Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES
SUMMARY:  INNER | FIELD | CONSTR | METHOD DETAIL:  FIELD | CONSTR | METHOD

jrun.security
Class JRunSecurityManagerService

jrunx.kernel.ServiceAdapter
  |
  +--jrun.security.JRunSecurityManagerService
All Implemented Interfaces:
JRunSecurityManager, JRunSecurityManagerServiceMBean, javax.naming.Referenceable, java.io.Serializable, Service, ServiceMBean
public class JRunSecurityManagerService
extends ServiceAdapter
implements JRunSecurityManager

Default Service Implementation of JRunSecurityManager Interface

Author:
Ramesh Natarajan
See Also:
, Serialized Form

Field Summary
 boolean checkForSharedPrincipals
          Flag to turn on or off the checkForSharedPrincipals behavior.
static java.lang.String DEFAULT_SECURITY_ID
           
static java.lang.String DEFAULT_USER_PRINCIPAL
          Default User Principal is "guest".
 boolean guestAccessAllowed
          Flag set in jrun.xml to allow remote access as guest without providing username and password Set to true by default
 java.util.ArrayList hostNames
          List of Trusted hosts for interop
static java.lang.String SECURITY_CONTEXT_CACHE_NAME
           
static java.lang.String SECURITY_CONTEXT_CACHE_PREFIX
           
 
Fields inherited from class jrunx.kernel.ServiceAdapter
DEFAULT_DEACTIVATED, DEFAULT_DOMAIN, DOMAIN_NAME_SEPARATOR, DOMAIN_NAME_SUFFIX, domainName, jndiBindable, LOGGER_CACHE_TIME, SCHEDULER_SERVICE, SECURITY_MANAGER, server, status, TRANSACTION_MANAGER
 
Fields inherited from interface jrunx.kernel.Service
INITIALIZED, STARTED, STARTING, STOPPED, STOPPING, UNINITIALIZED
 
Constructor Summary
JRunSecurityManagerService()
           
 
Method Summary
 void addLoginModule(java.lang.String domain, java.util.Properties loginModule)
          Add the specified login module to the security configuration.
protected  boolean authenticate(java.lang.String mode, java.security.Principal p, java.lang.Object credential, java.lang.String securityDomain)
          Authenticate the User against the Credential (which can be a password) or a role depending on the mode param
 java.lang.Object authenticateInternalSecurityContext(java.security.Principal principal, java.lang.Object credential)
           
 java.lang.Object authenticateSecurityContext(java.lang.Object principalname, java.lang.Object credential)
          Authenticate the Principal Credential pair and return Object containing SecurityContextId Uses the default SecurityContext implementation, JRunSecurityContext
 java.lang.Object authenticateSecurityContext(java.lang.Object principalname, java.lang.Object credential, java.lang.String hostName)
          Authentication for trusted hosts If the hostname is part of the trusted hosts collection, no authentication is needed We create a new security context andd return the securityID
 java.lang.Object authenticateSecurityContext(java.security.Principal principal, java.lang.Object credential)
          Authenticate this principal/credential pair and return a SecurityContextId
 boolean checkSharedPrincipals(java.util.Collection permissions, SimplePrincipal thisRole)
          This method is called when a bean has a runAs identity and the runAs role is not one of the permissioned roles for the current EJB method.
 void closeSecurityContext(java.lang.Object securityContextId)
          Close the SecurityContext
 java.lang.String getAuthConfig()
           
 boolean getCheckForSharedPrincipals()
           
 JRunSecurityManager getJRunSecurityManager()
          Return this instance.
 java.util.ArrayList getLoginModules(java.lang.String domain)
           
 java.lang.String getRoleMappingDomain()
           
