Red Hat SummitEste contenido no está disponible en el idioma seleccionado.
Chapter 1. Security Context
The Security Context combines the Authentication, Authorization, Mapping and Auditing aspects of a security-conscious system. The following code is an example interface for the Security Context (
SecurityContext):
package org.jboss.security;
/**
* Encapsulation of Authentication, Authorization, Mapping and other
* security aspects at the level of a security domain
* @author <a href="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
*/
public interface SecurityContext extends Serializable,Cloneable
{
/**
* Authentication Manager for the security domain
*/
public AuthenticationManager getAuthenticationManager();
/**
* Authorization Manager for the security domain
*/
public AuthorizationManager getAuthorizationManager();
/**
* Mapping manager configured with providers
*/
public MappingManager getMappingManager();
/**
* AuditManager configured for the security domain
*/
public AuditManager getAuditManager();
/**
* Context Map
*/
public Map<String,Object> getData();
/**
* Return the Security Domain
*/
public String getSecurityDomain();
/**
* Subject Info
*
* @see SecurityContextUtil#getSubject()
* @see SecurityContextUtil#createSubjectInfo(Principal, Object, Subject)
*/
SubjectInfo getSubjectInfo();
/**
* Subject Info
*
* @see SecurityContextUtil#getSubject()
* @see SecurityContextUtil#createSubjectInfo(Principal, Object, Subject)
*/
void setSubjectInfo(SubjectInfo si);
/**
* RunAs Representation
*
* @see #setRunAs(RunAs)
*/
public RunAs getRunAs();
/**
* Set the current RunAs for the security context that will be
* propagated out to other security context.
*
* RunAs coming into this security context needs to be done
* from SecurityContextUtil.getCallerRunAs/setCallerRunAs
*
* @see SecurityContextUtil#getCallerRunAs()
* @see SecurityContextUtil#setCallerRunAs(RunAs)
*
* @param runAs
*/
public void setRunAs(RunAs runAs);
/**
* Return a utility that is a facade to the internal
* storage mechanism of the Security Context
*
* This utility can be used to store information like
* roles etc in an implementation specific way
* @return
*/
public SecurityContextUtil getUtil();
}
package org.jboss.security;
/**
* Encapsulation of Authentication, Authorization, Mapping and other
* security aspects at the level of a security domain
* @author <a href="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
*/
public interface SecurityContext extends Serializable,Cloneable
{
/**
* Authentication Manager for the security domain
*/
public AuthenticationManager getAuthenticationManager();
/**
* Authorization Manager for the security domain
*/
public AuthorizationManager getAuthorizationManager();
/**
* Mapping manager configured with providers
*/
public MappingManager getMappingManager();
/**
* AuditManager configured for the security domain
*/
public AuditManager getAuditManager();
/**
* Context Map
*/
public Map<String,Object> getData();
/**
* Return the Security Domain
*/
public String getSecurityDomain();
/**
* Subject Info
*
* @see SecurityContextUtil#getSubject()
* @see SecurityContextUtil#createSubjectInfo(Principal, Object, Subject)
*/
SubjectInfo getSubjectInfo();
/**
* Subject Info
*
* @see SecurityContextUtil#getSubject()
* @see SecurityContextUtil#createSubjectInfo(Principal, Object, Subject)
*/
void setSubjectInfo(SubjectInfo si);
/**
* RunAs Representation
*
* @see #setRunAs(RunAs)
*/
public RunAs getRunAs();
/**
* Set the current RunAs for the security context that will be
* propagated out to other security context.
