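package org.jboss.web.tomcat.security;

import java.io.IOException;
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;

import javax.management.JMException;
import javax.management.MBeanServer;
import javax.management.ObjectName;
import javax.security.auth.Subject;
import javax.security.auth.message.AuthParam;
import javax.security.auth.message.AuthStatus;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Context;
import org.apache.catalina.authenticator.Constants;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.deploy.SecurityConstraint;
import org.apache.catalina.realm.RealmBase;
import org.jboss.logging.Logger;
import org.jboss.mx.util.MBeanServerLocator;
import org.jboss.security.AuthorizationManager;
import org.jboss.security.GeneralizedAuthenticationManager;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.message.HttpServletAuthParam;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.web.tomcat.security.authorization.WebResource;

/**
 * Tomcat realm that hands authentication to the JASPI security manager and
 * authorization to the JBoss {@link AuthorizationManager}.
 * <p>
 * Both managers are located through JMX: the MBean named by
 * {@link #authenticationManagerService} resolves the security domain for the
 * current JACC context id and returns the domain's
 * {@link GeneralizedAuthenticationManager}; the MBean named by
 * {@link #authorizationManagerService} returns the domain's
 * {@link AuthorizationManager}. The default names can be overridden through
 * the two setters; a malformed name is logged and the previous value kept.
 */
public class JBossExtendedSecurityMgrRealm extends JBossSecurityMgrRealm
   implements ExtendedRealm
{
   private static final Logger logger = Logger.getLogger(JBossExtendedSecurityMgrRealm.class);

   /** Default name of the MBean that resolves authentication managers. */
   private static final String DEFAULT_AUTHENTICATION_MANAGER_SERVICE =
      "jboss.security:service=JASPISecurityManager";

   /** Default name of the MBean that resolves authorization managers. */
   private static final String DEFAULT_AUTHORIZATION_MANAGER_SERVICE =
      "jboss.security:service=AuthorizationManager";

   /** MBean queried via getSecurityDomain(contextID) / getSecurityManager(domain). */
   protected ObjectName authenticationManagerService = null;

   /** MBean queried via getAuthorizationManager(domain). */
   protected ObjectName authorizationManagerService = null;

   /**
    * Creates the realm with the default MBean names. The defaults are
    * well-formed, so the parse failure branch only exists to satisfy the
    * checked {@link JMException}.
    */
   public JBossExtendedSecurityMgrRealm()
   {
      this.authenticationManagerService = parseObjectName(
            DEFAULT_AUTHENTICATION_MANAGER_SERVICE, "Error in instantiating object names:");
      this.authorizationManagerService = parseObjectName(
            DEFAULT_AUTHORIZATION_MANAGER_SERVICE, "Error in instantiating object names:");
   }

   /**
    * Overrides the MBean used to look up authentication managers.
    *
    * @param oname JMX object name; a malformed name is logged and ignored
    */
   public void setAuthenticationManagerService(String oname)
   {
      ObjectName parsed = parseObjectName(oname, "Error in setAuthenticationManagerService:");
      if (parsed != null)
         this.authenticationManagerService = parsed;
   }

   /**
    * Overrides the MBean used to look up authorization managers.
    *
    * @param oname JMX object name; a malformed name is logged and ignored
    */
   public void setAuthorizationManagerService(String oname)
   {
      ObjectName parsed = parseObjectName(oname, "Error in setAuthorizationManagerService:");
      if (parsed != null)
         this.authorizationManagerService = parsed;
   }

   /**
    * Parses {@code oname} into an {@link ObjectName}.
    *
    * @param oname        the name to parse
    * @param errorContext message prefix logged when the name is malformed
    * @return the parsed name, or {@code null} so the caller keeps its current value
    */
   private static ObjectName parseObjectName(String oname, String errorContext)
   {
      try
      {
         return new ObjectName(oname);
      }
      catch (JMException jme)
      {
         logger.error(errorContext, jme);
         return null;
      }
   }

   /**
    * Authenticates the request through the JASPI authentication manager of
    * the web application's security domain.
    * <p>
    * The manager's {@code validateRequest} is called until it reports
    * {@link AuthStatus#PROCEED}; a {@link AuthStatus#FAIL} (or a missing
    * status) aborts with a {@link SecurityException}.
    *
    * @param request  the current request
    * @param response the current response
    * @param config   login configuration, used to populate the shared state
    * @return currently always {@code null}; the principal extracted from the
    *         client subject is computed but not returned (see the note in the body)
    * @throws SecurityException if the authentication manager rejects the request
    * @throws Exception         if the authentication manager cannot be located
    */
   public Principal authenticate(Request request, Response response,
         LoginConfig config) throws Exception
   {
      logger.debug("ExtendedSecurityMgrRealm:authenticate");
      AuthParam authParam = new HttpServletAuthParam(request, response);
      GeneralizedAuthenticationManager gam = getAuthenticationManager();
      Subject clientSubject = new Subject();
      Subject serviceSubject = new Subject();
      // Carries the FORM credentials in clear text: never log this map.
      Map sharedState = getSharedState(request, config);

      AuthStatus status = AuthStatus.FAIL;
      // NOTE(review): any status other than PROCEED or FAIL re-invokes the
      // module with no attempt bound — confirm that is intended for this
      // AuthStatus implementation.
      while (!status.equals(AuthStatus.PROCEED))
      {
         status = gam.validateRequest(authParam, clientSubject, serviceSubject, sharedState);
         // A module that returns no status is treated as a failure (fail closed).
         if (status == null || status.equals(AuthStatus.FAIL))
            throw new SecurityException("Authentication failed");
      }

      Principal authenticatedPrincipal = this.getAuthenticatedPrincipal(clientSubject);
      // NOTE(review): the extracted principal is discarded and null is
      // returned, so callers receive no identity from this realm — confirm
      // whether a caching principal built by getCachingPrincipal should be
      // returned here instead.
      return null;
   }

   /**
    * Authorizes the request through the {@link AuthorizationManager} of the
    * security domain. The superclass decision is computed and logged first,
    * but the manager's verdict replaces it; failing to obtain or consult the
    * manager denies access. A denied request has its status set to 403.
    *
    * @param request     the current request
    * @param response    the current response
    * @param constraints the security constraints matching the request
    * @param context     the web application context
    * @return {@code true} only if the manager returned {@link AuthorizationContext#PERMIT}
    * @throws IOException propagated from the superclass check
    */
   public boolean hasResourcePermission(Request request, Response response,
         SecurityConstraint[] constraints, Context context) throws IOException
   {
      boolean isAuthorized = super.hasResourcePermission(request, response,
            constraints, context);
      logger.debug("Super class has authorized=" + isAuthorized);

      AuthorizationManager authzManager = null;
      try
      {
         authzManager = this.getAuthorizationManager();
      }
      catch (Exception e)
      {
         logger.error("Error obtaining Authorization Manager:", e);
      }

      if (authzManager == null)
      {
         // Fail closed: without a manager nothing can be permitted.
         isAuthorized = false;
      }
      else
      {
         final HashMap map = new HashMap();
         map.put("catalina.request", request);
         map.put("catalina.constraints", constraints);
         map.put("catalina.context", context);
         map.put("authorizationManager", authzManager);
         WebResource resource = new WebResource(map);
         try
         {
            int check = authzManager.authorize(resource);
            isAuthorized = (check == AuthorizationContext.PERMIT);
         }
         catch (Exception e)
         {
            // Any error during authorization is a denial, never a pass-through.
            isAuthorized = false;
            logger.error("Error in authorization:", e);
         }
      }

      logger.debug("Final Authorization Result=" + isAuthorized);
      if (!isAuthorized)
      {
         ((HttpServletResponse) response).setStatus(HttpServletResponse.SC_FORBIDDEN);
      }
      return isAuthorized;
   }

   /**
    * Builds the shared state handed to the authentication module. For FORM
    * login the submitted user name (wrapped through {@code getPrincipal(String)})
    * and password are stored under the standard
    * {@code javax.security.auth.login.*} keys; other auth methods get an
    * empty map.
    *
    * @param request the current request
    * @param config  login configuration whose auth method selects the behaviour
    * @return a mutable map, never {@code null}
    */
   private Map getSharedState(Request request, LoginConfig config)
   {
      Map map = new HashMap();
      // Constant-first comparison: a missing auth-method must not throw here.
      if (Constants.FORM_METHOD.equals(config.getAuthMethod()))
      {
         map.put("javax.security.auth.login.name",
               getPrincipal(request.getParameter(Constants.FORM_USERNAME)));
         // Clear-text credential; keep this map out of debug output.
         map.put("javax.security.auth.login.password",
               request.getParameter(Constants.FORM_PASSWORD));
      }
      return map;
   }

   /**
    * Creates the principal cached by Tomcat for an authenticated caller,
    * carrying the role names resolved by the authorization manager.
    *
    * @param authzManager    manager queried for the user's roles
    * @param authPrincipal   the authenticated identity, also used for the role lookup
    * @param callerPrincipal the caller principal to expose
    * @param credential      the credential to retain
    * @param subject         the authenticated subject
    * @return a {@link JBossGenericPrincipal} holding the role names (empty if
    *         the manager reports no roles)
    */
   protected Principal getCachingPrincipal(AuthorizationManager authzManager,
         Principal authPrincipal, Principal callerPrincipal, Object credential,
         Subject subject)
   {
      Set userRoles = authzManager.getUserRoles(authPrincipal);
      ArrayList roleNames = new ArrayList();
      if (userRoles != null)
      {
         for (Iterator it = userRoles.iterator(); it.hasNext();)
         {
            roleNames.add(((Principal) it.next()).getName());
         }
      }
      return new JBossGenericPrincipal(this, subject, authPrincipal,
            callerPrincipal, credential, roleNames, userRoles);
   }

   /**
    * Returns the first {@link SimplePrincipal} in the subject that is not a
    * {@link Group}, or {@code null} if the subject holds only groups or no
    * simple principals at all. Groups are never reported as the identity.
    *
    * @param subject the authenticated subject
    * @throws IllegalArgumentException if subject is {@code null}
    */
   private Principal getAuthenticatedPrincipal(Subject subject)
   {
      if (subject == null)
         throw new IllegalArgumentException("subject is null");
      Iterator iter = subject.getPrincipals(SimplePrincipal.class).iterator();
      while (iter.hasNext())
      {
         Principal candidate = (Principal) iter.next();
         if (!(candidate instanceof Group))
            return candidate;
      }
      return null;
   }

   /**
    * Looks up the authentication manager for the current JACC context id:
    * the authentication MBean maps the context id to a security domain and
    * then returns that domain's manager.
    *
    * @throws Exception if the MBean server or either JMX invocation fails
    */
   private GeneralizedAuthenticationManager getAuthenticationManager()
         throws Exception
   {
      String contextID = PolicyContext.getContextID();
      MBeanServer server = MBeanServerLocator.locateJBoss();
      String[] stringSignature = new String[] {"java.lang.String"};
      String securityDomain = (String) server.invoke(this.authenticationManagerService,
            "getSecurityDomain", new String[] {contextID}, stringSignature);
      return (GeneralizedAuthenticationManager) server.invoke(this.authenticationManagerService,
            "getSecurityManager", new String[] {securityDomain}, stringSignature);
   }

   /**
    * Looks up the authorization manager for the security domain of the
    * current authentication manager.
    *
    * @throws Exception if the authentication manager or the JMX invocation fails
    */
   private AuthorizationManager getAuthorizationManager() throws Exception
   {
      MBeanServer server = MBeanServerLocator.locateJBoss();
      String securityDomain = this.getAuthenticationManager().getSecurityDomain();
      return (AuthorizationManager) server.invoke(this.authorizationManagerService,
            "getAuthorizationManager",
            new String[] {securityDomain}, new String[] {"java.lang.String"});
   }
}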