8 Replies Latest reply on Jun 25, 2008 3:42 PM by anil.saldhana

Legacy client SecurityAssociation

adrian.brock Jun 24, 2008 1:09 PM

This work:
http://jira.jboss.com/jira/browse/SECURITY-75
isn't much use without this:
http://jira.jboss.com/jira/browse/SECURITY-125

Most clients (if they used the SecurityAssociation api) will be using on the client
to do a single login for the entire jvm.

When the SecurityAssociation is not in server mode, it doesn't work at all with JBoss5.

e.g. You can see this in org.jboss.test.jmx.test.DeployXMBeanUnitTestCase

The following patch makes it work:

[ejort@warjort testsuite]$ svn diff
Index: src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java
===================================================================
--- src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java (revision 74958)
+++ src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java (working copy)
@@ -487,6 +487,7 @@
 }

 SimplePrincipal jduke = new SimplePrincipal("jduke");
+ SecurityAssociation.setServer();
 SecurityAssociation.setPrincipal(jduke);
 SecurityAssociation.setCredential("theduke".toCharArray());
 naming.bind(hello, "HelloBinding", "java.lang.String");
@@ -536,6 +537,7 @@
 Name hello = ctx.getNameParser("").parse("Hello");

 SimplePrincipal jduke = new SimplePrincipal("jduke");
+ SecurityAssociation.setServer();
 SecurityAssociation.setPrincipal(jduke);
 SecurityAssociation.setCredential("theduke".toCharArray());

But that isn't the correct fix.

There's a tonne of other code in the JBoss5 testsuite still using the SecurityAssoication:

