Help ... flushAuthenticationCache doesn't work
venika Feb 12, 2007 3:49 PM
Hallo,
I have a problem with JAAS security in my application. I need to change the user roles on the fly in my application, so I try to call the "flushAuthenticationCache" method in my application, but this call has no effect. In other JBoss topics I have found that after this call JAAS security should call my custom LoginModule again and the subject should be initialized once more. I have tried to verify this with my debugger, but my custom LoginModule is called only once, at login.
The call of the "flushAuthenticationCache" method does not remove the principal from the TimedCache.
Can anybody tell me what is wrong in my application?
I use JBoss Application Server 4.0.5 GA (at home) and 4.0.2 (at work). I have written a small prototype of my application. The prototype consists of two servlets: one is an admin servlet and the second is a user servlet. In the user servlet I want to change the user's role to admin. I am using CustomPrincipal and CustomLoginModule to authenticate the user.
Here is my source:
a) web.xml
b) jboss-web.xml
c) CustomLoginModule.java
d) CustomPrincipal.java
e) SecureServlet.java
f) AdminSecureServlet.java
g) login-config.xml
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>Refresh</display-name>

  <!-- Servlet without any access restriction (description is German). Its source is not part of this listing. -->
  <servlet>
    <description>Servlet ohne Zugriffsbeschraenkung</description>
    <display-name>UnsecureServlet</display-name>
    <servlet-name>UnsecureServlet</servlet-name>
    <servlet-class>de.venia.servlets.UnsecureServlet</servlet-class>
  </servlet>

  <!-- Access-restricted servlet (roles "user" or "admin", see the "First" constraint below). -->
  <servlet>
    <description>Zugriffsgeschuetzter Servlet</description>
    <display-name>SecureServlet</display-name>
    <servlet-name>SecureServlet</servlet-name>
    <servlet-class>de.venia.servlets.SecureServlet</servlet-class>
  </servlet>

  <!-- Admin-only servlet (role "admin", see the "Admin" constraint below). -->
  <servlet>
    <description>Admin Servlet</description>
    <display-name>AdminSecureServlet</display-name>
    <servlet-name>AdminSecureServlet</servlet-name>
    <servlet-class>de.venia.servlets.AdminSecureServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>UnsecureServlet</servlet-name>
    <url-pattern>/UnsecureServlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>SecureServlet</servlet-name>
    <url-pattern>/SecureServlet/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>AdminSecureServlet</servlet-name>
    <url-pattern>/AdminServlet/*</url-pattern>
  </servlet-mapping>

  <!-- Both constraints below list only POST and GET. A security-constraint that names
       http-method elements applies to those methods only, so a request to the same
       url-pattern with any other method (HEAD, PUT, DELETE, OPTIONS, ...) is not covered
       by the auth-constraint. To protect the paths for every method, omit the
       http-method elements entirely. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>First</web-resource-name>
      <url-pattern>/SecureServlet/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/AdminServlet/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- FORM login. The JAAS security domain actually used for authentication is bound in
       jboss-web.xml (java:/jaas/ReportingServcieJAAS); the realm-name here only has to be
       consistent with it. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ReportingServcieJAAS</realm-name>
    <form-login-config>
      <form-login-page>/jsp/login.jsp</form-login-page>
      <form-error-page>/jsp/error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>admin</role-name>
  </security-role>

  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
  </welcome-file-list>
</web-app>
jboss-web.xml
<?xml version="1.0" encoding="UTF-8" ?>
<!-- Binds this web application to the JAAS security domain whose login modules are
     declared under <application-policy name="ReportingServcieJAAS"> in login-config.xml.
     The part after "java:/jaas/" must match that policy name exactly. -->
<jboss-web>
  <security-domain>java:/jaas/ReportingServcieJAAS</security-domain>
</jboss-web>
CustomLoginModule
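package de.venia.login;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.jacc.PolicyContext;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

/**
 * Prototype login module used to reproduce the flushAuthenticationCache problem.
 *
 * <p>Security notes for anyone reusing this as a template:
 * <ul>
 *   <li>{@link #login()} succeeds unconditionally: no callback is invoked and no
 *       credential is verified, so every caller of the security domain is
 *       authenticated.</li>
 *   <li>The caller identity is the fixed name "Benjamin".</li>
 *   <li>The role granted in {@link #commit()} is read from the HTTP session
 *       attribute "newRole", which SecureServlet copies from a request parameter,
 *       so the client effectively chooses its own role (default "user").</li>
 * </ul>
 * This is acceptable for a throwaway prototype only.
 */
public class CustomLoginModule extends AbstractServerLoginModule {

    /** Session attribute consulted by {@link #commit()} to pick the role. */
    private static final String NEW_ROLE_ATTRIBUTE = "newRole";
    /** Role granted when the session carries no "newRole" attribute. */
    private static final String DEFAULT_ROLE = "user";
    /** JACC policy-context key under which the current servlet request is published. */
    private static final String REQUEST_CONTEXT_KEY = "javax.servlet.http.HttpServletRequest";

    /**
     * Stores the JAAS collaborators. Unlike the original version this also calls
     * {@code super.initialize}, so the base class can perform its own setup
     * (its logger, among other state, is otherwise never initialised).
     */
    public void initialize(Subject arg0, CallbackHandler arg1, Map arg2, Map arg3) {
        super.initialize(arg0, arg1, arg2, arg3);
        this.subject = arg0;
        this.callbackHandler = arg1;
        this.sharedState = arg2;
        this.options = arg3;
    }

    /**
     * Always succeeds; no credentials are checked. {@code loginOk} is set so the
     * base class treats the login phase as successful.
     */
    public boolean login() throws LoginException {
        this.loginOk = true;
        return true;
    }

    /** Nothing to undo: {@link #login()} allocates no state. */
    public boolean abort() throws LoginException {
        return true;
    }

    /**
     * Populates the subject with a "CallerPrincipal" group holding the fixed
     * identity and a "Roles" group holding exactly one role.
     *
     * @return {@code true} always
     */
    public boolean commit() throws LoginException {
        String userRole = readRoleFromSession();
        if (userRole == null) {
            userRole = DEFAULT_ROLE;
        }
        SimpleGroup callerGroup = new SimpleGroup("CallerPrincipal");
        SimpleGroup rolesGroup = new SimpleGroup("Roles");
        // CustomPrincipal embeds its creation time in its name, so each commit
        // produces a principal that is not equal() to the one from a previous login.
        callerGroup.addMember(new CustomPrincipal("Benjamin"));
        rolesGroup.addMember(new SimplePrincipal(userRole));
        this.subject.getPrincipals().add(callerGroup);
        this.subject.getPrincipals().add(rolesGroup);
        return true;
    }

    /**
     * Reads the "newRole" attribute of the current HTTP session via the JACC
     * policy context.
     *
     * @return the attribute value, or {@code null} when no request is available in
     *         the policy context, the attribute is absent or not a String, or the
     *         lookup fails
     */
    private String readRoleFromSession() {
        try {
            HttpServletRequest request =
                (HttpServletRequest) PolicyContext.getContext(REQUEST_CONTEXT_KEY);
            if (request == null) {
                return null;
            }
            HttpSession session = request.getSession();
            Object obj = session.getAttribute(NEW_ROLE_ATTRIBUTE);
            return (obj instanceof String) ? (String) obj : null;
        } catch (Exception ignored) {
            // Deliberate best-effort: outside a servlet request the policy context
            // has no request handler; fall back to the default role instead of
            // failing the commit phase.
            return null;
        }
    }

    /** Removes everything the commit phase put into the subject. */
    public boolean logout() throws LoginException {
        this.subject.getPrincipals().clear();
        this.subject.getPublicCredentials().clear();
        this.subject.getPrivateCredentials().clear();
        return true;
    }

    /** Unused: {@link #commit()} builds the caller principal directly. */
    protected Principal getIdentity() {
        return null;
    }

    /** Unused: {@link #commit()} builds the "Roles" group directly. */
    protected Group[] getRoleSets() throws LoginException {
        return null;
    }
}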
CustomPrincipal
package de.venia.login;

import java.security.Principal;
import java.sql.Timestamp;

/**
 * Principal whose visible name is the given name suffixed with the instant at
 * which the instance was created ("name_yyyy-mm-dd hh:mm:ss.fffffffff").
 *
 * <p>Equality and hash code are derived from that timed name, so two instances
 * built from the same base name at different instants are not equal. Any cache
 * that is keyed by principal equality will therefore not match a freshly created
 * instance against one stored earlier — relevant when such an instance is handed
 * to a lookup like flushAuthenticationCache.
 */
public class CustomPrincipal implements Principal {

    private String name = null;
    private Timestamp time = null;

    /**
     * @param nameM base name; the creation time is captured at construction
     */
    public CustomPrincipal(String nameM) {
        this.name = nameM;
        this.time = new Timestamp(System.currentTimeMillis());
    }

    /** @return the base name joined to the creation timestamp by an underscore */
    public String getName() {
        return timedName();
    }

    /** Builds "name_timestamp"; a null base name renders as "null". */
    private String timedName() {
        StringBuilder sb = new StringBuilder();
        sb.append(this.name).append('_').append(this.time);
        return sb.toString();
    }

    public int hashCode() {
        return timedName().hashCode();
    }

    /** Two principals are equal when their timed names are equal. */
    public boolean equals(Object objM) {
        if (!(objM instanceof CustomPrincipal)) {
            return false;
        }
        CustomPrincipal other = (CustomPrincipal) objM;
        return timedName().equals(other.timedName());
    }
}
SecureServlet
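package de.venia.servlets;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;

import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import de.venia.login.CustomPrincipal;

/**
 * Servlet reachable by the roles "user" and "admin" (see web.xml). Besides echoing
 * the session id and the caller name it offers two maintenance hooks driven by
 * request parameters:
 * <ul>
 *   <li>{@code ?flush=true&role=R}: stores R in the session attribute "newRole" and
 *       flushes the JAAS authentication-cache entry for the current principal;</li>
 *   <li>{@code ?flushAll=true}: flushes the whole cache of the security domain.</li>
 * </ul>
 *
 * <p>Security note: because CustomLoginModule reads "newRole" from the session, any
 * caller who can reach this servlet can pick the role it receives on its next
 * authentication, "admin" included. Acceptable for this prototype only; in real
 * code a role change must go through an administrative path, never a parameter
 * of the affected user's own request.
 */
public class SecureServlet extends javax.servlet.http.HttpServlet implements javax.servlet.Servlet {

    private static final long serialVersionUID = 1L;

    /** Security domain whose cache is flushed; must match jboss-web.xml and login-config.xml. */
    private static final String SECURITY_DOMAIN = "ReportingServcieJAAS";
    /** JMX name of the JBoss JAAS security manager service. */
    private static final String JAAS_MANAGER_NAME = "jboss.security:service=JaasSecurityManager";
    /** MBean operation invoked with either (domain) or (domain, principal). */
    private static final String FLUSH_OPERATION = "flushAuthenticationCache";
    /** Session attribute read by CustomLoginModule during commit. */
    private static final String NEW_ROLE_ATTRIBUTE = "newRole";

    public SecureServlet() {
        super();
    }

    /** GET is handled exactly like POST. */
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    /**
     * Prints diagnostic lines (the session id should not appear in a production
     * page) and then processes the optional "flush"/"role" and "flushAll" parameters.
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter outputter = response.getWriter();
        outputter.println("I'm protected servlet, role - user");
        outputter.println("<br />");
        outputter.println("SessionID:" + request.getSession().getId());
        outputter.println("<br />");
        Principal principal = request.getUserPrincipal();
        if (principal != null) {
            // Principal.getName() is all we need; the former cast to CustomPrincipal
            // would have failed with a ClassCastException for any other principal type.
            outputter.println("User:" + principal.getName());
        }

        // "flush": remember the requested role, then evict this caller's cache entry.
        String flush = request.getParameter("flush");
        String role = request.getParameter("role");
        if ("true".equalsIgnoreCase(flush) && role != null) {
            request.getSession().setAttribute(NEW_ROLE_ATTRIBUTE, role);
            // NOTE(review): the cache entry is looked up by principal equality. The
            // principal passed here is the CustomPrincipal whose name carries a
            // timestamp, which may not equal the key the security manager stored at
            // login time — confirm which principal keys the cache before relying on
            // this call.
            flushAuthenticationCache(outputter,
                new Object[] { SECURITY_DOMAIN, request.getUserPrincipal() },
                new String[] { "java.lang.String", Principal.class.getName() });
        }

        // "flushAll": evict every entry of the domain.
        String flushAll = request.getParameter("flushAll");
        if ("true".equalsIgnoreCase(flushAll)) {
            flushAuthenticationCache(outputter,
                new Object[] { SECURITY_DOMAIN },
                new String[] { "java.lang.String" });
        }
        // NOTE(review): even after a successful flush the web container may keep the
        // already-authenticated principal in the HTTP session, in which case the
        // login module is not consulted again until that session is invalidated —
        // verify against the container's authenticator configuration.
    }

    /**
     * Invokes {@code flushAuthenticationCache} on the JaasSecurityManager MBean.
     * Failures go to the servlet log and are reported to the client with a generic
     * line; the original version printed the full stack trace into the response,
     * which exposes server internals to the browser.
     *
     * @param outputter response writer used for the status line
     * @param params    operation arguments: the domain, optionally followed by the principal
     * @param signature JMX signature matching {@code params}
     */
    private void flushAuthenticationCache(PrintWriter outputter, Object[] params, String[] signature) {
        try {
            ObjectName jaasMgr = new ObjectName(JAAS_MANAGER_NAME);
            MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
            server.invoke(jaasMgr, FLUSH_OPERATION, params, signature);
        } catch (Exception e) {
            log("flushAuthenticationCache failed for domain " + SECURITY_DOMAIN, e);
            outputter.println("flushAuthenticationCache failed; see the server log");
        }
    }
}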
AdminSecureServlet
package de.venia.servlets;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet restricted to the "admin" role by the web.xml security constraint on
 * /AdminServlet/*. It only prints a marker line, so a test can tell whether the
 * caller currently holds the admin role.
 */
public class AdminSecureServlet extends javax.servlet.http.HttpServlet implements javax.servlet.Servlet {

    private static final long serialVersionUID = 1L;

    /** Line written for every request that passes the admin constraint. */
    private static final String MARKER = "I'm protected servlet, role - admin";

    public AdminSecureServlet() {
        super();
    }

    /** GET is handled exactly like POST. */
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doPost(request, response);
    }

    /** Writes the marker line followed by an HTML line break. */
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        PrintWriter out = response.getWriter();
        out.println(MARKER);
        out.println("<br />");
    }
}
login-config.xml
<!-- JAAS policy for the "ReportingServcieJAAS" domain referenced from jboss-web.xml.
     The single required module is de.venia.login.CustomLoginModule, whose login()
     succeeds without checking any credential, so every caller of this domain is
     authenticated; the role it grants comes from the session attribute "newRole".
     Prototype behaviour only, not suitable for production. -->
<application-policy name="ReportingServcieJAAS">
  <authentication>
    <login-module code="de.venia.login.CustomLoginModule" flag="required">
    </login-module>
  </authentication>
</application-policy>
Thanks a lot for your help ;-)))