
1   package org.astrogrid.security;
2   
3   import java.util.Set;
4   import java.security.Principal;
5   import javax.security.auth.Subject;
6   
7   
8   /***
9    * Access to the security credentials pertaining to web-service operations.
10   *
11   * This is a Java-bean class in which the properties are various
12   * credentials for secured messaging. It is a standard way, within its
13   * package, of passing credentials within the same JVM.
14   *
15   * Applications may use this class directly, but are more likely to
16   * use one of the two subclasses {@link ClientSecurityGuard} and
17   * {@link ServiceSecurityGuard}. The latter two classes add methods
18   * to interact with JAX-RPC handler-chains and thus to use the
19   * credentials in SOAP messages.
20   *
21   * The SecurityGuard maintains two sets of credentials: "single-sign-on"
22   * (SSO) and "grid".  The SSO credentials are used to sign on to the
23   * grid via some portal that manages user accounts. The grid credentials
24   * are used to authenticate messages to services in the grid. A user
25   * obtains the grid credentials by signing on with the SSO credentials.
26   *
27   * The two sets of credentials are stored in a pair of JAAS Subjects.
28   * These are available to applications as the properties ssoSubject and
29   * gridSubject. Note that these properties may be got but not set; a
30   * caller is not allowed to impose a complete new subject or to make
31   * a subject null.  However, a caller may get a reference to one of the
32   * subjects and change that subject's contents.
33   *
34   * @see {@link ClientSecurityGuard}
35   * @see {@link ServiceSecurityGuard}
36   *
37   * @author Guy Rixon
38   */
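public class SecurityGuard {

  /**
   * The JAAS subject for grid credentials. Holds the account-name
   * principal and the password / nonce-token private credentials set
   * through the accessors of this class.
   */
  protected Subject gridSubject;

  /**
   * The JAAS subject for single-sign-on credentials. The SSO accessors
   * below do not yet use it; they delegate to the grid subject (see the
   * TODOs on those methods).
   */
  protected Subject ssoSubject;


  /**
   * Constructs a SecurityGuard with empty JAAS subjects.
   */
  public SecurityGuard () {
    this.gridSubject = new Subject();
    this.ssoSubject  = new Subject();
  }


  /**
   * Constructs a SecurityGuard with a given JAAS subject for grid
   * credentials. No SSO credentials are set. The guard keeps a
   * reference to the given subject, not a copy, so later changes to
   * the subject are visible through this guard and vice versa.
   *
   * @param s the subject holding the grid credentials
   * @throws IllegalArgumentException if s is null; the subject
   *         properties of this class are documented as never null,
   *         so the invariant is enforced here rather than failing
   *         later with a NullPointerException in an accessor
   */
  public SecurityGuard (Subject s) {
    if (s == null) {
      throw new IllegalArgumentException("grid subject must not be null");
    }
    this.gridSubject = s;
    this.ssoSubject  = new Subject();
  }


  /**
   * Returns the JAAS Subject for grid credentials.
   * The Subject contains the credentials and "principals"
   * (i.e. identities) already set on the SecurityGuard.
   * If this method is called immediately after construction
   * then an empty Subject is returned. Note that altering
   * the returned subject alters the information
   * inside the SecurityGuard.
   *
   * @return the subject (never null)
   */
  public Subject getGridSubject () {
    return this.gridSubject;
  }

  /**
   * Returns the JAAS Subject for single-sign-on credentials.
   * The Subject contains the credentials and "principals"
   * (i.e. identities) already set on the SecurityGuard.
   * If this method is called immediately after construction
   * then an empty Subject is returned. Note that altering
   * the returned subject alters the information
   * inside the SecurityGuard.
   *
   * @return the subject (never null)
   */
  public Subject getSsoSubject () {
    return this.ssoSubject;
  }


  /**
   * Sets the username property. Any AccountName principal already
   * present in the grid subject is replaced, so the subject never
   * carries more than one account name and {@link #getUsername()}
   * returns the name most recently set.
   *
   * @param name the user-name
   */
  public void setUsername (String name) {
    Set principals = this.gridSubject.getPrincipals();
    // getPrincipals(Class) returns a fresh copy, so removing its members
    // from the live principal set cannot disturb the iteration.
    principals.removeAll(this.gridSubject.getPrincipals(AccountName.class));
    principals.add(new AccountName(name));
  }

  /**
   * Returns the username property.
   * Only AccountName principals are considered; any other kind of
   * Principal that a subclass or caller may have added to the grid
   * subject (for example one derived from a certificate) is not
   * mistaken for the account name.
   *
   * @return the user-name (may be null if the property is not set)
   */
  public String getUsername () {
    Set names = this.gridSubject.getPrincipals(AccountName.class);
    if (names.isEmpty()) {
      return null;
    }
    return ((Principal) names.iterator().next()).getName();
  }


  /**
   * Sets the password property. Any Password credential already
   * present in the grid subject is replaced, so that changing the
   * password does not leave the previous secret in the subject and
   * {@link #getPassword()} does not return a stale value.
   *
   * This is best-effort: if the Password cannot be constructed or
   * stored, the failure is swallowed and the password is simply not
   * set, so a later getPassword() returns the previous value or null.
   * NOTE(review): callers cannot detect that case; the failure should
   * be surfaced once the exceptions thrown by the Password constructor
   * are pinned down.
   *
   * @param word the plaintext password
   */
  public void setPassword (String word) {
    try {
      // Second argument's meaning is defined by Password; presumably a
      // "hashed" flag, so false means the word is stored as plaintext.
      Password p = new Password(word, false);
      Set credentials = this.gridSubject.getPrivateCredentials();
      credentials.removeAll(this.gridSubject.getPrivateCredentials(Password.class));
      credentials.add(p);
    }
    catch (Exception e) {
      // Deliberately ignored; see the Javadoc above for the consequence.
      // This is a horrible kludge; needs refactoring out.
    }
  }

  /**
   * Returns the password property as plaintext. The value is a secret:
   * callers should not log it or include it in error messages.
   *
   * @return the password (may be null if the property is not set)
   */
  public String getPassword () {
    Set passwords = this.gridSubject.getPrivateCredentials(Password.class);
    if (passwords.isEmpty()) {
      return null;
    }
    return ((Password) passwords.iterator().next()).getPlainPassword();
  }


  /**
   * Sets an AstroGrid security token. The token as a whole is set as
   * a private credential and the account name derived from the token
   * is set as a Principal (via {@link #setUsername(String)}, so it
   * replaces any account name set earlier). Any NonceToken credential
   * already present is replaced so that {@link #getNonceToken()}
   * returns the token most recently set.
   *
   * @param t the token
   * @throws NullPointerException if t is null
   */
  public void setNonceToken(NonceToken t) {
    if (t == null) {
      throw new NullPointerException("token must not be null");
    }
    Set credentials = this.gridSubject.getPrivateCredentials();
    credentials.removeAll(this.gridSubject.getPrivateCredentials(NonceToken.class));
    credentials.add(t);
    this.setUsername(t.getAccount());
  }


  /**
   * Returns an AstroGrid security token.
   *
   * @return the token (null if no token is set)
   */
  public NonceToken getNonceToken () {
    Set tokens = this.gridSubject.getPrivateCredentials(NonceToken.class);
    if (tokens.isEmpty()) {
      return null;
    }
    return (NonceToken) tokens.iterator().next();
  }


  /**
   * Sets the account name for single sign on.
   * This account name is used when the user first
   * signs on to the grid. It may be different to the
   * account name used in authenticating to services
   * within the grid.
   *
   * Until the SSO subject is used, this shares storage with
   * {@link #setUsername(String)}: setting one replaces the other.
   *
   * @Todo store this name in a separate SSO Subject.
   *
   * @param name the account name
   */
  public void setSsoUsername (String name) {
    this.setUsername(name);
  }

  /**
   * Retrieves the account name for single sign on.
   * This account name is used when the user first
   * signs on to the grid. It may be different to the
   * account name used in authenticating to services
   * within the grid.
   *
   * Until the SSO subject is used, this returns the same value as
   * {@link #getUsername()}.
   *
   * @Todo store this name in a separate SSO Subject.
   *
   * @return the account name (may be null if not set)
   */
  public String getSsoUsername () {
    return this.getUsername();
  }


  /**
   * Sets the password for single sign on.
   * This password is used when the user first
   * signs on to the grid. It may be different to the
   * password used in authenticating to services
   * within the grid.
   *
   * Until the SSO subject is used, this shares storage with
   * {@link #setPassword(String)}: setting one replaces the other.
   *
   * @Todo store this password in a separate SSO Subject.
   *
   * @param word the password
   */
  public void setSsoPassword (String word) {
    this.setPassword(word);
  }

  /**
   * Retrieves the password for single sign on.
   * This password is used when the user first
   * signs on to the grid. It may be different to the
   * password used in authenticating to services
   * within the grid.
   *
   * Until the SSO subject is used, this returns the same value as
   * {@link #getPassword()}; it is a secret and must not be logged.
   *
   * @Todo store this password in a separate SSO Subject.
   *
   * @return the password (may be null if not set)
   */
  public String getSsoPassword () {
    return this.getPassword();
  }

}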