File Doc Category Size Date Package
SubjectDelegator.java API Doc Java SE 6 API 4369 Tue Jun 10 00:22:04 BST 2008 com.sun.jmx.remote.security

SubjectDelegator

java.lang.Object

public class SubjectDelegator extends Object

Fields Summary
private static final int
PRINCIPALS_CACHE_SIZE
private static final int
ACC_CACHE_SIZE
private com.sun.jmx.remote.util.CacheMap
principalsCache
private com.sun.jmx.remote.util.CacheMap
accCache
Constructors Summary
Methods Summary
public static synchronized boolean checkRemoveCallerContext(javax.security.auth.Subject subject)
Check if the connector server creator can assume the identity of each principal in the authenticated subject, i.e. check if the connector server creator codebase contains a subject delegation permission for each principal present in the authenticated subject.
return
{@code true} if the connector server creator can delegate to all the authenticated principals in the subject. Otherwise, {@code false}.
try { final Principal[] dp = (Principal[]) subject.getPrincipals().toArray(new Principal[0]); for (int i = 0 ; i < dp.length ; i++) { final String pname = dp[i].getClass().getName() + "." + dp[i].getName(); final Permission sdp = new SubjectDelegationPermission(pname); AccessController.checkPermission(sdp); } } catch (SecurityException e) { return false; } return true;
public synchronized java.security.AccessControlContext delegatedContext(java.security.AccessControlContext authenticatedACC, javax.security.auth.Subject delegatedSubject, boolean removeCallerContext)
/* Return the AccessControlContext appropriate to execute an operation on behalf of the delegatedSubject. If the authenticatedAccessControlContext does not have permission to delegate to that subject, throw SecurityException. */ if (principalsCache == null || accCache == null) { principalsCache = new CacheMap(PRINCIPALS_CACHE_SIZE); accCache = new CacheMap(ACC_CACHE_SIZE); } // Retrieve the principals for the given // delegated subject from the cache // Principal[] delegatedPrincipals = (Principal[]) principalsCache.get(delegatedSubject); // Convert the set of principals stored in the // delegated subject into an array of principals // and store it in the cache // if (delegatedPrincipals == null) { delegatedPrincipals = (Principal[]) delegatedSubject.getPrincipals().toArray(new Principal[0]); principalsCache.put(delegatedSubject, delegatedPrincipals); } // Retrieve the access control context for the // given delegated subject from the cache // AccessControlContext delegatedACC = (AccessControlContext) accCache.get(delegatedSubject); // Build the access control context to be used // when executing code as the delegated subject // and store it in the cache // if (delegatedACC == null) { if (removeCallerContext) { delegatedACC = JMXSubjectDomainCombiner.getDomainCombinerContext( delegatedSubject); } else { delegatedACC = JMXSubjectDomainCombiner.getContext(delegatedSubject); } accCache.put(delegatedSubject, delegatedACC); } // Check if the subject delegation permission allows the // authenticated subject to assume the identity of each // principal in the delegated subject // final Principal[] dp = delegatedPrincipals; PrivilegedAction action = new PrivilegedAction() { public Object run() { for (int i = 0 ; i < dp.length ; i++) { final String pname = dp[i].getClass().getName() + "." + dp[i].getName(); Permission sdp = new SubjectDelegationPermission(pname); AccessController.checkPermission(sdp); } return null; } }; AccessController.doPrivileged(action, authenticatedACC); return delegatedACC;