1 17 18 package org.apache.geronimo.security.deployment; 19 20 import java.util.Map ; 21 import java.util.HashMap ; 22 import java.util.Iterator ; 23 import java.util.Set ; 24 import java.util.HashSet ; 25 26 import javax.security.auth.Subject ; 27 import javax.security.auth.x500.X500Principal ; 28 import javax.xml.namespace.QName ; 29 30 import org.apache.xmlbeans.XmlObject; 31 import org.apache.xmlbeans.QNameSet; 32 import org.apache.xmlbeans.XmlException; 33 import org.apache.geronimo.deployment.DeploymentContext; 34 import org.apache.geronimo.deployment.xmlbeans.XmlBeansUtil; 35 import org.apache.geronimo.common.DeploymentException; 36 import org.apache.geronimo.security.deploy.Security; 37 import org.apache.geronimo.security.deploy.Role; 38 import org.apache.geronimo.security.deploy.RealmPrincipalInfo; 39 import org.apache.geronimo.security.deploy.LoginDomainPrincipalInfo; 40 import org.apache.geronimo.security.deploy.PrincipalInfo; 41 import org.apache.geronimo.security.deploy.DistinguishedName; 42 import org.apache.geronimo.security.deploy.DefaultPrincipal; 43 import org.apache.geronimo.security.util.ConfigurationUtil; 44 import org.apache.geronimo.security.jaas.NamedUsernamePasswordCredential; 45 import org.apache.geronimo.security.jacc.ApplicationPrincipalRoleConfigurationManager; 46 import org.apache.geronimo.security.jacc.ApplicationPolicyConfigurationManager; 47 import org.apache.geronimo.xbeans.geronimo.security.GerSecurityType; 48 import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType; 49 import org.apache.geronimo.xbeans.geronimo.security.GerRoleType; 50 import org.apache.geronimo.xbeans.geronimo.security.GerDistinguishedNameType; 51 import org.apache.geronimo.xbeans.geronimo.security.GerDefaultPrincipalType; 52 import org.apache.geronimo.xbeans.geronimo.security.GerNamedUsernamePasswordCredentialType; 53 import org.apache.geronimo.xbeans.geronimo.security.GerRealmPrincipalType; 54 import org.apache.geronimo.xbeans.geronimo.security.GerLoginDomainPrincipalType; 55 import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType; 56 import org.apache.geronimo.xbeans.geronimo.security.GerSecurityDocument; 57 import org.apache.geronimo.gbean.GBeanData; 58 import org.apache.geronimo.gbean.AbstractName; 59 import org.apache.geronimo.gbean.GBeanInfo; 60 import org.apache.geronimo.gbean.GBeanInfoBuilder; 61 import org.apache.geronimo.kernel.Naming; 62 import org.apache.geronimo.kernel.GBeanAlreadyExistsException; 63 import org.apache.geronimo.kernel.repository.Environment; 64 import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory; 65 import org.apache.geronimo.j2ee.deployment.SecurityBuilder; 66 import org.apache.geronimo.j2ee.deployment.EARContext; 67 68 71 public class GeronimoSecurityBuilderImpl implements SecurityBuilder { 72 private static final QName SECURITY_QNAME = GerSecurityDocument.type.getDocumentElementName(); 73 private static final QNameSet SECURITY_QNAME_SET = QNameSet.singleton(SECURITY_QNAME); 74 75 76 public void buildEnvironment(XmlObject container, Environment environment) throws DeploymentException { 77 } 78 79 public void build(XmlObject container, DeploymentContext applicationContext, DeploymentContext moduleContext) throws DeploymentException { 80 EARContext earContext = (EARContext) applicationContext; 81 XmlObject[] items = container.selectChildren(SECURITY_QNAME_SET); 82 if (items.length > 1) { 83 throw new DeploymentException("Unexpected count of security elements in geronimo plan " + items.length + " qnameset: " + SECURITY_QNAME_SET); 84 } 85 if (items.length == 1) { 86 GerSecurityType securityType; 87 try { 88 securityType = (GerSecurityType) XmlBeansUtil.typedCopy(items[0], GerSecurityType.type); 89 } catch (XmlException e) { 90 throw new DeploymentException("Could