org.jboss.security.plugins.auth

Class JaasSecurityManagerBase

java.lang.Object

org.jboss.security.plugins.auth.JaasSecurityManagerBase

All Implemented Interfaces:

AuthenticationManager, BaseSecurityManager, RealmMapping, SubjectSecurityManager

Direct Known Subclasses:

JASPIServerAuthenticationManager, JBossAuthenticationManager

public class JaasSecurityManagerBase
extends Object
implements SubjectSecurityManager, RealmMapping

The JaasSecurityManager is responsible both for authenticating credentials associated with principals and for role mapping. This implementation relies on the JAAS LoginContext/LoginModules associated with the security domain name associated with the class for authentication, and the context JAAS Subject object for role mapping.

Version:

$Revision: 62860 $

Author:

Oleg Nitz, Scott.Stark@jboss.org, Anil.Saldhana@jboss.org

See Also:

isValid(Principal, Object, Subject), getPrincipal(Principal), doesUserHaveRole(Principal, Set)

Constructor Summary

Constructors

Constructor and Description
JaasSecurityManagerBase() Creates a default JaasSecurityManager for with a securityDomain name of 'other'.
JaasSecurityManagerBase(String securityDomain, CallbackHandler handler) Creates a JaasSecurityManager for with a securityDomain name of that given by the 'securityDomain' argument.

Method Summary

Modifier and Type	Method and Description
boolean	doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals) Does the current Subject have a role(a Principal) that equates to one of the role names.
Subject	getActiveSubject() Get the currently authenticated Subject.
Principal	getPrincipal(Principal principal) Map the argument principal from the deployment environment principal to the developer environment.
String	getSecurityDomain() Get the name of the security domain associated with this security mgr.
Principal	getTargetPrincipal(Principal anotherDomainPrincipal, Map<String,Object> contextMap) Trust related usecases may require translation of a principal from another domain to the current domain An implementation of this interface may need to do a backdoor contact of the external trust provider in deriving the target principal
Set<Principal>	getUserRoles(Principal principal) Return the set of domain roles the current active Subject 'Roles' group found in the subject Principals set.
boolean	isValid(Principal principal, Object credential) Validate that the given credential is correct for principal.
boolean	isValid(Principal principal, Object credential, Subject activeSubject) Validate that the given credential is correct for principal.
void	logout(Principal principal, Subject subject) Performs the JAAS logout.
void	setAuthorizationManager(AuthorizationManager authorizationManager) Set an AuthorizationManager
void	setDeepCopySubjectOption(Boolean flag) Flag to specify if deep copy of subject sets needs to be enabled

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

JaasSecurityManagerBase

public JaasSecurityManagerBase()

Creates a default JaasSecurityManager for with a securityDomain name of 'other'.

JaasSecurityManagerBase

public JaasSecurityManagerBase(String securityDomain,
                               CallbackHandler handler)

Creates a JaasSecurityManager for with a securityDomain name of that given by the 'securityDomain' argument.

Parameters:

securityDomain - the name of the security domain

handler - the JAAS callback handler instance to use

Throws:

UndeclaredThrowableException - thrown if handler does not implement a setSecurityInfo(Princpal, Object) method

Method Detail

setDeepCopySubjectOption

public void setDeepCopySubjectOption(Boolean flag)

Flag to specify if deep copy of subject sets needs to be enabled

Parameters:

flag -

setAuthorizationManager

public void setAuthorizationManager(AuthorizationManager authorizationManager)

Set an AuthorizationManager

Parameters:

authorizationManager -

getSecurityDomain

public String getSecurityDomain()

Get the name of the security domain associated with this security mgr.

Specified by:

getSecurityDomain in interface BaseSecurityManager

Returns:

Name of the security manager security domain.

getActiveSubject

public Subject getActiveSubject()

Get the currently authenticated Subject. This is a thread local property shared across all JaasSecurityManager instances.

Specified by:

getActiveSubject in interface AuthenticationManager

Returns:

The Subject authenticated in the current thread if one exists, null otherwise.

