summaryrefslogtreecommitdiffstats
path: root/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo
diff options
context:
space:
mode:
Diffstat (limited to 'sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo')
-rw-r--r--sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/pom.xml70
-rw-r--r--sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/java/org/apache/tuscany/sca/policy/security/geronimo/GeronimoLDAPSecurityHandler.java143
-rw-r--r--sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/resources/META-INF/services/org.apache.tuscany.sca.policy.security.http.extensibility.LDAPSecurityHandler18
3 files changed, 231 insertions, 0 deletions
diff --git a/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/pom.xml b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/pom.xml
new file mode 100644
index 0000000000..4cd7b03ac9
--- /dev/null
+++ b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/pom.xml
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+-->
+<project>
+ <modelVersion>4.0.0</modelVersion>
+ <parent>
+ <groupId>org.apache.tuscany.sca</groupId>
+ <artifactId>tuscany-modules</artifactId>
+ <version>1.6-SNAPSHOT</version>
+ <relativePath>../pom.xml</relativePath>
+ </parent>
+ <artifactId>tuscany-policy-security-geronimo</artifactId>
+ <name>Apache Tuscany SCA Geronimo Policy Security</name>
+
+ <dependencies>
+ <dependency>
+ <groupId>org.apache.tuscany.sca</groupId>
+ <artifactId>tuscany-policy-security-http</artifactId>
+ <version>1.6-SNAPSHOT</version>
+ </dependency>
+
+ <dependency>
+ <groupId>org.apache.geronimo.modules</groupId>
+ <artifactId>geronimo-security</artifactId>
+ <version>2.0.1</version>
+ <scope>provided</scope>
+ </dependency>
+
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ <version>2.4</version> <!-- to keep compatible with older servlet containers -->
+ <scope>provided</scope>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-bundle-plugin</artifactId>
+
+ <configuration>
+ <instructions>
+ <Bundle-Version>${tuscany.version}</Bundle-Version>
+ <Bundle-SymbolicName>org.apache.tuscany.sca.policy.security.geronimo</Bundle-SymbolicName>
+ <Bundle-Description>${pom.name}</Bundle-Description>
+ <Export-Package>org.apache.tuscany.sca.policy.security.geronimo*</Export-Package>
+ </instructions>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+</project>
diff --git a/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/java/org/apache/tuscany/sca/policy/security/geronimo/GeronimoLDAPSecurityHandler.java b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/java/org/apache/tuscany/sca/policy/security/geronimo/GeronimoLDAPSecurityHandler.java
new file mode 100644
index 0000000000..89faccd699
--- /dev/null
+++ b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/java/org/apache/tuscany/sca/policy/security/geronimo/GeronimoLDAPSecurityHandler.java
@@ -0,0 +1,143 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.tuscany.sca.policy.security.geronimo;
+
+import java.security.AccessControlContext;
+import java.util.List;
+
+import javax.security.auth.Subject;
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.FailedLoginException;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import javax.security.jacc.WebRoleRefPermission;
+
+import org.apache.geronimo.security.ContextManager;
+import org.apache.tuscany.sca.invocation.Message;
+import org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy;
+import org.apache.tuscany.sca.policy.security.http.LDAPRealmAuthenticationCallbackHandler;
+import org.apache.tuscany.sca.policy.security.http.LDAPRealmAuthenticationPolicy;
+import org.apache.tuscany.sca.policy.security.http.extensibility.LDAPSecurityHandler;
+import org.apache.tuscany.sca.policy.security.http.util.HttpSecurityUtil;
+
+public class GeronimoLDAPSecurityHandler implements LDAPSecurityHandler {
+
+ public GeronimoLDAPSecurityHandler() {
+
+ }
+
+ /**
+ * The Http Service calls this method prior to servicing the specified request.
+ * This method controls whether the request is processed in the normal manner
+ * or an error is returned.
+ *
+ * If the request requires authentication and the Authorization header
+ * in the request is missing or not acceptable, then this method should
+ * set the WWW-Authenticate header in the response object, set the status
+ * in the response object to Unauthorized(401) and return false.
