jetty.servlet.ServletHttpRequest;
+
 
 /**
  * @version $Rev:  $ $Date:  $
@@ -151,7 +155,7 @@
         this.realm = realm;
 //        log.info("JettyWebAppJACCContext started with JACC policy '" + policyContextID
+ "'");
     }
-    
+
     public void registerServletHolder(Map webRoleRefPermissions) throws PolicyContextException
{
         PolicyConfiguration policyConfiguration = factory.getPolicyConfiguration(policyContextID,
false);
         for (Iterator iterator = webRoleRefPermissions.entrySet().iterator(); iterator.hasNext();)
{
@@ -161,7 +165,7 @@
             policyConfiguration.addToRole(roleName, webRoleRefPermission);
         }
         policyConfiguration.commit();
-        
+
     }
 
     public void before(Object[] context, HttpRequest httpRequest, HttpResponse httpResponse)
{
@@ -213,131 +217,131 @@
     //security check methods, delegated from WebAppContext
     
     /**
-    * Check the security constraints using JACC.
-    *
-    * @param pathInContext path in context
-    * @param request       HTTP request
-    * @param response      HTTP response
-    * @return true if the path in context passes the security check,
-    *         false if it fails or a redirection has occured during authentication.
-    */
-   public boolean checkSecurityConstraints(String pathInContext, HttpRequest request, HttpResponse
response) throws HttpException, IOException {
-       if (formLoginPath != null) {
-           String pathToBeTested = (pathInContext.indexOf('?') > 0 ? pathInContext.substring(0,
pathInContext.indexOf('?')) : pathInContext);
-
-           if (pathToBeTested.equals(formLoginPath)) {
-               return true;
-           }
-       }
-
-       try {
-           Principal user = obtainUser(pathInContext, request, response);
-
-           if (user == null) {
-               return false;
-           }
-           if (user == SecurityConstraint.__NOBODY) {
-               return true;
-           }
-
-           AccessControlContext acc = ContextManager.getCurrentContext();
-           ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper();
-
-           /**
-            * JACC v1.0 secion 4.1.1
-            */
-
-           String transportType;
-           if (request.isConfidential()) {
-               transportType = "CONFIDENTIAL";
-           } else if (request.isIntegral()) {
-               transportType = "INTEGRAL";
-           } else {
-               transportType = null;
-           }
-           WebUserDataPermission wudp = new WebUserDataPermission(servletHttpRequest.getServletPath(),
new String[] {servletHttpRequest.getMethod()}, transportType);
-           acc.checkPermission(wudp);
-
-           /**
-            * JACC v1.0 secion 4.1.2
-            */
-           acc.checkPermission(new WebResourcePermission(servletHttpRequest));
-       } catch (HttpException he) {
-           response.sendError(he.getCode(), he.getReason());
-           return false;
-       } catch (AccessControlException ace) {
-           response.sendError(HttpResponse.__403_Forbidden);
-           return false;
-       }
-       return true;
-   }
-
-   /**
-    * Obtain an authenticated user, if one is required.  Otherwise return the
-    * default principal.
-    * <p/>
-    * Also set the current caller for JACC security checks for the default
-    * principal.  This is automatically done by <code>JAASJettyRealm</code>.
-    *
-    * @param pathInContext path in context
-    * @param request       HTTP request
-    * @param response      HTTP response
-    * @return <code>null</code> if there is no authenticated user at the moment
-    *         and security checking should not proceed and servlet handling should also
-    *         not proceed, e.g. redirect. <code>SecurityConstraint.__NOBODY</code>
if
-    *         security checking should not proceed and servlet handling should proceed,
-    *         e.g. login page.
-    */
-   private Principal obtainUser(String pathInContext, HttpRequest request, HttpResponse response)
throws IOException, IOException {
-       ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper();
-       WebResourcePermission resourcePermission = new WebResourcePermission(servletHttpRequest);
-       WebUserDataPermission dataPermission = new WebUserDataPermission(servletHttpRequest);
-       boolean unauthenticated = !(checked.implies(resourcePermission) || checked.implies(dataPermission));
-       boolean forbidden = excludedPermissions.implies(resourcePermission) || excludedPermissions.implies(dataPermission);
+     * Check the security constraints using JACC.
+     *
+     * @param pathInContext path in context
+     * @param request       HTTP request
+     * @param response      HTTP response
+     * @return true if the path in context passes the security check,
+     *         false if it fails or a redirection has occured during authentication.
+     */
+    public boolean checkSecurityConstraints(String pathInContext, HttpRequest request, HttpResponse
response) throws HttpException, IOException {
+        if (formLoginPath != null) {
+            String pathToBeTested = (pathInContext.indexOf('?') > 0 ? pathInContext.substring(0,
pathInContext.indexOf('?')) : pathInContext);
+
+            if (pathToBeTested.equals(formLoginPath)) {
+                return true;
+            }
+        }
+
+        try {
+            Principal user = obtainUser(pathInContext, request, response);
+
+            if (user == null) {
+                return false;
+            }
+            if (user == SecurityConstraint.__NOBODY) {
+                return true;
+            }
+
+            AccessControlContext acc = ContextManager.getCurrentContext();
+            ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper();
+
+            /**
+             * JACC v1.0 secion 4.1.1
+             */
+
+            String transportType;
+            if (request.isConfidential()) {
+                transportType = "CONFIDENTIAL";
+            } else if (request.isIntegral()) {
+                transportType = "INTEGRAL";
+            } else {
+                transportType = null;
+            }
+            WebUserDataPermission wudp = new WebUserDataPermission(servletHttpRequest.getServletPath(),
new String[]{servletHttpRequest.getMethod()}, transportType);
+            acc.checkPermission(wudp);
+
+            /**
+             * JACC v1.0 secion 4.1.2
+             */
+            acc.checkPermission(new WebResourcePermission(servletHttpRequest));
+        } catch (HttpException he) {
+            response.sendError(he.getCode(), he.getReason());
+            return false;
+        } catch (AccessControlException ace) {
+            response.sendError(HttpResponse.__403_Forbidden);
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Obtain an authenticated user, if one is required.  Otherwise return the
+     * default principal.
+     * <p/>
+     * Also set the current caller for JACC security checks for the default
+     * principal.  This is automatically done by <code>JAASJettyRealm</code>.
+     *
+     * @param pathInContext path in context
+     * @param request       HTTP request
+     * @param response      HTTP response
+     * @return <code>null</code> if there is no authenticated user at the moment
+     *         and security checking should not proceed and servlet handling should also
+     *         not proceed, e.g. redirect. <code>SecurityConstraint.__NOBODY</code>
if
+     *         security checking should not proceed and servlet handling should proceed,
+     *         e.g. login page.
+     */
+    private Principal obtainUser(String pathInContext, HttpRequest request, HttpResponse
response) throws IOException, IOException {
+        ServletHttpRequest servletHttpRequest = (ServletHttpRequest) request.getWrapper();
+        WebResourcePermission resourcePermission = new WebResourcePermission(servletHttpRequest);
+        WebUserDataPermission dataPermission = new WebUserDataPermission(servletHttpRequest);
+        boolean unauthenticated = !(checked.implies(resourcePermission) || checked.implies(dataPermission));
+        boolean forbidden = excludedPermissions.implies(resourcePermission) || excludedPermissions.implies(dataPermission);
 
 //       Authenticator authenticator = getAuthenticator();
-       Principal user = null;
-       if (!unauthenticated && !forbidden) {
-           if (realm == null) {
+        Principal user = null;
+        if (!unauthenticated && !forbidden) {
+            if (realm == null) {
 //               log.warn("Realm Not Configured");
-               throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm Not
Configured");
-           }
+                throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm
Not Configured");
+            }
 
 
-           // Handle pre-authenticated request
-           if (authenticator != null) {
-               // User authenticator.
-               user = authenticator.authenticate(realm, pathInContext, request, response);
-           } else {
-               // don't know how authenticate
+            // Handle pre-authenticated request
+            if (authenticator != null) {
+                // User authenticator.
+                user = authenticator.authenticate(realm, pathInContext, request, response);
+            } else {
+                // don't know how authenticate
 //               log.warn("Mis-configured Authenticator for " + request.getPath());
-               throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Mis-configured
Authenticator for " + request.getPath());
-           }
+                throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Mis-configured
Authenticator for " + request.getPath());
+            }
 
-           return user;
-       } else if (authenticator instanceof FormAuthenticator && pathInContext.endsWith(FormAuthenticator.__J_SECURITY_CHECK))
{
-           /**
-            * This could be a post request to __J_SECURITY_CHECK.
-            */
-           if (realm == null) {
+            return user;
+        } else if (authenticator instanceof FormAuthenticator && pathInContext.endsWith(FormAuthenticator.__J_SECURITY_CHECK))
{
+            /**
+             * This could be a post request to __J_SECURITY_CHECK.
+             */
+            if (realm == null) {
 //               log.warn("Realm Not Configured");
-               throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm Not
Configured");
-           }
-           return authenticator.authenticate(realm, pathInContext, request, response);
-       }
-
-       /**
-        * No authentication is required.  Return the defaultPrincipal.
-        */
-       ContextManager.setCurrentCaller(defaultPrincipal.getSubject());
-       return defaultPrincipal;
-   }
-    
+                throw new HttpException(HttpResponse.__500_Internal_Server_Error, "Realm
Not Configured");
+            }
+            return authenticator.authenticate(realm, pathInContext, request, response);
+        }
+
+        /**
+         * No authentication is required.  Return the defaultPrincipal.
+         */
+        ContextManager.setCurrentCaller(defaultPrincipal.getSubject());
+        return defaultPrincipal;
+    }
+
 
     /**
      * Generate the default principal from the security config.
      *
-     * @param securityConfig  The Geronimo security configuration.
+     * @param securityConfig The Geronimo security configuration.
      * @return the default principal
      */
     protected JAASJettyPrincipal generateDefaultPrincipal(Security securityConfig) throws
GeronimoSecurityException {
@@ -346,7 +350,7 @@
         if (defaultPrincipal == null) {
             throw new GeronimoSecurityException("Unable to generate default principal");
         }
-        
+
         JAASJettyPrincipal result = new JAASJettyPrincipal("default");
         Subject defaultSubject = new Subject();
 
@@ -398,6 +402,18 @@
                     }
                 }
             }
+
+            for (Iterator names = role.getDNames().iterator(); names.hasNext();) {
+                DistinguishedName dn = (DistinguishedName) names.next();
+
+                X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName());
+
+                principalSet.add(x500Principal);
+                if (dn.isDesignatedRunAs()) {
+                    roleDesignate.getPrincipals().add(x500Principal);
+                }
+            }
+
             roleMapper.addRoleMapping(roleName, principalSet);
 
             if (roleDesignate.getPrincipals().size() > 0) {
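Review bot: `ConfigurationUtil.generateX500Principal(dn.getName())` at L386 constructs the principal with no handling of the `IllegalArgumentException` that `new X500Principal(String)` throws for a string it cannot parse, so a typo in a deployment plan surfaces as an unwrapped runtime exception from inside this role-mapping loop, whereas other setup failures in this class are reported as `GeronimoSecurityException` (L371). Consider catching it and rethrowing `new GeronimoSecurityException("Invalid distinguished name '" + dn.getName() + "' for role " + roleName, e)` (the import already exists; confirm the exception has a cause-taking constructor). A comment is also warranted that, unlike the realm principals built above, an `X500Principal` is not realm-qualified, so a Subject carrying an equal DN from any login module in any realm will match this role. The enclosing method starts and ends outside this hunk.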
@@ -453,11 +469,11 @@
 //            log.debug("Role designate " + ContextManager.getSubjectId(roleDesignate) +
" for role '" + roleName + "' for JACC policy '" + policyContextID + "' unregistered.");
         }
         ContextManager.unregisterSubject(defaultPrincipal.getSubject());
-        
+
         if (policyConfiguration != null) {
             policyConfiguration.delete();
         }
 
-        
+
     }
 }

Modified: geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
(original)
+++ geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java
Sun Mar 13 17:24:28 2005
@@ -16,16 +16,17 @@
  */
 package org.apache.geronimo.security.deployment;
 
-import java.util.HashSet;
 import java.util.Set;
 
 import org.apache.geronimo.common.DeploymentException;
 import org.apache.geronimo.security.deploy.DefaultPrincipal;
+import org.apache.geronimo.security.deploy.DistinguishedName;
 import org.apache.geronimo.security.deploy.Principal;
 import org.apache.geronimo.security.deploy.Realm;
 import org.apache.geronimo.security.deploy.Role;
 import org.apache.geronimo.security.deploy.Security;
 import org.apache.geronimo.xbeans.geronimo.security.GerDefaultPrincipalType;
+import org.apache.geronimo.xbeans.geronimo.security.GerDistinguishedNameType;
 import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType;
 import org.apache.geronimo.xbeans.geronimo.security.GerRealmType;
 import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType;
@@ -52,9 +53,8 @@
             security.setDefaultRole(securityType.getDefaultRole().trim());
         }
 
-        GerRoleMappingsType roleMappingsType = securityType.getRoleMappings();
-        Set allRealms = new HashSet();
-        if (roleMappingsType != null) {
+        if (securityType.isSetRoleMappings()) {
+            GerRoleMappingsType roleMappingsType = securityType.getRoleMappings();
             for (int i = 0; i < roleMappingsType.sizeOfRoleArray(); i++) {
                 GerRoleType roleType = roleMappingsType.getRoleArray(i);
                 Role role = new Role();
@@ -65,7 +65,6 @@
                 for (int j = 0; j < roleType.sizeOfRealmArray(); j++) {
                     GerRealmType realmType = roleType.getRealmArray(j);
                     String realmName = realmType.getRealmName().trim();
-                    allRealms.add(realmName);
                     Realm realm = new Realm();
 
                     realm.setRealmName(realmName);
@@ -75,6 +74,15 @@
                     }
 
                     role.getRealms().put(realmName, realm);
+                }
+
+                for (int j = 0; j < roleType.sizeOfDistinguishedNameArray(); j++) {
+                    GerDistinguishedNameType dnType = roleType.getDistinguishedNameArray(j);
+                    DistinguishedName name = new DistinguishedName(dnType.getName());
+
+                    name.setDesignatedRunAs(dnType.getDesignatedRunAs());
+
+                    role.append(name);
                 }
 
                 security.getRoleMappings().put(roleName, role);
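Review bot: `dnType.getName()` at L467 is passed through untrimmed and unvalidated, while `realmName` a few lines above is `.trim()`med, and nothing checks that the string is a DN `X500Principal` will accept, so a malformed value is only discovered when the web container builds its role mappings at application start. Parsing it here lets the deployer report the problem as a `DeploymentException` at build time (assuming `DeploymentException` has a cause-taking constructor; `javax.security.auth.x500.X500Principal` would need importing). Trimming also matters because `DistinguishedName.equals` compares the raw string, so `role.append` would otherwise keep two entries that differ only in surrounding whitespace. The enclosing method starts outside this hunk.
```java
for (int j = 0; j < roleType.sizeOfDistinguishedNameArray(); j++) {
    GerDistinguishedNameType dnType = roleType.getDistinguishedNameArray(j);
    String dnString = dnType.getName().trim();
    try {
        new X500Principal(dnString); // reject DNs the runtime would fail to parse
    } catch (IllegalArgumentException e) {
        throw new DeploymentException("Invalid distinguished name '" + dnString + "' for role " + roleName, e);
    }
    DistinguishedName name = new DistinguishedName(dnString);
    name.setDesignatedRunAs(dnType.getDesignatedRunAs());
    role.append(name);
}
```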

Modified: geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd (original)
+++ geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd Sun Mar 13 17:24:28
2005
@@ -86,7 +86,8 @@
     <xsd:complexType name="roleType">
         <xsd:sequence>
             <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0"
maxOccurs="unbounded"/>
-            <xsd:element name="realm" type="geronimo:realmType" minOccurs="1" maxOccurs="unbounded"/>
+            <xsd:element name="realm" type="geronimo:realmType" minOccurs="0" maxOccurs="unbounded"/>
+            <xsd:element name="distinguished-name" type="geronimo:distinguishedNameType"
minOccurs="0" maxOccurs="unbounded"/>
         </xsd:sequence>
         <xsd:attribute name="role-name" type="xsd:string" use="required"/>
     </xsd:complexType>
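Review bot: With `realm` relaxed to `minOccurs="0"` at L488 and `distinguished-name` also optional, a `<role>` with neither child is now schema-valid and produces a role mapped to no principal at all. If every role is meant to carry at least one mapping, wrapping the two elements in `<xsd:choice minOccurs="1" maxOccurs="unbounded">` keeps that invariant in the schema instead of yielding a silently empty role at runtime. If an empty mapping is intentional, a one-line `xsd:documentation` on `roleType` saying so would save the next reader the question.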
@@ -102,6 +103,20 @@
             <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0"
maxOccurs="unbounded"/>
         </xsd:sequence>
         <xsd:attribute name="class" type="xsd:string" use="required"/>
+        <xsd:attribute name="name" type="xsd:string" use="required"/>
+        <xsd:attribute name="designated-run-as" type="xsd:boolean" default="false">
+            <xsd:annotation>
+                <xsd:documentation>
+                    Set this attribute to "true" if this principal is to be
+                    used as the run-as principal for this role.
+                </xsd:documentation>
+            </xsd:annotation>
+        </xsd:attribute>
+    </xsd:complexType>
+    <xsd:complexType name="distinguishedNameType">
+        <xsd:sequence>
+            <xsd:element name="description" type="j2ee:descriptionType" minOccurs="0"
maxOccurs="unbounded"/>
+        </xsd:sequence>
         <xsd:attribute name="name" type="xsd:string" use="required"/>
         <xsd:attribute name="designated-run-as" type="xsd:boolean" default="false">
             <xsd:annotation>
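Review bot: The `name` attribute of the new `distinguishedNameType` carries no documentation of its expected syntax, yet the value is fed straight to `new X500Principal(String)`, which accepts only RFC 2253/RFC 1779-style strings and rejects anything else at deployment. An `xsd:annotation` on the attribute along the lines of `The principal's distinguished name in RFC 2253 string form, e.g. "CN=Alice,OU=Dev,O=Example"; it is matched using X500Principal's canonical form, so RDN order is significant while keyword case and insignificant whitespace are not` would make that contract visible to deployers.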

Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java?view=auto&rev=157364
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java
(added)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/DistinguishedName.java
Sun Mar 13 17:24:28 2005
@@ -0,0 +1,90 @@
+/**
+ * Redistribution and use of this software and associated documentation
+ * ("Software"), with or without modification, are permitted provided
+ * that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain copyright
+ *    statements and notices.  Redistributions must also contain a
+ *    copy of this document.
+ *
+ * 2. Redistributions in binary form must reproduce the
+ *    above copyright notice, this list of conditions and the
+ *    following disclaimer in the documentation and/or other
+ *    materials provided with the distribution.
+ *
+ * 3. The name "OpenEJB" must not be used to endorse or promote
+ *    products derived from this Software without prior written
+ *    permission of The OpenEJB Group.  For written permission,
+ *    please contact openejb-group@openejb.sf.net.
+ *
+ * 4. Products derived from this Software may not be called "OpenEJB"
+ *    nor may "OpenEJB" appear in their names without prior written
+ *    permission of The OpenEJB Group. OpenEJB is a registered
+ *    trademark of The OpenEJB Group.
+ *
+ * 5. Due credit should be given to the OpenEJB Project
+ *    (http://openejb.sf.net/).
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OPENEJB GROUP AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT
+ * NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+ * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+ * THE OPENEJB GROUP OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Copyright 2005 (C) The OpenEJB Group. All Rights Reserved.
+ *
+ * $Id: $
+ */
+package org.apache.geronimo.security.deploy;
+
+import java.io.Serializable;
+
+
+/**
+ * @version $Revision: $ $Date: $
+ */
+public class DistinguishedName implements Serializable {
+
+    private final String name;
+    private boolean designatedRunAs;
+
+    public DistinguishedName(String name) {
+        assert name != null;
+
+        this.name = name;
+    }
+
+    public boolean isDesignatedRunAs() {
+        return designatedRunAs;
+    }
+
+    public void setDesignatedRunAs(boolean designatedRunAs) {
+        this.designatedRunAs = designatedRunAs;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public boolean equals(Object o) {
+        if (this == o) return true;
+        if (!(o instanceof DistinguishedName)) return false;
+
+        final DistinguishedName dn = (DistinguishedName) o;
+
+        if (!name.equals(dn.name)) return false;
+
+        return true;
+    }
+
+    public int hashCode() {
+        return name.hashCode();
+    }
+}
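Review bot: `assert name != null` in the constructor (L584) only fires when the JVM runs with `-ea`; in a production server it is a no-op and the null surfaces later as a `NullPointerException` from `hashCode` or `equals` while a `HashSet` is being populated during deployment. Replace it with an explicit check, `if (name == null) throw new IllegalArgumentException("name must not be null");`. A class-level comment should also state that `equals`/`hashCode` compare the raw string, so two spellings of the same DN that `X500Principal` would treat as equal are distinct `DistinguishedName` values. A `serialVersionUID` is missing as well for a `Serializable` class whose instances are stored in deployment configuration.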

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/deploy/Role.java
Sun Mar 13 17:24:28 2005
@@ -18,7 +18,9 @@
 
 import java.io.Serializable;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
+import java.util.Set;
 
 
 /**
@@ -27,7 +29,8 @@
 public class Role implements Serializable {
 
     private String roleName;
-    private Map realms = new HashMap();
+    private final Map realms = new HashMap();
+    private final Set dNames = new HashSet();
 
     public String getRoleName() {
         return roleName;
@@ -48,5 +51,13 @@
         } else {
             realms.put(realm.getRealmName(), realm);
         }
+    }
+
+    public Set getDNames() {
+        return dNames;
+    }
+
+    public void append(DistinguishedName distinguishedName) {
+        dNames.add(distinguishedName);
     }
 }
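Review bot: `getDNames()` hands out the live `HashSet`, so any caller can add or remove mappings behind `append`'s back; returning `Collections.unmodifiableSet(dNames)` would keep `append` the single mutation path (this needs a `java.util.Collections` import). Since `getRealms().put(...)` in `SecurityBuilder` already relies on getter-based mutation for realms, the choice may be deliberate; if so, a one-line Javadoc such as `/** The live set of distinguished names mapped to this role; mutate via {@link #append}. */` would stop readers from assuming a defensive copy.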

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java
Sun Mar 13 17:24:28 2005
@@ -30,8 +30,6 @@
 import java.util.Iterator;
 import javax.security.jacc.PolicyContextException;
 
-import org.apache.geronimo.security.RealmPrincipal;
-
 
 /**
  * @version $Rev$ $Date$
@@ -70,7 +68,6 @@
 
         for (int i = 0; i < principals.length; i++) {
             Principal principal = principals[i];
-            if (!(principal instanceof RealmPrincipal)) continue;
 
             Permissions permissions = (Permissions) principalPermissionsMap.get(principal);
 
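Review bot: Dropping the `instanceof RealmPrincipal` filter at L679 means every Principal in the caller's Subject is now consulted against `principalPermissionsMap`, not only realm-qualified ones. That is what the DN mapping needs, but it changes the trust model: an `X500Principal` carries no realm, so a Subject holding an equal DN from any login module, in any realm, receives the permissions mapped here. A comment such as `// principals other than RealmPrincipal (e.g. X500Principal) are matched by equals() alone and are not realm-scoped` would make that deliberate. The enclosing method starts and ends outside this hunk.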
@@ -84,8 +81,6 @@
         Iterator iter = principals.iterator();
         while (iter.hasNext()) {
             Principal principal = (Principal) iter.next();
-
-            if (!(principal instanceof RealmPrincipal)) throw new PolicyContextException("Principal
not instance of RealmPrincipal");
 
             HashSet roles = (HashSet) principalRoleMapping.get(principal);
             if (roles == null) {
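Review bot: The removed `PolicyContextException` at L688-L689 was the only validation of the principals handed to the role mapping; with it gone, any Principal implementation is silently accepted as a mapping key. If the intent is to allow exactly the two kinds this commit produces, restore a narrowed check, `if (!(principal instanceof RealmPrincipal) && !(principal instanceof X500Principal)) throw new PolicyContextException("Unsupported principal type: " + principal.getClass().getName());` (this reinstates the `RealmPrincipal` import removed above and needs `javax.security.auth.x500.X500Principal`); otherwise document the open policy in the method's Javadoc. The enclosing method starts and ends outside this hunk.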

Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java
(original)
+++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/util/ConfigurationUtil.java
Sun Mar 13 17:24:28 2005
@@ -24,6 +24,7 @@
 import javax.security.jacc.PolicyContext;
 import javax.security.jacc.PolicyContextException;
 import javax.security.jacc.PolicyContextHandler;
+import javax.security.auth.x500.X500Principal;
 
 import org.apache.geronimo.security.PrimaryRealmPrincipal;
 import org.apache.geronimo.security.RealmPrincipal;
@@ -39,6 +40,15 @@
  * @see "JSR 115" Java Authorization Contract for Containers
  */
 public class ConfigurationUtil {
+
+    /**
+     * Create an X500Principal from a deployment description.
+     * @param name the distinguished name of the principal
+     * @return an X500Principal from a deployment description
+     */
+    public static X500Principal generateX500Principal(String name) {
+        return new X500Principal(name);
+    }
 
     /**
      * Create a RealmPrincipal from a deployment description.

Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java
URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java?view=diff&r1=157363&r2=157364
==============================================================================
--- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java
(original)
+++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/TomcatGeronimoRealm.java
Sun Mar 13 17:24:28 2005
@@ -34,6 +34,7 @@
 import javax.security.auth.login.FailedLoginException;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
+import javax.security.auth.x500.X500Principal;
 import javax.security.jacc.PolicyConfiguration;
 import javax.security.jacc.PolicyConfigurationFactory;
 import javax.security.jacc.PolicyContext;
@@ -61,6 +62,7 @@
 import org.apache.geronimo.security.RealmPrincipal;
 import org.apache.geronimo.security.SubjectId;
 import org.apache.geronimo.security.deploy.DefaultPrincipal;
+import org.apache.geronimo.security.deploy.DistinguishedName;
 import org.apache.geronimo.security.deploy.Realm;
 import org.apache.geronimo.security.deploy.Role;
 import org.apache.geronimo.security.deploy.Security;
@@ -521,6 +523,18 @@
                     }
                 }
             }
+
+            for (Iterator names = role.getDNames().iterator(); names.hasNext();) {
+                DistinguishedName dn = (DistinguishedName) names.next();
+
+                X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName());
+
+                principalSet.add(x500Principal);
+                if (dn.isDesignatedRunAs()) {
+                    roleDesignate.getPrincipals().add(x500Principal);
+                }
+            }
+
             roleMapper.addRoleMapping(roleName, principalSet);
 
             if (roleDesignate.getPrincipals().size() > 0) {
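Review bot: The DN-to-principal loop at L754-L763 is a line-for-line copy of the one added to `SecurityContextBeforeAfter` in this same commit, and both leave the `IllegalArgumentException` from `new X500Principal` unhandled; two copies of a security-relevant mapping will drift the next time one is fixed. A static helper in `ConfigurationUtil`, e.g. `addDistinguishedNames(Role role, Set principalSet, Subject roleDesignate)` (presumably `roleDesignate` is a `Subject`, given the `getPrincipals().add` call), invoked as `ConfigurationUtil.addDistinguishedNames(role, principalSet, roleDesignate);` from both containers, keeps the parsing and error handling in one place. The enclosing method starts and ends outside this hunk.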


