[AS7-3418] Add support for roles to be read from a properties file.

rhusar · Feb 6, 2012 · fa9ac8b · fa9ac8b
1 parent 85af475
commit fa9ac8b
Show file tree

Hide file tree

Showing 29 changed files with 1,086 additions and 276 deletions.
diff --git a/build/src/main/resources/docs/schema/jboss-as-config_1_1.xsd b/build/src/main/resources/docs/schema/jboss-as-config_1_1.xsd
@@ -239,6 +239,7 @@
         <xs:sequence>
             <xs:element name="server-identities" type="server-identitiesType" minOccurs="0" />
             <xs:element name="authentication" type="authenticationType" minOccurs="0" />
+            <xs:element name="authorization" type="authorizationType" minOccurs="0" /> 
         </xs:sequence>
         <xs:attribute name="name" type="xs:string" use="required">
             <xs:annotation>
@@ -248,6 +249,21 @@
             </xs:annotation>
         </xs:attribute>
     </xs:complexType>
+
+    <xs:complexType name="authorizationType">
+        <xs:annotation>
+            <xs:documentation>
+                Configuration defining how to load the authorization information for the authenticated user.
+
+                After a user has been authenticated additional information such as roles can be loaded and 
+                associated with the user for subsequent authorization checks, this type is used to define 
+                how the roles are loaded.                
+            </xs:documentation>
+        </xs:annotation>
+        <xs:sequence>                                                        
+            <xs:element name="properties" type="propertiesFileType" minOccurs="1" />  <!-- minOccurs="1" while this is the only mech -->
+        </xs:sequence>
+    </xs:complexType>    
 
     <xs:complexType name="server-identitiesType">
         <xs:annotation>
@@ -465,14 +481,11 @@
             </xs:annotation>
         </xs:attribute>
     </xs:complexType>
-
-    <xs:complexType name="propertiesAuthenticationType">
+        
+    <xs:complexType name="propertiesFileType">
         <xs:annotation>
             <xs:documentation>
-                Declaration of users stored within properties files.
-
-                The entries within the properties file are username={credentials} with each user
-                being specified on it's own line.
+                Declaration of a location of a properties file.
             </xs:documentation>
         </xs:annotation>
         <xs:attribute name="relative-to" use="optional" type="xs:string">
@@ -488,20 +501,33 @@
         <xs:attribute name="path" type="xs:string" use="required">
             <xs:annotation>
                 <xs:documentation>
-                    The path of the properties file containing the users.
-                </xs:documentation>
-            </xs:annotation>
-        </xs:attribute>
-        <xs:attribute name="plain-text" type="xs:boolean" default="false">
-            <xs:annotation>
-                <xs:documentation>
-                    Are the credentials within the properties file stored in plain text, if not
-                    the {credential} is expected to be the hex encoded Digest hash
-                    of 'username : realm : password'.
+                    The path of the properties file.
                 </xs:documentation>
             </xs:annotation>
         </xs:attribute>
     </xs:complexType>
+
+    <xs:complexType name="propertiesAuthenticationType">
+        <xs:annotation>
+            <xs:documentation>
+                Declaration of users stored within properties files.
+
+                The entries within the properties file are username={credentials} with each user
+                being specified on it's own line.
+            </xs:documentation>
+        </xs:annotation>
+        <xs:complexContent>
+            <xs:attribute name="plain-text" type="xs:boolean" default="false">
+                <xs:annotation>
+                    <xs:documentation>
+                        Are the credentials within the properties file stored in plain text, if not
+                        the {credential} is expected to be the hex encoded Digest hash
+                        of 'username : realm : password'.
+                    </xs:documentation>
+                </xs:annotation>
+            </xs:attribute>        
+        </xs:complexContent>                                
+    </xs:complexType>
 