not validate security element", e); 91 } 92 Security security = buildSecurityConfig(securityType); 93 ClassLoader classLoader = applicationContext.getClassLoader(); 94 SecurityConfiguration securityConfiguration = buildSecurityConfiguration(security, classLoader); 95 earContext.setSecurityConfiguration(securityConfiguration); 96 } 97 if (earContext.getSecurityConfiguration() != null && applicationContext == moduleContext) { 99 Naming naming = earContext.getNaming(); 100 GBeanData roleMapperData = configureRoleMapper(naming, earContext.getModuleName(), earContext.getSecurityConfiguration()); 101 try { 102 earContext.addGBean(roleMapperData); 103 } catch (GBeanAlreadyExistsException e) { 104 throw new DeploymentException("Role mapper gbean already present", e); 105 } 106 GBeanData jaccBeanData = configureApplicationPolicyManager(naming, earContext.getModuleName(), earContext.getContextIDToPermissionsMap(), earContext.getSecurityConfiguration()); 107 jaccBeanData.setReferencePattern("PrincipalRoleMapper", roleMapperData.getAbstractName()); 108 try { 109 earContext.addGBean(jaccBeanData); 110 } catch (GBeanAlreadyExistsException e) { 111 throw new DeploymentException("JACC manager gbean already present", e); 112 } 113 earContext.setJaccManagerName(jaccBeanData.getAbstractName()); 114 } 115 } 116 117 private static SecurityConfiguration buildSecurityConfiguration(Security security, ClassLoader classLoader) { 118 Map roleDesignates = new HashMap (); 119 Map principalRoleMap = new HashMap (); 120 Map roleToPrincipalMap = new HashMap (); 121 GeronimoSecurityBuilderImpl.buildRolePrincipalMap(security, roleDesignates, roleToPrincipalMap, classLoader); 122 GeronimoSecurityBuilderImpl.invertMap(roleToPrincipalMap, principalRoleMap); 123 return new SecurityConfiguration(principalRoleMap, roleDesignates, security.getDefaultPrincipal(), security.getDefaultRole(), security.isDoAsCurrentCaller(), security.isUseContextHandler()); 124 } 125 126 private static Map invertMap(Map roleToPrincipalMap, Map principalRoleMapping) { 127 for (Iterator roles = roleToPrincipalMap.entrySet().iterator(); roles.hasNext();) { 128 Map.Entry entry = (Map.Entry ) roles.next(); 129 String role = (String ) entry.getKey(); 130 Set principals = (Set ) entry.getValue(); 131 for (Iterator iter = principals.iterator(); iter.hasNext();) { 132 java.security.Principal principal = (java.security.Principal ) iter.next(); 133 134 HashSet roleSet = (HashSet ) principalRoleMapping.get(principal); 135 if (roleSet == null) { 136 roleSet = new HashSet (); 137 principalRoleMapping.put(principal, roleSet); 138 } 139 roleSet.add(role); 140 } 141 } 142 return principalRoleMapping; 143 } 144 145 153 public static void buildRolePrincipalMap(Security security, Map roleDesignates, Map roleToPrincipalMap, ClassLoader classLoader) { 154 155 Iterator roleMappings = security.getRoleMappings().values().iterator(); 156 while (roleMappings.hasNext()) { 157 Role role = (Role) roleMappings.next(); 158 159 String roleName = role.getRoleName(); 160 Subject roleDesignate = new Subject (); 161 Set principalSet = new HashSet (); 162 163 Iterator realmPrincipals = role.getRealmPrincipals().iterator(); 164 while (realmPrincipals.hasNext()) { 165 RealmPrincipalInfo realmPrincipal = (RealmPrincipalInfo) realmPrincipals.next(); 166 java.security.Principal principal = ConfigurationUtil.generateRealmPrincipal(realmPrincipal.getRealm(), realmPrincipal.getDomain(), realmPrincipal, classLoader); 167 168 principalSet.add(principal); 169 if (realmPrincipal.isDesignatedRunAs()) roleDesignate.getPrincipals().add(principal); 170 } 171 172 Iterator domainPrincipals = role.getLoginDomainPrincipals().iterator(); 173 while (domainPrincipals.hasNext()) { 174 LoginDomainPrincipalInfo domainPrincipal = (LoginDomainPrincipalInfo) domainPrincipals.next(); 175 java.security.Principal principal = ConfigurationUtil.generateDomainPrincipal(domainPrincipal.getDomain(), domainPrincipal, classLoader); 176 177 principalSet.add(principal); 178 if (domainPrincipal.isDesignatedRunAs()) roleDesignate.getPrincipals().add(principal); 179 } 180 181 Iterator principals = role.getPrincipals().iterator(); 182 while (principals.hasNext()) { 183 PrincipalInfo plainPrincipalInfo = (PrincipalInfo) principals.next(); 184 java.security.Principal principal = ConfigurationUtil.generatePrincipal(plainPrincipalInfo, classLoader); 185 186 principalSet.add(principal); 187 if (plainPrincipalInfo.isDesignatedRunAs()) roleDesignate.getPrincipals().add(principal); 188 } 189 190 for (Iterator names = role.getDistinguishedNames().iterator(); names.hasNext();) { 191 DistinguishedName dn = (DistinguishedName) names.next(); 192 193 X500Principal x500Principal = ConfigurationUtil.generateX500Principal(dn.getName()); 194 195 principalSet.add(x500Principal); 196 if (dn.isDesignatedRunAs()) roleDesignate.getPrincipals().add(x500Principal); 197 } 198 199 Set roleMapping = (Set ) roleToPrincipalMap.get(roleName); 200 if (roleMapping == null) { 201 roleMapping = new HashSet (); 202 roleToPrincipalMap.put(roleName, roleMapping); 203 } 204 roleMapping.addAll(principalSet); 205 206 if (roleDesignate.getPrincipals().size() > 0) { 207 roleDesignates.put(roleName, roleDesignate); 208 } 209 } 210 } 211 212 private Security buildSecurityConfig(GerSecurityType securityType) { 213 Security security; 214 215 if (securityType == null) { 216 return null; 217 } 218 security = new Security(); 219 220 security.setDoAsCurrentCaller(securityType.getDoasCurrentCaller()); 221 security.setUseContextHandler(securityType.getUseContextHandler()); 222 if (securityType.isSetDefaultRole()) { 223 security.setDefaultRole(securityType.getDefaultRole().trim()); 224 } 225 226 if (securityType.isSetRoleMappings()) { 227 GerRoleMappingsType roleMappingsType = securityType.getRoleMappings(); 228 for (int i = 0; i < roleMappingsType.sizeOfRoleArray(); i++) { 229 GerRoleType roleType = roleMappingsType.getRoleArray(i); 230 Role role = new Role(); 231 232 String roleName = roleType.getRoleName().trim(); 233 role.setRoleName(roleName); 234 235 for (int j = 0; j < roleType.sizeOfRealmPrincipalArray(); j++) { 236 role.getRealmPrincipals().add(GeronimoSecurityBuilderImpl.buildRealmPrincipal(roleType.getRealmPrincipalArray(j))); 237 } 238 239 for (int j = 0; j < roleType.sizeOfLoginDomainPrincipalArray(); j++) { 240 role.getLoginDomainPrincipals().add(GeronimoSecurityBuilderImpl.buildDomainPrincipal(roleType.getLoginDomainPrincipalArray(j))); 241 } 242 243 for (int j = 0; j < roleType.sizeOfPrincipalArray(); j++) { 244 role.getPrincipals().add(buildPrincipal(roleType.getPrincipalArray(j))); 245 } 246 247 for (int j = 0; j < roleType.sizeOfDistinguishedNameArray(); j++) { 248 GerDistinguishedNameType dnType = roleType.getDistinguishedNameArray(j); 249 250 role.getDistinguishedNames().add(new DistinguishedName(dnType.getName().trim(), dnType.getDesignatedRunAs())); 251 } 252 253 security.getRoleMappings().put(roleName, role); 254 } 255 } 256 257 security.setDefaultPrincipal(buildDefaultPrincipal(securityType.getDefaultPrincipal())); 258 259 return security; 260 } 261 262 public DefaultPrincipal buildDefaultPrincipal(XmlObject xmlObject) { 264 GerDefaultPrincipalType defaultPrincipalType = (GerDefaultPrincipalType) xmlObject; 265 DefaultPrincipal defaultPrincipal = new DefaultPrincipal(); 266 267 if(defaultPrincipalType.isSetPrincipal()) { 268 defaultPrincipal.setPrincipal(buildPrincipal(defaultPrincipalType.getPrincipal())); 269 } else if(defaultPrincipalType.isSetLoginDomainPrincipal()) { 270 