From 5a9aa6d1aa78867ddeef22ccaad459833474d69d Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 20 Apr 2011 14:35:09 +0100
Subject: [PATCH] SEC-1700: Allow for case where JAAS config is not a simple file, but may be a jar resource, for example.

---
 .../jaas/JaasAuthenticationProvider.java | 41 +++++++++++--------
 1 file changed, 23 insertions(+), 18 deletions(-)

diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java b/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java
index bbb1a32020..baa5fe5ccc 100644
--- a/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java
+++ b/core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java
@@ -15,16 +15,6 @@
 package org.springframework.security.authentication.jaas;
 
-import java.io.File;
-import java.io.IOException;
-import java.net.URL;
-import java.security.Security;
-
-import javax.security.auth.callback.CallbackHandler;
-import javax.security.auth.login.Configuration;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
-
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.core.io.Resource;
@@ -35,6 +25,15 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.util.Assert;
 
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.Configuration;
+import javax.security.auth.login.LoginContext;
+import javax.security.auth.login.LoginException;
+import java.io.File;
+import java.io.IOException;
+import java.net.URL;
+import java.security.Security;
+
 /**
  * An {@link AuthenticationProvider} implementation that retrieves user details from a JAAS login configuration.
@@ -192,16 +191,22 @@ public class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvid
     }
 
     private String convertLoginConfigToUrl() throws IOException {
-        String loginConfigPath = loginConfig.getFile().getAbsolutePath();
-        loginConfigPath = loginConfigPath.replace(File.separatorChar, '/');
+        String loginConfigPath;
 
-        if (!loginConfigPath.startsWith("/")) {
-            loginConfigPath = "/" + loginConfigPath;
+        try {
+            loginConfigPath = loginConfig.getFile().getAbsolutePath().replace(File.separatorChar, '/');
+
+            if (!loginConfigPath.startsWith("/")) {
+                loginConfigPath = "/" + loginConfigPath;
+            }
+
+            return new URL("file", "", loginConfigPath).toString();
+        } catch (IOException e) {
+            // SEC-1700: May be inside a jar
+            return loginConfig.getURL().toString();
         }
-
-        return new URL("file", "", loginConfigPath).toString();
     }
-
+
     /**
      * Publishes the {@link JaasAuthenticationFailedEvent}. Can be overridden by subclasses for different
      * functionality
@@ -233,7 +238,7 @@ public class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvid
      * If set, a call to {@code Configuration#refresh()} will be made by {@code #configureJaas(Resource) }
      * method. Defaults to {@code true}.
      *
-     * @see SEC-1230
+     * @see SEC-1320
      *
      * @param refresh set to {@code false} to disable reloading of the configuration.
      * May be useful in some environments.
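Review bot: The new `catch (IOException e)` in convertLoginConfigToUrl discards the exception without any trace, so a resource that really is a file but could not be resolved — or a `MalformedURLException` from the `new URL("file", "", loginConfigPath)` call, which is also an `IOException` — now silently falls through to `loginConfig.getURL()` instead of surfacing. Because the string returned here decides which JAAS login configuration the provider ends up loading, the fallback is worth recording: widen the comment on the catch to `// SEC-1700: not resolvable as a file (e.g. inside a jar); fall back to the resource URL` and add a debug-level message through the class's commons-logging instance that includes `e.getMessage()` and the resource description. If the intent is only the jar case, catching the narrower `FileNotFoundException` that Spring's `Resource.getFile()` throws for resources without an absolute file path would keep other I/O failures visible — worth confirming against the `Resource` implementations actually used. The method is fully inside the hunk; the enclosing class continues outside it.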