
From djen...@apache.org
Subject svn commit: r707714 - in /geronimo/server/trunk: framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ plugins/connector-1_6/geroni...
Date Fri, 24 Oct 2008 18:47:56 GMT
Author: djencks
Date: Fri Oct 24 11:47:56 2008
New Revision: 707714

URL: http://svn.apache.org/viewvc?rev=707714&view=rev
Log:
GERONIMO-4360 security modifications for connector 1.6

Added:
    geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
  (with props)
    geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
  (with props)
    geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
  (with props)
Removed:
    geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/pool/
Modified:
    geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java

Added: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java?rev=707714&view=auto
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
(added)
+++ geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
Fri Oct 24 11:47:56 2008
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.security;
+
+import java.security.AccessControlContext;
+import java.security.Principal;
+import java.util.List;
+
+import javax.security.auth.Subject;
+
+/**
+ * @version $Rev:$ $Date:$
+ */
+public class Context {
+    private final SubjectId id;
+    private final AccessControlContext context;
+    private final Subject subject;
+    private final Principal principal;
+    private final List<String> groups;
+
+    public Context(SubjectId id, AccessControlContext context, Subject subject, Principal
principal, List<String> groups) {
+        this.id = id;
+        this.context = context;
+        this.subject = subject;
+        this.principal = principal;
+        this.groups = groups;
+    }
+
+    public SubjectId getId() {
+        return id;
+    }
+
+    public AccessControlContext getContext() {
+        return context;
+    }
+
+    public Subject getSubject() {
+        return subject;
+    }
+
+    public Principal getPrincipal() {
+        return principal;
+    }
+
+    public List<String> getGroups() {
+        return groups;
+    }
+}
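Review bot: The constructor at L75-L82 stores the caller's `groups` list by reference and `getGroups()` (L100-L102) hands that same list back, so whoever built the list can change a registered subject's group membership after the fact, and on this page the list can also be null (ContextManager.registerSubjectShort forwards whatever it is given, and ConnectorCallbackHandler.getGroups returns null when no GroupPrincipalCallback arrived). A defensive, null-tolerant copy in the constructor closes both gaps: `this.groups = groups == null ? Collections.<String>emptyList() : Collections.unmodifiableList(new ArrayList<String>(groups));` (needs `java.util.ArrayList` and `java.util.Collections` imports). The class also has no Javadoc beyond the version tag; a one-line class comment such as `Immutable per-subject registration record kept by ContextManager: the SubjectId, the AccessControlContext captured for the subject, the caller principal and its group names.` would tell readers why the former private nested class became public.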

Propchange: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java?rev=707714&r1=707713&r2=707714&view=diff
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
(original)
+++ geronimo/server/trunk/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
Fri Oct 24 11:47:56 2008
@@ -29,6 +29,7 @@
 import java.util.IdentityHashMap;
 import java.util.Map;
 import java.util.Set;
+import java.util.List;
 
 import javax.crypto.Mac;
 import javax.crypto.SecretKey;
@@ -77,6 +78,12 @@
         subject.getPrincipals().add(principal);
         return loginContext;
     }
+    
+    public static LoginContext login(Subject subject, String realm, CallbackHandler callbackHandler)
throws LoginException {
+        LoginContext loginContext = new LoginContext(realm, subject, callbackHandler);
+        loginContext.login();
+        return loginContext;
+    }
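Review bot: The new `login(Subject, String, CallbackHandler)` overload at L137-L142 is undocumented and behaves differently from the overload ending just above it (L133-L135), which adds a principal to the subject after `loginContext.login()`; this one only runs the JAAS login and returns. A Javadoc stating that contract, e.g. `Runs a JAAS login against {@code realm} populating {@code subject} via {@code callbackHandler}; unlike the other overload it neither adds an IdentificationPrincipal nor registers the subject with this manager — callers must do that themselves.`, would keep the two from being used interchangeably. The method also accepts a null `realm` or `subject` and lets `LoginContext` fail later; if that is not intended, `if (subject == null || realm == null) throw new NullPointerException("subject and realm are required");` as the first line makes the precondition explicit.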
 
     public static void logout(LoginContext loginContext) throws LoginException {
         Subject subject = loginContext.getSubject();
@@ -159,7 +166,7 @@
 
         assert context != null : "No registered context";
 
-        return context.context;
+        return context.getContext();
     }
 
     public static Principal getCurrentPrincipal(Subject callerSubject) {
@@ -177,7 +184,7 @@
 
         assert context != null : "No registered context";
 
-        return context.principal;
+        return context.getPrincipal();
     }
 
     public static SubjectId getCurrentId() {
@@ -192,7 +199,7 @@
 
         assert context != null : "No registered context";
 
-        return context.id;
+        return context.getId();
     }
 
     public static SubjectId getSubjectId(Subject subject) {
@@ -201,7 +208,7 @@
 
         Context context = subjectContexts.get(subject);
 
-        return (context != null ? context.id : null);
+        return (context != null ? context.getId() : null);
     }
 
     public static Subject getRegisteredSubject(SubjectId id) {
@@ -220,33 +227,35 @@
             }
         }, null);
 
-        Context context = new Context();
-        context.subject = subject;
-        context.context = acc;
         Set<? extends Principal> principals = subject.getPrincipals(GeronimoCallerPrincipal.class);
+        Principal principal = null;
         if (!principals.isEmpty()) {
-            context.principal = principals.iterator().next();
+            principal = principals.iterator().next();
         } else if (!(principals = subject.getPrincipals(PrimaryRealmPrincipal.class)).isEmpty())
{
-            context.principal = principals.iterator().next();
+            principal = principals.iterator().next();
         } else if (!(principals = subject.getPrincipals(RealmPrincipal.class)).isEmpty())
{
-            context.principal = principals.iterator().next();
+            principal = principals.iterator().next();
         } else if (!(principals = subject.getPrincipals()).isEmpty()) {
-            context.principal = principals.iterator().next();
+            principal = principals.iterator().next();
         }
         Long id = nextSubjectId++;
+        SubjectId subjectId;
         try {
-            context.id = new SubjectId(id, hash(id));
+            subjectId = new SubjectId(id, hash(id));
         } catch (NoSuchAlgorithmException e) {
             throw new ProviderException("No such algorithm: " + algorithm + ".  This can
be caused by a misconfigured java.ext.dirs, JAVA_HOME or JRE_HOME environment variable");
         } catch (InvalidKeyException e) {
             throw new ProviderException("Invalid key: " + key.toString());
         }
-        subjectIds.put(context.id, subject);
+        List<String> groups = Collections.emptyList();
+        Context context = new Context(subjectId, acc, subject, principal, groups);
+        subjectIds.put(context.getId(), subject);
         subjectContexts.put(subject, context);
 
-        return context.id;
+        return context.getId();
     }
-    public static synchronized AccessControlContext registerSubjectShort(Subject subject)
{
+
+    public static synchronized AccessControlContext registerSubjectShort(Subject subject,
Principal callerPrincipal, List<String> groups) {
         SecurityManager sm = System.getSecurityManager();
         if (sm != null) sm.checkPermission(SET_CONTEXT);
 
@@ -254,7 +263,7 @@
         
         Context test = subjectContexts.get(subject);
         if (test != null) {
-            return test.context;
+            return test.getContext();
         }
 
         AccessControlContext acc = (AccessControlContext) Subject.doAsPrivileged(subject,
new PrivilegedAction() {
@@ -263,18 +272,19 @@
             }
         }, null);
 
-        Context context = new Context();
-        context.subject = subject;
-        context.context = acc;
         Long id = nextSubjectId++;
+        SubjectId subjectId;
         try {
-            context.id = new SubjectId(id, hash(id));
+            subjectId = new SubjectId(id, hash(id));
         } catch (NoSuchAlgorithmException e) {
             throw new ProviderException("No such algorithm: " + algorithm + ".  This can
be caused by a misconfigured java.ext.dirs, JAVA_HOME or JRE_HOME environment variable");
         } catch (InvalidKeyException e) {
             throw new ProviderException("Invalid key: " + key.toString());
         }
-        subjectIds.put(context.id, subject);
+        IdentificationPrincipal principal = new IdentificationPrincipal(subjectId);
+        subject.getPrincipals().add(principal);
+        Context context = new Context(subjectId, acc, subject, callerPrincipal, groups);
+        subjectIds.put(context.getId(), subject);
         subjectContexts.put(subject, context);
 
         return acc;
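Review bot: In `registerSubjectShort` the `IdentificationPrincipal` is added to the subject at L263-L264 only after the `AccessControlContext` was captured via `Subject.doAsPrivileged` at L242-L246, so if the captured context reflects the subject's principal set as of the snapshot it will not carry the identification principal that `registerSubject`'s flow (via the login overload) adds beforehand — hedged, since how `acc` is consumed is outside this hunk. Moving the `subject.getPrincipals().add(principal)` call ahead of the `doAsPrivileged` block would make the two registration paths consistent; that needs `subjectId` computed first, which is only a reordering of the existing lines. The method now also mutates its argument (and `Subject.getPrincipals().add` throws `IllegalStateException` on a read-only Subject), and `callerPrincipal`/`groups` are stored unchecked; a Javadoc line `Registers {@code subject}, adding an IdentificationPrincipal to it; {@code callerPrincipal} and {@code groups} are recorded as given and may be null.` should accompany the signature change, which also breaks existing callers of the one-argument form. The method begins outside this hunk.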
@@ -289,7 +299,7 @@
         Context context = subjectContexts.get(subject);
         if (context == null) return;
 
-        subjectIds.remove(context.id);
+        subjectIds.remove(context.getId());
         subjectContexts.remove(subject);
     }
 
@@ -383,11 +393,4 @@
         return mac.doFinal();
     }
 
-    private static class Context {
-        SubjectId id;
-        AccessControlContext context;
-        Subject subject;
-        Principal principal;
-    }
-
 }

Added: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java?rev=707714&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
(added)
+++ geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
Fri Oct 24 11:47:56 2008
@@ -0,0 +1,129 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.connector.work;
+
+import java.io.IOException;
+import java.security.Principal;
+import java.util.List;
+import java.util.Arrays;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
+import javax.security.auth.callback.NameCallback;
+import javax.security.auth.callback.PasswordCallback;
+import javax.security.auth.message.callback.CallerPrincipalCallback;
+import javax.security.auth.message.callback.GroupPrincipalCallback;
+import javax.security.auth.message.callback.PasswordValidationCallback;
+import javax.security.auth.message.callback.CertStoreCallback;
+import javax.security.auth.message.callback.PrivateKeyCallback;
+import javax.security.auth.message.callback.SecretKeyCallback;
+import javax.security.auth.message.callback.TrustStoreCallback;
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+
+import org.apache.geronimo.security.ContextManager;
+
+/**
+ * Spec 16.4.1:  must support CallerPrincipalCallback, GroupPrincipalCallback, PasswordValidationCallback.
+ * Recommended to support CertStoreCallback, PrivateKeyCallback, SecretKeyCallback, and TrustStoreCallback.
+ *
+ * @version $Rev:$ $Date:$
+ */
+public class ConnectorCallbackHandler implements CallbackHandler {
+
+    private final String realm;
+
+    private Principal callerPrincipal;
+    private String[] groupsArray;
+
+    public ConnectorCallbackHandler(String realm) {
+        if (realm == null) throw new NullPointerException("No realm provided");
+        this.realm = realm;
+    }
+
+    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
+    {
+        for (Callback callback: callbacks)
+        {
+            //jaspi to server communication
+            if (callback instanceof CallerPrincipalCallback)
+            {
+                callerPrincipal = ((CallerPrincipalCallback) callback).getPrincipal();
+            }
+            else if (callback instanceof GroupPrincipalCallback)
+            {
+                groupsArray = ((GroupPrincipalCallback)callback).getGroups();
+            }
+            else if (callback instanceof PasswordValidationCallback)
+            {
+                PasswordValidationCallback passwordValidationCallback = (PasswordValidationCallback)
callback;
+                Subject subject = passwordValidationCallback.getSubject();
+                final String userName = passwordValidationCallback.getUsername();
+                final char[] password = passwordValidationCallback.getPassword();
+                try {
+                    LoginContext loginContext = ContextManager.login(subject, realm, new
CallbackHandler() {
+                        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
{
+                            for (Callback callback: callbacks) {
+                                if (callback instanceof NameCallback) {
+                                    ((NameCallback)callback).setName(userName);
+                                } else if (callback instanceof PasswordCallback) {
+                                    ((PasswordCallback)callback).setPassword(password);
+                            } else throw new UnsupportedCallbackException(callback);
+                            }
+                        }
+                    });
+                } catch (LoginException e) {
+                    throw (IOException)new IOException("Could not log in").initCause(e);
+                }
+
+            }
+            //server to jaspi communication
+            //TODO implement these
+            else if (callback instanceof CertStoreCallback)
+            {
+            }
+            else if (callback instanceof PrivateKeyCallback)
+            {
+            }
+            else if (callback instanceof SecretKeyCallback)
+            {
+            }
+            else if (callback instanceof TrustStoreCallback)
+            {
+            }
+            else
+            {
+                throw new UnsupportedCallbackException(callback);
+            }
+        }
+    }
+
+    public Principal getCallerPrincipal() {
+        return callerPrincipal;
+    }
+
+    public List<String> getGroups() {
+        return groupsArray == null? null: Arrays.asList(groupsArray);
+    }
+
+}
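Review bot: The `PasswordValidationCallback` branch at L376-L401 never reports the outcome back to the caller: `PasswordValidationCallback` carries a result flag that the handler is expected to set, so a successful JAAS login still leaves the callback reading as "not validated", and a failed login is surfaced only as an `IOException`. Add `passwordValidationCallback.setResult(true);` after the `ContextManager.login(...)` call and `passwordValidationCallback.setResult(false);` in the `LoginException` catch before rethrowing (or instead of rethrowing, if the resource adapter is meant to see a plain negative result). The `LoginContext` returned at L384 is discarded, so the login it performed can never be logged out through it — worth a comment saying whether that is intentional. `getGroups()` at L427-L429 returns null when no `GroupPrincipalCallback` was delivered and otherwise a fixed-size view over the array the callback handed in; `return groupsArray == null ? Collections.<String>emptyList() : new ArrayList<String>(Arrays.asList(groupsArray));` gives callers a non-null, independent list (needs `java.util.ArrayList` and `java.util.Collections` imports). The brace at L393 is misindented relative to its `if`.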

Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/ConnectorCallbackHandler.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Added: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java?rev=707714&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
(added)
+++ geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
Fri Oct 24 11:47:56 2008
@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.connector.work;
+
+import javax.resource.spi.work.WorkCompletedException;
+import javax.resource.spi.work.SecurityInflowContext;
+import javax.security.auth.Subject;
+import javax.security.auth.login.LoginException;
+
+import org.apache.geronimo.security.credentialstore.CredentialStore;
+import org.apache.geronimo.security.ContextManager;
+import org.apache.geronimo.security.Callers;
+
+/**
+ * @version $Rev:$ $Date:$
+ */
+public class SecurityInflowContextHandler implements InflowContextHandler<SecurityInflowContext>
{
+
+    private final String realm;
+    private final Subject serviceSubject;
+
+    private final ThreadLocal<Callers> callers = new ThreadLocal<Callers>();
+
+    public SecurityInflowContextHandler(String realm, String serviceSubjectRealm, String
serviceSubjectId, CredentialStore credentialStore) throws LoginException {
+        serviceSubject = credentialStore.getSubject(serviceSubjectRealm, serviceSubjectId);
+        this.realm = realm;
+    }
+
+    public void before(SecurityInflowContext securityInflowContext) throws WorkCompletedException
{
+        Subject clientSubject = new Subject();
+        ConnectorCallbackHandler callbackHandler = new ConnectorCallbackHandler(realm);
+        securityInflowContext.setupSecurityContext(callbackHandler, clientSubject, serviceSubject);
+        ContextManager.registerSubjectShort(clientSubject, callbackHandler.getCallerPrincipal(),
callbackHandler.getGroups());
+        callers.set(ContextManager.getCallers());
+        ContextManager.setCallers(clientSubject, clientSubject);
+    }
+
+    public void after(SecurityInflowContext securityInflowContext) throws WorkCompletedException
{
+        Subject clientSubject = ContextManager.getCurrentCaller();
+        ContextManager.popCallers(callers.get());
+        callers.remove();
+        ContextManager.unregisterSubject(clientSubject);
+    }
+
+    public Class<SecurityInflowContext> getHandledClass() {
+        return SecurityInflowContext.class;
+    }
+}
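Review bot: `before` at L501-L510 registers `clientSubject` with `ContextManager` and only then populates the `callers` thread-local and installs the new callers; if `getCallers()` or `setCallers` throws, the subject remains in ContextManager's registration maps with nothing to remove it, because `after` is the only place `unregisterSubject` is called and it depends on the thread-local that was never set. Guarding the two calls after `registerSubjectShort` so a failure unregisters the subject keeps the registry from accumulating stale entries. Separately, `after` at L512-L518 passes `callers.get()` to `popCallers` unconditionally; if the container ever invokes `after` on a thread where `before` did not complete, that value is null, and whether `popCallers` tolerates null is not visible here. `callbackHandler.getGroups()` on L507 may also be null (see ConnectorCallbackHandler.getGroups), which is then stored as the subject's group list.
```java
    public void before(SecurityInflowContext securityInflowContext) throws WorkCompletedException {
        // … unchanged: clientSubject / callbackHandler creation and setupSecurityContext …
        ContextManager.registerSubjectShort(clientSubject, callbackHandler.getCallerPrincipal(), callbackHandler.getGroups());
        boolean installed = false;
        try {
            callers.set(ContextManager.getCallers());
            ContextManager.setCallers(clientSubject, clientSubject);
            installed = true;
        } finally {
            // undo the registration if installing the caller context failed,
            // since after() will never run for this invocation
            if (!installed) {
                ContextManager.unregisterSubject(clientSubject);
            }
        }
    }
```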

Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/trunk/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/work/SecurityInflowContextHandler.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain


