org.jboss.security.plugins: public class: JaasSecurityManagerService

org.jboss.security.plugins
public class: JaasSecurityManagerService [javadoc | source]

java.lang.Object
   org.jboss.mx.util.JBossNotificationBroadcasterSupport
      org.jboss.system.ServiceMBeanSupport
         org.jboss.security.plugins.JaasSecurityManagerService

All Implemented Interfaces:
JaasSecurityManagerServiceMBean, org.jboss.kernel.spi.dependency.KernelControllerContextAware, ServiceMBean, MBeanRegistration, NotificationEmitter

This is a JMX service which manages JAAS based SecurityManagers. JAAS SecurityManagers are responsible for validating credentials associated with principals. The service defaults to the org.jboss.security.plugins.JaasSecurityManager implementation but this can be changed via the securityManagerClass property.

Also see:

JaasSecurityManager

org.jboss.security.SubjectSecurityManager

author: < - a href="on@ibis.odessa.ua">Oleg Nitz

author: < - a href="rickard@telkel.com">Rickard Oberg

author: < - a href="mailto:Scott.Stark@jboss.org">Scott Stark

version: $ - Revision: 62903 $

Nested Class Summary:
public static class	JaasSecurityManagerService.SecurityDomainObjectFactory
static class	JaasSecurityManagerService.DomainEnumeration
public static class	JaasSecurityManagerService.DefaultCacheObjectFactory	java:/timedCacheFactory ObjectFactory implementation

Fields inherited from org.jboss.system.ServiceMBeanSupport:
SERVICE_CONTROLLER_SIG, log, server, serviceName

Constructor:
public JaasSecurityManagerService() { // Get a log interface, required for some statics below // can not use instance field inherited from ServiceMBeanSupport log = Logger.getLogger(JaasSecurityManagerService.class); } The constructor does nothing as the security manager is created on each lookup into java:/jaas/xxx. This is also why all variables in this class are static.

Constructor:

 public JaasSecurityManagerService() {
  
      // Get a log interface, required for some statics below
      // can not use instance field inherited from ServiceMBeanSupport
      log = Logger.getLogger(JaasSecurityManagerService.class);
}

The constructor does nothing as the security manager is created on each lookup into java:/jaas/xxx. This is also why all variables in this class are static.

Method from org.jboss.security.plugins.JaasSecurityManagerService Summary:
displayJCAInformation, doesUserHaveRole, flushAuthenticationCache, flushAuthenticationCache, getAuthenticationCacheJndiName, getAuthenticationCachePrincipals, getCallbackHandlerClassName, getDeepCopySubjectMode, getDefaultCacheResolution, getDefaultCacheTimeout, getDefaultUnauthenticatedPrincipal, getPrincipal, getSecurityManagerClassName, getSecurityProxyFactoryClassName, getServerMode, getUserRoles, isValid, lookupCachePolicy, registerSecurityDomain, setAuthenticationCacheJndiName, setCacheTimeout, setCallbackHandlerClassName, setDeepCopySubjectMode, setDefaultCacheResolution, setDefaultCacheTimeout, setDefaultUnauthenticatedPrincipal, setSecurityManagerClassName, setSecurityProxyFactoryClassName, setServerMode, startService, stopService

Method from org.jboss.security.plugins.JaasSecurityManagerService Summary:

displayJCAInformation, doesUserHaveRole, flushAuthenticationCache, flushAuthenticationCache, getAuthenticationCacheJndiName, getAuthenticationCachePrincipals, getCallbackHandlerClassName, getDeepCopySubjectMode, getDefaultCacheResolution, getDefaultCacheTimeout, getDefaultUnauthenticatedPrincipal, getPrincipal, getSecurityManagerClassName, getSecurityProxyFactoryClassName, getServerMode, getUserRoles, isValid, lookupCachePolicy, registerSecurityDomain, setAuthenticationCacheJndiName, setCacheTimeout, setCallbackHandlerClassName, setDeepCopySubjectMode, setDefaultCacheResolution, setDefaultCacheTimeout, setDefaultUnauthenticatedPrincipal, setSecurityManagerClassName, setSecurityProxyFactoryClassName, setServerMode, startService, stopService

Methods from org.jboss.system.ServiceMBeanSupport:
create, createService, destroy, destroyService, getDeploymentInfo, getLog, getName, getNextNotificationSequenceNumber, getObjectName, getServer, getServiceName, getState, getStateString, jbossInternalCreate, jbossInternalDescription, jbossInternalDestroy, jbossInternalLifecycle, jbossInternalStart, jbossInternalStop, pojoChange, pojoCreate, pojoDestroy, pojoStart, pojoStop, postDeregister, postRegister, preDeregister, preRegister, setKernelControllerContext, start, startService, stop, stopService, unsetKernelControllerContext

