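  /**
   * Commits the authentication state established by the login phase into the Subject.
   *
   * <p>Following the JAAS {@code LoginModule} contract, when this module did not authenticate the
   * user the interim state is cleared and {@code false} is returned so the overall login can still
   * be decided by other modules. On success a {@code JAASPrincipal} for the user and one role
   * principal per entry returned by {@code getUserGroups} are added to the Subject.
   *
   * @return {@code true} once the Subject has been populated; {@code false} if this module did not
   *     authenticate the user
   * @throws LoginException if populating the Subject fails; the original exception is attached as
   *     the cause so the real failure is not lost
   * @see javax.security.auth.spi.LoginModule#commit()
   */
  @Override
  public boolean commit() throws LoginException {
    if (!authenticated) {
      resetStateData();
      return false;
    }

    try {
      // create Jetty JAASPrincipal
      userPrincipal = new JAASPrincipal(currentUser.name);

      // create Jetty JAASRole
      rolePrincipals = getUserGroups(currentUser.name);

      // update Subject
      subject.getPrincipals().add(userPrincipal);
      subject.getPrincipals().addAll(rolePrincipals);

      if (LOG.isDebugEnabled()) {
        // Log the principals only: Subject#toString() also renders the Subject's private
        // credentials (passwords, tickets), which must not be written to the log.
        LOG.debug("JAAS commit: principals=" + subject.getPrincipals());
      }

      commited = true;
      return commited;
    } catch (Exception e) {
      LOG.error("JAAS commit() failure", e);
      resetStateData();
      // LoginException has no (message, cause) constructor; chain the cause explicitly so the
      // stack trace of the underlying failure survives instead of only its message.
      LoginException le = new LoginException(e.getMessage());
      le.initCause(e);
      throw le;
    }
  }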
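  /**
   * Checks that credential placeholders are expanded combinatorially when the Subject carries
   * several values for the same credential type.
   *
   * <p>The Subject holds two {@code name} values, two {@code company} values and one {@code age}
   * value. Six template permissions are resolved against it; a template referencing two
   * multi-valued credentials must yield one permission per combination, so the expected outcome is
   * 1 + 2 + 2 + 4 + 4 + 4 = 17 concrete permissions. The test asserts both that every resolved
   * permission is implied by the expected set (nothing the expected set does not cover slipped in)
   * and that the count is exactly 17 (no combination was dropped).
   *
   * @throws Throwable propagated from the resolver or the assertions
   */
  public void testEvaluateCombinativePermissionCollection() throws Throwable {
    PermissionUtils.setCachesEnabled(true);
    PermissionUtils.createCaches();

    // Subject with multi-valued name and company credentials and a single age credential.
    Subject subject = new Subject();
    subject.getPublicCredentials().add(new JGuardCredential(NAME, USER_A));
    subject.getPublicCredentials().add(new JGuardCredential(NAME, USER_B));
    subject.getPublicCredentials().add(new JGuardCredential(COMPANY, COMPANY_A));
    subject.getPublicCredentials().add(new JGuardCredential(COMPANY, COMPANY_B));
    subject.getPublicCredentials().add(new JGuardCredential(AGE, DUMMY_AGE));

    if (logger.isDebugEnabled()) {
      logger.debug("---- logging subject ----");
      logger.debug(subject.toString());
    }

    UserPrincipal userPrincipal = new UserPrincipal(subject);

    ProtectionDomain protectionDomain =
        new ProtectionDomain(null, new Permissions(), null, new Principal[] {userPrincipal});

    // Template permissions: no placeholder (p1), one multi-valued placeholder (p2, p3), two
    // multi-valued placeholders (p4 with age, p5 company twice) and a URL with three (p6).
    PermissionCollection pc = new Permissions();
    pc.add(new FilePermission("file://home", "read"));
    pc.add(new FilePermission("file://home/user/${subject.publicCredentials.name}", "read"));
    pc.add(new FilePermission("file://home/user/${subject.publicCredentials.company}", "read"));
    pc.add(
        new FilePermission(
            "file://home/user/${subject.publicCredentials.name}/"
                + "${subject.publicCredentials.company}/${subject.publicCredentials.age}",
            "read"));
    pc.add(
        new FilePermission(
            "file://home/user/${subject.publicCredentials.company}/${subject.publicCredentials.company}",
            "read"));
    pc.add(
        new URLPermission(
            "index",
            "http://www.website.com/index.html?name=${subject.publicCredentials.name}&company=${subject.publicCredentials.company}&age=${subject.publicCredentials.age}"));

    if (logger.isDebugEnabled()) {
      logger.debug("---- logging unresolved permissions ----");
      Enumeration<Permission> unresolvedPermEnum = pc.elements();
      while (unresolvedPermEnum.hasMoreElements()) {
        logger.debug(unresolvedPermEnum.nextElement().toString());
      }
    }

    // Expected concrete permissions: one per combination of the credential values
    // (the literals presumably match USER_A/USER_B, COMPANY_A/COMPANY_B and DUMMY_AGE).
    PermissionCollection expectedPc = new Permissions();
    expectedPc.add(new FilePermission("file://home", "read"));
    expectedPc.add(new FilePermission("file://home/user/userA", "read"));
    expectedPc.add(new FilePermission("file://home/user/userB", "read"));
    expectedPc.add(new FilePermission("file://home/user/companyA", "read"));
    expectedPc.add(new FilePermission("file://home/user/companyB", "read"));
    expectedPc.add(new FilePermission("file://home/user/userA/companyA/100", "read"));
    expectedPc.add(new FilePermission("file://home/user/userA/companyB/100", "read"));
    expectedPc.add(new FilePermission("file://home/user/userB/companyA/100", "read"));
    expectedPc.add(new FilePermission("file://home/user/userB/companyB/100", "read"));
    expectedPc.add(new FilePermission("file://home/user/companyA/companyA", "read"));
    expectedPc.add(new FilePermission("file://home/user/companyA/companyB", "read"));
    expectedPc.add(new FilePermission("file://home/user/companyB/companyA", "read"));
    expectedPc.add(new FilePermission("file://home/user/companyB/companyB", "read"));
    expectedPc.add(
        new URLPermission(
            "index", "http://www.website.com/index.html?name=userA&company=companyA&age=100"));
    expectedPc.add(
        new URLPermission(
            "index", "http://www.website.com/index.html?name=userA&company=companyB&age=100"));
    expectedPc.add(
        new URLPermission(
            "index", "http://www.website.com/index.html?name=userB&company=companyA&age=100"));
    expectedPc.add(
        new URLPermission(
            "index", "http://www.website.com/index.html?name=userB&company=companyB&age=100"));

    // getting resolved permissions
    PermissionCollection resolvedPc =
        PrincipalUtils.evaluatePermissionCollection(protectionDomain, pc);

    if (logger.isDebugEnabled()) {
      logger.debug("---- logging expected permissions ----");
      Enumeration<Permission> expectedPermEnum = expectedPc.elements();
      while (expectedPermEnum.hasMoreElements()) {
        logger.debug(expectedPermEnum.nextElement().toString());
      }

      logger.debug("---- logging resolved permissions ----");
    }

    int collectionSize = 0;
    Enumeration<Permission> permEnum = resolvedPc.elements();
    while (permEnum.hasMoreElements()) {
      Permission resolvedPerm = permEnum.nextElement();
      if (logger.isDebugEnabled()) {
        logger.debug("verify implies for " + resolvedPerm);
      }
      // Rejects any resolved permission the expected set does not imply.
      assertTrue(expectedPc.implies(resolvedPerm));
      collectionSize++;
    }
    // The implies check cannot detect a missing combination; the count does.
    assertEquals(17, collectionSize);
  }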
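  /**
   * Checks placeholder resolution against a Subject that carries exactly one {@code name} and one
   * {@code company} credential.
   *
   * <p>Seven template permissions are resolved. {@code p5} references an {@code age} credential
   * the Subject does not have; the expected set deliberately contains no counterpart for it and
   * the size assertion (6, not 7) verifies that an unresolvable placeholder is dropped rather than
   * turned into a literal or wildcard target. Every resolved permission must be implied by the
   * expected set.
   *
   * @throws Throwable propagated from the resolver or the assertions
   */
  public void testEvaluatePermissionCollection() throws Throwable {
    PermissionUtils.setCachesEnabled(true);
    PermissionUtils.createCaches();

    // Subject with a single name and a single company credential (no age).
    Subject subjectA = new Subject();
    subjectA.getPublicCredentials().add(new JGuardCredential(NAME, USER_A));
    subjectA.getPublicCredentials().add(new JGuardCredential(COMPANY, COMPANY_A));

    if (logger.isDebugEnabled()) {
      logger.debug("---- logging subject ----");
      logger.debug(subjectA.toString());
    }

    UserPrincipal userPrincipal = new UserPrincipal(subjectA);

    ProtectionDomain protectionDomain =
        new ProtectionDomain(null, new Permissions(), null, new Principal[] {userPrincipal});

    PermissionCollection pc = new Permissions();
    pc.add(new FilePermission("file://home", "read"));
    pc.add(new FilePermission("file://home/user/${subject.publicCredentials.name}", "read"));
    pc.add(new FilePermission("file://home/user/${subject.publicCredentials.company}", "read"));
    pc.add(
        new FilePermission(
            "file://home/user/${subject.publicCredentials.name}/"
                + "${subject.publicCredentials.company}/${subject.publicCredentials.name}/"
                + "${subject.publicCredentials.name}/${subject.publicCredentials.company}",
            "read"));
    // p5: the Subject has no age credential, so this template must not resolve at all.
    pc.add(new FilePermission("file://home/user/${subject.publicCredentials.age}", "read"));
    pc.add(
        new URLPermission(
            "index", "http://www.website.com/index.html?name=${subject.publicCredentials.name}"));
    // p7: the host contains a non-ASCII character (shown mis-encoded here — confirm the
    // original bytes in version control).
    pc.add(
        new URLPermission(
            "index2", "http://www.web�site.com/index.html?name=${subject.publicCredentials.name}"));

    if (logger.isDebugEnabled()) {
      logger.debug("---- logging unresolved permissions ----");
      Enumeration<Permission> unresolvedPermEnum = pc.elements();
      while (unresolvedPermEnum.hasMoreElements()) {
        logger.debug(unresolvedPermEnum.nextElement().toString());
      }
    }

    // Expected concrete permissions; note there is intentionally no entry for p5.
    PermissionCollection expectedPc = new Permissions();
    expectedPc.add(new FilePermission("file://home", "read"));
    expectedPc.add(new FilePermission("file://home/user/userA", "read"));
    expectedPc.add(new FilePermission("file://home/user/companyA", "read"));
    expectedPc.add(
        new FilePermission("file://home/user/userA/companyA/userA/userA/companyA", "read"));
    expectedPc.add(new URLPermission("index", "http://www.website.com/index.html?name=userA"));
    expectedPc.add(new URLPermission("index2", "http://www.web�site.com/index.html?name=userA"));

    // getting resolved permissions
    PermissionCollection resolvedPc =
        PrincipalUtils.evaluatePermissionCollection(protectionDomain, pc);

    if (logger.isDebugEnabled()) {
      logger.debug("---- logging expected permissions ----");
      Enumeration<Permission> expectedPermEnum = expectedPc.elements();
      while (expectedPermEnum.hasMoreElements()) {
        logger.debug(expectedPermEnum.nextElement().toString());
      }

      logger.debug("---- logging resolved permissions ----");
    }

    int collectionSize = 0;
    Enumeration<Permission> permEnum = resolvedPc.elements();
    while (permEnum.hasMoreElements()) {
      Permission resolvedPerm = permEnum.nextElement();
      if (logger.isDebugEnabled()) {
        logger.debug("verify implies for " + resolvedPerm);
      }
      // Rejects any resolved permission the expected set does not imply.
      assertTrue(expectedPc.implies(resolvedPerm));
      collectionSize++;
    }
    // 6 = all templates except the unresolvable p5.
    assertEquals(6, collectionSize);
  }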
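  /**
   * Creates a Kerberos (GSSAPI) SASL client used to authenticate this process to a server.
   *
   * <p>Sequence: read the JAAS configuration from {@code storm_conf}, install it as the JVM-wide
   * {@link Configuration}, log in with the {@code jaas_section} entry to obtain a Subject, verify
   * that the Subject holds a {@link KerberosTicket} and at least one principal, read
   * {@code serviceName} from the same JAAS section, and finally build the {@link SaslClient}
   * inside {@code Subject.doAs} so it is created under the logged-in Subject.
   *
   * @param storm_conf Storm configuration; {@code Config.PACEMAKER_HOST} is read from it as the
   *     SASL server host name
   * @param jaas_section name of the JAAS login-configuration entry to authenticate with
   * @throws RuntimeException if the login fails, the Subject carries no Kerberos ticket or no
   *     principal, the service name cannot be read, or no SASL client could be created
   */
  public KerberosSaslNettyClient(Map storm_conf, String jaas_section) {
    LOG.debug(
        "KerberosSaslNettyClient: Creating SASL {} client to authenticate to server ",
        SaslUtils.KERBEROS);

    LOG.info("Creating Kerberos Client.");

    Configuration login_conf;
    try {
      login_conf = AuthUtils.GetConfiguration(storm_conf);
    } catch (Throwable t) {
      LOG.error("Failed to get login_conf: ", t);
      throw t;
    }
    LOG.debug("KerberosSaslNettyClient: authmethod {}", SaslUtils.KERBEROS);

    SaslClientCallbackHandler ch = new SaslClientCallbackHandler();

    subject = null;
    try {
      LOG.debug("Setting Configuration to login_config: {}", login_conf);
      // NOTE: this replaces the JAAS configuration for the whole JVM, not only for this client.
      Configuration.setConfiguration(login_conf);
      // now login
      LOG.debug("Trying to login.");
      Login login = new Login(jaas_section, ch);
      subject = login.getSubject();
      // Log the principals only: Subject#toString() also renders the private credentials
      // (the Kerberos ticket and its session key), which must not end up in log files.
      LOG.debug("Got Subject with principals: {}", subject.getPrincipals());
    } catch (LoginException ex) {
      LOG.error("Client failed to login in principal:" + ex, ex);
      throw new RuntimeException(ex);
    }

    // The login must have produced a Kerberos ticket; without it the client cannot authenticate.
    if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
      LOG.error("Failed to verify user principal.");
      throw new RuntimeException(
          "Fail to verify user principal with section \""
              + jaas_section
              + "\" in login configuration file "
              + login_conf);
    }
    // Guard the principal lookup below: a Subject with a ticket but no principal would
    // otherwise fail with an ArrayIndexOutOfBoundsException.
    if (subject.getPrincipals().isEmpty()) {
      LOG.error("Subject has no principal.");
      throw new RuntimeException(
          "Subject obtained with section \"" + jaas_section + "\" has no principal");
    }

    String serviceName;
    try {
      serviceName = AuthUtils.get(login_conf, jaas_section, "serviceName");
    } catch (IOException e) {
      LOG.error("Failed to get service name.", e);
      throw new RuntimeException(e);
    }

    try {
      Principal principal = subject.getPrincipals().iterator().next();
      final String fPrincipalName = principal.getName();
      final String fHost = (String) storm_conf.get(Config.PACEMAKER_HOST);
      final String fServiceName = serviceName;
      final CallbackHandler fch = ch;
      LOG.debug("Kerberos Client with principal: {}, host: {}", fPrincipalName, fHost);
      saslClient =
          Subject.doAs(
              subject,
              new PrivilegedExceptionAction<SaslClient>() {
                public SaslClient run() {
                  try {
                    Map<String, String> props = new TreeMap<String, String>();
                    // Authentication only: no integrity or confidentiality layer is negotiated.
                    props.put(Sasl.QOP, "auth");
                    // SERVER_AUTH=false: the SASL layer is not asked to require mutual
                    // authentication, so the client does not verify the server's reply here.
                    // Review this if the server's identity must be proven to the client.
                    props.put(Sasl.SERVER_AUTH, "false");
                    return Sasl.createSaslClient(
                        new String[] {SaslUtils.KERBEROS},
                        fPrincipalName,
                        fServiceName,
                        fHost,
                        props,
                        fch);
                  } catch (Exception e) {
                    LOG.error("Subject failed to create sasl client.", e);
                    return null;
                  }
                }
              });
    } catch (PrivilegedActionException e) {
      LOG.error("KerberosSaslNettyClient: Could not create Sasl Netty Client.", e);
      throw new RuntimeException(e);
    }

    // run() returns null both when creation threw (logged above) and when no provider supports
    // the mechanism; fail here instead of handing out a client whose saslClient is null.
    if (saslClient == null) {
      throw new RuntimeException(
          "Could not create SASL client for mechanism " + SaslUtils.KERBEROS);
    }
    LOG.info("Got Client: {}", saslClient);
  }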