See Also:

PolicyContextHandler.getContext(String, Object)

isValid

public boolean isValid(Principal principal,
                       Object credential)

Validate that the given credential is correct for principal. This returns the value from invoking isValid(principal, credential, null).

Specified by:

isValid in interface AuthenticationManager

Parameters:

principal - - the security domain principal attempting access

credential - - the proof of identity offered by the principal

Returns:

true if the principal was authenticated, false otherwise.

See Also:

AuthenticationManager.isValid(Principal, Object, Subject)

isValid

public boolean isValid(Principal principal,
                       Object credential,
                       Subject activeSubject)

Validate that the given credential is correct for principal. This first will check the current CachePolicy object if one exists to see if the user's cached credentials match the given credential. If there is no credential cache or the cache information is invalid or does not match, the user is authenticated against the JAAS login modules configured for the security domain.

Specified by:

isValid in interface AuthenticationManager

Parameters:

principal - - the security domain principal attempting access

credential - the proof of identity offered by the principal

activeSubject - - if not null, a Subject that will be populated with the state of the authenticated Subject.

Returns:

true if the principal was authenticated, false otherwise.

getPrincipal

public Principal getPrincipal(Principal principal)

Map the argument principal from the deployment environment principal to the developer environment. This is called by the EJB context getCallerPrincipal() to return the Principal as described by the EJB developer domain.

Specified by:

getPrincipal in interface RealmMapping

Parameters:

principal - the caller principal as known in the operation environment.

Returns:

a Principal object that is valid in the deployment environment if one exists. If no Subject exists or the Subject has no principals then the argument principal is returned.

doesUserHaveRole

public boolean doesUserHaveRole(Principal principal,
                                Set<Principal> rolePrincipals)

Does the current Subject have a role(a Principal) that equates to one of the role names. This method obtains the Group named 'Roles' from the principal set of the currently authenticated Subject as determined by the SecurityAssociation.getSubject() method and then creates a SimplePrincipal for each name in roleNames. If the role is a member of the Roles group, then the user has the role. This requires that the caller establish the correct SecurityAssociation subject prior to calling this method. In the past this was done as a side-effect of an isValid() call, but this is no longer the case.

Specified by:

doesUserHaveRole in interface RealmMapping

Parameters:

principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.

rolePrincipals - - a Set of Principals for the roles to check.

Returns:

true if the principal has at least one of the roles in the roles set, false otherwise.

See Also:

Group;, Subject.getPrincipals()

getUserRoles

public Set<Principal> getUserRoles(Principal principal)

Return the set of domain roles the current active Subject 'Roles' group found in the subject Principals set.

Specified by:

getUserRoles in interface RealmMapping

Parameters:

principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.

Returns:

The Set for the application domain roles that the principal has been assigned.

getTargetPrincipal

public Principal getTargetPrincipal(Principal anotherDomainPrincipal,
                                    Map<String,Object> contextMap)

Description copied from interface: AuthenticationManager

Trust related usecases may require translation of a principal from another domain to the current domain An implementation of this interface may need to do a backdoor contact of the external trust provider in deriving the target principal

Specified by:

getTargetPrincipal in interface AuthenticationManager

Parameters:

anotherDomainPrincipal - Principal that is applicable in the other domain (Can be null - in which case the contextMap is used solely to derive the target principal)

contextMap - Any context information (including information on the other domain that may be relevant in deriving the target principal). Any SAML assertions that may be relevant can be passed here.

Returns:

principal from a target security domain

See Also:

AuthenticationManager.getTargetPrincipal(Principal,Map)

logout

public void logout(Principal principal,
                   Subject subject)

Performs the JAAS logout. The incoming Subject is used to create the LoginContext and passed to the JAAS login modules so that proper cleanup can be performed by each module.

Specified by:

logout in interface AuthenticationManager

Parameters:

principal - the Principal being logged out.

subject - the Subject associated with the principal being logged out.