From 8624934bb83a3bcecaf215e6ce33c81763755076 Mon Sep 17 00:00:00 2001 From: lresende Date: Thu, 21 May 2009 23:54:31 +0000 Subject: Enhancment to allow verification of user credentials and roles in a Geronimo Java EE environment. Some code are commented out as I still need to find a more generic (not so geronimo specific way) to perform some of these actions git-svn-id: http://svn.us.apache.org/repos/asf/tuscany@777325 13f79535-47bb-0310-9956-ffa450edef68 --- .../modules/policy-security-http/pom.xml | 11 +++- ...AuthenticationImplementationPolicyProvider.java | 40 +++++++++--- .../http/LDAPRealmAuthenticationInterceptor.java | 71 ++++++++++++++++++++-- ...APRealmAuthenticationServicePolicyProvider.java | 60 ++++++++++++++++-- 4 files changed, 164 insertions(+), 18 deletions(-) diff --git a/branches/sca-java-1.x/modules/policy-security-http/pom.xml b/branches/sca-java-1.x/modules/policy-security-http/pom.xml index 36ff3748e6..e33a6bdf69 100644 --- a/branches/sca-java-1.x/modules/policy-security-http/pom.xml +++ b/branches/sca-java-1.x/modules/policy-security-http/pom.xml @@ -52,14 +52,21 @@ tuscany-assembly-xml 1.6-SNAPSHOT - + + + org.apache.geronimo.modules + geronimo-security + 2.0.1 + provided + + org.apache.tuscany.sca tuscany-contribution-impl 1.6-SNAPSHOT test - + commons-codec commons-codec diff --git a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationImplementationPolicyProvider.java b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationImplementationPolicyProvider.java index 9b0ab3c8a1..bb1950f7f8 100644 --- a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationImplementationPolicyProvider.java 
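Review bot: The new `geronimo-security` 2.0.1 dependency is only needed to resolve the `org.apache.geronimo.security.ContextManager` import added to LDAPRealmAuthenticationInterceptor.java, and every use of that class in the interceptor hunks is commented out, so the module now requires a Geronimo jar at compile time for code that does not run. The same applies to the `java.security.AccessControlContext`, `javax.security.jacc.WebRoleRefPermission` and `javax.servlet.http.HttpServletRequest` imports in the interceptor's `@@ -19,15 +19,20 @@` hunk, none of which is referenced by live code. Either drop the dependency and those imports until the container-specific login path is wired in, or keep them behind a comment next to the dependency such as `<!-- reserved for the Geronimo ContextManager login path; not used by the generic JAAS login -->` so the next reader does not assume the Geronimo integration is active.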
+++ b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationImplementationPolicyProvider.java @@ -29,8 +29,7 @@ import org.apache.tuscany.sca.interfacedef.Operation; import org.apache.tuscany.sca.invocation.Interceptor; import org.apache.tuscany.sca.invocation.Phase; import org.apache.tuscany.sca.policy.PolicySet; -import org.apache.tuscany.sca.policy.security.jaas.JaasAuthenticationInterceptor; -import org.apache.tuscany.sca.policy.security.jaas.JaasAuthenticationPolicy; +import org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy; import org.apache.tuscany.sca.provider.PolicyProvider; import org.apache.tuscany.sca.runtime.RuntimeComponent; @@ -50,11 +49,11 @@ public class LDAPRealmAuthenticationImplementationPolicyProvider implements Poli } public Interceptor createInterceptor(Operation operation) { - List policies = findPolicies(operation); + List policies = findAuthenticationPolicies(operation); if (policies == null || policies.isEmpty()) { return null; } else { - return new LDAPRealmAuthenticationInterceptor(findPolicies(operation)); + return new LDAPRealmAuthenticationInterceptor(findAuthenticationPolicies(operation), findAuthorizationPolicies(operation)); } } 
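Review bot: `createInterceptor` still calls `findAuthenticationPolicies(operation)` a second time in the return statement although the result is already held in `policies`, so the walk over the configured operations and their policy sets runs twice per interceptor, and the null/empty check above guards a different list object than the one handed to the interceptor. Reuse the local instead: `return new LDAPRealmAuthenticationInterceptor(policies, findAuthorizationPolicies(operation));`.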
@@ -67,16 +66,15 @@ public class LDAPRealmAuthenticationImplementationPolicyProvider implements Poli * @param op * @return */ - private List findPolicies(Operation op) { + private List findAuthenticationPolicies(Operation op) { List polices = new ArrayList(); - // FIXME: How do we get a list of effective policySets for a given operation? if (implementation instanceof OperationsConfigurator) { OperationsConfigurator operationsConfigurator = (OperationsConfigurator)implementation; for (ConfiguredOperation cop : operationsConfigurator.getConfiguredOperations()) { if (cop.getName().equals(op.getName())) { for (PolicySet ps : cop.getPolicySets()) { for (Object p : ps.getPolicies()) { - if (JaasAuthenticationPolicy.class.isInstance(p)) { + if (LDAPRealmAuthenticationPolicy.class.isInstance(p)) { polices.add((LDAPRealmAuthenticationPolicy)p); } } @@ -95,4 +93,32 @@ public class LDAPRealmAuthenticationImplementationPolicyProvider implements Poli } return polices; } + + private List findAuthorizationPolicies(Operation op) { + List polices = new ArrayList(); + if (implementation instanceof OperationsConfigurator) { + OperationsConfigurator operationsConfigurator = (OperationsConfigurator)implementation; + for (ConfiguredOperation cop : operationsConfigurator.getConfiguredOperations()) { + if (cop.getName().equals(op.getName())) { + for (PolicySet ps : cop.getPolicySets()) { + for (Object p : ps.getPolicies()) { + if (AuthorizationPolicy.class.isInstance(p)) { + polices.add((AuthorizationPolicy)p); + } + } + } + } + } + } + + List policySets = component.getPolicySets(); + for (PolicySet ps : policySets) { + for (Object p : ps.getPolicies()) { + if (AuthorizationPolicy.class.isInstance(p)) { + polices.add((AuthorizationPolicy)p); + } + } + } + return polices; + } } 
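Review bot: The new `findAuthorizationPolicies` has no Javadoc and mirrors `findAuthenticationPolicies` except for the class it filters on, so the two lookups will drift apart the next time the policy resolution changes (the service-side `findAuthorizationPolicies` in LDAPRealmAuthenticationServicePolicyProvider.java is already a third copy with a different iteration order). A single private helper taking the policy class, called as `findPolicies(op, AuthorizationPolicy.class)` and `findPolicies(op, LDAPRealmAuthenticationPolicy.class)`, would collect both lists from one walk over the configured operations and `component.getPolicySets()`. At minimum add `/** Collects the AuthorizationPolicy instances attached to the configured operation matching {@code op} or to the component's own policy sets; returns an empty list when none apply. */` above the method.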
diff --git a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationInterceptor.java b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationInterceptor.java index 787d41f584..0de09c6129 100644 --- a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationInterceptor.java +++ b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationInterceptor.java @@ -19,15 +19,20 @@ package org.apache.tuscany.sca.policy.security.http; +import java.security.AccessControlContext; import java.util.List; import javax.security.auth.Subject; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.login.LoginContext; +import javax.security.jacc.WebRoleRefPermission; +import javax.servlet.http.HttpServletRequest; +import org.apache.geronimo.security.ContextManager; import org.apache.tuscany.sca.invocation.Interceptor; import org.apache.tuscany.sca.invocation.Invoker; import org.apache.tuscany.sca.invocation.Message; +import org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy; import org.apache.tuscany.sca.policy.security.http.util.HttpSecurityUtil; import org.osoa.sca.ServiceRuntimeException; @@ -36,11 +41,14 @@ import org.osoa.sca.ServiceRuntimeException; */ public class LDAPRealmAuthenticationInterceptor implements Interceptor { private List authenticationPolicies; + private List authorizationPolicies; private Invoker next; - public LDAPRealmAuthenticationInterceptor(List authenticationPolicies) { + public LDAPRealmAuthenticationInterceptor(List authenticationPolicies, + List authorizationPolicies) { super(); this.authenticationPolicies = authenticationPolicies; + this.authorizationPolicies = authorizationPolicies; } public Invoker getNext() { 
@@ -52,17 +60,72 @@ public class LDAPRealmAuthenticationInterceptor implements Interceptor { } public Message invoke(Message msg) { + Subject subject = null; + Subject authenticatedSubject = null; + try { - for (LDAPRealmAuthenticationPolicy policy : authenticationPolicies) { - Subject subject = HttpSecurityUtil.getSubject(msg); + // Perform user authentication + LDAPRealmAuthenticationPolicy authenticationPolicy = authenticationPolicies.get(0); + if( authenticationPolicy != null) { + subject = HttpSecurityUtil.getSubject(msg); CallbackHandler callbackHandler = new LDAPRealmAuthenticationCallbackHandler(subject); - LoginContext lc = new LoginContext(policy.getRealmConfigurationName(), callbackHandler); + + /* This bypass Java EE */ + LoginContext lc = new LoginContext(authenticationPolicy.getRealmConfigurationName(), callbackHandler); lc.login(); + + + /* Uses Geronimo to login */ + /* + LoginContext geronimoLoginContext = ContextManager.login(authenticationPolicy.getRealmConfigurationName(), callbackHandler); + + authenticatedSubject = geronimoLoginContext.getSubject(); + if (authenticatedSubject != null) { + //TODO: add authenticated subject to the msg header ? + } + */ } + + AuthorizationPolicy authorizationPolicy = authorizationPolicies.get(0); + if(authorizationPolicy != null) { + if(authorizationPolicy.getAccessControl() == AuthorizationPolicy.AcessControl.allow) { + /* Geronimo Specific code */ + /* + boolean isAllowed = false; + for (String requiredRole : authorizationPolicy.getRoleNames()) { + isAllowed = isUserInRole(authenticatedSubject, requiredRole); + } + + if(! 
isAllowed ) { + throw new javax.security.auth.login.LoginException("Insufficient access rights !"); + } + */ + } + + } + } catch (Exception e) { throw new ServiceRuntimeException(e); } return getNext().invoke(msg); } + + public boolean isUserInRole(Subject subject, String role) { + /* Geronimo Specific code */ + /* + AccessControlContext acc = ContextManager.getCurrentContext(); + + try { + acc.checkPermission(new WebRoleRefPermission("", role)); + } catch (Exception e) { + return false; + } + + return true; + */ + + return false; + } + } diff --git a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationServicePolicyProvider.java b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationServicePolicyProvider.java index dfe72bee36..fe14987948 100644 --- a/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationServicePolicyProvider.java +++ b/branches/sca-java-1.x/modules/policy-security-http/src/main/java/org/apache/tuscany/sca/policy/security/http/LDAPRealmAuthenticationServicePolicyProvider.java @@ -29,6 +29,7 @@ import org.apache.tuscany.sca.interfacedef.Operation; import org.apache.tuscany.sca.invocation.Interceptor; import org.apache.tuscany.sca.invocation.Phase; import org.apache.tuscany.sca.policy.PolicySet; +import org.apache.tuscany.sca.policy.authorization.AuthorizationPolicy; import org.apache.tuscany.sca.provider.PolicyProvider; import org.apache.tuscany.sca.runtime.RuntimeComponent; import org.apache.tuscany.sca.runtime.RuntimeComponentService; 
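Review bot: `authorizationPolicies.get(0)` throws IndexOutOfBoundsException on the empty list both providers hand over when only an authentication policy is attached, and the surrounding `catch (Exception e)` then turns every call into a ServiceRuntimeException, while the `!= null` checks after both `get(0)` calls guard nothing because `get(0)` on an empty list never returns null. When an authorization policy is present, neither the `allow` branch (the role loop is commented out) nor any other access-control value rejects the request, so authorization is currently a silent no-op once `lc.login()` succeeds, and `authenticatedSubject` stays null because `lc.getSubject()` is never read. Replacing the loop over all authentication policies with `get(0)` also means any policy beyond the first is no longer enforced, which deserves at least a comment if intended. Until the generic role check exists, guard both lists with `isEmpty()` and fail closed on an authorization policy that cannot be honoured, as sketched below; the `isUserInRole` stub in the same hunk should carry a comment such as `// Placeholder: role enforcement is not implemented, every role is denied.`.
```java
    public Message invoke(Message msg) {
        try {
            // Perform user authentication against the first configured policy
            if (authenticationPolicies == null || authenticationPolicies.isEmpty()) {
                throw new javax.security.auth.login.LoginException("No authentication policy configured");
            }
            // … unchanged: subject lookup, callback handler, LoginContext login for authenticationPolicies.get(0) …

            // Role enforcement against the authenticated subject is not implemented yet
            // (isUserInRole always returns false), so a configured authorization policy
            // cannot be honoured; fail closed rather than let the call through unchecked.
            if (authorizationPolicies != null && !authorizationPolicies.isEmpty()) {
                AuthorizationPolicy authorizationPolicy = authorizationPolicies.get(0);
                throw new javax.security.auth.login.LoginException(
                    "Authorization policy " + authorizationPolicy.getAccessControl() + " cannot be enforced");
            }
        } catch (Exception e) {
            throw new ServiceRuntimeException(e);
        }
        return getNext().invoke(msg);
    }
```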
@@ -59,16 +60,18 @@ public class LDAPRealmAuthenticationServicePolicyProvider implements PolicyProvi } public Interceptor createInterceptor(Operation operation) { - List policies = null; + List authenticationPolicies = null; + List authorizationPolicies = null; if (operation != null) { - policies = findPolicies(operation); + authenticationPolicies = findAuthenticationPolicies(operation); + authorizationPolicies = findAuthorizationPolicies(operation); } - if (policies == null || policies.isEmpty()) { + if (authenticationPolicies == null || authenticationPolicies.isEmpty()) { return null; } else { - return new LDAPRealmAuthenticationInterceptor(policies); + return new LDAPRealmAuthenticationInterceptor(authenticationPolicies, authorizationPolicies); } } @@ -82,7 +85,7 @@ public class LDAPRealmAuthenticationServicePolicyProvider implements PolicyProvi * @param op * @return */ - private List findPolicies(Operation op) { + private List findAuthenticationPolicies(Operation op) { List polices = new ArrayList(); // FIXME: How do we get a list of effective policySets for a given operation? for(Operation operation : operations) { 
@@ -123,5 +126,52 @@ public class LDAPRealmAuthenticationServicePolicyProvider implements PolicyProvi return polices; } + + /** + * + * @param op + * @return + */ + private List findAuthorizationPolicies(Operation op) { + List polices = new ArrayList(); + // FIXME: How do we get a list of effective policySets for a given operation? + for(Operation operation : operations) { + if (operation.getName().equals(op.getName())) { + for (PolicySet ps : operation.getPolicySets()) { + for (Object p : ps.getPolicies()) { + if (AuthorizationPolicy.class.isInstance(p)) { + polices.add((AuthorizationPolicy)p); + } + } + } + } + } + + if (service instanceof OperationsConfigurator) { + OperationsConfigurator operationsConfigurator = (OperationsConfigurator)service; + for (ConfiguredOperation cop : operationsConfigurator.getConfiguredOperations()) { + if (cop.getName().equals(op.getName())) { + for (PolicySet ps : cop.getApplicablePolicySets()) { + for (Object p : ps.getPolicies()) { + if (AuthorizationPolicy.class.isInstance(p)) { + polices.add((AuthorizationPolicy)p); + } + } + } + } + } + } + + List policySets = service.getPolicySets(); + for (PolicySet ps : policySets) { + for (Object p : ps.getPolicies()) { + if (AuthorizationPolicy.class.isInstance(p)) { + polices.add((AuthorizationPolicy)p); + } + } + } + + return polices; + } } -- cgit v1.2.3
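Review bot: The Javadoc added above `findAuthorizationPolicies` is empty (`@param op` and `@return` carry no text), and the body copies the same `FIXME` about effective policy sets from `findAuthenticationPolicies` without answering it. The method also differs from the implementation-side `findAuthorizationPolicies` in LDAPRealmAuthenticationImplementationPolicyProvider.java, which iterates `cop.getPolicySets()` where this one iterates `cop.getApplicablePolicySets()`; if that difference is intended it should be stated in the Javadoc, since it decides which policy sets are enforced for the service. Suggested Javadoc: `/** Collects AuthorizationPolicy instances for the operation named like {@code op}: from the matching interface operation, from the service's configured operation (applicable policy sets) and from the service's own policy sets. @return the policies found, possibly empty. */`.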