     <xs:complexType name="host-management-interfacesType">
         <xs:sequence>

diff --git a/build/src/main/resources/modules/org/jboss/as/domain-management/main/module.xml b/build/src/main/resources/modules/org/jboss/as/domain-management/main/module.xml
@@ -38,6 +38,6 @@
         <module name="org.jboss.msc" />
         <module name="org.jboss.sasl"/>
         <module name="org.jboss.staxmapper"/>
-        <module name="javax.api" />
+        <module name="javax.api"/>
     </dependencies>
 </module>
diff --git a/controller/src/main/java/org/jboss/as/controller/descriptions/ModelDescriptionConstants.java b/controller/src/main/java/org/jboss/as/controller/descriptions/ModelDescriptionConstants.java
@@ -49,6 +49,7 @@ public class ModelDescriptionConstants {
     public static final String ARCHIVE = "archive";
     public static final String ATTRIBUTES = "attributes";
     public static final String AUTHENTICATION = "authentication";
+    public static final String AUTHORIZATION = "authorization";
     public static final String AUTO_START = "auto-start";
     public static final String BASE_DN = "base-dn";
     public static final String BOOT_TIME = "boot-time";

diff --git a/controller/src/main/java/org/jboss/as/controller/parsing/Element.java b/controller/src/main/java/org/jboss/as/controller/parsing/Element.java
@@ -34,7 +34,7 @@ public enum Element {
     // must be first
     UNKNOWN(null),
 
-    // Domain 1.0 elements in alpha order
+    // Domain elements in alpha order
     ADVANCED_FILTER("advanced-filter"),
     AGENT_LIB("agent-lib"),
     AGENT_PATH("agent-path"),
@@ -43,6 +43,7 @@ public enum Element {
     ANY_IPV4_ADDRESS("any-ipv4-address"),
     ANY_IPV6_ADDRESS("any-ipv6-address"),
     AUTHENTICATION("authentication"),
+    AUTHORIZATION("authorization"),
 
     CLIENT_MAPPING("client-mapping"),
     CONTENT("content"),

diff --git a/...c/main/resources/org/jboss/as/controller/descriptions/common/LocalDescriptions.properties b/...c/main/resources/org/jboss/as/controller/descriptions/common/LocalDescriptions.properties
@@ -63,6 +63,12 @@ core.management.security-realm.authentication.xml.user=An authorized user.
 core.management.security-realm.authentication.xml.user.add=Adds an authorized user.
 core.management.security-realm.authentication.xml.user.remove=Removes an authorized user.
 core.management.security-realm.authentication.xml.user.password=The user's password.
+core.management.security-realm.authorization=Configuration server side for loading additional user information such as roles to be used for subsequent authorization checks.
+core.management.security-realm.authorization.properties=Configuration to use properties file to load a users roles. The entries within the properties file are username={roles} where roles is a comma separated list of users roles.
+core.management.security-realm.authorization.properties.add=Adds a configuration to use a properties file to load a users roles.
+core.management.security-realm.authorization.properties.remove=Removes a configuration to use a properties file to load a users roles.
+core.management.security-realm.authorization.properties.path=The path of the properties file containing the users roles.
+core.management.security-realm.authorization.properties.relative-to=The name of another previously named path, or of one of the standard paths provided by the system. If 'relative-to' is provided, the value of the 'path' attribute is treated as relative to the path specified by this attribute.
 core.management.ldap-connections=Configurations of connection factories that can be used by a security realm to access LDAP servers as a source of authentication and authorization information.
 core.management.ldap-connection=A connection factory that can be used by a security realm to access an LDAP server as a source of authentication and authorization information.
 core.management.ldap-connection.add=Adds a connection factory that can be used by a security realm to access an LDAP server as a source of authentication and authorization information.

diff --git a/domain-management/pom.xml b/domain-management/pom.xml
@@ -86,11 +86,6 @@
             <artifactId>jboss-msc</artifactId>
         </dependency>
 
-        <dependency>
-            <groupId>org.jboss.remoting3</groupId>
-            <artifactId>jboss-remoting</artifactId>
-        </dependency>
-
         <dependency>
             <groupId>org.jboss.as</groupId>
             <artifactId>jboss-as-controller</artifactId>

diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/DomainManagementMessages.java b/domain-management/src/main/java/org/jboss/as/domain/management/DomainManagementMessages.java
@@ -426,4 +426,13 @@ public interface DomainManagementMessages {
     @Message(id = 15247, value = "Only one of '%s' or '%s' is required.")
     OperationFailedException operationFailedOnlyOneOfRequired(String attr1, String attr2);
 
