org.jboss.security.plugins
Class JaasSecurityManager

java.lang.Object
  extended by org.jboss.mx.util.JBossNotificationBroadcasterSupport
      extended by org.jboss.system.ServiceMBeanSupport
          extended by org.jboss.security.plugins.JaasSecurityManager
All Implemented Interfaces:
javax.management.MBeanRegistration, javax.management.NotificationBroadcaster, javax.management.NotificationEmitter, AuthenticationManager, RealmMapping, SubjectSecurityManager, org.jboss.system.Service, org.jboss.system.ServiceMBean
Direct Known Subclasses:
JaasSecurityDomain

public class JaasSecurityManager
extends org.jboss.system.ServiceMBeanSupport
implements SubjectSecurityManager, RealmMapping

The JaasSecurityManager is responsible both for authenticating credentials associated with principals and for role mapping. This implementation relies on the JAAS LoginContext/LoginModules associated with the security domain name associated with the class for authentication, and the context JAAS Subject object for role mapping.

Version:
$Revision: 1.41.2.9 $
Author:
Oleg Nitz, Scott.Stark@jboss.org
See Also:
isValid(Principal, Object, Subject), getPrincipal(Principal), doesUserHaveRole(Principal, Set)

Nested Class Summary
static class JaasSecurityManager.DomainInfo
          The authentication cache object.
 
Field Summary
protected  org.jboss.logging.Logger log
          The log4j category for the security manager domain
protected  boolean trace
           
 
Fields inherited from class org.jboss.system.ServiceMBeanSupport
server, SERVICE_CONTROLLER_SIG, serviceName
 
Fields inherited from interface org.jboss.system.ServiceMBean
CREATE_EVENT, CREATED, DESTROY_EVENT, DESTROYED, FAILED, REGISTERED, START_EVENT, STARTED, STARTING, states, STOP_EVENT, STOPPED, STOPPING, UNREGISTERED
 
Constructor Summary
JaasSecurityManager()
          Creates a default JaasSecurityManager for with a securityDomain name of 'other'.
JaasSecurityManager(String securityDomain, CallbackHandler handler)
          Creates a JaasSecurityManager for with a securityDomain name of that given by the 'securityDomain' argument.
 
Method Summary
protected  boolean doesRoleGroupHaveRole(Principal role, Group userRoles)
          Check that the indicated application domain role is a member of the user's assigned roles.
 boolean doesUserHaveRole(Principal principal, Principal role)
          Does the current Subject have a role(a Principal) that equates to one of the role names.
 boolean doesUserHaveRole(Principal principal, Set rolePrincipals)
          Does the current Subject have a role(a Principal) that equates to one of the role names.
 void flushCache()
          Not really used anymore as the security manager service manages the security domain authentication caches.
 Subject getActiveSubject()
          Get the currently authenticated Subject.
 Principal getPrincipal(Principal principal)
          Map the argument principal from the deployment environment principal to the developer environment.
 String getSecurityDomain()
          Get the name of the security domain associated with this security mgr.
 Set getUserRoles(Principal principal)
          Return the set of domain roles the current active Subject 'Roles' group found in the subject Principals set.
 boolean isValid(Principal principal, Object credential)
          Validate that the given credential is correct for principal.
 boolean isValid(Principal principal, Object credential, Subject activeSubject)
          Validate that the given credential is correct for principal.
 void setCachePolicy(org.jboss.util.CachePolicy domainCache)
          The domainCache is typically a shared object that is populated by the login code(LoginModule, etc.) and read by this class in the isValid() method.
 void setDeepCopySubjectOption(Boolean flag)
          Flag to specify if deep copy of subject sets needs to be enabled
 
Methods inherited from class org.jboss.system.ServiceMBeanSupport
create, createService, destroy, destroyService, getDeploymentInfo, getLog, getName, getNextNotificationSequenceNumber, getObjectName, getServer, getServiceName, getState, getStateString, jbossInternalCreate, jbossInternalDescription, jbossInternalDestroy, jbossInternalLifecycle, jbossInternalStart, jbossInternalStop, postDeregister, postRegister, preDeregister, preRegister, start, startService, stop, stopService
 
Methods inherited from class org.jboss.mx.util.JBossNotificationBroadcasterSupport
addNotificationListener, getNotificationInfo, handleNotification, nextNotificationSequenceNumber, removeNotificationListener, removeNotificationListener, sendNotification
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Field Detail

log

protected org.jboss.logging.Logger log
The log4j category for the security manager domain


trace

protected boolean trace
Constructor Detail

JaasSecurityManager

public JaasSecurityManager()
Creates a default JaasSecurityManager for with a securityDomain name of 'other'.


JaasSecurityManager

public JaasSecurityManager(String securityDomain,
                           CallbackHandler handler)
Creates a JaasSecurityManager for with a securityDomain name of that given by the 'securityDomain' argument.

