In response to: http://forum.springframework.org/viewtopic.php?t=3874

JaasAuthenticationProvider now checks that the java.security.auth.login.config is null before attempting to use it.

Also, The loginConfig resource is attempted as a file first as spaces in the path name can cause FileNotFoundExceptions for URLs

core/src/main/java/org/acegisecurity/providers/jaas/JaasAuthenticationProvider.java

@@ -23,47 +23,41 @@ import net.sf.acegisecurity.providers.AuthenticationProvider;
 import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
 import net.sf.acegisecurity.providers.jaas.event.JaasAuthenticationFailedEvent;
 import net.sf.acegisecurity.providers.jaas.event.JaasAuthenticationSuccessEvent;
-
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.InitializingBean;
-
 import org.springframework.context.ApplicationContext;
 import org.springframework.context.ApplicationContextAware;
-import org.springframework.context.ApplicationContextException;
-
 import org.springframework.core.io.Resource;
-
 import org.springframework.util.Assert;
 
-import java.io.IOException;
-
-import java.security.Principal;
-import java.security.Security;
-
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Iterator;
-import java.util.Set;
-
 import javax.security.auth.callback.Callback;
 import javax.security.auth.callback.CallbackHandler;
 import javax.security.auth.callback.UnsupportedCallbackException;
 import javax.security.auth.login.Configuration;
 import javax.security.auth.login.LoginContext;
 import javax.security.auth.login.LoginException;
+import java.io.IOException;
+import java.security.Principal;
+import java.security.Security;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
 
 
 /**
  * An {@link AuthenticationProvider} implementation that retrieves user details
  * from a JAAS login configuration.
- * 
+ * <p/>
- * <p>
+ * <p/>
  * This <code>AuthenticationProvider</code> is capable of validating {@link
  * net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken}
  * requests contain the correct username and password.
  * </p>
- * 
+ * <p/>
- * <p>
+ * <p/>
  * This implementation is backed by a <a
  * href="http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASRefGuide.html">JAAS</a>
  * configuration. The loginConfig property must be set to a given JAAS
@@ -72,37 +66,37 @@ import javax.security.auth.login.LoginException;
  * configuration file containing an index matching the {@link
  * #setLoginContextName(java.lang.String) loginContextName} property.
  * </p>
- * 
+ * <p/>
- * <p>
+ * <p/>
  * For example: If this JaasAuthenticationProvider were configured in a Spring
  * WebApplicationContext the xml to set the loginConfiguration could be as
  * follows...
  * <pre>
-&lt;property name="loginConfig"&gt;
+ * &lt;property name="loginConfig"&gt;
- &lt;value&gt;/WEB-INF/login.conf&lt;/value&gt;
+ * &lt;value&gt;/WEB-INF/login.conf&lt;/value&gt;
-&lt;/property&gt;
+ * &lt;/property&gt;
-</pre>
+ * </pre>
  * </p>
- * 
+ * <p/>
- * <p>
+ * <p/>
  * The loginContextName should coincide with a given index in the loginConfig
  * specifed. The loginConfig file used in the JUnit tests appears as the
  * following...
  * <pre>
-JAASTest {
+ * JAASTest {
-  net.sf.acegisecurity.providers.jaas.TestLoginModule required;
+ * net.sf.acegisecurity.providers.jaas.TestLoginModule required;
-};
+ * };
-</pre>
+ * </pre>
  * Using the example login configuration above, the loginContextName property
  * would be set as <i>JAASTest</i>...
  * <pre>
-&lt;property name="loginContextName"&gt;
+ * &lt;property name="loginContextName"&gt;
- &lt;value&gt;JAASTest&lt;/value&gt;
+ * &lt;value&gt;JAASTest&lt;/value&gt;
-&lt;/property&gt;
+ * &lt;/property&gt;
-</pre>
+ * </pre>
  * </p>
- * 
+ * <p/>
- * <p>
+ * <p/>
  * When using JAAS login modules as the authentication source, sometimes the <a
  * href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/login/LoginContext.html">LoginContext</a>
  * will require <i>CallbackHandler</i>s. The JaasAuthenticationProvider uses
@@ -113,24 +107,24 @@ JAASTest {
  * CallbackHandler, control is passed to each {@link
  * JaasAuthenticationCallbackHandler} for each Callback passed.
  * </p>
- * 
+ * <p/>
- * <p>
+ * <p/>
  * {{@link JaasAuthenticationCallbackHandler}s are passed to the
  * JaasAuthenticationProvider through the {@link
  * #setCallbackHandlers(net.sf.acegisecurity.providers.jaas.JaasAuthenticationCallbackHandler[])
  * callbackHandlers} property. }
  * <pre>
-  &lt;property name="callbackHandlers"&gt;
+ * &lt;property name="callbackHandlers"&gt;
-      &lt;list&gt;
+ * &lt;list&gt;
-          &lt;bean class="net.sf.acegisecurity.providers.jaas.TestCallbackHandler"/&gt;
+ * &lt;bean class="net.sf.acegisecurity.providers.jaas.TestCallbackHandler"/&gt;
-          &lt;bean class="{@link JaasNameCallbackHandler net.sf.acegisecurity.providers.jaas.JaasNameCallbackHandler}"/&gt;
+ * &lt;bean class="{@link JaasNameCallbackHandler net.sf.acegisecurity.providers.jaas.JaasNameCallbackHandler}"/&gt;
-          &lt;bean class="{@link JaasPasswordCallbackHandler net.sf.acegisecurity.providers.jaas.JaasPasswordCallbackHandler}"/&gt;
+ * &lt;bean class="{@link JaasPasswordCallbackHandler net.sf.acegisecurity.providers.jaas.JaasPasswordCallbackHandler}"/&gt;
-      &lt;/list&gt;
+ * &lt;/list&gt;
-  &lt;/property&gt;
+ * &lt;/property&gt;
-</pre>
+ * </pre>
  * </p>
- * 
+ * <p/>
- * <p>
+ * <p/>
  * After calling LoginContext.login(), the JaasAuthenticationProvider will
  * retrieve the returned Principals from the Subject
  * (LoginContext.getSubject().getPrincipals). Each returned principal is then
@@ -141,17 +135,17 @@ JAASTest {
  * method. The returned role will be applied to the Authorization object as a
  * {@link GrantedAuthority}.
  * </p>
- * 
+ * <p/>
- * <p>
+ * <p/>
  * AuthorityGranters are configured in spring xml as follows...
  * <pre>
-&lt;property name="authorityGranters"&gt;
+ * &lt;property name="authorityGranters"&gt;
-  &lt;list&gt;
+ * &lt;list&gt;
-      &lt;bean class="net.sf.acegisecurity.providers.jaas.TestAuthorityGranter"/&gt;
+ * &lt;bean class="net.sf.acegisecurity.providers.jaas.TestAuthorityGranter"/&gt;
-  &lt;/list&gt;
+ * &lt;/list&gt;
-&lt;/property&gt;
+ * &lt;/property&gt;
-<p/>
+ * <p/>
-</pre>
+ * </pre>
  * </p>
  *
  * @author Ray Krueger
@@ -159,6 +153,9 @@ JAASTest {
  */
 public class JaasAuthenticationProvider implements AuthenticationProvider,
         InitializingBean, ApplicationContextAware {
+
+    private static final Log log = LogFactory.getLog(JaasAuthenticationProvider.class);
+
     //~ Instance fields ========================================================
 
     private ApplicationContext context;
@@ -181,7 +178,6 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
      * granted to the Authentication.
      *
      * @param authorityGranters AuthorityGranter array
-     *
      * @see JaasAuthenticationProvider
      */
     public void setAuthorityGranters(AuthorityGranter[] authorityGranters) {
@@ -194,7 +190,6 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
      * were ever set.
      *
      * @return The AuthorityGranter array, or null
-     *
      * @see #setAuthorityGranters(net.sf.acegisecurity.providers.jaas.AuthorityGranter[])
      */
     public AuthorityGranter[] getAuthorityGranters() {
@@ -207,8 +202,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
      *
      * @param callbackHandlers Array of JAASAuthenticationCallbackHandlers
      */
-    public void setCallbackHandlers(
+    public void setCallbackHandlers(JaasAuthenticationCallbackHandler[] callbackHandlers) {
-        JaasAuthenticationCallbackHandler[] callbackHandlers) {
         this.callbackHandlers = callbackHandlers;
     }
 
@@ -217,7 +211,6 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
      * none are set.
      *
      * @return the JAASAuthenticationCallbackHandlers.
-     *
      * @see #setCallbackHandlers(net.sf.acegisecurity.providers.jaas.JaasAuthenticationCallbackHandler[])
      */
     public JaasAuthenticationCallbackHandler[] getCallbackHandlers() {
@@ -230,7 +223,6 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
      * @param loginConfig <a
      *                    href="http://www.springframework.org/docs/api/org/springframework/core/io/Resource.html">Spring
      *                    Resource</a>
-     *
      * @see <a
      *      href="http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASRefGuide.html">JAAS
      *      Reference</a>
@@ -257,8 +249,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
         return loginContextName;
     }
 
-    public void setLoginExceptionResolver(
+    public void setLoginExceptionResolver(LoginExceptionResolver loginExceptionResolver) {
-        LoginExceptionResolver loginExceptionResolver) {
         this.loginExceptionResolver = loginExceptionResolver;
     }
 