+ * See also RFC 2617: HTTP Authentication: Basic and Digest Access Authentication
+ * (available at http://www.ietf.org/rfc/rfc2617.txt).
+ *
+ * If the request requires a secure connection and the getScheme method
+ * in the request does not return 'https' or some other acceptable secure protocol,
+ * then this method should set the status in the response object to Forbidden(403)
+ * and return false.
+ *
+ * When this method returns false, the Http Service will send the response back to
+ * the client, thereby completing the request. When this method returns true, the
+ * Http Service will proceed with servicing the request.
+ *
+ * If the specified request has been authenticated, this method must set the
+ * AUTHENTICATION_TYPE request attribute to the type of authentication used,
+ * and the REMOTE_USER request attribute to the remote user
+ * (request attributes are set using the setAttribute method on the request).
+ * If this method does not perform any authentication, it must not set these attributes.
+ *
+ * @param msg
+ * @return
+ */
+ public void handleSecurity(Message msg,
+ List<LDAPRealmAuthenticationPolicy> authenticationPolicies,
+ List<AuthorizationPolicy> authorizationPolicies) throws javax.security.auth.login.LoginException {
+ Subject subject = null;
+ Subject authenticatedSubject = null;
+
+
+ // Perform user authentication
+ LDAPRealmAuthenticationPolicy authenticationPolicy = authenticationPolicies.get(0);
+ if( authenticationPolicy != null) {
+ subject = HttpSecurityUtil.getSubject(msg);
+ CallbackHandler callbackHandler = new LDAPRealmAuthenticationCallbackHandler(subject);
+
+ /* Uses Geronimo to login */
+ try {
+ LoginContext geronimoLoginContext = ContextManager.login(authenticationPolicy.getRealmConfigurationName(), callbackHandler);
+
+ authenticatedSubject = geronimoLoginContext.getSubject();
+ ContextManager.setCallers(authenticatedSubject, authenticatedSubject);
+ if (authenticatedSubject != null) {
+ //TODO: add authenticated subject to the msg header ?
+ }
+
+ } catch(LoginException le) {
+ throw new FailedLoginException("Login failed: " + le.getMessage());
+ }
+
+ }
+
+ AuthorizationPolicy authorizationPolicy = authorizationPolicies.get(0);
+ if(authorizationPolicy != null) {
+ if(authorizationPolicy.getAccessControl() == AuthorizationPolicy.AcessControl.allow) {
+ /* Geronimo Specific code */
+ AccessControlContext acc = ContextManager.getCurrentContext();
+
+ boolean isAllowed = false;
+ for (String requiredRole : authorizationPolicy.getRoleNames()) {
+ isAllowed = isUserInRole(acc, requiredRole);
+ if(isAllowed) {
+ break;
+ }
+ }
+
+ if(! isAllowed ) {
+ throw new javax.security.auth.login.LoginException("Insufficient access rights !");
+ }
+ }
+
+ }
+
+ }
+
+
+
+
+ public boolean isUserInRole(AccessControlContext acc, String role) {
+ /* Geronimo Specific code */
+ try {
+ acc.checkPermission(new WebRoleRefPermission("", role));
+ } catch (Exception e) {
+ return false;
+ }
+
+ return true;
+ }
+
+
+}
diff --git a/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/resources/META-INF/services/org.apache.tuscany.sca.policy.security.http.extensibility.LDAPSecurityHandler b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/resources/META-INF/services/org.apache.tuscany.sca.policy.security.http.extensibility.LDAPSecurityHandler
new file mode 100644
index 0000000000..f435bf408e
--- /dev/null
+++ b/sca-java-1.x/branches/sca-java-1.6/modules/policy-security-geronimo/src/main/resources/META-INF/services/org.apache.tuscany.sca.policy.security.http.extensibility.LDAPSecurityHandler
@@ -0,0 +1,18 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+org.apache.tuscany.sca.policy.security.geronimo.GeronimoLDAPSecurityHandler \ No newline at end of file