001: /**
002: * Licensed to the Apache Software Foundation (ASF) under one or more
003: * contributor license agreements. See the NOTICE file distributed with
004: * this work for additional information regarding copyright ownership.
005: * The ASF licenses this file to You under the Apache License, Version 2.0
006: * (the "License"); you may not use this file except in compliance with
007: * the License. You may obtain a copy of the License at
008: *
009: * http://www.apache.org/licenses/LICENSE-2.0
010: *
011: * Unless required by applicable law or agreed to in writing, software
012: * distributed under the License is distributed on an "AS IS" BASIS,
013: * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014: * See the License for the specific language governing permissions and
015: * limitations under the License.
016: */package org.apache.geronimo.security.jacc;
017:
018: import java.security.Permission;
019: import java.security.PermissionCollection;
020: import java.security.Policy;
021: import java.util.Enumeration;
022: import java.util.HashMap;
023: import java.util.Map;
024:
025: import javax.security.auth.Subject;
026: import javax.security.auth.login.LoginException;
027: import javax.security.jacc.PolicyConfiguration;
028: import javax.security.jacc.PolicyConfigurationFactory;
029: import javax.security.jacc.PolicyContextException;
030:
031: import org.apache.geronimo.gbean.GBeanInfo;
032: import org.apache.geronimo.gbean.GBeanInfoBuilder;
033: import org.apache.geronimo.gbean.GBeanLifecycle;
034: import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory;
035: import org.apache.geronimo.security.ContextManager;
036: import org.apache.geronimo.security.IdentificationPrincipal;
037: import org.apache.geronimo.security.SubjectId;
038: import org.apache.geronimo.security.credentialstore.CredentialStore;
039: import org.apache.geronimo.security.deploy.SubjectInfo;
040:
041: /**
042: * @version $Rev: 612602 $ $Date: 2008-01-16 14:45:14 -0800 (Wed, 16 Jan 2008) $
043: */
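/**
 * Sets up the JACC security configuration of one application and tears it
 * down again in {@link #doStop()}.
 * <p>
 * The constructor obtains a {@link PolicyConfiguration} for every context id
 * in {@code contextIdToPermissionsMap}, fills it with the component's
 * excluded, unchecked and per-role permissions, installs the
 * {@link PrincipalRoleMapper}, links all configurations of the application to
 * each other, commits them and refreshes the installed {@link Policy}. It
 * then resolves the default subject and the run-as ("role designate")
 * subjects through the {@link CredentialStore} and registers them with
 * {@link ContextManager}.
 * <p>
 * Both maps are populated only in the constructor and are never modified
 * afterwards.
 *
 * @version $Rev: 612602 $ $Date: 2008-01-16 14:45:14 -0800 (Wed, 16 Jan 2008) $
 */
public class ApplicationPolicyConfigurationManager implements GBeanLifecycle, RunAsSource {

    /** Policy configuration obtained for each context id of the application. */
    private final Map<String, PolicyConfiguration> contextIdToPolicyConfigurationMap = new HashMap<String, PolicyConfiguration>();

    /** Run-as subject resolved for each role name that has a designate. */
    private final Map<String, Subject> roleDesignates = new HashMap<String, Subject>();

    /** Subject used when no run-as role applies; {@link ContextManager#EMPTY} if none was configured. */
    private final Subject defaultSubject;

    /** Mapper installed for the application's context ids; may be null. */
    private final PrincipalRoleMapper principalRoleMapper;

    /**
     * Builds, links and commits the application's policy configurations and
     * resolves its default and run-as subjects.
     * <p>
     * NOTE(review): if construction fails after some policy configurations
     * have been obtained or committed, they are not deleted here and
     * {@link #doStop()} is not run for the partially built instance; confirm
     * whether the caller cleans up in that case.
     *
     * @param contextIdToPermissionsMap excluded, unchecked and role permissions
     *        of each component, keyed by JACC context id
     * @param defaultSubjectInfo realm and id of the default subject, or null to
     *        use {@link ContextManager#EMPTY}
     * @param roleDesignates realm and id of the run-as subject for each role name
     * @param cl class loader made the thread context class loader while the
     *        {@link PolicyConfigurationFactory} is looked up
     * @param credentialStore store used to resolve subjects; may be null only
     *        when neither a default subject nor any role designate is configured
     * @param principalRoleMapper mapper to install for the context ids, or null
     * @throws PolicyContextException if a policy configuration cannot be
     *         obtained, populated, linked or committed
     * @throws ClassNotFoundException if the policy configuration factory class
     *         cannot be loaded
     * @throws LoginException if a subject cannot be resolved from the
     *         credential store
     * @throws NullPointerException if a subject has to be resolved but no
     *         credential store, or no subject info for a role, was supplied
     */
    public ApplicationPolicyConfigurationManager(Map<String, ComponentPermissions> contextIdToPermissionsMap,
                                                 SubjectInfo defaultSubjectInfo,
                                                 Map<String, SubjectInfo> roleDesignates,
                                                 ClassLoader cl,
                                                 CredentialStore credentialStore,
                                                 PrincipalRoleMapper principalRoleMapper)
            throws PolicyContextException, ClassNotFoundException, LoginException {
        if (credentialStore == null && (!roleDesignates.isEmpty() || defaultSubjectInfo != null)) {
            throw new NullPointerException("No CredentialStore supplied to resolve default and run-as subjects");
        }
        this.principalRoleMapper = principalRoleMapper;

        PolicyConfigurationFactory policyConfigurationFactory = lookupPolicyConfigurationFactory(cl);

        for (Map.Entry<String, ComponentPermissions> entry : contextIdToPermissionsMap.entrySet()) {
            String contextID = entry.getKey();
            // remove=true: discard the policy statements of any earlier configuration with this context id
            PolicyConfiguration policyConfiguration = policyConfigurationFactory.getPolicyConfiguration(contextID, true);
            contextIdToPolicyConfigurationMap.put(contextID, policyConfiguration);
            addPermissions(policyConfiguration, entry.getValue());
        }

        if (principalRoleMapper != null) {
            principalRoleMapper.install(contextIdToPermissionsMap.keySet());
        }

        linkAndCommit();

        // refresh so the installed Policy picks up the committed configurations
        Policy.getPolicy().refresh();

        if (defaultSubjectInfo == null) {
            defaultSubject = ContextManager.EMPTY;
        } else {
            defaultSubject = resolveAndRegister(credentialStore, defaultSubjectInfo);
        }

        for (Map.Entry<String, SubjectInfo> entry : roleDesignates.entrySet()) {
            String role = entry.getKey();
            SubjectInfo subjectInfo = entry.getValue();
            if (subjectInfo == null || credentialStore == null) {
                throw new NullPointerException("No subjectInfo for role " + role);
            }
            this.roleDesignates.put(role, resolveAndRegister(credentialStore, subjectInfo));
        }
    }

    /**
     * Looks up the JACC policy configuration factory with {@code cl} as the
     * thread context class loader and restores the previous loader afterwards.
     * The factory class is loaded by name (hence the ClassNotFoundException),
     * so the loader that can see the provider must be current during the lookup.
     */
    private static PolicyConfigurationFactory lookupPolicyConfigurationFactory(ClassLoader cl)
            throws PolicyContextException, ClassNotFoundException {
        Thread currentThread = Thread.currentThread();
        ClassLoader oldClassLoader = currentThread.getContextClassLoader();
        currentThread.setContextClassLoader(cl);
        try {
            return PolicyConfigurationFactory.getPolicyConfigurationFactory();
        } finally {
            currentThread.setContextClassLoader(oldClassLoader);
        }
    }

    /**
     * Copies the excluded, unchecked and per-role permissions of one component
     * into its policy configuration.
     */
    private static void addPermissions(PolicyConfiguration policyConfiguration,
                                       ComponentPermissions componentPermissions)
            throws PolicyContextException {
        policyConfiguration.addToExcludedPolicy(componentPermissions.getExcludedPermissions());
        policyConfiguration.addToUncheckedPolicy(componentPermissions.getUncheckedPermissions());
        for (Map.Entry<String, PermissionCollection> roleEntry : componentPermissions.getRolePermissions().entrySet()) {
            String roleName = roleEntry.getKey();
            Enumeration<Permission> permissions = roleEntry.getValue().elements();
            while (permissions.hasMoreElements()) {
                policyConfiguration.addToRole(roleName, permissions.nextElement());
            }
        }
    }

    /**
     * Links every policy configuration of the application to every other one
     * (JACC requires linked configurations to share one principal-to-role
     * mapping), then commits all of them, placing them in service.
     */
    private void linkAndCommit() throws PolicyContextException {
        for (PolicyConfiguration policyConfiguration : contextIdToPolicyConfigurationMap.values()) {
            for (PolicyConfiguration other : contextIdToPolicyConfigurationMap.values()) {
                // a configuration must not be linked to itself
                if (policyConfiguration != other) {
                    policyConfiguration.linkConfiguration(other);
                }
            }
        }
        for (PolicyConfiguration policyConfiguration : contextIdToPolicyConfigurationMap.values()) {
            policyConfiguration.commit();
        }
    }

    /**
     * Resolves the subject described by {@code subjectInfo} from the
     * credential store and registers it with the context manager.
     */
    private Subject resolveAndRegister(CredentialStore credentialStore, SubjectInfo subjectInfo)
            throws LoginException {
        Subject subject = credentialStore.getSubject(subjectInfo.getRealm(), subjectInfo.getId());
        registerSubject(subject);
        return subject;
    }

    /**
     * Registers the subject with {@link ContextManager} and tags it with an
     * {@link IdentificationPrincipal} carrying the id it was registered under.
     */
    private void registerSubject(Subject subject) {
        ContextManager.registerSubject(subject);
        SubjectId id = ContextManager.getSubjectId(subject);
        subject.getPrincipals().add(new IdentificationPrincipal(id));
    }

    /**
     * @return the default subject, {@link ContextManager#EMPTY} when none was configured
     */
    public Subject getDefaultSubject() {
        return defaultSubject;
    }

    /**
     * @param role a role name
     * @return the run-as subject configured for the role, or null if it has none
     */
    public Subject getSubjectForRole(String role) {
        return roleDesignates.get(role);
    }

    /** All work is done in the constructor; nothing to do on start. */
    public void doStart() throws Exception {
    }

    /**
     * Tears down everything the constructor set up: unregisters the run-as and
     * default subjects, uninstalls the principal-role mapper and deletes the
     * policy configurations.
     *
     * @throws Exception if the mapper cannot be uninstalled or a policy
     *         configuration cannot be deleted
     */
    public void doStop() throws Exception {
        for (Subject roleDesignate : roleDesignates.values()) {
            ContextManager.unregisterSubject(roleDesignate);
        }
        // EMPTY is shared and was never registered by this instance
        if (defaultSubject != ContextManager.EMPTY) {
            ContextManager.unregisterSubject(defaultSubject);
        }

        if (principalRoleMapper != null) {
            principalRoleMapper.uninstall(contextIdToPolicyConfigurationMap.keySet());
        }

        for (PolicyConfiguration policyConfiguration : contextIdToPolicyConfigurationMap.values()) {
            policyConfiguration.delete();
        }
    }

    /** No failure handling beyond what {@link #doStop()} does. */
    public void doFail() {
    }

    public static final GBeanInfo GBEAN_INFO;

    static {
        GBeanInfoBuilder infoBuilder = GBeanInfoBuilder.createStatic(ApplicationPolicyConfigurationManager.class,
                                                                     NameFactory.JACC_MANAGER);
        infoBuilder.addAttribute("contextIdToPermissionsMap", Map.class, true);
        infoBuilder.addAttribute("defaultSubjectInfo", SubjectInfo.class, true);
        infoBuilder.addAttribute("roleDesignates", Map.class, true);
        infoBuilder.addAttribute("classLoader", ClassLoader.class, false);
        infoBuilder.addReference("CredentialStore", CredentialStore.class, NameFactory.GERONIMO_SERVICE);
        infoBuilder.addReference("PrincipalRoleMapper", PrincipalRoleMapper.class, NameFactory.JACC_MANAGER);
        // order matches the constructor parameter list
        infoBuilder.setConstructor(new String[] {
                "contextIdToPermissionsMap", "defaultSubjectInfo", "roleDesignates", "classLoader",
                "CredentialStore", "PrincipalRoleMapper" });
        GBEAN_INFO = infoBuilder.getBeanInfo();
    }

    public static GBeanInfo getGBeanInfo() {
        return GBEAN_INFO;
    }
}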