Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

JaasAuthenticationProvider no longer supports the useSystemProperty setting.This is because it no longer uses the java.security.auth.login.config system property for configuring Jaas. Custom Jaas configuration needs can be implemented in a subclass that overrides the configureJaas method. 

JaasAuthenticationProvider now handles logout by associating the LoginContext with a new JaasAuthenticationToken
This commit is contained in:
Ray Krueger 2005-11-04 15:02:27 +00:00
parent 6049e9ac65
commit 0aa4989dad
3 changed files with 182 additions and 127 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

202
core/src/main/java/org/acegisecurity/providers/jaas/JaasAuthenticationProvider.java
View File

@ -19,40 +19,37 @@ import net.sf.acegisecurity.AcegiSecurityException;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.AuthenticationException;
import net.sf.acegisecurity.GrantedAuthority;
import net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter;
import net.sf.acegisecurity.context.SecurityContext;
import net.sf.acegisecurity.providers.AuthenticationProvider;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.providers.jaas.event.JaasAuthenticationFailedEvent;
import net.sf.acegisecurity.providers.jaas.event.JaasAuthenticationSuccessEvent;
import net.sf.acegisecurity.ui.session.HttpSessionDestroyedEvent;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.BeansException;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.core.io.Resource;
import org.springframework.util.Assert;
import java.io.IOException;
import java.security.Principal;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.io.IOException;
import java.security.Principal;
import java.security.Security;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
/**
@ -157,15 +154,14 @@ import javax.security.auth.login.LoginException;
* </p>
*
* A configuration note:
* The JaasAuthenticationProvider configures jaas using the system property 'java.security.auth.login.config' by default.
* If use of the java.security.auth.login.config property is not allowed by the Security property 'policy.allowSystemProperty', OR if the JaasAuthenticationProvider
* useSystemProperty option is false, then Jaas will be configured using the 'login.config.url.x' properties.
* The JaasAuthenticationProvider uses the security properites &quote;login.config.url.X&quote; to configure jaas.
* If you would like to customize the way Jaas gets configured, create a subclass of this and override the {@link #configureJaas(Resource)} method.
*
* @author Ray Krueger
* @version $Id$
*/
public class JaasAuthenticationProvider implements AuthenticationProvider,
InitializingBean, ApplicationContextAware {
InitializingBean, ApplicationContextAware, ApplicationListener {
//~ Static fields/initializers =============================================
protected static final Log log = LogFactory.getLog(JaasAuthenticationProvider.class);
@ -175,11 +171,10 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
private ApplicationContext context;
private LoginExceptionResolver loginExceptionResolver = new DefaultLoginExceptionResolver();
private Resource loginConfig;
private final String SYSPROP = "java.security.auth.login.config";
private String loginContextName = "ACEGI";
private AuthorityGranter[] authorityGranters;
private JaasAuthenticationCallbackHandler[] callbackHandlers;
private boolean useSystemProperty = true;
//~ Methods ================================================================
@ -197,7 +192,6 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
* granted to the Authentication.
*
* @param authorityGranters AuthorityGranter array
*
* @see JaasAuthenticationProvider
*/
public void setAuthorityGranters(AuthorityGranter[] authorityGranters) {
@ -210,8 +204,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
* were ever set.
*
* @return The AuthorityGranter array, or null
*
* @see #setAuthorityGranters(net.sf.acegisecurity.providers.jaas.AuthorityGranter[])
* @see #setAuthorityGranters(AuthorityGranter[])
*/
public AuthorityGranter[] getAuthorityGranters() {
return authorityGranters;
@ -233,8 +226,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
* none are set.
*
* @return the JAASAuthenticationCallbackHandlers.
*
* @see #setCallbackHandlers(net.sf.acegisecurity.providers.jaas.JaasAuthenticationCallbackHandler[])
* @see #setCallbackHandlers(JaasAuthenticationCallbackHandler[])
*/
public JaasAuthenticationCallbackHandler[] getCallbackHandlers() {
return callbackHandlers;
@ -246,7 +238,6 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
* @param loginConfig <a
* href="http://www.springframework.org/docs/api/org/springframework/core/io/Resource.html">Spring
* Resource</a>
*
* @see <a
* href="http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASRefGuide.html">JAAS
* Reference</a>
@ -287,47 +278,59 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
Assert.hasLength(loginContextName,
"loginContextName must be set on " + getClass());
String loginConfigStr = null;
try {
loginConfigStr = loginConfig.getFile().toString();
} catch (IOException e) {
if (log.isDebugEnabled()) {
log.debug("Could not resolve loginConfig [" + loginConfig
+ "] as a File, using URL");
}
loginConfigStr = loginConfig.getURL().toString();
}
boolean allowed = "true".equalsIgnoreCase(Security.getProperty(
"policy.allowSystemProperty"));
if (useSystemProperty && allowed) {
log.debug("Setting system property [" + SYSPROP + "] to: "
+ loginConfigStr);
System.setProperty(SYSPROP, loginConfigStr);
} else {
if (useSystemProperty && !allowed) {
log.warn("useSystemProperty is true, but the security property 'policy.allowSystemProperty' is false. " +
"Jaas will be configured using the login.config.url property.");
}
setPropertyUsingLoop(loginConfig.getURL().toString());
}
configureJaas(loginConfig);
Assert.notNull(Configuration.getConfiguration(),
