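/**
 * Second phase of the JAAS login: publishes the authenticated user to the Subject.
 *
 * <p>If the login phase did not authenticate the user, the module's state is reset and
 * {@code false} is returned (this module took no part in the login). Otherwise a
 * {@code JAASPrincipal} for the user and the role principals returned by
 * {@code getUserGroups} are added to the Subject, and {@code commited} is set.
 *
 * @return {@code true} once the principals were committed, {@code false} when this
 *     module did not authenticate the user
 * @throws LoginException if the principals could not be created or added; the original
 *     exception is attached as the cause
 * @see javax.security.auth.spi.LoginModule#commit()
 */
@Override
public boolean commit() throws LoginException {
    if (!authenticated) {
        resetStateData();
        return false;
    }
    try {
        // Jetty user principal and its role principals for the authenticated user.
        userPrincipal = new JAASPrincipal(currentUser.name);
        rolePrincipals = getUserGroups(currentUser.name);

        subject.getPrincipals().add(userPrincipal);
        subject.getPrincipals().addAll(rolePrincipals);

        if (LOG.isDebugEnabled()) {
            // Log only the principals: Subject.toString() also renders the private
            // credential set, which may carry secrets that must not reach the log.
            LOG.debug("JAAS commit() principals: " + subject.getPrincipals());
        }
        commited = true;
        return commited;
    } catch (Exception e) {
        LOG.error("JAAS commit() failure", e);
        resetStateData();
        // LoginException has no (message, cause) constructor; keep the cause via initCause
        // so the failure remains diagnosable upstream.
        LoginException failure = new LoginException(e.getMessage());
        failure.initCause(e);
        throw failure;
    }
}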
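/**
 * Verifies that {@code PrincipalUtils.evaluatePermissionCollection} expands
 * {@code ${subject.publicCredentials.<id>}} placeholders against a Subject that carries
 * several values for the same credential id.
 *
 * <p>The Subject holds two {@code name} credentials, two {@code company} credentials and one
 * {@code age} credential. A permission that names several credential ids must therefore
 * resolve to every combination of their values: 1 + 2 + 2 + 4 + 4 + 4 = 17 resolved
 * permissions, each of which must be implied by the expected collection built below.
 *
 * @throws Throwable on any test failure
 */
public void testEvaluateCombinativePermissionCollection() throws Throwable {
    // NOTE(review): these caches are static and are enabled here without a matching
    // teardown — confirm they do not leak into other tests of this class.
    PermissionUtils.setCachesEnabled(true);
    PermissionUtils.createCaches();

    Subject subject = new Subject();
    JGuardCredential nameA = new JGuardCredential(NAME, USER_A);
    JGuardCredential nameB = new JGuardCredential(NAME, USER_B);
    JGuardCredential companyA = new JGuardCredential(COMPANY, COMPANY_A);
    JGuardCredential companyB = new JGuardCredential(COMPANY, COMPANY_B);
    JGuardCredential age = new JGuardCredential(AGE, DUMMY_AGE);
    subject.getPublicCredentials().add(nameA);
    subject.getPublicCredentials().add(nameB);
    subject.getPublicCredentials().add(companyA);
    subject.getPublicCredentials().add(companyB);
    subject.getPublicCredentials().add(age);
    if (logger.isDebugEnabled()) {
        logger.debug("---- logging subject ----");
        logger.debug(subject.toString());
    }

    UserPrincipal userPrincipal = new UserPrincipal(subject);
    ProtectionDomain protectionDomain =
            new ProtectionDomain(null, new Permissions(), null, new Principal[] {userPrincipal});

    // Unresolved permissions: placeholders refer to the Subject's public credentials.
    PermissionCollection pc = new Permissions();
    Permission p1 = new FilePermission("file://home", "read");
    Permission p2 = new FilePermission("file://home/user/${subject.publicCredentials.name}", "read");
    Permission p3 = new FilePermission("file://home/user/${subject.publicCredentials.company}", "read");
    Permission p4 = new FilePermission(
            "file://home/user/${subject.publicCredentials.name}/"
                    + "${subject.publicCredentials.company}/${subject.publicCredentials.age}",
            "read");
    Permission p5 = new FilePermission(
            "file://home/user/${subject.publicCredentials.company}/${subject.publicCredentials.company}",
            "read");
    Permission p6 = new URLPermission(
            "index",
            "http://www.website.com/index.html?name=${subject.publicCredentials.name}&company=${subject.publicCredentials.company}&age=${subject.publicCredentials.age}");
    for (Permission unresolved : new Permission[] {p1, p2, p3, p4, p5, p6}) {
        pc.add(unresolved);
    }
    if (logger.isDebugEnabled()) {
        logger.debug("---- logging unresolved permissions ----");
        Enumeration<Permission> unresolvedPermEnum = pc.elements();
        while (unresolvedPermEnum.hasMoreElements()) {
            logger.debug(unresolvedPermEnum.nextElement().toString());
        }
    }

    // Expected result: one permission per combination of the credential values.
    PermissionCollection expectedPc = new Permissions();
    Permission[] expected = {
        new FilePermission("file://home", "read"),
        new FilePermission("file://home/user/userA", "read"),
        new FilePermission("file://home/user/userB", "read"),
        new FilePermission("file://home/user/companyA", "read"),
        new FilePermission("file://home/user/companyB", "read"),
        new FilePermission("file://home/user/userA/companyA/100", "read"),
        new FilePermission("file://home/user/userA/companyB/100", "read"),
        new FilePermission("file://home/user/userB/companyA/100", "read"),
        new FilePermission("file://home/user/userB/companyB/100", "read"),
        new FilePermission("file://home/user/companyA/companyA", "read"),
        new FilePermission("file://home/user/companyA/companyB", "read"),
        new FilePermission("file://home/user/companyB/companyA", "read"),
        new FilePermission("file://home/user/companyB/companyB", "read"),
        new URLPermission("index", "http://www.website.com/index.html?name=userA&company=companyA&age=100"),
        new URLPermission("index", "http://www.website.com/index.html?name=userA&company=companyB&age=100"),
        new URLPermission("index", "http://www.website.com/index.html?name=userB&company=companyA&age=100"),
        new URLPermission("index", "http://www.website.com/index.html?name=userB&company=companyB&age=100"),
    };
    for (Permission e : expected) {
        expectedPc.add(e);
    }

    // getting resolved permissions
    PermissionCollection resolvedPc = PrincipalUtils.evaluatePermissionCollection(protectionDomain, pc);
    if (logger.isDebugEnabled()) {
        logger.debug("---- logging expected permissions ----");
        Enumeration<Permission> expectedPermEnum = expectedPc.elements();
        while (expectedPermEnum.hasMoreElements()) {
            logger.debug(expectedPermEnum.nextElement().toString());
        }
        logger.debug("---- logging resolved permissions ----");
    }

    // Every resolved permission must be implied by the expected set, and the count must
    // match, so no resolution is missing and no unexpected one is produced.
    int collectionSize = 0;
    Enumeration<Permission> permEnum = resolvedPc.elements();
    while (permEnum.hasMoreElements()) {
        Permission resolvedPerm = permEnum.nextElement();
        String message = "verify implies for " + resolvedPerm;
        logger.debug(message);
        System.out.println(message);
        assertTrue("resolved permission not implied by the expected set: " + resolvedPerm,
                expectedPc.implies(resolvedPerm));
        collectionSize++;
    }
    assertEquals("number of resolved permissions", expected.length, collectionSize);
    System.out.println("END EVALUATE COMBINATIVE PERMISSION TEST");
}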
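/**
 * Verifies that {@code PrincipalUtils.evaluatePermissionCollection} expands
 * {@code ${subject.publicCredentials.<id>}} placeholders against a Subject that carries a
 * single value per credential id ({@code name} and {@code company}).
 *
 * <p>Six of the seven unresolved permissions have a counterpart in the expected collection.
 * {@code p5} refers to the {@code age} credential, which this Subject does not carry, and the
 * expected collection holds no entry for it; the asserted count of 6 resolved permissions
 * presumably reflects the resolver dropping it — confirm against the resolver's contract.
 *
 * @throws Throwable on any test failure
 */
public void testEvaluatePermissionCollection() throws Throwable {
    // NOTE(review): these caches are static and are enabled here without a matching
    // teardown — confirm they do not leak into other tests of this class.
    PermissionUtils.setCachesEnabled(true);
    PermissionUtils.createCaches();

    Subject subjectA = new Subject();
    JGuardCredential nameA = new JGuardCredential(NAME, USER_A);
    JGuardCredential companyA = new JGuardCredential(COMPANY, COMPANY_A);
    subjectA.getPublicCredentials().add(nameA);
    subjectA.getPublicCredentials().add(companyA);
    if (logger.isDebugEnabled()) {
        logger.debug("---- logging subject ----");
        logger.debug(subjectA.toString());
    }

    UserPrincipal userPrincipal = new UserPrincipal(subjectA);
    ProtectionDomain protectionDomain =
            new ProtectionDomain(null, new Permissions(), null, new Principal[] {userPrincipal});

    // Unresolved permissions: placeholders refer to the Subject's public credentials.
    PermissionCollection pc = new Permissions();
    Permission p1 = new FilePermission("file://home", "read");
    Permission p2 = new FilePermission("file://home/user/${subject.publicCredentials.name}", "read");
    Permission p3 = new FilePermission("file://home/user/${subject.publicCredentials.company}", "read");
    Permission p4 = new FilePermission(
            "file://home/user/${subject.publicCredentials.name}/"
                    + "${subject.publicCredentials.company}/${subject.publicCredentials.name}/"
                    + "${subject.publicCredentials.name}/${subject.publicCredentials.company}",
            "read");
    Permission p5 = new FilePermission("file://home/user/${subject.publicCredentials.age}", "read");
    Permission p6 = new URLPermission(
            "index", "http://www.website.com/index.html?name=${subject.publicCredentials.name}");
    // NOTE(review): the host below contains a mis-encoded character (U+FFFD) in the source
    // as received; the same bytes are used in the expected value so the test is
    // self-consistent, but confirm the intended host name.
    Permission p7 = new URLPermission(
            "index2", "http://www.web�site.com/index.html?name=${subject.publicCredentials.name}");
    for (Permission unresolved : new Permission[] {p1, p2, p3, p4, p5, p6, p7}) {
        pc.add(unresolved);
    }
    if (logger.isDebugEnabled()) {
        logger.debug("---- logging unresolved permissions ----");
        Enumeration<Permission> unresolvedPermEnum = pc.elements();
        while (unresolvedPermEnum.hasMoreElements()) {
            logger.debug(unresolvedPermEnum.nextElement().toString());
        }
    }

    // Expected result: placeholders replaced by the single credential values.
    PermissionCollection expectedPc = new Permissions();
    Permission[] expected = {
        new FilePermission("file://home", "read"),
        new FilePermission("file://home/user/userA", "read"),
        new FilePermission("file://home/user/companyA", "read"),
        new FilePermission("file://home/user/userA/companyA/userA/userA/companyA", "read"),
        new URLPermission("index", "http://www.website.com/index.html?name=userA"),
        new URLPermission("index2", "http://www.web�site.com/index.html?name=userA"),
    };
    for (Permission e : expected) {
        expectedPc.add(e);
    }

    // getting resolved permissions
    PermissionCollection resolvedPc = PrincipalUtils.evaluatePermissionCollection(protectionDomain, pc);
    if (logger.isDebugEnabled()) {
        logger.debug("---- logging expected permissions ----");
        Enumeration<Permission> expectedPermEnum = expectedPc.elements();
        while (expectedPermEnum.hasMoreElements()) {
            logger.debug(expectedPermEnum.nextElement().toString());
        }
        logger.debug("---- logging resolved permissions ----");
    }

    // Every resolved permission must be implied by the expected set, and the count must
    // match, so no resolution is missing and no unexpected one is produced.
    int collectionSize = 0;
    Enumeration<Permission> permEnum = resolvedPc.elements();
    while (permEnum.hasMoreElements()) {
        Permission resolvedPerm = permEnum.nextElement();
        String message = "verify implies for " + resolvedPerm;
        logger.debug(message);
        System.out.println(message);
        assertTrue("resolved permission not implied by the expected set: " + resolvedPerm,
                expectedPc.implies(resolvedPerm));
        collectionSize++;
    }
    assertEquals("number of resolved permissions", expected.length, collectionSize);
    System.out.println("END EVALUATE PERMISSION TEST");
}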
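/**
 * Creates a {@code KerberosSaslNettyClient} for authenticating to servers.
 *
 * <p>Loads the JAAS configuration for {@code storm_conf}, logs in through the named JAAS
 * section to obtain a Subject, checks that the Subject holds a {@link KerberosTicket} and a
 * principal, reads the {@code serviceName} option of that section, and finally creates the
 * Kerberos SASL client (field {@code saslClient}) while running as the Subject. Every
 * failure is logged and rethrown as a {@link RuntimeException}, so a caller never gets a
 * half-built client.
 *
 * @param storm_conf the Storm configuration; {@code Config.PACEMAKER_HOST} is used as the
 *     SASL server host
 * @param jaas_section the JAAS login configuration section to log in with
 * @throws RuntimeException if login fails, the Subject carries no Kerberos ticket or no
 *     principal, the service name cannot be read, or the SASL client cannot be created
 */
public KerberosSaslNettyClient(Map storm_conf, String jaas_section) {
    LOG.debug(
            "KerberosSaslNettyClient: Creating SASL {} client to authenticate to server ",
            SaslUtils.KERBEROS);
    LOG.info("Creating Kerberos Client.");

    Configuration login_conf;
    try {
        login_conf = AuthUtils.GetConfiguration(storm_conf);
    } catch (Throwable t) {
        LOG.error("Failed to get login_conf: ", t);
        throw t;
    }
    LOG.debug("KerberosSaslNettyClient: authmethod {}", SaslUtils.KERBEROS);

    SaslClientCallbackHandler ch = new SaslClientCallbackHandler();
    subject = null;
    try {
        LOG.debug("Setting Configuration to login_config: {}", login_conf);
        // Process-wide: this replaces the JVM's JAAS configuration for every caller.
        Configuration.setConfiguration(login_conf);
        LOG.debug("Trying to login.");
        Login login = new Login(jaas_section, ch);
        subject = login.getSubject();
        // Log the principals only: Subject.toString() also renders the private credential
        // set, and a KerberosTicket's string form includes its session key.
        LOG.debug("Got Subject with principals: {}", subject.getPrincipals());
    } catch (LoginException ex) {
        LOG.error("Client failed to login in principal:" + ex, ex);
        throw new RuntimeException(ex);
    }

    // check the credential of our principal
    if (subject.getPrivateCredentials(KerberosTicket.class).isEmpty()) {
        LOG.error("Failed to verify user principal.");
        throw new RuntimeException(
                "Fail to verify user principal with section \""
                        + jaas_section
                        + "\" in login configuration file "
                        + login_conf);
    }
    // The first principal becomes the SASL authorization id; fail clearly instead of
    // indexing an empty principal set further down.
    if (subject.getPrincipals().isEmpty()) {
        LOG.error("Subject holds no principal.");
        throw new RuntimeException(
                "Subject logged in with section \"" + jaas_section + "\" holds no principal");
    }

    String serviceName;
    try {
        serviceName = AuthUtils.get(login_conf, jaas_section, "serviceName");
    } catch (IOException e) {
        LOG.error("Failed to get service name.", e);
        throw new RuntimeException(e);
    }

    try {
        Principal principal = subject.getPrincipals().iterator().next();
        final String fPrincipalName = principal.getName();
        final String fHost = (String) storm_conf.get(Config.PACEMAKER_HOST);
        final String fServiceName = serviceName;
        final CallbackHandler fch = ch;
        LOG.debug("Kerberos Client with principal: {}, host: {}", fPrincipalName, fHost);
        saslClient = Subject.doAs(
                subject,
                new PrivilegedExceptionAction<SaslClient>() {
                    public SaslClient run() {
                        try {
                            Map<String, String> props = new TreeMap<String, String>();
                            props.put(Sasl.QOP, "auth");
                            // NOTE(review): SERVER_AUTH "false" means the client does not
                            // require the server to authenticate itself (no mutual
                            // authentication) — confirm this is intended for this link.
                            props.put(Sasl.SERVER_AUTH, "false");
                            return Sasl.createSaslClient(
                                    new String[] {SaslUtils.KERBEROS},
                                    fPrincipalName,
                                    fServiceName,
                                    fHost,
                                    props,
                                    fch);
                        } catch (Exception e) {
                            LOG.error("Subject failed to create sasl client.", e);
                            return null;
                        }
                    }
                });
        if (saslClient == null) {
            // run() logged the failure and returned null; fail here rather than at first use.
            throw new RuntimeException(
                    "Could not create Sasl client for principal " + fPrincipalName);
        }
        LOG.info("Got Client: {}", saslClient);
    } catch (PrivilegedActionException e) {
        LOG.error("KerberosSaslNettyClient: Could not create Sasl Netty Client.");
        throw new RuntimeException(e);
    }
}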