geronimo-scm mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From djen...@apache.org
Subject svn commit: r1330031 - in /geronimo/server/branches/3.0-beta: framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/ plugins/connec...
Date Tue, 24 Apr 2012 21:45:03 GMT
Author: djencks
Date: Tue Apr 24 21:45:02 2012
New Revision: 1330031

URL: http://svn.apache.org/viewvc?rev=1330031&view=rev
Log:
GERONIMO-6337, GERONIMO-6338 initial fix for tomcat, connector, and jetty.  More work needed
for jetty at eclipse. Code unification may be a good idea too

Added:
    geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
  (with props)
Modified:
    geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
    geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
    geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/ConnectorCallbackHandler.java
    geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/SecurityContextHandler.java
    geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/AuthConfigProviderHandlerFactory.java
    geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettyIdentityService.java
    geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettySecurityHandlerFactory.java
    geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/AbstractWebModuleTest.java
    geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/security/ServerAuthenticationGBean.java
    geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java
    geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/IdentityService.java
    geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java
    geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java
    geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java
    geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java
    geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCUserIdentity.java

Modified: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
(original)
+++ geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/Context.java
Tue Apr 24 21:45:02 2012
@@ -34,14 +34,12 @@ public class Context {
     private final AccessControlContext context;
     private final Subject subject;
     private final Principal principal;
-    private final List<String> groups;
 
-    public Context(SubjectId id, AccessControlContext context, Subject subject, Principal
principal, List<String> groups) {
+    public Context(SubjectId id, AccessControlContext context, Subject subject, Principal
principal) {
         this.id = id;
         this.context = context;
         this.subject = subject;
         this.principal = principal;
-        this.groups = groups;
     }
 
     public SubjectId getId() {
@@ -60,7 +58,4 @@ public class Context {
         return principal;
     }
 
-    public List<String> getGroups() {
-        return groups;
-    }
 }

Modified: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
(original)
+++ geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/ContextManager.java
Tue Apr 24 21:45:02 2012
@@ -296,14 +296,14 @@ public class ContextManager {
             throw new ProviderException("Invalid key: " + key.toString());
         }
         List<String> groups = Collections.emptyList();
-        Context context = new Context(subjectId, acc, subject, principal, groups);
+        Context context = new Context(subjectId, acc, subject, principal);
         subjectIds.put(context.getId(), subject);
         subjectContexts.put(subject, context);
 
         return context.getId();
     }
 
-    public static synchronized AccessControlContext registerSubjectShort(Subject subject,
Principal callerPrincipal, List<String> groups) {
+    public static synchronized AccessControlContext registerSubjectShort(Subject subject,
Principal callerPrincipal) {
         SecurityManager sm = System.getSecurityManager();
         if (sm != null) sm.checkPermission(SET_CONTEXT);
 
@@ -334,7 +334,7 @@ public class ContextManager {
         if(!subject.isReadOnly()){
             subject.getPrincipals().add(principal);
         }
-        Context context = new Context(subjectId, acc, subject, callerPrincipal, groups);
+        Context context = new Context(subjectId, acc, subject, callerPrincipal);
         subjectIds.put(context.getId(), subject);
         subjectContexts.put(subject, context);
 

Added: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java?rev=1330031&view=auto
==============================================================================
--- geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
(added)
+++ geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
Tue Apr 24 21:45:02 2012
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+
+package org.apache.geronimo.security.realm.providers;
+
+
+import java.security.Principal;
+
+/**
+ * @version $Rev$ $Date$
+ */
+public class WrappingCallerPrincipal implements GeronimoCallerPrincipal {
+
+    private final Principal wrapped;
+
+    public WrappingCallerPrincipal(Principal wrapped) {
+        this.wrapped = wrapped;
+    }
+
+    public Principal getWrapped() {
+        return wrapped;
+    }
+
+    @Override
+    public String getName() {
+        return null;
+    }
+
+    @Override
+    public boolean equals(Object o) {
+        if (this == o) {
+            return true;
+        }
+        if (o instanceof WrappingCallerPrincipal) {
+            return wrapped.equals(((WrappingCallerPrincipal)o).wrapped);
+        }
+        return wrapped.equals(o);
+    }
+
+    @Override
+    public int hashCode() {
+        return wrapped.hashCode();
+    }
+}

