Yes, writing a security valve is very simple since J2 uses standard javax.security.Subject for authorization. I have attached the code I use that builds a Subject from our home grown SSO application.
Hth, Scott > -----Original Message----- > From: Randy Watler [mailto:[EMAIL PROTECTED] > Sent: Thursday, April 21, 2005 4:00 PM > To: Jetspeed Users List > Subject: Re: J2 Security Customization > > Santiago, > > There are multiple solutions to this common requirement. The easiest is > probably to implement your own SecurityValve. Just make sure you use the > existing o/a/j/security.impl.SecurityValveImpl.java as a template. Then > there is JAAS... > > Scott can probably comment in more detail. > > Randy > > Santiago Urrizola wrote: > > >Hi, i wan t to change a part of the security model of J2, to adapt they > on mi organization model. > >Basically i need to change the part where J2, > >1 - retrive users from de DataBase. (my own tables, not the default > tables of the j2), and obiously where save new/modified users > >2 - autenticate the passwords of login users > >3 - retrive all groups and roles, and users in a group role. > > > >I see the sources for a while, and see a lot of places where i can change > this, but i dont know where is the correct place (class or classes) to > change it. I see UserManager, and think its posible to create a new > UserManager, but this class dont have full control of the users, i know > tht i need to change the implementor of some interfaces in the *.xml in > the assembly director. > >But can some one tell me how classes i must modify (or create new > implementor for this interaces) ??? > >Thank you very very very very much > > > >Santiago > > > > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED]
/* * Created on Jun 21, 2004 * * TODO To change the template for this generated file go to * Window - Preferences - Java - Code Generation - Code and Comments */ package com.ugs.it.jetspeed.valves; import java.io.IOException; import java.security.Principal; import java.util.ArrayList; import java.util.Collections; import java.util.HashSet; import java.util.Iterator; import java.util.List; import java.util.Set; import javax.security.auth.Subject; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import org.apache.commons.configuration.Configuration; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.jetspeed.pipeline.PipelineException; import org.apache.jetspeed.pipeline.valve.SecurityValve; import org.apache.jetspeed.pipeline.valve.ValveContext; import org.apache.jetspeed.request.RequestContext; import org.apache.jetspeed.security.SecurityHelper; import org.apache.jetspeed.security.UserPrincipal; import org.apache.jetspeed.security.impl.AbstractSecurityValve; import org.apache.jetspeed.security.impl.RolePrincipalImpl; import org.apache.jetspeed.security.impl.UserPrincipalImpl; import org.springframework.beans.BeansException; import org.springframework.beans.factory.BeanFactory; import org.springframework.beans.factory.BeanFactoryAware; import com.ugs.it.jetspeed.security.ProductPrincipal; import com.ugs.it.jetspeed.security.ZonePrincipal; import com.ugs.it.salescentre.user.MissingCookieException; import com.ugs.it.salescentre.user.MissingUserException; import com.ugs.it.salescentre.user.SalesCentreUser; import com.ugs.it.salescentre.util.spring.HttpServletRequestFactoryBean; /** * @author <a href="mailto:[EMAIL PROTECTED]">Scott T. Weaver </a> * */ public class WebKeySecurityValve extends AbstractSecurityValve implements SecurityValve, BeanFactoryAware { protected final String WEBKEY_COOKIE = "WEBKEY_SSO"; protected final Log log = LogFactory.getLog(WebKeySecurityValve.class); protected String webKeyServer; private Configuration config; private BeanFactory beanFactory; public WebKeySecurityValve(Configuration config) { this.config = config; } /** * <p> * invoke * </p> * * @see org.apache.jetspeed.pipeline.valve.Valve#invoke(org.apache.jetspeed.request.RequestContext, * org.apache.jetspeed.pipeline.valve.ValveContext) * @param arg0 * @param arg1 * @throws org.apache.jetspeed.pipeline.PipelineException */ public void invoke(RequestContext rc, ValveContext vc) throws PipelineException { HttpServletRequest request = rc.getRequest(); HttpServletResponse response = rc.getResponse(); HttpServletRequestFactoryBean requestFactoryBean = (HttpServletRequestFactoryBean) beanFactory .getBean("&HttpServletRequest"); requestFactoryBean.setRequest((HttpServletRequest) request); try { SalesCentreUser user = (SalesCentreUser) beanFactory .getBean("SalesCentreUser"); if (isAuthorized(user)) { super.invoke(rc, vc); } else { tellUserUnauthorized(request, response); } } catch (BeansException e) { if (e.getCause().getClass().equals(MissingCookieException.class) || e.getCause().getClass().equals(MissingUserException.class)) { doLogin(request, response); } } } /** * <p> * Notify the user that he is not authorized to access this application. * </p> * * @param request * @param response * @throws PipelineException */ protected void tellUserUnauthorized(HttpServletRequest request, HttpServletResponse response) throws PipelineException { log.info("User is not an authorized WebKey type, blocking access."); try { response.sendRedirect("unauthorized.jsp"); } catch (IOException e) { try { response.sendError(500, "Unauthorized access: " + e.toString()); } catch (IOException e1) { throw new PipelineException( "User is unauthorized, error redirecting: " + e1.toString()); } } } /** * <p> * Prompt the user to login to the application. * </p> * * @param request * @param response * @throws PipelineException */ protected void doLogin(HttpServletRequest request, HttpServletResponse response) throws PipelineException { try { log.debug("Redirecting client at " + request.getRemoteAddr() + " to WebKey login."); response.sendRedirect(webKeyServer + "?url=" + request.getRequestURL()); } catch (IOException e) { try { response.sendError(500, "Unable to redirect WebKey server: " + e.toString()); } catch (IOException e1) { throw new PipelineException( "Unable to send WebKey login error to the client: " + e1.toString()); } } } protected Subject buildSubject(SalesCentreUser scUser) throws MissingCookieException, MissingUserException { Set principals = new HashSet(); UserPrincipalImpl userPrincipal = new UserPrincipalImpl(scUser .getUserName()); principals.add(userPrincipal); addRole("user", principals); List zones = scUser.getZones(); if (zones != null && zones.size() > 0) { Iterator itr = zones.iterator(); while (itr.hasNext()) { String zone = (String) itr.next(); principals.add(new ZonePrincipal(zone)); } } if (scUser.isInternalUser()) { addRole("internal_user", principals); } if (scUser.isLicensedToSellEfactory()) { addProduct("efactory-reseller", principals); } if (scUser.isLicensedToSellMiscellaneous()) { addProduct("misc-reseller", principals); } if (scUser.isLicensedToSellNx()) { addProduct("nx-reseller", principals); } if (scUser.isLicensedToSellPlmComponents()) { addProduct("plm-components-reseller", principals); } if (scUser.isLicensedToSellSolidEdge()) { addProduct("solidedge-reseller", principals); } if (scUser.isLicensedToSellTeamcenter()) { addProduct("teamcenter-reseller", principals); } if (scUser.isExclusiveReseller()) { addRole("plm-exclusive-var-reseller", principals); } if (scUser.isReseller()) { addRole("reseller", principals); } if (scUser.isSolidEdgeOnlyReseller()) { addRole("solidedge-only-reseller", principals); } if(scUser.hasAccess("Admin")) { addRole("admin", principals); } Subject subject = new Subject(true, principals, Collections.EMPTY_SET, Collections.EMPTY_SET); return subject; } private void addRole(String roleName, Set principals) { principals.add(new RolePrincipalImpl(roleName)); } private void addProduct(String productName, Set principals) { principals.add(new ProductPrincipal(productName)); } /** * <p> * initialize * </p> * * @see org.apache.jetspeed.pipeline.valve.Valve#initialize() * @throws org.apache.jetspeed.pipeline.PipelineException */ public void initialize() throws PipelineException { webKeyServer = config.getString("com.ugs.webkey.server", "http://sso.ugs.com/WebkeyLogin/SCAuthenticate";); } /** * * <p> * getSubject * </p> * * @see org.apache.jetspeed.security.impl.AbstractSecurityValve#getSubject(org.apache.jetspeed.request.RequestContext) * @param request * @return */ protected final Subject getSubject(RequestContext request) throws Exception { Subject subject = getSubjectFromSession(request); if (subject == null) { SalesCentreUser user = (SalesCentreUser) beanFactory .getBean("SalesCentreUser"); subject = buildSubject(user); } return subject; } /** * * <p> * getUserPrincipal * </p> * * @see org.apache.jetspeed.security.impl.AbstractSecurityValve#getUserPrincipal(org.apache.jetspeed.request.RequestContext) * @param request * @return */ protected final Principal getUserPrincipal(RequestContext request) throws Exception { return SecurityHelper.getBestPrincipal(getSubject(request), UserPrincipal.class); } /** * <p> * setBeanFactory * </p> * * @see org.springframework.beans.factory.BeanFactoryAware#setBeanFactory(org.springframework.beans.factory.BeanFactory) * @param arg0 * @throws org.springframework.beans.BeansException */ public void setBeanFactory(BeanFactory beanFactory) throws BeansException { this.beanFactory = beanFactory; } /** * <p> * Check whether the user is authorized to access the application or not. * </p> * * @param user * @return boolean */ protected boolean isAuthorized(SalesCentreUser user) { List authorizedTypes = new ArrayList(); authorizedTypes.add("EMPL"); authorizedTypes.add("SDRCVR"); authorizedTypes.add("ALIANC"); authorizedTypes.add("RPRTNR"); authorizedTypes.add("CNTRTR"); for (Iterator iter = authorizedTypes.iterator(); iter.hasNext();) { String type = (String) iter.next(); if (type.equals(user.getType())) { return true; } } return false; } }
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