@@ -267,22 +258,29 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
     }
 
     public void afterPropertiesSet() throws Exception {
+
         if (loginConfig == null) {
-            throw new ApplicationContextException("loginConfig must be set on "
+            throw new IllegalArgumentException("loginConfig must be set on "
                     + getClass());
         }
 
         if ((loginContextName == null) || "".equals(loginContextName)) {
-            throw new ApplicationContextException(
+            throw new IllegalArgumentException("loginContextName must be set on " + getClass());
-                "loginContextName must be set on " + getClass());
         }
 
-        String loginConfigStr = loginConfig.getURL().toString();
+        String loginConfigStr = null;
 
-        boolean allowed = "true".equalsIgnoreCase(Security.getProperty(
+        try {
-                    "policy.allowSystemProperty"));
+            loginConfigStr = loginConfig.getFile().toString();
+        } catch (IOException e) {
+            log.debug("Could not resolve loginConfig [" + loginConfig + "] as a File, using URL");
+            loginConfigStr = loginConfig.getURL().toString();
+        }
 
-        if (allowed) {
+        boolean allowed = "true".equalsIgnoreCase(Security.getProperty("policy.allowSystemProperty"));
+
+        if (allowed && (System.getProperty(SYSPROP) == null)) {
+            log.debug("Setting system property [" + SYSPROP + "] to: " + loginConfigStr);
             System.setProperty(SYSPROP, loginConfigStr);
         } else {
             setPropertyUsingLoop(loginConfigStr);
@@ -297,10 +295,8 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
      * and credential
      *
      * @param auth The Authentication object to be authenticated.
-     *
      * @return The authenticated Authentication object, with it's
      *         grantedAuthorities set.
-     *
      * @throws AuthenticationException This implementation does not handle
      *                                 'locked' or 'disabled' accounts. This method only throws a
      *                                 AuthenticationServiceException, with the message of the
@@ -309,6 +305,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
      */
     public Authentication authenticate(Authentication auth)
             throws AuthenticationException {
+
         if (auth instanceof UsernamePasswordAuthenticationToken) {
             UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) auth;
 
@@ -347,8 +344,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
                 }
 
                 //Convert the authorities set back to an array and apply it to the token.
-                token.setAuthorities((GrantedAuthority[]) authorities.toArray(
+                token.setAuthorities((GrantedAuthority[]) authorities.toArray(new GrantedAuthority[authorities.size()]));
-                        new GrantedAuthority[authorities.size()]));
 
                 //Publish the success event
                 context.publishEvent(new JaasAuthenticationSuccessEvent(token));
@@ -389,7 +385,9 @@ public class JaasAuthenticationProvider implements AuthenticationProvider,
         }
 
         if (!alreadySet) {
-            Security.setProperty(prefix + n, loginConfigStr);
+            String key = prefix + n;
+            log.debug("Setting security property [" + key + "] to: " + loginConfigStr);
+            Security.setProperty(key, loginConfigStr);
         }
     }
 

core/src/test/java/org/acegisecurity/providers/jaas/JaasAuthenticationProviderTests.java

@@ -16,29 +16,18 @@
 package net.sf.acegisecurity.providers.jaas;
 
 import junit.framework.TestCase;
-
+import net.sf.acegisecurity.*;
-import net.sf.acegisecurity.AcegiSecurityException;
-import net.sf.acegisecurity.Authentication;
-import net.sf.acegisecurity.AuthenticationException;
-import net.sf.acegisecurity.GrantedAuthority;
-import net.sf.acegisecurity.GrantedAuthorityImpl;
-import net.sf.acegisecurity.LockedException;
 import net.sf.acegisecurity.providers.TestingAuthenticationToken;
 import net.sf.acegisecurity.providers.UsernamePasswordAuthenticationToken;
-
 import org.springframework.context.ApplicationContext;
-import org.springframework.context.ApplicationContextException;
 import org.springframework.context.support.ClassPathXmlApplicationContext;
 
+import javax.security.auth.login.LoginException;
 import java.net.URL;
-
 import java.security.Security;
-
 import java.util.Arrays;
 import java.util.List;
 
-import javax.security.auth.login.LoginException;
-
 
 /**
  * Tests for the JaasAuthenticationProvider
@@ -57,10 +46,10 @@ public class JaasAuthenticationProviderTests extends TestCase {
 
     public void testBadPassword() {
         try {
-            jaasProvider.authenticate(new UsernamePasswordAuthenticationToken(
+            jaasProvider.authenticate(new UsernamePasswordAuthenticationToken("user", "asdf"));
-                    "user", "asdf"));
             fail("LoginException should have been thrown for the bad password");
-        } catch (AuthenticationException e) {}
+        } catch (AuthenticationException e) {
+        }
 
