| 1 | | | |
| 2 | | | |
| 3 | | | |
| 4 | | | |
| 5 | | | |
| 6 | | | |
| 7 | | | |
| 8 | | | |
| 9 | | | |
| 10 | | | |
| 11 | | | |
| 12 | | | |
| 13 | | | |
| 14 | | | |
| 15 | | | |
| 16 | | | |
| 17 | | | |
| 18 | | | |
| 19 | | | |
| 20 | | | |
| 21 | | | |
| 22 | | | |
| 23 | | | |
| 24 | | | |
| 25 | | | |
| 26 | | | |
| 27 | | | |
| 28 | | | |
| 29 | | | |
| 30 | | | |
| 31 | | | |
| 32 | | | |
| 33 | | | package org.jcoderz.commons.connector; |
| 34 | | | |
| 35 | | | import java.security.AccessController; |
| 36 | | | import java.security.PrivilegedAction; |
| 37 | | | import java.util.Iterator; |
| 38 | | | import java.util.Set; |
| 39 | | | import java.util.logging.Level; |
| 40 | | | import java.util.logging.Logger; |
| 41 | | | |
| 42 | | | import javax.resource.spi.ConnectionRequestInfo; |
| 43 | | | import javax.resource.spi.ManagedConnectionFactory; |
| 44 | | | import javax.resource.spi.SecurityException; |
| 45 | | | import javax.resource.spi.security.GenericCredential; |
| 46 | | | import javax.resource.spi.security.PasswordCredential; |
| 47 | | | import javax.security.auth.Subject; |
| 48 | | | |
| 49 | | | /** |
| 50 | | | * Utility provides method to extract user name and password from a set of |
| 51 | | | * security relevant objects such as |
| 52 | | | * {@link javax.resource.spi.security.PasswordCredential}, |
| 53 | | | * {@link javax.resource.spi.ConnectionRequestInfo} and so on. |
| 54 | | | * |
| 55 | | | */ |
| 56 | | (1) | public final class SecurityUtil |
| 57 | | | { |
| 58 | | | /** The full qualified name of this class. */ |
| 59 | | | private static final String CLASSNAME = SecurityUtil.class.getName(); |
| 60 | | | |
| 61 | | | /** The logger to use. */ |
| 62 | | | private static final Logger logger = Logger.getLogger(CLASSNAME); |
| 63 | | | |
| 64 | | | private SecurityUtil () |
| 65 | | | { |
| 66 | | | |
| 67 | | | } |
| 68 | | | |
| 69 | | | /** |
| 70 | | | * Extracts the user name and password from the given set of objects as |
| 71 | | | * specified in the JCA 1.0 Chapter 8.2.6. |
| 72 | | | * |
| 73 | | | * @param subject Current Security Subject passed by the application server. |
| 74 | | | * @param mcf The managed connection factory |
| 75 | | | * @param cri Connection reques info |
| 76 | | | * |
| 77 | | | * @return UserPassword instance. If no user name / password can be |
| 78 | | | * extracted, this method returns {@link UserPassword#EMPTY_USER_PASSWORD}. |
| 79 | | | * |
| 80 | | | * @throws SecurityException Thown if no applicable credentials found in |
| 81 | | | * the Subject. |
| 82 | | | */ |
| 83 | | | public static UserPassword getUserPassword (Subject subject, |
| 84 | | | ManagedConnectionFactory mcf, ConnectionRequestInfo cri) |
| 85 | | | throws SecurityException |
| 86 | | | { |
| 87 | | | final String method = "getUserPassword"; |
| 88 | | | final boolean finer = logger.isLoggable(Level.FINER); |
| 89 | | | if (finer) |
| 90 | | | { |
| 91 | | | logger.entering(CLASSNAME, method, new Object [] {subject, mcf, cri}); |
| 92 | | | } |
| 93 | | | |
| 94 | | | UserPassword result = UserPassword.EMPTY_USER_PASSWORD; |
| 95 | | | |
| 96 | | | if (subject != null) |
| 97 | | | { |
| 98 | | | |
| 99 | | | final PasswordCredential pc = PrivilegedExecutor.getPasswordCredential( |
| 100 | | | subject, mcf); |
| 101 | | | if (pc != null) |
| 102 | | | { |
| 103 | | | result = UserPassword.fromUserPassword(pc.getUserName(), new String( |
| 104 | | | pc.getPassword())); |
| 105 | | | } |
| 106 | | | else |
| 107 | | | { |
| 108 | | | final SecurityException rse = new SecurityException( |
| 109 | | | "No applicable credentials found in the Subject passed by the" |
| 110 | | | + " application server."); |
| 111 | | | |
| 112 | | | logger.throwing(CLASSNAME, method, rse); |
| 113 | | (2) | throw rse; |
| 114 | | | |
| 115 | | (3) | |
| 116 | | | |
| 117 | | | |
| 118 | | | |
| 119 | | | |
| 120 | | | |
| 121 | | | |
| 122 | | | |
| 123 | | | |
| 124 | | | |
| 125 | | | |
| 126 | | | |
| 127 | | | |
| 128 | | | } |
| 129 | | | |
| 130 | | | } |
| 131 | | | else if (cri != null) |
| 132 | | | { |
| 133 | | | |
| 134 | | | if (!(cri instanceof ConnectionRequestInfoBase)) |
| 135 | | | { |
| 136 | | | final SecurityException rse = new SecurityException("No applicable " |
| 137 | | | + "ConnectionRequestInfo passed by the application server."); |
| 138 | | | logger.throwing(CLASSNAME, method, rse); |
| 139 | | (4) | throw rse; |
| 140 | | | } |
| 141 | | | |
| 142 | | | result = UserPassword.fromUserPassword( |
| 143 | | | ((ConnectionRequestInfoBase) cri).getUserPassword()); |
| 144 | | | } |