defaultPrincipal.setPrincipal(buildDomainPrincipal(defaultPrincipalType.getLoginDomainPrincipal())); 271 } else if(defaultPrincipalType.isSetRealmPrincipal()) { 272 defaultPrincipal.setPrincipal(buildRealmPrincipal(defaultPrincipalType.getRealmPrincipal())); 273 } else { 274 throw new IllegalStateException ("default-principal does not contain a principal, login-domain-principal, or realm-principal"); 275 } 276 GerNamedUsernamePasswordCredentialType[] namedCredentials = defaultPrincipalType.getNamedUsernamePasswordCredentialArray(); 277 if (namedCredentials.length > 0) { 278 Set defaultCredentialSet = new HashSet (); 279 for (int i = 0; i < namedCredentials.length; i++) { 280 GerNamedUsernamePasswordCredentialType namedCredentialType = namedCredentials[i]; 281 NamedUsernamePasswordCredential namedCredential = new NamedUsernamePasswordCredential(namedCredentialType.getUsername().trim(), namedCredentialType.getPassword().trim().toCharArray(), namedCredentialType.getName().trim()); 282 defaultCredentialSet.add(namedCredential); 283 } 284 defaultPrincipal.setNamedUserPasswordCredentials(defaultCredentialSet); 285 } 286 return defaultPrincipal; 287 } 288 289 private static RealmPrincipalInfo buildRealmPrincipal(GerRealmPrincipalType realmPrincipalType) { 290 return new RealmPrincipalInfo(realmPrincipalType.getRealmName().trim(), realmPrincipalType.getDomainName().trim(), realmPrincipalType.getClass1().trim(), realmPrincipalType.getName().trim(), realmPrincipalType.isSetDesignatedRunAs()); 291 } 292 293 private static LoginDomainPrincipalInfo buildDomainPrincipal(GerLoginDomainPrincipalType domainPrincipalType) { 294 return new LoginDomainPrincipalInfo(domainPrincipalType.getDomainName().trim(), domainPrincipalType.getClass1().trim(), domainPrincipalType.getName().trim(), domainPrincipalType.isSetDesignatedRunAs()); 295 } 296 297 public PrincipalInfo buildPrincipal(XmlObject xmlObject) { 299 GerPrincipalType principalType = (GerPrincipalType) xmlObject; 300 return new PrincipalInfo(principalType.getClass1().trim(), principalType.getName().trim(), principalType.isSetDesignatedRunAs()); 301 } 302 303 public GBeanData configureRoleMapper(Naming naming, AbstractName moduleName, Object securityConfiguration) { 304 AbstractName roleMapperName = naming.createChildName(moduleName, "RoleMapper", "RoleMapper"); 305 GBeanData roleMapperData = new GBeanData(roleMapperName, ApplicationPrincipalRoleConfigurationManager.GBEAN_INFO); 306 roleMapperData.setAttribute("principalRoleMap", ((SecurityConfiguration) securityConfiguration).getPrincipalRoleMap()); 307 return roleMapperData; 308 } 309 310 public GBeanData configureApplicationPolicyManager(Naming naming, AbstractName moduleName, Map contextIDToPermissionsMap, Object securityConfiguration) { 311 AbstractName jaccBeanName = naming.createChildName(moduleName, NameFactory.JACC_MANAGER, NameFactory.JACC_MANAGER); 312 GBeanData jaccBeanData = new GBeanData(jaccBeanName, ApplicationPolicyConfigurationManager.GBEAN_INFO); 313 jaccBeanData.setAttribute("contextIdToPermissionsMap", contextIDToPermissionsMap); 314 jaccBeanData.setAttribute("roleDesignates", ((SecurityConfiguration) securityConfiguration).getRoleDesignates()); 315 return jaccBeanData; 316 317 } 318 319 public QNameSet getSpecQNameSet() { 320 return QNameSet.EMPTY; 321 } 322 323 public QNameSet getPlanQNameSet() { 324 return SECURITY_QNAME_SET; 325 } 326 327 public static final GBeanInfo GBEAN_INFO; 328 329 static { 330 GBeanInfoBuilder infoFactory = GBeanInfoBuilder.createStatic(GeronimoSecurityBuilderImpl.class, NameFactory.MODULE_BUILDER); 331 332 infoFactory.addInterface(SecurityBuilder.class); 333 334 335 GBEAN_INFO = infoFactory.getBeanInfo(); 336 } 337 338 public static GBeanInfo getGBeanInfo() { 339 return GBEAN_INFO; 340 } 341 342 } 343 | Popular Tags |