 SimplePrincipal getRunAsIdentityPrincipal(SimplePrincipal thisRole)
          This calls returns a principal associated with the role.
 SecurityContext getSecurityContext(java.lang.Object Id)
          Returns the SecurityContext for the given Id Returns a null if the Context id is invalid
 java.lang.String getSecurityDomain()
           
 void init()
          Sets the auth.config property if it has not been set.
 boolean isGuestAccessAllowed()
          Flag set in jrun.xml to allow remote access as guest without providing username and password Set to true by default
 boolean isPrincipalInRole(java.security.Principal principal, java.util.Collection roles, java.lang.String containerRoleMapDomain)
          Is the principal set up to play one of the roles in the set ?
 boolean isPrincipalValid(java.security.Principal p, java.lang.Object credential, java.lang.String containerSecurityDomain)
          Authenticate without Client Id, but specify a securityDomain
 void modifyLoginModule(java.lang.String domain, java.util.Properties originalModule, java.util.Properties updateModule)
          Update the properties for the specified login module in the specified domain.
 void removeLoginModule(java.lang.String domain, java.util.Properties loginModule)
          Remove the specified login module from the security configuration.
 void setAuthConfig(java.lang.String configFileName)
          filename for JAAS configuration
 void setCheckForSharedPrincipals(boolean checkForSharedPrincipals)
          Flag to turn ON checking for shared principals when method authorization fails for an EJB running under runAS identity.
 void setGuestAccessAllowed(boolean guestAccessAllowed)
           
 void setRoleMappingDomain(java.lang.String domain)
          The RoleMappingDomain value for Role Resource Authorization can be customized according to the container type.
 void setSecurityDomain(java.lang.String domain)
          SecurityDomain property decides the configuration in the auth.config file that JAAS uses for authentication This is only for Principal, Credential Authentication.
 void setTrustedHost(java.lang.String hostName)
          List of trusted hosts for interop
 void start()
          Every service other than mere data collections should start
 
Methods inherited from class jrunx.kernel.ServiceAdapter
bind, destroy, findObjectInstance, findObjectInstance, findObjectInstance, getBindToJNDI, getDeactivated, getDomainName, getDomainSearchPath, getJRunService, getLogger, getName, getParentService, getReference, getResourceManager, getServerName, getServerProperties, getStatus, invokeMethod, isInPartition, isPartition, lookup, postDeregister, postRegister, preDeregister, preRegister, requestServer, scheduleRunnable, setBindToJNDI, setDeactivated, setDomainName, setName, setParentService, stop, toString, unbind, unscheduleRunnable, updateStatus
 
Methods inherited from interface jrunx.kernel.ServiceMBean
bind, getBindToJNDI, getDeactivated, getDomainName, getJRunService, getLogger, getName, getParentService, getServerName, requestServer, setBindToJNDI, setDeactivated, setDomainName, setName, setParentService, unbind
 
Methods inherited from interface jrunx.kernel.Service
destroy, getStatus, stop, updateStatus
 

Field Detail

checkForSharedPrincipals

public boolean checkForSharedPrincipals
Flag to turn on or off the checkForSharedPrincipals behavior. Default value is false This means, if a method is invoked on an EJB using runAs identity, the principals shared between the permissioned roles and the runAs roles, are checked and if found, the call on the EJB method is authorized, else rejected. This check is made only if these two conditions are met: 1. The EJB is running under runAs identity from the calling EJB 2. The runAs role is not in the permissioned roles set

hostNames

public java.util.ArrayList hostNames
List of Trusted hosts for interop

guestAccessAllowed

public boolean guestAccessAllowed
Flag set in jrun.xml to allow remote access as guest without providing username and password Set to true by default

DEFAULT_USER_PRINCIPAL

public static final java.lang.String DEFAULT_USER_PRINCIPAL
Default User Principal is "guest". Added in JRunUserManager only for jrun-users.xml, not for custome user stores

DEFAULT_SECURITY_ID

public static final java.lang.String DEFAULT_SECURITY_ID

SECURITY_CONTEXT_CACHE_PREFIX

public static final java.lang.String SECURITY_CONTEXT_CACHE_PREFIX

SECURITY_CONTEXT_CACHE_NAME

public static final java.lang.String SECURITY_CONTEXT_CACHE_NAME
Constructor Detail

JRunSecurityManagerService

public JRunSecurityManagerService()
Method Detail

setSecurityDomain

public void setSecurityDomain(java.lang.String domain)
Description copied from interface: JRunSecurityManagerServiceMBean

SecurityDomain property decides the configuration in the auth.config file that JAAS uses for authentication This is only for Principal, Credential Authentication.

