From ke...@apache.org
Subject svn commit: r565936 [2/2] - in /geronimo/server/branches/2.0: applications/console/geronimo-console-core/src/main/java/org/apache/geronimo/console/core/security/ applications/console/geronimo-console-standard/src/main/java/org/apache/geronimo/console/s...
Date Tue, 14 Aug 2007 21:54:52 GMT
Modified: geronimo/server/branches/2.0/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.0/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java?view=diff&rev=565936&r1=565935&r2=565936
==============================================================================
--- geronimo/server/branches/2.0/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java
(original)
+++ geronimo/server/branches/2.0/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/SQLLoginModule.java
Tue Aug 14 14:54:50 2007
@@ -20,16 +20,17 @@
 import java.io.IOException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
 import java.sql.Connection;
 import java.sql.Driver;
 import java.sql.PreparedStatement;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.util.HashSet;
-import java.util.Iterator;
 import java.util.Map;
 import java.util.Properties;
 import java.util.Set;
+
 import javax.security.auth.Subject;
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
@@ -58,21 +59,24 @@
 /**
  * A login module that loads security information from a SQL database.  Expects
  * to be run by a GenericSecurityRealm (doesn't work on its own).
- * <p>
+ * <p/>
  * This requires database connectivity information (either 1: a dataSourceName and
  * optional dataSourceApplication or 2: a JDBC driver, URL, username, and password)
  * and 2 SQL queries.
- * <p>
+ * <p/>
  * The userSelect query should return 2 values, the username and the password in
  * that order.  It should include one PreparedStatement parameter (a ?) which
  * will be filled in with the username.  In other words, the query should look
  * like: <tt>SELECT user, password FROM credentials WHERE username=?</tt>
- * <p>
+ * <p/>
  * The groupSelect query should return 2 values, the username and the group name in
  * that order (but it may return multiple rows, one per group).  It should include
  * one PreparedStatement parameter (a ?) which will be filled in with the username.
  * In other words, the query should look like:
  * <tt>SELECT user, role FROM user_roles WHERE username=?</tt>
+ * <p/>
+ * This login module checks security credentials so the lifecycle methods must return true
to indicate success
+ * or throw LoginException to indicate failure.
  *
  * @version $Rev$ $Date$
  */
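Review bot: The `<p/>` tags that replace `<p>` in this Javadoc are not valid HTML for the javadoc tool: a self-closing paragraph element is rejected by the HTML checks in later JDKs and renders inconsistently in older ones, so the original `<p>` was the correct form and should be kept on all four lines. The added paragraph about lifecycle methods returning true or throwing `LoginException` is a useful contract statement; `{@code true}` and `{@link LoginException}` would make it render like the rest of the comment.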
@@ -95,13 +99,13 @@
     private String userSelect;
     private String groupSelect;
     private String digest;
-    private String encoding;    
+    private String encoding;
 
     private Subject subject;
     private CallbackHandler handler;
     private String cbUsername;
     private String cbPassword;
-    private final Set groups = new HashSet();
+    private final Set<Principal> groups = new HashSet<Principal>();
 
     public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState,
Map options) {
         this.subject = subject;
@@ -111,41 +115,41 @@
 
         digest = (String) options.get(DIGEST);
         encoding = (String) options.get(ENCODING);
-        if(digest != null && !digest.equals("")) {
+        if (digest != null && !digest.equals("")) {
             // Check if the digest algorithm is available
             try {
                 MessageDigest.getInstance(digest);
-            } catch(NoSuchAlgorithmException e) {
-                log.error("Initialization failed. Digest algorithm "+digest+" is not available.",
e);
-                throw new IllegalArgumentException("Unable to configure SQL login module:
"+e.getMessage(), e);
+            } catch (NoSuchAlgorithmException e) {
+                log.error("Initialization failed. Digest algorithm " + digest + " is not
available.", e);
+                throw new IllegalArgumentException("Unable to configure SQL login module:
" + e.getMessage(), e);
             }
-            if(encoding != null && !"hex".equalsIgnoreCase(encoding) && !"base64".equalsIgnoreCase(encoding))
{
-                log.error("Initialization failed. Digest Encoding "+encoding+" is not supported.");
-                throw new IllegalArgumentException("Unable to configure SQL login module.
Digest Encoding "+encoding+" not supported.");
+            if (encoding != null && !"hex".equalsIgnoreCase(encoding) &&
!"base64".equalsIgnoreCase(encoding)) {
+                log.error("Initialization failed. Digest Encoding " + encoding + " is not
supported.");
+                throw new IllegalArgumentException(
+                        "Unable to configure SQL login module. Digest Encoding " + encoding
+ " not supported.");
             }
         }
 
         String dataSourceName = (String) options.get(DATABASE_POOL_NAME);
-        if(dataSourceName != null) {
+        if (dataSourceName != null) {
             dataSourceName = dataSourceName.trim();
             String dataSourceAppName = (String) options.get(DATABASE_POOL_APP_NAME);
-            if(dataSourceAppName == null || dataSourceAppName.trim().equals("")) {
+            if (dataSourceAppName == null || dataSourceAppName.trim().equals("")) {
                 dataSourceAppName = "null";
             } else {
                 dataSourceAppName = dataSourceAppName.trim();
             }
             String kernelName = (String) options.get(JaasLoginModuleUse.KERNEL_NAME_LM_OPTION);
             Kernel kernel = KernelRegistry.getKernel(kernelName);
-            Set set = kernel.listGBeans(new AbstractNameQuery(JCAManagedConnectionFactory.class.getName()));
+            Set<AbstractName> set = kernel.listGBeans(new AbstractNameQuery(JCAManagedConnectionFactory.class.getName()));
             JCAManagedConnectionFactory factory;
-            for (Iterator it = set.iterator(); it.hasNext();) {
-                AbstractName name = (AbstractName) it.next();
-                if(name.getName().get(NameFactory.J2EE_APPLICATION).equals(dataSourceAppName)
&&
-                    name.getName().get(NameFactory.J2EE_NAME).equals(dataSourceName)) {
+            for (AbstractName name : set) {
+                if (name.getName().get(NameFactory.J2EE_APPLICATION).equals(dataSourceAppName)
&&
+                        name.getName().get(NameFactory.J2EE_NAME).equals(dataSourceName))
{
                     try {
                         factory = (JCAManagedConnectionFactory) kernel.getGBean(name);
                         String type = factory.getConnectionFactoryInterface();
-                        if(type.equals(DataSource.class.getName())) {
+                        if (type.equals(DataSource.class.getName())) {
                             this.factory = factory;
                             break;
                         }
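Review bot: The rewritten condition `name.getName().get(NameFactory.J2EE_APPLICATION).equals(dataSourceAppName)` still dereferences the map lookup before comparing, so a GBean name that lacks a J2EE_APPLICATION (or J2EE_NAME) entry makes `initialize` fail with a NullPointerException instead of being skipped. Both `dataSourceAppName` and `dataSourceName` are non-null at this point (one defaults to `"null"`, the other was trimmed), so flipping the comparison is null-safe: `dataSourceAppName.equals(name.getName().get(NameFactory.J2EE_APPLICATION)) && dataSourceName.equals(name.getName().get(NameFactory.J2EE_NAME))`. `initialize` starts before this hunk and continues after it; the `try` opened at the bottom is closed outside the hunk.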
@@ -157,19 +161,23 @@
         } else {
             connectionURL = (String) options.get(CONNECTION_URL);
             properties = new Properties();
-            if(options.get(USER) != null) {
+            if (options.get(USER) != null) {
                 properties.put("user", options.get(USER));
             }
-            if(options.get(PASSWORD) != null) {
+            if (options.get(PASSWORD) != null) {
                 properties.put("password", options.get(PASSWORD));
             }
             ClassLoader cl = (ClassLoader) options.get(JaasLoginModuleUse.CLASSLOADER_LM_OPTION);
             try {
                 driver = (Driver) cl.loadClass((String) options.get(DRIVER)).newInstance();
             } catch (ClassNotFoundException e) {
-                throw new IllegalArgumentException("Driver class " + options.get(DRIVER)
+ " is not available.  Perhaps you need to add it as a dependency in your deployment plan?",
e);
+                throw new IllegalArgumentException("Driver class " + options.get(
+                        DRIVER) + " is not available.  Perhaps you need to add it as a dependency
in your deployment plan?",
+                        e);
             } catch (Exception e) {
-                throw new IllegalArgumentException("Unable to load, instantiate, register
driver " + options.get(DRIVER) + ": " + e.getMessage(), e);
+                throw new IllegalArgumentException(
+                        "Unable to load, instantiate, register driver " + options.get(DRIVER)
+ ": " + e.getMessage(),
+                        e);
             }
         }
     }
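Review bot: `cl.loadClass((String) options.get(DRIVER))` runs without checking that the class loader option was supplied, so a missing `CLASSLOADER_LM_OPTION` surfaces as a NullPointerException that the broad `catch (Exception e)` turns into "Unable to load, instantiate, register driver ...: null", hiding the actual cause. A guard before the `try`, `if (cl == null) { throw new IllegalArgumentException("No class loader supplied for SQL login module"); }`, gives the deployer a usable message; the same applies to a null `DRIVER` option, which today reports "Driver class null". The enclosing `initialize` starts before this hunk.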
@@ -189,15 +197,14 @@
         assert callbacks.length == 2;
         cbUsername = ((NameCallback) callbacks[0]).getName();
         if (cbUsername == null || cbUsername.equals("")) {
-            return false;
+            throw new FailedLoginException();
         }
         char[] provided = ((PasswordCallback) callbacks[1]).getPassword();
         cbPassword = provided == null ? null : new String(provided);
 
-        boolean found = false;
         try {
             Connection conn;
-            if(factory != null) {
+            if (factory != null) {
                 DataSource ds = (DataSource) factory.getConnectionFactory();
                 conn = ds.getConnection();
             } else {
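Review bot: With `boolean found` dropped here and the `if (!found) throw new FailedLoginException()` block removed in the hunk at -231, a username that matches no row of `userSelect` no longer fails: the loop in the hunk at -219 only throws when a matching row exists and its password check fails, so an unknown user falls through to the group query and, as far as the visible hunks show, nothing else rejects it before `login()` returns. That turns a missing account into a successful authentication carrying a `GeronimoUserPrincipal` and no groups. Keep the flag: `boolean found = false;` before the `try`, `found = true;` inside the `if (cbUsername.equals(userName))` branch, and `if (!found) { throw new FailedLoginException(); }` after the user statement is closed. Separately, the callback's `char[] provided` is copied into the String field `cbPassword` and never cleared; calling `((PasswordCallback) callbacks[1]).clearPassword()` once the copy is made follows the JAAS convention for credential handling. `login()` starts before this hunk and its remaining body lies outside it.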
@@ -208,8 +215,8 @@
                 PreparedStatement statement = conn.prepareStatement(userSelect);
                 try {
                     int count = countParameters(userSelect);
-                    for(int i=0; i<count; i++) {
-                        statement.setObject(i+1, cbUsername);
+                    for (int i = 0; i < count; i++) {
+                        statement.setObject(i + 1, cbUsername);
                     }
                     ResultSet result = statement.executeQuery();
 
@@ -219,8 +226,9 @@
                             String userPassword = result.getString(2);
 
                             if (cbUsername.equals(userName)) {
-                                found = (cbPassword == null && userPassword == null)
||
-                                        (cbPassword != null && userPassword != null
&& checkPassword(userPassword, cbPassword));
+                                if (!checkPassword(userPassword, cbPassword)) {
+                                    throw new FailedLoginException();
+                                }
                                 break;
                             }
                         }
@@ -231,15 +239,11 @@
                     statement.close();
                 }
 
-                if (!found) {
-                    throw new FailedLoginException();
-                }
-
                 statement = conn.prepareStatement(groupSelect);
                 try {
                     int count = countParameters(groupSelect);
-                    for(int i=0; i<count; i++) {
-                        statement.setObject(i+1, cbUsername);
+                    for (int i = 0; i < count; i++) {
+                        statement.setObject(i + 1, cbUsername);
                     }
                     ResultSet result = statement.executeQuery();
 
@@ -271,12 +275,9 @@
     }
 
     public boolean commit() throws LoginException {
-        Set principals = subject.getPrincipals();
+        Set<Principal> principals = subject.getPrincipals();
         principals.add(new GeronimoUserPrincipal(cbUsername));
-        Iterator iter = groups.iterator();
-        while (iter.hasNext()) {
-            principals.add(iter.next());
-        }
+        principals.addAll(groups);
 
         return true;
     }
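Review bot: `commit()` adds `new GeronimoUserPrincipal(cbUsername)` and the collected groups without checking whether this module's own `login()` succeeded. `cbUsername` is assigned before the password is verified, so if this module is stacked with others and flagged optional or sufficient, a failed password check followed by an overall successful login still calls `commit()` here and attaches a principal for the rejected user. The usual JAAS pattern is a `private boolean loginSucceeded` set at the end of `login()`, checked first in `commit()` with `if (!loginSucceeded) { return false; }`, and reset in `abort()` and `logout()`. With a single required module the LoginContext calls `abort()` instead, so the exposure depends on the realm configuration.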
@@ -298,7 +299,7 @@
     private static int countParameters(String sql) {
         int count = 0;
         int pos = -1;
-        while((pos = sql.indexOf('?', pos+1)) != -1) {
+        while ((pos = sql.indexOf('?', pos + 1)) != -1) {
             ++count;
         }
         return count;
@@ -306,12 +307,21 @@
 
     /**
      * This method checks if the provided password is correct.  The original password may
have been digested.
-     * @param real      Original password in digested form if applicable
-     * @param provided  User provided password in clear text
+     *
+     * @param real     Original password in digested form if applicable
+     * @param provided User provided password in clear text
      * @return true     If the password is correct
      */
-    private boolean checkPassword(String real, String provided){
-        if(digest == null || digest.equals("")) {
+    private boolean checkPassword(String real, String provided) {
+        if (real == null && provided == null) {
+            return true;
+        }
+        if (real == null || provided == null) {
+            return false;
+        }
+
+        //both are non-null
+        if (digest == null || digest.equals("")) {
             // No digest algorithm is used
             return real.equals(provided);
         }
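Review bot: The new null handling at the top of `checkPassword` treats a NULL stored password and an absent supplied password as a match, so any account whose password column is NULL can be logged into without presenting a credential. This preserves what the removed `found` expression did, but making it explicit here is the place to tighten it: a NULL in the credentials table is better read as "no password set, login disabled" than as the empty credential. Replacing the two checks with `if (real == null || provided == null) { return false; }` does that; if NULL-matches-NULL is intended, it should at least be stated in the method's Javadoc. `checkPassword` continues past the end of this hunk.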
@@ -319,14 +329,14 @@
             // Digest the user provided password
             MessageDigest md = MessageDigest.getInstance(digest);
             byte[] data = md.digest(provided.getBytes());
-            if(encoding == null || "hex".equalsIgnoreCase(encoding)) {
+            if (encoding == null || "hex".equalsIgnoreCase(encoding)) {
                 // Convert bytes to hex digits
                 byte[] hexData = new byte[data.length * 2];
                 HexTranslator ht = new HexTranslator();
                 ht.encode(data, 0, data.length, hexData, 0);
                 // Compare the digested provided password with the actual one
                 return real.equalsIgnoreCase(new String(hexData));
-            } else if("base64".equalsIgnoreCase(encoding)) {
+            } else if ("base64".equalsIgnoreCase(encoding)) {
                 return real.equals(new String(Base64.encode(data)));
             }
         } catch (NoSuchAlgorithmException e) {
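Review bot: `provided.getBytes()` on the line above the changed `if` digests the password in the JVM's default charset, so the same non-ASCII password produces different digests on differently configured hosts and will not match a stored value computed elsewhere. Pin the encoding, `provided.getBytes("UTF-8")` (or `StandardCharsets.UTF_8` if the target JDK has it; the String overload throws a checked `UnsupportedEncodingException` that must be handled), and state in the class Javadoc which charset the stored digests must be produced with. The `new String(hexData)` on the hex branch also uses the default charset but only carries ASCII hex digits, so it is harmless.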

Modified: geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/ConfigurationEntryTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/ConfigurationEntryTest.java?view=diff&rev=565936&r1=565935&r2=565936
==============================================================================
--- geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/ConfigurationEntryTest.java
(original)
+++ geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/ConfigurationEntryTest.java
Tue Aug 14 14:54:50 2007
@@ -67,9 +67,8 @@
         assertEquals("Audit file wasn't cleared", 0, auditlog.length());
 
         // First try with explicit configuration entry
-        LoginContext context = new LoginContext("properties-realm", new AbstractTest.UsernamePasswordCallback("alan",
"starcraft"));
+        LoginContext context = ContextManager.login("properties-realm", new AbstractTest.UsernamePasswordCallback("alan",
"starcraft"));
 
-        context.login();
         Subject subject = context.getSubject();
         Subject clientSubject = subject;
         assertTrue("expected non-null client subject", subject != null);
@@ -87,7 +86,7 @@
         assertTrue("server subject should have seven principals (" + subject.getPrincipals().size()
+ ")", subject.getPrincipals().size() == 7);
         assertTrue("server subject should have one private credential (" + subject.getPrivateCredentials().size()
+ ")", subject.getPrivateCredentials().size() == 1);
 
-        context.logout();
+        ContextManager.logout(context);
 
         assertNull(ContextManager.getRegisteredSubject(idp.getId()));
         assertNull(ContextManager.getServerSideSubject(clientSubject));
@@ -95,9 +94,8 @@
         assertTrue("id of subject should be null", ContextManager.getSubjectId(subject) ==
null);
 
         // next try the automatic configuration entry
-        context = new LoginContext("properties-realm", new AbstractTest.UsernamePasswordCallback("alan",
"starcraft"));
+        context = ContextManager.login("properties-realm", new AbstractTest.UsernamePasswordCallback("alan",
"starcraft"));
 
-        context.login();
         subject = context.getSubject();
         assertTrue("expected non-null client subject", subject != null);
         set = subject.getPrincipals(IdentificationPrincipal.class);
@@ -105,17 +103,14 @@
         IdentificationPrincipal idp2 = (IdentificationPrincipal) set.iterator().next();
         assertNotSame(idp.getId(), idp2.getId());
         assertEquals(idp2.getId(), idp2.getId());
-        subject = ContextManager.getServerSideSubject(subject);
-
-        assertTrue("expected non-null server subject", subject != null);
         assertTrue("server subject should have one remote principal", subject.getPrincipals(IdentificationPrincipal.class).size()
== 1);
-        remote = (IdentificationPrincipal) subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
+        remote = subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
         assertTrue("server subject should be associated with remote id", ContextManager.getRegisteredSubject(remote.getId())
!= null);
         assertTrue("server subject should have two realm principals (" + subject.getPrincipals(RealmPrincipal.class).size()
+ ")", subject.getPrincipals(RealmPrincipal.class).size() == 2);
         assertTrue("server subject should have seven principals (" + subject.getPrincipals().size()
+ ")", subject.getPrincipals().size() == 7);
         assertTrue("server subject should have one private credential (" + subject.getPrivateCredentials().size()
+ ")", subject.getPrivateCredentials().size() == 1);
 
-        context.logout();
+        ContextManager.logout(context);
 
         assertTrue("id of subject should be null", ContextManager.getSubjectId(subject) ==
null);
 
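Review bot: With the `ContextManager.getServerSideSubject` lookup removed, the assertions that follow now run against the client subject but their messages still say `server subject should ...`, so a failure would point at the wrong object; the same stale `server-side subject` wording remains in the LoginSQLTest hunk at -143. Renaming the messages to `subject should ...` keeps them truthful. Unrelated to this change but in the same hunk, `assertEquals(idp2.getId(), idp2.getId());` compares a value with itself and can never fail; it was presumably meant to compare two different ids and should be corrected or removed.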

Modified: geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginKerberosTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginKerberosTest.java?view=diff&rev=565936&r1=565935&r2=565936
==============================================================================
--- geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginKerberosTest.java
(original)
+++ geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginKerberosTest.java
Tue Aug 14 14:54:50 2007
@@ -87,18 +87,12 @@
             context.login();
             Subject subject = context.getSubject();
 
-            assertTrue("expected non-null client-side subject", subject != null);
-            subject = ContextManager.getServerSideSubject(subject);
-
-            assertTrue("expected non-null server-side subject", subject != null);
-            assertTrue("id of server-side subject should be non-null", ContextManager.getSubjectId(subject)
!= null);
-            assertEquals("server-side subject should have two principals", 2, subject.getPrincipals().size());
-            assertEquals("server-side subject should have one identification principal",
1, subject.getPrincipals(IdentificationPrincipal.class).size());
+            assertTrue("expected non-null subject", subject != null);
+            assertEquals("server-side subject should have two principals", 1, subject.getPrincipals().size());
             assertEquals("server-side subject should have one kerberos principal", 1, subject.getPrincipals(KerberosPrincipal.class).size());
 
             context.logout();
 
-            assertTrue("id of subject should be null", ContextManager.getSubjectId(subject)
== null);
         } catch (LoginException e) {
             //See GERONIMO-3388.  This seems to be the normal code path.
             e.printStackTrace();
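Review bot: The new assertion `assertEquals("server-side subject should have two principals", 1, subject.getPrincipals().size());` expects 1 while its message says two, and it now runs against the plain subject rather than a server-side one, so a failure would report a misleading expectation. Use `assertEquals("subject should have one principal", 1, subject.getPrincipals().size());` or drop the count from the message. The enclosing `try` also catches `LoginException` and only prints it (the comment above cites GERONIMO-3388), so none of these assertions are reached when the Kerberos login fails and the test still passes; that predates this commit, but a `fail(...)` or an explicit skip once the underlying issue is resolved would make the test meaningful.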

Modified: geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginPropertiesFileTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginPropertiesFileTest.java?view=diff&rev=565936&r1=565935&r2=565936
==============================================================================
--- geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginPropertiesFileTest.java
(original)
+++ geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginPropertiesFileTest.java
Tue Aug 14 14:54:50 2007
@@ -103,20 +103,8 @@
         Subject subject = context.getSubject();
 
         assertTrue("expected non-null subject", subject != null);
-        assertTrue("subject should have one remote principal", subject.getPrincipals(IdentificationPrincipal.class).size()
== 1);
-        IdentificationPrincipal remote = subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
-        assertTrue("subject should be associated with remote id", ContextManager.getRegisteredSubject(remote.getId())
!= null);
-        assertEquals("subject should have seven principals (" + subject.getPrincipals().size()
+ ")", 7, subject.getPrincipals().size());
-        assertEquals("subject should have 2 realm principals (" + subject.getPrincipals(RealmPrincipal.class).size()
+ ")", 2, subject.getPrincipals(RealmPrincipal.class).size());
-        assertEquals("subject should have 2 domain principals (" + subject.getPrincipals(DomainPrincipal.class).size()
+ ")", 2, subject.getPrincipals(DomainPrincipal.class).size());
-
-        subject = ContextManager.getServerSideSubject(subject);
-
-        assertTrue("expected non-null subject", subject != null);
-        assertTrue("subject should have one remote principal", subject.getPrincipals(IdentificationPrincipal.class).size()
== 1);
-        remote = subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
-        assertTrue("subject should be associated with remote id", ContextManager.getRegisteredSubject(remote.getId())
!= null);
-        assertEquals("subject should have seven principals (" + subject.getPrincipals().size()
+ ")", 7, subject.getPrincipals().size());
+        assertTrue("subject should have no remote principal", subject.getPrincipals(IdentificationPrincipal.class).size()
== 0);
+        assertEquals("subject should have 6 principals (" + subject.getPrincipals().size()
+ ")", 6, subject.getPrincipals().size());
         assertEquals("subject should have 2 realm principals (" + subject.getPrincipals(RealmPrincipal.class).size()
+ ")", 2, subject.getPrincipals(RealmPrincipal.class).size());
         assertEquals("subject should have 2 domain principals (" + subject.getPrincipals(DomainPrincipal.class).size()
+ ")", 2, subject.getPrincipals(DomainPrincipal.class).size());
 

Modified: geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginSQLTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginSQLTest.java?view=diff&rev=565936&r1=565935&r2=565936
==============================================================================
--- geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginSQLTest.java
(original)
+++ geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/LoginSQLTest.java
Tue Aug 14 14:54:50 2007
@@ -143,16 +143,10 @@
 
         context.login();
         Subject subject = context.getSubject();
-        assertTrue("expected non-null client-side subject", subject != null);
-        subject = ContextManager.getServerSideSubject(subject);
-
-        assertTrue("expected non-null server-side subject", subject != null);
-        assertEquals("server-side subject should have seven principal", 7, subject.getPrincipals().size());
+        assertTrue("expected non-null subject", subject != null);
+        assertEquals("server-side subject should have 6 principal", 6, subject.getPrincipals().size());
         assertEquals("server-side subject should have two realm principals", 2, subject.getPrincipals(RealmPrincipal.class).size());
         assertEquals("server-side subject should have two domain principals", 2, subject.getPrincipals(DomainPrincipal.class).size());
-        assertEquals("server-side subject should have one remote principal", 1, subject.getPrincipals(IdentificationPrincipal.class).size());
-        IdentificationPrincipal principal = subject.getPrincipals(IdentificationPrincipal.class).iterator().next();
-        assertTrue("id of principal should be non-zero", principal.getId().getSubjectId()
!= 0);
 
         context.logout();
     }

Modified: geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/TimeoutTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/TimeoutTest.java?view=diff&rev=565936&r1=565935&r2=565936
==============================================================================
--- geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/TimeoutTest.java
(original)
+++ geronimo/server/branches/2.0/modules/geronimo-security/src/test/java/org/apache/geronimo/security/jaas/TimeoutTest.java
Tue Aug 14 14:54:50 2007
@@ -99,14 +99,11 @@
         kernel.shutdown();
     }
 
-    public void testNothing() {
-    }
 
     public void testTimeout() throws Exception {
 
-        LoginContext context = new LoginContext("properties-realm", new AbstractTest.UsernamePasswordCallback("alan",
"starcraft"));
+        LoginContext context = ContextManager.login("properties-realm", new AbstractTest.UsernamePasswordCallback("alan",
"starcraft"));
 
-        context.login();
         Subject subject = context.getSubject();
         assertTrue("expected non-null client subject", subject != null);
         Set set = subject.getPrincipals(IdentificationPrincipal.class);
@@ -124,11 +121,11 @@
 
         assertTrue("id of server subject should be non-null", ContextManager.getSubjectId(subject)
!= null);
 
-        Thread.sleep(3000); // wait for timeout to kick in
+//        Thread.sleep(3000); // wait for timeout to kick in
+//
+//        assertTrue("id of server subject should be non-null", ContextManager.getSubjectId(subject)
!= null);
 
-        assertTrue("id of server subject should be non-null", ContextManager.getSubjectId(subject)
!= null);
-
-        Thread.sleep(7000); // wait for timeout to kick in
+//        Thread.sleep(7000); // wait for timeout to kick in
         //TODO figure out if we can time out logins!
 //        assertTrue("id of server subject should be null", ContextManager.getSubjectId(subject)
== null);
     }
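Review bot: Commenting out the `Thread.sleep` calls and the post-sleep assertion leaves `testTimeout` asserting nothing about timeouts while keeping its name, so a green run suggests login expiry is covered when it is not. Either remove the commented-out block and rename the method to reflect what it now checks, or disable the test explicitly next to the existing `//TODO figure out if we can time out logins!` so the gap is visible in the test report. Commented-out code tends to rot in place; the history is already in version control.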

Modified: geronimo/server/branches/2.0/modules/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.0/modules/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java?view=diff&rev=565936&r1=565935&r2=565936
==============================================================================
--- geronimo/server/branches/2.0/modules/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
(original)
+++ geronimo/server/branches/2.0/modules/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatGeronimoRealm.java
Tue Aug 14 14:54:50 2007
@@ -16,6 +16,25 @@
  */
 package org.apache.geronimo.tomcat.realm;
 
+import java.io.IOException;
+import java.security.AccessControlContext;
+import java.security.AccessControlException;
+import java.security.Principal;
+import java.security.cert.X509Certificate;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.AccountExpiredException;
+import javax.security.auth.login.CredentialExpiredException;
+import javax.security.auth.login.FailedLoginException;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import javax.security.jacc.PolicyContext;
+import javax.security.jacc.PolicyContextException;
+import javax.security.jacc.WebResourcePermission;
+import javax.security.jacc.WebRoleRefPermission;
+import javax.security.jacc.WebUserDataPermission;
+
 import org.apache.catalina.Context;
 import org.apache.catalina.LifecycleException;
 import org.apache.catalina.connector.Request;
@@ -32,31 +51,12 @@
 import org.apache.geronimo.tomcat.JAASTomcatPrincipal;
 import org.apache.geronimo.tomcat.interceptor.PolicyContextBeforeAfter;
 
-import javax.security.auth.Subject;
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.AccountExpiredException;
-import javax.security.auth.login.CredentialExpiredException;
-import javax.security.auth.login.FailedLoginException;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
-import javax.security.jacc.PolicyContext;
-import javax.security.jacc.PolicyContextException;
-import javax.security.jacc.WebResourcePermission;
-import javax.security.jacc.WebRoleRefPermission;
-import javax.security.jacc.WebUserDataPermission;
-
-import java.io.IOException;
-import java.security.AccessControlContext;
-import java.security.AccessControlException;
-import java.security.Principal;
-import java.security.cert.X509Certificate;
-
 
 public class TomcatGeronimoRealm extends JAASRealm {
 
     private static final Log log = LogFactory.getLog(TomcatGeronimoRealm.class);
 
-    private static ThreadLocal currentRequestWrapperName = new ThreadLocal();
+    private static ThreadLocal<String> currentRequestWrapperName = new ThreadLocal<String>();
 
     /**
      * Descriptive information about this <code>Realm</code> implementation.
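Review bot: `private static ThreadLocal<String> currentRequestWrapperName` is never reassigned in the visible code and is only used through `get`/`set`, so it should be `private static final`; the generic change here is the natural moment to add it. Because the value is set per request in `hasResourcePermission` and container threads are pooled, it also outlives the request that set it; if there is a point where request processing completes, a `currentRequestWrapperName.remove()` there keeps the wrapper name from carrying over to the next request on the same thread.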
@@ -70,10 +70,10 @@
 
     public TomcatGeronimoRealm() {
 
-     }
+    }
 
     public static String setRequestWrapperName(String requestWrapperName) {
-        String old = (String) currentRequestWrapperName.get();
+        String old = currentRequestWrapperName.get();
         currentRequestWrapperName.set(requestWrapperName);
         return old;
     }
@@ -136,10 +136,10 @@
      * Return <code>true</code> if this constraint is satisfied and processing
      * should continue, or <code>false</code> otherwise.
      *
-     * @param request    Request we are processing
-     * @param response   Response we are creating
+     * @param request     Request we are processing
+     * @param response    Response we are creating
      * @param constraints Security constraints we are enforcing
-     * @param context    The Context to which client of this class is attached.
+     * @param context     The Context to which client of this class is attached.
      * @throws java.io.IOException if an input/output error occurs
      */
     public boolean hasResourcePermission(Request request,
@@ -152,7 +152,7 @@
         // and the "j_security_check" action
         LoginConfig config = context.getLoginConfig();
         if ((config != null) &&
-            (org.apache.catalina.realm.Constants.FORM_METHOD.equals(config.getAuthMethod())))
{
+                (org.apache.catalina.realm.Constants.FORM_METHOD.equals(config.getAuthMethod())))
{
             String requestURI = request.getDecodedRequestURI();
             String loginPage = context.getPath() + config.getLoginPage();
             if (loginPage.equals(requestURI)) {
@@ -172,7 +172,7 @@
                 return (true);
             }
         }
-        
+
         //Set the current wrapper name (Servlet mapping)
         currentRequestWrapperName.set(request.getWrapper().getName());
 
@@ -181,7 +181,7 @@
 
         //If we have no principal, then we should use the default.
         if (principal == null) {
-            Subject defaultSubject = (Subject)request.getAttribute(PolicyContextBeforeAfter.DEFAULT_SUBJECT);
+            Subject defaultSubject = (Subject) request.getAttribute(PolicyContextBeforeAfter.DEFAULT_SUBJECT);
             ContextManager.setCallers(defaultSubject, defaultSubject);
         } else {
             Subject currentCaller = ((JAASTomcatPrincipal) principal).getSubject();
@@ -192,7 +192,6 @@
 
             AccessControlContext acc = ContextManager.getCurrentContext();
 
-
             /**
              * JACC v1.0 section 4.1.2
              */
@@ -221,7 +220,7 @@
             return false;
         }
 
-        String name = (String)currentRequestWrapperName.get();
+        String name = currentRequestWrapperName.get();
 
         /**
          * JACC v1.0 secion B.19
@@ -264,7 +263,7 @@
      */
     public Principal authenticate(String username, String credentials) {
 
-        char[] cred = credentials == null? null: credentials.toCharArray();
+        char[] cred = credentials == null ? null : credentials.toCharArray();
         CallbackHandler callbackHandler = new PasswordCallbackHandler(username, cred);
         return authenticate(callbackHandler, username);
     }
@@ -283,95 +282,64 @@
         // Establish a LoginContext to use for authentication
         try {
 
-            if ( (principalName!=null) && (!principalName.equals("")) ) {
-              LoginContext loginContext = null;
-              if (appName == null)
-                  appName = "Tomcat";
-
-              if (log.isDebugEnabled())
-                  log.debug(sm.getString("jaasRealm.beginLogin", principalName, appName));
-
-              // What if the LoginModule is in the container class loader ?
-              ClassLoader ocl = null;
-
-              if (isUseContextClassLoader()) {
-                  ocl = Thread.currentThread().getContextClassLoader();
-                  Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
-              }
-
-              try {
-                  loginContext = new LoginContext(appName, callbackHandler);
-              } catch (Throwable e) {
-                  log.error(sm.getString("jaasRealm.unexpectedError"), e);
-                  return (null);
-              } finally {
-                  if (isUseContextClassLoader()) {
-                      Thread.currentThread().setContextClassLoader(ocl);
-                  }
-              }
-
-              if (log.isDebugEnabled())
-                  log.debug("Login context created " + principalName);
-
-              // Negotiate a login via this LoginContext
-              Subject subject;
-              try {
-                  loginContext.login();
-                  Subject tempSubject = loginContext.getSubject();
-                  if (tempSubject == null) {
-                      if (log.isDebugEnabled())
-                          log.debug(sm.getString("jaasRealm.failedLogin", principalName));
-                      return (null);
-                  }
-
-                  subject = ContextManager.getServerSideSubject(tempSubject);
-                  if (subject == null) {
-                      if (log.isDebugEnabled())
-                          log.debug(sm.getString("jaasRealm.failedLogin", principalName));
-                      return (null);
-                  }
-
-                  ContextManager.setCallers(subject, subject);
-
-              } catch (AccountExpiredException e) {
-                  if (log.isDebugEnabled())
-                      log.debug(sm.getString("jaasRealm.accountExpired", principalName));
-                  return (null);
-              } catch (CredentialExpiredException e) {
-                  if (log.isDebugEnabled())
-                      log.debug(sm.getString("jaasRealm.credentialExpired", principalName));
-                  return (null);
-              } catch (FailedLoginException e) {
-                  if (log.isDebugEnabled())
-                      log.debug(sm.getString("jaasRealm.failedLogin", principalName));
-                  return (null);
-              } catch (LoginException e) {
-                  log.warn(sm.getString("jaasRealm.loginException", principalName), e);
-                  return (null);
-              } catch (Throwable e) {
-                  log.error(sm.getString("jaasRealm.unexpectedError"), e);
-                  return (null);
-              }
-
-              if (log.isDebugEnabled())
-                  log.debug(sm.getString("jaasRealm.loginContextCreated", principalName));
-
-              // Return the appropriate Principal for this authenticated Subject
-  /*            Principal principal = createPrincipal(username, subject);
-              if (principal == null) {
-                  log.debug(sm.getString("jaasRealm.authenticateFailure", username));
-                  return (null);
-              }
-              if (log.isDebugEnabled()) {
-                  log.debug(sm.getString("jaasRealm.authenticateSuccess", username));
-              }
-  */
-              JAASTomcatPrincipal jaasPrincipal = new JAASTomcatPrincipal(principalName);
-              jaasPrincipal.setSubject(subject);
+            if ((principalName != null) && (!principalName.equals(""))) {
+                LoginContext loginContext = null;
+                if (appName == null)
+                    appName = "Tomcat";
 
-              return (jaasPrincipal);
-            }
-            else {
+                if (log.isDebugEnabled())
+                    log.debug(sm.getString("jaasRealm.beginLogin", principalName, appName));
+
+                // What if the LoginModule is in the container class loader ?
+                ClassLoader ocl = null;
+
+                if (isUseContextClassLoader()) {
+                    ocl = Thread.currentThread().getContextClassLoader();
+                    Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
+                }
+
+                try {
+                    loginContext = ContextManager.login(appName, callbackHandler);
+                } catch (AccountExpiredException e) {
+                    if (log.isDebugEnabled())
+                        log.debug(sm.getString("jaasRealm.accountExpired", principalName));
+                    return (null);
+                } catch (CredentialExpiredException e) {
+                    if (log.isDebugEnabled())
+                        log.debug(sm.getString("jaasRealm.credentialExpired", principalName));
+                    return (null);
+                } catch (FailedLoginException e) {
+                    if (log.isDebugEnabled())
+                        log.debug(sm.getString("jaasRealm.failedLogin", principalName));
+                    return (null);
+                } catch (LoginException e) {
+                    log.warn(sm.getString("jaasRealm.loginException", principalName), e);
+                    return (null);
+                } catch (Throwable e) {
+                    log.error(sm.getString("jaasRealm.unexpectedError"), e);
+                    return (null);
+                } finally {
+                    if (isUseContextClassLoader()) {
+                        Thread.currentThread().setContextClassLoader(ocl);
+                    }
+                }
+
+                if (log.isDebugEnabled())
+                    log.debug("Login context created " + principalName);
+
+                // Negotiate a login via this LoginContext
+                Subject subject = loginContext.getSubject();
+                ContextManager.setCallers(subject, subject);
+
+                if (log.isDebugEnabled())
+                    log.debug(sm.getString("jaasRealm.loginContextCreated", principalName));
+
+                // Return the appropriate Principal for this authenticated Subject
+                JAASTomcatPrincipal jaasPrincipal = new JAASTomcatPrincipal(principalName);
+                jaasPrincipal.setSubject(subject);
+
+                return (jaasPrincipal);
+            } else {
                 if (log.isDebugEnabled())
                     log.debug("Login Failed - null userID");
                 return null;
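Review bot: The rewrite drops the null guards the old code had around the subject: after `loginContext = ContextManager.login(appName, callbackHandler)` the new code calls `loginContext.getSubject()` and passes the result straight into `ContextManager.setCallers(subject, subject)` and `jaasPrincipal.setSubject(subject)`, so a context without a subject would now yield an authenticated principal carrying a null subject instead of a failed login. Unless ContextManager.login is guaranteed never to return a context without a subject (not visible here), the guard should be restored right after the getSubject() call: `if (subject == null) { if (log.isDebugEnabled()) log.debug(sm.getString("jaasRealm.failedLogin", principalName)); return (null); }`. The same pattern appears in the second TomcatJAASRealm hunk (`Subject subject = loginContext.getSubject();`). The comment `// Negotiate a login via this LoginContext` is now stale because the login already happened inside ContextManager.login; `// Login already negotiated by ContextManager.login; bind the resulting subject as the current caller` describes what the lines below actually do. The enclosing authenticate(CallbackHandler, String) method and its try block start outside the hunk.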
@@ -382,6 +350,7 @@
             return null;
         }
     }
+
     /**
      * Prepare for active use of the public methods of this <code>Component</code>.
      *

Modified: geronimo/server/branches/2.0/modules/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatJAASRealm.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.0/modules/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatJAASRealm.java?view=diff&rev=565936&r1=565935&r2=565936
==============================================================================
--- geronimo/server/branches/2.0/modules/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatJAASRealm.java
(original)
+++ geronimo/server/branches/2.0/modules/geronimo-tomcat6/src/main/java/org/apache/geronimo/tomcat/realm/TomcatJAASRealm.java
Tue Aug 14 14:54:50 2007
@@ -88,37 +88,7 @@
             }
 
             try {
-                loginContext = new LoginContext(appName, new JAASCallbackHandler(this, username,
credentials));
-            } catch (Throwable e) {
-                log.error(sm.getString("jaasRealm.unexpectedError"), e);
-                return (null);
-            } finally {
-                if (isUseContextClassLoader()) {
-                    Thread.currentThread().setContextClassLoader(ocl);
-                }
-            }
-
-            if (log.isDebugEnabled())
-                log.debug("Login context created " + username);
-
-            // Negotiate a login via this LoginContext
-            Subject subject = null;
-            try {
-                loginContext.login();
-                Subject tempSubject = loginContext.getSubject();
-                if (tempSubject == null) {
-                    if (log.isDebugEnabled())
-                        log.debug(sm.getString("jaasRealm.failedLogin", username));
-                    return (null);
-                }
-
-                subject = ContextManager.getServerSideSubject(tempSubject);
-                if (subject == null) {
-                    if (log.isDebugEnabled())
-                        log.debug(sm.getString("jaasRealm.failedLogin", username));
-                    return (null);
-                }
-
+                loginContext = ContextManager.login(appName, new JAASCallbackHandler(this,
username, credentials));
             } catch (AccountExpiredException e) {
                 if (log.isDebugEnabled())
                     log.debug(sm.getString("jaasRealm.accountExpired", username));
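Review bot: Replacing the `new LoginContext(...)` call with `ContextManager.login(appName, new JAASCallbackHandler(this, username, credentials))` changes what runs under the swapped context class loader: previously `loginContext.login()` executed only after the `finally` had restored `ocl`, whereas now the whole login, including every configured LoginModule, appears to run with the TCCL set inside the `isUseContextClassLoader()` branch (the restoring `finally` has moved to the next hunk). If that is intended, a comment on the try would keep the next reader from reverting it: `// ContextManager.login builds the LoginContext and runs login() in one call, so the TCCL swap now covers the LoginModules as well`. If it is not intended, the swap should be narrowed back to just the class-loading part. The `ocl` assignment, the `loginContext` declaration and the method signature are outside the hunk.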
@@ -137,8 +107,18 @@
             } catch (Throwable e) {
                 log.error(sm.getString("jaasRealm.unexpectedError"), e);
                 return (null);
+            } finally {
+                if (isUseContextClassLoader()) {
+                    Thread.currentThread().setContextClassLoader(ocl);
+                }
             }
 
+            if (log.isDebugEnabled())
+                log.debug("Login context created " + username);
+
+            // Negotiate a login via this LoginContext
+            Subject subject = loginContext.getSubject();
+            ContextManager.setCallers(subject, subject);
             if (log.isDebugEnabled())
                 log.debug(sm.getString("jaasRealm.loginContextCreated", username));
 

Modified: geronimo/server/branches/2.0/testsuite/enterprise-testsuite/sec-tests/sec-ejb/src/main/java/org/apache/geronimo/itest/TestLoginModule.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.0/testsuite/enterprise-testsuite/sec-tests/sec-ejb/src/main/java/org/apache/geronimo/itest/TestLoginModule.java?view=diff&rev=565936&r1=565935&r2=565936
==============================================================================
--- geronimo/server/branches/2.0/testsuite/enterprise-testsuite/sec-tests/sec-ejb/src/main/java/org/apache/geronimo/itest/TestLoginModule.java
(original)
+++ geronimo/server/branches/2.0/testsuite/enterprise-testsuite/sec-tests/sec-ejb/src/main/java/org/apache/geronimo/itest/TestLoginModule.java
Tue Aug 14 14:54:50 2007
@@ -69,7 +69,10 @@
         }
         user = ((NameCallback)callbacks[0]).getName();
         String password = new String(((PasswordCallback)callbacks[1]).getPassword());
-        return user.equals(password) && users.contains(user);
+        if (user.equals(password) && users.contains(user)) {
+            return true;
+        }
+        throw new LoginException();
     }
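Review bot: `throw new LoginException()` on the failure path carries no message, so when a realm logs it (the TomcatGeronimoRealm hunk above logs a plain `LoginException` at warn level via `jaasRealm.loginException`) nothing explains why the login was refused; a message naming the user but never the password would help, e.g. `throw new LoginException("login failed for user " + user);`. Because failure is now signalled by exception rather than by returning false, throwing `FailedLoginException` (a `LoginException` subtype) would reach the realm's dedicated `failedLogin` debug branch instead of the generic warn-level one, assuming this module is used with that realm and the import is added; neither is visible here. `new String(((PasswordCallback)callbacks[1]).getPassword())` keeps the password in an immutable String for the comparison; that is pre-existing and tolerable in a test fixture, but `java.util.Arrays.equals` on the `char[]` would avoid it. The enclosing `login()` and its callback handling start outside the hunk.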
 
     public boolean commit() throws LoginException {