Propchange: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/branches/3.0-beta/framework/modules/geronimo-security/src/main/java/org/apache/geronimo/security/realm/providers/WrappingCallerPrincipal.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/ConnectorCallbackHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/ConnectorCallbackHandler.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/ConnectorCallbackHandler.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/ConnectorCallbackHandler.java
Tue Apr 24 21:45:02 2012
@@ -24,6 +24,7 @@ import java.io.IOException;
 import java.security.Principal;
 import java.util.List;
 import java.util.Arrays;
+import java.util.Set;
 
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.Callback;
@@ -42,6 +43,10 @@ import javax.security.auth.login.LoginCo
 import javax.security.auth.login.LoginException;
 
 import org.apache.geronimo.security.ContextManager;
+import org.apache.geronimo.security.realm.providers.GeronimoCallerPrincipal;
+import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
+import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;
+import org.apache.geronimo.security.realm.providers.WrappingCallerPrincipal;
 
 /**
  * Spec 16.4.1:  must support CallerPrincipalCallback, GroupPrincipalCallback, PasswordValidationCallback.
@@ -53,9 +58,6 @@ public class ConnectorCallbackHandler im
 
     private final String realm;
 
-    private Principal callerPrincipal;
-    private String[] groupsArray;
-
     public ConnectorCallbackHandler(String realm) {
         if (realm == null) throw new NullPointerException("No realm provided");
         this.realm = realm;
@@ -65,17 +67,29 @@ public class ConnectorCallbackHandler im
     {
         for (Callback callback: callbacks)
         {
-            //jaspi to server communication
-            if (callback instanceof CallerPrincipalCallback)
-            {
-                callerPrincipal = ((CallerPrincipalCallback) callback).getPrincipal();
-            }
-            else if (callback instanceof GroupPrincipalCallback)
-            {
-                groupsArray = ((GroupPrincipalCallback)callback).getGroups();
-            }
-            else if (callback instanceof PasswordValidationCallback)
-            {
+            // jaspi to server communication
+            if (callback instanceof CallerPrincipalCallback) {
+                CallerPrincipalCallback callerPrincipalCallback = (CallerPrincipalCallback)
callback;
+                if (callerPrincipalCallback.getPrincipal() != null) {
+                    Principal callerPrincipal = callerPrincipalCallback.getPrincipal();
+                    if (callerPrincipal instanceof GeronimoCallerPrincipal) {
+                        callerPrincipalCallback.getSubject().getPrincipals().add(callerPrincipal);
+                    } else {
+                        callerPrincipalCallback.getSubject().getPrincipals().add(new WrappingCallerPrincipal(callerPrincipal));
+                    }
+                } else if (callerPrincipalCallback.getName() != null) {
+                    Principal callerPrincipal = new GeronimoUserPrincipal(callerPrincipalCallback.getName());
+                    callerPrincipalCallback.getSubject().getPrincipals().add(callerPrincipal);
+                }
+            } else if (callback instanceof GroupPrincipalCallback) {
+                GroupPrincipalCallback groupPrincipalCallback = ( GroupPrincipalCallback
) callback;
+                if (groupPrincipalCallback.getGroups() != null) {
+                    Set<Principal> principalSet = groupPrincipalCallback.getSubject().getPrincipals();
+                    for (String groupName : groupPrincipalCallback.getGroups()) {
+                        principalSet.add(new GeronimoGroupPrincipal(groupName));
+                    }
+                }
+            } else if (callback instanceof PasswordValidationCallback) {
                 PasswordValidationCallback passwordValidationCallback = (PasswordValidationCallback)
callback;
                 Subject subject = passwordValidationCallback.getSubject();
                 final String userName = passwordValidationCallback.getUsername();
@@ -119,12 +133,4 @@ public class ConnectorCallbackHandler im
         }
     }
 
-    public Principal getCallerPrincipal() {
-        return callerPrincipal;
-    }
-
-    public List<String> getGroups() {
-        return groupsArray == null? null: Arrays.asList(groupsArray);
-    }
-
 }

Modified: geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/SecurityContextHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/SecurityContextHandler.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/SecurityContextHandler.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/connector-1_6/geronimo-connector-1_6/src/main/java/org/apache/geronimo/connector/wrapper/work/SecurityContextHandler.java
Tue Apr 24 21:45:02 2012
@@ -20,6 +20,7 @@
 
 package org.apache.geronimo.connector.wrapper.work;
 
