org.jboss.web.tomcat.security: public class: SecurityAssociationValve

org.jboss.web.tomcat.security
public class: SecurityAssociationValve [javadoc | source]

java.lang.Object
   org.apache.catalina.valves.ValveBase
      org.jboss.web.tomcat.security.SecurityAssociationValve

A Valve that sets/clears the SecurityAssociation information associated with the request thread for identity propagation.

author: Scott.Stark - @jboss.org

author: Thomas.Diesler - @jboss.org

author: Anil.Saldhana - @jboss.org

version: $ - Revision: 67525 $

Field Summary
public static ThreadLocal	userPrincipal
public static ThreadLocal	activeWebMetaData	Maintain the active WebMetaData for request security checks
public static ThreadLocal	activeRequest	Maintain the Catalina Request for programmatic web login
public static ThreadLocal	activeResponse	Maintain the Catalina Response for programmatic web login

Constructor:
public SecurityAssociationValve(JBossWebMetaData metaData, JaasSecurityManagerServiceMBean secMgrService) { this.metaData = metaData; this.secMgrService = secMgrService; this.trace = log.isTraceEnabled(); }

Constructor:

 public SecurityAssociationValve(JBossWebMetaData metaData,
    JaasSecurityManagerServiceMBean secMgrService) {
  
      this.metaData = metaData;
      this.secMgrService = secMgrService;
      this.trace = log.isTraceEnabled();
}

Method from org.jboss.web.tomcat.security.SecurityAssociationValve Summary:
invoke, setSubjectAttributeName

Methods from java.lang.Object:
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from org.jboss.web.tomcat.security.SecurityAssociationValve Detail:
public void invoke(Request request, Response response) throws IOException, ServletException { Session session = null; // Get the request caller which could be set due to SSO Principal caller = request.getPrincipal(); // The cached web container principal JBossGenericPrincipal principal = null; HttpSession hsession = request.getSession(false); if( trace ) log.trace("Begin invoke, caller"+caller); // Set the active meta data activeWebMetaData.set(metaData); //Set the active request and response objects activeRequest.set(request); activeResponse.set(response); try { Wrapper servlet = null; try { servlet = request.getWrapper(); if (servlet != null) { String name = servlet.getName(); RunAsIdentityMetaData identity = metaData.getRunAsIdentity(name); RunAsIdentity runAsIdentity = null; if(identity != null) { if (trace) log.trace(name + ", runAs: " + identity); runAsIdentity = new RunAsIdentity(identity.getRoleName(), identity.getPrincipalName(), identity.getRunAsRoles()); } SecurityAssociationActions.pushRunAsIdentity(runAsIdentity); } userPrincipal.set(caller); // If there is a session, get the tomcat session for the principal Manager manager = container.getManager(); if (manager != null && hsession != null) { try { session = manager.findSession(hsession.getId()); } catch (IOException ignore) { } } if (caller == null \|\| (caller instanceof JBossGenericPrincipal) == false) { // Look to the session for the active caller security context if (session != null) { principal = (JBossGenericPrincipal) session.getPrincipal(); } } else { // Use the request principal as the caller identity principal = (JBossGenericPrincipal) caller; } // If there is a caller use this as the identity to propagate if (principal != null) { if (trace) log.trace("Restoring principal info from cache"); SecurityAssociationActions.setPrincipalInfo(principal.getAuthPrincipal(), principal.getCredentials(), principal.getSubject()); } // Put the authenticated subject in the session if requested if (subjectAttributeName != null) { javax.naming.Context securityNamingCtx = getSecurityNamingContext(); if (securityNamingCtx != null) { // Get the JBoss security manager from the ENC context AuthenticationManager securityMgr = (AuthenticationManager) securityNamingCtx.lookup("securityMgr"); Subject subject = securityMgr.getActiveSubject(); request.getRequest().setAttribute(subjectAttributeName, subject); } } } catch (Throwable e) { log.debug("Failed to determine servlet", e); } // Perform the request getNext().invoke(request, response); if(servlet != null) { SecurityAssociationActions.popRunAsIdentity(); } /* If the security domain cache is to be kept in synch with the session then flush the cache if the session has been invalidated. */ if( secMgrService != null && session != null && session.isValid() == false && metaData.isFlushOnSessionInvalidation() == true ) { if( principal != null ) { String securityDomain = metaData.getSecurityDomain(); if (trace) { log.trace("Session is invalid, security domain: "+securityDomain +", user="+principal); } try { Principal authPrincipal = principal.getAuthPrincipal(); secMgrService.flushAuthenticationCache(securityDomain, authPrincipal); } catch(Exception e) { log.debug("Failed to flush auth cache", e); } } } } finally { if( trace ) log.trace("End invoke, caller"+caller); activeWebMetaData.set(null); userPrincipal.set(null); activeRequest.set(null); activeResponse.set(null); } }
public void setSubjectAttributeName(String subjectAttributeName) { this.subjectAttributeName = subjectAttributeName; if (subjectAttributeName != null && subjectAttributeName.length() == 0) this.subjectAttributeName = null; } The name of the request attribute under with the authenticated JAAS Subject is stored on successful authentication. If null or empty then the Subject will not be stored.

