geronimo-scm mailing list archives

From d...@apache.org
Subject svn commit: r505432 [4/11] - in /geronimo/server/trunk: applications/magicGball/magicGball-ear/src/main/plan/ configs/client-corba-yoko/src/plan/ configs/j2ee-corba-yoko/src/plan/ configs/openejb-corba-deployer/src/plan/ modules/ modules/geronimo-corba...
Date Fri, 09 Feb 2007 19:24:39 GMT
Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSBean.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSBean.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSBean.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSBean.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,208 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.geronimo.gbean.GBeanLifecycle;
+import org.omg.CORBA.Any;
+import org.omg.CORBA.ORB;
+import org.omg.CORBA.Policy;
+import org.omg.CosNaming.NamingContextExt;
+import org.omg.CosNaming.NamingContextExtHelper;
+import org.omg.PortableServer.IdAssignmentPolicyValue;
+import org.omg.PortableServer.ImplicitActivationPolicyValue;
+import org.omg.PortableServer.LifespanPolicyValue;
+import org.omg.PortableServer.POA;
+import org.omg.PortableServer.RequestProcessingPolicyValue;
+import org.omg.PortableServer.ServantRetentionPolicyValue;
+import org.apache.geronimo.corba.security.ServerPolicy;
+import org.apache.geronimo.corba.security.ServerPolicyFactory;
+import org.apache.geronimo.corba.security.config.tss.TSSConfig;
+import org.apache.geronimo.corba.security.config.tss.TSSNULLTransportConfig;
+
+import java.util.HashMap;
+import java.util.Map;
+
+ /**
+  * A TSSBean represents a transport-level security profile for exported EJB objects.  An
+  * exported object is attached to a TSSBean-created named POA.  The TSSBean POA
+  * is created in the context of the ORB controlled by a CORBABean instance.
+  * The parent CORBABean controls the transport-level security of the host connection and
+  * defines the endpoint connnection for the object (host and listener port).
+  * TSSBean may then define additional characteristics that
+  * get encoded in the IOR of the connection.
+  * @version $Revision: 497125 $ $Date: 2007-01-17 10:51:30 -0800 (Wed, 17 Jan 2007) $
+  */
+public class TSSBean implements GBeanLifecycle {
+
+    private final Log log = LogFactory.getLog(TSSBean.class);
+
+    private final ClassLoader classLoader;
+    private final String POAName;
+    private final CORBABean server;
+    private POA localPOA;
+    private NamingContextExt initialContext;
+    private TSSConfig tssConfig;
+    private final Map adapters = new HashMap();
+    private Policy securityPolicy;
+
+    /**
+     * gbean endpoint constructor
+     */
+    public TSSBean() {
+        classLoader = null;
+        POAName = null;
+        server = null;
+    }
+
+    public TSSBean(ClassLoader classLoader, String POAName, CORBABean server) {
+        this.classLoader = classLoader;
+        this.POAName = POAName;
+        this.server = server;
+    }
+
+    public CORBABean getServer() {
+        return server;
+    }
+
+    public String getPOAName() {
+        return POAName;
+    }
+
+    public TSSConfig getTssConfig() {
+        return tssConfig;
+    }
+
+    public void setTssConfig(TSSConfig tssConfig) {
+        if (tssConfig == null) tssConfig = new TSSConfig();
+        this.tssConfig = tssConfig;
+    }
+
+    /**
+     * TODO: Security policy really shouldn't be inserted if there is not CSI
+     * config to put into it.
+     *
+     * @throws Exception
+     */
+    public void doStart() throws Exception {
+        ClassLoader savedLoader = Thread.currentThread().getContextClassLoader();
+        try {
+            Thread.currentThread().setContextClassLoader(classLoader);
+
+            ORB orb = server.getORB();
+            POA rootPOA = server.getRootPOA();
+
+            Any any = orb.create_any();
+            any.insert_Value(new ServerPolicy.Config(createCSIv2Config(), classLoader));
+
+            securityPolicy = orb.create_policy(ServerPolicyFactory.POLICY_TYPE, any);
+            Policy[] policies = new Policy[]{
+                    securityPolicy,
+                    rootPOA.create_lifespan_policy(LifespanPolicyValue.TRANSIENT),
+                    rootPOA.create_request_processing_policy(RequestProcessingPolicyValue.USE_ACTIVE_OBJECT_MAP_ONLY),
+                    rootPOA.create_servant_retention_policy(ServantRetentionPolicyValue.RETAIN),
+                    rootPOA.create_id_assignment_policy(IdAssignmentPolicyValue.USER_ID),
+                    rootPOA.create_implicit_activation_policy(ImplicitActivationPolicyValue.NO_IMPLICIT_ACTIVATION),
+            };
+            // there may be ORB-specific policy overrides required. 
+            policies = server.addPolicyOverrides(policies); 
+            
+            localPOA = rootPOA.create_POA(POAName, rootPOA.the_POAManager(), policies);
+
+            localPOA.the_POAManager().activate();
+
+            org.omg.CORBA.Object obj = server.getORB().resolve_initial_references("NameService");
+            // NB:  This is initial context is never used by the TSSBean, but we request it here
+            // to verify that the server ORB is correctly configured and our target server is accessible.
+            initialContext = NamingContextExtHelper.narrow(obj);
+        } finally {
+            Thread.currentThread().setContextClassLoader(savedLoader);
+        }
+
+        log.debug("Started CORBA Target Security Service in POA " + POAName);
+    }
+
+    public void doStop() throws Exception {
+        if (localPOA != null) {
+            // make sure this POA is destroyed so the bean can be potentially restarted.
+            // NOTE:  we do NOT deactivate() the poa manager, as that will take down any
+            // other POAs attached to the same manager.  Just destroying this POA is sufficient.
+            localPOA.destroy(true, false);
+            localPOA = null;
+        }
+        log.debug("Stopped CORBA Target Security Service in POA " + POAName);
+    }
+
+    public void doFail() {
+        log.warn("Failed CORBA Target Security Service in POA " + POAName);
+    }
+
+    private TSSConfig createCSIv2Config() {
+        if (tssConfig == null) return null;
+        if (tssConfig.isInherit()) return server.getTssConfig();
+
+        TSSConfig config = new TSSConfig();
+
+        if (server.getTssConfig() != null) {
+            config.setTransport_mech(server.getTssConfig().getTransport_mech());
+        } else {
+            config.setTransport_mech(new TSSNULLTransportConfig());
+        }
+
+        config.getMechListConfig().setStateful(tssConfig.getMechListConfig().isStateful());
+        for (int i = 0; i < tssConfig.getMechListConfig().size(); i++) {
+            config.getMechListConfig().add(tssConfig.getMechListConfig().mechAt(i));
+        }
+
+        return config;
+    }
+
+    public void registerContainer(TSSLink tssLink) throws CORBAException {
+        AdapterWrapper adapterWrapper = new AdapterWrapper(tssLink);
+
+        adapterWrapper.start(server.getORB(), localPOA, securityPolicy);
+        adapters.put(tssLink.getContainerId(), adapterWrapper);
+
+        log.debug(POAName + " - Linked container " + tssLink.getContainerId());
+    }
+
+    public void unregisterContainer(TSSLink tssLink) {
+        AdapterWrapper adapterWrapper = (AdapterWrapper) adapters.remove(tssLink.getContainerId());
+        if (adapterWrapper != null) {
+            try {
+                adapterWrapper.stop();
+                log.debug(POAName + " - Unlinked container " + tssLink.getContainerId());
+            } catch (CORBAException e) {
+                log.error(POAName + " - Error unlinking container " + tssLink.getContainerId(), e);
+            }
+        }
+    }
+    
+    /**
+     * Add the policy overrides (if any) to the list 
+     * of policies used to create a POA instance.
+     * 
+     * @param policies The base set of policies.
+     * 
+     * @return A new Policy array with the overrides added.  Returns
+     *         the same array if no overrides are required.
+     */
+    public Policy[] addPolicyOverrides(Policy[] policies) {
+        return server.addPolicyOverrides(policies); 
+    }
+}
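Review bot: In `createCSIv2Config()` the non-inherit branch falls back to `new TSSNULLTransportConfig()` whenever `server.getTssConfig()` is null and logs nothing, so the POA can start with what the class name suggests is no transport-level protection while the bean's own mechanism list is still copied into the policy. A warning before the fallback would make that visible to an operator, for example `log.warn(POAName + " - parent CORBABean has no TSS config; using NULL transport config");`. The inherit branch one line earlier can likewise pass a null config into `ServerPolicy.Config` in `doStart()`; how `ServerPolicy` treats null is not visible in this part of the commit, so that path deserves an explicit check or a comment next to the existing TODO. Separately, `doStop()` destroys the POA but leaves the entries in `adapters`, and `registerContainer()` does not check that `localPOA` is non-null before starting an adapter on it.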

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSBeanGBean.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSBeanGBean.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSBeanGBean.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSBeanGBean.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba;
+
+import org.apache.geronimo.gbean.GBeanInfo;
+import org.apache.geronimo.gbean.GBeanInfoBuilder;
+import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
+import org.apache.geronimo.corba.security.config.tss.TSSConfig;
+
+/**
+ * @version $Revision$ $Date$
+ */
+public final class TSSBeanGBean {
+
+    public static final GBeanInfo GBEAN_INFO;
+
+    static {
+        GBeanInfoBuilder infoFactory = GBeanInfoBuilder.createStatic(TSSBeanGBean.class, TSSBean.class, NameFactory.CORBA_TSS);
+
+        infoFactory.addAttribute("classLoader", ClassLoader.class, false);
+        infoFactory.addAttribute("POAName", String.class, true);
+        infoFactory.addReference("Server", CORBABean.class, NameFactory.CORBA_SERVICE);
+        infoFactory.addAttribute("tssConfig", TSSConfig.class, true);
+        infoFactory.addOperation("registerContainer", new Class[] {TSSLink.class});
+        infoFactory.addOperation("unregisterContainer", new Class[] {TSSLink.class});
+        infoFactory.setConstructor(new String[]{"classLoader", "POAName", "Server"});
+
+        GBEAN_INFO = infoFactory.getBeanInfo();
+    }
+
+    public static GBeanInfo getGBeanInfo() {
+        return GBEAN_INFO;
+    }
+}

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSLink.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSLink.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSLink.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSLink.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.corba;
+
+import java.io.Serializable;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.lang.reflect.Method;
+
+import org.apache.geronimo.corba.util.Util;
+import org.apache.geronimo.corba.transaction.ServerTransactionPolicyConfig;
+import org.apache.geronimo.corba.transaction.OperationTxPolicy;
+import org.apache.geronimo.corba.transaction.MappedServerTransactionPolicyConfig;
+import org.apache.geronimo.corba.transaction.nodistributedtransactions.NoDTxServerTransactionPolicies;
+import org.apache.geronimo.gbean.GBeanLifecycle;
+import org.apache.geronimo.openejb.EjbDeployment;
+
+import org.omg.CORBA.Policy;
+
+/**
+ * @version $Rev: 497125 $ $Date: 2007-01-17 10:51:30 -0800 (Wed, 17 Jan 2007) $
+ */
+public class TSSLink implements GBeanLifecycle {
+    private final TSSBean tssBean;
+    private final EjbDeployment ejb;
+    private final String[] jndiNames;
+
+    public TSSLink() {
+        tssBean = null;
+        ejb = null;
+        jndiNames = null;
+    }
+
+    public TSSLink(String[] jndiNames, TSSBean tssBean, EjbDeployment ejb) {
+        if (tssBean == null) {
+            throw new NullPointerException("No TSSBean supplied");
+        }
+        if (ejb == null) {
+            throw new NullPointerException("No ejb supplied");
+        }
+        this.jndiNames = jndiNames;
+        this.tssBean = tssBean;
+        this.ejb = ejb;
+    }
+
+    public void doStart() throws Exception {
+        if (tssBean != null) {
+            tssBean.registerContainer(this);
+        }
+    }
+
+    public void doStop() throws Exception {
+        destroy();
+    }
+
+    public void doFail() {
+        destroy();
+    }
+
+    protected void destroy() {
+        if (tssBean != null) {
+            tssBean.unregisterContainer(this);
+        }
+    }
+
+    public EjbDeployment getDeployment() {
+        return ejb;
+    }
+
+    public String getContainerId() {
+        return ejb.getDeploymentId();
+    }
+
+    public String[] getJndiNames() {
+        return jndiNames;
+    }
+
+    /**
+     * CORBA home transaction import policy configuration
+     * @return home transaction import policy
+     */
+    public Serializable getHomeTxPolicyConfig() {
+        if (ejb.getHomeInterface() == null) {
+            return null;
+        }
+        Serializable policy = buildTransactionImportPolicy(ejb.getHomeInterface());
+        return policy;
+    }
+
+    /**
+     * CORBA remote transaction import policy configuration
+     * @return remote transaction import policy
+     */
+    public Serializable getRemoteTxPolicyConfig() {
+        if (ejb.getRemoteInterface() == null) {
+            return null;
+        }
+        Serializable policy = buildTransactionImportPolicy(ejb.getRemoteInterface());
+        return policy;
+    }
+
+    private Serializable buildTransactionImportPolicy(Class intf) {
+
+        Map policies = new HashMap();
+
+        Map methodToOperation = Util.mapMethodToOperation(intf);
+        for (Iterator iterator = methodToOperation.entrySet().iterator(); iterator.hasNext();) {
+            Map.Entry entry = (Map.Entry) iterator.next();
+            Method method = (Method) entry.getKey();
+            String operation = (String) entry.getValue();
+
+            if (!ejb.isBeanManagedTransaction()) {
+                byte transactionAttribute = ejb.getTransactionAttribute(method);
+                OperationTxPolicy operationTxPolicy = NoDTxServerTransactionPolicies.getContainerTransactionPolicy(transactionAttribute);
+                policies.put(operation, operationTxPolicy);
+            } else {
+                OperationTxPolicy operationTxPolicy = NoDTxServerTransactionPolicies.getBeanTransactionPolicy();
+                policies.put(operation, operationTxPolicy);
+            }
+        }
+        ServerTransactionPolicyConfig serverTransactionPolicyConfig = new MappedServerTransactionPolicyConfig(policies);
+
+        return serverTransactionPolicyConfig;
+    }
+
+    /**
+     * Add the policy overrides (if any) to the list 
+     * of policies used to create a POA instance.
+     * 
+     * @param policies The base set of policies.
+     * 
+     * @return A new Policy array with the overrides added.  Returns
+     *         the same array if no overrides are required.
+     */
+    public Policy[] addPolicyOverrides(Policy[] policies) {
+        return tssBean.addPolicyOverrides(policies);
+    }
+}
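Review bot: `getContainerId()`, `getHomeTxPolicyConfig()`, `getRemoteTxPolicyConfig()` and `addPolicyOverrides()` dereference `ejb` or `tssBean` unchecked, while `doStart()` and `destroy()` guard `tssBean` against the null that the no-argument constructor assigns. Either document that the no-argument constructor exists only for GBean proxying and drop the guards, or guard consistently, e.g. `return tssBean == null ? policies : tssBean.addPolicyOverrides(policies);`. The three-argument constructor also stores `jndiNames` as passed and `getJndiNames()` returns the same array, so any caller can change the names after construction; copying on both sides with `jndiNames == null ? null : (String[]) jndiNames.clone()` closes that.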

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSLinkGBean.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSLinkGBean.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSLinkGBean.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/TSSLinkGBean.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,49 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.corba;
+
+import org.apache.geronimo.gbean.GBeanInfo;
+import org.apache.geronimo.gbean.GBeanInfoBuilder;
+import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
+import org.apache.geronimo.openejb.EjbDeployment;
+
+/**
+ * @version $Revision: 465108 $ $Date: 2006-10-17 17:23:40 -0700 (Tue, 17 Oct 2006) $
+ */
+public final class TSSLinkGBean {
+
+    public static final GBeanInfo GBEAN_INFO;
+
+    static {
+        GBeanInfoBuilder infoBuilder = GBeanInfoBuilder.createStatic(TSSLinkGBean.class, TSSLink.class, NameFactory.CORBA_TSS);
+        infoBuilder.addAttribute("jndiNames", String[].class, true, true);
+        infoBuilder.addReference("TSSBean", TSSBean.class, NameFactory.CORBA_TSS);
+        //this may not work properly due to variable j2eeType in ejbs.
+        infoBuilder.addReference("EJB", EjbDeployment.class);
+        infoBuilder.setConstructor(new String[]{"jndiNames", "TSSBean", "EJB"});
+
+        GBEAN_INFO = infoBuilder.getBeanInfo();
+    }
+
+    public static GBeanInfo getGBeanInfo() {
+        return TSSLinkGBean.GBEAN_INFO;
+    }
+}
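Review bot: `TSSLinkGBean` is registered under `NameFactory.CORBA_TSS`, the same j2eeType that `TSSBeanGBean` uses and that the `TSSBean` reference in this static block is restricted to, so the type alone does not tell a link apart from the bean it points at. Whether reference resolution can then match a TSSLink where a TSSBean is expected depends on the name patterns in the deployment plan, which are not visible here. A comment in the static block would record the constraint, for example `// NOTE: same j2eeType as TSSBeanGBean; the TSSBean reference pattern must select by name`. The existing comment on the `EJB` reference already notes that it is not restricted by type, so both references rely on the plan to select the right target.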

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/proxy/CORBAProxyReference.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/proxy/CORBAProxyReference.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/proxy/CORBAProxyReference.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/proxy/CORBAProxyReference.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,87 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.proxy;
+
+import java.net.URI;
+import javax.naming.NameNotFoundException;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.apache.geronimo.gbean.AbstractName;
+import org.apache.geronimo.gbean.AbstractNameQuery;
+import org.apache.geronimo.kernel.GBeanNotFoundException;
+import org.apache.geronimo.kernel.Kernel;
+import org.apache.geronimo.kernel.repository.Artifact;
+import org.apache.geronimo.naming.reference.ConfigurationAwareReference;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public final class CORBAProxyReference extends ConfigurationAwareReference {
+
+    private final static Log log = LogFactory.getLog(CORBAProxyReference.class);
+
+    private final URI nsCorbaloc;
+    private final String objectName;
+    private final String home;
+
+    public CORBAProxyReference(Artifact configId, AbstractNameQuery abstractNameQuery, URI nsCorbaloc, String objectName, String home) {
+        super(configId, abstractNameQuery);
+        this.nsCorbaloc = nsCorbaloc;
+        this.objectName = objectName;
+        this.home = home;
+        if (log.isDebugEnabled()) {
+            log.debug("<init> " + nsCorbaloc.toString() + ", " + objectName + ", " + abstractNameQuery + ", " + home);
+        }
+    }
+
+    public String getClassName() {
+        return home;
+    }
+
+    public Object getContent() throws NameNotFoundException {
+
+        if (log.isDebugEnabled()) {
+            log.debug("Obtaining home from " + nsCorbaloc.toString() + ", " + objectName + ", " + abstractNameQueries + ", " + home);
+        }
+        AbstractName containerName;
+        try {
+            containerName = resolveTargetName();
+        } catch (GBeanNotFoundException e) {
+            throw (NameNotFoundException) new NameNotFoundException("Could not resolve gbean from name query: " + abstractNameQueries).initCause(e);
+        }
+        Kernel kernel = getKernel();
+        Object proxy;
+        try {
+            //TODO configid objectname might well be wrong kind of thing.
+            proxy = kernel.invoke(containerName, "getHome", new Object[]{nsCorbaloc, objectName}, new String[]{URI.class.getName(), String.class.getName()});
+        } catch (Exception e) {
+            log.error("Could not get proxy from " + containerName, e);
+            throw (IllegalStateException) new IllegalStateException("Could not get proxy").initCause(e);
+        }
+        if (proxy == null) {
+            log.error("Proxy not returned from " + containerName);
+            throw new IllegalStateException("Proxy not returned. Target " + containerName + " not started");
+        }
+        if (!org.omg.CORBA.Object.class.isAssignableFrom(proxy.getClass())) {
+            log.error("Proxy not an instance of expected class org.omg.CORBA.Object from " + containerName);
+            throw new ClassCastException("Proxy not an instance of expected class org.omg.CORBA.Object");
+        }
+        return proxy;
+    }
+}
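Review bot: The debug statements in the constructor and at the top of `getContent()` call `nsCorbaloc.toString()` explicitly, so a null `nsCorbaloc` throws NullPointerException only when debug logging is enabled and passes unnoticed otherwise. Plain concatenation (`"<init> " + nsCorbaloc + ", " + objectName + ...`) removes the dependence on log level, and if null is not a legal value the constructor should reject it up front with `if (nsCorbaloc == null) throw new NullPointerException("nsCorbaloc");`. In `getContent()` the `catch (Exception e)` block logs at error level and also rethrows with the cause attached, so each failure is likely to be reported twice. The final type check reads more directly as `!(proxy instanceof org.omg.CORBA.Object)`.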

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientPolicy.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientPolicy.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientPolicy.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientPolicy.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,50 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import org.omg.CORBA.LocalObject;
+import org.omg.CORBA.Policy;
+
+import org.apache.geronimo.corba.security.config.css.CSSConfig;
+
+
+/**
+ * @version $Rev: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class ClientPolicy extends LocalObject implements Policy {
+
+    private final CSSConfig config;
+
+    public ClientPolicy(CSSConfig ORBConfig) {
+        this.config = ORBConfig;
+    }
+
+    public CSSConfig getConfig() {
+        return config;
+    }
+
+    public int policy_type() {
+        return ClientPolicyFactory.POLICY_TYPE;
+    }
+
+    public void destroy() {
+    }
+
+    public Policy copy() {
+        return new ClientPolicy(config);
+    }
+}
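Review bot: `copy()` wraps the same `CSSConfig` instance in the new policy, so the original and the copy share one configuration object; whether `CSSConfig` is mutable is not visible in this part of the commit. If sharing is intended, say so at the method, e.g. `// shallow copy: the CSSConfig instance is shared, not cloned`, so that nobody later mutates the config of one policy expecting the other to be unaffected. The class carries only a version tag as Javadoc; a sentence stating that it is a local policy object holding the client-side security configuration and that `destroy()` is deliberately a no-op would help, and the constructor parameter `ORBConfig` should follow lowerCamelCase (`config`).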

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientPolicyFactory.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientPolicyFactory.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientPolicyFactory.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientPolicyFactory.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import org.omg.CORBA.Any;
+import org.omg.CORBA.LocalObject;
+import org.omg.CORBA.Policy;
+import org.omg.CORBA.PolicyError;
+import org.omg.PortableInterceptor.PolicyFactory;
+
+import org.apache.geronimo.corba.security.config.css.CSSConfig;
+
+
+/**
+ * @version $Rev: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class ClientPolicyFactory extends LocalObject implements PolicyFactory {
+
+    public final static int POLICY_TYPE = 0x41534601;
+
+    public Policy create_policy(int type, Any value) throws PolicyError {
+        if (type != POLICY_TYPE) throw new PolicyError();
+
+        return new ClientPolicy((CSSConfig) value.extract_Value());
+    }
+}
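Review bot: `create_policy()` casts the result of `value.extract_Value()` straight to `CSSConfig`, so an `Any` holding some other value type surfaces as a ClassCastException instead of the `PolicyError` that the signature declares. Checking the type first keeps the failure inside the declared contract: `java.io.Serializable v = value.extract_Value();` followed by `if (v != null && !(v instanceof CSSConfig)) throw new PolicyError(org.omg.CORBA.BAD_POLICY_VALUE.value);`. The existing `throw new PolicyError()` for a wrong type also carries no reason code; `new PolicyError(org.omg.CORBA.BAD_POLICY_TYPE.value)` tells the caller which check failed.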

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientSecurityInterceptor.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientSecurityInterceptor.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientSecurityInterceptor.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ClientSecurityInterceptor.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,105 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import java.util.List;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.omg.CORBA.BAD_PARAM;
+import org.omg.CORBA.LocalObject;
+import org.omg.IOP.ServiceContext;
+import org.omg.IOP.TAG_CSI_SEC_MECH_LIST;
+import org.omg.IOP.TaggedComponent;
+import org.omg.PortableInterceptor.ClientRequestInfo;
+import org.omg.PortableInterceptor.ClientRequestInterceptor;
+
+import org.apache.geronimo.corba.security.config.css.CSSCompoundSecMechConfig;
+import org.apache.geronimo.corba.security.config.css.CSSConfig;
+import org.apache.geronimo.corba.security.config.tss.TSSCompoundSecMechListConfig;
+import org.apache.geronimo.corba.util.Util;
+
+
+/**
+ * @version $Revision: 502310 $ $Date: 2007-02-01 10:34:57 -0800 (Thu, 01 Feb 2007) $
+ */
+final class ClientSecurityInterceptor extends LocalObject implements ClientRequestInterceptor {
+
+    private final Log log = LogFactory.getLog(ClientSecurityInterceptor.class);
+
+    public ClientSecurityInterceptor() {
+        if (log.isDebugEnabled()) log.debug("Registered");
+    }
+
+    public void receive_exception(ClientRequestInfo ri) {
+    }
+
+    public void receive_other(ClientRequestInfo ri) {
+    }
+
+    public void receive_reply(ClientRequestInfo ri) {
+    }
+
+    public void send_poll(ClientRequestInfo ri) {
+    }
+
+    public void send_request(ClientRequestInfo ri) {
+
+        try {
+            if (log.isDebugEnabled()) log.debug("Checking if target " + ri.operation() + " has a security policy");
+
+            TaggedComponent tc = ri.get_effective_component(TAG_CSI_SEC_MECH_LIST.value);
+            TSSCompoundSecMechListConfig csml = TSSCompoundSecMechListConfig.decodeIOR(Util.getCodec(), tc);
+
+            if (log.isDebugEnabled()) log.debug("Target has a security policy");
+
+            ClientPolicy clientPolicy = (ClientPolicy) ri.get_request_policy(ClientPolicyFactory.POLICY_TYPE);
+            CSSConfig config = clientPolicy.getConfig();
+            if (config == null) return;
+
+            if (log.isDebugEnabled()) log.debug("Client has a security policy");
+
+            List compat = config.findCompatibleSet(csml);
+
+            if (compat.size() == 0) return;
+
+            if (log.isDebugEnabled()) log.debug("Found compatible policy");
+
+            ServiceContext context = ((CSSCompoundSecMechConfig) compat.get(0)).generateServiceContext();
+
+            if (context == null) return;
+
+            if (log.isDebugEnabled()) {
+                log.debug("Msg context id: " + context.context_id);
+                log.debug("Encoded msg: 0x" + Util.byteToString(context.context_data));
+            }
+
+            ri.add_request_service_context(context, true);
+        } catch (BAD_PARAM bp) {
+            // do nothing
+        } catch (Exception ue) {
+            log.error("Exception", ue);
+        }
+    }
+
+    public void destroy() {
+    }
+
+    public String name() {
+        return "org.apache.geronimo.corba.security.ClientSecurityInterceptor";
+    }
+}
\ No newline at end of file
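Review bot: The debug branch in send_request writes the whole encoded service context to the log (`log.debug("Encoded msg: 0x" + Util.byteToString(context.context_data));`). That buffer is the security context generated from the client's CSS configuration, so it may carry the client authentication token. Logging only its size keeps the trace useful without copying credential material into log files: `log.debug("Encoded msg length: " + context.context_data.length);`. Separately, the result of `ri.get_request_policy(...)` is cast and dereferenced without a null check, and the trailing `catch (Exception ue)` only logs, so a failure while building the context appears to let the request go out with no security context attached. It is worth deciding whether that case should fail the request instead.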

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/FinalContextToken.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/FinalContextToken.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/FinalContextToken.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/FinalContextToken.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import javax.security.auth.Destroyable;
+import javax.security.auth.DestroyFailedException;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class FinalContextToken implements Destroyable {
+
+    private byte[] token;
+
+    public FinalContextToken(byte[] token) {
+        this.token = new byte[token.length];
+        System.arraycopy(token, 0, this.token, 0, token.length);
+    }
+
+    public byte[] getToken() {
+        return token;
+    }
+
+    public void destroy() throws DestroyFailedException {
+        for (int i=0; i<token.length; i++) {
+            token[i] = 0;
+        }
+        token = null;
+    }
+
+    public boolean isDestroyed() {
+        return token == null;
+    }
+}
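Review bot: destroy() is not safe to call twice: after the first call `token` is null, so the loop header `token.length` throws NullPointerException on the second call. Guarding the method with `if (token == null) return;` makes it idempotent, which matters when credentials are destroyed on more than one cleanup path. getToken() also returns null once the token is destroyed, and before that it hands out the internal array (the constructor copies its input, the getter does not). A Javadoc line stating that the returned array is the live buffer that destroy() zeroes, and that callers must not cache it, would make that contract explicit.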

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/IORSecurityInterceptor.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/IORSecurityInterceptor.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/IORSecurityInterceptor.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/IORSecurityInterceptor.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,59 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.omg.CORBA.INV_POLICY;
+import org.omg.CORBA.LocalObject;
+import org.omg.IOP.TAG_INTERNET_IOP;
+import org.omg.PortableInterceptor.IORInfo;
+import org.omg.PortableInterceptor.IORInterceptor;
+
+import org.apache.geronimo.corba.util.Util;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+final class IORSecurityInterceptor extends LocalObject implements IORInterceptor {
+
+    private final Log log = LogFactory.getLog(IORSecurityInterceptor.class);
+
+    public void establish_components(IORInfo info) {
+
+        try {
+            ServerPolicy policy = (ServerPolicy) info.get_effective_policy(ServerPolicyFactory.POLICY_TYPE);
+
+            if (policy == null || policy.getConfig() == null) return;
+
+            info.add_ior_component_to_profile(policy.getConfig().generateIOR(Util.getORB(), Util.getCodec()), TAG_INTERNET_IOP.value);
+        } catch (INV_POLICY e) {
+            // do nothing
+        } catch (Exception e) {
+            log.error("Generating IOR", e);
+        }
+    }
+
+    public void destroy() {
+    }
+
+    public String name() {
+        return "org.apache.geronimo.corba.security.IORSecurityInterceptor";
+    }
+
+}
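Review bot: When `generateIOR` or `add_ior_component_to_profile` fails in establish_components, the catch-all only logs "Generating IOR" and returns, so the object reference is apparently still published, just without the security component. A client reading that reference would then find no security mechanism list for the target. The message should state the consequence, e.g. `log.error("Failed to add security component to IOR; reference is published without it", e);`. The empty `catch (INV_POLICY e)` also deserves a comment saying that a missing server policy is the expected case for unsecured objects, if that is the intent.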

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASConflictingEvidenceException.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASConflictingEvidenceException.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASConflictingEvidenceException.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASConflictingEvidenceException.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import org.omg.CORBA.NO_PERMISSION;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class SASConflictingEvidenceException extends SASException {
+
+    public SASConflictingEvidenceException() {
+        super(3, new NO_PERMISSION());
+    }
+    
+}
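Review bot: The major status passed in `super(3, new NO_PERMISSION())` is a bare literal, and the same pattern repeats with 1, 2 and 4 in SASInvalidEvidenceException, SASInvalidMechanismException and SASNoContextException. These values look like the CSIv2 ContextError major status codes, but nothing in the classes says so, and a typo in one of them would change which error the peer is told about. Named constants on SASException (for example `public static final int MAJOR_CONFLICTING_EVIDENCE = 3;`), or at least a comment such as `// ContextError major status: conflicting evidence`, would tie each literal to its meaning.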

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASException.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASException.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASException.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASException.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class SASException extends Exception {
+
+    private final int major;
+
+    public SASException(int major) {
+        this.major = major;
+    }
+
+    public SASException(int major, Throwable cause) {
+        super(cause);
+
+        this.major = major;
+    }
+
+    public int getMajor() {
+        return major;
+    }
+
+    public int getMinor() {
+        return 1;
+    }
+
+    public byte[] getErrorToken() {
+        return null;
+    }
+}
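Review bot: getErrorToken() returns null, and getMinor() returns a fixed 1 with no explanation. If the token is copied into a CORBA octet sequence when the error reply is built (the caller is outside this hunk), a null array would fail at marshalling time and mask the original security error; `return new byte[0];` avoids that. A Javadoc line on getMinor() saying what minor status 1 stands for, and whether subclasses are expected to override the two accessors, would document the intended contract.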

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASInvalidEvidenceException.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASInvalidEvidenceException.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASInvalidEvidenceException.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASInvalidEvidenceException.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import org.omg.CORBA.NO_PERMISSION;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class SASInvalidEvidenceException extends SASException {
+
+    public SASInvalidEvidenceException() {
+        super(1, new NO_PERMISSION());
+    }
+    
+}

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASInvalidMechanismException.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASInvalidMechanismException.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASInvalidMechanismException.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASInvalidMechanismException.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import org.omg.CORBA.NO_PERMISSION;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class SASInvalidMechanismException extends SASException {
+
+    public SASInvalidMechanismException() {
+        super(2, new NO_PERMISSION());
+    }
+    
+}

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASNoContextException.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASNoContextException.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASNoContextException.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASNoContextException.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import org.omg.CORBA.NO_PERMISSION;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class SASNoContextException extends SASException {
+
+    public SASNoContextException() {
+        super(4, new NO_PERMISSION());
+    }
+
+}

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASReplyManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASReplyManager.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASReplyManager.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SASReplyManager.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,48 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import java.util.Hashtable;
+import java.util.Map;
+
+import org.omg.CSI.SASContextBody;
+
+
+/**
+ * Stores requests' SASContextBody because get/setSlot does not seem to work in
+ * OpenORB.
+ * <p/>
+ * TODO: There may be an error where the interceptor does not remove the
+ * registered subjects.  We should have a daemon that cleans up old requests.
+ *
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public final class SASReplyManager {
+    private final static Map requestSASMsgs = new Hashtable();
+
+    public static SASContextBody getSASReply(int requestId) {
+        return (SASContextBody) requestSASMsgs.get(new Integer(requestId));
+    }
+
+    public static void setSASReply(int requestId, SASContextBody sasMsg) {
+        requestSASMsgs.put(new Integer(requestId), sasMsg);
+    }
+
+    public static SASContextBody clearSASReply(int requestId) {
+        return (SASContextBody) requestSASMsgs.remove(new Integer(requestId));
+    }
+}
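Review bot: Entries in `requestSASMsgs` are removed only when a caller invokes clearSASReply, and the class comment's TODO already admits that this may not happen on every path; SSLSessionManager later in this commit has the same structure and TODO. Besides unbounded growth of a static map, a leftover entry is what getSASReply returns to any later request that gets the same id, if the ORB reuses request ids. For security state that means one request could pick up another's SAS reply, or in SSLSessionManager another connection's SSLSession. Until a cleanup mechanism exists, setSASReply should document the obligation, e.g. `/** Caller must call clearSASReply(requestId) on every completion path, including exceptions. */`, and the interceptors should clear the entry in each of their reply, exception and other callbacks.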

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLConnectionListener.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLConnectionListener.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLConnectionListener.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLConnectionListener.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public interface SSLConnectionListener {
+
+    public void open(long connectionId);
+
+    public void close(long connectionId);
+}

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLConnectionManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLConnectionManager.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLConnectionManager.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLConnectionManager.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,70 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class SSLConnectionManager {
+    private static final Set listeners = new HashSet();
+    private static long nextId = 0;
+
+    public static void register(SSLConnectionListener listener) {
+        synchronized (listeners) {
+            listeners.add(listener);
+        }
+    }
+
+    public static void unregister(SSLConnectionListener listener) {
+        synchronized (listeners) {
+            listeners.remove(listener);
+        }
+    }
+
+    public synchronized static long allocateId() {
+        return nextId++;
+    }
+
+    public static void fireOpen(long connectionId) {
+        Set copy = null;
+
+        synchronized (listeners) {
+            copy = new HashSet(listeners);
+        }
+
+        for (Iterator iter = copy.iterator(); iter.hasNext();) {
+            ((SSLConnectionListener) iter.next()).open(connectionId);
+        }
+    }
+
+    public static void fireClose(long connectionId) {
+        Set copy = null;
+
+        synchronized (listeners) {
+            copy = new HashSet(listeners);
+        }
+
+        for (Iterator iter = copy.iterator(); iter.hasNext();) {
+            ((SSLConnectionListener) iter.next()).close(connectionId);
+        }
+    }
+}
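Review bot: In fireOpen and fireClose a RuntimeException thrown by one listener ends the loop, so the remaining listeners in the copied set never hear about the connection. For fireClose that leaves those listeners holding state for a connection id that is already gone. Isolating each callback, e.g. `try { listener.close(connectionId); } catch (RuntimeException e) { /* log and continue */ }`, keeps one faulty listener from affecting the others. The class has no logger yet, so one would need to be added alongside.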

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLSessionManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLSessionManager.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLSessionManager.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SSLSessionManager.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,49 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import java.util.Hashtable;
+import java.util.Map;
+import javax.net.ssl.SSLSession;
+
+
+/**
+ * Stores requests' SSL sessions so that they may be shared amongst portable
+ * interceptors.  We use this singleton instead of using a ThreadLocal
+ * because we cannot guarantee that interceptors will be called under
+ * the same thread for a single request.
+ * <p/>
+ * TODO: There may be an error where the interceptor does not remove the
+ * registered session.  We should have a daemon that cleans up old requests.
+ *
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public final class SSLSessionManager {
+    private final static Map requestSSLSessions = new Hashtable();
+
+    public static SSLSession getSSLSession(int requestId) {
+        return (SSLSession) requestSSLSessions.get(new Integer(requestId));
+    }
+
+    public static void setSSLSession(int requestId, SSLSession session) {
+        requestSSLSessions.put(new Integer(requestId), session);
+    }
+
+    public static SSLSession clearSSLSession(int requestId) {
+        return (SSLSession) requestSSLSessions.remove(new Integer(requestId));
+    }
+}

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SecurityInitializer.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SecurityInitializer.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SecurityInitializer.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SecurityInitializer.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,219 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import java.security.Principal;
+import javax.security.auth.Subject;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.omg.CORBA.LocalObject;
+import org.omg.PortableInterceptor.ORBInitInfo;
+import org.omg.PortableInterceptor.ORBInitInfoPackage.DuplicateName;
+import org.omg.PortableInterceptor.ORBInitializer;
+
+import org.apache.geronimo.common.DeploymentException;
+import org.apache.geronimo.common.GeronimoSecurityException;
+import org.apache.geronimo.security.DomainPrincipal;
+import org.apache.geronimo.security.PrimaryDomainPrincipal;
+import org.apache.geronimo.security.PrimaryPrincipal;
+import org.apache.geronimo.security.PrimaryRealmPrincipal;
+import org.apache.geronimo.security.RealmPrincipal;
+import org.apache.geronimo.security.util.ConfigurationUtil;
+
+
+/**
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class SecurityInitializer extends LocalObject implements ORBInitializer {
+
+    private final Log log = LogFactory.getLog(SecurityInitializer.class);
+    public final static String DEFAULT_REALM_PRINCIPAL = "default-realm-principal::";
+    public final static String DEFAULT_DOMAIN_PRINCIPAL = "default-domain-principal::";
+    public final static String DEFAULT_PRINCIPAL = "default-principal::";
+
+    //TODO see if there is a better way... TCCL??
+    private final ClassLoader classLoader = this.getClass().getClassLoader();
+
+    public SecurityInitializer() {
+        if (log.isDebugEnabled()) log.debug("SecurityInitializer.<init>");
+    }
+
+    /**
+     * Called during ORB initialization.  If it is expected that initial
+     * services registered by an interceptor will be used by other
+     * interceptors, then those initial services shall be registered at
+     * this point via calls to
+     * <code>ORBInitInfo.register_initial_reference</code>.
+     *
+     * @param info provides initialization attributes and operations by
+     *             which Interceptors can be registered.
+     */
+    public void pre_init(ORBInitInfo info) {
+    }
+
+    /**
+     * Called during ORB initialization. If a service must resolve initial
+     * references as part of its initialization, it can assume that all
+     * initial references will be available at this point.
+     * <p/>
+     * Calling the <code>post_init</code> operations is not the final
+     * task of ORB initialization. The final task, following the
+     * <code>post_init</code> calls, is attaching the lists of registered
+     * interceptors to the ORB. Therefore, the ORB does not contain the
+     * interceptors during calls to <code>post_init</code>. If an
+     * ORB-mediated call is made from within <code>post_init</code>, no
+     * request interceptors will be invoked on that call.
+     * Likewise, if an operation is performed which causes an IOR to be
+     * created, no IOR interceptors will be invoked.
+     *
+     * @param info provides initialization attributes and
+     *             operations by which Interceptors can be registered.
+     */
+    public void post_init(ORBInitInfo info) {
+
+        try {
+            if (log.isDebugEnabled()) log.debug("Registering interceptors and policy factories");
+
+            Subject defaultSubject = null;
+            String[] strings = info.arguments();
+            for (int i = 0; i < strings.length; i++) {
+                String arg = strings[i];
+                if (arg.startsWith(DEFAULT_REALM_PRINCIPAL)) {
+                    defaultSubject = generateDefaultRealmSubject(arg);
+                    break;
+                } else if (arg.startsWith(DEFAULT_DOMAIN_PRINCIPAL)) {
+                    defaultSubject = generateDefaultDomainSubject(arg);
+                    break;
+                } else if (arg.startsWith(DEFAULT_PRINCIPAL)) {
+                    defaultSubject = generateDefaultSubject(arg);
+                    break;
+                }
+            }
+
+            if (log.isDebugEnabled()) log.debug("Default subject: " + defaultSubject);
+
+            try {
+                info.add_client_request_interceptor(new ClientSecurityInterceptor());
+                info.add_server_request_interceptor(new ServerSecurityInterceptor(info.allocate_slot_id(), info.allocate_slot_id(), defaultSubject));
+                info.add_ior_interceptor(new IORSecurityInterceptor());
+            } catch (DuplicateName dn) {
+                log.error("Error registering interceptor", dn);
+            }
+
+            info.register_policy_factory(ClientPolicyFactory.POLICY_TYPE, new ClientPolicyFactory());
+            info.register_policy_factory(ServerPolicyFactory.POLICY_TYPE, new ServerPolicyFactory());
+        } catch (RuntimeException re) {
+            log.error("Error registering interceptor", re);
+            throw re;
+        }
+    }
+
+    private Subject generateDefaultRealmSubject(String argument) {
+        Subject defaultSubject = new Subject();
+
+        String[] tokens = argument.substring(DEFAULT_REALM_PRINCIPAL.length()).split(":");
+        if (tokens.length != 4) throw new GeronimoSecurityException("Unable to create primary realm principal");
+
+        String realm = tokens[0];
+        String domain = tokens[1];
+        String className = tokens[2];
+        String principalName = tokens[3];
+
+        if (realm.length() == 0 || domain.length() == 0 || className.length() == 0 || principalName.length() == 0) {
+            throw new GeronimoSecurityException("Unable to create primary realm principal");
+        }
+
+        RealmPrincipal realmPrincipal = ConfigurationUtil.generateRealmPrincipal(realm, domain, className, principalName, classLoader);
+        if (realmPrincipal == null) {
+            throw new GeronimoSecurityException("Unable to create realm principal");
+        }
+        PrimaryRealmPrincipal primaryRealmPrincipal = null;
+        try {
+            primaryRealmPrincipal = ConfigurationUtil.generatePrimaryRealmPrincipal(realm, domain, className, principalName, classLoader);
+        } catch (DeploymentException e) {
+            throw new GeronimoSecurityException("Unable to create primary realm principal", e);
+        }
+
+        defaultSubject.getPrincipals().add(realmPrincipal);
+        defaultSubject.getPrincipals().add(primaryRealmPrincipal);
+
+        return defaultSubject;
+    }
+
+    private Subject generateDefaultDomainSubject(String argument) {
+        Subject defaultSubject = new Subject();
+
+        String[] tokens = argument.substring(DEFAULT_DOMAIN_PRINCIPAL.length()).split(":");
+        if (tokens.length != 3) throw new GeronimoSecurityException("Unable to create primary domain principal");
+
+        String realm = tokens[0];
+        String className = tokens[1];
+        String principalName = tokens[2];
+
+        if (realm.length() == 0 || className.length() == 0 || principalName.length() == 0) {
+            throw new GeronimoSecurityException("Unable to create primary domain principal");
+        }
+
+        DomainPrincipal domainPrincipal = ConfigurationUtil.generateDomainPrincipal(realm, className, principalName, classLoader);
+        if (domainPrincipal == null) {
+            throw new GeronimoSecurityException("Unable to create domain principal");
+        }
+        PrimaryDomainPrincipal primaryDomainPrincipal = null;
+        try {
+            primaryDomainPrincipal = ConfigurationUtil.generatePrimaryDomainPrincipal(realm, className, principalName, classLoader);
+        } catch (DeploymentException e) {
+            throw new GeronimoSecurityException("Unable to create primary domain principal", e);
+        }
+
+        defaultSubject.getPrincipals().add(domainPrincipal);
+        defaultSubject.getPrincipals().add(primaryDomainPrincipal);
+
+        return defaultSubject;
+    }
+
+    private Subject generateDefaultSubject(String argument) {
+        Subject defaultSubject = new Subject();
+
+        String[] tokens = argument.substring(DEFAULT_PRINCIPAL.length()).split(":");
+        if (tokens.length != 2) throw new GeronimoSecurityException("Unable to create primary principal");
+
+        String className = tokens[0];
+        String principalName = tokens[1];
+
+        if (className.length() == 0 || principalName.length() == 0) {
+            throw new GeronimoSecurityException("Unable to create primary principal");
+        }
+
+        Principal domainPrincipal = ConfigurationUtil.generatePrincipal(className, principalName, classLoader);
+        if (domainPrincipal == null) {
+            throw new GeronimoSecurityException("Unable to create principal");
+        }
+        PrimaryPrincipal primaryDomainPrincipal = null;
+        try {
+            primaryDomainPrincipal = ConfigurationUtil.generatePrimaryPrincipal(className, principalName, classLoader);
+        } catch (DeploymentException e) {
+            throw new GeronimoSecurityException("Unable to create primary principal", e);
+        }
+
+        defaultSubject.getPrincipals().add(domainPrincipal);
+        defaultSubject.getPrincipals().add(primaryDomainPrincipal);
+
+        return defaultSubject;
+    }
+
+}
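Review bot: In `post_init`, the inner `catch (DuplicateName dn)` only logs, so if one of the three `add_*_interceptor` calls fails, ORB initialization carries on and the policy factories are still registered while one or more security interceptors may be missing. For a security initializer that looks like a fail-open path. I would propagate instead, e.g. `throw new GeronimoSecurityException("Error registering interceptor", dn);`, the same constructor form the `DeploymentException` handlers in this file use; the outer `catch (RuntimeException re)` already logs it. Whether a duplicate name can occur in practice depends on ORB configuration that this hunk does not show.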

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerPolicy.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerPolicy.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerPolicy.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerPolicy.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,81 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import java.io.Serializable;
+
+import org.omg.CORBA.LocalObject;
+import org.omg.CORBA.Policy;
+
+import org.apache.geronimo.corba.security.config.tss.TSSConfig;
+
+
+/**
+ * @version $Rev: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class ServerPolicy extends LocalObject implements Policy {
+
+    private final TSSConfig TSSConfig;
+    private final ClassLoader classloader;
+
+    public ServerPolicy(Config config) {
+        this.TSSConfig = config.getTSSConfig();
+        this.classloader = config.getClassloader();
+    }
+
+    protected ServerPolicy(TSSConfig config, ClassLoader classLoader) {
+         this.TSSConfig = config;
+         this.classloader = classLoader;
+    }
+
+    public TSSConfig getConfig() {
+        return TSSConfig;
+    }
+
+    public ClassLoader getClassloader() {
+        return classloader;
+    }
+
+    public int policy_type() {
+        return ServerPolicyFactory.POLICY_TYPE;
+    }
+
+    public void destroy() {
+    }
+
+    public Policy copy() {
+        return new ServerPolicy(TSSConfig, classloader);
+    }
+
+    public static class Config implements Serializable {
+        private final TSSConfig TSSConfig;
+        private final transient ClassLoader classloader;
+
+        public Config(TSSConfig TSSConfig, ClassLoader classloader) {
+            this.TSSConfig = TSSConfig;
+            this.classloader = classloader;
+        }
+
+        public final TSSConfig getTSSConfig() {
+            return TSSConfig;
+        }
+
+        public final ClassLoader getClassloader() {
+            return classloader;
+        }
+    }
+}
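Review bot: `Config.classloader` is declared `transient`, so a `Config` that has been through Java serialization comes back with a null class loader and `ServerPolicy.getClassloader()` then returns null, yet nothing in the class says so. A comment on the field would help, e.g. `// transient: null after deserialization; callers must handle a null class loader`. Separately, the field name `TSSConfig` is identical to its type name, which makes `this.TSSConfig = TSSConfig` in the `Config` constructor hard to read; `tssConfig` would follow the usual convention.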

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerPolicyFactory.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerPolicyFactory.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerPolicyFactory.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerPolicyFactory.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import org.omg.CORBA.Any;
+import org.omg.CORBA.LocalObject;
+import org.omg.CORBA.Policy;
+import org.omg.CORBA.PolicyError;
+import org.omg.PortableInterceptor.PolicyFactory;
+
+
+/**
+ * @version $Rev: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public class ServerPolicyFactory extends LocalObject implements PolicyFactory {
+
+    public final static int POLICY_TYPE = 0x41534600;
+
+    public Policy create_policy(int type, Any value) throws PolicyError {
+        if (type != POLICY_TYPE) throw new PolicyError();
+
+        return new ServerPolicy((ServerPolicy.Config) value.extract_Value());
+    }
+}
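Review bot: `create_policy` casts `value.extract_Value()` straight to `ServerPolicy.Config`, so a value of another type surfaces as a `ClassCastException` and a null one as a `NullPointerException` inside the `ServerPolicy` constructor, rather than as the `PolicyError` the method declares. I would test first: `Object config = value.extract_Value();` followed by `if (!(config instanceof ServerPolicy.Config)) throw new PolicyError(BAD_POLICY_VALUE.value);`, with `BAD_POLICY_VALUE` taken from `org.omg.CORBA`. The existing type check could carry a reason code too (`BAD_POLICY_TYPE.value`), since the bare `new PolicyError()` leaves `reason` at its default.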

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerSecurityInterceptor.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerSecurityInterceptor.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerSecurityInterceptor.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/ServerSecurityInterceptor.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,255 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import java.util.Set;
+import javax.security.auth.DestroyFailedException;
+import javax.security.auth.Subject;
+
+import org.omg.CORBA.Any;
+import org.omg.CORBA.BAD_PARAM;
+import org.omg.CORBA.INTERNAL;
+import org.omg.CORBA.INV_POLICY;
+import org.omg.CORBA.LocalObject;
+import org.omg.CORBA.MARSHAL;
+import org.omg.CORBA.ORB;
+import org.omg.CSI.CompleteEstablishContext;
+import org.omg.CSI.ContextError;
+import org.omg.CSI.MTCompleteEstablishContext;
+import org.omg.CSI.MTContextError;
+import org.omg.CSI.MTEstablishContext;
+import org.omg.CSI.MTMessageInContext;
+import org.omg.CSI.SASContextBody;
+import org.omg.CSI.SASContextBodyHelper;
+import org.omg.IOP.CodecPackage.FormatMismatch;
+import org.omg.IOP.CodecPackage.InvalidTypeForEncoding;
+import org.omg.IOP.CodecPackage.TypeMismatch;
+import org.omg.IOP.SecurityAttributeService;
+import org.omg.IOP.ServiceContext;
+import org.omg.PortableInterceptor.ServerRequestInfo;
+import org.omg.PortableInterceptor.ServerRequestInterceptor;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.apache.geronimo.security.ContextManager;
+
+import org.apache.geronimo.corba.security.config.tss.TSSConfig;
+import org.apache.geronimo.corba.util.Util;
+
+
+/**
+ * @version $Revision: 482212 $ $Date: 2006-12-04 07:16:03 -0800 (Mon, 04 Dec 2006) $
+ */
+final class ServerSecurityInterceptor extends LocalObject implements ServerRequestInterceptor {
+
+    private final Log log = LogFactory.getLog(ServerSecurityInterceptor.class);
+
+    private final int subjectSlot;
+    private final int replySlot;
+    private final Subject defaultSubject;
+
+    public ServerSecurityInterceptor(int subjectSlot, int replySlot, Subject defaultSubject) {
+        this.subjectSlot = subjectSlot;
+        this.replySlot = replySlot;
+        this.defaultSubject = defaultSubject;
+
+        if (defaultSubject != null) ContextManager.registerSubject(defaultSubject);
+
+        if (log.isDebugEnabled()) log.debug("<init>");
+    }
+
+    public void receive_request(ServerRequestInfo ri) {
+
+        Subject identity = null;
+        long contextId = 0;
+
+        if (log.isDebugEnabled()) log.debug("receive_request(" + ri.operation() + " [" + new String(ri.object_id()) + "] ");
+        ClassLoader savedCL = Thread.currentThread().getContextClassLoader();
+        try {
+            ServerPolicy serverPolicy = (ServerPolicy) ri.get_server_policy(ServerPolicyFactory.POLICY_TYPE);
+            if (serverPolicy == null) return;
+
+            TSSConfig tssPolicy = serverPolicy.getConfig();
+            if (tssPolicy == null) return;
+
+            if (serverPolicy.getClassloader() != null) Thread.currentThread().setContextClassLoader(serverPolicy.getClassloader());
+
+            if (log.isDebugEnabled()) log.debug("Found server policy");
+
+            ServiceContext serviceContext = ri.get_request_service_context(SecurityAttributeService.value);
+            if (serviceContext == null) return;
+
+            if (log.isDebugEnabled()) log.debug("Found service context");
+
+            Any any = Util.getCodec().decode_value(serviceContext.context_data, SASContextBodyHelper.type());
+            SASContextBody contextBody = SASContextBodyHelper.extract(any);
+
+            short msgType = contextBody.discriminator();
+            switch (msgType) {
+                case MTEstablishContext.value:
+                    if (log.isDebugEnabled()) log.debug("   EstablishContext");
+
+                    contextId = contextBody.establish_msg().client_context_id;
+
+                    identity = tssPolicy.check(SSLSessionManager.getSSLSession(ri.request_id()), contextBody.establish_msg());
+
+                    if (identity != null) {
+                        ContextManager.registerSubject(identity);
+                    } else {
+                        identity = defaultSubject;
+                    }
+
+                    SASReplyManager.setSASReply(ri.request_id(), generateContextEstablished(identity, contextId, false));
+
+                    break;
+
+                case MTCompleteEstablishContext.value:
+                    log.error("The CSIv2 TSS is not supposed to receive a CompleteEstablishContext message.");
+                    throw new INTERNAL("The CSIv2 TSS is not supposed to receive a CompleteEstablishContext message.");
+
+                case MTContextError.value:
+                    log.error("The CSIv2 TSS is not supposed to receive a CompleteEstablishContext message.");
+                    throw new INTERNAL("The CSIv2 TSS is not supposed to receive a ContextError message.");
+
+                case MTMessageInContext.value:
+                    log.error("The CSIv2 TSS is not supposed to receive a CompleteEstablishContext message.");
+
+                    contextId = contextBody.in_context_msg().client_context_id;
+                    throw new SASNoContextException();
+            }
+        } catch (BAD_PARAM e) {
+            if (log.isDebugEnabled()) log.debug("No security service context found");
+            identity = defaultSubject;
+        } catch (INV_POLICY e) {
+            if (log.isDebugEnabled()) log.debug("INV_POLICY");
+            identity = defaultSubject;
+        } catch (TypeMismatch tm) {
+            log.error("TypeMismatch thrown", tm);
+            throw new MARSHAL("TypeMismatch thrown: " + tm);
+        } catch (FormatMismatch fm) {
+            log.error("FormatMismatch thrown", fm);
+            throw new MARSHAL("FormatMismatch thrown: " + fm);
+        } catch (SASException e) {
+            log.error("SASException", e);
+            SASReplyManager.setSASReply(ri.request_id(), generateContextError(e, contextId));
+            // rethrowing this requires some special handling.  If the root exception is a
+            // RuntimeException, then we can just rethrow it.  Otherwise we need to turn this into
+            // a RuntimeException.
+            Throwable cause = e.getCause();
+            if (cause instanceof RuntimeException) {
+                throw (RuntimeException)cause;
+            }
+            else {
+                throw new RuntimeException(cause.getMessage(), cause);
+            }
+        } catch (Exception e) {
+            log.error("Exception", e);
+            Throwable cause = e.getCause();
+            if (cause instanceof RuntimeException) {
+                throw (RuntimeException)cause;
+            }
+            else {
+                throw new RuntimeException(cause.getMessage(), cause);
+            }
+        } finally {
+            Thread.currentThread().setContextClassLoader(savedCL);
+        }
+
+        if (log.isDebugEnabled()) log.debug("   " + identity);
+
+        ContextManager.setCallers(identity, identity);
+
+        SubjectManager.setSubject(ri.request_id(), identity);
+    }
+
+    public void receive_request_service_contexts(ServerRequestInfo ri) {
+        if (log.isDebugEnabled()) log.debug("receive_request_service_contexts()");
+    }
+
+    public void send_exception(ServerRequestInfo ri) {
+        Subject identity = SubjectManager.clearSubject(ri.request_id());
+        if (identity != null && identity != defaultSubject) ContextManager.unregisterSubject(identity);
+
+        insertServiceContext(ri);
+
+        if (log.isDebugEnabled()) log.debug("send_exception()");
+    }
+
+    public void send_other(ServerRequestInfo ri) {
+        if (log.isDebugEnabled()) log.debug("send_other()");
+    }
+
+    public void send_reply(ServerRequestInfo ri) {
+        Subject identity = SubjectManager.clearSubject(ri.request_id());
+        if (identity != null && identity != defaultSubject) ContextManager.unregisterSubject(identity);
+
+        insertServiceContext(ri);
+
+        if (log.isDebugEnabled()) log.debug("send_reply()");
+    }
+
+    public void destroy() {
+        if (defaultSubject != null) ContextManager.unregisterSubject(defaultSubject);
+        if (log.isDebugEnabled()) log.debug("destroy()");
+    }
+
+    public String name() {
+        return "org.apache.geronimo.corba.security.ServerSecurityInterceptor";
+    }
+
+    protected SASContextBody generateContextError(SASException e, long contextId) {
+        SASContextBody reply = new SASContextBody();
+
+        reply.error_msg(new ContextError(contextId, e.getMajor(), e.getMinor(), e.getErrorToken()));
+
+        return reply;
+    }
+
+    protected SASContextBody generateContextEstablished(Subject identity, long contextId, boolean stateful) {
+        SASContextBody reply = new SASContextBody();
+
+        byte[] finalContextToken = null;
+        Set credentials = identity.getPrivateCredentials(FinalContextToken.class);
+        if (!credentials.isEmpty()) {
+            try {
+                FinalContextToken token = (FinalContextToken) credentials.iterator().next();
+                finalContextToken = token.getToken();
+                token.destroy();
+            } catch (DestroyFailedException e) {
+                // do nothing
+            }
+        }
+        if (finalContextToken == null) finalContextToken = new byte[0];
+        reply.complete_msg(new CompleteEstablishContext(contextId, stateful, finalContextToken));
+
+        return reply;
+    }
+
+    protected void insertServiceContext(ServerRequestInfo ri) {
+        try {
+            SASContextBody sasContextBody = SASReplyManager.clearSASReply(ri.request_id());
+            if (sasContextBody != null) {
+                Any any = ORB.init().create_any();
+                SASContextBodyHelper.insert(any, sasContextBody);
+                ri.add_reply_service_context(new ServiceContext(SecurityAttributeService.value, Util.getCodec().encode_value(any)), true);
+            }
+        } catch (InvalidTypeForEncoding itfe) {
+            log.error("InvalidTypeForEncoding thrown", itfe);
+            throw new INTERNAL("InvalidTypeForEncoding thrown: " + itfe);
+        }
+    }
+}
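Review bot: In `receive_request`, both the `catch (SASException e)` and the `catch (Exception e)` blocks call `cause.getMessage()` on `e.getCause()` without a null check, so an exception that has no cause is replaced by a `NullPointerException`. That includes the `INTERNAL` thrown in the `MTCompleteEstablishContext` and `MTContextError` cases, which is caught by `catch (Exception e)` and carries no cause. Falling back to the exception itself fixes both blocks: `Throwable cause = e.getCause() != null ? e.getCause() : e;`. The `log.error` calls in the `MTContextError` and `MTMessageInContext` cases also still carry the CompleteEstablishContext text and should name their own message type.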

Added: geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SubjectManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SubjectManager.java?view=auto&rev=505432
==============================================================================
--- geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SubjectManager.java (added)
+++ geronimo/server/trunk/modules/geronimo-corba/src/main/java/org/apache/geronimo/corba/security/SubjectManager.java Fri Feb  9 11:24:30 2007
@@ -0,0 +1,47 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.geronimo.corba.security;
+
+import java.util.Hashtable;
+import java.util.Map;
+import javax.security.auth.Subject;
+
+
+/**
+ * Stores requests' subjects because get/setSlot does not seem to work in
+ * OpenORB.
+ * <p/>
+ * TODO: There may be an error where the interceptor does not remove the
+ * registered subjects.  We should have a daemon that cleans up old requests.
+ *
+ * @version $Revision: 451417 $ $Date: 2006-09-29 13:13:22 -0700 (Fri, 29 Sep 2006) $
+ */
+public final class SubjectManager {
+    private final static Map requestSubjects = new Hashtable();
+
+    public static Subject getSubject(int requestId) {
+        return (Subject) requestSubjects.get(new Integer(requestId));
+    }
+
+    public static void setSubject(int requestId, Subject subject) {
+        requestSubjects.put(new Integer(requestId), subject);
+    }
+
+    public static Subject clearSubject(int requestId) {
+        return (Subject) requestSubjects.remove(new Integer(requestId));
+    }
+}
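Review bot: `setSubject` stores into a `Hashtable`, which rejects null values, so a call with a null `subject` throws `NullPointerException`. `ServerSecurityInterceptor.receive_request` in this commit calls `SubjectManager.setSubject(ri.request_id(), identity)`, and `identity` can still be null there when no default subject was configured. Either guard the put, `if (subject == null) { requestSubjects.remove(new Integer(requestId)); return; }`, or document that null is not accepted. The map is also static and keyed by request id alone, so if more than one ORB runs in the JVM it is worth confirming that the ids cannot collide.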