[ejort@warjort test]$ grep -ri SecurityAssociation * | grep -v svn
aop/bean/SecurityTester.java: //SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("somebody"), password);
aop/bean/SecurityTester.java: /*SecurityAssociation.popSubjectContext();
aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("authfail"), password);
aop/bean/SecurityTester.java: SecurityAssociation.popSubjectContext();
aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("rolefail"), password);
aop/bean/SecurityTester.java: SecurityAssociation.popSubjectContext();
aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("pass"), password);
aop/bean/SimpleBeanTester.java:import org.jboss.security.SecurityAssociation;
cluster/invokerha/HAService.java:import org.jboss.security.SecurityAssociation;
cluster/invokerha/HAService.java: SecurityAssociation.setPrincipal(principal);
cluster/invokerha/HAService.java: SecurityAssociation.setCredential(credential);
cluster/invokerha/HAService.java: SecurityAssociation.clear();
jacc/test/portal/BasePortalJaccTestCase.java:import org.jboss.security.SecurityAssociation;
jacc/test/portal/BasePortalJaccTestCase.java: SecurityAssociation.setSubject(subject);
jmx/interceptors/PrincipalInterceptor.java:import org.jboss.security.SecurityAssociation;
jmx/interceptors/PrincipalInterceptor.java: Principal caller = SecurityAssociation.getPrincipal();
jmx/interceptors/JNDISecurity.java:import org.jboss.security.SecurityAssociation;
jmx/interceptors/JNDISecurity.java: SecurityAssociation.pushSubjectContext(subject, principal, credential);
jmx/interceptors/JNDISecurity.java: SecurityAssociation.popSubjectContext();
jmx/test/DeployXMBeanUnitTestCase.java:import org.jboss.security.SecurityAssociation;
jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setServer();
jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setPrincipal(jduke);
jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setCredential("theduke".toCharArray());
jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setPrincipal(guest);
jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setCredential("guest".toCharArray());
jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setServer();
jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setPrincipal(jduke);
jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setCredential("theduke".toCharArray());
naming/test/SecurityUnitTestCase.java:import org.jboss.security.SecurityAssociation;
naming/test/SecurityUnitTestCase.java: Principal p = SecurityAssociation.getPrincipal();
naming/test/SecurityUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal is null", p == null);
security/interceptors/ClientEncryptionInterceptor.java:import org.jboss.security.SecurityAssociation;
security/interceptors/ClientEncryptionInterceptor.java: Subject subject = SecurityAssociation.getSubject();
security/interceptors/ServerEncryptionInterceptor.java:import org.jboss.security.SecurityAssociation;
security/interceptors/ServerEncryptionInterceptor.java: Subject subject = SecurityAssociation.getSubject();
security/ejb/SubjectSessionBean.java:import org.jboss.security.SecurityAssociation;
security/ejb/SubjectSessionBean.java: * SecurityAssociation.getSubject and PolicyContext. This will not run under
security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("enter", callerPrincipals);
security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("post stateless", callerPrincipals);
security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("post stateful", callerPrincipals);
security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("exit", callerPrincipals);
security/ejb/SubjectSessionBean.java: * Get the active subject as seen by the jboss SecurityAssociation
security/ejb/SubjectSessionBean.java: protected void validateSecurityAssociationSubject(String ctx, Set callerPrincipals)
security/ejb/SubjectSessionBean.java: Subject caller = SecurityAssociation.getSubject();
security/ejb/SubjectSessionBean.java: String msg = ctx+", SecurityAssociation subject: "+caller
security/ejb/SecuredBean.java: * SecurityAssociation.getSubject and PolicyContext. This will not run under
security/test/SecurityMgrStressTestCase.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
security/test/SecurityMgrStressTestCase.java: //SecurityAssociation.setServer();
security/test/SecurityMgrStressTestCase.java: JaasSecurityManager secMgr = new JaasSecurityManager("testIdentity", new SecurityAssociationHandler());
security/test/SecurityMgrStressTestCase.java: //SecurityAssociation.pushSubjectContext(subject, user, "any");
security/test/ClientLoginModuleUnitTestCase.java:import org.jboss.security.SecurityAssociation;
security/test/ClientLoginModuleUnitTestCase.java: ClientLoginModuleUnitTestCase/SecurityAssociation interaction tests
security/test/ClientLoginModuleUnitTestCase.java: //Clear SecurityAssociation
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.clear();
security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == theduke", saPrincipal.equals(theduke));
security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setPrincipal(jduke1);
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setCredential("theduke1");
security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke2", saPrincipal.equals(jduke2));
security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
security/test/ClientLoginModuleUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke1", saPrincipal.equals(jduke1));
security/test/ClientLoginModuleUnitTestCase.java: String theduke1 = (String) SecurityAssociation.getCredential();
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject1, jduke1, "theduke1");
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject2, jduke2, "theduke2");
security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke3", saPrincipal.equals(jduke3));
security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc3 = SecurityAssociation.peekSubjectContext();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke3", sc3.getPrincipal().equals(jduke3));
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc2 = SecurityAssociation.peekSubjectContext();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke2", sc2.getPrincipal().equals(jduke2));
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.popSubjectContext();
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc1 = SecurityAssociation.peekSubjectContext();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke1", sc1.getPrincipal().equals(jduke1));
security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == theduke", saPrincipal.equals(theduke));
security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setPrincipal(jduke1);
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setCredential("theduke1");
security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke2", saPrincipal.equals(jduke2));
security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
security/test/ClientLoginModuleUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke1", saPrincipal.equals(jduke1));
security/test/ClientLoginModuleUnitTestCase.java: String theduke1 = (String) SecurityAssociation.getCredential();