         assertNotNull("Failure event not fired", eventCheck.failedEvent);
         assertNotNull("Failure event exception was null",
@@ -70,10 +59,10 @@ public class JaasAuthenticationProviderTests extends TestCase {
 
     public void testBadUser() {
         try {
-            jaasProvider.authenticate(new UsernamePasswordAuthenticationToken(
+            jaasProvider.authenticate(new UsernamePasswordAuthenticationToken("asdf", "password"));
-                    "asdf", "password"));
             fail("LoginException should have been thrown for the bad user");
-        } catch (AuthenticationException e) {}
+        } catch (AuthenticationException e) {
+        }
 
         assertNotNull("Failure event not fired", eventCheck.failedEvent);
         assertNotNull("Failure event exception was null",
@@ -102,7 +91,7 @@ public class JaasAuthenticationProviderTests extends TestCase {
         try {
             myJaasProvider.afterPropertiesSet();
             fail("Should have thrown ApplicationContextException");
-        } catch (ApplicationContextException expected) {
+        } catch (IllegalArgumentException expected) {
             assertTrue(expected.getMessage().startsWith("loginConfig must be set on"));
         }
     }
@@ -117,8 +106,8 @@ public class JaasAuthenticationProviderTests extends TestCase {
 
         try {
             myJaasProvider.afterPropertiesSet();
-            fail("Should have thrown ApplicationContextException");
+            fail("Should have thrown IllegalArgumentException");
-        } catch (ApplicationContextException expected) {
+        } catch (IllegalArgumentException expected) {
             assertTrue(expected.getMessage().startsWith("loginContextName must be set on"));
         }
 
@@ -126,8 +115,8 @@ public class JaasAuthenticationProviderTests extends TestCase {
 
         try {
             myJaasProvider.afterPropertiesSet();
-            fail("Should have thrown ApplicationContextException");
+            fail("Should have thrown IllegalArgumentException");
-        } catch (ApplicationContextException expected) {
+        } catch (IllegalArgumentException expected) {
             assertTrue(expected.getMessage().startsWith("loginContextName must be set on"));
         }
     }
@@ -136,13 +125,12 @@ public class JaasAuthenticationProviderTests extends TestCase {
         GrantedAuthorityImpl role1 = new GrantedAuthorityImpl("ROLE_1");
         GrantedAuthorityImpl role2 = new GrantedAuthorityImpl("ROLE_2");
 
-        GrantedAuthority[] defaultAuths = new GrantedAuthority[] {role1, role2,};
+        GrantedAuthority[] defaultAuths = new GrantedAuthority[]{role1, role2, };
 
         UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user",
                 "password", defaultAuths);
 
-        assertTrue(jaasProvider.supports(
+        assertTrue(jaasProvider.supports(UsernamePasswordAuthenticationToken.class));
-                UsernamePasswordAuthenticationToken.class));
 
         Authentication auth = jaasProvider.authenticate(token);
 
@@ -193,10 +181,9 @@ public class JaasAuthenticationProviderTests extends TestCase {
         });
 
         try {
-            jaasProvider.authenticate(new UsernamePasswordAuthenticationToken(
+            jaasProvider.authenticate(new UsernamePasswordAuthenticationToken("user", "password"));
-                    "user", "password"));
+        } catch (LockedException e) {
-        } catch (LockedException e) {}
+        } catch (Exception e) {
-         catch (Exception e) {
             fail("LockedException should have been thrown and caught");
         }
     }
@@ -205,8 +192,7 @@ public class JaasAuthenticationProviderTests extends TestCase {
         UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken("user",
                 "password", null);
 
-        assertTrue(jaasProvider.supports(
+        assertTrue(jaasProvider.supports(UsernamePasswordAuthenticationToken.class));
-                UsernamePasswordAuthenticationToken.class));
 
         Authentication auth = jaasProvider.authenticate(token);
         assertTrue("Only ROLE_TEST should have been returned",
@@ -214,16 +200,14 @@ public class JaasAuthenticationProviderTests extends TestCase {
     }
 
     public void testUnsupportedAuthenticationObjectReturnsNull() {
-        assertNull(jaasProvider.authenticate(
+        assertNull(jaasProvider.authenticate(new TestingAuthenticationToken("foo", "bar",
-                new TestingAuthenticationToken("foo", "bar",
+                new GrantedAuthority[]{})));
-                    new GrantedAuthority[] {})));
     }
 
     protected void setUp() throws Exception {
         String resName = "/" + getClass().getName().replace('.', '/') + ".xml";
         context = new ClassPathXmlApplicationContext(resName);
         eventCheck = (JaasEventCheck) context.getBean("eventCheck");
-        jaasProvider = (JaasAuthenticationProvider) context.getBean(
+        jaasProvider = (JaasAuthenticationProvider) context.getBean("jaasAuthenticationProvider");
-                "jaasAuthenticationProvider");
     }
 }