*
* RunAs coming into this security context needs to be done
* from SecurityContextUtil.getCallerRunAs/setCallerRunAs
*
* @see SecurityContextUtil#getCallerRunAs()
* @see SecurityContextUtil#setCallerRunAs(RunAs)
*
* @param runAs
*/
public void setRunAs(RunAs runAs);
/**
* Return a utility that is a facade to the internal
* storage mechanism of the Security Context
*
* This utility can be used to store information like
* roles etc in an implementation specific way
* @return
*/
public SecurityContextUtil getUtil();
}
The
SecurityUtil is associated with the SecurityContext. It provides some utility methods to shield the details of any vendor implementation of the SecurityContext from the implementation. The following code is an example of the SecurityUtil abstract class:
package org.jboss.security;
import java.security.Principal;
import javax.security.auth.Subject;
/**
* General Utility methods for dealing with the SecurityContext
*/
public abstract class SecurityContextUtil
{
protected SecurityContext securityContext = null;
public void setSecurityContext(SecurityContext sc)
{
this.securityContext = sc;
}
/**
* Get the username from the security context
* @return username
*/
public abstract String getUserName();
/**
* Get the user principal the security context
* @return user principal
*/
public abstract Principal getUserPrincipal();
/**
* Get the credential
* @return
*/
public abstract Object getCredential();
/**
* Get the subject the security context
* @return
*/
public abstract Subject getSubject();
/**
* Get the RunAs that was passed into the current security context
* The security context RunAs is the RunAs that will be propagated out of it
* @return
*/
public abstract RunAs getCallerRunAs();
/**
* Set the Caller RunAs in the security context
* Security Context implementations are free to store
* the caller runas in any manner
* @param runAs
*/
public abstract void setCallerRunAs(RunAs runAs);
/**
* Get a holder of subject, runAs and caller RunAs
* @return
*/
public abstract SecurityIdentity getSecurityIdentity();
/**
* Inject subject, runAs and callerRunAs into the security context
* Mainly used by integration code base to cache the security identity
* and put back to the security context
* @param si The SecurityIdentity Object
*/
public abstract void setSecurityIdentity(SecurityIdentity si);
/**
* Get the Roles associated with the user for the
* current security context
* @param <T>
* @return
*/
public abstract <T> T getRoles();
/**
* Set the roles for the user for the current security context
* @param <T>
* @param roles
*/
public abstract <T> void setRoles(T roles);
/**
* Create SubjectInfo and set it in the current security context
* @param principal
* @param credential
* @param subject
*/
public void createSubjectInfo(Principal principal, Object credential,Subject subject)
{
SubjectInfo si = new SubjectInfo(principal, credential, subject);
this.securityContext.setSubjectInfo(si);
}
/**
* Set an object on the Security Context
* The context implementation may place the object in its internal
* data structures (like the Data Map)
* @param <T> Generic Type
* @param sc Security Context Object
* @param key Key representing the object being set
* @param obj
*/
public abstract <T> void set(String key, T obj);
/**
* Return an object from the Security Context
* @param <T>
* @param sc Security Context Object
* @param key key identifies the type of object we are requesting
* @return
*/
public abstract <T> T get(String key);
/**
* Remove an object represented by the key from the security context
* @param <T>
* @param sc Security Context Object
* @param key key identifies the type of object we are requesting
* @return the removed object
*/
public abstract <T> T remove(String key);
}
package org.jboss.security;
import java.security.Principal;
import javax.security.auth.Subject;
/**
* General Utility methods for dealing with the SecurityContext
*/
public abstract class SecurityContextUtil
{
protected SecurityContext securityContext = null;
public void setSecurityContext(SecurityContext sc)
{
this.securityContext = sc;
}
/**
* Get the username from the security context
* @return username
*/
public abstract String getUserName();
/**
* Get the user principal the security context
* @return user principal
*/
public abstract Principal getUserPrincipal();
/**
* Get the credential
* @return
*/
public abstract Object getCredential();
/**
* Get the subject the security context
* @return
*/
public abstract Subject getSubject();
/**
* Get the RunAs that was passed into the current security context
* The security context RunAs is the RunAs that will be propagated out of it
* @return
*/
public abstract RunAs getCallerRunAs();
/**
* Set the Caller RunAs in the security context
* Security Context implementations are free to store
* the caller runas in any manner
* @param runAs
*/
public abstract void setCallerRunAs(RunAs runAs);
/**
* Get a holder of subject, runAs and caller RunAs
* @return
*/
public abstract SecurityIdentity getSecurityIdentity();
/**
* Inject subject, runAs and callerRunAs into the security context
* Mainly used by integration code base to cache the security identity
* and put back to the security context
* @param si The SecurityIdentity Object
*/
public abstract void setSecurityIdentity(SecurityIdentity si);
/**
* Get the Roles associated with the user for the
* current security context
* @param <T>
* @return
*/
public abstract <T> T getRoles();
/**
* Set the roles for the user for the current security context
* @param <T>
* @param roles
*/
public abstract <T> void setRoles(T roles);
/**
* Create SubjectInfo and set it in the current security context
* @param principal
* @param credential
* @param subject
*/
public void createSubjectInfo(Principal principal, Object credential,Subject subject)
{
SubjectInfo si = new SubjectInfo(principal, credential, subject);
this.securityContext.setSubjectInfo(si);
}
/**
* Set an object on the Security Context
* The context implementation may place the object in its internal
* data structures (like the Data Map)
* @param <T> Generic Type
* @param sc Security Context Object
* @param key Key representing the object being set
* @param obj
*/
public abstract <T> void set(String key, T obj);
/**
* Return an object from the Security Context
* @param <T>
* @param sc Security Context Object
* @param key key identifies the type of object we are requesting
* @return
*/
public abstract <T> T get(String key);
/**
* Remove an object represented by the key from the security context
* @param <T>
* @param sc Security Context Object
* @param key key identifies the type of object we are requesting
* @return the removed object
*/
public abstract <T> T remove(String key);
}
The
SecurityContextUtil provides methods that retrieve the user principal and credential, handle the RunAs operation and allow you to use the SecurityContext to store objects by using key pairs.