"As per http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html \"If a Configuration object was set via the Configuration.setConfiguration method, then that object is returned. Otherwise, a default Configuration object is returned\". Your JRE returned null to Configuration.getConfiguration().");
}
/**
* Hook method for configuring Jaas
*
* @param loginConfigStr URL to Jaas login configuration
*/
protected void configureJaas(Resource loginConfig) throws IOException {
configureJaasUsingLoop();
}
/**
* Loops through the login.config.url.1,login.config.url.2 properties
* looking for the login configuration. If it is not set, it will be set
* to the last available login.config.url.X property.
*/
private void configureJaasUsingLoop() throws IOException {
String loginConfigUrl = loginConfig.getURL().toString();
boolean alreadySet = false;
int n = 1;
String prefix = "login.config.url.";
String existing = null;
while ((existing = Security.getProperty(prefix + n)) != null) {
alreadySet = existing.equals(loginConfigUrl);
if (alreadySet) {
break;
}
n++;
}
if (!alreadySet) {
String key = prefix + n;
log.debug("Setting security property [" + key + "] to: "
+ loginConfigUrl);
Security.setProperty(key, loginConfigUrl);
}
}
/**
* Attempts to login the user given the Authentication objects principal
* and credential
*
* @param auth The Authentication object to be authenticated.
*
* @return The authenticated Authentication object, with it's
* grantedAuthorities set.
*
* @throws AuthenticationException This implementation does not handle
* 'locked' or 'disabled' accounts. This method only throws a
* AuthenticationServiceException, with the message of the
@ -341,11 +344,11 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
try {
//Create the LoginContext object, and pass our InternallCallbackHandler
LoginContext lc = new LoginContext(loginContextName,
LoginContext loginContext = new LoginContext(loginContextName,
new InternalCallbackHandler(auth));
//Attempt to login the user, the LoginContext will call our InternalCallbackHandler at this point.
lc.login();
loginContext.login();
//create a set to hold the authorities, and add any that have already been applied.
Set authorities = new HashSet();
@ -355,7 +358,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
}
//get the subject principals and pass them to each of the AuthorityGranters
Set principals = lc.getSubject().getPrincipals();
Set principals = loginContext.getSubject().getPrincipals();
for (Iterator iterator = principals.iterator();
iterator.hasNext();) {
@ -378,10 +381,10 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
}
//Convert the authorities set back to an array and apply it to the token.
UsernamePasswordAuthenticationToken result = new UsernamePasswordAuthenticationToken(request
JaasAuthenticationToken result = new JaasAuthenticationToken(request
.getPrincipal(), request.getCredentials(),
(GrantedAuthority[]) authorities.toArray(
new GrantedAuthority[authorities.size()]));
new GrantedAuthority[authorities.size()]), loginContext);
//Publish the success event
publishSuccessEvent(result);
@ -404,6 +407,38 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
return UsernamePasswordAuthenticationToken.class.isAssignableFrom(aClass);
}
public void onApplicationEvent(ApplicationEvent applicationEvent) {
if (applicationEvent instanceof HttpSessionDestroyedEvent) {
HttpSessionDestroyedEvent event = (HttpSessionDestroyedEvent) applicationEvent;
handleLogout(event);
}
}
/**
* Handles the logout by getting the SecurityContext for the session that was destroyed.
* <b>MUST NOT use SecurityContextHolder we are logging out a session that is not related to the current user.</b>
* @param event
*/
protected void handleLogout(HttpSessionDestroyedEvent event) {
SecurityContext context = (SecurityContext) event.getSession().getAttribute(HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY);
Authentication auth = context.getAuthentication();
if (auth instanceof JaasAuthenticationToken) {
JaasAuthenticationToken token = (JaasAuthenticationToken) auth;
try {
LoginContext loginContext = token.getLoginContext();
if (loginContext != null) {
log.debug("Logging principal: [" + token.getPrincipal() + "] out of LoginContext");
loginContext.logout();
} else {
log.debug("Cannot logout principal: [" + token.getPrincipal() + "] from LoginContext. " +
"The LoginContext is unavailable");
}
} catch (LoginException e) {
log.warn("Error error logging out of LoginContext", e);
}
}
}
/**
* Publishes the {@link JaasAuthenticationFailedEvent}. Can be overridden
* by subclasses for different functionality
@ -431,51 +466,6 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
token));
}
/**
* Loops through the login.config.url.1,login.config.url.2 properties
* looking for the login configuration. If it is not set, it will be set
* to the last available login.config.url.X property.
*
* @param loginConfigStr
*/
private void setPropertyUsingLoop(String loginConfigStr) {
boolean alreadySet = false;
int n = 1;
String prefix = "login.config.url.";
String existing = null;
while ((existing = Security.getProperty(prefix + n)) != null) {
alreadySet = existing.equals(loginConfigStr);
if (alreadySet) {
break;
}
n++;
}
if (!alreadySet) {
String key = prefix + n;
log.debug("Setting security property [" + key + "] to: "
+ loginConfigStr);
Security.setProperty(key, loginConfigStr);
}
}
public boolean isUseSystemProperty() {
return useSystemProperty;
}
/**
* If true, the JaasAuthenticationProvider will configure Jaas using the system property 'java.security.auth.login.config'.
* If false, the JaasAuthenticationProvider will configure Jaas using the 'login.config.url.x' property.
* <br/><b>Default:True</b>
* @param useSystemProperty
*/
public void setUseSystemProperty(boolean useSystemProperty) {
this.useSystemProperty = useSystemProperty;
}
//~ Inner Classes ==========================================================
/**