Method from org.jboss.web.tomcat.security.SecurityAssociationValve Detail:

 public  void invoke(Request request,
    Response response) throws IOException, ServletException {
      Session session = null;
      // Get the request caller which could be set due to SSO 
      Principal caller = request.getPrincipal();
      // The cached web container principal
      JBossGenericPrincipal principal = null;
      HttpSession hsession = request.getSession(false);
      if( trace )
         log.trace("Begin invoke, caller"+caller);
      // Set the active meta data
      activeWebMetaData.set(metaData); 
      //Set the active request and response objects
      activeRequest.set(request);
      activeResponse.set(response);
      try
      {
         Wrapper servlet = null;
         try
         {
            servlet = request.getWrapper();
            if (servlet != null)
            {
               String name = servlet.getName();
               RunAsIdentityMetaData identity = metaData.getRunAsIdentity(name);
               RunAsIdentity runAsIdentity = null;
               if(identity != null)
               {
                  if (trace)
                     log.trace(name + ", runAs: " + identity);
                  runAsIdentity = new RunAsIdentity(identity.getRoleName(),
                        identity.getPrincipalName(), identity.getRunAsRoles());
               }
               SecurityAssociationActions.pushRunAsIdentity(runAsIdentity); 
            }
            userPrincipal.set(caller);
            // If there is a session, get the tomcat session for the principal
            Manager manager = container.getManager();
            if (manager != null && hsession != null)
            {
               try
               {
                  session = manager.findSession(hsession.getId());
               }
               catch (IOException ignore)
               {
               }
            }
            if (caller == null || (caller instanceof JBossGenericPrincipal) == false)
            {
               // Look to the session for the active caller security context
               if (session != null)
               {
                  principal =
                     (JBossGenericPrincipal) session.getPrincipal();
               }
            }
            else
            {
               // Use the request principal as the caller identity
               principal = (JBossGenericPrincipal) caller;
            }
            // If there is a caller use this as the identity to propagate
            if (principal != null)
            {
               if (trace)
                  log.trace("Restoring principal info from cache");
               SecurityAssociationActions.setPrincipalInfo(principal.getAuthPrincipal(),
                  principal.getCredentials(), principal.getSubject());  
            }
            // Put the authenticated subject in the session if requested
            if (subjectAttributeName != null)
            {
               javax.naming.Context securityNamingCtx = getSecurityNamingContext();
               if (securityNamingCtx != null)
               {
                  // Get the JBoss security manager from the ENC context
                  AuthenticationManager securityMgr = (AuthenticationManager) securityNamingCtx.lookup("securityMgr");
                  Subject subject = securityMgr.getActiveSubject();
                  request.getRequest().setAttribute(subjectAttributeName, subject);
               }
            }
         }
         catch (Throwable e)
         {
            log.debug("Failed to determine servlet", e);
         }
         // Perform the request
         getNext().invoke(request, response);
         if(servlet != null)
         { 
            SecurityAssociationActions.popRunAsIdentity();
         }
         /* If the security domain cache is to be kept in synch with the
         session then flush the cache if the session has been invalidated.
         */
         if( secMgrService != null &&
            session != null && session.isValid() == false &&
            metaData.isFlushOnSessionInvalidation() == true )
         {
            if( principal != null )
            {
               String securityDomain = metaData.getSecurityDomain();
               if (trace)
               {
                  log.trace("Session is invalid, security domain: "+securityDomain
                     +", user="+principal);
               }
               try
               {
                  Principal authPrincipal = principal.getAuthPrincipal();
                  secMgrService.flushAuthenticationCache(securityDomain, authPrincipal);
               }
               catch(Exception e)
               {
                  log.debug("Failed to flush auth cache", e);
               }
            }
         } 
      }
      finally
      {
         if( trace )
            log.trace("End invoke, caller"+caller);
         activeWebMetaData.set(null);
         userPrincipal.set(null);
         activeRequest.set(null);
         activeResponse.set(null);
      }
}

 public  void setSubjectAttributeName(String subjectAttributeName) {
      this.subjectAttributeName = subjectAttributeName;
      if (subjectAttributeName != null && subjectAttributeName.length() == 0)
         this.subjectAttributeName = null;
}

The name of the request attribute under with the authenticated JAAS Subject is stored on successful authentication. If null or empty then the Subject will not be stored.