JaasSecurityManager

Overview

Package

Class

Tree

Deprecated

Index

Help

PREV CLASS (src) NEXT CLASS (src)

FRAMES NO FRAMES

SUMMARY: NESTED | FIELD | CONSTR | METHOD

DETAIL: FIELD | CONSTR | METHOD

org.jboss.security.plugins
Class JaasSecurityManager

java.lang.Object
  org.jboss.mx.util.JBossNotificationBroadcasterSupport (src) 
      org.jboss.system.ServiceMBeanSupport (src) 
          org.jboss.security.plugins.JaasSecurityManager

All Implemented Interfaces:: AuthenticationManager (src) , MBeanRegistration (src) , NotificationBroadcaster (src) , NotificationEmitter (src) , RealmMapping (src) , Service (src) , ServiceMBean (src) , SubjectSecurityManager (src)

Direct Known Subclasses:: JaasSecurityDomain (src)

public class JaasSecurityManager
extends ServiceMBeanSupport (src)
implements SubjectSecurityManager (src) , RealmMapping (src)

The JaasSecurityManager is responsible both for authenticating credentials associated with principals and for role mapping. This implementation relies on the JAAS LoginContext/LoginModules associated with the security domain name associated with the class for authentication, and the context JAAS Subject object for role mapping.

See Also:: isValid(Principal, Object), getPrincipal(Principal), doesUserHaveRole(Principal, Set)

Nested Class Summary
`static class`	`JaasSecurityManager.DomainInfo (src)` The authentication cache object.

Field Summary
`protected Logger (src)`	`log` The log4j category for the security manager domain
`protected boolean`	`trace`

Fields inherited from class org.jboss.system.ServiceMBeanSupport (src)

server, SERVICE_CONTROLLER_SIG, serviceName

Fields inherited from interface org.jboss.system.ServiceMBean (src)

CREATE_EVENT, CREATED, DESTROY_EVENT, DESTROYED, FAILED, REGISTERED, START_EVENT, STARTED, STARTING, states, STOP_EVENT, STOPPED, STOPPING, UNREGISTERED

Constructor Summary
`JaasSecurityManager()` Creates a default JaasSecurityManager for with a securityDomain name of 'other'.
`JaasSecurityManager(java.lang.String securityDomain, javax.security.auth.callback.CallbackHandler handler)` Creates a JaasSecurityManager for with a securityDomain name of that given by the 'securityDomain' argument.

Method Summary
`protected boolean`	`doesRoleGroupHaveRole(java.security.Principal role, java.security.acl.Group userRoles)` Check that the indicated application domain role is a member of the user's assigned roles.
`boolean`	`doesUserHaveRole(java.security.Principal principal, java.security.Principal role)` Validates operational environment Principal against the specified application domain role.
`boolean`	`doesUserHaveRole(java.security.Principal principal, java.util.Set rolePrincipals)` Does the current Subject have a role(a Principal) that equates to one of the role names.
`void`	`flushCache()` Not really used anymore as the security manager service manages the security domain authentication caches.
`javax.security.auth.Subject`	`getActiveSubject()` Get the currently authenticated Subject.
`java.security.Principal`	`getPrincipal(java.security.Principal principal)` Map the argument principal from the deployment environment principal to the developer environment.
`java.lang.String`	`getSecurityDomain()` Get the name of the security domain associated with this security mgr.
`java.util.Set`	`getUserRoles(java.security.Principal principal)` Return the set of domain roles the principal has been assigned.
`boolean`	`isValid(java.security.Principal principal, java.lang.Object credential)` Validate that the given credential is correct for principal.
`boolean`	`isValid(java.security.Principal principal, java.lang.Object credential, javax.security.auth.Subject activeSubject)` Validate that the given credential is correct for principal.
`void`	`setCachePolicy(CachePolicy (src) domainCache)` The domainCache is typically a shared object that is populated by the login code(LoginModule, etc.) and read by this class in the isValid() method.

Methods inherited from class org.jboss.system.ServiceMBeanSupport (src)

create, createService, destroy, destroyService, getLog, getName, getNextNotificationSequenceNumber, getObjectName, getServer, getServiceName, getState, getStateString, jbossInternalCreate, jbossInternalDescription, jbossInternalDestroy, jbossInternalLifecycle, jbossInternalStart, jbossInternalStop, postDeregister, postRegister, preDeregister, preRegister, start, startService, stop, stopService

Methods inherited from class org.jboss.mx.util.JBossNotificationBroadcasterSupport (src)

addNotificationListener, getNotificationInfo, handleNotification, removeNotificationListener, removeNotificationListener, sendNotification

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

log

protected Logger (src)  log

The log4j category for the security manager domain

trace

protected boolean trace

Constructor Detail

JaasSecurityManager

public JaasSecurityManager()

Creates a default JaasSecurityManager for with a securityDomain name of 'other'.