Parameters:
securityDomain - the name of the security domain
handler - the JAAS callback handler instance to use
Throws:
UndeclaredThrowableException - thrown if handler does not implement a setSecurityInfo(Princpal, Object) method
Method Detail

setCachePolicy

public void setCachePolicy(org.jboss.util.CachePolicy domainCache)
The domainCache is typically a shared object that is populated by the login code(LoginModule, etc.) and read by this class in the isValid() method.

See Also:
isValid(Principal, Object, Subject)

setDeepCopySubjectOption

public void setDeepCopySubjectOption(Boolean flag)
Flag to specify if deep copy of subject sets needs to be enabled

Parameters:
flag -

flushCache

public void flushCache()
Not really used anymore as the security manager service manages the security domain authentication caches.


getSecurityDomain

public String getSecurityDomain()
Get the name of the security domain associated with this security mgr.

Specified by:
getSecurityDomain in interface AuthenticationManager
Returns:
Name of the security manager security domain.

getActiveSubject

public Subject getActiveSubject()
Get the currently authenticated Subject. This is a thread local property shared across all JaasSecurityManager instances.

Specified by:
getActiveSubject in interface AuthenticationManager
Returns:
The Subject authenticated in the current thread if one exists, null otherwise.
See Also:
PolicyContextHandler.getContext(String, Object)

isValid

public boolean isValid(Principal principal,
                       Object credential)
Validate that the given credential is correct for principal. This returns the value from invoking isValid(principal, credential, null).

Specified by:
isValid in interface AuthenticationManager
Parameters:
principal - - the security domain principal attempting access
credential - - the proof of identity offered by the principal
Returns:
true if the principal was authenticated, false otherwise.
See Also:
AuthenticationManager.isValid(Principal, Object, Subject)

isValid

public boolean isValid(Principal principal,
                       Object credential,
                       Subject activeSubject)
Validate that the given credential is correct for principal. This first will check the current CachePolicy object if one exists to see if the user's cached credentials match the given credential. If there is no credential cache or the cache information is invalid or does not match, the user is authenticated against the JAAS login modules configured for the security domain.

Specified by:
isValid in interface AuthenticationManager
Parameters:
principal - - the security domain principal attempting access
credential - the proof of identity offered by the principal
activeSubject - - if not null, a Subject that will be populated with the state of the authenticated Subject.
Returns:
true if the principal was authenticated, false otherwise.

getPrincipal

public Principal getPrincipal(Principal principal)
Map the argument principal from the deployment environment principal to the developer environment. This is called by the EJB context getCallerPrincipal() to return the Principal as described by the EJB developer domain.

Specified by:
getPrincipal in interface RealmMapping
Parameters:
principal - the caller principal as known in the operation environment.
Returns:
a Principal object that is valid in the deployment environment if one exists. If no Subject exists or the Subject has no principals then the argument principal is returned.

doesUserHaveRole

public boolean doesUserHaveRole(Principal principal,
                                Set rolePrincipals)
Does the current Subject have a role(a Principal) that equates to one of the role names. This method obtains the Group named 'Roles' from the principal set of the currently authenticated Subject as determined by the SecurityAssociation.getSubject() method and then creates a SimplePrincipal for each name in roleNames. If the role is a member of the Roles group, then the user has the role. This requires that the caller establish the correct SecurityAssociation subject prior to calling this method. In the past this was done as a side-effect of an isValid() call, but this is no longer the case.

Specified by:
doesUserHaveRole in interface RealmMapping
Parameters:
principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.
rolePrincipals - - a Set of Principals for the roles to check.
Returns:
true if the principal has at least one of the roles in the roles set, false otherwise.
See Also:
Group;, Subject.getPrincipals()

doesUserHaveRole

public boolean doesUserHaveRole(Principal principal,
                                Principal role)
Does the current Subject have a role(a Principal) that equates to one of the role names.

Parameters:
principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.
role - - the application domain role that the principal is to be validated against.
Returns:
true if the active principal has the role, false otherwise.
See Also:
doesUserHaveRole(Principal, Set)

getUserRoles

public Set getUserRoles(Principal principal)
Return the set of domain roles the current active Subject 'Roles' group found in the subject Principals set.

Specified by:
getUserRoles in interface RealmMapping
Parameters:
principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.
Returns:
The Set for the application domain roles that the principal has been assigned.

doesRoleGroupHaveRole

protected boolean doesRoleGroupHaveRole(Principal role,
                                        Group userRoles)
Check that the indicated application domain role is a member of the user's assigned roles. This handles the special AnybodyPrincipal and NobodyPrincipal independent of the Group implementation.

Parameters:
role - , the application domain role required for access
userRoles - , the set of roles assigned to the user
Returns:
true if role is in userRoles or an AnybodyPrincipal instance, false if role is a NobodyPrincipal or no a member of userRoles


Copyright © 2002 JBoss Group, LLC. All Rights Reserved.