+import java.security.Principal;
 import java.util.Stack;
 
 import javax.resource.spi.work.WorkCompletedException;
@@ -35,6 +36,8 @@ import org.apache.geronimo.gbean.annotat
 import org.apache.geronimo.gbean.annotation.GBean;
 import org.apache.geronimo.gbean.annotation.ParamReference;
 import org.apache.geronimo.connector.work.WorkContextHandler;
+import org.apache.geronimo.security.realm.providers.GeronimoCallerPrincipal;
+import org.apache.geronimo.security.realm.providers.WrappingCallerPrincipal;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -86,7 +89,15 @@ public class SecurityContextHandler impl
             clientSubject = new Subject();
             ConnectorCallbackHandler callbackHandler = new ConnectorCallbackHandler(realm);
             securityContext.setupSecurityContext(callbackHandler, clientSubject, serviceSubject);
-            ContextManager.registerSubjectShort(clientSubject, callbackHandler.getCallerPrincipal(),
callbackHandler.getGroups());
+            Principal callerPrincipal = null;
+            for (GeronimoCallerPrincipal principal: clientSubject.getPrincipals(GeronimoCallerPrincipal.class))
{
+                if (principal instanceof WrappingCallerPrincipal) {
+                    callerPrincipal = ((WrappingCallerPrincipal)principal).getWrapped();
+                } else {
+                    callerPrincipal = principal;
+                }
+            }
+            ContextManager.registerSubjectShort(clientSubject, callerPrincipal);
         }
         callers.get().push(ContextManager.getCallers());
         ContextManager.setCallers(clientSubject, clientSubject);

Modified: geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/AuthConfigProviderHandlerFactory.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/AuthConfigProviderHandlerFactory.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/AuthConfigProviderHandlerFactory.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/AuthConfigProviderHandlerFactory.java
Tue Apr 24 21:45:02 2012
@@ -91,7 +91,7 @@ public class AuthConfigProviderHandlerFa
         if (defaultSubject == null) {
             defaultSubject = ContextManager.EMPTY;
         }
-        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject,
null, null);
+        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject,
null);
         IdentityService identityService = new JettyIdentityService(defaultAcc, defaultSubject,
runAsSource);
         authConfigProperties.put(POLICY_CONTEXT_ID_KEY, policyContextID);
         Authenticator authenticator = new JaspiAuthenticator(serverAuthConfig, authConfigProperties,
servletCallbackHandler, serviceSubject, allowLazyAuthentication, identityService);

Modified: geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettyIdentityService.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettyIdentityService.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettyIdentityService.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettyIdentityService.java
Tue Apr 24 21:45:02 2012
@@ -31,6 +31,8 @@ import org.apache.geronimo.jetty8.handle
 import org.apache.geronimo.security.Callers;
 import org.apache.geronimo.security.ContextManager;
 import org.apache.geronimo.security.jacc.RunAsSource;
+import org.apache.geronimo.security.realm.providers.GeronimoCallerPrincipal;
+import org.apache.geronimo.security.realm.providers.WrappingCallerPrincipal;
 import org.eclipse.jetty.security.IdentityService;
 import org.eclipse.jetty.security.RunAsToken;
 import org.eclipse.jetty.server.UserIdentity;
@@ -79,7 +81,16 @@ public class JettyIdentityService implem
 
     public UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, String[]
roles) {
         if (subject != null) {
-            AccessControlContext acc = ContextManager.registerSubjectShort(subject, userPrincipal,
roles == null? null: Arrays.asList(roles));
+            Principal callerPrincipal = null;
+            for (GeronimoCallerPrincipal principal: subject.getPrincipals(GeronimoCallerPrincipal.class))
{
+                if (principal instanceof WrappingCallerPrincipal) {
+                    callerPrincipal = ((WrappingCallerPrincipal)principal).getWrapped();
+                } else {
+                    callerPrincipal = principal;
+                }
+            }
+
+            AccessControlContext acc = ContextManager.registerSubjectShort(subject, callerPrincipal);
             return new GeronimoUserIdentity(subject, userPrincipal, acc);
         }
         return new GeronimoUserIdentity(null, null, defaultAcc);

Modified: geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettySecurityHandlerFactory.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettySecurityHandlerFactory.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettySecurityHandlerFactory.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/main/java/org/apache/geronimo/jetty8/security/JettySecurityHandlerFactory.java
Tue Apr 24 21:45:02 2012
@@ -80,7 +80,7 @@ public class JettySecurityHandlerFactory
         if (defaultSubject == null) {
             defaultSubject = ContextManager.EMPTY;
         }
-        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject,
null, null);
+        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject,
null);
         IdentityService identityService = new JettyIdentityService(defaultAcc, defaultSubject,
runAsSource);
         if (checkRolePermissions) {
             return new JaccSecurityHandler(policyContextID, authenticator, loginService,
identityService, defaultAcc);

