public synchronized java.security.AccessControlContext | delegatedContext(java.security.AccessControlContext authenticatedACC, javax.security.auth.Subject delegatedSubject, boolean removeCallerContext)
/* Return the AccessControlContext appropriate to execute an
operation on behalf of the delegatedSubject. If the
authenticatedAccessControlContext does not have permission to
delegate to that subject, throw SecurityException. */
if (principalsCache == null || accCache == null) {
principalsCache = new CacheMap(PRINCIPALS_CACHE_SIZE);
accCache = new CacheMap(ACC_CACHE_SIZE);
}
// Retrieve the principals for the given
// delegated subject from the cache
//
Principal[] delegatedPrincipals = (Principal[])
principalsCache.get(delegatedSubject);
// Convert the set of principals stored in the
// delegated subject into an array of principals
// and store it in the cache
//
if (delegatedPrincipals == null) {
delegatedPrincipals = (Principal[])
delegatedSubject.getPrincipals().toArray(new Principal[0]);
principalsCache.put(delegatedSubject, delegatedPrincipals);
}
// Retrieve the access control context for the
// given delegated subject from the cache
//
AccessControlContext delegatedACC = (AccessControlContext)
accCache.get(delegatedSubject);
// Build the access control context to be used
// when executing code as the delegated subject
// and store it in the cache
//
if (delegatedACC == null) {
if (removeCallerContext) {
delegatedACC =
JMXSubjectDomainCombiner.getDomainCombinerContext(
delegatedSubject);
} else {
delegatedACC =
JMXSubjectDomainCombiner.getContext(delegatedSubject);
}
accCache.put(delegatedSubject, delegatedACC);
}
// Check if the subject delegation permission allows the
// authenticated subject to assume the identity of each
// principal in the delegated subject
//
final Principal[] dp = delegatedPrincipals;
PrivilegedAction action =
new PrivilegedAction() {
public Object run() {
for (int i = 0 ; i < dp.length ; i++) {
final String pname =
dp[i].getClass().getName() + "." + dp[i].getName();
Permission sdp =
new SubjectDelegationPermission(pname);
AccessController.checkPermission(sdp);
}
return null;
}
};
AccessController.doPrivileged(action, authenticatedACC);
return delegatedACC;
|