SynchronizedJaasSecurityManager (JBoss Security Implementation for the JBAS

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.jboss.security.plugins.auth
Class SynchronizedJaasSecurityManager

java.lang.Object
  org.jboss.security.plugins.auth.SynchronizedJaasSecurityManager

All Implemented Interfaces:: org.jboss.security.AuthenticationManager, org.jboss.security.BaseSecurityManager, org.jboss.security.RealmMapping, org.jboss.security.SubjectSecurityManager

public class SynchronizedJaasSecurityManager
extends Object
implements org.jboss.security.SubjectSecurityManager, org.jboss.security.RealmMapping
extends Object
implements org.jboss.security.SubjectSecurityManager, org.jboss.security.RealmMapping

The JaasSecurityManager is responsible both for authenticating credentials associated with principals and for role mapping. This implementation relies on the JAAS LoginContext/LoginModules associated with the security domain name associated with the class for authentication, and the context JAAS Subject object for role mapping.

Version:: $Revision: 62860 $
Author:: Oleg Nitz, Scott.Stark@jboss.org, Anil.Saldhana@jboss.org, Marcus Moyses
See Also:: isValid(Principal, Object, Subject), getPrincipal(Principal), doesUserHaveRole(Principal, Set)

Field Summary
`protected org.jboss.logging.Logger`	`log` The log4j category for the security manager domain
`protected boolean`	`trace`

Constructor Summary
`SynchronizedJaasSecurityManager()` Creates a default JaasSecurityManager for with a securityDomain name of 'other'.
`SynchronizedJaasSecurityManager(String securityDomain, CallbackHandler handler)` Creates a JaasSecurityManager for with a securityDomain name of that given by the 'securityDomain' argument.

Method Summary
`boolean`	`doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals)` Does the current Subject have a role(a Principal) that equates to one of the role names.
`void`	`flushCache()` Not really used anymore as the security manager service manages the security domain authentication caches.
`Subject`	`getActiveSubject()` Get the currently authenticated Subject.
`Principal`	`getPrincipal(Principal principal)` Map the argument principal from the deployment environment principal to the developer environment.
`String`	`getSecurityDomain()` Get the name of the security domain associated with this security mgr.
`Principal`	`getTargetPrincipal(Principal anotherDomainPrincipal, Map<String,Object> contextMap)`
`Set<Principal>`	`getUserRoles(Principal principal)` Return the set of domain roles the current active Subject 'Roles' group found in the subject Principals set.
`boolean`	`isValid(Principal principal, Object credential)` Validate that the given credential is correct for principal.
`boolean`	`isValid(Principal principal, Object credential, Subject activeSubject)` Validate that the given credential is correct for principal.
`void`	`setCachePolicy(org.jboss.util.CachePolicy domainCache)` The domainCache is typically a shared object that is populated by the login code(LoginModule, etc.) and read by this class in the isValid() method.
`void`	`setDeepCopySubjectOption(Boolean flag)` Flag to specify if deep copy of subject sets needs to be enabled

Methods inherited from class java.lang.Object
`clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait`

Field Detail

log

protected org.jboss.logging.Logger log

The log4j category for the security manager domain

trace

protected boolean trace

Constructor Detail

SynchronizedJaasSecurityManager

public SynchronizedJaasSecurityManager()

Creates a default JaasSecurityManager for with a securityDomain name of 'other'.

SynchronizedJaasSecurityManager

public SynchronizedJaasSecurityManager(String securityDomain,
                                       CallbackHandler handler)

Creates a JaasSecurityManager for with a securityDomain name of that given by the 'securityDomain' argument.

Parameters:: securityDomain - the name of the security domain; handler - the JAAS callback handler instance to use
Throws:: UndeclaredThrowableException - thrown if handler does not implement a setSecurityInfo(Princpal, Object) method

Method Detail

setCachePolicy

public void setCachePolicy(org.jboss.util.CachePolicy domainCache)

The domainCache is typically a shared object that is populated by the login code(LoginModule, etc.) and read by this class in the isValid() method.

