From d...@apache.org
Subject svn commit: r522573 - in /geronimo/server/trunk: configs/client/ modules/geronimo-client/src/main/java/org/apache/geronimo/client/ modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/ modules/geronimo-security/ modules/geronimo-security/...
Date Mon, 26 Mar 2007 17:12:21 GMT
Author: dain
Date: Mon Mar 26 10:12:19 2007
New Revision: 522573

URL: http://svn.apache.org/viewvc?view=rev&rev=522573
Log:
Added OpenEJB security integration

Added:
    geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/GeronimoSecurityService.java
    geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/GeronimoIdentityResolver.java
    geronimo/server/trunk/modules/geronimo-security/src/main/resources/
    geronimo/server/trunk/modules/geronimo-security/src/main/resources/META-INF/
    geronimo/server/trunk/modules/geronimo-security/src/main/resources/META-INF/org.apache.openejb.client.IdentityResolver/
    geronimo/server/trunk/modules/geronimo-security/src/main/resources/META-INF/org.apache.openejb.client.IdentityResolver/geronimo
Modified:
    geronimo/server/trunk/configs/client/pom.xml
    geronimo/server/trunk/modules/geronimo-client/src/main/java/org/apache/geronimo/client/AppClientContainer.java
    geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/EjbDeployment.java
    geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/GeronimoThreadContextListener.java
    geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/OpenEjbSystemGBean.java
    geronimo/server/trunk/modules/geronimo-security/pom.xml

Modified: geronimo/server/trunk/configs/client/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/configs/client/pom.xml?view=diff&rev=522573&r1=522572&r2=522573
==============================================================================
--- geronimo/server/trunk/configs/client/pom.xml (original)
+++ geronimo/server/trunk/configs/client/pom.xml Mon Mar 26 10:12:19 2007
@@ -120,6 +120,12 @@
             <version>${version}</version>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.geronimo.modules</groupId>
+            <artifactId>geronimo-openejb</artifactId>
+            <version>${version}</version>
+        </dependency>
+
 <!--
      Added geronimo-axis so that the client can gain access to Axis classes.  It would
      probably be good to move the JAXR gbean from client and the web containers into 

Modified: geronimo/server/trunk/modules/geronimo-client/src/main/java/org/apache/geronimo/client/AppClientContainer.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-client/src/main/java/org/apache/geronimo/client/AppClientContainer.java?view=diff&rev=522573&r1=522572&r2=522573
==============================================================================
--- geronimo/server/trunk/modules/geronimo-client/src/main/java/org/apache/geronimo/client/AppClientContainer.java
(original)
+++ geronimo/server/trunk/modules/geronimo-client/src/main/java/org/apache/geronimo/client/AppClientContainer.java
Mon Mar 26 10:12:19 2007
@@ -76,6 +76,9 @@
             ClassLoader classLoader,
             Kernel kernel
     ) throws Exception {
+        // set the geronimo identity resolver hook for openejb
+        System.setProperty("openejb.client.identityResolver", "geronimo");
+
         this.mainClassName = mainClassName;
         this.appClientModuleName = appClientModuleName;
         if ((realmName == null) != (callbackHandlerClassName == null)) {
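Review bot: The `System.setProperty("openejb.client.identityResolver", "geronimo")` call is a JVM-wide side effect placed in a constructor: it unconditionally overwrites any value an operator or test harness already set for that property, and under a security manager that withholds `PropertyPermission` it throws `SecurityException` before the container is even built. If forcing the Geronimo resolver is the intent, say so in the comment, e.g. `// force OpenEJB's client identity resolver to the Geronimo SubjectId-based one; any externally configured value is deliberately overridden`; otherwise guard it with `if (System.getProperty("openejb.client.identityResolver") == null)`. The constructor begins outside the hunk.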

Modified: geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/EjbDeployment.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/EjbDeployment.java?view=diff&rev=522573&r1=522572&r2=522573
==============================================================================
--- geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/EjbDeployment.java
(original)
+++ geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/EjbDeployment.java
Mon Mar 26 10:12:19 2007
@@ -27,6 +27,7 @@
 
 import org.apache.geronimo.connector.outbound.connectiontracking.TrackedConnectionAssociator;
 import org.apache.geronimo.management.EJB;
+import org.apache.geronimo.security.ContextManager;
 import org.apache.openejb.BeanType;
 import org.apache.openejb.Container;
 import org.apache.openejb.ProxyInfo;
@@ -277,6 +278,15 @@
         if (deploymentInfo == null) {
             throw new IllegalStateException("Ejb does not exist " + deploymentId);
         }
+
+        if (defaultSubject != null) {
+            ContextManager.registerSubject(defaultSubject);
+        }
+
+        if (runAs != null) {
+            ContextManager.registerSubject(runAs);
+        }
+
         javaCompSubContext = (Context) deploymentInfo.getJndiEnc().lookup("java:comp");
         if (componentContext != null) {
             javaCompSubContext.bind("geronimo", componentContext);
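Review bot: The two `ContextManager.registerSubject` calls run before the `java:comp` JNDI lookup that follows them, so if that lookup (or anything later in `doStart`) throws, `defaultSubject` and `runAs` remain registered in the global `ContextManager` although the deployment never started; likewise, if registering `runAs` fails, `defaultSubject` is left behind. Registering after the JNDI setup, or unregistering the first subject when the second registration throws, would avoid these stale entries. Note also that when `defaultSubject` and `runAs` are the same `Subject` instance it is registered twice here and unregistered twice in `doStop`; whether that is harmless depends on `registerSubject`'s semantics, which are not visible in this diff. `doStart` begins outside the hunk.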
@@ -288,6 +298,14 @@
         if (deploymentInfo != null) {
             deploymentInfo.set(EjbDeployment.class, null);
             deploymentInfo = null;
+        }
+
+        if (defaultSubject != null) {
+            ContextManager.unregisterSubject(defaultSubject);
+        }
+
+        if (runAs != null) {
+            ContextManager.unregisterSubject(runAs);
         }
     }
 }

Added: geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/GeronimoSecurityService.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/GeronimoSecurityService.java?view=auto&rev=522573
==============================================================================
--- geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/GeronimoSecurityService.java
(added)
+++ geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/GeronimoSecurityService.java
Mon Mar 26 10:12:19 2007
@@ -0,0 +1,136 @@
+/**
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.geronimo.openejb;
+
+import org.apache.geronimo.security.ContextManager;
+import org.apache.geronimo.security.SubjectId;
+import org.apache.openejb.InterfaceType;
+import org.apache.openejb.core.CoreDeploymentInfo;
+import org.apache.openejb.core.ThreadContext;
+import org.apache.openejb.core.security.jaas.UsernamePasswordCallbackHandler;
+import org.apache.openejb.spi.SecurityService;
+
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import javax.security.jacc.EJBMethodPermission;
+import java.lang.reflect.Method;
+import java.security.AccessControlContext;
+import java.security.AccessControlException;
+import java.security.Permission;
+import java.security.Principal;
+import java.util.Properties;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class GeronimoSecurityService implements SecurityService {
+    public void init(Properties props) throws Exception {
+    }
+
+    public Object login(String user, String pass) throws LoginException {
+        LoginContext context = new LoginContext("OpenEJB", new UsernamePasswordCallbackHandler(user,
pass));
+        context.login();
+
+        Subject subject = context.getSubject();
+        SubjectId subjectId = ContextManager.registerSubject(subject);
+        return subjectId;
+    }
+
+    public void logout(Object securityIdentity) {
+        Subject subject = ContextManager.getRegisteredSubject((SubjectId) securityIdentity);
+        ContextManager.unregisterSubject(subject);
+    }
+
+    public void associate(Object securityIdentity) throws LoginException {
+        if (securityIdentity == null) {
+            return;
+        }
+
+        Subject subject = ContextManager.getRegisteredSubject((SubjectId) securityIdentity);
+        if (subject == null) {
+            return;
+        }
+        ContextManager.setCallers(subject, subject);
+    }
+
+    public void unassociate(Object securityIdentity) {
+        // this is only called before the thread is put back in the pool so it should be
ok
+        ContextManager.popCallers(null);
+    }
+
+    public boolean isCallerAuthorized(Method method, InterfaceType typee) {
+        if (true) return true;
+        ThreadContext threadContext = ThreadContext.getThreadContext();
+
+        try {
+            CoreDeploymentInfo deploymentInfo = threadContext.getDeploymentInfo();
+
+            String ejbName = deploymentInfo.getEjbName();
+
+            InterfaceType type = deploymentInfo.getInterfaceType(method.getDeclaringClass());
+
+            String name = (type == null)? null: type.getSpecName();
+
+            Permission permission = new EJBMethodPermission(ejbName, name, method);
+
+            AccessControlContext accessContext = ContextManager.getCurrentContext();
+
+            if (permission != null) accessContext.checkPermission(permission);
+
+        } catch (AccessControlException e) {
+            return false;
+        }
+        return true;
+    }
+
+    public boolean isCallerInRole(String role) {
+        if (role == null) throw new IllegalArgumentException("Role must not be null");
+
+        ThreadContext threadContext = ThreadContext.getThreadContext();
+
+        CoreDeploymentInfo deployment = threadContext.getDeploymentInfo();
+        return ContextManager.isCallerInRole(deployment.getEjbName(), role);
+    }
+
+    public Principal getCallerPrincipal() {
+        Subject callerSubject = ContextManager.getCurrentCaller();
+        return ContextManager.getCurrentPrincipal(callerSubject);
+    }
+
+    //
+    // Unused
+    //
+
+    public Object getSecurityIdentity() {
+        throw new UnsupportedOperationException();
+    }
+
+    public void setSecurityIdentity(Object securityIdentity) {
+        throw new UnsupportedOperationException();
+    }
+
+    public <T> T translateTo(Object securityIdentity, Class<T> type) {
+        throw new UnsupportedOperationException();
+    }
+
+    public Subject getCurrentSubject() {
+        throw new UnsupportedOperationException();
+    }
+
+}
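Review bot: `isCallerAuthorized` opens with `if (true) return true;`, so the `EJBMethodPermission` check against `ContextManager.getCurrentContext()` below it is dead code and every EJB method invocation is authorized regardless of the deployed JACC policy; if this is a temporary bypass it needs at least a `// TODO: authorization disabled` marker and must not ship in that state (the `if (permission != null)` guard is also dead, since the constructor never returns null). `associate` silently returns when the `SubjectId` is not registered, so a stale or fabricated identity arriving from a client leaves the thread with whatever callers were previously set instead of being rejected — throwing `LoginException` there fails closed. `logout` has the same gap: an unknown id passes `null` to `unregisterSubject`. The `LoginContext` name `"OpenEJB"` is hard-coded, so a class Javadoc stating that a JAAS configuration entry of that name is required would help deployers.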

Modified: geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/GeronimoThreadContextListener.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/GeronimoThreadContextListener.java?view=diff&rev=522573&r1=522572&r2=522573
==============================================================================
--- geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/GeronimoThreadContextListener.java
(original)
+++ geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/GeronimoThreadContextListener.java
Mon Mar 26 10:12:19 2007
@@ -19,6 +19,8 @@
 
 import javax.naming.Context;
 import javax.resource.ResourceException;
+import javax.security.auth.Subject;
+import javax.security.jacc.PolicyContext;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -26,6 +28,8 @@
 import org.apache.geronimo.connector.outbound.connectiontracking.ConnectorInstanceContextImpl;
 import org.apache.geronimo.connector.outbound.connectiontracking.TrackedConnectionAssociator;
 import org.apache.geronimo.naming.java.RootContext;
+import org.apache.geronimo.security.ContextManager;
+import org.apache.geronimo.security.Callers;
 import org.apache.openejb.core.CoreDeploymentInfo;
 import org.apache.openejb.core.ThreadContext;
 import org.apache.openejb.core.ThreadContextListener;
@@ -82,6 +86,26 @@
         // Set the jndi context into Geronimo's root context
         RootContext.setComponentContext(jndiContext);
 
+        // set the policy (security) context id
+        String moduleID = newContext.getDeploymentInfo().getModuleID();
+        PolicyContext.setContextID(moduleID);
+
+        // set the default subject if needed
+        if (ContextManager.getCurrentCaller() == null) {
+            Subject defaultSubject = ejbDeployment.getDefaultSubject();
+
+            if (defaultSubject != null) {
+                ContextManager.setCallers(defaultSubject, defaultSubject);
+                geronimoCallContext.clearCallers = true;
+            }
+        }
+
+        // apply run as
+        Subject runAsSubject = ejbDeployment.getRunAs();
+        if (runAsSubject != null) {
+            geronimoCallContext.callers = ContextManager.pushNextCaller(runAsSubject);
+        }
+
         newContext.set(GeronimoCallContext.class, geronimoCallContext);
     }
 
@@ -96,6 +120,16 @@
         GeronimoCallContext geronimoCallContext = exitedContext.get(GeronimoCallContext.class);
         if (geronimoCallContext == null) return;
 
+        // reset run as
+        if (geronimoCallContext.callers != null) {
+            ContextManager.popCallers(geronimoCallContext.callers);
+        }
+
+        // reset default subject
+        if (geronimoCallContext.clearCallers) {
+            ContextManager.clearCallers();
+        }
+
         // reset Geronimo's root jndi context
         RootContext.setComponentContext(geronimoCallContext.oldJndiContext);
 
@@ -113,5 +147,7 @@
     private static final class GeronimoCallContext {
         private Context oldJndiContext;
         private ConnectorInstanceContext oldConnectorContext;
+        private boolean clearCallers;
+        private Callers callers;
     }
 }

Modified: geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/OpenEjbSystemGBean.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/OpenEjbSystemGBean.java?view=diff&rev=522573&r1=522572&r2=522573
==============================================================================
--- geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/OpenEjbSystemGBean.java
(original)
+++ geronimo/server/trunk/modules/geronimo-openejb/src/main/java/org/apache/geronimo/openejb/OpenEjbSystemGBean.java
Mon Mar 26 10:12:19 2007
@@ -38,8 +38,6 @@
 import org.apache.geronimo.gbean.ReferenceCollection;
 import org.apache.geronimo.gbean.ReferenceCollectionEvent;
 import org.apache.geronimo.gbean.ReferenceCollectionListener;
-import org.apache.geronimo.gbean.SingleElementCollection;
-import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
 import org.apache.geronimo.kernel.GBeanNotFoundException;
 import org.apache.geronimo.kernel.Kernel;
 import org.apache.openejb.Container;
@@ -65,6 +63,7 @@
 import org.apache.openejb.loader.SystemInstance;
 import org.apache.openejb.spi.ApplicationServer;
 import org.apache.openejb.spi.ContainerSystem;
+import org.apache.openejb.spi.SecurityService;
 import org.apache.openejb.util.proxy.Jdk13ProxyFactory;
 
 import org.omg.CORBA.ORB;
@@ -81,7 +80,6 @@
     // These are provided by the corba subsystem when it first initializes.  
     // Once we have a set, we ignore any additional notifications. 
     private ORB orb; 
-    private HandleDelegate handleDelegate; 
 
     public OpenEjbSystemGBean(TransactionManager transactionManager) throws Exception {
         this(transactionManager, null, null, OpenEjbSystemGBean.class.getClassLoader());
@@ -114,16 +112,16 @@
         transactionManager = getRawService(kernel, transactionManager);
         TransactionServiceInfo transactionServiceInfo = new TransactionServiceInfo();
         PassthroughFactory.add(transactionServiceInfo, transactionManager);
-        try {
-            transactionServiceInfo.id = "Default Transaction Manager";
-            transactionServiceInfo.serviceType = "TransactionManager";
-            assembler.createTransactionManager(transactionServiceInfo);
-        } finally {
-            PassthroughFactory.remove(transactionServiceInfo);
-        }
+        transactionServiceInfo.id = "Default Transaction Manager";
+        transactionServiceInfo.serviceType = "TransactionManager";
+        assembler.createTransactionManager(transactionServiceInfo);
 
         // install security service
-        SecurityServiceInfo securityServiceInfo = configurationFactory.configureService(SecurityServiceInfo.class);
+        SecurityService securityService = new GeronimoSecurityService();
+        SecurityServiceInfo securityServiceInfo = new SecurityServiceInfo();
+        PassthroughFactory.add(securityServiceInfo, securityService);
+        securityServiceInfo.id = "Default Security Service";
+        securityServiceInfo.serviceType = "SecurityService";
         assembler.createSecurityService(securityServiceInfo);
 
         // install proxy factory
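Review bot: `PassthroughFactory.add(securityServiceInfo, securityService)` has no matching `PassthroughFactory.remove`, and the hunk also deletes the `try/finally` that removed the transaction-manager entry after `createTransactionManager`, so both info objects and the services they map to now stay in the factory's registry for the life of the JVM — assuming, as the deleted `finally` suggests, `PassthroughFactory` is a static map keyed by the info object. If the entries must outlive `create*` for the assembler to resolve them later, a comment saying so would stop the next reader from re-adding the cleanup; otherwise restoring `finally { PassthroughFactory.remove(...); }` around both calls keeps the registry clean. The security service is now hard-wired to `new GeronimoSecurityService()` instead of being resolved through `configurationFactory`, which presumably means any `SecurityService` configured in OpenEJB's own configuration is ignored; worth a comment either way.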
@@ -322,7 +320,6 @@
         // this is only processed once, since these are global values. 
         if (this.orb == null) {
             this.orb = orb; 
-            this.handleDelegate = handleDelegate; 
             SystemInstance.get().setComponent(ORB.class, orb);
             SystemInstance.get().setComponent(HandleDelegate.class, handleDelegate);
         }

Modified: geronimo/server/trunk/modules/geronimo-security/pom.xml
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-security/pom.xml?view=diff&rev=522573&r1=522572&r2=522573
==============================================================================
--- geronimo/server/trunk/modules/geronimo-security/pom.xml (original)
+++ geronimo/server/trunk/modules/geronimo-security/pom.xml Mon Mar 26 10:12:19 2007
@@ -82,7 +82,13 @@
             <artifactId>hsqldb</artifactId>
             <scope>test</scope>
         </dependency>
-    
+
+        <dependency>
+            <groupId>org.apache.openejb</groupId>
+            <artifactId>openejb-client</artifactId>
+            <optional>true</optional>
+        </dependency>
+
     </dependencies>
     
     <build>

Added: geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/GeronimoIdentityResolver.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/GeronimoIdentityResolver.java?view=auto&rev=522573
==============================================================================
--- geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/GeronimoIdentityResolver.java
(added)
+++ geronimo/server/trunk/modules/geronimo-security/src/main/java/org/apache/geronimo/security/GeronimoIdentityResolver.java
Mon Mar 26 10:12:19 2007
@@ -0,0 +1,44 @@
+/**
+ *
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.geronimo.security;
+
+import org.apache.openejb.client.IdentityResolver;
+
+import javax.security.auth.Subject;
+import java.security.AccessController;
+import java.util.Set;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class GeronimoIdentityResolver implements IdentityResolver {
+    public Object getIdentity() {
+        Subject subject = Subject.getSubject(AccessController.getContext());
+        if (subject == null) {
+            return null;
+        }
+
+        Set<IdentificationPrincipal> identificationPrincipals = subject.getPrincipals(IdentificationPrincipal.class);
+        if (identificationPrincipals.isEmpty()) {
+            return null;
+        }
+
+        IdentificationPrincipal principal = identificationPrincipals.iterator().next();
+        return principal.getId();
+    }
+}
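Review bot: `getIdentity` returns the id of an arbitrary `IdentificationPrincipal` when the subject carries more than one, because `Set` iteration order is unspecified, so which identity the client presents to the server is non-deterministic in that case. Either document that a subject is expected to hold exactly one `IdentificationPrincipal`, or fail closed with `if (identificationPrincipals.size() > 1) throw new IllegalStateException("Subject carries more than one IdentificationPrincipal");`. A class Javadoc would also help: the returned id is what the server-side `GeronimoSecurityService.associate` looks up as a `SubjectId` in `ContextManager`, so it effectively acts as the client's credential on the wire and presumably should only travel over an authenticated, encrypted connection.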

Added: geronimo/server/trunk/modules/geronimo-security/src/main/resources/META-INF/org.apache.openejb.client.IdentityResolver/geronimo
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/modules/geronimo-security/src/main/resources/META-INF/org.apache.openejb.client.IdentityResolver/geronimo?view=auto&rev=522573
==============================================================================
--- geronimo/server/trunk/modules/geronimo-security/src/main/resources/META-INF/org.apache.openejb.client.IdentityResolver/geronimo
(added)
+++ geronimo/server/trunk/modules/geronimo-security/src/main/resources/META-INF/org.apache.openejb.client.IdentityResolver/geronimo
Mon Mar 26 10:12:19 2007
@@ -0,0 +1 @@
+org.apache.geronimo.security.GeronimoIdentityResolver
\ No newline at end of file