JaasSecurityManager

public JaasSecurityManager(java.lang.String securityDomain,
                           javax.security.auth.callback.CallbackHandler handler)

Creates a JaasSecurityManager for with a securityDomain name of that given by the 'securityDomain' argument.
Parameters:: securityDomain - the name of the security domain; handler - the JAAS callback handler instance to use
Throws:: java.lang.reflect.UndeclaredThrowableException - thrown if handler does not implement a setSecurityInfo(Princpal, Object) method

Method Detail

setCachePolicy

public void setCachePolicy(CachePolicy (src)  domainCache)

The domainCache is typically a shared object that is populated by the login code(LoginModule, etc.) and read by this class in the isValid() method.

See Also:: isValid(Principal, Object)

flushCache

public void flushCache()

Not really used anymore as the security manager service manages the security domain authentication caches.

getSecurityDomain

public java.lang.String getSecurityDomain()

Get the name of the security domain associated with this security mgr.

Specified by:: getSecurityDomain in interface AuthenticationManager (src)

Returns:: Name of the security manager security domain.

getActiveSubject

public javax.security.auth.Subject getActiveSubject()

Get the currently authenticated Subject. This is a thread local property shared across all JaasSecurityManager instances.

Specified by:: getActiveSubject in interface AuthenticationManager (src)

Returns:: The Subject authenticated in the current thread if one exists, null otherwise.
See Also:: AuthenticationManager.isValid(java.security.Principal, Object), AuthenticationManager.isValid(java.security.Principal, Object, javax.security.auth.Subject)

isValid

public boolean isValid(java.security.Principal principal,
                       java.lang.Object credential)

Validate that the given credential is correct for principal. This returns the value from invoking isValid(principal, credential, null).

Specified by:: isValid in interface AuthenticationManager (src)

Parameters:: principal - - the security domain principal attempting access; credential - - the proof of identity offered by the principal
Returns:: true if the principal was authenticated, false otherwise.

isValid

public boolean isValid(java.security.Principal principal,
                       java.lang.Object credential,
                       javax.security.auth.Subject activeSubject)

Validate that the given credential is correct for principal. This first will check the current CachePolicy object if one exists to see if the user's cached credentials match the given credential. If there is no credential cache or the cache information is invalid or does not match, the user is authenticated against the JAAS login modules configured for the security domain.

Specified by:: isValid in interface AuthenticationManager (src)

Parameters:: principal - - the security domain principal attempting access; credential - the proof of identity offered by the principal; activeSubject - - if not null, a Subject that will be populated with the state of the authenticated Subject.
Returns:: true if the principal was authenticated, false otherwise.

getPrincipal

public java.security.Principal getPrincipal(java.security.Principal principal)

Map the argument principal from the deployment environment principal to the developer environment. This is called by the EJB context getCallerPrincipal() to return the Principal as described by the EJB developer domain.

Specified by:: getPrincipal in interface RealmMapping (src)

Parameters:: principal - the caller principal as known in the operation environment.
Returns:: a Principal object that is valid in the deployment environment if one exists. If no Subject exists or the Subject has no principals then the argument principal is returned.

doesUserHaveRole

public boolean doesUserHaveRole(java.security.Principal principal,
                                java.util.Set rolePrincipals)

Does the current Subject have a role(a Principal) that equates to one of the role names. This method obtains the Group named 'Roles' from the principal set of the currently authenticated Subject and then creates a SimplePrincipal for each name in roleNames. If the role is a member of the Roles group, then the user has the role.

Specified by:: doesUserHaveRole in interface RealmMapping (src)

Parameters:: principal - - ignored. The current authenticated Subject determines the active user and assigned user roles.; rolePrincipals - - a Set of Principals for the roles to check.
Returns:: true if the principal has at least one of the roles in the roles set, false otherwise.
See Also:: java.security.acl.Group;, Subject.getPrincipals()

doesUserHaveRole

public boolean doesUserHaveRole(java.security.Principal principal,
                                java.security.Principal role)

Validates operational environment Principal against the specified application domain role.

Parameters:: principal - - the caller principal as known in the operation environment.; role - - the application domain role that the principal is to be validated against.
Returns:: true if the principal has the role, false otherwise.

getUserRoles

public java.util.Set getUserRoles(java.security.Principal principal)

Return the set of domain roles the principal has been assigned.

Specified by:: getUserRoles in interface RealmMapping (src)

Returns:: The Set for the application domain roles that the principal has been assigned.

doesRoleGroupHaveRole

protected boolean doesRoleGroupHaveRole(java.security.Principal role,
                                        java.security.acl.Group userRoles)

Check that the indicated application domain role is a member of the user's assigned roles. This handles the special AnybodyPrincipal and NobodyPrincipal independent of the Group implementation.

Parameters:: role - , the application domain role required for access; userRoles - , the set of roles assigned to the user
Returns:: true if role is in userRoles or an AnybodyPrincipal instance, false if role is a NobodyPrincipal or no a member of userRoles