authorlresende <lresende@13f79535-47bb-0310-9956-ffa450edef68>2009-05-21 23:54:31 +0000
committerlresende <lresende@13f79535-47bb-0310-9956-ffa450edef68>2009-05-21 23:54:31 +0000
commit8624934bb83a3bcecaf215e6ce33c81763755076 (patch)
tree481e8ea7ed36137feb414896921d036b11cb8225
parent1434b39e33ca237516c758197ffb33b90b84517f (diff)
Enhancement to allow verification of user credentials and roles in a Geronimo Java EE environment. Some code is commented out as I still need to find a more generic (not so Geronimo-specific) way to perform some of these actions
git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@777325 13f79535-47bb-0310-9956-ffa450edef68
-rw-r--r--branches/sca-java-1.x/modules/policy-security-http/pom.xml11
-rw-r--r--branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationImplementationPolicyProvider.java40
-rw-r--r--branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationInterceptor.java71
-rw-r--r--branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationServicePolicyProvider.java60
4 files changed, 164 insertions, 18 deletions
diff --git a/branches/sca-java-1.x/modules/policy-security-http/pom.xml b/branches/sca-java-1.x/modules/policy-security-http/pom.xml
index 36ff3748e6..e33a6bdf69 100644
--- a/branches/sca-java-1.x/modules/policy-security-http/pom.xml
+++ b/branches/sca-java-1.x/modules/policy-security-http/pom.xml
@@ -52,14 +52,21 @@
<artifactId>tuscany-assembly-xml</artifactId>
<version>1.6-SNAPSHOT</version>
</dependency>
-
+
+ <dependency>
+ <groupId>org.apache.geronimo.modules</groupId>
+ <artifactId>geronimo-security</artifactId>
+ <version>2.0.1</version>
+ <scope>provided</scope>
+ </dependency>
+
<dependency>
<groupId>org.apache.tuscany.sca</groupId>
<artifactId>tuscany-contribution-impl</artifactId>
<version>1.6-SNAPSHOT</version>
<scope>test</scope>
</dependency>
-
+
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
diff --git a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationImplementationPolicyProvider.java b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationImplementationPolicyProvider.java
index 9b0ab3c8a1..bb1950f7f8 100644
--- a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationImplementationPolicyProvider.java
+++ b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationImplementationPolicyProvider.java
@@ -29,8 +29,7 @@ import org.apache.tuscany.sca.interfacedef.Operation;
import org.apache.tuscany.sca.invocation.Interceptor;
import org.apache.tuscany.sca.invocation.Phase;
import org.apache.tuscany.sca.policy.PolicySet;
-import org.apache.tuscany.sca.policy.security.jaas.JaasAuthenticationInterceptor;
-import org.apache.tuscany.sca.policy.security.jaas.JaasAuthenticationPolicy;
+import org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy;
import org.apache.tuscany.sca.provider.PolicyProvider;
import org.apache.tuscany.sca.runtime.RuntimeComponent;
@@ -50,11 +49,11 @@ public class LDAPRealmAuthenticationImplementationPolicyProvider implements Poli
}
public Interceptor createInterceptor(Operation operation) {
- List<LDAPRealmAuthenticationPolicy> policies = findPolicies(operation);
+ List<LDAPRealmAuthenticationPolicy> policies = findAuthenticationPolicies(operation);
if (policies == null || policies.isEmpty()) {
return null;
} else {
- return new LDAPRealmAuthenticationInterceptor(findPolicies(operation));
+ return new LDAPRealmAuthenticationInterceptor(findAuthenticationPolicies(operation), findAuthorizationPolicies(operation));
}
}
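Review bot: The new side calls `findAuthenticationPolicies(operation)` twice — once for the emptiness check and again inside the constructor call — although the local `policies` already holds the result; use `return new LDAPRealmAuthenticationInterceptor(policies, findAuthorizationPolicies(operation));`. Note also that an operation carrying an AuthorizationPolicy but no LDAPRealmAuthenticationPolicy makes this method return null, so that authorization policy is not enforced by this provider; if no other provider picks it up that is a silent fail-open, and either way the `return null` deserves a comment stating the assumption.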
@@ -67,16 +66,15 @@ public class LDAPRealmAuthenticationImplementationPolicyProvider implements Poli
* @param op
* @return
*/
- private List<LDAPRealmAuthenticationPolicy> findPolicies(Operation op) {
+ private List<LDAPRealmAuthenticationPolicy> findAuthenticationPolicies(Operation op) {
List<LDAPRealmAuthenticationPolicy> polices = new ArrayList<LDAPRealmAuthenticationPolicy>();
- // FIXME: How do we get a list of effective policySets for a given operation?
if (implementation instanceof OperationsConfigurator) {
OperationsConfigurator operationsConfigurator = (OperationsConfigurator)implementation;
for (ConfiguredOperation cop : operationsConfigurator.getConfiguredOperations()) {
if (cop.getName().equals(op.getName())) {
for (PolicySet ps : cop.getPolicySets()) {
for (Object p : ps.getPolicies()) {
- if (JaasAuthenticationPolicy.class.isInstance(p)) {
+ if (LDAPRealmAuthenticationPolicy.class.isInstance(p)) {
polices.add((LDAPRealmAuthenticationPolicy)p);
}
}
@@ -95,4 +93,32 @@ public class LDAPRealmAuthenticationImplementationPolicyProvider implements Poli
}
return polices;
}
+
+ private List<AuthorizationPolicy> findAuthorizationPolicies(Operation op) {
+ List<AuthorizationPolicy> polices = new ArrayList<AuthorizationPolicy>();
+ if (implementation instanceof OperationsConfigurator) {
+ OperationsConfigurator operationsConfigurator = (OperationsConfigurator)implementation;
+ for (ConfiguredOperation cop : operationsConfigurator.getConfiguredOperations()) {
+ if (cop.getName().equals(op.getName())) {
+ for (PolicySet ps : cop.getPolicySets()) {
+ for (Object p : ps.getPolicies()) {
+ if (AuthorizationPolicy.class.isInstance(p)) {
+ polices.add((AuthorizationPolicy)p);
+ }
+ }
+ }
+ }
+ }
+ }
+
+ List<PolicySet> policySets = component.getPolicySets();
+ for (PolicySet ps : policySets) {
+ for (Object p : ps.getPolicies()) {
+ if (AuthorizationPolicy.class.isInstance(p)) {
+ polices.add((AuthorizationPolicy)p);
+ }
+ }
+ }
+ return polices;
+ }
}
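Review bot: `findAuthorizationPolicies` has no Javadoc, unlike `findAuthenticationPolicies` directly above it, and it walks `cop.getPolicySets()` where the parallel method added to `LDAPRealmAuthenticationServicePolicyProvider` in this same commit walks `cop.getApplicablePolicySets()`; whichever is intended, the two should agree or the difference should be explained in the comment. Suggested header: `/** Collects every AuthorizationPolicy attached to the operation's configured policy sets and to the component's own policy sets, matched by operation name. */`.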
diff --git a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationInterceptor.java b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationInterceptor.java
index 787d41f584..0de09c6129 100644
--- a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationInterceptor.java
+++ b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationInterceptor.java
@@ -19,15 +19,20 @@
package org.apache.tuscany.sca.policy.security.http;
+import java.security.AccessControlContext;
import java.util.List;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginContext;
+import javax.security.jacc.WebRoleRefPermission;
+import javax.servlet.http.HttpServletRequest;
+import org.apache.geronimo.security.ContextManager;
import org.apache.tuscany.sca.invocation.Interceptor;
import org.apache.tuscany.sca.invocation.Invoker;
import org.apache.tuscany.sca.invocation.Message;
+import org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy;
import org.apache.tuscany.sca.policy.security.http.util.HttpSecurityUtil;
import org.osoa.sca.ServiceRuntimeException;
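Review bot: Four of the added imports — `AccessControlContext`, `WebRoleRefPermission`, `HttpServletRequest` and `ContextManager` — are referenced only from commented-out code in this file, so they make the interceptor depend on Geronimo and JACC at compile time while the commit message says that integration is not yet wired. Dropping them until the code that uses them is enabled (the commented blocks can carry fully-qualified names) avoids coupling the module to the container before the integration exists; `HttpServletRequest` in particular has no use even in the commented code.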
@@ -36,11 +41,14 @@ import org.osoa.sca.ServiceRuntimeException;
*/
public class LDAPRealmAuthenticationInterceptor implements Interceptor {
private List<LDAPRealmAuthenticationPolicy> authenticationPolicies;
+ private List<AuthorizationPolicy> authorizationPolicies;
private Invoker next;
- public LDAPRealmAuthenticationInterceptor(List<LDAPRealmAuthenticationPolicy> authenticationPolicies) {
+ public LDAPRealmAuthenticationInterceptor(List<LDAPRealmAuthenticationPolicy> authenticationPolicies,
+ List<AuthorizationPolicy> authorizationPolicies) {
super();
this.authenticationPolicies = authenticationPolicies;
+ this.authorizationPolicies = authorizationPolicies;
}
public Invoker getNext() {
@@ -52,17 +60,72 @@ public class LDAPRealmAuthenticationInterceptor implements Interceptor {
}
public Message invoke(Message msg) {
+ Subject subject = null;
+ Subject authenticatedSubject = null;
+
try {
- for (LDAPRealmAuthenticationPolicy policy : authenticationPolicies) {
- Subject subject = HttpSecurityUtil.getSubject(msg);
+ // Perform user authentication
+ LDAPRealmAuthenticationPolicy authenticationPolicy = authenticationPolicies.get(0);
+ if( authenticationPolicy != null) {
+ subject = HttpSecurityUtil.getSubject(msg);
CallbackHandler callbackHandler = new LDAPRealmAuthenticationCallbackHandler(subject);
- LoginContext lc = new LoginContext(policy.getRealmConfigurationName(), callbackHandler);
+
+ /* This bypass Java EE */
+ LoginContext lc = new LoginContext(authenticationPolicy.getRealmConfigurationName(), callbackHandler);
lc.login();
+
+
+ /* Uses Geronimo to login */
+ /*
+ LoginContext geronimoLoginContext = ContextManager.login(authenticationPolicy.getRealmConfigurationName(), callbackHandler);
+
+ authenticatedSubject = geronimoLoginContext.getSubject();
+ if (authenticatedSubject != null) {
+ //TODO: add authenticated subject to the msg header ?
+ }
+ */
}
+
+ AuthorizationPolicy authorizationPolicy = authorizationPolicies.get(0);
+ if(authorizationPolicy != null) {
+ if(authorizationPolicy.getAccessControl() == AuthorizationPolicy.AcessControl.allow) {
+ /* Geronimo Specific code */
+ /*
+ boolean isAllowed = false;
+ for (String requiredRole : authorizationPolicy.getRoleNames()) {
+ isAllowed = isUserInRole(authenticatedSubject, requiredRole);
+ }
+
+ if(! isAllowed ) {
+ throw new javax.security.auth.login.LoginException("Insufficient access rights !");
+ }
+ */
+ }
+
+ }
+
} catch (Exception e) {
throw new ServiceRuntimeException(e);
}
return getNext().invoke(msg);
}
+
+ public boolean isUserInRole(Subject subject, String role) {
+ /* Geronimo Specific code */
+ /*
+ AccessControlContext acc = ContextManager.getCurrentContext();
+
+ try {
+ acc.checkPermission(new WebRoleRefPermission("", role));
+ } catch (Exception e) {
+ return false;
+ }
+
+ return true;
+ */
+
+ return false;
+ }
+
}
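Review bot: `authorizationPolicies.get(0)` on the new side throws IndexOutOfBoundsException whenever the operation has an authentication policy but no AuthorizationPolicy, since both providers in this commit pass a possibly-empty list; the `!= null` test never catches that, and the surrounding `catch (Exception e)` turns it into a ServiceRuntimeException on every such call. Guard the block with `if (authorizationPolicies != null && !authorizationPolicies.isEmpty()) {` and drop the null test on the element. With the Geronimo role check commented out, an `allow` policy currently admits every authenticated caller regardless of role and any access-control value other than `allow` is not handled at all; until `isUserInRole` is implemented this branch should fail closed (throw) or at least log loudly that roles are not being enforced. `authenticatedSubject` is also never assigned on the active path — `lc.getSubject()` is not read after `lc.login()` — so it would still be null once the role loop is re-enabled, and that loop as written keeps only the last role's result (`isAllowed = ...` instead of `|=` or a break on the first match). The same `get(0)` on `authenticationPolicies` is safe only because both providers build the interceptor solely when that list is non-empty; that invariant should be stated in a comment on the constructor or enforced with an `isEmpty()` check.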
diff --git a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationServicePolicyProvider.java b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationServicePolicyProvider.java
index dfe72bee36..fe14987948 100644
--- a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationServicePolicyProvider.java
+++ b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationServicePolicyProvider.java
@@ -29,6 +29,7 @@ import org.apache.tuscany.sca.interfacedef.Operation;
import org.apache.tuscany.sca.invocation.Interceptor;
import org.apache.tuscany.sca.invocation.Phase;
import org.apache.tuscany.sca.policy.PolicySet;
+import org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy;
import org.apache.tuscany.sca.provider.PolicyProvider;
import org.apache.tuscany.sca.runtime.RuntimeComponent;
import org.apache.tuscany.sca.runtime.RuntimeComponentService;
@@ -59,16 +60,18 @@ public class LDAPRealmAuthenticationServicePolicyProvider implements PolicyProvi
}
public Interceptor createInterceptor(Operation operation) {
- List<LDAPRealmAuthenticationPolicy> policies = null;
+ List<LDAPRealmAuthenticationPolicy> authenticationPolicies = null;
+ List<AuthorizationPolicy> authorizationPolicies = null;
if (operation != null) {
- policies = findPolicies(operation);
+ authenticationPolicies = findAuthenticationPolicies(operation);
+ authorizationPolicies = findAuthorizationPolicies(operation);
}
- if (policies == null || policies.isEmpty()) {
+ if (authenticationPolicies == null || authenticationPolicies.isEmpty()) {
return null;
} else {
- return new LDAPRealmAuthenticationInterceptor(policies);
+ return new LDAPRealmAuthenticationInterceptor(authenticationPolicies, authorizationPolicies);
}
}
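Review bot: `authorizationPolicies` is passed to the interceptor as whatever `findAuthorizationPolicies` returned, which is an empty list when the operation carries no AuthorizationPolicy, and the interceptor added in this commit indexes it with `get(0)`; either this method should normalise an empty result (e.g. `if (authorizationPolicies != null && authorizationPolicies.isEmpty()) authorizationPolicies = null;`) or the interceptor should test emptiness rather than nullness. Independently, an operation with an AuthorizationPolicy but no LDAPRealmAuthenticationPolicy yields no interceptor here, so that authorization policy is not enforced by this provider — presumably another provider covers it, but a comment on the `return null` saying so would help the next reader.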
@@ -82,7 +85,7 @@ public class LDAPRealmAuthenticationServicePolicyProvider implements PolicyProvi
* @param op
* @return
*/
- private List<LDAPRealmAuthenticationPolicy> findPolicies(Operation op) {
+ private List<LDAPRealmAuthenticationPolicy> findAuthenticationPolicies(Operation op) {
List<LDAPRealmAuthenticationPolicy> polices = new ArrayList<LDAPRealmAuthenticationPolicy>();
// FIXME: How do we get a list of effective policySets for a given operation?
for(Operation operation : operations) {
@@ -123,5 +126,52 @@ public class LDAPRealmAuthenticationServicePolicyProvider implements PolicyProvi
return polices;
}
+
+ /**
+ *
+ * @param op
+ * @return
+ */
+ private List<AuthorizationPolicy> findAuthorizationPolicies(Operation op) {
+ List<AuthorizationPolicy> polices = new ArrayList<AuthorizationPolicy>();
+ // FIXME: How do we get a list of effective policySets for a given operation?
+ for(Operation operation : operations) {
+ if (operation.getName().equals(op.getName())) {
+ for (PolicySet ps : operation.getPolicySets()) {
+ for (Object p : ps.getPolicies()) {
+ if (AuthorizationPolicy.class.isInstance(p)) {
+ polices.add((AuthorizationPolicy)p);
+ }
+ }
+ }
+ }
+ }
+
+ if (service instanceof OperationsConfigurator) {
+ OperationsConfigurator operationsConfigurator = (OperationsConfigurator)service;
+ for (ConfiguredOperation cop : operationsConfigurator.getConfiguredOperations()) {
+ if (cop.getName().equals(op.getName())) {
+ for (PolicySet ps : cop.getApplicablePolicySets()) {
+ for (Object p : ps.getPolicies()) {
+ if (AuthorizationPolicy.class.isInstance(p)) {
+ polices.add((AuthorizationPolicy)p);
+ }
+ }
+ }
+ }
+ }
+ }
+
+ List<PolicySet> policySets = service.getPolicySets();
+ for (PolicySet ps : policySets) {
+ for (Object p : ps.getPolicies()) {
+ if (AuthorizationPolicy.class.isInstance(p)) {
+ polices.add((AuthorizationPolicy)p);
+ }
+ }
+ }
+
+ return polices;
+ }
}
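Review bot: The new `findAuthorizationPolicies` consults `cop.getApplicablePolicySets()` while the parallel method added to `LDAPRealmAuthenticationImplementationPolicyProvider` in this commit consults `cop.getPolicySets()`; the two should resolve policy sets the same way, or the difference should be documented, since a mismatch means a role requirement enforced on one side and not the other. The Javadoc block is empty — suggested: `/** Collects every AuthorizationPolicy attached to the operation, to its configured operation and to the service itself; the interceptor treats the first element as authoritative. */`. The FIXME about effective policy sets was removed from the implementation provider in this commit but kept here; it should be resolved or retained consistently in both.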