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject1, jduke1, "theduke1");
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject2, jduke2, "theduke2");
security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke3", saPrincipal.equals(jduke3));
security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc3 = SecurityAssociation.peekSubjectContext();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke3", sc3.getPrincipal().equals(jduke3));
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc2 = SecurityAssociation.peekSubjectContext();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke2", sc2.getPrincipal().equals(jduke2));
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.popSubjectContext();
security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc1 = SecurityAssociation.peekSubjectContext();
security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke1", sc1.getPrincipal().equals(jduke1));
security/test/SRPLoginModuleUnitTestCase.java:import org.jboss.security.SecurityAssociation;
security/test/SRPLoginModuleUnitTestCase.java: Principal user = SecurityAssociation.getPrincipal();
security/test/SRPLoginModuleUnitTestCase.java: byte[] key = (byte[]) SecurityAssociation.getCredential();
security/test/SAThreadLocalUnitTestCase.java:import org.jboss.security.SecurityAssociation;
security/test/SAThreadLocalUnitTestCase.java: SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
security/test/SAThreadLocalUnitTestCase.java: * SecurityAssociation.getSubject() == authSubject
security/test/SAThreadLocalUnitTestCase.java: * SecurityAssociation.getPrincipal() == authPrincipal
security/test/SAThreadLocalUnitTestCase.java: Subject s = SecurityAssociation.getSubject();
security/test/SAThreadLocalUnitTestCase.java: Principal p = SecurityAssociation.getPrincipal();
security/test/SAThreadLocalUnitTestCase.java: System.setProperty("org.jboss.security.SecurityAssociation.ThreadLocal", "true");
security/test/SAThreadLocalUnitTestCase.java: SecurityAssociation.setServer();
security/test/LoginModulesUnitTestCase.java:import org.jboss.security.SecurityAssociation;
security/test/LoginModulesUnitTestCase.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
security/test/LoginModulesUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
security/test/LoginModulesUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == scott", saPrincipal.equals(scott));
security/test/LoginModulesUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
security/test/LoginModulesUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == scott2", saPrincipal.equals(scott2));
security/test/LoginModulesUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
security/test/LoginModulesUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == scott", saPrincipal.equals(scott));
security/test/LoginModulesUnitTestCase.java: SecurityAssociation.setPrincipal(new SimplePrincipal("jduke2"));
security/test/LoginModulesUnitTestCase.java: SecurityAssociation.setCredential("theduke2".toCharArray());
security/test/LoginModulesUnitTestCase.java: SecurityAssociationHandler handler = new SecurityAssociationHandler(x509, cert);
security/test/LoginModulesUnitTestCase.java: SecurityAssociationHandler handler = new SecurityAssociationHandler(x509, cert);
security/test/SAInheritableThreadLocalUnitTestCase.java:import org.jboss.security.SecurityAssociation;
security/test/SAInheritableThreadLocalUnitTestCase.java: * Test the expected security context exists via the SecurityAssociation accessors
security/test/SAInheritableThreadLocalUnitTestCase.java: SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
security/test/SAInheritableThreadLocalUnitTestCase.java: SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
security/test/SAInheritableThreadLocalUnitTestCase.java: * SecurityAssociation.getSubject() == authSubject
security/test/SAInheritableThreadLocalUnitTestCase.java: * SecurityAssociation.getPrincipal() == authPrincipal
security/test/SAInheritableThreadLocalUnitTestCase.java: Subject s = SecurityAssociation.getSubject();
security/test/SAInheritableThreadLocalUnitTestCase.java: Principal p = SecurityAssociation.getPrincipal();
security/test/SAInheritableThreadLocalUnitTestCase.java: System.setProperty("org.jboss.security.SecurityAssociation.ThreadLocal", "false");
security/test/SAInheritableThreadLocalUnitTestCase.java: SecurityAssociation.setServer();
security/test/SubjectContextUnitTestCase.java:import org.jboss.security.SecurityAssociation;
security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
security/test/JaasSecurityManagerUnitTestCase.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
security/test/JaasSecurityManagerUnitTestCase.java: CallbackHandler handler = new SecurityAssociationHandler(jduke, "theduke".toCharArray());
security/test/JaasSecurityManagerUnitTestCase.java: CallbackHandler handler = new SecurityAssociationHandler(jduke, "theduke".toCharArray());
securitymgr/ejb/IOStatelessSessionBean.java:import org.jboss.security.SecurityAssociation;
securitymgr/ejb/BadBean.java:import org.jboss.security.SecurityAssociation;
securitymgr/ejb/BadBean.java: return SecurityAssociation.getPrincipal();
securitymgr/ejb/BadBean.java: return SecurityAssociation.getCredential();
securitymgr/ejb/BadBean.java: SecurityAssociation.setPrincipal(user);
securitymgr/ejb/BadBean.java: SecurityAssociation.setCredential(password);
securitymgr/ejb/BadBean.java: Subject s = SecurityAssociation.getSubject();
securitymgr/ejb/BadBean.java: Subject s = SecurityAssociation.getSubject();
securitymgr/ejb/BadBean.java: SecurityAssociation.pushSubjectContext(s, null, null);
securitymgr/ejb/BadBean.java: SecurityAssociation.popRunAsIdentity();
securitymgr/ejb/BadBean.java: SecurityAssociation.pushRunAsIdentity(runAs);
securitymgr/test/SecurityUnitTestCase.java: /** Test that a bean cannot access the SecurityAssociation class
securitymgr/test/PolicyUnitTestCase.java: /** Test that a bean cannot access the SecurityAssociation class
securitymgr/test/PolicyUnitTestCase.java: public void testSecurityAssociation() throws Exception
securitymgr/test/PolicyUnitTestCase.java: log.debug("+++ testSecurityAssociation()");
web/test/FormAuthUnitTestCase.java: * a SecurityAssociation setting Subject.
web/security/JASPISecurityFilter.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
web/security/JASPISecurityFilter.java: CallbackHandler cbh = new SecurityAssociationHandler();
web/servlets/SecureServlet.java:import org.jboss.security.SecurityAssociation;
web/servlets/SecureServlet.java: // Assert that there is a valid SecurityAssociation Subject
web/servlets/SecureServlet.java: Subject subject = SecurityAssociation.getSubject();
webservice/jbws309/JBWS309TestCase.java:import org.jboss.security.SecurityAssociation;
webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setPrincipal(null);
webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setCredential(null);
webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setPrincipal(new SimplePrincipal(USERNAME));
webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setCredential(PASSWORD);

