001 /** 002 * Licensed to the Apache Software Foundation (ASF) under one or more 003 * contributor license agreements. See the NOTICE file distributed with 004 * this work for additional information regarding copyright ownership. 005 * The ASF licenses this file to You under the Apache License, Version 2.0 006 * (the "License"); you may not use this file except in compliance with 007 * the License. You may obtain a copy of the License at 008 * 009 * http://www.apache.org/licenses/LICENSE-2.0 010 * 011 * Unless required by applicable law or agreed to in writing, software 012 * distributed under the License is distributed on an "AS IS" BASIS, 013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 014 * See the License for the specific language governing permissions and 015 * limitations under the License. 016 */ 017 018 package org.apache.geronimo.security.deployment; 019 020 import java.security.Principal; 021 import java.util.HashMap; 022 import java.util.HashSet; 023 import java.util.Map; 024 import java.util.Set; 025 import java.util.Collections; 026 027 import javax.xml.namespace.QName; 028 029 import org.apache.geronimo.common.DeploymentException; 030 import org.apache.geronimo.deployment.DeploymentContext; 031 import org.apache.geronimo.deployment.NamespaceDrivenBuilder; 032 import org.apache.geronimo.deployment.service.SingleGBeanBuilder; 033 import org.apache.geronimo.deployment.xbeans.PatternType; 034 import org.apache.geronimo.deployment.xmlbeans.XmlBeansUtil; 035 import org.apache.geronimo.gbean.AbstractName; 036 import org.apache.geronimo.gbean.GBeanData; 037 import org.apache.geronimo.gbean.GBeanInfo; 038 import org.apache.geronimo.gbean.GBeanInfoBuilder; 039 import org.apache.geronimo.gbean.AbstractNameQuery; 040 import org.apache.geronimo.j2ee.deployment.EARContext; 041 import org.apache.geronimo.j2ee.j2eeobjectnames.NameFactory; 042 import org.apache.geronimo.kernel.GBeanAlreadyExistsException; 043 import org.apache.geronimo.kernel.Naming; 044 import org.apache.geronimo.kernel.repository.Environment; 045 import org.apache.geronimo.security.deploy.LoginDomainPrincipalInfo; 046 import org.apache.geronimo.security.deploy.PrincipalInfo; 047 import org.apache.geronimo.security.deploy.RealmPrincipalInfo; 048 import org.apache.geronimo.security.deploy.Role; 049 import org.apache.geronimo.security.deploy.Security; 050 import org.apache.geronimo.security.deploy.SubjectInfo; 051 import org.apache.geronimo.security.jacc.ApplicationPolicyConfigurationManager; 052 import org.apache.geronimo.security.jacc.ApplicationPrincipalRoleConfigurationManager; 053 import org.apache.geronimo.security.util.ConfigurationUtil; 054 import org.apache.geronimo.security.credentialstore.CredentialStore; 055 import org.apache.geronimo.xbeans.geronimo.security.GerLoginDomainPrincipalType; 056 import org.apache.geronimo.xbeans.geronimo.security.GerPrincipalType; 057 import org.apache.geronimo.xbeans.geronimo.security.GerRealmPrincipalType; 058 import org.apache.geronimo.xbeans.geronimo.security.GerRoleMappingsType; 059 import org.apache.geronimo.xbeans.geronimo.security.GerRoleType; 060 import org.apache.geronimo.xbeans.geronimo.security.GerSecurityDocument; 061 import org.apache.geronimo.xbeans.geronimo.security.GerSecurityType; 062 import org.apache.geronimo.xbeans.geronimo.security.GerSubjectInfoType; 063 import org.apache.xmlbeans.QNameSet; 064 import org.apache.xmlbeans.XmlException; 065 import org.apache.xmlbeans.XmlObject; 066 067 /** 068 * @version $Rev: 560772 $ $Date: 2007-07-29 13:43:05 -0400 (Sun, 29 Jul 2007) $ 069 */ 070 public class GeronimoSecurityBuilderImpl implements NamespaceDrivenBuilder { 071 private