diff options
Diffstat (limited to 'sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo')
3 files changed, 231 insertions, 0 deletions
diff --git a/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/pom.xml b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/pom.xml new file mode 100644 index 0000000000..4cd7b03ac9 --- /dev/null +++ b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/pom.xml @@ -0,0 +1,70 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. +--> +<project> + <modelVersion>4.0.0</modelVersion> + <parent> + <groupId>org.apache.tuscany.sca</groupId> + <artifactId>tuscany-modules</artifactId> + <version>1.6-SNAPSHOT</version> + <relativePath>../pom.xml</relativePath> + </parent> + <artifactId>tuscany-policy-security-geronimo</artifactId> + <name>Apache Tuscany SCA Geronimo Policy Security</name> + + <dependencies> + <dependency> + <groupId>org.apache.tuscany.sca</groupId> + <artifactId>tuscany-policy-security-http</artifactId> + <version>1.6-SNAPSHOT</version> + </dependency> + + <dependency> + <groupId>org.apache.geronimo.modules</groupId> + <artifactId>geronimo-security</artifactId> + <version>2.0.1</version> + <scope>provided</scope> + </dependency> + + <dependency> + <groupId>javax.servlet</groupId> + <artifactId>servlet-api</artifactId> + <version>2.4</version> <!-- to keep compatible with older servlet containers --> + <scope>provided</scope> + </dependency> + </dependencies> + + <build> + <plugins> + <plugin> + <groupId>org.apache.felix</groupId> + <artifactId>maven-bundle-plugin</artifactId> + + <configuration> + <instructions> + <Bundle-Version>${tuscany.version}</Bundle-Version> + <Bundle-SymbolicName>org.apache.tuscany.sca.policy.security.geronimo</Bundle-SymbolicName> + <Bundle-Description>${pom.name}</Bundle-Description> + <Export-Package>org.apache.tuscany.sca.policy.security.geronimo*</Export-Package> + </instructions> + </configuration> + </plugin> + </plugins> + </build> +</project> diff --git a/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/java/org/apache/tuscany/sca/policy/security/geronimo/GeronimoLDAPSecurityHandler.java b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/java/org/apache/tuscany/sca/policy/security/geronimo/GeronimoLDAPSecurityHandler.java new file mode 100644 index 0000000000..89faccd699 --- /dev/null +++ b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/java/org/apache/tuscany/sca/policy/security/geronimo/GeronimoLDAPSecurityHandler.java @@ -0,0 +1,143 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.tuscany.sca.policy.security.geronimo; + +import java.security.AccessControlContext; +import java.util.List; + +import javax.security.auth.Subject; +import javax.security.auth.callback.CallbackHandler; +import javax.security.auth.login.FailedLoginException; +import javax.security.auth.login.LoginContext; +import javax.security.auth.login.LoginException; +import javax.security.jacc.WebRoleRefPermission; + +import org.apache.geronimo.security.ContextManager; +import org.apache.tuscany.sca.invocation.Message; +import org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy; +import org.apache.tuscany.sca.policy.security.http.LDAPRealmAuthenticationCallbackHandler; +import org.apache.tuscany.sca.policy.security.http.LDAPRealmAuthenticationPolicy; +import org.apache.tuscany.sca.policy.security.http.extensibility.LDAPSecurityHandler; +import org.apache.tuscany.sca.policy.security.http.util.HttpSecurityUtil; + +public class GeronimoLDAPSecurityHandler implements LDAPSecurityHandler { + + public GeronimoLDAPSecurityHandler() { + + } + + /** + * The Http Service calls this method prior to servicing the specified request. + * This method controls whether the request is processed in the normal manner + * or an error is returned. + * + * If the request requires authentication and the Authorization header + * in the request is missing or not acceptable, then this method should + * set the WWW-Authenticate header in the response object, set the status + * in the response object to Unauthorized(401) and return false. + * See also RFC 2617: HTTP Authentication: Basic and Digest Access Authentication + * (available at http://www.ietf.org/rfc/rfc2617.txt). + * + * If the request requires a secure connection and the getScheme method + * in the request does not return 'https' or some other acceptable secure protocol, + * then this method should set the status in the response object to Forbidden(403) + * and return false. + * + * When this method returns false, the Http Service will send the response back to + * the client, thereby completing the request. When this method returns true, the + * Http Service will proceed with servicing the request. + * + * If the specified request has been authenticated, this method must set the + * AUTHENTICATION_TYPE request attribute to the type of authentication used, + * and the REMOTE_USER request attribute to the remote user + * (request attributes are set using the setAttribute method on the request). + * If this method does not perform any authentication, it must not set these attributes. + * + * @param msg + * @return + */ + public void handleSecurity(Message msg, + List<LDAPRealmAuthenticationPolicy> authenticationPolicies, + List<AuthorizationPolicy> authorizationPolicies) throws javax.security.auth.login.LoginException { + Subject subject = null; + Subject authenticatedSubject = null; + + + // Perform user authentication + LDAPRealmAuthenticationPolicy authenticationPolicy = authenticationPolicies.get(0); + if( authenticationPolicy != null) { + subject = HttpSecurityUtil.getSubject(msg); + CallbackHandler callbackHandler = new LDAPRealmAuthenticationCallbackHandler(subject); + + /* Uses Geronimo to login */ + try { + LoginContext geronimoLoginContext = ContextManager.login(authenticationPolicy.getRealmConfigurationName(), callbackHandler); + + authenticatedSubject = geronimoLoginContext.getSubject(); + ContextManager.setCallers(authenticatedSubject, authenticatedSubject); + if (authenticatedSubject != null) { + //TODO: add authenticated subject to the msg header ? + } + + } catch(LoginException le) { + throw new FailedLoginException("Login failed: " + le.getMessage()); + } + + } + + AuthorizationPolicy authorizationPolicy = authorizationPolicies.get(0); + if(authorizationPolicy != null) { + if(authorizationPolicy.getAccessControl() == AuthorizationPolicy.AcessControl.allow) { + /* Geronimo Specific code */ + AccessControlContext acc = ContextManager.getCurrentContext(); + + boolean isAllowed = false; + for (String requiredRole : authorizationPolicy.getRoleNames()) { + isAllowed = isUserInRole(acc, requiredRole); + if(isAllowed) { + break; + } + } + + if(! isAllowed ) { + throw new javax.security.auth.login.LoginException("Insufficient access rights !"); + } + } + + } + + } + + + + + public boolean isUserInRole(AccessControlContext acc, String role) { + /* Geronimo Specific code */ + try { + acc.checkPermission(new WebRoleRefPermission("", role)); + } catch (Exception e) { + return false; + } + + return true; + } + + +} diff --git a/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/resources/META-INF/services/org.apache.tuscany.sca.policy.security.http.extensibility.LDAPSecurityHandler b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/resources/META-INF/services/org.apache.tuscany.sca.policy.security.http.extensibility.LDAPSecurityHandler new file mode 100644 index 0000000000..f435bf408e --- /dev/null +++ b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/resources/META-INF/services/org.apache.tuscany.sca.policy.security.http.extensibility.LDAPSecurityHandler @@ -0,0 +1,18 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +org.apache.tuscany.sca.policy.security.geronimo.GeronimoLDAPSecurityHandler
\ No newline at end of file |