| 145 | | | |
| 146 | | | if (finer) |
| 147 | | | { |
| 148 | | | logger.exiting(CLASSNAME, method, result); |
| 149 | | | } |
| 150 | | | |
| 151 | | | return result; |
| 152 | | | } |
| 153 | | | |
| 154 | | | /** |
| 155 | | | * This class is intended to execute a privileged action. |
| 156 | | | * The security contract assumes that a resource adapter has the necessary |
| 157 | | | * security permissions to extract a private credential set from a Subject |
| 158 | | | * instance. |
| 159 | | | */ |
| 160 | | | private static class PrivilegedExecutor |
| 161 | | | implements PrivilegedAction |
| 162 | | | { |
| 163 | | | private final Subject mSubject; |
| 164 | | | private final ManagedConnectionFactory mMcf; |
| 165 | | | private final boolean mPcAction; |
| 166 | | | |
| 167 | | | PrivilegedExecutor (Subject subject, ManagedConnectionFactory mcf, |
| 168 | | | boolean pcAction) |
| 169 | | | { |
| 170 | | | mSubject = subject; |
| 171 | | | mMcf = mcf; |
| 172 | | | mPcAction = pcAction; |
| 173 | | | } |
| 174 | | | |
| 175 | | | /** {@inheritDoc} */ |
| 176 | | | public Object run () |
| 177 | | | { |
| 178 | | | final Object result; |
| 179 | | | if (mPcAction) |
| 180 | | | { |
| 181 | | | result = getPwdCredential(); |
| 182 | | | } |
| 183 | | | else |
| 184 | | | { |
| 185 | | | result = getGenCredential(); |
| 186 | | | } |
| 187 | | | return result; |
| 188 | | | } |
| 189 | | | |
| 190 | | | private Object getPwdCredential () |
| 191 | | | { |
| 192 | | | |
| 193 | | | |
| 194 | | | |
| 195 | | | |
| 196 | | | |
| 197 | | | |
| 198 | | | final Set creds = mSubject.getPrivateCredentials( |
| 199 | | | PasswordCredential.class); |
| 200 | | | PasswordCredential pc = null; |
| 201 | | | |
| 202 | | | |
| 203 | | | |
| 204 | | | |
| 205 | | | final Iterator credentials = creds.iterator(); |
| 206 | | | while (credentials.hasNext()) |
| 207 | | | { |
| 208 | | | final PasswordCredential pcCurrent |
| 209 | | | = (PasswordCredential) credentials.next(); |
| 210 | | | |
| 211 | | | |
| 212 | | | |
| 213 | | | if (pcCurrent.getManagedConnectionFactory().equals(mMcf)) |
| 214 | | | { |
| 215 | | | pc = pcCurrent; |
| 216 | | | break; |
| 217 | | | } |
| 218 | | | } |
| 219 | | | return pc; |
| 220 | | | } |
| 221 | | | |
| 222 | | | private Object getGenCredential () |
| 223 | | | { |
| 224 | | | |
| 225 | | | |
| 226 | | | |
| 227 | | | |
| 228 | | | |
| 229 | | | |
| 230 | | | |
| 231 | | | final Set creds = mSubject.getPrivateCredentials( |
| 232 | | | GenericCredential.class); |
| 233 | | | |
| 234 | | | Object result = null; |
| 235 | | | |
| 236 | | | final Iterator credentials = creds.iterator(); |
| 237 | | | while (credentials.hasNext()) |
| 238 | | | { |
| 239 | | | final GenericCredential c = (GenericCredential) credentials.next(); |
| 240 | | | result = c; |
| 241 | | | break; |
| 242 | | | } |
| 243 | | | return result; |
| 244 | | | } |
| 245 | | | |
| 246 | | | /** |
| 247 | | | * Tries to extract a PasswordCredential from the Subject |
| 248 | | | * <code>subject</code> applicable to the managed connection factory |
| 249 | | | * <code>mcf</code>. |
| 250 | | | * Executes a privileged action. |
| 251 | | | * |
| 252 | | | * |
| 253 | | | * @param subject Current Security Subject passed by the |
| 254 | | | * application server. |
| 255 | | | * @param mcf The managed connection factory |
| 256 | | | * |
| 257 | | | * @return a PasswordCredential or null. |
| 258 | | | */ |
| 259 | | | static PasswordCredential getPasswordCredential (Subject subject, |
| 260 | | | ManagedConnectionFactory mcf) |
| 261 | | | { |
| 262 | | | return (PasswordCredential) AccessController.doPrivileged( |
| 263 | | | new PrivilegedExecutor(subject, mcf, true)); |
| 264 | | | } |
| 265 | | | |
| 266 | | | /** |
| 267 | | | * Tries to extract a GenericCredential from the Subject |
| 268 | | | * <code>subject</code> applicable to the managed connection factory |
| 269 | | | * <code>mcf</code>. |
| 270 | | | * Executes a privileged action. |
| 271 | | | * |
| 272 | | | * @param subject Current Security Subject passed by the application |
| 273 | | | * server. |
| 274 | | | * |
| 275 | | | * @param mcf The managed connection factory |
| 276 | | | * |
| 277 | | | * @return a GenericCredential or null. |
| 278 | | | */ |
| 279 | | | static GenericCredential getGenericCredential (Subject subject, |
| 280 | | | ManagedConnectionFactory mcf) |
| 281 | | | { |
| 282 | | | return (GenericCredential) AccessController.doPrivileged( |
| 283 | | | new PrivilegedExecutor(subject, mcf, false)); |
| 284 | | | } |
| 285 | | | } |
| 286 | | | } |
| 287 | | | |