The
SecurityContextUtil also uses a SecurityIdentity component, which represents the identity of the agent that is interfacing with the security system. It contains the subject and several run-as options, such as RunAs and CallerRunAs:
package org.jboss.security;
import java.security.Principal;
import javax.security.auth.Subject;
//$Id$
/**
* Represents an Identity of an agent interacting with the
* security service. It can be an user or a process. It
* consists of a subject and various run-as
*/
public class SecurityIdentity
{
SubjectInfo theSubject = null;
RunAs runAs = null;
RunAs callerRunAs = null;
public SecurityIdentity(SubjectInfo subject, RunAs runAs, RunAs callerRunAs)
{
this.theSubject = subject;
this.runAs = runAs;
this.callerRunAs = callerRunAs;
}
public Principal getPrincipal()
{
return theSubject != null ? theSubject.getAuthenticationPrincipal() : null;
}
public Object getCredential()
{
return theSubject != null ? theSubject.getAuthenticationCredential(): null;
}
public Subject getSubject()
{
return theSubject != null ? theSubject.getAuthenticatedSubject() : null;
}
public RunAs getRunAs()
{
return runAs;
}
public RunAs getCallerRunAs()
{
return callerRunAs;
}
}
package org.jboss.security;
import java.security.Principal;
import javax.security.auth.Subject;
//$Id$
/**
* Represents an Identity of an agent interacting with the
* security service. It can be an user or a process. It
* consists of a subject and various run-as
*/
public class SecurityIdentity
{
SubjectInfo theSubject = null;
RunAs runAs = null;
RunAs callerRunAs = null;
public SecurityIdentity(SubjectInfo subject, RunAs runAs, RunAs callerRunAs)
{
this.theSubject = subject;
this.runAs = runAs;
this.callerRunAs = callerRunAs;
}
public Principal getPrincipal()
{
return theSubject != null ? theSubject.getAuthenticationPrincipal() : null;
}
public Object getCredential()
{
return theSubject != null ? theSubject.getAuthenticationCredential(): null;
}
public Subject getSubject()
{
return theSubject != null ? theSubject.getAuthenticatedSubject() : null;
}
public RunAs getRunAs()
{
return runAs;
}
public RunAs getCallerRunAs()
{
return callerRunAs;
}
}RunAs differs from CallerRunAs in that it represents the run-as that is leaving the current context. The CallerRunAs represents the run-as method that is entering the security context. The folllowing is a RunAs interface:
package org.jboss.security;
import java.security.Principal;
/**
* Represent an entity X with a proof of identity Y
*/
public interface RunAs extends Principal
{
/**
* Return the identity represented
* @return
*/
public <T> T getIdentity();
/**
* Return the proof of identity
* @return
*/
public <T> T getProof();
}
package org.jboss.security;
import java.security.Principal;
/**
* Represent an entity X with a proof of identity Y
*/
public interface RunAs extends Principal
{
/**
* Return the identity represented
* @return
*/
public <T> T getIdentity();
/**
* Return the proof of identity
* @return
*/
public <T> T getProof();
}
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}