From dillido...@apache.org
Subject git commit: KNOX-214 : ShiroSubjectIdentityAdapter needs to map ldap groups looked up by shiro to java subject principals
Date Tue, 03 Dec 2013 00:42:58 GMT
Updated Branches:
  refs/heads/master 88b31cf54 -> ad6a2aa76


KNOX-214 : ShiroSubjectIdentityAdapter needs to map ldap groups looked up by shiro to java
subject principals


Project: http://git-wip-us.apache.org/repos/asf/incubator-knox/repo
Commit: http://git-wip-us.apache.org/repos/asf/incubator-knox/commit/ad6a2aa7
Tree: http://git-wip-us.apache.org/repos/asf/incubator-knox/tree/ad6a2aa7
Diff: http://git-wip-us.apache.org/repos/asf/incubator-knox/diff/ad6a2aa7

Branch: refs/heads/master
Commit: ad6a2aa769e5184e1f6df92b5d303e045aba686b
Parents: 88b31cf
Author: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Authored: Mon Dec 2 16:41:52 2013 -0800
Committer: Dilli Dorai Arumugam <darumugam@hortonworks.com>
Committed: Mon Dec 2 16:41:52 2013 -0800

----------------------------------------------------------------------
 .../filter/ShiroSubjectIdentityAdapter.java     | 37 +++++++++++++++-----
 1 file changed, 28 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/incubator-knox/blob/ad6a2aa7/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
----------------------------------------------------------------------
diff --git a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
index 44a01ce..7812056 100644
--- a/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
+++ b/gateway-provider-security-shiro/src/main/java/org/apache/hadoop/gateway/filter/ShiroSubjectIdentityAdapter.java
@@ -17,8 +17,12 @@
  */
 package org.apache.hadoop.gateway.filter;
 
-import org.apache.shiro.SecurityUtils;
-import org.apache.shiro.subject.Subject;
+import java.io.IOException;
+import java.security.Principal;
+import java.security.PrivilegedExceptionAction;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.concurrent.Callable;
 
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
@@ -26,16 +30,15 @@ import javax.servlet.FilterConfig;
 import javax.servlet.ServletException;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
-import java.io.IOException;
-import java.security.Principal;
-import java.security.PrivilegedExceptionAction;
-import java.util.HashSet;
-import java.util.Set;
-import java.util.concurrent.Callable;
 
+import org.apache.hadoop.gateway.security.GroupPrincipal;
 import org.apache.hadoop.gateway.security.PrimaryPrincipal;
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.subject.Subject;
 
 public class ShiroSubjectIdentityAdapter implements Filter {
+  
+  private static final String SUBJECT_USER_GROUPS = "subject.userGroups";
 
   @Override
   public void init( FilterConfig filterConfig ) throws ServletException {
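Review bot: The new `SUBJECT_USER_GROUPS` constant is a contract with whatever realm writes the session attribute, but nothing in the class says so; a reader has to find the cast later in the file to learn the expected type. Add a Javadoc on the field such as `/** Session attribute under which the authorization realm is expected to store the user's LDAP group names as a Set<String>; read when building the Java Subject. */` — the "expected" is deliberate, since the writer is not visible in this commit. The string literal itself should match the realm side exactly, so a shared constant would be safer than duplicating it there.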
@@ -46,7 +49,14 @@ public class ShiroSubjectIdentityAdapter implements Filter {
 
   public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)

       throws IOException, ServletException {
-    final String principalName = (String) SecurityUtils.getSubject().getPrincipal();
+    
+    Subject subject = SecurityUtils.getSubject();
+    
+    // trigger call to shiro authorization realm
+    // we use shiro authorization realm to look up groups
+    subject.hasRole("authenticatedUser");
+    
+    final String principalName = (String) subject.getPrincipal();
 
     CallableChain callableChain = new CallableChain(request, response, chain);
     SecurityUtils.getSubject().execute(callableChain);
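Review bot: `subject.hasRole("authenticatedUser")` is called purely for its side effect and its boolean result is discarded, which reads like a forgotten check; the comment should say explicitly that the value is intentionally ignored and that the call only exists to force the authorization realm to run and populate `SUBJECT_USER_GROUPS` in the session, e.g. `// result intentionally ignored: the call only triggers the authorization realm, which populates SUBJECT_USER_GROUPS`. The role name is a magic string in the same way as the session key; lift it to a `private static final String` beside `SUBJECT_USER_GROUPS`. Two lines down the code re-resolves the subject with `SecurityUtils.getSubject().execute(callableChain);` although `subject` is already in hand — `subject.execute(callableChain);` avoids the second thread-local lookup. `doFilter` continues past the end of the hunk.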
@@ -79,6 +89,15 @@ public class ShiroSubjectIdentityAdapter implements Filter {
       Principal p = new PrimaryPrincipal(principal);
       principals.add(p);
       
+      // map ldap groups saved in session to Java Subject GroupPrincipal(s)
+      if (SecurityUtils.getSubject().getSession().getAttribute(SUBJECT_USER_GROUPS) != null)
{
+        Set<String> userRoles = (Set<String>)SecurityUtils.getSubject().getSession().getAttribute(SUBJECT_USER_GROUPS);
+        for (String userRole : userRoles) {
+          Principal gp = new GroupPrincipal(userRole);
+          principals.add(gp);
+        }
+      }
+      
       // TODO: add groups through extended JndiLdapRealm implementation once Jira KNOX-4
is resolved
       
 //      The newly constructed Sets check whether this Subject has been set read-only 
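Review bot: The group-mapping block reads the session attribute twice and trusts an unchecked `(Set<String>)` cast, so a value of any other type stored under `subject.userGroups` throws `ClassCastException` out of the filter instead of simply yielding no group principals. Shiro's `Subject.getSession()` is `getSession(true)` and creates a session when none exists; `getSession(false)` with a null check avoids creating one just to look up groups. Read the attribute once and check its type, as below (`Session` is `org.apache.shiro.session.Session`). The `TODO` comment about KNOX-4 directly beneath the new block may now be stale since groups are mapped here; if so it should be updated rather than left as is. The enclosing method starts and ends outside the hunk.
```java
      // map ldap groups saved in session to Java Subject GroupPrincipal(s)
      Session session = SecurityUtils.getSubject().getSession(false);
      Object groups = session == null ? null : session.getAttribute(SUBJECT_USER_GROUPS);
      if (groups instanceof Set) {
        for (Object userRole : (Set<?>) groups) {
          if (userRole instanceof String) {
            principals.add(new GroupPrincipal((String) userRole));
          }
        }
      }
      // … unchanged: TODO comment and remainder of method …
```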

