From djen...@apache.org
Subject svn commit: r1000268 - in /geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat: core/ security/ security/authentication/ security/authentication/jaspic/ security/jacc/
Date Wed, 22 Sep 2010 22:55:12 GMT
Author: djencks
Date: Wed Sep 22 22:55:11 2010
New Revision: 1000268

URL: http://svn.apache.org/viewvc?rev=1000268&view=rev
Log:
GERONIMO-5468 Based on an original patch by Han Hong Fan. Support the authenticate and login/logout methods of the HttpServletRequest interface. May need some tidying up.

Modified:
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/core/GeronimoApplicationServletRegistrationAdapter.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/AuthResult.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/Authenticator.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/SecurityValve.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCRealm.java

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/core/GeronimoApplicationServletRegistrationAdapter.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/core/GeronimoApplicationServletRegistrationAdapter.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/core/GeronimoApplicationServletRegistrationAdapter.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/core/GeronimoApplicationServletRegistrationAdapter.java Wed Sep 22 22:55:11 2010
@@ -63,9 +63,13 @@ public class GeronimoApplicationServletR
 
     @Override
     public void setRunAsRole(String roleName) {
-        applicationServletRegistration.setRunAsRole(roleName);
-        SpecSecurityBuilder specSecurityBuilder = applicationContext.getSpecSecurityBuilder();
-        specSecurityBuilder.declareRoles(roleName);
+        if (roleName != null) {
+            applicationServletRegistration.setRunAsRole(roleName);
+            SpecSecurityBuilder specSecurityBuilder = applicationContext.getSpecSecurityBuilder();
+            if (specSecurityBuilder != null) {
+                specSecurityBuilder.declareRoles(roleName);
+            }
+        }
     }
 
     @Override
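Review bot: The new `roleName != null` guard turns a null role into a silent no-op, whereas the Servlet 3.0 javadoc for `ServletRegistration.Dynamic.setRunAsRole` specifies an `IllegalArgumentException` for a null argument, which the delegate presumably enforced before this change. Consider `if (roleName == null) { throw new IllegalArgumentException("roleName is null"); }` in place of the guard so a misconfigured run-as role fails loudly instead of leaving the servlet running without the intended role. The `specSecurityBuilder != null` check is equally silent: when the builder is absent the role is never declared, and a short comment stating when a missing builder is expected would help the next reader decide whether that is safe.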

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/AuthResult.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/AuthResult.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/AuthResult.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/AuthResult.java Wed Sep 22 22:55:11 2010
@@ -27,9 +27,11 @@ public class AuthResult {
 
     private final TomcatAuthStatus authStatus;
     private final UserIdentity userIdentity;
+    private final boolean containerCaching;
 
-    public AuthResult(TomcatAuthStatus authStatus, UserIdentity userIdentity) {
+    public AuthResult(TomcatAuthStatus authStatus, UserIdentity userIdentity, boolean containerCaching) {
         this.authStatus = authStatus;
+        this.containerCaching = containerCaching;
         this.userIdentity = userIdentity;
     }
 
@@ -40,4 +42,8 @@ public class AuthResult {
     public UserIdentity getUserIdentity() {
         return userIdentity;
     }
+
+    public boolean isContainerCaching() {
+        return containerCaching;
+    }
 }
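Review bot: `isContainerCaching()` and the `containerCaching` constructor argument in the previous hunk carry no documentation, and their meaning is only discoverable from SecurityValve.cacheIdentity in this same commit, where a true value causes the identity to be stored as a session note and handed back as `cachedIdentity` on later requests. Add a Javadoc to the getter, e.g. `/** True when SecurityValve should store this identity in the session and supply it as cachedIdentity on subsequent requests; false for schemes that present credentials on every request (BASIC and DIGEST pass false in this commit). */`. Because a cached identity skips re-authentication, the flag is security-relevant and the contract for who may set it true deserves to be written down.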

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/Authenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/Authenticator.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/Authenticator.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/Authenticator.java Wed Sep 22 22:55:11 2010
@@ -20,6 +20,9 @@
 
 package org.apache.geronimo.tomcat.security;
 
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletResponse;
+
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 
@@ -29,9 +32,13 @@ import org.apache.catalina.connector.Res
  */
 public interface Authenticator {
 
-    AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException;
+    AuthResult validateRequest(Request request, HttpServletResponse response, boolean isAuthMandatory, UserIdentity cachedIdentity) throws ServerAuthException;
 
     boolean secureResponse(Request request, Response response, AuthResult authResult) throws ServerAuthException;
 
     String getAuthType();
+
+    AuthResult login(String username, String password, Request request) throws ServletException;
+
+    void logout(Request request) throws ServletException;
 }
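Review bot: The interface gains three new contract points — the `cachedIdentity` parameter on `validateRequest`, `login` and `logout` — with no Javadoc; the class comment above the hunk does not cover them. Document on `validateRequest` that `cachedIdentity` is the identity SecurityValve previously stored for this session, that it may be null, and whether an implementation is allowed to ignore it (BasicAuthenticator and DigestAuthenticator do so in this commit, FormAuthenticator honours it). Document on `login` that it must not commit the response and which status a rejected credential yields (`FAILURE` in the implementations here), and on `logout` what state an implementation is expected to clear, since SecurityValve.logout only removes its own cached-identity note.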

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/SecurityValve.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/SecurityValve.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/SecurityValve.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/SecurityValve.java Wed Sep 22 22:55:11 2010
@@ -24,15 +24,20 @@ import java.io.IOException;
 import java.security.Principal;
 
 import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletResponse;
 
+import org.apache.catalina.Session;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
+import org.apache.catalina.deploy.LoginConfig;
 import org.apache.catalina.valves.ValveBase;
 
 /**
  * @version $Rev$ $Date$
  */
-public class SecurityValve extends ValveBase {
+public class SecurityValve extends ValveBase implements org.apache.catalina.Authenticator {
+
+    public final static String CACHED_IDENTITY_KEY = "org.apache.geronimo.jaspic.servlet.cachedIdentity";
 
     private final Authenticator authenticator;
     private final Authorizer authorizer;
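Review bot: `CACHED_IDENTITY_KEY` is declared `public final static`; the conventional modifier order is `public static final String CACHED_IDENTITY_KEY = "org.apache.geronimo.jaspic.servlet.cachedIdentity";`. The value names jaspic, but the note is written for every Authenticator implementation that returns containerCaching, so a comment such as `// session-note key under which SecurityValve caches the authenticated UserIdentity for all authenticators` would avoid the wrong inference. Making the key public also lets any code with access to the session read or overwrite the cached identity; if nothing outside SecurityValve needs it, `private` is the safer default.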
@@ -59,32 +64,25 @@ public class SecurityValve extends Valve
         boolean isAuthMandatory = authorizer.isAuthMandatory(request, constraints);
 
         try {
-            AuthResult authResult = authenticator.validateRequest(request, response, isAuthMandatory);
+            AuthResult authResult = authenticator.validateRequest(request, response, isAuthMandatory, getCachedIdentity(request));
 
             TomcatAuthStatus authStatus = authResult.getAuthStatus();
 
             if (authStatus == TomcatAuthStatus.FAILURE) {
-                return;
             } else if (authStatus == TomcatAuthStatus.SEND_CONTINUE) {
-                return;
+                cacheIdentity(request, authResult);
             } else if (authStatus == TomcatAuthStatus.SEND_FAILURE) {
-                return;
             } else if (authStatus == TomcatAuthStatus.SEND_SUCCESS) {
-                return;
             } else if (authStatus == TomcatAuthStatus.SUCCESS) {
-                request.setAuthType(authenticator.getAuthType());
-                UserIdentity userIdentity = authResult.getUserIdentity();
-                Principal principal = userIdentity == null? null: userIdentity.getUserPrincipal();
-                request.setUserPrincipal(principal);
+                Object previous = doSuccess(request, authResult);
                 if (isAuthMandatory) {
-                    if (!authorizer.hasResourcePermissions(request, authResult, constraints, userIdentity)) {
+                    if (!authorizer.hasResourcePermissions(request, authResult, constraints, authResult.getUserIdentity())) {
                         if (!response.isError()) {
                             response.sendError(Response.SC_FORBIDDEN);
                         }
                         return;
                     }
                 }
-                Object previous = identityService.associate(userIdentity);
                 try {
                     getNext().invoke(request, response);
                 } finally {
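Review bot: `doSuccess` at the top of the SUCCESS branch now calls `identityService.associate(userIdentity)` before the `hasResourcePermissions` check, but the `return;` on the forbidden path exits without restoring `previous`; in the removed code the association happened only after the check had passed. Unless the outer `try` that begins above this hunk restores it in a `finally` outside the view, a request that is answered with 403 leaves the caller's identity associated with the worker thread for whatever runs next on it. Restore `previous` the same way the `finally` below does before that `return;`, or keep the association after the permission block as before. The FAILURE, SEND_FAILURE and SEND_SUCCESS branches are now empty bodies with their `return;` removed; whether falling through is intended depends on what follows the chain outside the hunk, and a comment such as `// response already committed by the authenticator; nothing more to do` would make the intent explicit.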
@@ -102,4 +100,75 @@ public class SecurityValve extends Valve
 
 
     }
+
+    private Object doSuccess(Request request, AuthResult authResult) {
+        cacheIdentity(request, authResult);
+        UserIdentity userIdentity = authResult.getUserIdentity();
+        Principal principal = userIdentity == null? null: userIdentity.getUserPrincipal();
+        if (principal != null) {
+            request.setAuthType(authenticator.getAuthType());
+            request.setUserPrincipal(principal);
+        }
+        return identityService.associate(userIdentity);
+    }
+
+    private void cacheIdentity(Request request, AuthResult authResult) {
+        UserIdentity userIdentity = authResult.getUserIdentity();
+        if (userIdentity != null && authResult.isContainerCaching()) {
+            Session session = request.getSessionInternal(true);
+            session.setNote(CACHED_IDENTITY_KEY, userIdentity);
+        }
+    }
+
+    private UserIdentity getCachedIdentity(Request request) {
+        Session session = request.getSessionInternal(false);
+        return session == null? null: (UserIdentity)session.getNote(CACHED_IDENTITY_KEY);
+
+    }
+
+    @Override
+    public boolean authenticate(Request request, HttpServletResponse response, LoginConfig config) throws IOException {
+        try {
+            //this call is the user program requesting authentication,
+            // so auth was not declaratively mandatory for this request, but is mandatory now.
+            AuthResult authResult = authenticator.validateRequest(request, response, true, getCachedIdentity(request));
+            TomcatAuthStatus authStatus = authResult.getAuthStatus();
+            if (TomcatAuthStatus.SUCCESS.equals(authStatus)) {
+                doSuccess(request, authResult);
+                return true;
+            }
+            return false;
+        } catch (ServerAuthException e) {
+            throw new IOException(e.getMessage(), e.getCause());
+        }
+    }
+
+    @Override
+    public void register(Request request, HttpServletResponse response, Principal principal, String authType, String username, String password) {
+        //we don't do this, session tracking is done by the jaspic authenticators
+        throw new IllegalStateException("should not be called in geronimo integration");
+    }
+
+    @Override
+    public void login(String username, String password, Request request) throws ServletException {
+        AuthResult authResult = authenticator.login(username, password, request);
+        TomcatAuthStatus authStatus = authResult.getAuthStatus();
+
+        if (authStatus == TomcatAuthStatus.SUCCESS) {
+            doSuccess(request, authResult);
+        } else {
+            throw new ServletException("Could not log in");
+        }
+    }
+
+    @Override
+    public void logout(Request request) throws ServletException {
+        authenticator.logout(request);
+        Session session = request.getSessionInternal(false);
+        if (session != null) {
+            session.removeNote(CACHED_IDENTITY_KEY);
+        }
+        identityService.associate(null);
+    }
+
 }
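Review bot: `logout` removes the session note and calls `identityService.associate(null)` but leaves the principal and auth type that `doSuccess` set on the request, so `request.getUserPrincipal()` and `getAuthType()` still answer for the logged-out user for the rest of the request; add `request.setAuthType(null); request.setUserPrincipal(null);` after `authenticator.logout(request);`. In `authenticate`, `throw new IOException(e.getMessage(), e.getCause())` drops the `ServerAuthException` itself from the chain; `throw new IOException(e.getMessage(), e);` keeps the full cause. `login` reuses the caller's existing session for the cached identity without changing its id, which is the classic session-fixation window for programmatic login; if that is handled by the jaspic authenticators, as the comment in `register` suggests, a one-line note saying so here would save the next reviewer the same question.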

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/BasicAuthenticator.java Wed Sep 22 22:55:11 2010
@@ -22,6 +22,7 @@ package org.apache.geronimo.tomcat.secur
 
 import java.io.IOException;
 
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -29,10 +30,10 @@ import org.apache.catalina.connector.Req
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.util.Base64;
 import org.apache.geronimo.tomcat.security.AuthResult;
-import org.apache.geronimo.tomcat.security.TomcatAuthStatus;
 import org.apache.geronimo.tomcat.security.Authenticator;
 import org.apache.geronimo.tomcat.security.LoginService;
 import org.apache.geronimo.tomcat.security.ServerAuthException;
+import org.apache.geronimo.tomcat.security.TomcatAuthStatus;
 import org.apache.geronimo.tomcat.security.UserIdentity;
 import org.apache.tomcat.util.buf.ByteChunk;
 import org.apache.tomcat.util.buf.CharChunk;
@@ -72,7 +73,7 @@ public class BasicAuthenticator implemen
         this.unauthenticatedIdentity = unauthenticatedIdentity;
     }
 
-    public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
+    public AuthResult validateRequest(Request request, HttpServletResponse response, boolean isAuthMandatory, UserIdentity cachedIdentity) throws ServerAuthException {
         // Validate any credentials already included with this request
         String username = null;
         String password = null;
@@ -108,7 +109,7 @@ public class BasicAuthenticator implemen
 
             UserIdentity userIdentity = loginService.login(username, password);
             if (userIdentity != null) {
-                return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity);
+                return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, false);
             }
         }
 
@@ -116,21 +117,18 @@ public class BasicAuthenticator implemen
         // Send an "unauthorized" response and an appropriate challenge
         if (isAuthMandatory) {
             try {
-                MessageBytes authenticate =
-                        response.getCoyoteResponse().getMimeHeaders()
-                        .addValue(AUTHENTICATE_BYTES, 0, AUTHENTICATE_BYTES.length);
-                CharChunk authenticateCC = authenticate.getCharChunk();
+                StringBuffer authenticateCC = new StringBuffer();
                 authenticateCC.append("Basic realm=\"");
                 authenticateCC.append((realmName == null) ? "<unspecified>" : realmName);
                 authenticateCC.append('\"');
-                authenticate.toChars();
+                response.addHeader(new String(AUTHENTICATE_BYTES), authenticateCC.toString());
                 response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
-                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null);
+                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null, false);
             } catch (IOException e) {
                 throw new ServerAuthException(e);
             }
         }
-        return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity);
+        return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity, false);
     }
 
     public boolean secureResponse(Request request, Response response, AuthResult authResult) {
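Review bot: `response.addHeader(new String(AUTHENTICATE_BYTES), ...)` decodes the header-name bytes with the platform default charset; for an ASCII header name this works by accident, whereas the removed code handed the bytes straight to Tomcat's MIME headers. Use a `String` constant for the header name, or `new String(AUTHENTICATE_BYTES, "ISO-8859-1")`, so the emitted header does not depend on `file.encoding`. `StringBuffer authenticateCC` is never shared, so `StringBuilder` is the right type for building the challenge.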
@@ -140,4 +138,17 @@ public class BasicAuthenticator implemen
     public String getAuthType() {
         return HttpServletRequest.BASIC_AUTH;
     }
+
+    @Override
+    public AuthResult login(String username, String password, Request request) throws ServletException {
+        UserIdentity userIdentity = loginService.login(username, password);
+        if (userIdentity != null) {
+            return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, false);
+        }
+        return new AuthResult(TomcatAuthStatus.FAILURE, null, false);
+    }
+
+    @Override
+    public void logout(Request request) {
+    }
 }
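Review bot: The new `login` body is repeated verbatim in DigestAuthenticator and, with a different caching flag, in ClientCertAuthenticator in this commit; a shared helper would keep the three from drifting as the status handling evolves. The new methods carry `@Override` while `validateRequest`, `secureResponse` and `getAuthType` in the same class do not; pick one style for the class. An empty `logout` is correct for a stateless scheme but deserves a one-line comment, e.g. `// BASIC presents credentials on every request; there is no container-side state to clear`.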
\ No newline at end of file

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/ClientCertAuthenticator.java Wed Sep 22 22:55:11 2010
@@ -23,6 +23,7 @@ package org.apache.geronimo.tomcat.secur
 import java.io.IOException;
 import java.security.cert.X509Certificate;
 
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -55,7 +56,7 @@ public class ClientCertAuthenticator imp
         this.unauthenticatedIdentity = unauthenticatedIdentity;
     }
 
-    public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
+    public AuthResult validateRequest(Request request, HttpServletResponse response, boolean isAuthMandatory, UserIdentity cachedIdentity) throws ServerAuthException {
         X509Certificate certs[] = (X509Certificate[])
             request.getAttribute(Globals.CERTIFICATES_ATTR);
         if ((certs == null) || (certs.length < 1)) {
@@ -69,26 +70,26 @@ public class ClientCertAuthenticator imp
                 if (isAuthMandatory) {
                     response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                                    sm.getString("authenticator.certificates"));
-                    return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null);
+                    return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null, false);
                 } else {
-                    return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity);
+                    return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity, false);
                 }
             }
 
             // Authenticate the specified certificate chain
             UserIdentity userIdentity = loginService.login(certs);
             if (userIdentity != null) {
-                return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity);
+                return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, true);
             }
             if (isAuthMandatory) {
                 response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                                    sm.getString("authenticator.unauthorized"));
-                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null);
+                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null, false);
             }
         } catch (IOException e) {
             throw new ServerAuthException(e);
         }
-        return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity);
+        return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity, false);
     }
 
     public boolean secureResponse(Request request, Response response, AuthResult authResult) throws ServerAuthException {
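Review bot: The certificate-authenticated identity is returned with `containerCaching` true (`new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, true)`), yet nothing in ClientCertAuthenticator's visible hunks reads the `cachedIdentity` parameter, so SecurityValve writes the identity into the session on every request and this class never consults it. Either honour `cachedIdentity` at the top of `validateRequest`, as FormAuthenticator does in this commit, or pass `false` as BasicAuthenticator and DigestAuthenticator do; the `login` method in the next hunk also passes `true` and raises the same question. If the session copy is meant for another consumer, a comment naming it would justify keeping an authenticated identity in session state that this scheme does not need.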
@@ -98,4 +99,18 @@ public class ClientCertAuthenticator imp
     public String getAuthType() {
         return HttpServletRequest.CLIENT_CERT_AUTH;
     }
+
+    @Override
+    public AuthResult login(String username, String password, Request request) throws ServletException {
+        UserIdentity userIdentity = loginService.login(username, password);
+        if (userIdentity != null) {
+            return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, true);
+        }
+        return new AuthResult(TomcatAuthStatus.FAILURE, null, false);
+    }
+
+    @Override
+    public void logout(Request request) {
+    }
+    
 }

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/DigestAuthenticator.java Wed Sep 22 22:55:11 2010
@@ -25,6 +25,7 @@ import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.StringTokenizer;
 
+import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -73,12 +74,12 @@ public class DigestAuthenticator impleme
         this.unauthenticatedIdentity = unauthenticatedIdentity;
     }
 
-    public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
+    public AuthResult validateRequest(Request request, HttpServletResponse response, boolean isAuthMandatory, UserIdentity cachedIdentity) throws ServerAuthException {
         String authorization = request.getHeader("authorization");
         if (authorization != null) {
             UserIdentity userIdentity = findPrincipal(request, authorization);
             if (userIdentity != null) {
-                return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity);
+                return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, false);
             }
         }
 
@@ -97,9 +98,9 @@ public class DigestAuthenticator impleme
             } catch (IOException e) {
                 throw new ServerAuthException(e);
             }
-            return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null);
+            return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null, false);
         }
-        return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity);
+        return new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity, false);
 
     }
 
@@ -305,7 +306,7 @@ public class DigestAuthenticator impleme
      * @param nOnce    nonce token
      */
     protected void setAuthenticateHeader(
-            Response response,
+            HttpServletResponse response,
             String nOnce) {
 
         // Get the realm name
@@ -321,4 +322,17 @@ public class DigestAuthenticator impleme
 
     }
 
+    @Override
+    public AuthResult login(String username, String password, Request request) throws ServletException {
+        UserIdentity userIdentity = loginService.login(username, password);
+        if (userIdentity != null) {
+            return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, false);
+        }
+        return new AuthResult(TomcatAuthStatus.FAILURE, null, false);
+    }
+
+    @Override
+    public void logout(Request request) {
+    }
+    
 }

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/FormAuthenticator.java Wed Sep 22 22:55:11 2010
@@ -27,6 +27,7 @@ import java.util.Iterator;
 import java.util.Locale;
 
 import javax.servlet.RequestDispatcher;
+import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
@@ -68,12 +69,12 @@ public class FormAuthenticator implement
         this.erroryPage = erroryPage;
     }
 
-    public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
+    public AuthResult validateRequest(Request request, HttpServletResponse response, boolean isAuthMandatory, UserIdentity cachedIdentity) throws ServerAuthException {
         try {
             Session session = request.getSessionInternal(isAuthMandatory);
             if (session == null) {
                 //default identity??
-                return new AuthResult(TomcatAuthStatus.SUCCESS, null);
+                return new AuthResult(TomcatAuthStatus.SUCCESS, null, false);
             }
             if (matchRequest(request, session)) {
                 //            if (log.isDebugEnabled())
@@ -99,12 +100,11 @@ public class FormAuthenticator implement
 //                    if (log.isDebugEnabled())
 //                        log.debug("Restore of original request failed");
                     response.sendError(HttpServletResponse.SC_BAD_REQUEST);
-                    return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null);
+                    return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null, false);
                 }
             }
-            UserIdentity userIdentity = (UserIdentity) session.getNote(Constants.FORM_PRINCIPAL_NOTE);
-            if (userIdentity != null) {
-                return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity);
+            if (cachedIdentity != null) {
+                return new AuthResult(TomcatAuthStatus.SUCCESS, cachedIdentity, true);
             }
 
             //we have not yet completed authentication.
@@ -114,7 +114,6 @@ public class FormAuthenticator implement
             uriCC.setLimit(-1);
             String contextPath = request.getContextPath();
             String requestURI = request.getDecodedRequestURI();
-            response.setContext(request.getContext());
 
             // Is this the action request from the login page?
             boolean loginAction =
@@ -127,7 +126,7 @@ public class FormAuthenticator implement
 //                if (log.isDebugEnabled())
 //                    log.debug("Save request in session '" + session.getIdInternal() + "'");
                 if (!isAuthMandatory) {
-                    return new AuthResult(TomcatAuthStatus.SUCCESS, null);
+                    return new AuthResult(TomcatAuthStatus.SUCCESS, null, false);
                 }
                 try {
                     saveRequest(request, session);
@@ -135,10 +134,10 @@ public class FormAuthenticator implement
 //                    log.debug("Request body too big to save during authentication");
                     response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                             sm.getString("authenticator.requestBodyTooBig"));
-                    return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null);
+                    return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null, false);
                 }
                 forwardToLoginPage(request, response);
-                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, unauthenticatedIdentity);
+                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, unauthenticatedIdentity, false);
             }
 
             // Yes -- Validate the specified credentials and redirect
@@ -150,12 +149,12 @@ public class FormAuthenticator implement
             String password = request.getParameter(Constants.FORM_PASSWORD);
 //            if (log.isDebugEnabled())
 //                log.debug("Authenticating username '" + username + "'");
-            userIdentity = loginService.login(username, password);
+            UserIdentity userIdentity = loginService.login(username, password);
             if (userIdentity == null) {
 //                if (isAuthMandatory) {
-                    forwardToErrorPage(request, response);
-                    //TODO right status?
-                    return new AuthResult(TomcatAuthStatus.SEND_FAILURE, unauthenticatedIdentity);
+                forwardToErrorPage(request, response);
+                //TODO right status?
+                return new AuthResult(TomcatAuthStatus.SEND_FAILURE, unauthenticatedIdentity, false);
 //                } else {
 //                    userIdentity = unauthenticatedIdentity;
 //                }
@@ -164,24 +163,16 @@ public class FormAuthenticator implement
 //            if (log.isDebugEnabled())
 //                log.debug("Authentication of '" + username + "' was successful");
 
-            if (session == null)
-                session = request.getSessionInternal(false);
+            session = request.getSessionInternal(false);
             if (session == null) {
 //                if (containerLog.isDebugEnabled())
 //                    containerLog.debug
 //                        ("User took so long to log on the session expired");
                 response.sendError(HttpServletResponse.SC_REQUEST_TIMEOUT,
                         sm.getString("authenticator.sessionExpired"));
-                return new AuthResult(TomcatAuthStatus.SEND_FAILURE, unauthenticatedIdentity);
+                return new AuthResult(TomcatAuthStatus.SEND_FAILURE, unauthenticatedIdentity, false);
             }
 
-            // Save the authenticated Principal in our session
-            session.setNote(Constants.FORM_PRINCIPAL_NOTE, userIdentity);
-
-            // Save the username and password as well
-            session.setNote(Constants.SESS_USERNAME_NOTE, username);
-            session.setNote(Constants.SESS_PASSWORD_NOTE, password);
-
             // Redirect the user to the original request URI (which will cause
             // the original request to be restored)
             requestURI = savedRequestURL(session);
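Review bot: Once the credentials validate, the session that was created before authentication is reused as-is (L582) and its id is never rotated before the redirect at the end of the method, which is the point where Tomcat's own form authenticator regenerates the session id when changeSessionIdOnAuthentication is enabled, to stop a pre-authentication session id from becoming an authenticated one. If the Geronimo SecurityValve does not already do this, regenerate the id here right after the `session == null` check and before `savedRequestURL(session)` is read. Dropping the username/password session notes (L596-598) is the right call; a one-line comment such as `// identity is cached by the valve via AuthResult, not stored in the session` would explain why nothing replaces them. The enclosing validateRequest continues outside the hunk.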
@@ -190,10 +181,10 @@ public class FormAuthenticator implement
             if (requestURI == null) {
                 response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                         sm.getString("authenticator.formlogin"));
-                return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null);
+                return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null, false);
             } else {
                 response.sendRedirect(response.encodeRedirectURL(requestURI));
-                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, userIdentity);
+                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, userIdentity, true);
             }
         } catch (IOException e) {
             throw new ServerAuthException(e);
@@ -215,12 +206,12 @@ public class FormAuthenticator implement
      * @param request  Request we are processing
      * @param response Response we are creating
      */
-    protected void forwardToLoginPage(Request request, Response response) {
+    protected void forwardToLoginPage(Request request, HttpServletResponse response) {
         RequestDispatcher disp = request.getRequestDispatcher(loginPage);
         try {
-            disableClientCache(response.getResponse());
-            disp.forward(request.getRequest(), response.getResponse());
-            response.finishResponse();
+            disableClientCache(response);
+            disp.forward(request.getRequest(), response);
+            response.flushBuffer();
         } catch (Throwable t) {
 //            log.warn("Unexpected error forwarding to login page", t);
         }
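Review bot: forwardToLoginPage still catches Throwable (L630) and, with the only log statement commented out (L631), drops it silently — including Errors such as StackOverflowError — so a failed forward produces an empty response with no trace; forwardToErrorPage (L647-648) has the same shape. Narrow the catch to the checked exceptions forward()/flushBuffer() declare (`catch (ServletException e)` and `catch (IOException e)`) and either restore a real log call or wrap and rethrow as `ServerAuthException`, which the calling validateRequest already declares. Whether `response.flushBuffer()` (L629) fully replaces the old `finishResponse()` presumably depends on the valve not writing further after SEND_CONTINUE — worth confirming against SecurityValve.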
@@ -233,12 +224,12 @@ public class FormAuthenticator implement
      * @param request  Request we are processing
      * @param response Response we are creating
      */
-    protected void forwardToErrorPage(Request request, Response response) {
+    protected void forwardToErrorPage(Request request, HttpServletResponse response) {
         RequestDispatcher disp = request.getRequestDispatcher(erroryPage);
         try {
-            disableClientCache(response.getResponse());
-            disp.forward(request.getRequest(), response.getResponse());
-            response.finishResponse();
+            disableClientCache(response);
+            disp.forward(request.getRequest(), response);
+            response.flushBuffer();
         } catch (Throwable t) {
 //            log.warn("Unexpected error forwarding to error page", t);
         }
@@ -443,4 +434,18 @@ public class FormAuthenticator implement
         response.setHeader("Cache-Control", "No-cache");
         response.setDateHeader("Expires", 1);
     }
+
+    @Override
+    public AuthResult login(String username, String password, Request request) throws ServletException {
+        UserIdentity userIdentity = loginService.login(username, password);
+        if (userIdentity != null) {
+            return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, true);
+        }
+        return new AuthResult(TomcatAuthStatus.FAILURE, null, false);
+    }
+
+    @Override
+    public void logout(Request request) {
+    }
+
 }
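Review bot: FormAuthenticator.logout() is an empty body (L665-666), so whether a logout actually ends the authenticated state depends entirely on SecurityValve discarding the identity it cached because of the `true` flag at L659 and L612, which is not visible in this hunk; if the valve does not, the identity outlives the logout. Either clear it here or add a comment such as `// nothing to do: the cached identity is held and discarded by SecurityValve` so the intent is explicit. login() also needs Javadoc stating that invalid credentials yield a FAILURE result rather than a ServletException, since HttpServletRequest.login's own contract is to throw, and the caller must translate.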

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/NoneAuthenticator.java Wed Sep 22 22:55:11 2010
@@ -20,13 +20,16 @@
 
 package org.apache.geronimo.tomcat.security.authentication;
 
-import org.apache.geronimo.tomcat.security.Authenticator;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
 import org.apache.geronimo.tomcat.security.AuthResult;
+import org.apache.geronimo.tomcat.security.Authenticator;
 import org.apache.geronimo.tomcat.security.ServerAuthException;
 import org.apache.geronimo.tomcat.security.TomcatAuthStatus;
 import org.apache.geronimo.tomcat.security.UserIdentity;
-import org.apache.catalina.connector.Request;
-import org.apache.catalina.connector.Response;
 
 /**
  * @version $Rev$ $Date$
@@ -36,10 +39,10 @@ public class NoneAuthenticator implement
     private final AuthResult unauthenticated;
 
     public NoneAuthenticator(UserIdentity unauthenticatedIdentity) {
-        unauthenticated = new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity);
+        unauthenticated = new AuthResult(TomcatAuthStatus.SUCCESS, unauthenticatedIdentity, false);
     }
 
-    public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
+    public AuthResult validateRequest(Request request, HttpServletResponse response, boolean isAuthMandatory, UserIdentity cachedIdentity) throws ServerAuthException {
         return unauthenticated;
     }
 
@@ -50,4 +53,14 @@ public class NoneAuthenticator implement
     public String getAuthType() {
         return "NONE";
     }
+
+    @Override
+    public AuthResult login(String username, String password, Request request) throws ServletException {
+        return unauthenticated;
+    }
+
+    @Override
+    public void logout(Request request) {
+    }
+
 }
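Review bot: NoneAuthenticator.login() returns the pre-built SUCCESS result for the unauthenticated identity (L715, built at L700) regardless of the supplied credentials, so if the caller treats a SUCCESS status as "authenticated", `request.login(user, pw)` appears to succeed without any password check. An authenticator that performs no authentication should report that programmatic login is unsupported: `throw new ServletException("login is not supported by NONE authentication");`. For consistency with the two new methods, validateRequest at L704 should also carry `@Override`.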

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java Wed Sep 22 22:55:11 2010
@@ -20,6 +20,7 @@
 
 package org.apache.geronimo.tomcat.security.authentication.jaspic;
 
+import java.io.IOException;
 import java.security.Principal;
 import java.util.Arrays;
 import java.util.Collections;
@@ -27,16 +28,21 @@ import java.util.Map;
 import java.util.Set;
 
 import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.message.AuthException;
 import javax.security.auth.message.AuthStatus;
 import javax.security.auth.message.MessageInfo;
 import javax.security.auth.message.callback.CallerPrincipalCallback;
 import javax.security.auth.message.callback.GroupPrincipalCallback;
+import javax.security.auth.message.callback.PasswordValidationCallback;
 import javax.security.auth.message.config.ServerAuthConfig;
 import javax.security.auth.message.config.ServerAuthContext;
-
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletResponse;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
+import org.apache.geronimo.security.ContextManager;
 import org.apache.geronimo.tomcat.security.AuthResult;
 import org.apache.geronimo.tomcat.security.Authenticator;
 import org.apache.geronimo.tomcat.security.IdentityService;
@@ -44,17 +50,21 @@ import org.apache.geronimo.tomcat.securi
 import org.apache.geronimo.tomcat.security.TomcatAuthStatus;
 import org.apache.geronimo.tomcat.security.UserIdentity;
 
+import static org.apache.geronimo.tomcat.security.SecurityValve.CACHED_IDENTITY_KEY;
+
 /**
  * @version $Rev$ $Date$
  */
 public class JaspicAuthenticator implements Authenticator {
     private static final String MESSAGE_INFO_KEY = "org.apache.geronimo.tomcat.jaspic.message.info";
+    public static final String CONTAINER_CACHING_KEY = "org.apache.geronimo.jaspic.servlet.containerCaching";
 
     private final ServerAuthConfig serverAuthConfig;
     private final Map authProperties;
     private final Subject serviceSubject;
     private final JaspicCallbackHandler callbackHandler;
     private final IdentityService identityService;
+    private final boolean containerCaching;
 
     public JaspicAuthenticator(ServerAuthConfig serverAuthConfig, Map authProperties, Subject serviceSubject, JaspicCallbackHandler callbackHandler, IdentityService identityService) {
         this.serverAuthConfig = serverAuthConfig;
@@ -62,11 +72,15 @@ public class JaspicAuthenticator impleme
         this.serviceSubject = serviceSubject;
         this.callbackHandler = callbackHandler;
         this.identityService = identityService;
+        containerCaching = authProperties != null && (authProperties.get(CONTAINER_CACHING_KEY) == null ? false : Boolean.valueOf((String) authProperties.get(CONTAINER_CACHING_KEY)));
     }
 
-    public AuthResult validateRequest(Request request, Response response, boolean isAuthMandatory) throws ServerAuthException {
+    public AuthResult validateRequest(Request request, HttpServletResponse response, boolean isAuthMandatory, UserIdentity cachedIdentity) throws ServerAuthException {
         try {
             MessageInfo messageInfo = new JaspicMessageInfo(request, response, isAuthMandatory);
+            if (cachedIdentity != null) {
+                messageInfo.getMap().put(CACHED_IDENTITY_KEY, cachedIdentity);
+            }
             request.setNote(MESSAGE_INFO_KEY, messageInfo);
             String authContextId = serverAuthConfig.getAuthContextID(messageInfo);
             ServerAuthContext authContext = serverAuthConfig.getAuthContext(authContextId, serviceSubject, authProperties);
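Review bot: containerCaching is derived by casting the property value to String (L786), which throws ClassCastException at construction time if the map carries a Boolean instead; `containerCaching = authProperties != null && Boolean.parseBoolean(String.valueOf(authProperties.get(CONTAINER_CACHING_KEY)));` accepts both forms and makes the separate null branch unnecessary, since a missing value parses as false. CONTAINER_CACHING_KEY is a new public configuration key (L771) and deserves Javadoc saying that it turns on container-side caching of the identity a JASPIC module establishes, and that it defaults to off.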
@@ -74,9 +88,9 @@ public class JaspicAuthenticator impleme
 
             AuthStatus authStatus = authContext.validateRequest(messageInfo, clientSubject, serviceSubject);
             if (authStatus == AuthStatus.SEND_CONTINUE)
-                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null);
+                return new AuthResult(TomcatAuthStatus.SEND_CONTINUE, null, false);
             if (authStatus == AuthStatus.SEND_FAILURE)
-                return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null);
+                return new AuthResult(TomcatAuthStatus.SEND_FAILURE, null, false);
 
             if (authStatus == AuthStatus.SUCCESS) {
                 Set<UserIdentity> ids = clientSubject.getPrivateCredentials(UserIdentity.class);
@@ -98,18 +112,18 @@ public class JaspicAuthenticator impleme
                         }
                         if (principal == null) {
                             //TODO not clear what to do here.
-                            return new AuthResult(TomcatAuthStatus.SUCCESS, null);
+                            return new AuthResult(TomcatAuthStatus.SUCCESS, null, false);
                         }
                     }
                     GroupPrincipalCallback groupPrincipalCallback = callbackHandler.getThreadGroupPrincipalCallback();
                     String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
                     userIdentity = identityService.newUserIdentity(clientSubject, principal, groups == null ? Collections.<String>emptyList() : Arrays.asList(groups));
                 }
-                return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity);
+                return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, containerCaching);
             }
             if (authStatus == AuthStatus.SEND_SUCCESS) {
                 //we are processing a message in a secureResponse dialog.
-                return new AuthResult(TomcatAuthStatus.SEND_SUCCESS, null);
+                return new AuthResult(TomcatAuthStatus.SEND_SUCCESS, null, false);
             }
             //should not happen
             throw new NullPointerException("No AuthStatus returned");
@@ -120,12 +134,11 @@ public class JaspicAuthenticator impleme
 
     public boolean secureResponse(Request request, Response response, AuthResult authResult) throws ServerAuthException {
         JaspicMessageInfo messageInfo = (JaspicMessageInfo)request.getNote(MESSAGE_INFO_KEY);
-        if (messageInfo==null) throw new NullPointerException("MeesageInfo from request missing: " + request);
+        if (messageInfo==null) throw new NullPointerException("MessageInfo from request missing: " + request);
         try
         {
             String authContextId = serverAuthConfig.getAuthContextID(messageInfo);
             ServerAuthContext authContext = serverAuthConfig.getAuthContext(authContextId,serviceSubject,authProperties);
-            // TODO authContext.cleanSubject(messageInfo,validatedUser.getUserIdentity().getSubject());
             AuthStatus status = authContext.secureResponse(messageInfo,serviceSubject);
             return (AuthStatus.SEND_SUCCESS.equals(status));
         }
@@ -138,4 +151,43 @@ public class JaspicAuthenticator impleme
     public String getAuthType() {
         return "JASPIC";
     }
+
+    @Override
+    public AuthResult login(String username, String password, Request request) throws ServletException {
+        PasswordValidationCallback passwordValidationCallback = new PasswordValidationCallback(new Subject(), username, password.toCharArray());
+        try {
+            callbackHandler.handle(new Callback[] {passwordValidationCallback});
+            if (passwordValidationCallback.getResult()) {
+                UserIdentity userIdentity = passwordValidationCallback.getSubject().getPrivateCredentials(UserIdentity.class).iterator().next();
+                return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, containerCaching);
+            }
+            return new AuthResult(TomcatAuthStatus.FAILURE, null, false);
+        } catch (UnsupportedCallbackException e) {
+            throw new ServletException("internal server error");
+        } catch (IOException e) {
+            throw new ServletException("Unsuccessful login");
+        }
+    }
+
+    @Override
+    public void logout(Request request) throws ServletException {
+        JaspicMessageInfo messageInfo = (JaspicMessageInfo)request.getNote(MESSAGE_INFO_KEY);
+        if (messageInfo==null) throw new NullPointerException("MessageInfo from request missing: " + request);
+        Subject subject = ContextManager.getCurrentCaller();
+        if (subject != null) {
+            identityService.associate(null);
+            try
+            {
+                String authContextId = serverAuthConfig.getAuthContextID(messageInfo);
+                ServerAuthContext authContext = serverAuthConfig.getAuthContext(authContextId,serviceSubject,authProperties);
+                authContext.cleanSubject(messageInfo, subject);
+            }
+            catch (AuthException e)
+            {
+                throw new ServletException(e);
+            }
+        }
+
+    }
+
 }
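Review bot: The new login() calls `password.toCharArray()` (L854) and `iterator().next()` on the subject's private credentials (L858) without checks, so a null password or a handler that validates the password but attaches no UserIdentity surfaces as NullPointerException/NoSuchElementException rather than a clean failure, and both catch blocks (L862-865) discard the cause. The char[] copy handed to PasswordValidationCallback is also never cleared after the result is read. The rewrite below adds the guards, keeps the causes and scrubs the password in a finally. Separately, logout() throws if the MESSAGE_INFO_KEY note is absent (L872), but login() in the same hunk never sets that note, so a logout following a programmatic login on a request that did not pass through validateRequest presumably fails — worth confirming against SecurityValve.
```java
@Override
public AuthResult login(String username, String password, Request request) throws ServletException {
    if (username == null || password == null) {
        return new AuthResult(TomcatAuthStatus.FAILURE, null, false);
    }
    PasswordValidationCallback passwordValidationCallback =
            new PasswordValidationCallback(new Subject(), username, password.toCharArray());
    try {
        callbackHandler.handle(new Callback[] {passwordValidationCallback});
        if (!passwordValidationCallback.getResult()) {
            return new AuthResult(TomcatAuthStatus.FAILURE, null, false);
        }
        Set<UserIdentity> ids = passwordValidationCallback.getSubject().getPrivateCredentials(UserIdentity.class);
        if (ids.isEmpty()) {
            // the handler accepted the password but established no identity; do not report success
            throw new ServletException("password validated but no UserIdentity was attached to the subject");
        }
        return new AuthResult(TomcatAuthStatus.SUCCESS, ids.iterator().next(), containerCaching);
    } catch (UnsupportedCallbackException e) {
        throw new ServletException("password validation is not supported by the configured callback handler", e);
    } catch (IOException e) {
        throw new ServletException("login failed", e);
    } finally {
        // scrub the cleartext copy held by the callback once it is no longer needed
        passwordValidationCallback.clearPassword();
    }
}

// … unchanged: logout(Request) …
```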

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicMessageInfo.java Wed Sep 22 22:55:11 2010
@@ -43,7 +43,7 @@ public class JaspicMessageInfo implement
     public JaspicMessageInfo() {
     }
 
-    public JaspicMessageInfo(Request request, Response response, boolean authMandatory) {
+    public JaspicMessageInfo(Request request, HttpServletResponse response, boolean authMandatory) {
         this.request = request;
         this.response = response;
         if (authMandatory) {

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCRealm.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCRealm.java?rev=1000268&r1=1000267&r2=1000268&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCRealm.java (original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCRealm.java Wed Sep 22 22:55:11 2010
@@ -21,23 +21,20 @@
 package org.apache.geronimo.tomcat.security.jacc;
 
 import java.beans.PropertyChangeListener;
-import java.security.Principal;
+import java.io.IOException;
 import java.security.AccessControlContext;
 import java.security.AccessControlException;
+import java.security.Principal;
 import java.security.cert.X509Certificate;
-import java.io.IOException;
 
-import javax.security.auth.Subject;
 import javax.security.jacc.WebRoleRefPermission;
-
-import org.apache.catalina.Realm;
 import org.apache.catalina.Container;
 import org.apache.catalina.Context;
+import org.apache.catalina.Realm;
+import org.apache.catalina.Wrapper;
 import org.apache.catalina.connector.Request;
 import org.apache.catalina.connector.Response;
 import org.apache.catalina.deploy.SecurityConstraint;
-import org.apache.geronimo.tomcat.JAASTomcatPrincipal;
-import org.apache.geronimo.tomcat.security.UserIdentity;
 import org.apache.geronimo.security.ContextManager;
 
 /**
@@ -55,6 +52,8 @@ public class JACCRealm implements Realm 
         return old;
     }
 
+    @Override
+    @Deprecated
     public boolean hasRole(Principal principal, String role) {
         AccessControlContext acc = ContextManager.getCurrentContext();
         String name = currentRequestWrapperName.get();
@@ -73,6 +72,25 @@ public class JACCRealm implements Realm 
         }
     }
 
+    @Override
+    public boolean hasRole(Wrapper wrapper, Principal principal, String role) {
+        AccessControlContext acc = ContextManager.getCurrentContext();
+        String name = wrapper.getName();
+
+        /**
+         * JACC v1.0 secion B.19
+         */
+        if (name == null || name.equals("jsp")) {
+            name = "";
+        }
+        try {
+            acc.checkPermission(new WebRoleRefPermission(name, role));
+            return true;
+        } catch (AccessControlException e) {
+            return false;
+        }
+    }
+
     public Container getContainer() {
         return null;
     }
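Review bot: The new hasRole(Wrapper, Principal, String) dereferences wrapper unconditionally (L956), while Tomcat's own RealmBase guards this overload against a null wrapper, which suggests callers may pass one for requests not bound to a servlet; `String name = wrapper == null ? null : wrapper.getName();` lets the existing `name == null` branch map that case to the empty servlet name. The principal parameter is unused because the check runs against the thread's AccessControlContext from ContextManager, and a one-line comment saying so would stop the next reader from taking it for a bug; `acc` itself is also never checked for null, as in the deprecated overload above. The body otherwise duplicates that deprecated overload except for where the wrapper name comes from, so a private `hasRole(String wrapperName, String role)` helper that both call would keep the two from drifting (the comment at L959 also misspells "section").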