Methods from org.jboss.system.ServiceMBeanSupport:

create, createService, destroy, destroyService, getDeploymentInfo, getLog, getName, getNextNotificationSequenceNumber, getObjectName, getServer, getServiceName, getState, getStateString, jbossInternalCreate, jbossInternalDescription, jbossInternalDestroy, jbossInternalLifecycle, jbossInternalStart, jbossInternalStop, pojoChange, pojoCreate, pojoDestroy, pojoStart, pojoStop, postDeregister, postRegister, preDeregister, preRegister, setKernelControllerContext, start, startService, stop, stopService, unsetKernelControllerContext

Methods from org.jboss.mx.util.JBossNotificationBroadcasterSupport:
addNotificationListener, getNotificationInfo, handleNotification, nextNotificationSequenceNumber, removeNotificationListener, removeNotificationListener, sendNotification

Methods from java.lang.Object:
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from org.jboss.security.plugins.JaasSecurityManagerService Detail:
public String displayJCAInformation() { String[] sarr = new String[]{"Cipher","Signature","KeyFactory", "SecretKeyFactory","AlgorithmParameters", "MessageDigest","Mac"}; StringBuilder sb = new StringBuilder(); JCASecurityInfo jsi = new JCASecurityInfo(); sb.append("JCA Providers=").append(jsi.getJCAProviderInfo()); sb.append("JCA Service/Algorithms="); for(String serviceName:sarr) { sb.append(jsi.getJCAAlgorithms(serviceName)); } return sb.toString(); }
public boolean doesUserHaveRole(String securityDomain, Principal principal, Object credential, Set roles) { boolean doesUserHaveRole = false; try { SecurityDomainContext sdc = lookupSecurityDomain(securityDomain); // Must first validate the user Subject subject = new Subject(); boolean isValid = sdc.getSecurityManager().isValid(principal, credential, subject); if( isValid ) { // Now can query if the authenticated Subject has the role SubjectActions.pushSubjectContext(principal, credential, subject, sdc.getSecurityManager().getSecurityDomain()); doesUserHaveRole = sdc.getRealmMapping().doesUserHaveRole(principal, roles); SubjectActions.popSubjectContext(); } } catch(NamingException e) { log.debug("doesUserHaveRole("+securityDomain+") failed", e); } return doesUserHaveRole; }
public void flushAuthenticationCache(String securityDomain) { CachePolicy cache = getCachePolicy(securityDomain); if( cache != null ) { cache.flush(); } else { log.warn("Failed to find cache policy for securityDomain='" + securityDomain + "'"); } } flush the cache policy for the indicated security domain if one exists.
public void flushAuthenticationCache(String securityDomain, Principal user) { CachePolicy cache = getCachePolicy(securityDomain); if( cache != null ) { cache.remove(user); } else { log.warn("Failed to find cache policy for securityDomain='" + securityDomain + "'"); } } Flush a principal's authentication cache entry associated with the given securityDomain.
public String getAuthenticationCacheJndiName() { return cacheJndiName; } Get the jndi name under which the authentication cache policy is found
public List getAuthenticationCachePrincipals(String securityDomain) { CachePolicy cache = getCachePolicy(securityDomain); List validPrincipals = null; if( cache instanceof TimedCachePolicy ) { TimedCachePolicy tcache = (TimedCachePolicy) cache; validPrincipals = tcache.getValidKeys(); } return validPrincipals; } Return the active principals in the indicated security domain auth cache.
public String getCallbackHandlerClassName() { return JaasSecurityManagerService.callbackHandlerClassName; } Get the default CallbackHandler implementation class name
public boolean getDeepCopySubjectMode() { return deepCopySubjectMode; }
public int getDefaultCacheResolution() { return defaultCacheResolution; } Get the default timed cache policy resolution.
public int getDefaultCacheTimeout() { return defaultCacheTimeout; } Get the default timed cache policy timeout.
public String getDefaultUnauthenticatedPrincipal() { return defaultUnauthenticatedPrincipal; } Get the default unauthenticated principal.
public Principal getPrincipal(String securityDomain, Principal principal) { Principal realmPrincipal = null; try { SecurityDomainContext sdc = lookupSecurityDomain(securityDomain); realmPrincipal = sdc.getRealmMapping().getPrincipal(principal); } catch(NamingException e) { log.debug("getPrincipal("+securityDomain+") failed", e); } return realmPrincipal; }