Some of these are probably running on the server side so the mapping should work?

1. Re: Legacy client SecurityAssociation

anil.saldhana Jun 24, 2008 1:58 PM (in response to adrian.brock)
http://jira.jboss.com/jira/browse/SECURITY-236

With this change that came in 2.0.2.CR4, I have ensured that the client side SA usage works as is. But yes, on the server side, SA usage should set the setServer flag.

But the server side usage of SA should by default have the server flag set due to the JaasSecurityManagerService->startService()

protected void startService() throws Exception { // use thread-local principal and credential propagation if (serverMode) SecurityAssociation.setServer();

I will take a look at the tests that you mention that are failing and see why this is an issue.
Actions
2. Re: Legacy client SecurityAssociation

anil.saldhana Jun 24, 2008 2:12 PM (in response to adrian.brock)
Most clients (if they used the SecurityAssociation api) will be using on the client to do a single login for the entire jvm.

What is your personal opinion on this? I know this has been the legacy approach but what do you think about providing vm-wide security context?
Actions
3. Re: Legacy client SecurityAssociation

anil.saldhana Jun 24, 2008 2:26 PM (in response to adrian.brock)

The issue exists here:
http://anonsvn.jboss.org/repos/jbossas/trunk/server/src/main/org/jboss/proxy/SecurityActions.java

for the
http://anonsvn.jboss.org/repos/jbossas/trunk/server/src/main/org/jboss/proxy/SecurityInterceptor.java

The Client Side SecurityInterceptor has no clue whether the user used the legacy SecurityAssociation or the newer SecurityClient.

I can add additional logic to see if SA.getServer == false, then also consider sa.getprincipal, sa.getcredential as a potential provider of security context.
Actions
4. Re: Legacy client SecurityAssociation

anil.saldhana Jun 24, 2008 2:42 PM (in response to adrian.brock)

The above fix is applicable to ejb apps. I need to see what the issue is for the xmbean test (doing now)
Actions
5. Re: Legacy client SecurityAssociation

adrian.brock Jun 24, 2008 2:51 PM (in response to adrian.brock)
"anil.saldhana@jboss.com" wrote:
Most clients (if they used the SecurityAssociation api) will be using on the client to do a single login for the entire jvm.

What is your personal opinion on this? I know this has been the legacy approach but what do you think about providing vm-wide security context?

What's wrong with it? We're talking about a traditional client, not a server that
hosts many apps that can't be trusted.
Why can't there just be a mode which enables a global security context?

On the SecurityAssociation itself, I'm not really that worried
since people should always be using JAAS to establish the login,
I'm talking about the new stuff not having the same capabilities.

The real fix is to remove any mentioned of SecurityAssociation from the testsuite.
Actions
6. Re: Legacy client SecurityAssociation

anil.saldhana Jun 24, 2008 4:43 PM (in response to adrian.brock)

I am working on providing a client side VMwide usage to the SecurityClient approach. I will have a 2.0.2.CR6 release tomorrow.
Actions
7. Re: Legacy client SecurityAssociation

anil.saldhana Jun 24, 2008 5:00 PM (in response to adrian.brock)
I have finished making changes. I will test for regressions etc before updating AS.

one-test: [delete] Deleting: /tmp/test.log [junit] Running org.jboss.test.jmx.test.DeployXMBeanUnitTestCase [junit] Tests run: 11, Failures: 0, Errors: 0, Time elapsed: 2.843 sec

With my current changes, we still will be able to support legacy clients using SecurityAssociation while also handling the newer clients using SecurityClient.
Actions
8. Re: Legacy client SecurityAssociation

anil.saldhana Jun 25, 2008 3:42 PM (in response to adrian.brock)

http://jira.jboss.com/jira/browse/JBAS-5681
should fix this issue along with Security 2.0.2.CR6 upgrade. I will apply the patch after CR1 release.
Actions

Go to original post