Specified by:
setSecurityDomain in interface JRunSecurityManagerServiceMBean

getSecurityDomain

public java.lang.String getSecurityDomain()
Specified by:
getSecurityDomain in interface JRunSecurityManagerServiceMBean

setRoleMappingDomain

public void setRoleMappingDomain(java.lang.String domain)
Description copied from interface: JRunSecurityManagerServiceMBean

The RoleMappingDomain value for Role Resource Authorization can be customized according to the container type. The default value comes from jrun.xml

Specified by:
setRoleMappingDomain in interface JRunSecurityManagerServiceMBean

getRoleMappingDomain

public java.lang.String getRoleMappingDomain()
Specified by:
getRoleMappingDomain in interface JRunSecurityManagerServiceMBean

setAuthConfig

public void setAuthConfig(java.lang.String configFileName)
Description copied from interface: JRunSecurityManagerServiceMBean
filename for JAAS configuration
Specified by:
setAuthConfig in interface JRunSecurityManagerServiceMBean

getAuthConfig

public java.lang.String getAuthConfig()
Specified by:
getAuthConfig in interface JRunSecurityManagerServiceMBean

getCheckForSharedPrincipals

public boolean getCheckForSharedPrincipals()
Specified by:
getCheckForSharedPrincipals in interface JRunSecurityManagerServiceMBean

setCheckForSharedPrincipals

public void setCheckForSharedPrincipals(boolean checkForSharedPrincipals)
Description copied from interface: JRunSecurityManagerServiceMBean
Flag to turn ON checking for shared principals when method authorization fails for an EJB running under runAS identity. Default value is false
Specified by:
setCheckForSharedPrincipals in interface JRunSecurityManagerServiceMBean

setTrustedHost

public void setTrustedHost(java.lang.String hostName)
Description copied from interface: JRunSecurityManagerServiceMBean
List of trusted hosts for interop
Specified by:
setTrustedHost in interface JRunSecurityManagerServiceMBean

isGuestAccessAllowed

public boolean isGuestAccessAllowed()
Description copied from interface: JRunSecurityManagerServiceMBean
Flag set in jrun.xml to allow remote access as guest without providing username and password Set to true by default
Specified by:
isGuestAccessAllowed in interface JRunSecurityManagerServiceMBean

setGuestAccessAllowed

public void setGuestAccessAllowed(boolean guestAccessAllowed)
Specified by:
setGuestAccessAllowed in interface JRunSecurityManagerServiceMBean

init

public void init()
          throws java.lang.Exception
Sets the auth.config property if it has not been set. This property specifies which file JAAS should look in for LoginModule configuration information. Also creates a default SecurityContext with ID as JRunSecurityManagerService.DEFAULT_SECURITY_ID
Specified by:
init in interface Service
Overrides:
init in class ServiceAdapter

start

public void start()
           throws java.lang.Exception
Description copied from class: ServiceAdapter
Every service other than mere data collections should start
Specified by:
start in interface Service
Overrides:
start in class ServiceAdapter

authenticateSecurityContext

public java.lang.Object authenticateSecurityContext(java.lang.Object principalname,
                                                    java.lang.Object credential)
                                             throws JRunSecurityException
Authenticate the Principal Credential pair and return Object containing SecurityContextId Uses the default SecurityContext implementation, JRunSecurityContext
Specified by:
authenticateSecurityContext in interface JRunSecurityManagerServiceMBean

authenticateSecurityContext

public java.lang.Object authenticateSecurityContext(java.lang.Object principalname,
                                                    java.lang.Object credential,
                                                    java.lang.String hostName)
                                             throws java.lang.Exception
Authentication for trusted hosts If the hostname is part of the trusted hosts collection, no authentication is needed We create a new security context andd return the securityID
Specified by:
authenticateSecurityContext in interface JRunSecurityManagerServiceMBean

authenticateSecurityContext

public java.lang.Object authenticateSecurityContext(java.security.Principal principal,
                                                    java.lang.Object credential)
                                             throws JRunSecurityException
Description copied from interface: JRunSecurityManagerServiceMBean
Authenticate this principal/credential pair and return a SecurityContextId
Specified by:
authenticateSecurityContext in interface JRunSecurityManagerServiceMBean

