Hi Everyone,
Attached is a patch I'd be interested in discussing. This is basically
input to the "use Shiro for all security vs. filters" discussion.
Kevin.
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestGroupResolver.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestGroupResolver.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestGroupResolver.java
(revision )
@@ -0,0 +1,36 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+
+// Example implementation of a GroupResolver.
+// This just adds -group to the end of the input principal name and adds a new
GroupPrincipal.
+// Need to better understand what the things like the LdapRealm do for group.
+// It definitely doesn't add GroupPrincipal instances. There must be some
convention.
+public class TestGroupResolver implements GroupResolver {
+
+ @Override
+ public PrincipalCollection resolveGroups( String principalName, String
realmName ) {
+ GroupPrincipal group = new GroupPrincipal( principalName + "-group" );
+ PrincipalCollection principals = new SimplePrincipalCollection( group,
realmName );
+ return principals;
+ }
+
+}
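Review bot: TestGroupResolver, like the other Test* classes this patch adds (TestAuthorizer, TestAuthenticator, TestLoginFilter, TestAccessFilter, TestRolePermissionResolver, TestPrincipalMapper, TestRoleResolver), is created under `src/main/java`, so it would presumably be compiled into the provider artifact rather than kept with test code. If these are meant only as discussion examples, `src/test/java` or a separate samples module would keep them out of a deployable gateway. In `resolveGroups` itself a null `principalName` silently yields a group named `null-group`; a guard such as `if( principalName == null ) return new SimplePrincipalCollection();` would avoid that.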
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestAuthorizer.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestAuthorizer.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestAuthorizer.java
(revision )
@@ -0,0 +1,58 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.authz.SimpleAuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+
+import java.util.Set;
+
+// An extension to AuthorizingRealm to allow for RoleResolver.
+// This should really be pushed down into the base classes.
+// In addition the SecurityManager should support a global RoleResolver.
+public class TestAuthorizer extends AuthorizingRealm {
+
+ private RoleResolver roleResolver;
+
+ public void setRoleResolver( RoleResolver roleResolver ) {
+ this.roleResolver = roleResolver;
+ }
+
+ @Override
+ public boolean supports( AuthenticationToken token ) {
+ return false;
+ }
+
+ @Override
+ protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken
token ) throws AuthenticationException {
+ throw new AuthenticationException();
+ }
+
+ @Override
+ protected AuthorizationInfo doGetAuthorizationInfo( PrincipalCollection
principals ) {
+ Set<String> roles = roleResolver.resolveRoles( principals, getName() );
+ SimpleAuthorizationInfo info = new SimpleAuthorizationInfo( roles );
+ return info;
+ }
+
+}
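Review bot: `doGetAuthorizationInfo` dereferences `roleResolver` without checking that `setRoleResolver` was ever called, so a configuration that omits the `roleResolver` property fails with a NullPointerException during an authorization check rather than with a clear configuration error. I would add `if( roleResolver == null ) throw new IllegalStateException( "roleResolver is not configured" );` at the top of the method, or validate it once at initialisation. A short class comment saying that this realm never authenticates (`supports` returns false) and exists only to contribute roles would also help readers of the provider configuration.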
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestAuthenticator.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestAuthenticator.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestAuthenticator.java
(revision )
@@ -0,0 +1,66 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.realm.AuthenticatingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+import org.apache.shiro.subject.SimplePrincipalCollection;
+
+// An extension to AuthenticatingRealm to allow for GroupResolver and
PrincipalMapper
+// This should really be pushed down into the base classes.
+// In addition the SecurityManager should support global GroupResolver and
PrincipalMapper
+public class TestAuthenticator extends AuthenticatingRealm {
+
+ private GroupResolver groupResolver;
+ private PrincipalMapper principalMapper;
+
+ public void setGroupResolver( GroupResolver groupResolver ) {
+ this.groupResolver = groupResolver;
+ }
+
+ public void setPrincipalMapper( PrincipalMapper principalMapper ) {
+ this.principalMapper = principalMapper;
+ }
+
+ @Override
+ public boolean supports( AuthenticationToken token ) {
+ boolean result = token != null && token instanceof UsernamePasswordToken;
+ return result;
+ }
+
+ @Override
+ protected AuthenticationInfo doGetAuthenticationInfo( AuthenticationToken
token ) throws AuthenticationException {
+ UsernamePasswordToken upToken = (UsernamePasswordToken)token;
+ String uName = upToken.getUsername();
+ String pWord = new String( upToken.getPassword() );
+ if( pWord.equals( uName + "-password" ) ) {
+ SimplePrincipalCollection principals = new SimplePrincipalCollection(
uName, getName() );
+ principals.addAll( groupResolver.resolveGroups( uName, getName() ) );
+ PrincipalCollection mappedPrincipals = principalMapper.mapPrincipals(
principals );
+ return new SimpleAuthenticationInfo( mappedPrincipals,
upToken.getCredentials() );
+ } else {
+ throw new AuthenticationException();
+ }
+ }
+
+}
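Review bot: The only credential check in `doGetAuthenticationInfo` is `pWord.equals( uName + "-password" )`, so the accepted password is derivable from the username, and the returned `SimpleAuthenticationInfo` carries `upToken.getCredentials()`, which means the realm's credentials matcher appears to compare the submitted credentials with themselves. That is fine for a demonstration, but the class comment should say explicitly that this realm provides no real authentication and must not be configured in a deployed topology. Separately, `upToken.getPassword()` can be null, which makes `new String( ... )` throw a NullPointerException, and `groupResolver` / `principalMapper` are used without a null check; `if( upToken.getPassword() == null ) throw new AuthenticationException();` before the conversion would cover the first case.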
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestLoginFilter.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestLoginFilter.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestLoginFilter.java
(revision )
@@ -0,0 +1,51 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.web.filter.authc.AuthenticatingFilter;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+
+// This is an example of a AuthenticatingFilter that can grab credentials from
somewhere and "login".
+// In this case the user.name query parameter is being used and "-password" is
added to it as the password.
+// In reality this would be something like a JWT or the hadoop.auth cookie.
+public class TestLoginFilter extends AuthenticatingFilter {
+
+ @Override
+ protected boolean onAccessDenied( ServletRequest request, ServletResponse
response ) throws Exception {
+ boolean result = executeLogin( request, response );
+ return result;
+ }
+
+ @Override
+ protected AuthenticationToken createToken( ServletRequest request,
ServletResponse response ) throws Exception {
+ final String METHOD = "createToken";
+ AuthenticationToken token = null;
+ if( request != null && request instanceof HttpServletRequest ) {
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+ String username = httpRequest.getParameter( "user.name" );
+ token = new UsernamePasswordToken( username, username + "-password" );
+ }
+ return token;
+ }
+
+}
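Review bot: `createToken` does not handle a request without a `user.name` parameter: `getParameter` returns null and the token is built from a null username and the literal password `null-password`. I would check for a missing or empty parameter and reject the request with a 401 in `onAccessDenied` before calling `executeLogin`, since returning a null token from `createToken` is, as far as I recall, treated by `executeLogin` as an error rather than as a failed login. `onAccessDenied` also returns the result of `executeLogin` without setting a response status when the login fails, and the local `METHOD` constant is never used and can be dropped.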
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestAccessFilter.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestAccessFilter.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestAccessFilter.java
(revision )
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.web.filter.authz.PermissionsAuthorizationFilter;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+// This simply creates a permission string based on the request.
+// Shiro then matches this against the permission returned by the
TestRolePermissionResolver
+public class TestAccessFilter extends PermissionsAuthorizationFilter {
+
+ @Override
+ public boolean isAccessAllowed( ServletRequest request, ServletResponse
response, Object mappedValue ) throws IOException {
+ HttpServletRequest httpRequest = (HttpServletRequest)request;
+ String permission = httpRequest.getMethod() + ":" +
httpRequest.getRequestURI();
+ String[] permissions = new String[]{ permission };
+ boolean result = super.isAccessAllowed( request, response, permissions );
+ return result;
+ }
+
+}
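Review bot: `isAccessAllowed` builds the permission as `getMethod() + ":" + getRequestURI()` and hands it to Shiro's wildcard permission matching, where `:` and `,` are delimiters, `*` is a wildcard and comparison is case-insensitive by default, so a raw, undecoded request URI is not compared as a single opaque path. I would normalise the path and either reject or escape those characters before building the string, or use a dedicated `Permission` implementation that compares method and path explicitly. The cast `(HttpServletRequest)request` is also unchecked here, whereas TestLoginFilter tests `instanceof` first, and the configured `mappedValue` is silently ignored, which deserves a comment.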
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/PrincipalMapper.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/PrincipalMapper.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/PrincipalMapper.java
(revision )
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.subject.PrincipalCollection;
+
+// This is likely something that we would need to add to Shiro so that all
AuthenticatingRealms could do this.
+// This and GroupResolver are really the same thing but keeping them separate
allows for better composability.
+public interface PrincipalMapper {
+
+ PrincipalCollection mapPrincipals( PrincipalCollection principals );
+
+}
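Review bot: The PrincipalMapper interface, and likewise GroupResolver and RoleResolver later in this patch, has no Javadoc stating its contract, which matters because TestAuthenticator and TestAuthorizer use the results directly. I would document on `mapPrincipals` whether the returned collection may be the input instance, whether it may be null or empty, and whether implementations may drop principals, for example `/** Maps authenticated principals to the principals the gateway should use; never returns null. */`. The equivalent statements for `resolveGroups` and `resolveRoles` should say what is returned when nothing is resolved.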
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/GroupResolver.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/GroupResolver.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/GroupResolver.java
(revision )
@@ -0,0 +1,28 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.subject.PrincipalCollection;
+
+// This is likely something that we would need to add to Shiro so that all
AuthenticatingRealms could do this.
+// This and PrincipalMapper are really the same thing but keeping them
separate allows for better composability.
+public interface GroupResolver {
+
+ PrincipalCollection resolveGroups( String principal, String realmName );
+
+}
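Review bot: The first parameter of `resolveGroups` is named `principal` here but `principalName` in TestGroupResolver, and since it is a String rather than a principal object the implementation's name is the clearer one. I would rename it, `PrincipalCollection resolveGroups( String principalName, String realmName );`, so the interface itself shows that a name is expected.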
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestRolePermissionResolver.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestRolePermissionResolver.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestRolePermissionResolver.java
(revision )
@@ -0,0 +1,40 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.authz.Permission;
+import org.apache.shiro.authz.permission.RolePermissionResolver;
+import org.apache.shiro.authz.permission.WildcardPermission;
+
+import java.util.Collection;
+import java.util.HashSet;
+
+// An example of a RolePermissionResolver.
+// This one hard codes a few HTTP methods and URLs.
+// In reality this would be driver from a config file where roles were mapped
to permissions.
+public class TestRolePermissionResolver implements RolePermissionResolver {
+
+ @Override
+ public Collection<Permission> resolvePermissionsInRole( String roleString ) {
+ HashSet<Permission> permissions = new HashSet<Permission>();
+ permissions.add( new WildcardPermission(
"GET:/gateway/sandbox/webhdfs/v1/" ) );
+ permissions.add( new WildcardPermission(
"GET:/gateway/sandbox/webhdfs/v1/user/guest" ) );
+ return permissions;
+ }
+
+}
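Review bot: `resolvePermissionsInRole` ignores its `roleString` argument and returns the same two GET permissions for every role, so any role at all grants them. Since the class is described as an example, a comment on the method such as `// roleString is intentionally ignored: every role receives the same hard-coded permissions` would make that explicit; a real resolver would look the permissions up by role. The local could also be declared as `Collection<Permission>` rather than `HashSet<Permission>`.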
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/RoleResolver.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/RoleResolver.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/RoleResolver.java
(revision )
@@ -0,0 +1,29 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.subject.PrincipalCollection;
+
+import java.util.Set;
+
+// This is likely something that we would need to add to Shiro so that all
AuthorizingRealms could do this.
+public interface RoleResolver {
+
+ Set<String> resolveRoles( PrincipalCollection principals, String realmName );
+
+}
Index: gateway-release/home/deployments/sandbox.xml
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- gateway-release/home/deployments/sandbox.xml (revision
ef58c3d655893884f32502044a62039851e78462)
+++ gateway-release/home/deployments/sandbox.xml (revision )
@@ -23,35 +23,23 @@
<role>authentication</role>
<name>ShiroProvider</name>
<enabled>true</enabled>
- <param>
- <!--
- session timeout in minutes, this is really idle timeout,
- defaults to 30mins, if the property value is not defined,,
- current client authentication would expire if client idles
contiuosly for more than this value
- -->
- <name>sessionTimeout</name>
- <value>30</value>
- </param>
- <param>
- <name>main.ldapRealm</name>
- <value>org.apache.shiro.realm.ldap.JndiLdapRealm</value>
- </param>
- <param>
- <name>main.ldapRealm.userDnTemplate</name>
- <value>uid={0},ou=people,dc=hadoop,dc=apache,dc=org</value>
- </param>
- <param>
- <name>main.ldapRealm.contextFactory.url</name>
- <value>ldap://localhost:33389</value>
- </param>
- <param>
-
<name>main.ldapRealm.contextFactory.authenticationMechanism</name>
- <value>simple</value>
- </param>
- <param>
- <name>urls./**</name>
- <value>authcBasic</value>
- </param>
+
+
<param><name>main.testGroupResolver</name><value>org.apache.hadoop.gateway.security.shiro.realm.TestGroupResolver</value></param>
+
<param><name>main.testPrincipalMapper</name><value>org.apache.hadoop.gateway.security.shiro.realm.TestPrincipalMapper</value></param>
+
<param><name>main.testAuthenticator</name><value>org.apache.hadoop.gateway.security.shiro.realm.TestAuthenticator</value></param>
+
<param><name>main.testAuthenticator.groupResolver</name><value>$testGroupResolver</value></param>
+
<param><name>main.testAuthenticator.principalMapper</name><value>$testPrincipalMapper</value></param>
+
+
<param><name>main.testRoleResolver</name><value>org.apache.hadoop.gateway.security.shiro.realm.TestRoleResolver</value></param>
+
<param><name>main.testRolePermissionResolver</name><value>org.apache.hadoop.gateway.security.shiro.realm.TestRolePermissionResolver</value></param>
+
<param><name>main.testAuthorizer</name><value>org.apache.hadoop.gateway.security.shiro.realm.TestAuthorizer</value></param>
+
<param><name>main.testAuthorizer.roleResolver</name><value>$testRoleResolver</value></param>
+
<param><name>main.testAuthorizer.rolePermissionResolver</name><value>$testRolePermissionResolver</value></param>
+
+
<param><name>main.testLoginFilter</name><value>org.apache.hadoop.gateway.security.shiro.realm.TestLoginFilter</value></param>
+
<param><name>main.testAccessFilter</name><value>org.apache.hadoop.gateway.security.shiro.realm.TestAccessFilter</value></param>
+
+
<param><name>urls./**</name><value>testLoginFilter,testAccessFilter</value></param>
</provider>
<provider>
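Review bot: This hunk replaces the LDAP realm and the `authcBasic` filter in the sandbox topology shipped from `gateway-release` with the Test* classes, so `urls./**` is now guarded by `testLoginFilter,testAccessFilter`, which take the identity from a request parameter rather than from verified credentials. If the patch is for discussion only, I would leave `sandbox.xml` unchanged and put this configuration in a separate, clearly named sample topology. The hunk also drops the `sessionTimeout` parameter together with its comment, which looks unrelated to the experiment and is worth restoring or explaining.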
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestPrincipalMapper.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestPrincipalMapper.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestPrincipalMapper.java
(revision )
@@ -0,0 +1,31 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.subject.PrincipalCollection;
+
+// An example implementation of a PrincipalMapper.
+// This one does nothing and returns the input.
+public class TestPrincipalMapper implements PrincipalMapper {
+
+ @Override
+ public PrincipalCollection mapPrincipals( PrincipalCollection principals ) {
+ return principals;
+ }
+
+}
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestRoleResolver.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestRoleResolver.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/TestRoleResolver.java
(revision )
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import org.apache.shiro.subject.PrincipalCollection;
+
+import java.security.Principal;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+
+// An example of a RoleResolver.
+// In this case it simply adds a role with "-role" to the every principal name.
+// In reality this would either be driven from a config file or not necessary
as all if the AuthenticatingRealm supported groups.
+public class TestRoleResolver implements RoleResolver {
+
+ @Override
+ public Set<String> resolveRoles( PrincipalCollection principals, String
realmName ) {
+ Set<String> roles = new HashSet<String>();
+ Iterator i = principals.iterator();
+ while( i.hasNext() ) {
+ Object o = i.next();
+ String n = toPrincipalName( o );
+ String r = n + "-role";
+ roles.add( r );
+ }
+ return roles;
+ }
+
+ private String toPrincipalName( Object o ) {
+ if( o == null ) {
+ return null;
+ } else if ( o instanceof String ) {
+ return (String)o;
+ } else if ( o instanceof Principal ) {
+ return ((Principal)o).getName();
+ } else {
+ return o.toString();
+ }
+ }
+
+}
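Review bot: `resolveRoles` adds a role for every element of `principals` even when `toPrincipalName` returns null, which produces the role `null-role`, and it iterates with a raw `Iterator`. I would write the loop as `for( Object o : principals )` and skip unnamed principals with `if( n != null ) roles.add( n + "-role" );`. The `realmName` argument is not used, so roles are derived from the principals of every realm (group principals included); if that is intended, a comment should say so.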
Index:
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/GroupPrincipal.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
---
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/GroupPrincipal.java
(revision )
+++
gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/security/shiro/realm/GroupPrincipal.java
(revision )
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.hadoop.gateway.security.shiro.realm;
+
+import java.security.Principal;
+
+// This is just used as a way to keep user principals separate from group
principals.
+// The Shiro docs seem to suggest prefixing this type of principal with
something like "group:".
+// This approach seems more in line with java.security.
+public class GroupPrincipal implements Principal {
+
+ private String name;
+
+ public GroupPrincipal( String name ) {
+ this.name = name;
+ }
+
+ @Override
+ public String getName() {
+ return name;
+ }
+
+}
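Review bot: GroupPrincipal does not override `equals` and `hashCode`, so two instances created for the same group name are different objects to any set-based principal store or `contains` check, and a group resolved twice would appear twice. I would add both methods based on `name`, as sketched below, and make the `name` field `final`. If principal collections are serialized for sessions in this deployment the class probably also needs to implement `java.io.Serializable`, which should be confirmed.

```java
public class GroupPrincipal implements Principal {
  // … unchanged: name field, constructor, getName() …

  @Override
  public boolean equals( Object other ) {
    if( this == other ) {
      return true;
    }
    if( !( other instanceof GroupPrincipal ) ) {
      return false;
    }
    String otherName = ((GroupPrincipal)other).name;
    return name == null ? otherName == null : name.equals( otherName );
  }

  @Override
  public int hashCode() {
    return name == null ? 0 : name.hashCode();
  }
```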