+    /**
+     * Creates an IllegalArgumentException indicating that a value can not be null.
+     *
+     * @param name - The name of the paramter that can not be null.
+     * @return an {@link IllegalArgumentException} for the error.
+     */
+    @Message(id = 15248, value = "'%s' can not be null.")
+    IllegalArgumentException canNotBeNull(String name);
+
 }
diff --git a/...in-management/src/main/java/org/jboss/as/domain/management/DomainManagementPrincipal.java b/...in-management/src/main/java/org/jboss/as/domain/management/DomainManagementPrincipal.java
@@ -0,0 +1,70 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.jboss.as.domain.management;
+
+import static org.jboss.as.domain.management.DomainManagementMessages.MESSAGES;
+import java.security.Principal;
+
+/**
+ * Base class for Principals define in DomainManagement.
+ *
+ * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
+ */
+public abstract class DomainManagementPrincipal implements Principal {
+
+    private final String name;
+
+    public DomainManagementPrincipal(final String name) {
+        if (name == null) {
+            throw MESSAGES.canNotBeNull("name");
+        }
+        this.name = name;
+    }
+
+    /**
+     * @see java.security.Principal#getName()
+     */
+    public String getName() {
+        return name;
+    }
+
+    @Override
+    public int hashCode() {
+        return name.hashCode();
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        return obj != null && this.getClass().equals(obj.getClass()) ? equals((DomainManagementPrincipal) obj) : false;
+    }
+
+    protected boolean equals(DomainManagementPrincipal principal) {
+        return this == principal || name.equals(principal.name);
+    }
+
+    @Override
+    public String toString() {
+        return name;
+    }
+
+}
diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/RealmRole.java b/domain-management/src/main/java/org/jboss/as/domain/management/RealmRole.java
@@ -0,0 +1,35 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.jboss.as.domain.management;
+
+/**
+ *
+ * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
+ */
+public class RealmRole extends DomainManagementPrincipal {
+
+    public RealmRole(final String name) {
+        super(name);
+    }
+
+}
diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/RealmUser.java b/domain-management/src/main/java/org/jboss/as/domain/management/RealmUser.java
@@ -0,0 +1,36 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.jboss.as.domain.management;
+
+/**
+ * The Principal used to represent the name of an authenticated user.
+ *
+ * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
+ */
+public class RealmUser extends DomainManagementPrincipal {
+
+    public RealmUser(final String name) {
+        super(name);
+    }
+
+}
diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/SecurityRealm.java b/domain-management/src/main/java/org/jboss/as/domain/management/SecurityRealm.java
@@ -24,6 +24,7 @@
 import javax.net.ssl.SSLContext;
 
 import org.jboss.as.domain.management.security.DomainCallbackHandler;
+import org.jboss.as.domain.management.security.SubjectSupplemental;
 
 /**
  * Interface to the security realm.
@@ -42,6 +43,11 @@ public interface SecurityRealm {
      */
     DomainCallbackHandler getCallbackHandler();
 
+    /**
+     * @return The associated SubjectSupplemental (if set) to supplement the contents of the Subject.
+     */
+    SubjectSupplemental getSubjectSupplemental();
+
     /**
      * Used to obtain the SSLContext as configured for this security realm.
      *
@@ -51,8 +57,8 @@ public interface SecurityRealm {
     SSLContext getSSLContext();
 
     /**
-     * Identify if a trust store has been configured for authentication, if defined
-     * it means CLIENT-CERT type authentication can occur.
+     * Identify if a trust store has been configured for authentication, if defined it means CLIENT-CERT type authentication can
+     * occur.
      *
      * @return true if a trust store has been configured for authentication.
      */

diff --git a/domain-management/src/main/java/org/jboss/as/domain/management/SubjectCallback.java b/domain-management/src/main/java/org/jboss/as/domain/management/SubjectCallback.java
@@ -0,0 +1,46 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.jboss.as.domain.management;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.Callback;
+
+/**
+ * A callback for a CallbackHandler to either user a supplied Subject or return the Subject used internally by the
+ * CallbackHandler.
+ *
+ * @author <a href="mailto:darran.lofthouse@jboss.com">Darran Lofthouse</a>
+ */
+public class SubjectCallback implements Callback {
+
+    private Subject subject;
+
+    public Subject getSubject() {
+        return subject;
+    }
+
+    public void setSubject(Subject subject) {
+        this.subject = subject;
+    }
+
+}