Permalink
Browse files

Security manager changes

  • Loading branch information...
1 parent cc1a75c commit 0868ec5618d868c8df97cdb9bc398e5d74fb8b4c @clebertsuconic clebertsuconic committed Jun 11, 2010
Showing with 68 additions and 44 deletions.
  1. +68 −44 src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java
View
112 src/main/org/hornetq/integration/jboss/security/JBossASSecurityManager.java
@@ -13,7 +13,9 @@
package org.hornetq.integration.jboss.security;
+import java.security.AccessController;
import java.security.Principal;
+import java.security.PrivilegedAction;
import java.util.HashSet;
import java.util.Set;
@@ -88,73 +90,95 @@ public boolean validateUserAndRole(final String user,
final Set<Role> roles,
final CheckType checkType)
{
- if(allowClientLogin && SecurityContextAssociation.isClient())
+ if (allowClientLogin && SecurityContextAssociation.isClient())
{
- return authoriseOnClientLogin? useClientAuthentication(roles, checkType):true;
+ return authoriseOnClientLogin ? useClientAuthentication(roles, checkType) : true;
}
else
{
return useConnectionAuthentication(user, password, roles, checkType);
}
}
- private boolean useConnectionAuthentication(final String user, final String password, final Set<Role> roles, final CheckType checkType)
+ private boolean useConnectionAuthentication(final String user,
+ final String password,
+ final Set<Role> roles,
+ final CheckType checkType)
{
- SimplePrincipal principal = user == null ? null : new SimplePrincipal(user);
-
- char[] passwordChars = null;
-
- if (password != null)
+ return AccessController.doPrivileged(new PrivilegedAction<Boolean>()
{
- passwordChars = password.toCharArray();
- }
-
- Subject subject = new Subject();
-
- boolean authenticated = authenticationManager.isValid(principal, passwordChars, subject);
- // Authenticate. Successful authentication will place a new SubjectContext on thread local,
- // which will be used in the authorization process. However, we need to make sure we clean up
- // thread local immediately after we used the information, otherwise some other people
- // security my be screwed up, on account of thread local security stack being corrupted.
- if (authenticated)
- {
- pushSecurityContext(principal, passwordChars, subject);
- Set<Principal> rolePrincipals = getRolePrincipals(checkType, roles);
-
- authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);
-
- if (trace)
+ public Boolean run()
{
- JBossASSecurityManager.log.trace("user " + user + (authenticated ? " is " : " is NOT ") + "authorized");
+
+ SimplePrincipal principal = user == null ? null : new SimplePrincipal(user);
+
+ char[] passwordChars = null;
+
+ if (password != null)
+ {
+ passwordChars = password.toCharArray();
+ }
+
+ Subject subject = new Subject();
+
+ boolean authenticated = authenticationManager.isValid(principal, passwordChars, subject);
+ // Authenticate. Successful authentication will place a new SubjectContext on thread local,
+ // which will be used in the authorization process. However, we need to make sure we clean up
+ // thread local immediately after we used the information, otherwise some other people
+ // security my be screwed up, on account of thread local security stack being corrupted.
+ if (authenticated)
+ {
+ pushSecurityContext(principal, passwordChars, subject);
+ Set<Principal> rolePrincipals = getRolePrincipals(checkType, roles);
+
+ authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);
+
+ if (trace)
+ {
+ JBossASSecurityManager.log.trace("user " + user +
+ (authenticated ? " is " : " is NOT ") +
+ "authorized");
+ }
+ popSecurityContext();
+ }
+ return authenticated;
}
- popSecurityContext();
- }
- return authenticated;
+ });
}
private boolean useClientAuthentication(final Set<Role> roles, final CheckType checkType)
{
- SecurityContext sc = SecurityContextAssociation.getSecurityContext();
- Principal principal = sc.getUtil().getUserPrincipal();
+ return AccessController.doPrivileged(new PrivilegedAction<Boolean>()
+ {
+ public Boolean run()
+ {
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ Principal principal = sc.getUtil().getUserPrincipal();
- char[] passwordChars = (char[]) sc.getUtil().getCredential();
+ char[] passwordChars = (char[])sc.getUtil().getCredential();
- Subject subject = sc.getSubjectInfo().getAuthenticatedSubject();
+ Subject subject = sc.getSubjectInfo().getAuthenticatedSubject();
- boolean authenticated = authenticationManager.isValid(principal, passwordChars, subject);
+ boolean authenticated = authenticationManager.isValid(principal, passwordChars, subject);
- if (authenticated)
- {
- Set<Principal> rolePrincipals = getRolePrincipals(checkType, roles);
+ if (authenticated)
+ {
+ Set<Principal> rolePrincipals = getRolePrincipals(checkType, roles);
- authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);
+ authenticated = realmMapping.doesUserHaveRole(principal, rolePrincipals);
- if (trace)
- {
- JBossASSecurityManager.log.trace("user " + principal.getName() + (authenticated ? " is " : " is NOT ") + "authorized");
+ if (trace)
+ {
+ JBossASSecurityManager.log.trace("user " + principal.getName() +
+ (authenticated ? " is " : " is NOT ") +
+ "authorized");
+ }
+ }
+ return authenticated;
}
- }
- return authenticated;
+
+ });
+
}
private void popSecurityContext()

0 comments on commit 0868ec5

Please sign in to comment.