8 Replies Latest reply on Jun 25, 2008 3:42 PM by Anil Saldanha

    Legacy client SecurityAssociation

    Adrian Brock Master

      This work:
      http://jira.jboss.com/jira/browse/SECURITY-75
      isn't much use without this:
      http://jira.jboss.com/jira/browse/SECURITY-125

      Most clients (if they used the SecurityAssociation api) will be using it on the client
      to do a single login for the entire JVM.

      When the SecurityAssociation is not in server mode, it doesn't work at all with JBoss5.

      e.g. You can see this in org.jboss.test.jmx.test.DeployXMBeanUnitTestCase

      The following patch makes it work:

      [ejort@warjort testsuite]$ svn diff
      Index: src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java
      ===================================================================
      --- src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java (revision 74958)
      +++ src/main/org/jboss/test/jmx/test/DeployXMBeanUnitTestCase.java (working copy)
      @@ -487,6 +487,7 @@
       }
      
       SimplePrincipal jduke = new SimplePrincipal("jduke");
      + SecurityAssociation.setServer();
       SecurityAssociation.setPrincipal(jduke);
       SecurityAssociation.setCredential("theduke".toCharArray());
       naming.bind(hello, "HelloBinding", "java.lang.String");
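Review bot: the added `SecurityAssociation.setServer();` flips a process-wide flag that nothing in this hunk resets, so every test that runs later in the same JVM also sees server-mode semantics. If this stays in as a stopgap, put a comment next to it pointing at SECURITY-125 that says why a client-side test has to switch the association into server mode, and make sure the principal and credential set on the next two lines are cleared when the test finishes rather than left behind for the following test.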
      @@ -536,6 +537,7 @@
       Name hello = ctx.getNameParser("").parse("Hello");
      
       SimplePrincipal jduke = new SimplePrincipal("jduke");
      + SecurityAssociation.setServer();
       SecurityAssociation.setPrincipal(jduke);
       SecurityAssociation.setCredential("theduke".toCharArray());
      
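Review bot: this hunk repeats the same three-line `setServer()` / `setPrincipal(jduke)` / `setCredential("theduke".toCharArray())` sequence as the first hunk. Pull it into one small helper in the test case so the workaround lives in a single place and can be removed in one edit once the client-mode fix lands.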


      But that isn't the correct fix.

      There's a tonne of other code in the JBoss5 testsuite still using the SecurityAssociation:
      [ejort@warjort test]$ grep -ri SecurityAssociation * | grep -v svn
      aop/bean/SecurityTester.java: //SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("somebody"), password);
      aop/bean/SecurityTester.java: /*SecurityAssociation.popSubjectContext();
      aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("authfail"), password);
      aop/bean/SecurityTester.java: SecurityAssociation.popSubjectContext();
      aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("rolefail"), password);
      aop/bean/SecurityTester.java: SecurityAssociation.popSubjectContext();
      aop/bean/SecurityTester.java: SecurityAssociation.pushSubjectContext(null, new SimplePrincipal("pass"), password);
      aop/bean/SimpleBeanTester.java:import org.jboss.security.SecurityAssociation;
      cluster/invokerha/HAService.java:import org.jboss.security.SecurityAssociation;
      cluster/invokerha/HAService.java: SecurityAssociation.setPrincipal(principal);
      cluster/invokerha/HAService.java: SecurityAssociation.setCredential(credential);
      cluster/invokerha/HAService.java: SecurityAssociation.clear();
      jacc/test/portal/BasePortalJaccTestCase.java:import org.jboss.security.SecurityAssociation;
      jacc/test/portal/BasePortalJaccTestCase.java: SecurityAssociation.setSubject(subject);
      jmx/interceptors/PrincipalInterceptor.java:import org.jboss.security.SecurityAssociation;
      jmx/interceptors/PrincipalInterceptor.java: Principal caller = SecurityAssociation.getPrincipal();
      jmx/interceptors/JNDISecurity.java:import org.jboss.security.SecurityAssociation;
      jmx/interceptors/JNDISecurity.java: SecurityAssociation.pushSubjectContext(subject, principal, credential);
      jmx/interceptors/JNDISecurity.java: SecurityAssociation.popSubjectContext();
      jmx/test/DeployXMBeanUnitTestCase.java:import org.jboss.security.SecurityAssociation;
      jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setServer();
      jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setPrincipal(jduke);
      jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setCredential("theduke".toCharArray());
      jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setPrincipal(guest);
      jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setCredential("guest".toCharArray());
      jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setServer();
      jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setPrincipal(jduke);
      jmx/test/DeployXMBeanUnitTestCase.java: SecurityAssociation.setCredential("theduke".toCharArray());
      naming/test/SecurityUnitTestCase.java:import org.jboss.security.SecurityAssociation;
      naming/test/SecurityUnitTestCase.java: Principal p = SecurityAssociation.getPrincipal();
      naming/test/SecurityUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal is null", p == null);
      security/interceptors/ClientEncryptionInterceptor.java:import org.jboss.security.SecurityAssociation;
      security/interceptors/ClientEncryptionInterceptor.java: Subject subject = SecurityAssociation.getSubject();
      security/interceptors/ServerEncryptionInterceptor.java:import org.jboss.security.SecurityAssociation;
      security/interceptors/ServerEncryptionInterceptor.java: Subject subject = SecurityAssociation.getSubject();
      security/ejb/SubjectSessionBean.java:import org.jboss.security.SecurityAssociation;
      security/ejb/SubjectSessionBean.java: * SecurityAssociation.getSubject and PolicyContext. This will not run under
      security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("enter", callerPrincipals);
      security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("post stateless", callerPrincipals);
      security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("post stateful", callerPrincipals);
      security/ejb/SubjectSessionBean.java: validateSecurityAssociationSubject("exit", callerPrincipals);
      security/ejb/SubjectSessionBean.java: * Get the active subject as seen by the jboss SecurityAssociation
      security/ejb/SubjectSessionBean.java: protected void validateSecurityAssociationSubject(String ctx, Set callerPrincipals)
      security/ejb/SubjectSessionBean.java: Subject caller = SecurityAssociation.getSubject();
      security/ejb/SubjectSessionBean.java: String msg = ctx+", SecurityAssociation subject: "+caller
      security/ejb/SecuredBean.java: * SecurityAssociation.getSubject and PolicyContext. This will not run under
      security/test/SecurityMgrStressTestCase.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
      security/test/SecurityMgrStressTestCase.java: //SecurityAssociation.setServer();
      security/test/SecurityMgrStressTestCase.java: JaasSecurityManager secMgr = new JaasSecurityManager("testIdentity", new SecurityAssociationHandler());
      security/test/SecurityMgrStressTestCase.java: //SecurityAssociation.pushSubjectContext(subject, user, "any");
      security/test/ClientLoginModuleUnitTestCase.java:import org.jboss.security.SecurityAssociation;
      security/test/ClientLoginModuleUnitTestCase.java: ClientLoginModuleUnitTestCase/SecurityAssociation interaction tests
      security/test/ClientLoginModuleUnitTestCase.java: //Clear SecurityAssociation
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.clear();
      security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == theduke", saPrincipal.equals(theduke));
      security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setPrincipal(jduke1);
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setCredential("theduke1");
      security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke2", saPrincipal.equals(jduke2));
      security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
      security/test/ClientLoginModuleUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke1", saPrincipal.equals(jduke1));
      security/test/ClientLoginModuleUnitTestCase.java: String theduke1 = (String) SecurityAssociation.getCredential();
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject1, jduke1, "theduke1");
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject2, jduke2, "theduke2");
      security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke3", saPrincipal.equals(jduke3));
      security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc3 = SecurityAssociation.peekSubjectContext();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke3", sc3.getPrincipal().equals(jduke3));
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc2 = SecurityAssociation.peekSubjectContext();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke2", sc2.getPrincipal().equals(jduke2));
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.popSubjectContext();
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc1 = SecurityAssociation.peekSubjectContext();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke1", sc1.getPrincipal().equals(jduke1));
      security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == theduke", saPrincipal.equals(theduke));
      security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setPrincipal(jduke1);
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.setCredential("theduke1");
      security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke2", saPrincipal.equals(jduke2));
      security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
      security/test/ClientLoginModuleUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke1", saPrincipal.equals(jduke1));
      security/test/ClientLoginModuleUnitTestCase.java: String theduke1 = (String) SecurityAssociation.getCredential();
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject1, jduke1, "theduke1");
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.pushSubjectContext(subject2, jduke2, "theduke2");
      security/test/ClientLoginModuleUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == jduke3", saPrincipal.equals(jduke3));
      security/test/ClientLoginModuleUnitTestCase.java: char[] password = (char[]) SecurityAssociation.getCredential();
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc3 = SecurityAssociation.peekSubjectContext();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke3", sc3.getPrincipal().equals(jduke3));
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc2 = SecurityAssociation.peekSubjectContext();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke2", sc2.getPrincipal().equals(jduke2));
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.popSubjectContext();
      security/test/ClientLoginModuleUnitTestCase.java: SecurityAssociation.SubjectContext sc1 = SecurityAssociation.peekSubjectContext();
      security/test/ClientLoginModuleUnitTestCase.java: assertTrue("SecurityAssociation.peekSubjectContext == jduke1", sc1.getPrincipal().equals(jduke1));
      security/test/SRPLoginModuleUnitTestCase.java:import org.jboss.security.SecurityAssociation;
      security/test/SRPLoginModuleUnitTestCase.java: Principal user = SecurityAssociation.getPrincipal();
      security/test/SRPLoginModuleUnitTestCase.java: byte[] key = (byte[]) SecurityAssociation.getCredential();
      security/test/SAThreadLocalUnitTestCase.java:import org.jboss.security.SecurityAssociation;
      security/test/SAThreadLocalUnitTestCase.java: SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
      security/test/SAThreadLocalUnitTestCase.java: * SecurityAssociation.getSubject() == authSubject
      security/test/SAThreadLocalUnitTestCase.java: * SecurityAssociation.getPrincipal() == authPrincipal
      security/test/SAThreadLocalUnitTestCase.java: Subject s = SecurityAssociation.getSubject();
      security/test/SAThreadLocalUnitTestCase.java: Principal p = SecurityAssociation.getPrincipal();
      security/test/SAThreadLocalUnitTestCase.java: System.setProperty("org.jboss.security.SecurityAssociation.ThreadLocal", "true");
      security/test/SAThreadLocalUnitTestCase.java: SecurityAssociation.setServer();
      security/test/LoginModulesUnitTestCase.java:import org.jboss.security.SecurityAssociation;
      security/test/LoginModulesUnitTestCase.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
      security/test/LoginModulesUnitTestCase.java: Principal saPrincipal = SecurityAssociation.getPrincipal();
      security/test/LoginModulesUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == scott", saPrincipal.equals(scott));
      security/test/LoginModulesUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
      security/test/LoginModulesUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == scott2", saPrincipal.equals(scott2));
      security/test/LoginModulesUnitTestCase.java: saPrincipal = SecurityAssociation.getPrincipal();
      security/test/LoginModulesUnitTestCase.java: assertTrue("SecurityAssociation.getPrincipal == scott", saPrincipal.equals(scott));
      security/test/LoginModulesUnitTestCase.java: SecurityAssociation.setPrincipal(new SimplePrincipal("jduke2"));
      security/test/LoginModulesUnitTestCase.java: SecurityAssociation.setCredential("theduke2".toCharArray());
      security/test/LoginModulesUnitTestCase.java: SecurityAssociationHandler handler = new SecurityAssociationHandler(x509, cert);
      security/test/LoginModulesUnitTestCase.java: SecurityAssociationHandler handler = new SecurityAssociationHandler(x509, cert);
      security/test/SAInheritableThreadLocalUnitTestCase.java:import org.jboss.security.SecurityAssociation;
      security/test/SAInheritableThreadLocalUnitTestCase.java: * Test the expected security context exists via the SecurityAssociation accessors
      security/test/SAInheritableThreadLocalUnitTestCase.java: SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
      security/test/SAInheritableThreadLocalUnitTestCase.java: SecurityAssociation.pushSubjectContext(authSubject, authPrincipal, "theduke");
      security/test/SAInheritableThreadLocalUnitTestCase.java: * SecurityAssociation.getSubject() == authSubject
      security/test/SAInheritableThreadLocalUnitTestCase.java: * SecurityAssociation.getPrincipal() == authPrincipal
      security/test/SAInheritableThreadLocalUnitTestCase.java: Subject s = SecurityAssociation.getSubject();
      security/test/SAInheritableThreadLocalUnitTestCase.java: Principal p = SecurityAssociation.getPrincipal();
      security/test/SAInheritableThreadLocalUnitTestCase.java: System.setProperty("org.jboss.security.SecurityAssociation.ThreadLocal", "false");
      security/test/SAInheritableThreadLocalUnitTestCase.java: SecurityAssociation.setServer();
      security/test/SubjectContextUnitTestCase.java:import org.jboss.security.SecurityAssociation;
      security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
      security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
      security/test/SubjectContextUnitTestCase.java: SecurityAssociation.clear();
      security/test/JaasSecurityManagerUnitTestCase.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
      security/test/JaasSecurityManagerUnitTestCase.java: CallbackHandler handler = new SecurityAssociationHandler(jduke, "theduke".toCharArray());
      security/test/JaasSecurityManagerUnitTestCase.java: CallbackHandler handler = new SecurityAssociationHandler(jduke, "theduke".toCharArray());
      securitymgr/ejb/IOStatelessSessionBean.java:import org.jboss.security.SecurityAssociation;
      securitymgr/ejb/BadBean.java:import org.jboss.security.SecurityAssociation;
      securitymgr/ejb/BadBean.java: return SecurityAssociation.getPrincipal();
      securitymgr/ejb/BadBean.java: return SecurityAssociation.getCredential();
      securitymgr/ejb/BadBean.java: SecurityAssociation.setPrincipal(user);
      securitymgr/ejb/BadBean.java: SecurityAssociation.setCredential(password);
      securitymgr/ejb/BadBean.java: Subject s = SecurityAssociation.getSubject();
      securitymgr/ejb/BadBean.java: Subject s = SecurityAssociation.getSubject();
      securitymgr/ejb/BadBean.java: SecurityAssociation.pushSubjectContext(s, null, null);
      securitymgr/ejb/BadBean.java: SecurityAssociation.popRunAsIdentity();
      securitymgr/ejb/BadBean.java: SecurityAssociation.pushRunAsIdentity(runAs);
      securitymgr/test/SecurityUnitTestCase.java: /** Test that a bean cannot access the SecurityAssociation class
      securitymgr/test/PolicyUnitTestCase.java: /** Test that a bean cannot access the SecurityAssociation class
      securitymgr/test/PolicyUnitTestCase.java: public void testSecurityAssociation() throws Exception
      securitymgr/test/PolicyUnitTestCase.java: log.debug("+++ testSecurityAssociation()");
      web/test/FormAuthUnitTestCase.java: * a SecurityAssociation setting Subject.
      web/security/JASPISecurityFilter.java:import org.jboss.security.auth.callback.SecurityAssociationHandler;
      web/security/JASPISecurityFilter.java: CallbackHandler cbh = new SecurityAssociationHandler();
      web/servlets/SecureServlet.java:import org.jboss.security.SecurityAssociation;
      web/servlets/SecureServlet.java: // Assert that there is a valid SecurityAssociation Subject
      web/servlets/SecureServlet.java: Subject subject = SecurityAssociation.getSubject();
      webservice/jbws309/JBWS309TestCase.java:import org.jboss.security.SecurityAssociation;
      webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setPrincipal(null);
      webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setCredential(null);
      webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setPrincipal(new SimplePrincipal(USERNAME));
      webservice/jbws309/JBWS309TestCase.java: SecurityAssociation.setCredential(PASSWORD);
      


      Some of these are probably running on the server side so the mapping should work?
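To make the client-mode versus server-mode distinction in the post concrete, here is an added example that is not code from the JBoss project or from this thread: a self-contained Java model of the two storage strategies behind the legacy SecurityAssociation API. In client mode one principal is held for the whole JVM (the single login for the entire JVM described above); in server mode the principal is held per thread, which is why a thread that did not log in sees nothing and needs its own association. The class and method names (`AssociationModel`, `NamedPrincipal`, `seenFromNewThread`) are hypothetical stand-ins; the real class also offers the push/pop subject-context stack and the `org.jboss.security.SecurityAssociation.ThreadLocal` switch seen in the grep output, which this model leaves out.

```java
import java.security.Principal;

/**
 * Added illustration, not JBoss code: a minimal model of the two storage
 * strategies behind the legacy SecurityAssociation API. In "client mode" one
 * principal is held for the whole JVM (the single-login case the post
 * describes); in "server mode" the principal is held per thread, so each
 * request thread carries only the caller it was given. All names here are
 * hypothetical stand-ins for the real org.jboss.security classes.
 */
public final class AssociationModel {

    /** Hypothetical stand-in for SimplePrincipal. */
    public static final class NamedPrincipal implements Principal {
        private final String name;
        public NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    private static volatile boolean server = false;

    // Client mode: a single JVM-wide slot shared by every thread.
    private static volatile Principal jvmPrincipal;

    // Server mode: a plain ThreadLocal (deliberately not InheritableThreadLocal),
    // so a thread started after login does not silently inherit the caller.
    private static final ThreadLocal<Principal> threadPrincipal = new ThreadLocal<>();

    /** Switch the association into per-thread (server) mode. */
    public static void setServer() { server = true; }

    public static void setPrincipal(Principal p) {
        if (server) {
            threadPrincipal.set(p);
        } else {
            jvmPrincipal = p;
        }
    }

    public static Principal getPrincipal() {
        return server ? threadPrincipal.get() : jvmPrincipal;
    }

    /** Drop the association for the current thread (server) or the whole JVM (client). */
    public static void clear() {
        if (server) {
            threadPrincipal.remove();
        } else {
            jvmPrincipal = null;
        }
    }

    /** Report the principal that a freshly started thread observes. */
    public static Principal seenFromNewThread() throws InterruptedException {
        Principal[] seen = new Principal[1];
        Thread worker = new Thread(() -> seen[0] = getPrincipal());
        worker.start();
        worker.join();
        return seen[0];
    }

    public static void main(String[] args) throws InterruptedException {
        NamedPrincipal jduke = new NamedPrincipal("jduke"); // constructed sample identity

        // Client mode (the default): one login serves every thread in the JVM.
        setPrincipal(jduke);
        System.out.println("client mode, new thread sees: " + seenFromNewThread());
        clear();

        // Server mode: the login is bound to the thread that performed it, so
        // a new thread starts with no caller and must establish its own.
        setServer();
        setPrincipal(jduke);
        System.out.println("server mode, caller thread sees: " + getPrincipal());
        System.out.println("server mode, new thread sees:    " + seenFromNewThread());
        clear();
    }
}
```

Run with `javac AssociationModel.java && java AssociationModel`. In the client-mode half the worker thread reports the same principal the main thread set, which is the whole-JVM single login the post relies on; in the server-mode half the worker reports no principal at all, which is why server-side code has to bind the caller on each request thread (the "mapping" the post asks about) and why a client that has only the old JVM-wide login gets nothing once the association behaves as if it were on the server.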