Package org.jboss.security.plugins.auth
Class JaasSecurityManagerBase

- java.lang.Object
  - org.jboss.security.plugins.auth.JaasSecurityManagerBase

All Implemented Interfaces:
- AuthenticationManager, BaseSecurityManager, RealmMapping, SubjectSecurityManager

Direct Known Subclasses:
- JASPIServerAuthenticationManager, JBossAuthenticationManager

public class JaasSecurityManagerBase extends Object implements SubjectSecurityManager, RealmMapping
The JaasSecurityManager is responsible both for authenticating credentials associated with principals and for role mapping. This implementation relies on the JAAS LoginContext/LoginModules configured for the security domain name associated with this class for authentication, and on the JAAS Subject of the current context for role mapping.

Version:
- $Revision: 62860 $

Author:
- Oleg Nitz, Scott.Stark@jboss.org, Anil.Saldhana@jboss.org

See Also:
- isValid(Principal, Object, Subject)
- getPrincipal(Principal)
- doesUserHaveRole(Principal, Set)
Constructor Summary

- JaasSecurityManagerBase()
  Creates a default JaasSecurityManager with a securityDomain name of 'other'.
- JaasSecurityManagerBase(String securityDomain, CallbackHandler handler)
  Creates a JaasSecurityManager with the securityDomain name given by the 'securityDomain' argument.
Method Summary

- boolean doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals)
  Does the current Subject have a role (a Principal) that equates to one of the role names?
- Subject getActiveSubject()
  Get the currently authenticated Subject.
- Principal getPrincipal(Principal principal)
  Map the argument principal from the deployment environment principal to the developer environment.
- String getSecurityDomain()
  Get the name of the security domain associated with this security manager.
- Principal getTargetPrincipal(Principal anotherDomainPrincipal, Map<String,Object> contextMap)
  Trust-related use cases may require translation of a principal from another domain to the current domain. An implementation of this interface may need to contact the external trust provider out of band when deriving the target principal.
- Set<Principal> getUserRoles(Principal principal)
  Return the set of domain roles from the 'Roles' group found in the current active Subject's Principals set.
- boolean isValid(Principal principal, Object credential)
  Validate that the given credential is correct for principal.
- boolean isValid(Principal principal, Object credential, Subject activeSubject)
  Validate that the given credential is correct for principal.
- void logout(Principal principal, Subject subject)
  Performs the JAAS logout.
- void setAuthorizationManager(AuthorizationManager authorizationManager)
  Set an AuthorizationManager.
- void setDeepCopySubjectOption(Boolean flag)
  Flag to specify whether deep copy of subject sets needs to be enabled.
Constructor Detail

JaasSecurityManagerBase
public JaasSecurityManagerBase()
Creates a default JaasSecurityManager with a securityDomain name of 'other'.

JaasSecurityManagerBase
public JaasSecurityManagerBase(String securityDomain, CallbackHandler handler)
Creates a JaasSecurityManager with the securityDomain name given by the 'securityDomain' argument.
Parameters:
- securityDomain - the name of the security domain
- handler - the JAAS callback handler instance to use
Throws:
- UndeclaredThrowableException - thrown if handler does not implement a setSecurityInfo(Principal, Object) method
Method Detail

setDeepCopySubjectOption
public void setDeepCopySubjectOption(Boolean flag)
Flag to specify whether deep copy of subject sets needs to be enabled.
Parameters:
- flag - whether deep copy of subject sets is enabled

setAuthorizationManager
public void setAuthorizationManager(AuthorizationManager authorizationManager)
Set an AuthorizationManager.
Parameters:
- authorizationManager - the AuthorizationManager to set

getSecurityDomain
public String getSecurityDomain()
Get the name of the security domain associated with this security manager.
Specified by:
- getSecurityDomain in interface BaseSecurityManager
Returns:
- Name of the security manager's security domain.

getActiveSubject
public Subject getActiveSubject()
Get the currently authenticated Subject. This is a thread-local property shared across all JaasSecurityManager instances.
Specified by:
- getActiveSubject in interface AuthenticationManager
Returns:
- The Subject authenticated in the current thread if one exists, null otherwise.
See Also:
- PolicyContextHandler.getContext(String, Object)
isValid
public boolean isValid(Principal principal, Object credential)
Validate that the given credential is correct for principal. This returns the value from invoking isValid(principal, credential, null).
Specified by:
- isValid in interface AuthenticationManager
Parameters:
- principal - the security domain principal attempting access
- credential - the proof of identity offered by the principal
Returns:
- true if the principal was authenticated, false otherwise.
See Also:
- AuthenticationManager.isValid(Principal, Object, Subject)

isValid
public boolean isValid(Principal principal, Object credential, Subject activeSubject)
Validate that the given credential is correct for principal. This first checks the current CachePolicy object, if one exists, to see whether the user's cached credentials match the given credential. If there is no credential cache, or the cached information is invalid or does not match, the user is authenticated against the JAAS login modules configured for the security domain.
Specified by:
- isValid in interface AuthenticationManager
Parameters:
- principal - the security domain principal attempting access
- credential - the proof of identity offered by the principal
- activeSubject - if not null, a Subject that will be populated with the state of the authenticated Subject.
Returns:
- true if the principal was authenticated, false otherwise.
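The cache-then-login-modules flow that the two isValid methods describe, as an added example written for this page (it is not JaasSecurityManagerBase code and uses only the JDK's JAAS classes). The class name CachedDomainAuthenticator, the in-memory Configuration, the ExampleLoginModule with its single constructed user, the domain name "example-domain" and the NamePrincipal type are all assumptions of the example; the real class delegates the cache to a CachePolicy and the principal type to SimplePrincipal. The point worth seeing is that a cache hit still compares the offered credential, and that a failed login leaves nothing in the cache.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

// Hypothetical, simplified authenticator (not the JBoss/PicketBox implementation) that follows the
// documented isValid() contract: consult a credential cache first and fall back to the JAAS login
// modules of the security domain when there is no entry or the entry does not match.
public class CachedDomainAuthenticator {
    // Minimal principal local to this example; JBoss has its own SimplePrincipal.
    public static final class NamePrincipal implements Principal {
        private final String name;
        public NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
    }
    // Cache entry: the credential that was verified plus the Subject the login modules produced.
    private static final class CacheEntry {
        final char[] credential; final Subject subject;
        CacheEntry(char[] credential, Subject subject) { this.credential = credential; this.subject = subject; }
    }
    // Toy login module standing in for the domain's configured modules; it knows one constructed user (alice / s3cret).
    public static class ExampleLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user"); PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (java.io.IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
            char[] pw = pc.getPassword();
            if ("alice".equals(nc.getName()) && pw != null && "s3cret".equals(new String(pw))) { user = "alice"; return true; }
            throw new FailedLoginException("bad credentials");
        }
        public boolean commit() { subject.getPrincipals().add(new NamePrincipal(user)); return true; }
        public boolean abort() { return true; }
        public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    // In-memory JAAS configuration that maps the security domain name to the toy login module.
    static void installJaasConfiguration(final String securityDomain) {
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!securityDomain.equals(name)) return null;
                return new AppConfigurationEntry[] { new AppConfigurationEntry(ExampleLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, new HashMap<String, String>()) };
            }
        });
    }

    private final String securityDomain;
    private final Map<Principal, CacheEntry> cache = new HashMap<>();
    public CachedDomainAuthenticator(String securityDomain) { this.securityDomain = securityDomain; }

    public boolean isValid(Principal principal, Object credential, Subject activeSubject) {
        if (!(credential instanceof char[])) return false;   // this example only understands password credentials
        char[] password = (char[]) credential;
        CacheEntry cached = cache.get(principal);
        // Cache hit: the offered credential must still be compared (in constant time) with the cached one;
        // a cache keyed on the principal alone would accept any caller who merely names a cached user.
        if (cached != null && MessageDigest.isEqual(bytes(cached.credential), bytes(password))) {
            copyInto(cached.subject, activeSubject);
            return true;
        }
        // Miss or mismatch: authenticate against the login modules configured for the security domain.
        Subject subject = new Subject();
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) ((NameCallback) cb).setName(principal.getName());
                else if (cb instanceof PasswordCallback) ((PasswordCallback) cb).setPassword(password);
                else throw new UnsupportedCallbackException(cb);
            }
        };
        try { new LoginContext(securityDomain, subject, handler).login(); }
        catch (LoginException e) { return false; }          // nothing is cached for a failed login
        cache.put(principal, new CacheEntry(password.clone(), subject));
        copyInto(subject, activeSubject);
        return true;
    }
    private static byte[] bytes(char[] chars) { return new String(chars).getBytes(StandardCharsets.UTF_8); }
    // The activeSubject contract: populate the caller's Subject with the authenticated Subject's state.
    private static void copyInto(Subject from, Subject to) { if (to != null) to.getPrincipals().addAll(from.getPrincipals()); }

    public static void main(String[] args) {
        installJaasConfiguration("example-domain");          // constructed domain name
        CachedDomainAuthenticator auth = new CachedDomainAuthenticator("example-domain");
        Principal alice = new NamePrincipal("alice");
        Subject active = new Subject();
        System.out.println(auth.isValid(alice, "s3cret".toCharArray(), active)); // true, via the login modules
        System.out.println(active.getPrincipals().size());                       // 1: the alice principal was copied in
        System.out.println(auth.isValid(alice, "s3cret".toCharArray(), null));   // true, served from the cache
        System.out.println(auth.isValid(alice, "wrong".toCharArray(), null));    // false: cache mismatch and the modules reject
    }
}
```

The cache deliberately stores the verified credential alongside the Subject so that a later lookup can re-check what the caller presents; in the real class that comparison and the entry lifetime are the CachePolicy's responsibility, and a cache that returns true on principal name alone would turn the cache into an authentication bypass.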
getPrincipal
public Principal getPrincipal(Principal principal)
Map the argument principal from the deployment environment principal to the developer environment. This is called by the EJB context getCallerPrincipal() to return the Principal as described by the EJB developer domain.
Specified by:
- getPrincipal in interface RealmMapping
Parameters:
- principal - the caller principal as known in the operation environment.
Returns:
- a Principal object that is valid in the deployment environment if one exists. If no Subject exists or the Subject has no principals, then the argument principal is returned.
doesUserHaveRole
public boolean doesUserHaveRole(Principal principal, Set<Principal> rolePrincipals)
Does the current Subject have a role (a Principal) that equates to one of the role names? This method obtains the Group named 'Roles' from the principal set of the currently authenticated Subject, as determined by the SecurityAssociation.getSubject() method, and then creates a SimplePrincipal for each name in rolePrincipals. If the role is a member of the Roles group, then the user has the role. This requires that the caller establish the correct SecurityAssociation subject prior to calling this method. In the past this was done as a side effect of an isValid() call, but this is no longer the case.
Specified by:
- doesUserHaveRole in interface RealmMapping
Parameters:
- principal - ignored. The current authenticated Subject determines the active user and assigned user roles.
- rolePrincipals - a Set of Principals for the roles to check.
Returns:
- true if the principal has at least one of the roles in the roles set, false otherwise.
See Also:
- Subject.getPrincipals()

getUserRoles
public Set<Principal> getUserRoles(Principal principal)
Return the set of domain roles from the 'Roles' group found in the current active Subject's Principals set.
Specified by:
- getUserRoles in interface RealmMapping
Parameters:
- principal - ignored. The current authenticated Subject determines the active user and assigned user roles.
Returns:
- The Set of Principals for the application domain roles that the principal has been assigned.
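The role lookup that doesUserHaveRole and getUserRoles describe, as an added example written for this page rather than taken from JaasSecurityManagerBase: it finds the 'Roles' group among the active Subject's principals, ignores the principal argument as the documentation says, and answers from the group's members. The SubjectRoleCheck class, the RolesGroup and NamePrincipal types, and the thread-local standing in for SecurityAssociation.getSubject() are assumptions of the example.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

// Hypothetical role-mapping helper (not the JBoss/PicketBox implementation) that follows the documented
// algorithm: find the 'Roles' group among the active Subject's principals, then test each requested
// role against the group's members. As in the text, the active Subject is a thread-local that the
// caller must establish before asking about roles.
public class SubjectRoleCheck {
    // Minimal principal local to this example; JBoss has its own SimplePrincipal.
    public static final class NamePrincipal implements Principal {
        private final String name;
        public NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) { return o instanceof NamePrincipal && name.equals(((NamePrincipal) o).name); }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }
    // Stand-in for the 'Roles' group: a Principal named "Roles" that carries the role principals as members.
    public static final class RolesGroup implements Principal {
        private final Set<Principal> members = new HashSet<>();
        @Override public String getName() { return "Roles"; }
        public RolesGroup add(Principal role) { members.add(role); return this; }
        public boolean isMember(Principal role) { return members.contains(role); }
        public Set<Principal> members() { return Collections.unmodifiableSet(members); }
    }

    // Thread-local active Subject, playing the part the text assigns to SecurityAssociation.getSubject().
    private static final ThreadLocal<Subject> ACTIVE = new ThreadLocal<>();
    public static void setActiveSubject(Subject subject) { ACTIVE.set(subject); }
    public static void clearActiveSubject() { ACTIVE.remove(); }
    public static Subject getActiveSubject() { return ACTIVE.get(); }

    private static RolesGroup findRolesGroup(Subject subject) {
        if (subject == null) return null;
        for (RolesGroup group : subject.getPrincipals(RolesGroup.class)) {
            if ("Roles".equals(group.getName())) return group;
        }
        return null;
    }

    // getUserRoles contract: the principal argument is ignored; the active Subject decides.
    public static Set<Principal> getUserRoles(Principal ignored) {
        RolesGroup roles = findRolesGroup(getActiveSubject());
        return roles == null ? Collections.<Principal>emptySet() : roles.members();
    }

    // doesUserHaveRole contract: a SimplePrincipal-like principal is built for each requested role name
    // and checked for membership in the Roles group; no established Subject (or no group) means no roles.
    public static boolean doesUserHaveRole(Principal ignored, Set<Principal> rolePrincipals) {
        RolesGroup roles = findRolesGroup(getActiveSubject());
        if (roles == null) return false;
        for (Principal wanted : rolePrincipals) {
            if (roles.isMember(new NamePrincipal(wanted.getName()))) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed Subject for user 'alice' holding the roles Manager and Employee.
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamePrincipal("alice"));
        subject.getPrincipals().add(new RolesGroup().add(new NamePrincipal("Manager")).add(new NamePrincipal("Employee")));
        Set<Principal> wanted = new HashSet<>(Arrays.asList(new NamePrincipal("Admin"), new NamePrincipal("Manager")));
        System.out.println(doesUserHaveRole(null, wanted));       // false: no Subject established on this thread yet
        setActiveSubject(subject);
        try {
            System.out.println(doesUserHaveRole(null, wanted));   // true: Manager is a member of Roles
            System.out.println(getUserRoles(null));               // Manager and Employee, in set order
        } finally {
            clearActiveSubject();   // do not leave a stale Subject on a pooled thread
        }
    }
}
```

Because the check reads a thread-local rather than the principal argument, the first call in main returns false even though a Subject with the right roles exists; this is the behaviour the documentation warns about when it says the caller must establish the SecurityAssociation subject first, and the finally block shows the matching cleanup so a request-handling thread does not carry the previous caller's roles into the next request.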
getTargetPrincipal
public Principal getTargetPrincipal(Principal anotherDomainPrincipal, Map<String,Object> contextMap)
Description copied from interface: AuthenticationManager
Trust-related use cases may require translation of a principal from another domain to the current domain. An implementation of this interface may need to contact the external trust provider out of band when deriving the target principal.
Specified by:
- getTargetPrincipal in interface AuthenticationManager
Parameters:
- anotherDomainPrincipal - Principal that is applicable in the other domain (can be null, in which case the contextMap is used solely to derive the target principal)
- contextMap - Any context information (including information on the other domain that may be relevant in deriving the target principal). Any SAML assertions that may be relevant can be passed here.
Returns:
- principal from a target security domain
See Also:
- AuthenticationManager.getTargetPrincipal(Principal, Map)
logout
public void logout(Principal principal, Subject subject)
Performs the JAAS logout. The incoming Subject is used to create the LoginContext and is passed to the JAAS login modules so that proper cleanup can be performed by each module.
Specified by:
- logout in interface AuthenticationManager
Parameters:
- principal - the Principal being logged out.
- subject - the Subject associated with the principal being logged out.