001: /*
002: * JBoss, Home of Professional Open Source
003: * Copyright 2006, JBoss Inc., and individual contributors as indicated
004: * by the @authors tag. See the copyright.txt in the distribution for a
005: * full listing of individual contributors.
006: *
007: * This is free software; you can redistribute it and/or modify it
008: * under the terms of the GNU Lesser General Public License as
009: * published by the Free Software Foundation; either version 2.1 of
010: * the License, or (at your option) any later version.
011: *
012: * This software is distributed in the hope that it will be useful,
013: * but WITHOUT ANY WARRANTY; without even the implied warranty of
014: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
015: * Lesser General Public License for more details.
016: *
017: * You should have received a copy of the GNU Lesser General Public
018: * License along with this software; if not, write to the Free
019: * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
020: * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
021: */
022: package org.jboss.web.tomcat.security;
023:
import java.security.Permission;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;

import javax.security.auth.Subject;

import org.jboss.metadata.WebMetaData;
import org.jboss.security.RealmMapping;
import org.jboss.security.SimplePrincipal;
036:
037: //$Id$
038:
/**
 * JBAS-4149: Extension of {@link JaccAuthorizationRealm} that also takes the
 * deployment-level role mapping into account.
 * @author <a href="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
 * @since Feb 23, 2007
 * @version $Revision$
 */
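public class ExtendedJaccAuthorizationRealm extends JaccAuthorizationRealm {

    /**
     * Builds the principal that is cached for an authenticated user.
     * <p>
     * When no caller run-as identity is active and the active
     * {@link WebMetaData} declares security roles for the authenticated
     * principal's name, a {@link JBossGenericPrincipal} is built from those
     * deployment-level role names and the superclass implementation is not
     * consulted. In every other case (a run-as identity is active, the
     * authenticated principal is {@code null}, there is no active web
     * metadata, or no deployment-level roles are declared for the principal)
     * the decision is delegated to the superclass.
     *
     * @param realmMapping    the realm mapping passed through to the superclass
     * @param authPrincipal   the authenticated principal; its name is the key
     *                        into the deployment-level role mapping. May be
     *                        {@code null}, in which case the superclass decides
     * @param callerPrincipal the caller principal associated with the request
     * @param credential      the credential presented during authentication
     * @param subject         the authenticated subject
     * @return the principal to cache, as built here or as returned by the
     *         superclass
     */
    @Override
    protected Principal getCachingPrincpal(RealmMapping realmMapping,
            Principal authPrincipal, Principal callerPrincipal,
            Object credential, Subject subject) {
        // A run-as identity takes precedence over the caller's own roles, so the
        // deployment-level mapping is only consulted when none is active. The
        // null guard on authPrincipal avoids an NPE on getName() below.
        if (SecurityAssociationActions.getCallerRunAsIdentity() == null
                && authPrincipal != null) {
            WebMetaData wmd = (WebMetaData) JaccContextValve.activeWebMetaData.get();
            if (wmd != null) {
                Set<?> secroles = wmd.getSecurityRoleNamesByPrincipal(authPrincipal.getName());
                if (secroles != null && !secroles.isEmpty()) {
                    // Build both views of the same role set in one pass: the plain
                    // role names and the SimplePrincipal form.
                    List<String> roleNames = new ArrayList<String>(secroles.size());
                    Set<Principal> principalRoles = new HashSet<Principal>();
                    for (Object role : secroles) {
                        String roleName = (String) role;
                        roleNames.add(roleName);
                        principalRoles.add(new SimplePrincipal(roleName));
                    }
                    return new JBossGenericPrincipal(this, subject, authPrincipal,
                            callerPrincipal, credential, roleNames, principalRoles);
                }
            }
        }
        return super.getCachingPrincpal(realmMapping, authPrincipal,
                callerPrincipal, credential, subject);
    }

    /** See if the given JACC permission is implied using the caller as
     * obtained from either the
     * PolicyContext.getContext(javax.security.auth.Subject.container) or
     * the info associated with the requestPrincipal.
     * <p>
     * When the request principal is a {@link JBossGenericPrincipal}, the role
     * names it carries are wrapped as {@link SimplePrincipal}s and handed to
     * the {@code Principal[]} overload; a missing roles array is treated as
     * zero roles. Any other principal (or none) results in a {@code null}
     * principal array, meaning there is no caller.
     *
     * @param perm - the JACC permission to check
     * @param requestPrincpal - the http request getPrincipal
     * @return true if the permission is allowed, false otherwise
     */
    protected boolean checkSecurityAssociation(Permission perm,
            Principal requestPrincpal) {
        // Get the caller
        establishSubjectContext(requestPrincpal);

        // Get the caller principals, its null if there is no caller
        Principal[] principals = null;

        // Use the roles cached in the principal
        if (requestPrincpal instanceof JBossGenericPrincipal) {
            JBossGenericPrincipal jgp = (JBossGenericPrincipal) requestPrincpal;
            String[] rolenames = jgp.getRoles();
            // A null roles array used to NPE here; treat it as an empty one.
            int len = rolenames == null ? 0 : rolenames.length;
            principals = new Principal[len];
            for (int i = 0; i < len; i++) {
                principals[i] = new SimplePrincipal(rolenames[i]);
            }
        }
        return checkSecurityAssociation(perm, principals);
    }
}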