AccessControlContext acContext = AccessController.getContext();
Subject subject = Subject.getSubject(acContext);
// only consult cache if the userID is of the calling subject
if (userIsSubject(userID, subject))
Set<GroupMemberships> gset = subject.getPrivateCredentials(GroupMemberships.class);
if (gset == null || gset.isEmpty())
GroupMemberships mems = new GroupMemberships(serviceID.toString(), userID);
subject.getPrivateCredentials().add(mems);
return mems;
GroupMemberships mems = gset.iterator().next();
// check to ensure they have the same service URI
if (!serviceID.toString().equals(mems.getServiceURI()))
{
log.debug("Not using cache because of differing service URIs: " +
"[" + serviceID.toString() + "][" + mems.getServiceURI() + "]");
return null;
}
return mems;
return null; // no cache
}
protected Group getCachedGroup(Principal userID, String groupID, Role role)
{
List<Group> groups = getCachedGroups(userID, role, false);
if (groups == null)
return null; // no cache
for (Group g : groups)
{
if (g.getID().getName().equals(groupID))
return g;
protected List<Group> getCachedGroups(Principal userID, Role role, boolean complete)
{
GroupMemberships mems = getGroupCache(userID);
if (mems == null)
return null; // no cache
Boolean cacheState = mems.isComplete(role);
if (!complete || Boolean.TRUE.equals(cacheState))
return mems.getMemberships(role);
// caller wanted complete and we don't have that
protected void addCachedGroup(Principal userID, Group group, Role role)
GroupMemberships mems = getGroupCache(userID);
if (mems == null)
return; // no cache
}
protected void setCachedGroups(Principal userID, List<Group> groups, Role role)
GroupMemberships mems = getGroupCache(userID);
if (mems == null)
return; // no cache
protected boolean userIsSubject(Principal userID, Subject subject)
{
if (userID == null || subject == null)
{
return false;
}
for (Principal subjectPrincipal : subject.getPrincipals())
if (AuthenticationUtil.equals(subjectPrincipal, userID))
/**
 * Creates the registry client used to resolve service URLs.
 * A new {@code RegistryClient} is returned on every call; nothing is cached here.
 * Presumably protected so a subclass can supply its own client — verify against callers.
 *
 * @return a freshly constructed {@code RegistryClient}
 */
protected RegistryClient getRegistryClient()
{
    final RegistryClient client = new RegistryClient();
    return client;
}
/**
* Look up the service URL for the given standard. The current AuthMethod
* is taken into account.
*
* @param standard The URI standard to look up.
* @return URL for the service.
* @throws AccessControlException If the URL cannot be found for the
* provided AuthMethod.
*/
private URL lookupServiceURL(final URI standard)
throws AccessControlException
{
Subject subject = AuthenticationUtil.getCurrentSubject();
AuthMethod am = getAuthMethod(subject);
URL serviceURL = getRegistryClient().getServiceURL(this.serviceID, standard, am);
// now that we have a URL we can check if the cookie will actually be sent to it
if (AuthMethod.COOKIE.equals(am))
{
try
{
boolean domainMatch = false;
String domain = NetUtil.getDomainName(serviceURL);
for (SSOCookieCredential cc : subject.getPublicCredentials(SSOCookieCredential.class))
{
if (cc.getDomain().equals(domain))
domainMatch = true;
}
if (!domainMatch)
{
throw new AccessControlException("No valid public credentials.");
}
}
catch(IOException ex)
{
throw new RuntimeException("failure checking domain for cookie use", ex);
}
}
String.format("Unable to get Service URL for '%s', '%s', '%s'",
serviceID.toString(), standard, am));
private AuthMethod getAuthMethod(Subject subject)
// web services use CDP to load a proxy cert so prefer that
X509CertificateChain privateKeyChain = X509CertificateChain.findPrivateKeyChain(
subject.getPublicCredentials());
if (privateKeyChain != null)
return AuthMethod.CERT;
// ui applications pass cookie(s) along
Set sso = subject.getPublicCredentials(SSOCookieCredential.class);
if ( !sso.isEmpty() )
return AuthMethod.COOKIE;
// AuthMethod.PASSWORD not supported
// AuthMethod.TOKEN not supported
throw new AccessControlException("No valid public credentials.");
}
else
{
throw new AccessControlException("Anonymous access not supported.");