Modified: geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/AbstractWebModuleTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/AbstractWebModuleTest.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/AbstractWebModuleTest.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/AbstractWebModuleTest.java
Tue Apr 24 21:45:02 2012
@@ -128,7 +128,7 @@ public class AbstractWebModuleTest exten
             LoginService loginService = newLoginService();
 //            final ServletCallbackHandler callbackHandler = new ServletCallbackHandler(loginService);
             final Subject subject = new Subject();
-            final AccessControlContext acc = ContextManager.registerSubjectShort(subject,
null, null);
+            final AccessControlContext acc = ContextManager.registerSubjectShort(subject,
null);
             securityHandlerFactory = new ServerAuthenticationGBean(new Authenticator() {
                 public Authentication validateRequest(ServletRequest request, ServletResponse
response, boolean mandatory) throws ServerAuthException {
                     return new UserAuthentication("test", new GeronimoUserIdentity(subject,
new GeronimoUserPrincipal("foo"), acc));

Modified: geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/security/ServerAuthenticationGBean.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/security/ServerAuthenticationGBean.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/security/ServerAuthenticationGBean.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/jetty8/geronimo-jetty8/src/test/java/org/apache/geronimo/jetty8/security/ServerAuthenticationGBean.java
Tue Apr 24 21:45:02 2012
@@ -56,7 +56,7 @@ public class ServerAuthenticationGBean i
         if (defaultSubject == null) {
             defaultSubject = ContextManager.EMPTY;
         }
-        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject,
null, null);
+        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject,
null);
         IdentityService identityService = new JettyIdentityService(defaultAcc, defaultSubject,
runAsSource);
         return new JaccSecurityHandler(policyContextID, authenticator, loginService, identityService,
defaultAcc);
     }

Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/BaseGeronimoContextConfig.java
Tue Apr 24 21:45:02 2012
@@ -140,7 +140,7 @@ public abstract class BaseGeronimoContex
             defaultSubject = ContextManager.EMPTY;
         }
         IdentityService identityService = new GeronimoIdentityService(defaultSubject);
-        UserIdentity unauthenticatedIdentity = identityService.newUserIdentity(defaultSubject,
null, null);
+        UserIdentity unauthenticatedIdentity = identityService.newUserIdentity(defaultSubject);
         LoginService loginService = new GeronimoLoginService(configurationFactory, identityService);
         Authenticator authenticator;
         AuthConfigFactory authConfigFactory = AuthConfigFactory.getFactory();
@@ -183,7 +183,7 @@ public abstract class BaseGeronimoContex
             authenticator = new NoneAuthenticator(unauthenticatedIdentity);
         }
 
-        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject,
 null, null);
+        AccessControlContext defaultAcc = ContextManager.registerSubjectShort(defaultSubject,
 null);
         Authorizer authorizer = createAuthorizer(defaultAcc);
 
         SecurityValve securityValve = new JACCSecurityValve(authenticator, authorizer, identityService,
policyContextId);

Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/IdentityService.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/IdentityService.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/IdentityService.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/IdentityService.java
Tue Apr 24 21:45:02 2012
@@ -33,6 +33,6 @@ public interface IdentityService {
 
     void dissociate(Object previous);
 
-    UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, List<String>
gropus);
+    UserIdentity newUserIdentity(Subject subject);
 
 }

Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicAuthenticator.java
Tue Apr 24 21:45:02 2012
@@ -98,26 +98,7 @@ public class JaspicAuthenticator impleme
                 if (ids.size() > 0) {
                     userIdentity = ids.iterator().next();
                 } else {
-                    CallerPrincipalCallback principalCallback = callbackHandler.getThreadCallerPrincipalCallback();
-                    if (principalCallback == null) throw new NullPointerException("No CallerPrincipalCallback");
-                    Principal principal = principalCallback.getPrincipal();
-                    if (principal == null) {
-                        String principalName = principalCallback.getName();
-                        Set<Principal> principals = principalCallback.getSubject().getPrincipals();
-                        for (Principal p : principals) {
-                            if (p.getName().equals(principalName)) {
-                                principal = p;
-                                break;
-                            }
-                        }
-                        if (principal == null) {
-                            //TODO not clear what to do here.
-                            return new AuthResult(TomcatAuthStatus.SUCCESS, null, false);
-                        }
-                    }
-                    GroupPrincipalCallback groupPrincipalCallback = callbackHandler.getThreadGroupPrincipalCallback();
-                    String[] groups = groupPrincipalCallback == null ? null : groupPrincipalCallback.getGroups();
-                    userIdentity = identityService.newUserIdentity(clientSubject, principal,
groups == null ? Collections.<String>emptyList() : Arrays.asList(groups));
+                    userIdentity = identityService.newUserIdentity(clientSubject);
                 }
                 return new AuthResult(TomcatAuthStatus.SUCCESS, userIdentity, containerCaching);
             }

Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/authentication/jaspic/JaspicCallbackHandler.java
Tue Apr 24 21:45:02 2012
@@ -21,6 +21,8 @@
 package org.apache.geronimo.tomcat.security.authentication.jaspic;
 
 import java.io.IOException;
+import java.security.Principal;
+import java.util.Set;
 
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.Callback;
@@ -34,6 +36,10 @@ import javax.security.auth.message.callb
 import javax.security.auth.message.callback.TrustStoreCallback;
 import javax.security.auth.Subject;
 
+import org.apache.geronimo.security.realm.providers.GeronimoCallerPrincipal;
+import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
+import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;
+import org.apache.geronimo.security.realm.providers.WrappingCallerPrincipal;
 import org.apache.geronimo.tomcat.security.LoginService;
 import org.apache.geronimo.tomcat.security.UserIdentity;
 
@@ -43,9 +49,6 @@ import org.apache.geronimo.tomcat.securi
 public class JaspicCallbackHandler implements CallbackHandler {
     private final LoginService loginService;
 
-    private final ThreadLocal<CallerPrincipalCallback> callerPrincipals = new ThreadLocal<CallerPrincipalCallback>();
-    private final ThreadLocal<GroupPrincipalCallback> groupPrincipals = new ThreadLocal<GroupPrincipalCallback>();
-
     public JaspicCallbackHandler(LoginService loginService) {
         this.loginService = loginService;
     }
@@ -54,9 +57,26 @@ public class JaspicCallbackHandler imple
         for (Callback callback : callbacks) {
             // jaspi to server communication
             if (callback instanceof CallerPrincipalCallback) {
-                callerPrincipals.set((CallerPrincipalCallback) callback);
+                CallerPrincipalCallback callerPrincipalCallback = (CallerPrincipalCallback)
callback;
+                if (callerPrincipalCallback.getPrincipal() != null) {
+                    Principal callerPrincipal = callerPrincipalCallback.getPrincipal();
+                    if (callerPrincipal instanceof GeronimoCallerPrincipal) {
+                        callerPrincipalCallback.getSubject().getPrincipals().add(callerPrincipal);
+                    } else {
+                        callerPrincipalCallback.getSubject().getPrincipals().add(new WrappingCallerPrincipal(callerPrincipal));
+                    }
+                } else if (callerPrincipalCallback.getName() != null) {
+                    Principal callerPrincipal = new GeronimoUserPrincipal(callerPrincipalCallback.getName());
+                    callerPrincipalCallback.getSubject().getPrincipals().add(callerPrincipal);
+                }
             } else if (callback instanceof GroupPrincipalCallback) {
-                groupPrincipals.set((GroupPrincipalCallback) callback);
+                GroupPrincipalCallback groupPrincipalCallback = ( GroupPrincipalCallback
) callback;
+                if (groupPrincipalCallback.getGroups() != null) {
+                    Set<Principal> principalSet = groupPrincipalCallback.getSubject().getPrincipals();
+                    for (String groupName : groupPrincipalCallback.getGroups()) {
+                        principalSet.add(new GeronimoGroupPrincipal(groupName));
+                    }
+                }
             } else if (callback instanceof PasswordValidationCallback) {
                 PasswordValidationCallback passwordValidationCallback = (PasswordValidationCallback)
callback;
                 Subject subject = passwordValidationCallback.getSubject();
@@ -65,8 +85,8 @@ public class JaspicCallbackHandler imple
 
                 if (user != null) {
                     passwordValidationCallback.setResult(true);
-                    passwordValidationCallback.getSubject().getPrincipals().addAll(user.getSubject().getPrincipals());
-                    passwordValidationCallback.getSubject().getPrivateCredentials().add(user);
+                    subject.getPrincipals().addAll(user.getSubject().getPrincipals());
+                    subject.getPrivateCredentials().add(user);
                 }
             }
             // server to jaspi communication
@@ -81,15 +101,4 @@ public class JaspicCallbackHandler imple
         }
     }
 
