
[EAP6-69] Modify the quickstart to make use of the new API to achieve this capability. #868

Closed
wants to merge 5 commits into from

3 participants

@darranl

No description provided.

ejb-security-interceptors/pom.xml
@@ -46,7 +46,7 @@
<version.jboss.maven.plugin>7.4.Final</version.jboss.maven.plugin>
- <version.jboss.as>7.2.1.Final-redhat-10</version.jboss.as>
+ <version.jboss.as>7.4.0.Final-redhat-SNAPSHOT</version.jboss.as>
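Review bot: the `7.4.0.Final-redhat-SNAPSHOT` value on the `+` line makes the quickstart build non-reproducible, because a SNAPSHOT resolves to whatever was most recently deployed and gives a reader of the quickstart no fixed artefact to fetch; pin `version.jboss.as` to a released build tag, and if only the new security API artefacts need the newer server version, give them their own version property rather than moving the whole EAP dependency set.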
@rafabene Owner

Shouldn't we release a -build version on jboss-developer.github.io/temp-maven-repo/ ?

@sgilda
Owner

@rafabene is right. This is an API change, however. This change will break this for JBoss EAP 6.2. You need JBoss EAP 6.3 for this one.

@darranl , I noticed a few things:

  • These changes only work against EAP 6.3, correct?
  • Should the README be updated to talk about the new API and also to note that it only works against JBoss EAP 6.3?

I am having difficulty getting this to compile.
I believe the new module should be added to the http://jboss-developer.github.io/temp-maven-repo/ Maven repository.
I had to change the following property:

    <!--   <version.jboss.as>7.4.0.Final-redhat-SNAPSHOT</version.jboss.as> -->
    <version.jboss.as>7.4.0.Final-redhat-2</version.jboss.as>

Even with these changes, I get the following errors when I try to build the quickstart:

    [ERROR] The build could not read 1 project -> [Help 1]
    [ERROR]   
    [ERROR]   The project org.jboss.quickstarts.eap:jboss-ejb-security-interceptors:6.2.0-redhat-SNAPSHOT (/home/sgilda/GitRepos/jboss-eap-quickstarts/ejb-security-interceptors/pom.xml) has 2 errors
    [ERROR]     'dependencies.dependency.version' for org.jboss.as:jboss-as-security-api:jar is missing. @ line 90, column 21
    [ERROR]     'dependencies.dependency.version' for org.wildfly:wildfly-core-security-api:jar is missing. @ line 94, column 21

I also noticed the following in the POM file, which does not sound correct:

    <dependency>
        <groupId>org.wildfly</groupId>
        <artifactId>wildfly-core-security-api</artifactId>
    </dependency>
@sgilda
Owner

Now I am getting this error on the build:

    [ERROR] The project org.jboss.quickstarts.eap:jboss-ejb-security-interceptors:6.2.0-redhat-SNAPSHOT (/home/sgilda/GitRepos/jboss-eap-quickstarts/ejb-security-interceptors/pom.xml) has 9 errors
    [ERROR] Non-resolvable import POM: Could not find artifact org.jboss.as:jboss-as-ejb-client-bom:pom:7.4.0.build-1 in jboss-developer-repository (http://jboss-developer.github.io/temp-maven-repo/) @ line 78, column 25 -> [Help 2]
    [ERROR] 'dependencies.dependency.version' for org.jboss.as:jboss-as-security-api:jar is missing. @ line 90, column 21
    [ERROR] 'dependencies.dependency.version' for org.picketbox:picketbox:jar is missing. @ line 104, column 21
    [ERROR] 'dependencies.dependency.version' for org.wildfly:wildfly-core-security-api:jar is missing. @ line 109, column 21
    [ERROR] 'dependencies.dependency.version' for org.jboss.ejb3:jboss-ejb3-ext-api:jar is missing. @ line 146, column 21
    [ERROR] 'dependencies.dependency.version' for org.jboss:jboss-ejb-client:jar is missing. @ line 153, column 21
    [ERROR] 'dependencies.dependency.version' for org.jboss.xnio:xnio-api:jar is missing. @ line 159, column 21
    [ERROR] 'dependencies.dependency.version' for org.jboss.xnio:xnio-nio:jar is missing. @ line 165, column 21
    [ERROR] 'dependencies.dependency.version' for org.jboss.marshalling:jboss-marshalling-river:jar is missing. @ line 172, column 21
    [ERROR]

@sgilda sgilda commented on the diff
ejb-security-interceptors/pom.xml
((8 lines not shown))
+ <groupId>org.jboss.as</groupId>
+ <artifactId>jboss-as-build-config</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.jboss.as</groupId>
+ <artifactId>jboss-as-security</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.picketbox</groupId>
+ <artifactId>picketbox</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>org.wildfly</groupId>
@sgilda Owner
sgilda added a note

Do we need wildfly dependencies with EAP 6.3?

@darranl
darranl added a note

Yes, this is the name of the module containing the new API.

@sgilda
Owner

@darranl : Got further this time, but got this error:

    [ERROR] Failed to execute goal on project jboss-ejb-security-interceptors: Could not resolve dependencies for project org.jboss.quickstarts.eap:jboss-ejb-security-interceptors:jar:6.2.0-redhat-SNAPSHOT: Failed to collect dependencies for [org.jboss.as:jboss-as-security-api:jar:7.4.0.build-1 (compile), org.picketbox:picketbox:jar:4.0.17.SP2-redhat-2 (compile), org.wildfly:wildfly-core-security-api:jar:7.4.0.build-1 (compile), javax.enterprise:cdi-api:jar:1.0-SP4-redhat-2 (compile), org.jboss.spec.javax.annotation:jboss-annotations-api_1.1_spec:jar:1.0.1.Final-redhat-2 (compile), org.jboss.spec.javax.servlet:jboss-servlet-api_3.0_spec:jar:1.0.2.Final-redhat-1 (compile), org.jboss.spec.javax.ejb:jboss-ejb-api_3.1_spec:jar:1.0.2.Final-redhat-2 (compile), org.jboss.ejb3:jboss-ejb3-ext-api:jar:2.0.0-redhat-2 (compile), org.jboss:jboss-ejb-client:jar:1.0.23.Final-redhat-1 (compile), org.jboss.xnio:xnio-api:jar:3.0.7.GA-redhat-1 (runtime), org.jboss.xnio:xnio-nio:jar:3.0.7.GA-redhat-1 (runtime), org.jboss.marshalling:jboss-marshalling-river:jar:1.3.18.GA-redhat-1 (runtime), org.jboss.spec.javax.transaction:jboss-transaction-api_1.1_spec:jar:1.0.1.Final-redhat-2 (runtime)]: Failed to read artifact descriptor for org.jboss.as:jboss-as-security-api:jar:7.4.0.build-1: Could not find artifact org.jboss.as:jboss-as-security-parent:pom:7.4.0.build-1 in jboss-developer-repository (http://jboss-developer.github.io/temp-maven-repo/) -> [Help 1]

@darranl

I will have another look later.

@darranl darranl [EAP6-69] Add a dependency on JBoss SASL, this was previously being imported as a transitive dependency; however, if we add it like this we can ensure it is a runtime-only dependency.
64602a4
@sgilda
Owner

This was merged.

@sgilda sgilda closed this
Commits on Mar 13, 2014
  1. @darranl
  2. @darranl
  3. @darranl
  4. @darranl

    [EAP6-69] Specify the exact version just for the new API artefacts, leave the original dependencies on the old version.

    darranl authored
  5. @darranl

    [EAP6-69] Add a dependency on JBoss SASL, this was previously being imported as a transitive dependency; however, if we add it like this we can ensure it is a runtime-only dependency.

    darranl authored
24 ejb-security-interceptors/README.md
@@ -5,7 +5,7 @@ Level: Advanced
Technologies: EJB, Security
Summary: Demonstrates how interceptors can be used to switch the identity for EJB calls on a call by call basis.
Target Product: EAP
-Product Versions: EAP 6.1, EAP 6.2
+Product Versions: EAP 6.3
Source: <https://github.com/jboss-developer/jboss-eap-quickstarts/>
What is it?
@@ -21,7 +21,7 @@ Rather than open multiple client connections, this quickstart offers an alternat
The quickstart then makes use of two EJBs, `SecuredEJB` and `IntermediateEJB`, to verify that the propagation and identity switching is correct and a `RemoteClient` standalone client.
-_Note: This quickstart uses two classes, org.jboss.as.controller.security.SubjectUserInfo and org.jboss.as.domain.management.security.RealmUser, that are part of the JBoss EAP private API. A public API will become available in the EAP 6.3 release and the private classes will be deprecated, but these classes will be maintained and available for the duration of the EAP 6.x release cycle._
+_Note: A previous version of this quickstart had been making use of internal classes, this quickstart has now been updated to make use a new API available from EAP 6.3_
### SecuredEJB
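Review bot: the replacement note on the `+` line has a grammar slip (`make use a new API` should read `make use of a new API`) and no closing period, and it drops the information sgilda asked for in this thread: which classes were replaced and that the quickstart now requires EAP 6.3 and will not run on 6.1 or 6.2. Suggest: `_Note: A previous version of this quickstart used the internal classes org.jboss.as.controller.security.SubjectUserInfo and org.jboss.as.domain.management.security.RealmUser; it has been updated to use the public API introduced in EAP 6.3 and no longer runs on earlier releases._`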
@@ -67,7 +67,7 @@ This quickstart uses the ServiceLoader mechanism for registering the EJB client
System requirements
-------------------
-The application this project produces is designed to be run on Red Hat JBoss Enterprise Application Platform 6.1 or later.
+The application this project produces is designed to be run on Red Hat JBoss Enterprise Application Platform 6.3 or later.
All you need to build this project is Java 6.0 (Java SDK 1.6) or later, Maven 3.0 or later.
@@ -140,19 +140,11 @@ You configure the security domain by running JBoss CLI commands. For your conven
EAP_HOME/bin/jboss-cli.sh --connect --file=configure-security-domain.cli
You should see the following result when you run the script:
- #1 /subsystem=security/security-domain=quickstart-domain:add(cache-type=default)
- #2 /subsystem=security/security-domain=quickstart-domain/authentication=classic:add
- #3 /subsystem=security/security-domain=quickstart-domain/authentication=classic/login-module=DelegationLoginModule:add(code=org.jboss.as.quickstarts.ejb_security_interceptors.DelegationLoginModule,flag=optional,module-options={password-stacking=useFirstPass})
- #4 /subsystem=security/security-domain=quickstart-domain/authentication=classic/login-module=Remoting:add(code=Remoting,flag=optional,module-options={password-stacking=useFirstPass})
- #5 /subsystem=security/security-domain=quickstart-domain/authentication=classic/login-module=RealmDirect:add(code=RealmDirect,flag=required,module-options={password-stacking=useFirstPass})
- #6 /core-service=management/security-realm=ejb-outbound-realm:add
- #7 /core-service=management/security-realm=ejb-outbound-realm/server-identity=secret:add(value="Q29ubmVjdGlvblBhc3N3b3JkMSE=")
- #8 /socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=ejb-outbound:add(host=localhost,port=4447)
- #9 /subsystem=remoting/remote-outbound-connection=ejb-outbound-connection:add(outbound-socket-binding-ref=ejb-outbound,username=ConnectionUser,security-realm=ejb-outbound-realm)
- #10 /subsystem=remoting/remote-outbound-connection=ejb-outbound-connection/property=SSL_ENABLED:add(value=false)
- The batch executed successfully.
- {"outcome" => "success"}
-
+ The batch executed successfully
+ {
+ "outcome" => "success",
+ "result" => undefined
+ }
Review the Modified Server Configuration
-----------------------------------
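Review bot: deleting the `#1` to `#10` lines removes the only place the README showed what `configure-security-domain.cli` actually configures, so a reader can no longer check the server state against the script. Keep a short description of those steps (the `quickstart-domain` with its `DelegationLoginModule`, `Remoting` and `RealmDirect` login modules, the `ejb-outbound-realm` server identity, and the `ejb-outbound-connection` to localhost:4447) in the `Review the Modified Server Configuration` section. That is also the place to state that the outbound connection is created with `SSL_ENABLED` set to `false` and that the realm secret is stored as a base64 value, which anyone adapting this setup for a real deployment needs to know.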
37 ejb-security-interceptors/pom.xml
@@ -46,6 +46,7 @@
<version.jboss.maven.plugin>7.4.Final</version.jboss.maven.plugin>
+ <version.security.api>7.4.0.build-1</version.security.api>
<version.jboss.as>7.2.1.Final-redhat-10</version.jboss.as>
<version.jboss.spec.javaee.6.0>3.0.2.Final-redhat-4</version.jboss.spec.javaee.6.0>
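Review bot: introducing `version.security.api` at `7.4.0.build-1` while `version.jboss.as` stays at `7.2.1.Final-redhat-10` means the security API artefacts and the rest of the EAP dependency set are resolved from two different server builds; that is workable for a quickstart, but the `Could not find artifact org.jboss.as:jboss-as-security-parent:pom:7.4.0.build-1` failure reported later in this thread shows the parent POM for that build is not in the temp repository, so this property only helps once the 7.4.0.build-1 parent and API artefacts are published there.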
@@ -88,7 +89,34 @@
<dependency>
<groupId>org.jboss.as</groupId>
- <artifactId>jboss-as-security</artifactId>
+ <artifactId>jboss-as-security-api</artifactId>
+ <version>${version.security.api}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.jboss.as</groupId>
+ <artifactId>jboss-as-build-config</artifactId>
+ </exclusion>
+ <exclusion>
+ <groupId>org.jboss.as</groupId>
+ <artifactId>jboss-as-security</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>org.picketbox</groupId>
+ <artifactId>picketbox</artifactId>
+ </dependency>
+
+ <dependency>
+ <groupId>org.wildfly</groupId>
+ <artifactId>wildfly-core-security-api</artifactId>
+ <version>${version.security.api}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.jboss.as</groupId>
+ <artifactId>jboss-as-build-config</artifactId>
+ </exclusion>
+ </exclusions>
</dependency>
<!-- Import the CDI API, we use provided scope as the API is included in
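Review bot: the `org.picketbox:picketbox` dependency added in this hunk carries no `<version>` and, unlike `wildfly-core-security-api`, is not covered by `${version.security.api}`; sgilda's build log in this thread reports `'dependencies.dependency.version' for org.picketbox:picketbox:jar is missing`, so the imported BOM does not manage it. Either add an explicit version or import the BOM that manages picketbox. The `jboss-as-build-config` exclusions and the exclusion of the old `jboss-as-security` artefact are the right way to keep the internal module from returning transitively.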
@@ -129,6 +157,13 @@
<artifactId>jboss-ejb-client</artifactId>
</dependency>
+ <!-- Contains SASL mechanisms to authenticate to server. -->
+ <dependency>
+ <groupId>org.jboss.sasl</groupId>
+ <artifactId>jboss-sasl</artifactId>
+ <scope>runtime</scope>
+ </dependency>
+
<!-- client communications with the server use XNIO -->
<dependency>
<groupId>org.jboss.xnio</groupId>
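Review bot: declaring `org.jboss.sasl:jboss-sasl` explicitly with `<scope>runtime</scope>` is the right call; a SASL mechanism set that only arrives transitively can change or disappear with an unrelated dependency bump, which would alter how the client authenticates to the server. The dependency has no `<version>` element, so it relies on the imported BOM managing it; none of the build errors in this thread list jboss-sasl, which suggests it does, but that is worth confirming before merge.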
2  ejb-security-interceptors/src/main/java/org/jboss/as/quickstarts/ejb_security_interceptors/EJBUtil.java
@@ -23,7 +23,7 @@
/**
* Utility class for looking up EJBs
- *
+ *
* @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
*/
class EJBUtil {
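Review bot: this hunk only changes trailing whitespace on a javadoc line (`* ` to `*`); harmless, but it adds a file to the diff with no functional change and distracts from the real changes. Consider dropping it, or keeping whitespace clean-ups in a separate commit.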
9 ...y-interceptors/src/main/java/org/jboss/as/quickstarts/ejb_security_interceptors/OuterUserCredential.java
@@ -16,19 +16,18 @@
*/
package org.jboss.as.quickstarts.ejb_security_interceptors;
-// The following class is part of the JBoss private API and will be deprecated in the next release.
-import org.jboss.as.domain.management.security.RealmUser;
+import org.jboss.as.core.security.api.UserPrincipal;
/**
* A wrapper around the user for the Connection to act as a Credential.
- *
+ *
* @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
*/
public final class OuterUserCredential {
- private final RealmUser user;
+ private final UserPrincipal user;
- OuterUserCredential(final RealmUser user) {
+ OuterUserCredential(final UserPrincipal user) {
if (user == null) {
throw new IllegalArgumentException("UserPrincipal can not be null.");
}
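Review bot: the switch from `RealmUser` to `UserPrincipal` keeps the constructor package-private (`OuterUserCredential(final UserPrincipal user)`), which matters: this object is passed to `pushIdentity` as the credential that vouches for the connection's authenticated user, so only code in this package should be able to construct one. Please keep that visibility, and say in the class javadoc that the wrapped principal comes from the connection rather than from the caller. The `UserPrincipal can not be null.` message now matches the parameter type.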
102 ...urity-interceptors/src/main/java/org/jboss/as/quickstarts/ejb_security_interceptors/SecurityActions.java
@@ -21,18 +21,19 @@
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
+import java.util.Collection;
import javax.security.auth.Subject;
-import org.jboss.as.security.remoting.RemotingContext;
-import org.jboss.remoting3.Connection;
+import org.jboss.as.security.api.ConnectionSecurityContext;
+import org.jboss.as.security.api.ContextStateCache;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
/**
* Security actions for this package only.
- *
+ *
* @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
*/
final class SecurityActions {
@@ -41,83 +42,92 @@ private SecurityActions() {
}
/*
- * RemotingContext Actions
+ * ConnectionSecurityContext Actions
*/
- static void remotingContextClear() {
- remotingContextActions().clear();
+ static Collection<Principal> getConnectionPrincipals() {
+ return connectionSecurityContextActions().getConnectionPrincipals();
}
- static Connection remotingContextGetConnection() {
- return remotingContextActions().getConnection();
+ static ContextStateCache pushIdentity(final Principal principal, final Object credential) throws Exception {
+ return connectionSecurityContextActions().pushIdentity(principal, credential);
}
- static boolean remotingContextIsSet() {
- return remotingContextActions().isSet();
+ static void popIdentity(final ContextStateCache stateCache) {
+ connectionSecurityContextActions().popIdentity(stateCache);
}
- private static RemotingContextActions remotingContextActions() {
- return System.getSecurityManager() == null ? RemotingContextActions.NON_PRIVILEGED : RemotingContextActions.PRIVILEGED;
+ private static ConnectionSecurityContextActions connectionSecurityContextActions() {
+ return System.getSecurityManager() == null ? ConnectionSecurityContextActions.NON_PRIVILEGED : ConnectionSecurityContextActions.PRIVILEGED;
}
- private interface RemotingContextActions {
+ private interface ConnectionSecurityContextActions {
- void clear();
+ Collection<Principal> getConnectionPrincipals();
- Connection getConnection();
+ ContextStateCache pushIdentity(final Principal principal, final Object credential) throws Exception;
- boolean isSet();
+ void popIdentity(final ContextStateCache stateCache);
- RemotingContextActions NON_PRIVILEGED = new RemotingContextActions() {
+ ConnectionSecurityContextActions NON_PRIVILEGED = new ConnectionSecurityContextActions() {
- public void clear() {
- RemotingContext.clear();
+ public Collection<Principal> getConnectionPrincipals() {
+ return ConnectionSecurityContext.getConnectionPrincipals();
}
- public boolean isSet() {
- return RemotingContext.isSet();
+ @Override
+ public ContextStateCache pushIdentity(final Principal principal, final Object credential) throws Exception {
+ return ConnectionSecurityContext.pushIdentity(principal, credential);
}
- public Connection getConnection() {
- return RemotingContext.getConnection();
+ @Override
+ public void popIdentity(ContextStateCache stateCache) {
+ ConnectionSecurityContext.popIdentity(stateCache);
}
};
- RemotingContextActions PRIVILEGED = new RemotingContextActions() {
+ ConnectionSecurityContextActions PRIVILEGED = new ConnectionSecurityContextActions() {
- PrivilegedAction<Void> CLEAR_ACTION = new PrivilegedAction<Void>() {
+ PrivilegedAction<Collection<Principal>> GET_CONNECTION_PRINCIPALS_ACTION = new PrivilegedAction<Collection<Principal>>() {
- public Void run() {
- NON_PRIVILEGED.clear();
- return null;
+ @Override
+ public Collection<Principal> run() {
+ return NON_PRIVILEGED.getConnectionPrincipals();
}
};
- PrivilegedAction<Boolean> IS_SET_ACTION = new PrivilegedAction<Boolean>() {
-
- public Boolean run() {
- return NON_PRIVILEGED.isSet();
- }
- };
+ public Collection<Principal> getConnectionPrincipals() {
+ return AccessController.doPrivileged(GET_CONNECTION_PRINCIPALS_ACTION);
+ }
- PrivilegedAction<Connection> GET_CONNECTION_ACTION = new PrivilegedAction<Connection>() {
+ @Override
+ public ContextStateCache pushIdentity(final Principal principal, final Object credential) throws Exception {
+ try {
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<ContextStateCache>() {
- public Connection run() {
- return NON_PRIVILEGED.getConnection();
+ @Override
+ public ContextStateCache run() throws Exception {
+ return NON_PRIVILEGED.pushIdentity(principal, credential);
+ }
+ });
+ } catch (PrivilegedActionException e) {
+ throw e.getException();
}
- };
-
- public void clear() {
- AccessController.doPrivileged(CLEAR_ACTION);
}
- public boolean isSet() {
- return AccessController.doPrivileged(IS_SET_ACTION);
- }
+ @Override
+ public void popIdentity(final ContextStateCache stateCache) {
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
+
+ @Override
+ public Void run() {
+ NON_PRIVILEGED.popIdentity(stateCache);
+ return null;
+ }
+ });
- public Connection getConnection() {
- return AccessController.doPrivileged(GET_CONNECTION_ACTION);
}
+
};
}
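Review bot: `NON_PRIVILEGED.getConnectionPrincipals()` is the only overriding method in this hunk without `@Override` (its neighbours `pushIdentity` and `popIdentity` both carry it); add it for consistency so that a future signature change in `ConnectionSecurityContextActions` fails at compile time. The privileged `pushIdentity` correctly unwraps `PrivilegedActionException` with `throw e.getException()`, so callers see the real cause rather than the wrapper.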
48 ...rceptors/src/main/java/org/jboss/as/quickstarts/ejb_security_interceptors/ServerSecurityInterceptor.java
@@ -17,17 +17,15 @@
package org.jboss.as.quickstarts.ejb_security_interceptors;
import java.security.Principal;
+import java.util.Collection;
import java.util.Map;
import javax.ejb.EJBAccessException;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;
-import javax.resource.spi.IllegalStateException;
-// The following class is part of the JBoss private API and will be deprecated in the next release.
-import org.jboss.as.controller.security.SubjectUserInfo;
-// The following class is part of the JBoss private API and will be deprecated in the next release.
-import org.jboss.as.domain.management.security.RealmUser;
+import org.jboss.as.core.security.api.UserPrincipal;
+import org.jboss.as.security.api.ContextStateCache;
import org.jboss.logging.Logger;
import org.jboss.remoting3.Connection;
import org.jboss.remoting3.security.UserInfo;
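Review bot: after this change `org.jboss.remoting3.Connection` and `org.jboss.remoting3.security.UserInfo` are still imported but no longer used, since the `Connection con` / `UserInfo userInfo` lookup is deleted further down in this file in favour of `SecurityActions.getConnectionPrincipals()`. Remove both imports, and once they are gone check whether this class still needs anything from the `org.jboss.remoting3` module.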
@@ -35,7 +33,7 @@
/**
* The server side security interceptor responsible for handling any security identity propagated from the client.
- *
+ *
* @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
*/
public class ServerSecurityInterceptor {
@@ -47,23 +45,19 @@
@AroundInvoke
public Object aroundInvoke(final InvocationContext invocationContext) throws Exception {
Principal desiredUser = null;
- RealmUser connectionUser = null;
+ UserPrincipal connectionUser = null;
Map<String, Object> contextData = invocationContext.getContextData();
if (contextData.containsKey(DELEGATED_USER_KEY)) {
desiredUser = new SimplePrincipal((String) contextData.get(DELEGATED_USER_KEY));
- Connection con = SecurityActions.remotingContextGetConnection();
-
- if (con != null) {
- UserInfo userInfo = con.getUserInfo();
- if (userInfo instanceof SubjectUserInfo) {
- SubjectUserInfo sinfo = (SubjectUserInfo) userInfo;
- for (Principal current : sinfo.getPrincipals()) {
- if (current instanceof RealmUser) {
- connectionUser = (RealmUser) current;
- break;
- }
+ Collection<Principal> connectionPrincipals = SecurityActions.getConnectionPrincipals();
+
+ if (connectionPrincipals != null) {
+ for (Principal current : connectionPrincipals) {
+ if (current instanceof UserPrincipal) {
+ connectionUser = (UserPrincipal) current;
+ break;
}
}
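Review bot: the new loop takes the first `UserPrincipal` in the collection and stops, matching the old first-match behaviour, so no regression there; but the `connectionPrincipals != null` guard silently covers both "no connection" and "API returned null". Check the `getConnectionPrincipals()` contract: if it returns an empty collection when no connection is associated, the null check is dead code; if it can return null, a comment stating that this is the no-connection case would help the next reader.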
@@ -72,20 +66,16 @@ public Object aroundInvoke(final InvocationContext invocationContext) throws Exc
}
}
- SecurityContext cachedSecurityContext = null;
- boolean contextSet = false;
+
+ ContextStateCache stateCache = null;
try {
if (desiredUser != null && connectionUser != null
&& (desiredUser.getName().equals(connectionUser.getName()) == false)) {
// The final part of this check is to verify that the change does actually indicate a change in user.
try {
- // We have been requested to switch user and have successfully identified the user from the connection
+ // We have been requested to use an authentication token
// so now we attempt the switch.
- cachedSecurityContext = SecurityActions.securityContextSetPrincipalInfo(desiredUser,
- new OuterUserCredential(connectionUser));
- // keep track that we switched the security context
- contextSet = true;
- SecurityActions.remotingContextClear();
+ stateCache = SecurityActions.pushIdentity(desiredUser, new OuterUserCredential(connectionUser));
} catch (Exception e) {
logger.error("Failed to switch security context for user", e);
// Don't propagate the exception stacktrace back to the client for security reasons
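Review bot: the replacement comment `We have been requested to use an authentication token` no longer describes the code, which pushes `desiredUser` with an `OuterUserCredential` wrapping the connection user and involves no token; restore the earlier wording (`We have been requested to switch user and have successfully identified the user from the connection`). Also, the old path called `SecurityActions.remotingContextClear()` after the switch while the new one relies entirely on `pushIdentity`; please confirm the API shadows or clears the connection identity for the duration of the call, so downstream code cannot read the original connection user while acting as `desiredUser`.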
@@ -95,9 +85,9 @@ public Object aroundInvoke(final InvocationContext invocationContext) throws Exc
return invocationContext.proceed();
} finally {
- // switch back to original security context
- if (contextSet) {
- SecurityActions.securityContextSet(cachedSecurityContext);
+ // switch back to original context
+ if (stateCache != null) {
+ SecurityActions.popIdentity(stateCache);;
}
}
}
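Review bot: `SecurityActions.popIdentity(stateCache);;` on the `+` line has a doubled semicolon; drop the second one. Popping in `finally` only when `stateCache != null` is the right structure: the identity is restored on every exit path, and a failed push leaves `stateCache` null so there is nothing to pop.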
4 ejb-security-interceptors/src/main/resources/META-INF/jboss-deployment-structure.xml
@@ -19,8 +19,8 @@
<deployment>
<dependencies>
<module name="org.jboss.remoting3" />
- <module name="org.jboss.as.domain-management" />
- <module name="org.jboss.as.controller" />
+ <module name="org.jboss.as.core-security-api" />
+ <module name="org.jboss.as.security-api" />
</dependencies>
</deployment>
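Review bot: replacing `org.jboss.as.domain-management` and `org.jboss.as.controller` with the two `*-security-api` modules is a real reduction in what this deployment can reach inside the server, since the old entries exposed private management and controller classes to application code. `org.jboss.remoting3` is kept, so confirm something in the deployment still uses it now that `ServerSecurityInterceptor` no longer touches `Connection` or `UserInfo`.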