public String getSecurityManagerClassName() { return securityMgrClassName; }
public String getSecurityProxyFactoryClassName() { return securityProxyFactoryClassName; }
public boolean getServerMode() { return serverMode; }
public Set getUserRoles(String securityDomain, Principal principal, Object credential) { Set userRoles = null; try { SecurityDomainContext sdc = lookupSecurityDomain(securityDomain); // Must first validate the user Subject subject = new Subject(); boolean isValid = sdc.getSecurityManager().isValid(principal, credential, subject); // Now can query if the authenticated Subject has the role if( isValid ) { SubjectActions.pushSubjectContext(principal, credential, subject, sdc.getSecurityManager().getSecurityDomain() ); userRoles = sdc.getRealmMapping().getUserRoles(principal); SubjectActions.popSubjectContext(); } } catch(NamingException e) { log.debug("getUserRoles("+securityDomain+") failed", e); } return userRoles; }
public boolean isValid(String securityDomain, Principal principal, Object credential) { boolean isValid = false; try { SecurityDomainContext sdc = lookupSecurityDomain(securityDomain); isValid = sdc.getSecurityManager().isValid(principal, credential, null); } catch(NamingException e) { log.debug("isValid("+securityDomain+") failed", e); } return isValid; }
static CachePolicy lookupCachePolicy(String securityDomain) { CachePolicy authCache = null; String domainCachePath = cacheJndiName + '/" + securityDomain; try { InitialContext iniCtx = new InitialContext(); authCache = (CachePolicy) iniCtx.lookup(domainCachePath); } catch(Exception e) { // Failed, treat the cacheJndiName name as a global CachePolicy binding try { InitialContext iniCtx = new InitialContext(); authCache = (CachePolicy) iniCtx.lookup(cacheJndiName); } catch(Exception e2) { log.warn("Failed to locate auth CachePolicy at: "+cacheJndiName + " for securityDomain="+securityDomain); } } return authCache; } Lookup the authentication CachePolicy object for a security domain. This method first treats the cacheJndiName as a ObjectFactory location that is capable of returning CachePolicy instances on a per security domain basis by appending a '/security-domain-name' string to the cacheJndiName when looking up the CachePolicy for a domain. If this fails then the cacheJndiName location is treated as a single CachePolicy for all security domains.
public synchronized void registerSecurityDomain(String securityDomain, SecurityDomain instance) { log.debug("Added "+securityDomain+", "+instance+" to map"); CachePolicy authCache = lookupCachePolicy(securityDomain); SecurityDomainContext sdc = new SecurityDomainContext(instance, authCache); securityDomainCtxMap.put(securityDomain, sdc); // See if the security mgr supports an externalized cache policy setSecurityDomainCache(instance, authCache); } Register a SecurityDomain implmentation. This is synchronized to ensure that the binding of the security domain and cache population is atomic.
public void setAuthenticationCacheJndiName(String jndiName) { cacheJndiName = jndiName; } Set the jndi name under which the authentication cache policy is found
public void setCacheTimeout(String securityDomain, int timeoutInSecs, int resInSecs) { CachePolicy cache = getCachePolicy(securityDomain); if( cache != null && cache instanceof TimedCachePolicy ) { TimedCachePolicy tcp = (TimedCachePolicy) cache; synchronized( tcp ) { tcp.setDefaultLifetime(timeoutInSecs); tcp.setResolution(resInSecs); } } else { log.warn("Failed to find cache policy for securityDomain='" + securityDomain + "'"); } //Set the CacheTimeOut on JNDIBasedSecurityManagement JNDIBasedSecurityManagement.setCacheTimeout(securityDomain, timeoutInSecs, resInSecs); } Set the indicated security domain cache timeout. This only has an effect if the security domain is using the default jboss TimedCachePolicy implementation.
public void setCallbackHandlerClassName(String className) throws ClassNotFoundException { callbackHandlerClassName = className; ClassLoader loader = Thread.currentThread().getContextClassLoader(); callbackHandlerClass = loader.loadClass(callbackHandlerClassName); } Set the default CallbackHandler implementation class name