static final QName SECURITY_QNAME = GerSecurityDocument.type.getDocumentElementName(); 072 private static final QNameSet SECURITY_QNAME_SET = QNameSet.singleton(SECURITY_QNAME); 073 private final AbstractNameQuery credentialStoreName; 074 075 public GeronimoSecurityBuilderImpl(AbstractNameQuery credentialStoreName) { 076 this.credentialStoreName = credentialStoreName; 077 } 078 079 public void buildEnvironment(XmlObject container, Environment environment) throws DeploymentException { 080 } 081 082 public void build(XmlObject container, DeploymentContext applicationContext, DeploymentContext moduleContext) throws DeploymentException { 083 EARContext earContext = (EARContext) applicationContext; 084 XmlObject[] items = container.selectChildren(SECURITY_QNAME_SET); 085 if (items.length > 1) { 086 throw new DeploymentException("Unexpected count of security elements in geronimo plan " + items.length + " qnameset: " + SECURITY_QNAME_SET); 087 } 088 if (items.length == 1) { 089 GerSecurityType securityType; 090 try { 091 securityType = (GerSecurityType) XmlBeansUtil.typedCopy(items[0], GerSecurityType.type); 092 } catch (XmlException e) { 093 throw new DeploymentException("Could not validate security element", e); 094 } 095 Security security = buildSecurityConfig(securityType); 096 ClassLoader classLoader = applicationContext.getClassLoader(); 097 SecurityConfiguration securityConfiguration = buildSecurityConfiguration(security, classLoader); 098 earContext.setSecurityConfiguration(securityConfiguration); 099 100 Naming naming = earContext.getNaming(); 101 GBeanData roleMapperData = configureRoleMapper(naming, earContext.getModuleName(), securityConfiguration); 102 try { 103 earContext.addGBean(roleMapperData); 104 } catch (GBeanAlreadyExistsException e) { 105 throw new DeploymentException("Role mapper gbean already present", e); 106 } 107 AbstractNameQuery credentialStoreName; 108 if (securityType.isSetCredentialStoreRef()) { 109 PatternType credentialStoreType = securityType.getCredentialStoreRef(); 110 credentialStoreName = SingleGBeanBuilder.buildAbstractNameQuery(credentialStoreType, NameFactory.GERONIMO_SERVICE, Collections.singleton(CredentialStore.class.getName())); 111 } else { 112 credentialStoreName = this.credentialStoreName; 113 } 114 GBeanData jaccBeanData = configureApplicationPolicyManager(naming, earContext.getModuleName(), earContext.getContextIDToPermissionsMap(), securityConfiguration, credentialStoreName); 115 jaccBeanData.setReferencePattern("PrincipalRoleMapper", roleMapperData.getAbstractName()); 116 try { 117 earContext.addGBean(jaccBeanData); 118 } catch (GBeanAlreadyExistsException e) { 119 throw new DeploymentException("JACC manager gbean already present", e); 120 } 121 earContext.setJaccManagerName(jaccBeanData.getAbstractName()); 122 } 123 } 124 125 private static SecurityConfiguration buildSecurityConfiguration(Security security, ClassLoader classLoader) { 126 Map<String, SubjectInfo> roleDesignates = security.getRoleSubjectMappings(); 127 Map<Principal, Set<String>> principalRoleMap = new HashMap<Principal, Set<String>>(); 128 Map<String, Set<Principal>> roleToPrincipalMap = new HashMap<String, Set<Principal>>(); 129 buildRolePrincipalMap(security, roleToPrincipalMap, classLoader); 130 invertMap(roleToPrincipalMap, principalRoleMap); 131 return new SecurityConfiguration(principalRoleMap, roleDesignates, security.getDefaultSubjectInfo(), security.getDefaultRole(), security.isDoAsCurrentCaller(), security.isUseContextHandler()); 132 } 133 134 private static Map invertMap(Map<String, Set<Principal>> roleToPrincipalMap, Map<Principal, Set<String>> principalRoleMapping) { 135 for (Map.Entry<String, Set<java.security.Principal>> entry : roleToPrincipalMap.entrySet()) { 136 String role = entry.getKey(); 137 Set<Principal> principals = entry.getValue(); 138 for (Principal principal : principals) { 139 140 Set<String> roleSet = principalRoleMapping.get(principal); 141 if (roleSet == null) { 142 roleSet = new HashSet<String>(); 143 principalRoleMapping.put(principal, roleSet); 144 } 145 roleSet.add(role); 146 } 147 } 148 return principalRoleMapping; 149 } 150 151 /** 152 * non-interface, used in some jetty/tomcat tests 153 * 154 * @param security Security object holding security info as it is extracted 155 * @param roleToPrincipalMap role to set of Principals mapping 156 * @param classLoader application classloader in case we need to load some principal classes. 157 */ 158 public static void buildRolePrincipalMap(Security security, Map<String, Set<Principal>> roleToPrincipalMap, ClassLoader classLoader) { 159 160 for (Object o : security.getRoleMappings().values()) { 161 Role role = (Role) o; 162 163 String roleName = role.getRoleName(); 164 Set<Principal> principalSet = new HashSet<Principal>(); 165 166 for (Object o1 : role.getRealmPrincipals()) { 167 RealmPrincipalInfo realmPrincipal = (RealmPrincipalInfo) o1; 168 Principal principal = ConfigurationUtil.generateRealmPrincipal(realmPrincipal.getRealm(), realmPrincipal.getDomain(), realmPrincipal, classLoader); 169 170 principalSet.add(principal); 171 } 172 173 for (Object o2 : role.getLoginDomainPrincipals()) { 174 LoginDomainPrincipalInfo domainPrincipal = (LoginDomainPrincipalInfo) o2; 175 Principal principal = ConfigurationUtil.generateDomainPrincipal(domainPrincipal.getDomain(), domainPrincipal, classLoader); 176 177 principalSet.add(principal); 178 } 179 180 for (Object o3 : role.getPrincipals()) { 181 PrincipalInfo plainPrincipalInfo = (PrincipalInfo) o3; 182 Principal principal = ConfigurationUtil.generatePrincipal(plainPrincipalInfo, classLoader); 183 184 principalSet.add(principal); 185 } 186 187 Set<Principal> roleMapping = roleToPrincipalMap.get(roleName); 188 if (roleMapping == null) { 189 roleMapping = new HashSet<Principal>(); 190 roleToPrincipalMap.put(roleName, roleMapping); 191 } 192 roleMapping.addAll(principalSet); 193 194 } 195 } 196 197 private Security buildSecurityConfig(GerSecurityType securityType) { 198 Security security; 199 200 if (securityType == null) { 201 return null; 202 } 203 security = new Security(); 204 205 security.setDoAsCurrentCaller(securityType.getDoasCurrentCaller()); 206 security.setUseContextHandler(securityType.getUseContextHandler()); 207 if (securityType.isSetDefaultRole()) { 208 security.setDefaultRole(securityType.getDefaultRole().trim()); 209 } 210 211 if (securityType.isSetRoleMappings()) { 212 GerRoleMappingsType roleMappingsType = securityType.getRoleMappings(); 213 for (int i = 0; i < roleMappingsType.sizeOfRoleArray(); i++) { 214 GerRoleType roleType = roleMappingsType.getRoleArray(i); 215 Role role = new Role(); 216 217 String roleName = roleType.getRoleName().trim(); 218 role.setRoleName(roleName); 219 220 if (roleType.isSetRunAsSubject()) { 221 SubjectInfo subjectInfo = buildSubjectInfo(roleType.getRunAsSubject()); 222 security.getRoleSubjectMappings().put(roleName, subjectInfo); 223 } 224 225 for (int j = 0; j < roleType.sizeOfRealmPrincipalArray(); j++) { 226 role.getRealmPrincipals().add(GeronimoSecurityBuilderImpl.buildRealmPrincipal(roleType.getRealmPrincipalArray(j))); 227 } 228 229 for (int j = 0; j < roleType.sizeOfLoginDomainPrincipalArray(); j++) { 230 role.getLoginDomainPrincipals().add(GeronimoSecurityBuilderImpl.buildDomainPrincipal(roleType.getLoginDomainPrincipalArray(j))); 