authenticateInternalSecurityContext

public java.lang.Object authenticateInternalSecurityContext(java.security.Principal principal,
                                                            java.lang.Object credential)
                                                     throws JRunSecurityException

getSecurityContext

public SecurityContext getSecurityContext(java.lang.Object Id)
Returns the SecurityContext for the given Id Returns a null if the Context id is invalid
Specified by:
getSecurityContext in interface JRunSecurityManagerServiceMBean

isPrincipalValid

public boolean isPrincipalValid(java.security.Principal p,
                                java.lang.Object credential,
                                java.lang.String containerSecurityDomain)
Authenticate without Client Id, but specify a securityDomain
Specified by:
isPrincipalValid in interface JRunSecurityManagerServiceMBean

isPrincipalInRole

public boolean isPrincipalInRole(java.security.Principal principal,
                                 java.util.Collection roles,
                                 java.lang.String containerRoleMapDomain)
Is the principal set up to play one of the roles in the set ?
Specified by:
isPrincipalInRole in interface JRunSecurityManagerServiceMBean

authenticate

protected boolean authenticate(java.lang.String mode,
                               java.security.Principal p,
                               java.lang.Object credential,
                               java.lang.String securityDomain)
                        throws JRunSecurityException
Authenticate the User against the Credential (which can be a password) or a role depending on the mode param

closeSecurityContext

public void closeSecurityContext(java.lang.Object securityContextId)
Close the SecurityContext
Specified by:
closeSecurityContext in interface JRunSecurityManagerServiceMBean

getJRunSecurityManager

public JRunSecurityManager getJRunSecurityManager()
Return this instance. Used for getting hold of the JRunSecurityManager through JMX
Specified by:
getJRunSecurityManager in interface JRunSecurityManagerServiceMBean

checkSharedPrincipals

public boolean checkSharedPrincipals(java.util.Collection permissions,
                                     SimplePrincipal thisRole)
This method is called when a bean has a runAs identity and the runAs role is not one of the permissioned roles for the current EJB method. In such cases we check to see if the runAs role shares any user principals with the permissioned roles for this method. If so, this method authorization returns true
Specified by:
checkSharedPrincipals in interface JRunSecurityManagerServiceMBean

getRunAsIdentityPrincipal

public SimplePrincipal getRunAsIdentityPrincipal(SimplePrincipal thisRole)
This calls returns a principal associated with the role. If more than one principal is defined under this role, the first one is returned Only applicable if shared principals flag is set to true
Specified by:
getRunAsIdentityPrincipal in interface JRunSecurityManagerServiceMBean

getLoginModules

public java.util.ArrayList getLoginModules(java.lang.String domain)
Specified by:
getLoginModules in interface JRunSecurityManagerServiceMBean

addLoginModule

public void addLoginModule(java.lang.String domain,
                           java.util.Properties loginModule)
                    throws JRunSecurityException
Add the specified login module to the security configuration.
Specified by:
addLoginModule in interface JRunSecurityManagerServiceMBean

removeLoginModule

public void removeLoginModule(java.lang.String domain,
                              java.util.Properties loginModule)
                       throws JRunSecurityException
Remove the specified login module from the security configuration.
Specified by:
removeLoginModule in interface JRunSecurityManagerServiceMBean

modifyLoginModule

public void modifyLoginModule(java.lang.String domain,
                              java.util.Properties originalModule,
                              java.util.Properties updateModule)
                       throws JRunSecurityException
Update the properties for the specified login module in the specified domain. Since there is no unique identifier for login module, both the current login module properties and the new login module properites must be specified.
Specified by:
modifyLoginModule in interface JRunSecurityManagerServiceMBean
Overview  Package   Class  Tree  Deprecated  Index  Help 
 PREV CLASS   NEXT CLASS FRAMES    NO FRAMES
SUMMARY:  INNER | FIELD | CONSTR | METHOD DETAIL:  FIELD | CONSTR | METHOD
Copyright � 2002 Macromedia Corporation. All Rights Reserved.