public void setDeepCopySubjectMode(boolean flag) { log.debug("setDeepCopySubjectMode="+flag); deepCopySubjectMode = flag; //Update the security managers if already present if(securityDomainCtxMap.isEmpty() == false) { Iterator iter = securityDomainCtxMap.keySet().iterator(); while(iter.hasNext()) { String securityDomainName = (String)iter.next(); SecurityDomainContext sdc = (SecurityDomainContext)securityDomainCtxMap.get(securityDomainName); setDeepCopySubjectOption(sdc.securityMgr, flag); } } SecurityConfiguration.setDeepCopySubjectMode(flag); }
public void setDefaultCacheResolution(int resInSecs) { defaultCacheResolution = resInSecs; SecurityConstantsBridge.defaultCacheResolution = resInSecs; } Set the default timed cache policy resolution. This has no affect if the AuthenticationCacheJndiName has been changed from the default value.
public void setDefaultCacheTimeout(int timeoutInSecs) { defaultCacheTimeout = timeoutInSecs; SecurityConstantsBridge.defaultCacheTimeout = timeoutInSecs; } Set the default timed cache policy timeout. This has no affect if the AuthenticationCacheJndiName has been changed from the default value.
public void setDefaultUnauthenticatedPrincipal(String principal) { defaultUnauthenticatedPrincipal = principal; } Set the default unauthenticated principal.
public void setSecurityManagerClassName(String className) throws ClassNotFoundException, ClassCastException { securityMgrClassName = className; ClassLoader loader = Thread.currentThread().getContextClassLoader(); securityMgrClass = loader.loadClass(securityMgrClassName); if( AuthenticationManager.class.isAssignableFrom(securityMgrClass) == false ) throw new ClassCastException(securityMgrClass+" does not implement "+AuthenticationManager.class); }
public void setSecurityProxyFactoryClassName(String className) throws ClassNotFoundException { securityProxyFactoryClassName = className; ClassLoader loader = Thread.currentThread().getContextClassLoader(); securityProxyFactoryClass = loader.loadClass(securityProxyFactoryClassName); }
public void setServerMode(boolean mode) { this.serverMode = mode; }
protected void startService() throws Exception { // use thread-local principal and credential propagation if (serverMode) SecurityAssociation.setServer(); // Register the default active Subject PolicyContextHandler SubjectPolicyContextHandler handler = new SubjectPolicyContextHandler(); PolicyContext.registerHandler(SecurityConstants.SUBJECT_CONTEXT_KEY, handler, true); // Register the JAAS CallbackHandler JACC PolicyContextHandlers CallbackHandlerPolicyContextHandler chandler = new CallbackHandlerPolicyContextHandler(); PolicyContext.registerHandler(CallbackHandlerPolicyContextHandler.CALLBACK_HANDLER_KEY, chandler, false); Context ctx = new InitialContext(); parser = ctx.getNameParser(""); /* Create a mapping from the java:/jaas context to a SecurityDomainObjectFactory so that any lookup against java:/jaas/domain returns an instance of our security manager class. / RefAddr refAddr = new StringRefAddr("nns", "JSM"); String factoryName = SecurityDomainObjectFactory.class.getName(); Reference ref = new Reference("javax.naming.Context", refAddr, factoryName, null); /ctx.rebind(SECURITY_MGR_PATH, ref); */ log.debug("securityMgrCtxPath="+SECURITY_MGR_PATH); refAddr = new StringRefAddr("nns", "JSMCachePolicy"); factoryName = DefaultCacheObjectFactory.class.getName(); ref = new Reference("javax.naming.Context", refAddr, factoryName, null); ctx.rebind(DEFAULT_CACHE_POLICY_PATH, ref); log.debug("cachePolicyCtxPath="+cacheJndiName); // Bind the default SecurityProxyFactory instance under java:/SecurityProxyFactory SecurityProxyFactory proxyFactory = (SecurityProxyFactory) securityProxyFactoryClass.newInstance(); ctx.bind("java:/SecurityProxyFactory", proxyFactory); log.debug("SecurityProxyFactory="+proxyFactory); // Register the Principal property editor PropertyEditorManager.registerEditor(Principal.class, PrincipalEditor.class); PropertyEditorManager.registerEditor(SecurityDomain.class, SecurityDomainEditor.class); log.debug("Registered PrincipalEditor, SecurityDomainEditor"); log.debug("ServerMode="+this.serverMode); log.debug("SecurityMgrClass="+JaasSecurityManagerService.securityMgrClass); log.debug("CallbackHandlerClass="+JaasSecurityManagerService.callbackHandlerClass); }
protected void stopService() throws Exception { InitialContext ic = new InitialContext(); try { ic.unbind(SECURITY_MGR_PATH); } catch(CommunicationException e) { // Do nothing, the naming services is already stopped } finally { ic.close(); } }