231 } 232 233 for (int j = 0; j < roleType.sizeOfPrincipalArray(); j++) { 234 role.getPrincipals().add(buildPrincipal(roleType.getPrincipalArray(j))); 235 } 236 237 security.getRoleMappings().put(roleName, role); 238 } 239 } 240 241 security.setDefaultSubjectInfo(buildSubjectInfo(securityType.getDefaultSubject())); 242 243 return security; 244 } 245 246 private SubjectInfo buildSubjectInfo(GerSubjectInfoType defaultSubject) { 247 if (defaultSubject == null) { 248 return null; 249 } 250 String realmName = defaultSubject.getRealm().trim(); 251 String id = defaultSubject.getId().trim(); 252 return new SubjectInfo(realmName, id); 253 } 254 255 private static RealmPrincipalInfo buildRealmPrincipal(GerRealmPrincipalType realmPrincipalType) { 256 return new RealmPrincipalInfo(realmPrincipalType.getRealmName().trim(), realmPrincipalType.getDomainName().trim(), realmPrincipalType.getClass1().trim(), realmPrincipalType.getName().trim()); 257 } 258 259 private static LoginDomainPrincipalInfo buildDomainPrincipal(GerLoginDomainPrincipalType domainPrincipalType) { 260 return new LoginDomainPrincipalInfo(domainPrincipalType.getDomainName().trim(), domainPrincipalType.getClass1().trim(), domainPrincipalType.getName().trim()); 261 } 262 263 //used from TSSConfigEditor 264 public PrincipalInfo buildPrincipal(XmlObject xmlObject) { 265 GerPrincipalType principalType = (GerPrincipalType) xmlObject; 266 return new PrincipalInfo(principalType.getClass1().trim(), principalType.getName().trim()); 267 } 268 269 protected GBeanData configureRoleMapper(Naming naming, AbstractName moduleName, SecurityConfiguration securityConfiguration) { 270 AbstractName roleMapperName = naming.createChildName(moduleName, "RoleMapper", "RoleMapper"); 271 GBeanData roleMapperData = new GBeanData(roleMapperName, ApplicationPrincipalRoleConfigurationManager.GBEAN_INFO); 272 roleMapperData.setAttribute("principalRoleMap", securityConfiguration.getPrincipalRoleMap()); 273 return roleMapperData; 274 } 275 276 protected GBeanData configureApplicationPolicyManager(Naming naming, AbstractName moduleName, Map contextIDToPermissionsMap, SecurityConfiguration securityConfiguration, AbstractNameQuery credentialStoreName) { 277 AbstractName jaccBeanName = naming.createChildName(moduleName, NameFactory.JACC_MANAGER, NameFactory.JACC_MANAGER); 278 GBeanData jaccBeanData = new GBeanData(jaccBeanName, ApplicationPolicyConfigurationManager.GBEAN_INFO); 279 jaccBeanData.setAttribute("contextIdToPermissionsMap", contextIDToPermissionsMap); 280 Map<String, SubjectInfo> roleDesignates = securityConfiguration.getRoleDesignates(); 281 jaccBeanData.setAttribute("roleDesignates", roleDesignates); 282 jaccBeanData.setAttribute("defaultSubjectInfo", securityConfiguration.getDefaultSubjectInfo()); 283 if ((roleDesignates != null && !roleDesignates.isEmpty()) || securityConfiguration.getDefaultSubjectInfo() != null) { 284 jaccBeanData.setReferencePattern("CredentialStore", credentialStoreName); 285 } 286 return jaccBeanData; 287 } 288 289 public QNameSet getSpecQNameSet() { 290 return QNameSet.EMPTY; 291 } 292 293 public QNameSet getPlanQNameSet() { 294 return SECURITY_QNAME_SET; 295 } 296 297 public static final GBeanInfo GBEAN_INFO; 298 299 static { 300 GBeanInfoBuilder infoFactory = GBeanInfoBuilder.createStatic(GeronimoSecurityBuilderImpl.class, NameFactory.MODULE_BUILDER); 301 302 infoFactory.addAttribute("credentialStoreName", AbstractNameQuery.class, true, true); 303 infoFactory.setConstructor(new String[] {"credentialStoreName"}); 304 305 GBEAN_INFO = infoFactory.getBeanInfo(); 306 } 307 308 public static GBeanInfo getGBeanInfo() { 309 return GBEAN_INFO; 310 } 311 312 }