31
core/src/main/java/org/acegisecurity/providers/jaas/JaasAuthenticationToken.java Normal file
View File

@ -0,0 +1,31 @@
package net.sf.acegisecurity.providers.jaas;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import net.sf.acegisecurity.GrantedAuthority;
import javax.security.auth.login.LoginContext;
/**
* UsernamePasswordAuthenticationToken extension to carry the Jaas LoginContext that the user was logged into
* @author Ray Krueger
*/
public class JaasAuthenticationToken extends UsernamePasswordAuthenticationToken {
private transient LoginContext loginContext = null;
public JaasAuthenticationToken(Object principal, Object credentials, LoginContext loginContext) {
super(principal, credentials);
this.loginContext = loginContext;
}
public JaasAuthenticationToken(Object principal, Object credentials, GrantedAuthority[] authorities, LoginContext loginContext) {
super(principal, credentials, authorities);
this.loginContext = loginContext;
}
public LoginContext getLoginContext() {
return loginContext;
}
}

36
core/src/test/java/org/acegisecurity/providers/jaas/JaasAuthenticationProviderTests.java
View File

@ -17,12 +17,17 @@ package net.sf.acegisecurity.providers.jaas;
import junit.framework.TestCase;
import net.sf.acegisecurity.*;
import net.sf.acegisecurity.context.HttpSessionContextIntegrationFilter;
import net.sf.acegisecurity.context.SecurityContextImpl;
import net.sf.acegisecurity.ui.session.HttpSessionDestroyedEvent;
import net.sf.acegisecurity.providers.TestingAuthenticationToken;
import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.springframework.context.ApplicationContext;
import org.springframework.context.support.ClassPathXmlApplicationContext;
import org.springframework.mock.web.MockHttpSession;
import javax.security.auth.login.LoginException;
import javax.security.auth.login.LoginContext;
import java.net.URL;
import java.security.Security;
import java.util.Arrays;
@ -74,7 +79,6 @@ public class JaasAuthenticationProviderTests extends TestCase {
String resName = "/" + getClass().getName().replace('.', '/') + ".conf";
URL url = getClass().getResource(resName);
Security.setProperty("policy.allowSystemProperty", "false");
Security.setProperty("login.config.url.1", url.toString());
setUp();
@ -211,10 +215,40 @@ public class JaasAuthenticationProviderTests extends TestCase {
new GrantedAuthority[]{})));
}
public void testLogout() throws Exception {
MockLoginContext loginContext = new MockLoginContext(jaasProvider.getLoginContextName());
JaasAuthenticationToken token = new JaasAuthenticationToken(null, null, loginContext);
SecurityContextImpl context = new SecurityContextImpl();
context.setAuthentication(token);
MockHttpSession mockSession = new MockHttpSession();
mockSession.setAttribute(HttpSessionContextIntegrationFilter.ACEGI_SECURITY_CONTEXT_KEY, context);
jaasProvider.onApplicationEvent(new HttpSessionDestroyedEvent(mockSession));
assertTrue(loginContext.loggedOut);
}
protected void setUp() throws Exception {
String resName = "/" + getClass().getName().replace('.', '/') + ".xml";
context = new ClassPathXmlApplicationContext(resName);
eventCheck = (JaasEventCheck) context.getBean("eventCheck");
jaasProvider = (JaasAuthenticationProvider) context.getBean("jaasAuthenticationProvider");
}
private static class MockLoginContext extends LoginContext {
boolean loggedOut = false;
public MockLoginContext(String loginModule) throws LoginException {
super(loginModule);
}
public void logout() throws LoginException {
this.loggedOut = true;
}
}
}