See Also:: isValid(Principal, Object, Subject)

setDeepCopySubjectOption

public void setDeepCopySubjectOption(Boolean flag)

Flag to specify if deep copy of subject sets needs to be enabled

Parameters:: flag -

flushCache

public void flushCache()

Not really used anymore as the security manager service manages the security domain authentication caches.

getSecurityDomain

public String getSecurityDomain()

Get the name of the security domain associated with this security mgr.

Specified by:: getSecurityDomain in interface org.jboss.security.BaseSecurityManager

Returns:: Name of the security manager security domain.

getActiveSubject

public Subject getActiveSubject()

Get the currently authenticated Subject. This is a thread local property shared across all JaasSecurityManager instances.

Specified by:: getActiveSubject in interface org.jboss.security.AuthenticationManager

Returns:: The Subject authenticated in the current thread if one exists, null otherwise.

isValid

public boolean isValid(Principal principal,
                       Object credential)

Validate that the given credential is correct for principal. This returns the value from invoking isValid(principal, credential, null).

Specified by:: isValid in interface org.jboss.security.AuthenticationManager

Parameters:: principal - - the security domain principal attempting access; credential - - the proof of identity offered by the principal
Returns:: true if the principal was authenticated, false otherwise.

isValid

public boolean isValid(Principal principal,
                       Object credential,
                       Subject activeSubject)

Validate that the given credential is correct for principal. This first will check the current CachePolicy object if one exists to see if the user's cached credentials match the given credential. If there is no credential cache or the cache information is invalid or does not match, the user is authenticated against the JAAS login modules configured for the security domain. This is done as an atomic operation synchronized in the principal's name to avoid multiple threads authenticating the same principal concurrently.

Specified by:: isValid in interface org.jboss.security.AuthenticationManager

Parameters:: principal - - the security domain principal attempting access; credential - the proof of identity offered by the principal; activeSubject - - if not null, a Subject that will be populated with the state of the authenticated Subject.
Returns:: true if the principal was authenticated, false otherwise.

getPrincipal

public Principal getPrincipal(Principal principal)

Map the argument principal from the deployment environment principal to the developer environment. This is called by the EJB context getCallerPrincipal() to return the Principal as described by the EJB developer domain.

Specified by:: getPrincipal in interface org.jboss.security.RealmMapping

Returns:: a Principal object that is valid in the deployment environment if one exists. If no Subject exists or the Subject has no principals then the argument principal is returned.

doesUserHaveRole

public boolean doesUserHaveRole(Principal principal,
                                Set<Principal> rolePrincipals)

Does the current Subject have a role(a Principal) that equates to one of the role names. This method obtains the Group named 'Roles' from the principal set of the currently authenticated Subject as determined by the SecurityAssociation.getSubject() method and then creates a SimplePrincipal for each name in roleNames. If the role is a member of the Roles group, then the user has the role. This requires that the caller establish the correct SecurityAssociation subject prior to calling this method. In the past this was done as a side-effect of an isValid() call, but this is no longer the case.

Specified by:: doesUserHaveRole in interface org.jboss.security.RealmMapping

Parameters:: principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.; rolePrincipals - - a Set of Principals for the roles to check.
See Also:: Group;, Subject.getPrincipals()

getUserRoles

public Set<Principal> getUserRoles(Principal principal)

Return the set of domain roles the current active Subject 'Roles' group found in the subject Principals set.

Specified by:: getUserRoles in interface org.jboss.security.RealmMapping

Parameters:: principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.
Returns:: The Set for the application domain roles that the principal has been assigned.

getTargetPrincipal

public Principal getTargetPrincipal(Principal anotherDomainPrincipal,
                                    Map<String,Object> contextMap)

Specified by:: getTargetPrincipal in interface org.jboss.security.AuthenticationManager

See Also:: AuthenticationManager.getTargetPrincipal(Principal,Map)

Overview

Package

Class

Use

Tree

Deprecated

Index

Help

PREV CLASS NEXT CLASS

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.jboss.security.plugins.auth Class SynchronizedJaasSecurityManager

log

trace

SynchronizedJaasSecurityManager

SynchronizedJaasSecurityManager

setCachePolicy

setDeepCopySubjectOption

flushCache

getSecurityDomain

getActiveSubject

isValid

isValid

getPrincipal

doesUserHaveRole

getUserRoles

getTargetPrincipal

org.jboss.security.plugins.auth
Class SynchronizedJaasSecurityManager