-    public CallerPrincipalCallback getThreadCallerPrincipalCallback() {
-        CallerPrincipalCallback callerPrincipalCallback = callerPrincipals.get();
-        callerPrincipals.remove();
-        return callerPrincipalCallback;
-    }
-
-    public GroupPrincipalCallback getThreadGroupPrincipalCallback() {
-        GroupPrincipalCallback groupPrincipalCallback = groupPrincipals.get();
-        groupPrincipals.remove();
-        return groupPrincipalCallback;
-    }
 }

Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoIdentityService.java
Tue Apr 24 21:45:02 2012
@@ -20,12 +20,13 @@
 
 package org.apache.geronimo.tomcat.security.impl;
 
-import java.security.Principal;
 import java.security.AccessControlContext;
-import java.util.List;
+import java.security.Principal;
 
 import javax.security.auth.Subject;
 
+import org.apache.geronimo.security.realm.providers.GeronimoCallerPrincipal;
+import org.apache.geronimo.security.realm.providers.WrappingCallerPrincipal;
 import org.apache.geronimo.tomcat.security.IdentityService;
 import org.apache.geronimo.tomcat.security.UserIdentity;
 import org.apache.geronimo.tomcat.security.jacc.JACCUserIdentity;
@@ -53,8 +54,16 @@ public class GeronimoIdentityService imp
         ContextManager.popCallers((Callers) previous);
     }
 
-    public UserIdentity newUserIdentity(Subject subject, Principal userPrincipal, List<String>
groups) {
-        AccessControlContext acc = ContextManager.registerSubjectShort(subject, userPrincipal,
groups);
-        return new JACCUserIdentity(subject, userPrincipal, groups, acc);
+    public UserIdentity newUserIdentity(Subject subject) {
+        Principal callerPrincipal = null;
+        for (GeronimoCallerPrincipal principal: subject.getPrincipals(GeronimoCallerPrincipal.class))
{
+            if (principal instanceof WrappingCallerPrincipal) {
+                callerPrincipal = ((WrappingCallerPrincipal)principal).getWrapped();
+            } else {
+                callerPrincipal = principal;
+            }
+        }
+        AccessControlContext acc = ContextManager.registerSubjectShort(subject, callerPrincipal);
+        return new JACCUserIdentity(subject, callerPrincipal, acc);
     }
 }

Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/impl/GeronimoLoginService.java
Tue Apr 24 21:45:02 2012
@@ -20,7 +20,6 @@
 
 package org.apache.geronimo.tomcat.security.impl;
 
-import java.security.Principal;
 import java.security.cert.X509Certificate;
 
 import javax.security.auth.callback.CallbackHandler;
@@ -61,8 +60,7 @@ public class GeronimoLoginService implem
         try {
             LoginContext loginContext = ContextManager.login(configurationFactory.getConfigurationName(),
callbackHandler, configurationFactory.getConfiguration());
             Subject establishedSubject = loginContext.getSubject();
-            Principal userPrincipal = ContextManager.getCurrentPrincipal(establishedSubject);
-            return identityService.newUserIdentity(establishedSubject, userPrincipal, null);
+            return identityService.newUserIdentity(establishedSubject);
         } catch (LoginException e) {
             return null;
         }

Modified: geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCUserIdentity.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCUserIdentity.java?rev=1330031&r1=1330030&r2=1330031&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCUserIdentity.java
(original)
+++ geronimo/server/branches/3.0-beta/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/security/jacc/JACCUserIdentity.java
Tue Apr 24 21:45:02 2012
@@ -34,14 +34,12 @@ import javax.security.auth.Subject;
 public class JACCUserIdentity implements UserIdentity {
     private final Subject subject;
     private final Principal userPrincipal;
-    private final List<String> groups;
     private final AccessControlContext acc;
 
-    public JACCUserIdentity(Subject subject, Principal userPrincipal, List<String>
groups, AccessControlContext acc) {
+    public JACCUserIdentity(Subject subject, Principal userPrincipal, AccessControlContext
acc) {
         if (subject == null) throw new NullPointerException("No Subject in user identity");
         this.subject = subject;
         this.userPrincipal = userPrincipal;
-        this.groups = groups;
         this.acc = acc;
     }
 
@@ -53,10 +51,6 @@ public class JACCUserIdentity implements
         return subject;
     }
 
-    public List<String> getGroups() {
-        return groups;
-    }
-
     public AccessControlContext getAccessControlContext() {
         return acc;
     }



Mime
View raw message