From xuhaih...@apache.org
Subject svn commit: r1349652 - /geronimo/server/branches/3.0-beta/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/Authenticator.java
Date Wed, 13 Jun 2012 06:16:53 GMT
Author: xuhaihong
Date: Wed Jun 13 06:16:53 2012
New Revision: 1349652

URL: http://svn.apache.org/viewvc?rev=1349652&view=rev
Log:
GERONIMO-6314 Remove the user principal from the subject; we may need to create a new Subject
with a JMXPrincipal instead.

Modified:
    geronimo/server/branches/3.0-beta/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/Authenticator.java

Modified: geronimo/server/branches/3.0-beta/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/Authenticator.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/3.0-beta/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/Authenticator.java?rev=1349652&r1=1349651&r2=1349652&view=diff
==============================================================================
--- geronimo/server/branches/3.0-beta/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/Authenticator.java
(original)
+++ geronimo/server/branches/3.0-beta/framework/modules/geronimo-jmx-remoting/src/main/java/org/apache/geronimo/jmxremoting/Authenticator.java
Wed Jun 13 06:16:53 2012
@@ -16,6 +16,8 @@
  */
 package org.apache.geronimo.jmxremoting;
 
+import java.security.Principal;
+import java.util.Iterator;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
@@ -29,6 +31,7 @@ import javax.security.auth.login.LoginCo
 import javax.security.auth.login.LoginException;
 
 import org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal;
+import org.apache.geronimo.security.realm.providers.GeronimoUserPrincipal;
 /**
  * JMX Authenticator that checks the Credentials by logging in via JAAS.
  *
@@ -71,19 +74,26 @@ public class Authenticator implements JM
             threadContext.set(context);
             Subject sub = context.getSubject();
             Set<GeronimoGroupPrincipal> pricipalsGroup = sub.getPrincipals(GeronimoGroupPrincipal.class);
-            boolean isInAdminGroup = false;
+            boolean isAllowedGroups = false;
             for (GeronimoGroupPrincipal principal : pricipalsGroup) {
-                if (principal.getName().equals("admin")||principal.getName().equals("monitor"))
{
-                    isInAdminGroup = true;
+                if (principal.getName().equals("admin") || principal.getName().equals("monitor"))
{
+                    isAllowedGroups = true;
                     break;
-                 }
+                }
             }
-            if(!isInAdminGroup){
+            if (!isAllowedGroups) {
                 throw new LoginException("Only users in admin group or monitor group are
allowed");
             }
-            return context.getSubject();
+            //Let's remove the GeronimoUserPrincipal, as in the access control file, the
identities are group names
+            for (Iterator<Principal> it = sub.getPrincipals().iterator(); it.hasNext();)
{
+                Principal principal = it.next();
+                if (principal instanceof GeronimoUserPrincipal) {
+                    it.remove();
+                }
+            }
+            return sub;
         } catch (LoginException e) {
-            // do not propogate cause - we don't know what information is may contain
+            // do not propagate cause - we don't know what information is may contain
             throw new SecurityException("Invalid login");
         } finally {
             credentials.clear();
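Review bot: The `it.remove()` inside the new principal-filtering loop can fail outside the `LoginException` catch: the set returned by `Subject.getPrincipals()` throws `IllegalStateException` if the Subject has been made read-only, and with a security manager installed it requires `AuthPermission("modifyPrincipals")`, so an `AccessControlException` would escape `authenticate` with a permission-describing message instead of the generic "Invalid login" `SecurityException` the catch deliberately produces. Whether this Subject is ever read-only is not visible here, but mutating the `LoginContext`'s own Subject also means the `context` stored in `threadContext` for a later logout no longer carries the user identity. As the commit message already hints, returning a private copy that holds only the non-user principals avoids both issues; if the JMX side relies on the Subject's credential sets they would need copying as well, which this hunk does not show. The enclosing `authenticate` method begins before this hunk and its `finally` block continues past it.
```java
            // … unchanged: JAAS login and admin/monitor group check …
            // Hand JMX a private copy so the LoginContext's Subject (and a later logout) is untouched
            Subject exported = new Subject();
            for (Principal principal : sub.getPrincipals()) {
                if (!(principal instanceof GeronimoUserPrincipal)) {
                    exported.getPrincipals().add(principal);
                }
            }
            return exported;
```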


