Return-Path: Delivered-To: apmail-geronimo-scm-archive@www.apache.org Received: (qmail 7713 invoked from network); 14 Mar 2005 01:24:34 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 14 Mar 2005 01:24:34 -0000 Received: (qmail 62067 invoked by uid 500); 14 Mar 2005 01:24:33 -0000 Delivered-To: apmail-geronimo-scm-archive@geronimo.apache.org Received: (qmail 61913 invoked by uid 500); 14 Mar 2005 01:24:33 -0000 Mailing-List: contact scm-help@geronimo.apache.org; run by ezmlm Precedence: bulk list-help: list-unsubscribe: List-Post: Reply-To: dev@geronimo.apache.org Delivered-To: mailing list scm@geronimo.apache.org Received: (qmail 61900 invoked by uid 99); 14 Mar 2005 01:24:32 -0000 X-ASF-Spam-Status: No, hits=-9.8 required=10.0 tests=ALL_TRUSTED,NO_REAL_NAME X-Spam-Check-By: apache.org Received: from minotaur.apache.org (HELO minotaur.apache.org) (209.237.227.194) by apache.org (qpsmtpd/0.28) with SMTP; Sun, 13 Mar 2005 17:24:32 -0800 Received: (qmail 7687 invoked by uid 65534); 14 Mar 2005 01:24:30 -0000 Message-ID: <20050314012430.7686.qmail@minotaur.apache.org> Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Mailer: svnmailer-1.0.0-dev Date: Mon, 14 Mar 2005 01:24:30 -0000 Subject: svn commit: r157364 - in geronimo/trunk/modules: jetty/src/java/org/apache/geronimo/jetty/interceptor/ security-builder/src/java/org/apache/geronimo/security/deployment/ security-builder/src/schema/ security/src/java/org/apache/geronimo/security/deploy/ security/src/java/org/apache/geronimo/security/jacc/ security/src/java/org/apache/geronimo/security/util/ tomcat/src/java/org/apache/geronimo/tomcat/ To: scm@geronimo.apache.org 
From: adc@apache.org X-Virus-Checked: Checked X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N Author: adc Date: Sun Mar 13 17:24:28 2005 New Revision: 157364 URL: http://svn.apache.org/viewcvs?view=3Drev&rev=3D157364 Log: Added the ability to map distinguished names to roles. Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/d= eploy/DistinguishedName.java Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interce= ptor/SecurityContextBeforeAfter.java geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/se= curity/deployment/SecurityBuilder.java geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xsd geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/d= eploy/Role.java geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/j= acc/PolicyConfigurationGeneric.java geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/u= til/ConfigurationUtil.java geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/Tomca= tGeronimoRealm.java Modified: geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/i= nterceptor/SecurityContextBeforeAfter.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/jetty/src/java/or= g/apache/geronimo/jetty/interceptor/SecurityContextBeforeAfter.java?view=3D= diff&r1=3D157363&r2=3D157364 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interce= ptor/SecurityContextBeforeAfter.java (original) +++ geronimo/trunk/modules/jetty/src/java/org/apache/geronimo/jetty/interce= ptor/SecurityContextBeforeAfter.java Sun Mar 13 17:24:28 2005 
@@ -29,6 +29,7 @@ import java.util.Map; import java.util.Set; import javax.security.auth.Subject; +import javax.security.auth.x500.X500Principal; import javax.security.jacc.PolicyConfiguration; import javax.security.jacc.PolicyConfigurationFactory; import javax.security.jacc.PolicyContext; @@ -37,6 +38,15 @@ import javax.security.jacc.WebRoleRefPermission; import javax.security.jacc.WebUserDataPermission; =20 +import org.mortbay.http.Authenticator; +import org.mortbay.http.HttpException; +import org.mortbay.http.HttpRequest; +import org.mortbay.http.HttpResponse; +import org.mortbay.http.SecurityConstraint; +import org.mortbay.http.UserRealm; +import org.mortbay.jetty.servlet.FormAuthenticator; +import org.mortbay.jetty.servlet.ServletHttpRequest; + import org.apache.geronimo.common.GeronimoSecurityException; import org.apache.geronimo.jetty.JAASJettyPrincipal; import org.apache.geronimo.security.ContextManager; @@ -45,20 +55,14 @@ import org.apache.geronimo.security.RealmPrincipal; import org.apache.geronimo.security.SubjectId; import org.apache.geronimo.security.deploy.DefaultPrincipal; +import org.apache.geronimo.security.deploy.DistinguishedName; import org.apache.geronimo.security.deploy.Realm; import org.apache.geronimo.security.deploy.Role; import org.apache.geronimo.security.deploy.Security; import org.apache.geronimo.security.jacc.RoleMappingConfiguration; import org.apache.geronimo.security.jacc.RoleMappingConfigurationFactory; import org.apache.geronimo.security.util.ConfigurationUtil; -import org.mortbay.http.Authenticator; -import org.mortbay.http.HttpException; -import org.mortbay.http.HttpRequest; -import org.mortbay.http.HttpResponse; -import org.mortbay.http.SecurityConstraint; -import org.mortbay.http.UserRealm; -import org.mortbay.jetty.servlet.FormAuthenticator; -import org.mortbay.jetty.servlet.ServletHttpRequest; + =20 /** * @version $Rev: $ $Date: $ 
@@ -151,7 +155,7 @@ this.realm =3D realm; // log.info("JettyWebAppJACCContext started with JACC policy '" + p= olicyContextID + "'"); } - =20 + public void registerServletHolder(Map webRoleRefPermissions) throws Po= licyContextException { PolicyConfiguration policyConfiguration =3D factory.getPolicyConfi= guration(policyContextID, false); for (Iterator iterator =3D webRoleRefPermissions.entrySet().iterat= or(); iterator.hasNext();) { @@ -161,7 +165,7 @@ policyConfiguration.addToRole(roleName, webRoleRefPermission); } policyConfiguration.commit(); - =20 + } =20 public void before(Object[] context, HttpRequest httpRequest, HttpResp= onse httpResponse) { 
@@ -213,131 +217,131 @@ //security check methods, delegated from WebAppContext =20 /** - * Check the security constraints using JACC. - * - * @param pathInContext path in context - * @param request HTTP request - * @param response HTTP response - * @return true if the path in context passes the security check, - * false if it fails or a redirection has occured during authen= tication. - */ - public boolean checkSecurityConstraints(String pathInContext, HttpReque= st request, HttpResponse response) throws HttpException, IOException { - if (formLoginPath !=3D null) { - String pathToBeTested =3D (pathInContext.indexOf('?') > 0 ? pat= hInContext.substring(0, pathInContext.indexOf('?')) : pathInContext); - - if (pathToBeTested.equals(formLoginPath)) { - return true; - } - } - - try { - Principal user =3D obtainUser(pathInContext, request, response); - - if (user =3D=3D null) { - return false; - } - if (user =3D=3D SecurityConstraint.__NOBODY) { - return true; - } - - AccessControlContext acc =3D ContextManager.getCurrentContext(); - ServletHttpRequest servletHttpRequest =3D (ServletHttpRequest) = request.getWrapper(); - - /** - * JACC v1.0 secion 4.1.1 - */ - - String transportType; - if (request.isConfidential()) { - transportType =3D "CONFIDENTIAL"; - } else if (request.isIntegral()) { - transportType =3D "INTEGRAL"; - } else { - transportType =3D null; - } - WebUserDataPermission wudp =3D new WebUserDataPermission(servle= tHttpRequest.getServletPath(), new String[] {servletHttpRequest.getMethod()= }, transportType); - acc.checkPermission(wudp); - - /** - * JACC v1.0 secion 4.1.2 - */ - acc.checkPermission(new WebResourcePermission(servletHttpReques= t)); - } catch (HttpException he) { - response.sendError(he.getCode(), he.getReason()); - return false; - } catch (AccessControlException ace) { - response.sendError(HttpResponse.__403_Forbidden); - return false; - } - return true; - } - - /** - * Obtain an authenticated user, if one is required. 
Otherwise return = the - * default principal. - *

- * Also set the current caller for JACC security checks for the default - * principal. This is automatically done by JAASJettyRealm=2E - * - * @param pathInContext path in context - * @param request HTTP request - * @param response HTTP response - * @return null if there is no authenticated user at the m= oment - * and security checking should not proceed and servlet handlin= g should also - * not proceed, e.g. redirect. SecurityConstraint.__NOBOD= Y if - * security checking should not proceed and servlet handling sh= ould proceed, - * e.g. login page. - */ - private Principal obtainUser(String pathInContext, HttpRequest request,= HttpResponse response) throws IOException, IOException { - ServletHttpRequest servletHttpRequest =3D (ServletHttpRequest) requ= est.getWrapper(); - WebResourcePermission resourcePermission =3D new WebResourcePermiss= ion(servletHttpRequest); - WebUserDataPermission dataPermission =3D new WebUserDataPermission(= servletHttpRequest); - boolean unauthenticated =3D !(checked.implies(resourcePermission) |= | checked.implies(dataPermission)); - boolean forbidden =3D excludedPermissions.implies(resourcePermissio= n) || excludedPermissions.implies(dataPermission); + * Check the security constraints using JACC. + * + * @param pathInContext path in context + * @param request HTTP request + * @param response HTTP response + * @return true if the path in context passes the security check, + * false if it fails or a redirection has occured during authe= ntication. + */ + public boolean checkSecurityConstraints(String pathInContext, HttpRequ= est request, HttpResponse response) throws HttpException, IOException { + if (formLoginPath !=3D null) { + String pathToBeTested =3D (pathInContext.indexOf('?') > 0 ? 
pa= thInContext.substring(0, pathInContext.indexOf('?')) : pathInContext); + + if (pathToBeTested.equals(formLoginPath)) { + return true; + } + } + + try { + Principal user =3D obtainUser(pathInContext, request, response= ); + + if (user =3D=3D null) { + return false; + } + if (user =3D=3D SecurityConstraint.__NOBODY) { + return true; + } + + AccessControlContext acc =3D ContextManager.getCurrentContext(= ); + ServletHttpRequest servletHttpRequest =3D (ServletHttpRequest)= request.getWrapper(); + + /** + * JACC v1.0 secion 4.1.1 + */ + + String transportType; + if (request.isConfidential()) { + transportType =3D "CONFIDENTIAL"; + } else if (request.isIntegral()) { + transportType =3D "INTEGRAL"; + } else { + transportType =3D null; + } + WebUserDataPermission wudp =3D new WebUserDataPermission(servl= etHttpRequest.getServletPath(), new String[]{servletHttpRequest.getMethod()= }, transportType); + acc.checkPermission(wudp); + + /** + * JACC v1.0 secion 4.1.2 + */ + acc.checkPermission(new WebResourcePermission(servletHttpReque= st)); + } catch (HttpException he) { + response.sendError(he.getCode(), he.getReason()); + return false; + } catch (AccessControlException ace) { + response.sendError(HttpResponse.__403_Forbidden); + return false; + } + return true; + } + + /** + * Obtain an authenticated user, if one is required. Otherwise return= the + * default principal. + *

+ * Also set the current caller for JACC security checks for the default + * principal. This is automatically done by JAASJettyRealm. + * + * @param pathInContext path in context + * @param request HTTP request + * @param response HTTP response + * @return null if there is no authenticated user at the = moment + * and security checking should not proceed and servlet handli= ng should also + * not proceed, e.g. redirect. SecurityConstraint.__NOBO= DY if + * security checking should not proceed and servlet handling s= hould proceed, + * e.g. login page. + */ + private Principal obtainUser(String pathInContext, HttpRequest request= , HttpResponse response) throws IOException, IOException { + ServletHttpRequest servletHttpRequest =3D (ServletHttpRequest) req= uest.getWrapper(); + WebResourcePermission resourcePermission =3D new WebResourcePermis= sion(servletHttpRequest); + WebUserDataPermission dataPermission =3D new WebUserDataPermission= (servletHttpRequest); + boolean unauthenticated =3D !(checked.implies(resourcePermission) = || checked.implies(dataPermission)); + boolean forbidden =3D excludedPermissions.implies(resourcePermissi= on) || excludedPermissions.implies(dataPermission); =20 // Authenticator authenticator =3D getAuthenticator(); - Principal user =3D null; - if (!unauthenticated && !forbidden) { - if (realm =3D=3D null) { + Principal user =3D null; + if (!unauthenticated && !forbidden) { + if (realm =3D=3D null) { // log.warn("Realm Not Configured"); - throw new HttpException(HttpResponse.__500_Internal_Server_= Error, "Realm Not Configured"); - } + throw new HttpException(HttpResponse.__500_Internal_Server= _Error, "Realm Not Configured"); + } =20 =20 - // Handle pre-authenticated request - if (authenticator !=3D null) { - // User authenticator. 
- user =3D authenticator.authenticate(realm, pathInContext, r= equest, response); - } else { - // don't know how authenticate + // Handle pre-authenticated request + if (authenticator !=3D null) { + // User authenticator. + user =3D authenticator.authenticate(realm, pathInContext, = request, response); + } else { + // don't know how authenticate // log.warn("Mis-configured Authenticator for " + request.ge= tPath()); - throw new HttpException(HttpResponse.__500_Internal_Server_= Error, "Mis-configured Authenticator for " + request.getPath()); - } + throw new HttpException(HttpResponse.__500_Internal_Server= _Error, "Mis-configured Authenticator for " + request.getPath()); + } =20 - return user; - } else if (authenticator instanceof FormAuthenticator && pathInCont= ext.endsWith(FormAuthenticator.__J_SECURITY_CHECK)) { - /** - * This could be a post request to __J_SECURITY_CHECK. - */ - if (realm =3D=3D null) { + return user; + } else if (authenticator instanceof FormAuthenticator && pathInCon= text.endsWith(FormAuthenticator.__J_SECURITY_CHECK)) { + /** + * This could be a post request to __J_SECURITY_CHECK. + */ + if (realm =3D=3D null) { // log.warn("Realm Not Configured"); - throw new HttpException(HttpResponse.__500_Internal_Server_= Error, "Realm Not Configured"); - } - return authenticator.authenticate(realm, pathInContext, request= , response); - } - - /** - * No authentication is required. Return the defaultPrincipal. - */ - ContextManager.setCurrentCaller(defaultPrincipal.getSubject()); - return defaultPrincipal; - } - =20 + throw new HttpException(HttpResponse.__500_Internal_Server= _Error, "Realm Not Configured"); + } + return authenticator.authenticate(realm, pathInContext, reques= t, response); + } + + /** + * No authentication is required. Return the defaultPrincipal. + */ + ContextManager.setCurrentCaller(defaultPrincipal.getSubject()); + return defaultPrincipal; + } + =20 /** * Generate the default principal from the security config. 
* - * @param securityConfig The Geronimo security configuration. + * @param securityConfig The Geronimo security configuration. * @return the default principal */ protected JAASJettyPrincipal generateDefaultPrincipal(Security securit= yConfig) throws GeronimoSecurityException { @@ -346,7 +350,7 @@ if (defaultPrincipal =3D=3D null) { throw new GeronimoSecurityException("Unable to generate defaul= t principal"); } - =20 + JAASJettyPrincipal result =3D new JAASJettyPrincipal("default"); Subject defaultSubject =3D new Subject(); =20 @@ -398,6 +402,18 @@ } } } + + for (Iterator names =3D role.getDNames().iterator(); names.has= Next();) { + DistinguishedName dn =3D (DistinguishedName) names.next(); + + X500Principal x500Principal =3D ConfigurationUtil.generate= X500Principal(dn.getName()); + + principalSet.add(x500Principal); + if (dn.isDesignatedRunAs()) { + roleDesignate.getPrincipals().add(x500Principal); + } + } + roleMapper.addRoleMapping(roleName, principalSet); =20 if (roleDesignate.getPrincipals().size() > 0) { 
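Review bot: The X500Principal added to principalSet in the new loop carries no realm qualifier, so once this mapping is installed any Subject holding an X500Principal with the same DN satisfies the role, whichever login module or realm produced it, whereas the RealmPrincipal entries built earlier in this method are keyed to a realm name. That is presumably the intended semantics of a DN mapping, but it widens trust compared to realm-scoped principals and deserves a comment at the loop, e.g. `// DN mappings are not realm-scoped: any Subject carrying an equal X500Principal (canonical DN comparison) satisfies the role.` The same twelve lines are duplicated verbatim in TomcatGeronimoRealm (hunk @@ -521,6 +523,18 @@); a shared helper next to generateX500Principal in ConfigurationUtil would keep the two containers in step. generateDefaultPrincipal begins and ends outside this hunk.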
@@ -453,11 +469,11 @@ // log.debug("Role designate " + ContextManager.getSubjectId(ro= leDesignate) + " for role '" + roleName + "' for JACC policy '" + policyCon= textID + "' unregistered."); } ContextManager.unregisterSubject(defaultPrincipal.getSubject()); - =20 + if (policyConfiguration !=3D null) { policyConfiguration.delete(); } =20 - =20 + } } Modified: geronimo/trunk/modules/security-builder/src/java/org/apache/geron= imo/security/deployment/SecurityBuilder.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security-builder/= src/java/org/apache/geronimo/security/deployment/SecurityBuilder.java?view= =3Ddiff&r1=3D157363&r2=3D157364 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/se= curity/deployment/SecurityBuilder.java (original) +++ geronimo/trunk/modules/security-builder/src/java/org/apache/geronimo/se= curity/deployment/SecurityBuilder.java Sun Mar 13 17:24:28 2005 
@@ -16,16 +16,17 @@ */ package org.apache.geronimo.security.deployment; =20 -import java.util.HashSet; import java.util.Set; =20 import org.apache.geronimo.common.DeploymentException; import org.apache.geronimo.security.deploy.DefaultPrincipal; +import org.apache.geronimo.security.deploy.DistinguishedName; import org.apache.geronimo.security.deploy.Principal; import org.apache.geronimo.security.deploy.Realm; import org.apache.geronimo.security.deploy.Role; import org.apache.geronimo.security.deploy.Security; import org.apache.geronimo.xbeans.geronimo.security.GerDefaultPrincipalTyp= e; +import org.apache.geronimo.xbeans.geronimo.security.GerDistinguishedNameTy= pe; import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType; import org.apache.geronimo.xbeans.geronimo.security.GerRealmType; import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType; @@ -52,9 +53,8 @@ security.setDefaultRole(securityType.getDefaultRole().trim()); } =20 - GerRoleMappingsType roleMappingsType =3D securityType.getRoleMappi= ngs(); - Set allRealms =3D new HashSet(); - if (roleMappingsType !=3D null) { + if (securityType.isSetRoleMappings()) { + GerRoleMappingsType roleMappingsType =3D securityType.getRoleM= appings(); for (int i =3D 0; i < roleMappingsType.sizeOfRoleArray(); i++)= { GerRoleType roleType =3D roleMappingsType.getRoleArray(i); Role role =3D new Role(); @@ -65,7 +65,6 @@ for (int j =3D 0; j < roleType.sizeOfRealmArray(); j++) { GerRealmType realmType =3D roleType.getRealmArray(j); String realmName =3D realmType.getRealmName().trim(); - allRealms.add(realmName); Realm realm =3D new Realm(); =20 realm.setRealmName(realmName); 
@@ -75,6 +74,15 @@ } =20 role.getRealms().put(realmName, realm); + } + + for (int j =3D 0; j < roleType.sizeOfDistinguishedNameArra= y(); j++) { + GerDistinguishedNameType dnType =3D roleType.getDistin= guishedNameArray(j); + DistinguishedName name =3D new DistinguishedName(dnTyp= e=2EgetName()); + + name.setDesignatedRunAs(dnType.getDesignatedRunAs()); + + role.append(name); } =20 security.getRoleMappings().put(roleName, role); Modified: geronimo/trunk/modules/security-builder/src/schema/geronimo-secur= ity.xsd URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security-builder/= src/schema/geronimo-security.xsd?view=3Ddiff&r1=3D157363&r2=3D157364 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xs= d (original) +++ geronimo/trunk/modules/security-builder/src/schema/geronimo-security.xs= d Sun Mar 13 17:24:28 2005 @@ -86,7 +86,8 @@ - + + 
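Review bot: The DN string taken from dnType.getName() is stored without validation, so a malformed distinguished name in the plan is only detected later when ConfigurationUtil.generateX500Principal calls new X500Principal(name), which throws an unchecked IllegalArgumentException at web-app start instead of a DeploymentException at build time. Parsing the name once here and converting the failure into the DeploymentException this builder already throws reports the bad plan together with its role name; it needs `import javax.security.auth.x500.X500Principal;` and assumes DeploymentException has a (String, Throwable) constructor. The enclosing method starts and ends outside this hunk.
```java
for (int j = 0; j < roleType.sizeOfDistinguishedNameArray(); j++) {
    GerDistinguishedNameType dnType = roleType.getDistinguishedNameArray(j);
    String dnString = dnType.getName();
    try {
        // reject a malformed DN at build time rather than when the realm is generated
        new X500Principal(dnString);
    } catch (IllegalArgumentException e) {
        throw new DeploymentException("Malformed distinguished name '" + dnString + "' in role " + roleName, e);
    }
    DistinguishedName name = new DistinguishedName(dnString);
    // … unchanged: setDesignatedRunAs and role.append …
}
```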
@@ -102,6 +103,20 @@ + + + + + Set this attribute to "true" if this principal is to be + used as the run-as principal for this role. + + + + + + + + Added: geronimo/trunk/modules/security/src/java/org/apache/geronimo/securit= y/deploy/DistinguishedName.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java= /org/apache/geronimo/security/deploy/DistinguishedName.java?view=3Dauto&rev= =3D157364 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/d= eploy/DistinguishedName.java (added) +++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/d= eploy/DistinguishedName.java Sun Mar 13 17:24:28 2005 
@@ -0,0 +1,90 @@ +/** + * Redistribution and use of this software and associated documentation + * ("Software"), with or without modification, are permitted provided + * that the following conditions are met: + * + * 1. Redistributions of source code must retain copyright + * statements and notices. Redistributions must also contain a + * copy of this document. + * + * 2. Redistributions in binary form must reproduce the + * above copyright notice, this list of conditions and the + * following disclaimer in the documentation and/or other + * materials provided with the distribution. + * + * 3. The name "OpenEJB" must not be used to endorse or promote + * products derived from this Software without prior written + * permission of The OpenEJB Group. For written permission, + * please contact openejb-group@openejb.sf.net. + * + * 4. Products derived from this Software may not be called "OpenEJB" + * nor may "OpenEJB" appear in their names without prior written + * permission of The OpenEJB Group. OpenEJB is a registered + * trademark of The OpenEJB Group. + * + * 5. Due credit should be given to the OpenEJB Project + * (http://openejb.sf.net/). + * + * THIS SOFTWARE IS PROVIDED BY THE OPENEJB GROUP AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT + * NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND + * FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + * THE OPENEJB GROUP OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + * Copyright 2005 (C) The OpenEJB Group. All Rights Reserved. + * + * $Id: $ + */ +package org.apache.geronimo.security.deploy; + +import java.io.Serializable; + + +/** + * @version $Revision: $ $Date: $ + */ +public class DistinguishedName implements Serializable { + + private final String name; + private boolean designatedRunAs; + + public DistinguishedName(String name) { + assert name !=3D null; + + this.name =3D name; + } + + public boolean isDesignatedRunAs() { + return designatedRunAs; + } + + public void setDesignatedRunAs(boolean designatedRunAs) { + this.designatedRunAs =3D designatedRunAs; + } + + public String getName() { + return name; + } + + public boolean equals(Object o) { + if (this =3D=3D o) return true; + if (!(o instanceof DistinguishedName)) return false; + + final DistinguishedName dn =3D (DistinguishedName) o; + + if (!name.equals(dn.name)) return false; + + return true; + } + + public int hashCode() { + return name.hashCode(); + } +} Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/secu= rity/deploy/Role.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java= /org/apache/geronimo/security/deploy/Role.java?view=3Ddiff&r1=3D157363&r2= =3D157364 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/d= eploy/Role.java (original) +++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/d= eploy/Role.java Sun Mar 13 17:24:28 2005 @@ -18,7 +18,9 @@ =20 import java.io.Serializable; import java.util.HashMap; +import java.util.HashSet; import java.util.Map; +import java.util.Set; =20 =20 /** 
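Review bot: The null guard in the DistinguishedName constructor is an `assert`, which is disabled unless the JVM runs with -ea, so a null name from a deployment plan is stored silently and surfaces later as a NullPointerException in hashCode() or equals(); replace it with an explicit check, `if (name == null) throw new IllegalArgumentException("name must not be null");`. Note also that equals/hashCode compare the raw DN string, so two spellings of the same DN are distinct entries in Role.dNames even though the X500Principals generated from them compare equal in canonical form. A class Javadoc stating that this is a deployment-time value object keyed by the literal string, and that designatedRunAs is intentionally excluded from equality, would make both points explicit.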
@@ -27,7 +29,8 @@ public class Role implements Serializable { =20 private String roleName; - private Map realms =3D new HashMap(); + private final Map realms =3D new HashMap(); + private final Set dNames =3D new HashSet(); =20 public String getRoleName() { return roleName; @@ -48,5 +51,13 @@ } else { realms.put(realm.getRealmName(), realm); } + } + + public Set getDNames() { + return dNames; + } + + public void append(DistinguishedName distinguishedName) { + dNames.add(distinguishedName); } } Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/secu= rity/jacc/PolicyConfigurationGeneric.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java= /org/apache/geronimo/security/jacc/PolicyConfigurationGeneric.java?view=3Dd= iff&r1=3D157363&r2=3D157364 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/j= acc/PolicyConfigurationGeneric.java (original) +++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/j= acc/PolicyConfigurationGeneric.java Sun Mar 13 17:24:28 2005 @@ -30,8 +30,6 @@ import java.util.Iterator; import javax.security.jacc.PolicyContextException; =20 -import org.apache.geronimo.security.RealmPrincipal; - =20 /** * @version $Rev$ $Date$ @@ -70,7 +68,6 @@ =20 for (int i =3D 0; i < principals.length; i++) { Principal principal =3D principals[i]; - if (!(principal instanceof RealmPrincipal)) continue; =20 Permissions permissions =3D (Permissions) principalPermissions= Map.get(principal); =20 
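Review bot: getDNames() hands out the live HashSet behind dNames, so any caller can alter the role's mapping outside append(); returning `Collections.unmodifiableSet(dNames)` (import java.util.Collections) would keep the only write path through append(DistinguishedName), which is how SecurityBuilder already adds names. The sibling getRealms() has the same exposure, so this is a point of style rather than a regression. The accessor also lacks a Javadoc; `/** The distinguished names mapped to this role; never null, possibly empty. */` documents the contract the Jetty and Tomcat realm generators rely on when iterating it.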
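Review bot: With the `instanceof RealmPrincipal` filter removed from the implies loop, every Principal in the caller's Subject is now looked up in principalPermissionsMap, and the companion hunk @@ -84,8 +81,6 @@ likewise stops rejecting non-RealmPrincipal entries in addRoleMapping. That is what lets X500Principal mappings work, but it also means any Principal implementation that is equal to a mapped key grants that key's permissions, so the class Javadoc should state the new contract, e.g. `Principals are matched by equals()/hashCode() of whatever Principal class the mapping was built with; matching is no longer restricted to realm-qualified principals.` Both enclosing methods begin and end outside their hunks.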
@@ -84,8 +81,6 @@ Iterator iter =3D principals.iterator(); while (iter.hasNext()) { Principal principal =3D (Principal) iter.next(); - - if (!(principal instanceof RealmPrincipal)) throw new PolicyCo= ntextException("Principal not instance of RealmPrincipal"); =20 HashSet roles =3D (HashSet) principalRoleMapping.get(principal= ); if (roles =3D=3D null) { Modified: geronimo/trunk/modules/security/src/java/org/apache/geronimo/secu= rity/util/ConfigurationUtil.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/security/src/java= /org/apache/geronimo/security/util/ConfigurationUtil.java?view=3Ddiff&r1=3D= 157363&r2=3D157364 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/u= til/ConfigurationUtil.java (original) +++ geronimo/trunk/modules/security/src/java/org/apache/geronimo/security/u= til/ConfigurationUtil.java Sun Mar 13 17:24:28 2005 @@ -24,6 +24,7 @@ import javax.security.jacc.PolicyContext; import javax.security.jacc.PolicyContextException; import javax.security.jacc.PolicyContextHandler; +import javax.security.auth.x500.X500Principal; =20 import org.apache.geronimo.security.PrimaryRealmPrincipal; import org.apache.geronimo.security.RealmPrincipal; 
@@ -39,6 +40,15 @@ * @see "JSR 115" Java Authorization Contract for Containers */ public class ConfigurationUtil { + + /** + * Create an X500Principal from a deployment description. + * @param name the distinguished name of the principal + * @return an X500Principal from a deployment description + */ + public static X500Principal generateX500Principal(String name) { + return new X500Principal(name); + } =20 /** * Create a RealmPrincipal from a deployment description. Modified: geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat= /TomcatGeronimoRealm.java URL: http://svn.apache.org/viewcvs/geronimo/trunk/modules/tomcat/src/java/o= rg/apache/geronimo/tomcat/TomcatGeronimoRealm.java?view=3Ddiff&r1=3D157363&= r2=3D157364 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/Tomca= tGeronimoRealm.java (original) +++ geronimo/trunk/modules/tomcat/src/java/org/apache/geronimo/tomcat/Tomca= tGeronimoRealm.java Sun Mar 13 17:24:28 2005 @@ -34,6 +34,7 @@ import javax.security.auth.login.FailedLoginException; import javax.security.auth.login.LoginContext; import javax.security.auth.login.LoginException; +import javax.security.auth.x500.X500Principal; import javax.security.jacc.PolicyConfiguration; import javax.security.jacc.PolicyConfigurationFactory; import javax.security.jacc.PolicyContext; @@ -61,6 +62,7 @@ import org.apache.geronimo.security.RealmPrincipal; import org.apache.geronimo.security.SubjectId; import org.apache.geronimo.security.deploy.DefaultPrincipal; +import org.apache.geronimo.security.deploy.DistinguishedName; import org.apache.geronimo.security.deploy.Realm; import org.apache.geronimo.security.deploy.Role; import org.apache.geronimo.security.deploy.Security; 
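Review bot: generateX500Principal's Javadoc omits that new X500Principal(String) rejects a malformed name with IllegalArgumentException (and a null name with NullPointerException), which is the failure the Jetty and Tomcat realm generators will see for a bad deployment plan; add `@throws IllegalArgumentException if {@code name} is not a syntactically valid distinguished name` to the comment. It would also help to note there that the returned principal compares by canonical DN, so the string given in the plan need not be byte-identical to the one a login module produces.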
@@ -521,6 +523,18 @@ } } } + + for (Iterator names =3D role.getDNames().iterator(); names.has= Next();) { + DistinguishedName dn =3D (DistinguishedName) names.next(); + + X500Principal x500Principal =3D ConfigurationUtil.generate= X500Principal(dn.getName()); + + principalSet.add(x500Principal); + if (dn.isDesignatedRunAs()) { + roleDesignate.getPrincipals().add(x500Principal); + } + } + roleMapper.addRoleMapping(roleName, principalSet); =20 if (roleDesignate.getPrincipals().size() > 0) {