
more on web jacc; fix digest authentication

fixing principal propagation
mmoyses committed Oct 17, 2011
1 parent e58a13a commit ba3c43f8dfc9c201098392c5ebf90474e49aa5a8
@@ -31,6 +31,7 @@
<dependencies>
<module name="javax.api"/>
<module name="javax.security.jacc.api"/>
<module name="javax.servlet.api"/>
<module name="javax.transaction.api"/>
<module name="org.infinispan"/>
<module name="org.jboss.as.clustering.infinispan"/>
@@ -33,6 +33,7 @@
<module name="javax.resource.api"/>
<module name="javax.security.auth.message.api"/>
<module name="javax.security.jacc.api"/>
<module name="javax.servlet.api"/>
<module name="javax.transaction.api"/>
<module name="javax.xml.bind.api"/>
<module name="javax.xml.stream.api"/>
@@ -359,6 +359,16 @@
<login-module code="UsersRoles" flag="required"/>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
</security-domains>
</subsystem>
<subsystem xmlns="urn:jboss:domain:threads:1.0"/>
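Review bot: The new `jboss-web-policy` and `jboss-ejb-policy` domains are undocumented in the configuration: nothing says which deployments fall back to them or what the `Delegating` policy module defers to, and the names are the only hint. Presumably the Delegating module dispatches to a layer-specific (web or EJB) authorization module — confirm against the PicketBox module — and an XML comment above each domain, e.g. `<!-- Default authorization policy for web deployments that do not declare their own security domain -->`, would make that intent visible to operators editing this file. `cache-type="default"` on domains that define no `<authentication>` element looks copied from the domains above; if the cache only holds authentication results it is inert here and could be dropped to avoid suggesting otherwise.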
@@ -207,7 +207,7 @@
<version.org.jboss.xnio.xnio-nio>3.0.0.Beta5</version.org.jboss.xnio.xnio-nio>
<version.org.jgroups>2.12.1.3.Final</version.org.jgroups>
<version.org.mockito>1.8.5</version.org.mockito>
<version.org.picketbox>4.0.4.Final</version.org.picketbox>
<version.org.picketbox>4.0.5.Final</version.org.picketbox>
<version.org.picketbox.picketbox-commons>1.0.0.CR1</version.org.picketbox.picketbox-commons>
<version.org.projectodd.stilts>0.1.20</version.org.projectodd.stilts>
<version.org.scannotation>1.0.2</version.org.scannotation>
@@ -108,7 +108,7 @@ public void start(StartContext context) throws StartException {

// Register the JAAS CallbackHandler JACC PolicyContextHandlers
CallbackHandlerPolicyContextHandler chandler = new CallbackHandlerPolicyContextHandler();
PolicyContext.registerHandler(CallbackHandlerPolicyContextHandler.CALLBACK_HANDLER_KEY, chandler, true);
PolicyContext.registerHandler(SecurityConstants.CALLBACK_HANDLER_KEY, chandler, true);

// Handle the Security Properties
if (securityProperty != null) {
@@ -130,7 +130,7 @@ public void start(StartContext context) throws StartException {
public void stop(StopContext context) {
// remove handlers
Set handlerKeys = PolicyContext.getHandlerKeys();
handlerKeys.remove(CallbackHandlerPolicyContextHandler.CALLBACK_HANDLER_KEY);
handlerKeys.remove(SecurityConstants.CALLBACK_HANDLER_KEY);
handlerKeys.remove(SecurityConstants.SUBJECT_CONTEXT_KEY);

// Install the policy provider that existed on startup
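Review bot: The unregistration at `handlerKeys.remove(SecurityConstants.CALLBACK_HANDLER_KEY)` and the following line relies on the `Set` returned by `PolicyContext.getHandlerKeys()` being a live view of the handler table; the JACC API does not promise that, and on a provider that returns a copy these removes are no-ops and the handlers registered in start() leak across service restarts. Since `PolicyContext` offers no unregister call, the assumption should at least be stated next to the raw `Set handlerKeys`: `// PolicyContext has no unregister API; this depends on getHandlerKeys() returning a live view of the handler table — verify for the provider in use`. stop() also removes `SUBJECT_CONTEXT_KEY`, whose registration is not in the start() hunk, while the `WEB_REQUEST_KEY` handler added by this commit is not removed here — if it is registered through this service as well, it needs the same treatment. Both start() and stop() continue outside the hunks shown.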
@@ -26,9 +26,7 @@
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.HttpConstraintElement;
import javax.servlet.HttpMethodConstraintElement;
@@ -65,7 +63,6 @@
import org.jboss.as.web.deployment.helpers.VFSDirContext;
import org.jboss.as.web.session.DistributableSessionManager;
import org.jboss.logging.Logger;
import org.jboss.metadata.javaee.jboss.RunAsIdentityMetaData;
import org.jboss.metadata.javaee.spec.DescriptionGroupMetaData;
import org.jboss.metadata.javaee.spec.ParamValueMetaData;
import org.jboss.metadata.javaee.spec.SecurityRoleMetaData;
@@ -882,22 +879,6 @@ protected void completeConfig() {
if (ok && (metaData != null)) {
// Resolve run as
metaData.resolveRunAs();
Map<String, RunAsIdentityMetaData> runAs = metaData.getRunAsIdentity();
Map<String, RunAsIdentityMetaData> newRunAs = new ConcurrentHashMap<String, RunAsIdentityMetaData>();
Map<String, Set<String>> principalVersusRolesMap = metaData.getSecurityRoles().getPrincipalVersusRolesMap();
for (Entry<String, RunAsIdentityMetaData> entry : runAs.entrySet()) {
String roleName = entry.getValue().getRoleName();
if (principalVersusRolesMap.containsKey(roleName)) {
Set<String> principals = principalVersusRolesMap.get(roleName);
// assign the first (and probably only) principal as the run as principal
String runAsPrincipal = principals.iterator().next();
RunAsIdentityMetaData newRunAsIdentity = new RunAsIdentityMetaData(roleName, runAsPrincipal);
newRunAs.put(entry.getKey(), newRunAsIdentity);
}
}
if (!newRunAs.isEmpty()) {
metaData.setRunAsIdentity(newRunAs);
}
}

// Configure an authenticator if we need one
@@ -28,7 +28,6 @@
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.security.jacc.PolicyConfiguration;
import javax.servlet.ServletContext;
@@ -202,7 +201,6 @@ protected void processDeployment(final String hostName, final WarMetaData warMet

String securityDomain = metaDataSecurityDomain == null ? SecurityConstants.DEFAULT_APPLICATION_POLICY : SecurityUtil
.unprefixSecurityDomain(metaDataSecurityDomain);
Map<String, Set<String>> principalVersusRolesMap = metaData.getSecurityRoles().getPrincipalVersusRolesMap();

// Setup an deployer configured ServletContext attributes
final List<ServletContextAttribute> attributes = deploymentUnit.getAttachment(ServletContextAttribute.ATTACHMENT_KEY);
@@ -217,7 +215,7 @@ protected void processDeployment(final String hostName, final WarMetaData warMet
final ServiceName deploymentServiceName = WebSubsystemServices.deploymentServiceName(hostName, pathName);
final ServiceName realmServiceName = deploymentServiceName.append("realm");

final JBossWebRealmService realmService = new JBossWebRealmService(principalVersusRolesMap);
final JBossWebRealmService realmService = new JBossWebRealmService(deploymentUnit);
ServiceBuilder<?> builder = serviceTarget.addService(realmServiceName, realmService);
builder.addDependency(DependencyType.REQUIRED, SecurityDomainService.SERVICE_NAME.append(securityDomain),
SecurityDomainContext.class, realmService.getSecurityDomainContextInjector()).setInitialMode(Mode.ACTIVE)
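Review bot: `JBossWebRealmService` now receives the whole `DeploymentUnit` at `new JBossWebRealmService(deploymentUnit)` where it previously got only the principal-to-roles map, so the realm keeps the deployment unit and every attachment on it reachable for the lifetime of the realm service, and what the realm actually reads is no longer visible at this call site. If the service only needs `metaData.getSecurityRoles().getPrincipalVersusRolesMap()` — and presumably the run-as identities, given the commit message — extracting those here and passing them explicitly keeps the dependency narrow and the realm testable without a deployment unit. At minimum a comment at the call site naming what the realm pulls from the unit would help, e.g. `// realm resolves principal/role and run-as mappings from the unit's WarMetaData attachment`, with the exact attachments confirmed against the constructor. processDeployment continues outside the hunk.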
@@ -0,0 +1,59 @@
/*
* JBoss, Home of Professional Open Source.
* Copyright 2011, Red Hat, Inc., and individual contributors
* as indicated by the @author tags. See the copyright.txt file in the
* distribution for a full listing of individual contributors.
*
* This is free software; you can redistribute it and/or modify it
* under the terms of the GNU Lesser General Public License as
* published by the Free Software Foundation; either version 2.1 of
* the License, or (at your option) any later version.
*
* This software is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this software; if not, write to the Free
* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/

package org.jboss.as.web.security;

import javax.security.jacc.PolicyContextException;
import javax.security.jacc.PolicyContextHandler;

import org.jboss.security.SecurityConstants;

/**
* A PolicyContextHandler for the active HttpServletRequest
*
* @author Scott.Stark@jboss.org
* @author <a href="mailto:mmoyses@redhat.com">Marcus Moyses</a>
*/
public class HttpServletRequestPolicyContextHandler implements PolicyContextHandler {

/** {@inheritDoc} */
@Override
public Object getContext(String key, Object data) throws PolicyContextException {
if (!key.equalsIgnoreCase(SecurityConstants.WEB_REQUEST_KEY))
return null;
return SecurityContextAssociationValve.getActiveRequest();
}

/** {@inheritDoc} */
@Override
public String[] getKeys() throws PolicyContextException {
String[] keys = { SecurityConstants.WEB_REQUEST_KEY };
return keys;
}

/** {@inheritDoc} */
@Override
public boolean supports(String key) throws PolicyContextException {
return key.equalsIgnoreCase(SecurityConstants.WEB_REQUEST_KEY);
}

}
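Review bot: `supports()` and `getContext()` compare the key with `equalsIgnoreCase`, but `PolicyContext` dispatches to handlers by the exact key string they were registered under, so a differently-cased key never reaches this handler and the case-insensitive match only misstates the contract; it also throws `NullPointerException` when `key` is null. Using `if (!SecurityConstants.WEB_REQUEST_KEY.equals(key)) return null;` and `return SecurityConstants.WEB_REQUEST_KEY.equals(key);` fixes both. The `data` argument is ignored and the request is obtained from `SecurityContextAssociationValve.getActiveRequest()` rather than from the caller, which the class Javadoc should say, e.g. `Returns the HttpServletRequest that SecurityContextAssociationValve associated with the current thread; the data argument is ignored and null is returned when no request is active` — the per-thread association and the null-when-absent behaviour are inferred from the valve's name and should be confirmed against it. `getKeys()` can also simply `return new String[] { SecurityConstants.WEB_REQUEST_KEY };`.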
