
1   package org.astrogrid.security;
2   
3   import java.util.Set;
4   import javax.security.auth.Subject;
5   import org.apache.axis.MessageContext;
6   
7   
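/**
 * A SecurityGuard specialized for a web service. Objects of
 * this class are used in the implementation methods of the
 * service to get access to the credentials acquired and tested
 * by the handler chain (q.v. {@link ServiceCredentialHandler}).
 *
 * The public, no-argument constructor creates a
 * ServiceSecurityGuard with no credentials (i.e. with an
 * empty JAAS subject). This is not very useful. A service
 * should normally acquire a ServiceSecurityGuard by calling the
 * static method {@link #getInstanceFromContext} which
 * initializes the guard from the JAX-RPC message context.
 *
 * If a client invokes a web-service method with no credentials,
 * then the handler chain for authentication is not triggered.
 * In this case the ServiceSecurityGuard has no credentials
 * in its JAAS Subject. The convenience method
 * {@link #isAnonymous} on the ServiceSecurityGuard checks for
 * this condition.
 *
 * The code in this class performs no authentication of its own: it
 * wraps whatever Subject is stored in the message context and,
 * when none is found, still returns a usable (anonymous) guard.
 * A service operation that must not be available to unauthenticated
 * callers therefore has to call {@link #isAnonymous} and refuse
 * the request itself.
 *
 * If a client calls a service with invalid credentials, then
 * authentication fails in the handler chain. In this case,
 * the service implementation is never called and so the
 * ServiceSecurityGuard does not have methods to deal with
 * the condition.
 *
 * This class uses the Axis implementation of MessageContext
 * to get the current context. It seems to be impossible to get
 * the context of an operation inside a service - i.e. in the
 * implementation of the operation rather than in the handler chain -
 * using only the standard JAX-RPC interfaces.
 *
 * @author Guy Rixon
 */
public class ServiceSecurityGuard extends SecurityGuard {

  /**
   * Constructs a ServiceSecurityGuard with an empty JAAS subject.
   */
  public ServiceSecurityGuard () {
    super();
  }

  /**
   * Constructs a ServiceSecurityGuard with a given JAAS subject.
   *
   * @param s the JAAS subject to wrap; it is passed unchanged to
   *          the SecurityGuard constructor
   */
  public ServiceSecurityGuard (Subject s) {
    super(s);
  }

  /**
   * Constructs a ServiceSecurityGuard and sets its credentials
   * from the message context of the call to the web service.
   *
   * The JAAS subject is read from the "Subject" property of the
   * current Axis message context. If there is no current message
   * context, or the property is not set, the returned guard has
   * an empty subject and {@link #isAnonymous} reports true.
   *
   * @return a guard wrapping the subject found in the context, or
   *         an anonymous guard if none was found; never null
   * @throws ClassCastException if the "Subject" property holds an
   *         object that is not a JAAS Subject
   */
  public static ServiceSecurityGuard getInstanceFromContext () {
    // getCurrentContext() yields null when no Axis invocation is in
    // progress on this thread; treat that as "no credentials" instead
    // of failing with a NullPointerException.
    MessageContext context = MessageContext.getCurrentContext();
    if (context == null) {
      System.out.println("ServiceSecurityGuard: no message context; access is anonymous");
      return new ServiceSecurityGuard();
    }

    // The property is trusted as-is: presumably it is set by the
    // authentication handler chain after the credentials have been
    // checked - confirm that nothing else can write this property.
    // The cast is deliberately unguarded so that a misconfigured
    // chain storing the wrong type fails loudly rather than being
    // downgraded to anonymous access.
    Subject s = (Subject) context.getProperty("Subject");
    if (s == null) {
      // NOTE(review): stdout is not an audit trail; consider routing
      // this through the deployment's logging framework.
      System.out.println("ServiceSecurityGuard: no JAAS subject; access is anonymous");
      return new ServiceSecurityGuard();
    }
    return new ServiceSecurityGuard(s);
  }


  /**
   * Tests whether the current call to the web service is
   * anonymous. The call is considered anonymous if there
   * are no JAAS principals in the JAAS Subject.
   *
   * Only the principals are examined; public and private
   * credentials held by the Subject do not affect the result.
   *
   * @return true if the call is anonymous
   */
  public boolean isAnonymous () {
    // Assumes getGridSubject() never returns null - confirm against SecurityGuard.
    return this.getGridSubject().getPrincipals().isEmpty();
  }

}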