001 /** 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017 package org.apache.geronimo.jmxremoting; 018 019 import java.util.Map; 020 import java.util.Collections; 021 import java.util.HashMap; 022 import javax.management.remote.JMXAuthenticator; 023 import javax.management.remote.JMXConnectionNotification; 024 import javax.management.NotificationListener; 025 import javax.management.Notification; 026 import javax.security.auth.Subject; 027 import javax.security.auth.login.LoginContext; 028 import javax.security.auth.login.LoginException; 029 030 /** 031 * JMX Authenticator that checks the Credentials by logging in via JAAS. 032 * 033 * @version $Rev: 565912 $ $Date: 2007-08-14 17:03:11 -0400 (Tue, 14 Aug 2007) $ 034 */ 035 public class Authenticator implements JMXAuthenticator, NotificationListener { 036 private final String configName; 037 private final ClassLoader cl; 038 private ThreadLocal<LoginContext> threadContext = new ThreadLocal<LoginContext>(); 039 private Map<String, LoginContext> contextMap = Collections.synchronizedMap(new HashMap<String, LoginContext>()); 040 041 /** 042 * Constructor indicating which JAAS Application Configuration Entry to use. 043 * @param configName the JAAS config name 044 * @param cl classloader to use as TCCL for operations 045 */ 046 public Authenticator(String configName, ClassLoader cl) { 047 this.configName = configName; 048 this.cl = cl; 049 } 050 051 public Subject authenticate(Object o) throws SecurityException { 052 if (!(o instanceof String[])) { 053 throw new IllegalArgumentException("Expected String[2], got " + o == null ? null : o.getClass().getName()); 054 } 055 String[] params = (String[]) o; 056 if (params.length != 2) { 057 throw new IllegalArgumentException("Expected String[2] but length was " + params.length); 058 } 059 060 Thread thread = Thread.currentThread(); 061 ClassLoader oldCL = thread.getContextClassLoader(); 062 Credentials credentials = new Credentials(params[0], params[1]); 063 try { 064 thread.setContextClassLoader(cl); 065 //TODO consider using ContextManager for login and checking a permission against the ACC 066 //to do e.g. deployments. 067 LoginContext context = new LoginContext(configName, credentials); 068 context.login(); 069 threadContext.set(context); 070 return context.getSubject(); 071 } catch (LoginException e) { 072 // do not propogate cause - we don't know what information is may contain 073 throw new SecurityException("Invalid login"); 074 } finally { 075 credentials.clear(); 076 thread.setContextClassLoader(oldCL); 077 } 078 } 079 080 public void handleNotification(Notification notification, Object o) { 081 if (notification instanceof JMXConnectionNotification) { 082 JMXConnectionNotification cxNotification = (JMXConnectionNotification) notification; 083 String type = cxNotification.getType(); 084 String connectionId = cxNotification.getConnectionId(); 085 if (JMXConnectionNotification.OPENED.equals(type)) { 086 LoginContext context = threadContext.get(); 087 threadContext.set(null); 088 contextMap.put(connectionId, context); 089 } else { 090 LoginContext context = contextMap.remove(connectionId); 091 if (context != null) { 092 try { 093 context.logout(); 094 } catch (LoginException e) { 095 //nothing we can do here... 096 } 097 } 098 } 099 } 100 } 101 }