Author: djencks
Date: Fri Oct 24 11:47:56 2008
New Revision: 707714
URL: http://svn.apache.org/viewvc?rev=707714&view=rev
Log:
GERONIMO-4360 security modifications for connector 1.6
Added:
geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
(with props)
geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
(with props)
geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
(with props)
Removed:
geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/pool/
Modified:
geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
Added: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java?rev=707714&view=auto
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
(added)
+++ geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
Fri Oct 24 11:47:56 2008
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.security;
+
+import java.security.AccessControlContext;
+import java.security.Principal;
+import java.util.List;
+
+import javax.security.auth.Subject;
+
+/**
+ * @version $Rev:$ $Date:$
+ */
+public class Context {
+ private final SubjectId id;
+ private final AccessControlContext context;
+ private final Subject subject;
+ private final Principal principal;
+ private final List<String> groups;
+
+ public Context(SubjectId id, AccessControlContext context, Subject subject, Principal
principal, List<String> groups) {
+ this.id = id;
+ this.context = context;
+ this.subject = subject;
+ this.principal = principal;
+ this.groups = groups;
+ }
+
+ public SubjectId getId() {
+ return id;
+ }
+
+ public AccessControlContext getContext() {
+ return context;
+ }
+
+ public Subject getSubject() {
+ return subject;
+ }
+
+ public Principal getPrincipal() {
+ return principal;
+ }
+
+ public List<String> getGroups() {
+ return groups;
+ }
+}
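Review bot: The constructor stores the `groups` list it is handed and `getGroups()` returns that same reference, so whoever still holds the list — in this commit `SecurityInflowContextHandler` passes an `Arrays.asList` view over the callback handler's array — can change a registered subject's group membership after registration, and a null list (which `ConnectorCallbackHandler.getGroups()` returns when no group callback arrived) is stored as-is while `registerSubject` always supplies `Collections.emptyList()`. Since every other field is a final, read-only part of the caller identity, snapshot the list in the constructor: `this.groups = groups == null ? Collections.<String>emptyList() : Collections.unmodifiableList(new ArrayList<String>(groups));` (imports `java.util.ArrayList` and `java.util.Collections`). The class also carries only a `@version` tag; a Javadoc stating that an instance is an immutable record of one registered subject (its id, the captured `AccessControlContext`, the caller principal and the group names), with `@param` entries on the constructor, would document the contract the rest of the commit relies on.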
Propchange: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java?rev=707714&r1=707713&r2=707714&view=diff
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
(original)
+++ geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
Fri Oct 24 11:47:56 2008
@@ -29,6 +29,7 @@
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Set;
+import java.util.List;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
@@ -77,6 +78,12 @@
subject.getPrincipals().add(principal);
return loginContext;
}
+
+ public static LoginContext login(Subject subject, String realm, CallbackHandler callbackHandler)
throws LoginException {
+ LoginContext loginContext = new LoginContext(realm, subject, callbackHandler);
+ loginContext.login();
+ return loginContext;
+ }
public static void logout(LoginContext loginContext) throws LoginException {
Subject subject = loginContext.getSubject();
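Review bot: The new `login` overload has no Javadoc, and it differs from the overload directly above it — which, as the context lines at the top of this hunk show, adds a principal to the subject before returning — in leaving the subject's principal set untouched; whether that asymmetry is intentional (this commit has `registerSubjectShort` add the `IdentificationPrincipal` instead) should be stated where the next reader will look. Suggested text: `/** Authenticates {@code subject} against {@code realm} using the supplied {@code callbackHandler}. No identification principal is added here; callers are expected to register the subject afterwards. @throws LoginException as reported by the LoginContext */`. The method is complete within the hunk.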
@@ -159,7 +166,7 @@
assert context != null : "No registered context";
- return context.context;
+ return context.getContext();
}
public static Principal getCurrentPrincipal(Subject callerSubject) {
@@ -177,7 +184,7 @@
assert context != null : "No registered context";
- return context.principal;
+ return context.getPrincipal();
}
public static SubjectId getCurrentId() {
@@ -192,7 +199,7 @@
assert context != null : "No registered context";
- return context.id;
+ return context.getId();
}
public static SubjectId getSubjectId(Subject subject) {
@@ -201,7 +208,7 @@
Context context = subjectContexts.get(subject);
- return (context != null ? context.id : null);
+ return (context != null ? context.getId() : null);
}
public static Subject getRegisteredSubject(SubjectId id) {
@@ -220,33 +227,35 @@
}
}, null);
- Context context = new Context();
- context.subject = subject;
- context.context = acc;
Set<? extends Principal> principals = subject.getPrincipals(GeronimoCallerPrincipal.class);
+ Principal principal = null;
if (!principals.isEmpty()) {
- context.principal = principals.iterator().next();
+ principal = principals.iterator().next();
} else if (!(principals = subject.getPrincipals(PrimaryRealmPrincipal.class)).isEmpty())
{
- context.principal = principals.iterator().next();
+ principal = principals.iterator().next();
} else if (!(principals = subject.getPrincipals(RealmPrincipal.class)).isEmpty())
{
- context.principal = principals.iterator().next();
+ principal = principals.iterator().next();
} else if (!(principals = subject.getPrincipals()).isEmpty()) {
- context.principal = principals.iterator().next();
+ principal = principals.iterator().next();
}
Long id = nextSubjectId++;
+ SubjectId subjectId;
try {
- context.id = new SubjectId(id, hash(id));
+ subjectId = new SubjectId(id, hash(id));
} catch (NoSuchAlgorithmException e) {
throw new ProviderException("No such algorithm: " + algorithm + ". This can
be caused by a misconfigured java.ext.dirs, JAVA_HOME or JRE_HOME environment variable");
} catch (InvalidKeyException e) {
throw new ProviderException("Invalid key: " + key.toString());
}
- subjectIds.put(context.id, subject);
+ List<String> groups = Collections.emptyList();
+ Context context = new Context(subjectId, acc, subject, principal, groups);
+ subjectIds.put(context.getId(), subject);
subjectContexts.put(subject, context);
- return context.id;
+ return context.getId();
}
- public static synchronized AccessControlContext registerSubjectShort(Subject subject)
{
+
+ public static synchronized AccessControlContext registerSubjectShort(Subject subject,
Principal callerPrincipal, List<String> groups) {
SecurityManager sm = System.getSecurityManager();
if (sm != null) sm.checkPermission(SET_CONTEXT);
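Review bot: `registerSubjectShort` gains `callerPrincipal` and `groups` parameters but nothing normalizes them, and its only caller in this commit, `SecurityInflowContextHandler.before`, can pass null for either (`ConnectorCallbackHandler.getGroups()` returns null when no `GroupPrincipalCallback` was delivered), whereas `registerSubject` a few lines above now stores `Collections.emptyList()`. Readers of `Context.getGroups()` will therefore see an empty list or null depending on which registration path ran; add `if (groups == null) groups = Collections.emptyList();` at the top of the method so both paths agree. Both methods are undocumented; the new signature should at least say that `callerPrincipal` and `groups`, not the subject's own principals, become the registered caller identity. The body of `registerSubjectShort` continues past the end of this hunk.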
@@ -254,7 +263,7 @@
Context test = subjectContexts.get(subject);
if (test != null) {
- return test.context;
+ return test.getContext();
}
AccessControlContext acc = (AccessControlContext) Subject.doAsPrivileged(subject,
new PrivilegedAction() {
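Review bot: When the subject is already present in `subjectContexts` the method returns `test.getContext()` and the newly added `callerPrincipal` and `groups` arguments are silently discarded, so a repeat registration with a different identity neither updates the stored context nor tells the caller that it was ignored. Either document that subsequent registrations of the same subject are no-ops, or detect the conflict: `if (test != null && callerPrincipal != null && !callerPrincipal.equals(test.getPrincipal())) throw new IllegalStateException("Subject already registered with a different caller principal");`. The enclosing method starts and ends outside this hunk.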
@@ -263,18 +272,19 @@
}
}, null);
- Context context = new Context();
- context.subject = subject;
- context.context = acc;
Long id = nextSubjectId++;
+ SubjectId subjectId;
try {
- context.id = new SubjectId(id, hash(id));
+ subjectId = new SubjectId(id, hash(id));
} catch (NoSuchAlgorithmException e) {
throw new ProviderException("No such algorithm: " + algorithm + ". This can
be caused by a misconfigured java.ext.dirs, JAVA_HOME or JRE_HOME environment variable");
} catch (InvalidKeyException e) {
throw new ProviderException("Invalid key: " + key.toString());
}
- subjectIds.put(context.id, subject);
+ IdentificationPrincipal principal = new IdentificationPrincipal(subjectId);
+ subject.getPrincipals().add(principal);
+ Context context = new Context(subjectId, acc, subject, callerPrincipal, groups);
+ subjectIds.put(context.getId(), subject);
subjectContexts.put(subject, context);
return acc;
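Review bot: The `IdentificationPrincipal` is added to `subject.getPrincipals()` only after the `AccessControlContext` captured earlier in the method (the `Subject.doAsPrivileged` call whose closing `}, null);` opens this hunk) was computed, so `acc` reflects the subject without that principal; if nothing consults it in policy decisions this is harmless, but a comment such as `// the identification principal is intentionally not part of the captured ACC` would save the next reader the question, or the add could move ahead of the doAsPrivileged call. `Subject.getPrincipals().add` also throws `IllegalStateException` for a read-only subject — presumably inbound subjects are never made read-only before this point, but the method does not check. The enclosing method starts outside this hunk.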
@@ -289,7 +299,7 @@
Context context = subjectContexts.get(subject);
if (context == null) return;
- subjectIds.remove(context.id);
+ subjectIds.remove(context.getId());
subjectContexts.remove(subject);
}
@@ -383,11 +393,4 @@
return mac.doFinal();
}
- private static class Context {
- SubjectId id;
- AccessControlContext context;
- Subject subject;
- Principal principal;
- }
-
}
Added: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java?rev=707714&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
(added)
+++ geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
Fri Oct 24 11:47:56 2008
@@ -0,0 +1,129 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.connector.work;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.List;
+import java.util.Arrays;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.message.callback.CallerPrincipalCallback;
+import javax.security.auth.message.callback.GroupPrincipalCallback;
+import javax.security.auth.message.callback.PasswordValidationCallback;
+import javax.security.auth.message.callback.CertStoreCallback;
+import javax.security.auth.message.callback.PrivateKeyCallback;
+import javax.security.auth.message.callback.SecretKeyCallback;
+import javax.security.auth.message.callback.TrustStoreCallback;
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.apache.geronimo.security.ContextManager;
+
+/**
+ * Spec 16.4.1: must support CallerPrincipalCallback, GroupPrincipalCallback, PasswordValidationCallback.
+ * Recommended to support CertStoreCallback, PrivateKeyCallback, SecretKeyCallback, and TrustStoreCallback.
+ *
+ * @version $Rev:$ $Date:$
+ */
+public class ConnectorCallbackHandler implements CallbackHandler {
+
+ private final String realm;
+
+ private Principal callerPrincipal;
+ private String[] groupsArray;
+
+ public ConnectorCallbackHandler(String realm) {
+ if (realm == null) throw new NullPointerException("No realm provided");
+ this.realm = realm;
+ }
+
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
+ {
+ for (Callback callback: callbacks)
+ {
+ //jaspi to server communication
+ if (callback instanceof CallerPrincipalCallback)
+ {
+ callerPrincipal = ((CallerPrincipalCallback) callback).getPrincipal();
+ }
+ else if (callback instanceof GroupPrincipalCallback)
+ {
+ groupsArray = ((GroupPrincipalCallback)callback).getGroups();
+ }
+ else if (callback instanceof PasswordValidationCallback)
+ {
+ PasswordValidationCallback passwordValidationCallback = (PasswordValidationCallback)
callback;
+ Subject subject = passwordValidationCallback.getSubject();
+ final String userName = passwordValidationCallback.getUsername();
+ final char[] password = passwordValidationCallback.getPassword();
+ try {
+ LoginContext loginContext = ContextManager.login(subject, realm, new
CallbackHandler() {
+ public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+ for (Callback callback: callbacks) {
+ if (callback instanceof NameCallback) {
+ ((NameCallback)callback).setName(userName);
+ } else if (callback instanceof PasswordCallback) {
+ ((PasswordCallback)callback).setPassword(password);
+ } else throw new UnsupportedCallbackException(callback);
+ }
+ }
+ });
+ } catch (LoginException e) {
+ throw (IOException)new IOException("Could not log in").initCause(e);
+ }
+
+ }
+ //server to jaspi communication
+ //TODO implement these
+ else if (callback instanceof CertStoreCallback)
+ {
+ }
+ else if (callback instanceof PrivateKeyCallback)
+ {
+ }
+ else if (callback instanceof SecretKeyCallback)
+ {
+ }
+ else if (callback instanceof TrustStoreCallback)
+ {
+ }
+ else
+ {
+ throw new UnsupportedCallbackException(callback);
+ }
+ }
+ }
+
+ public Principal getCallerPrincipal() {
+ return callerPrincipal;
+ }
+
+ public List<String> getGroups() {
+ return groupsArray == null? null: Arrays.asList(groupsArray);
+ }
+
+}
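Review bot: The `PasswordValidationCallback` branch never calls `passwordValidationCallback.setResult(...)`, so the callback's result stays at its default of false even after `ContextManager.login` succeeds, and a failed login surfaces as an `IOException` rather than as a negative result; a resource adapter that follows the callback contract and inspects `getResult()` after `handle` returns will treat every validation as failed. Set the outcome explicitly: `passwordValidationCallback.setResult(true);` after the login call, and `passwordValidationCallback.setResult(false);` in the catch block (keeping the IOException only if the adapter is meant to see the cause). The `LoginContext` returned by the login is discarded, so nothing can later `logout` the modules that committed into the subject — acceptable if the subject lives only for the inflow work, but worth a comment. The handler also keeps `callerPrincipal` and `groupsArray` as mutable instance state, so one instance must not be shared between concurrent `handle` calls; the class Javadoc should say so.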
Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
------------------------------------------------------------------------------
svn:mime-type = text/plain
Added: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java?rev=707714&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
(added)
+++ geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
Fri Oct 24 11:47:56 2008
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.connector.work;
+
+import javax.resource.spi.work.WorkCompletedException;
+import javax.resource.spi.work.SecurityInflowContext;
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginException;
+
+import org.apache.geronimo.security.credentialstore.CredentialStore;
+import org.apache.geronimo.security.ContextManager;
+import org.apache.geronimo.security.Callers;
+
+/**
+ * @version $Rev:$ $Date:$
+ */
+public class SecurityInflowContextHandler implements InflowContextHandler<SecurityInflowContext>
{
+
+ private final String realm;
+ private final Subject serviceSubject;
+
+ private final ThreadLocal<Callers> callers = new ThreadLocal<Callers>();
+
+ public SecurityInflowContextHandler(String realm, String serviceSubjectRealm, String
serviceSubjectId, CredentialStore credentialStore) throws LoginException {
+ serviceSubject = credentialStore.getSubject(serviceSubjectRealm, serviceSubjectId);
+ this.realm = realm;
+ }
+
+ public void before(SecurityInflowContext securityInflowContext) throws WorkCompletedException
{
+ Subject clientSubject = new Subject();
+ ConnectorCallbackHandler callbackHandler = new ConnectorCallbackHandler(realm);
+ securityInflowContext.setupSecurityContext(callbackHandler, clientSubject, serviceSubject);
+ ContextManager.registerSubjectShort(clientSubject, callbackHandler.getCallerPrincipal(),
callbackHandler.getGroups());
+ callers.set(ContextManager.getCallers());
+ ContextManager.setCallers(clientSubject, clientSubject);
+ }
+
+ public void after(SecurityInflowContext securityInflowContext) throws WorkCompletedException
{
+ Subject clientSubject = ContextManager.getCurrentCaller();
+ ContextManager.popCallers(callers.get());
+ callers.remove();
+ ContextManager.unregisterSubject(clientSubject);
+ }
+
+ public Class<SecurityInflowContext> getHandledClass() {
+ return SecurityInflowContext.class;
+ }
+}
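Review bot: `after` decides which subject to unregister by calling `ContextManager.getCurrentCaller()` instead of using the `clientSubject` that `before` created and registered; if the work, or a nested handler, changed the current caller in between, `after` unregisters whatever `getCurrentCaller()` returns at that moment and the inbound `clientSubject` (one per piece of work) stays in `ContextManager`'s maps for good. Keep the registered subject in thread-local state alongside the saved `Callers` and unregister exactly that. The single `ThreadLocal<Callers>` also cannot nest — a second `before` on the same thread overwrites the first saved `Callers` — which matters only if the work manager can deliver nested inflow contexts on one thread; presumably it does not, but a comment stating that assumption would help. Whether `after` runs when `before` throws part-way (for example from `registerSubjectShort`) is not visible here; if it does, `popCallers(null)` followed by unregistering an unrelated caller would result.
```java
    private final ThreadLocal<Callers> callers = new ThreadLocal<Callers>();
    private final ThreadLocal<Subject> registeredSubject = new ThreadLocal<Subject>();

    // … unchanged: constructor, start of before() through registerSubjectShort …
        registeredSubject.set(clientSubject);
        callers.set(ContextManager.getCallers());
    // … unchanged: setCallers, end of before() …

    public void after(SecurityInflowContext securityInflowContext) throws WorkCompletedException {
        Subject clientSubject = registeredSubject.get();
        registeredSubject.remove();
        // … unchanged: popCallers, callers.remove(), unregisterSubject(clientSubject) …
```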
Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
------------------------------------------------------------------------------
svn:keywords = Date Revision
Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
------------------------------------------------------------------------------
svn:mime-type = text/plain