1. /* 

  2.  * @(#)SubjectDelegator.java	1.3 04/05/27

  3.  * 

  4.  * Copyright 2004 Sun Microsystems, Inc. All rights reserved.

  5.  * SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.

  6.  */ 

  7. 

  8. package com.sun.jmx.remote.security;

  9. 

  10. import java.security.AccessController;

  11. import java.security.AccessControlContext;

  12. import java.security.Permission;

  13. import java.security.Principal;

  14. import java.security.PrivilegedAction;

  15. import javax.security.auth.Subject;

  16. 

  17. import javax.management.remote.SubjectDelegationPermission;

  18. 

  19. import com.sun.jmx.remote.util.CacheMap;

  20. 

  21. public class SubjectDelegator {

  22.     private static final int PRINCIPALS_CACHE_SIZE = 10;

  23.     private static final int ACC_CACHE_SIZE = 10;

  24. 

  25.     private CacheMap principalsCache;

  26.     private CacheMap accCache;

  27. 

  28.     /* Return the AccessControlContext appropriate to execute an

  29.        operation on behalf of the delegatedSubject.  If the

  30.        authenticatedAccessControlContext does not have permission to

  31.        delegate to that subject, throw SecurityException.  */

  32.     public synchronized AccessControlContext

  33. 	delegatedContext(AccessControlContext authenticatedACC,

  34. 			 Subject delegatedSubject)

  35. 	    throws SecurityException {

  36. 

  37. 	if (principalsCache == null || accCache == null) {

  38. 	    principalsCache = new CacheMap(PRINCIPALS_CACHE_SIZE);

  39. 	    accCache = new CacheMap(ACC_CACHE_SIZE);

  40. 	}

  41. 

  42. 	// Retrieve the principals for the given

  43. 	// delegated subject from the cache

  44. 	//

  45. 	Principal[] delegatedPrincipals = (Principal[])

  46. 	    principalsCache.get(delegatedSubject);

  47. 

  48. 	// Convert the set of principals stored in the

  49. 	// delegated subject into an array of principals

  50. 	// and store it in the cache

  51. 	//

  52. 	if (delegatedPrincipals == null) {

  53. 	    delegatedPrincipals = (Principal[])

  54. 		delegatedSubject.getPrincipals().toArray(new Principal[0]);

  55. 	    principalsCache.put(delegatedSubject, delegatedPrincipals);

  56. 	}

  57. 

  58. 	// Retrieve the access control context for the

  59. 	// given delegated subject from the cache

  60. 	//

  61. 	AccessControlContext delegatedACC = (AccessControlContext)

  62. 	    accCache.get(delegatedSubject);

  63. 

  64. 	// Build the access control context to be used

  65. 	// when executing code as the delegated subject

  66. 	// and store it in the cache

  67. 	//

  68. 	if (delegatedACC == null) {

  69. 	    delegatedACC =

  70. 		JMXSubjectDomainCombiner.getContext(delegatedSubject);

  71. 	    accCache.put(delegatedSubject, delegatedACC);

  72. 	}

  73. 

  74. 	// Check if the subject delegation permission allows the

  75. 	// authenticated subject to assume the identity of each

  76. 	// principal in the delegated subject

  77. 	//

  78. 	final Principal[] dp = delegatedPrincipals;

  79. 	PrivilegedAction action =

  80. 	    new PrivilegedAction() {

  81. 		public Object run() {

  82. 		    for (int i = 0 ; i < dp.length ; i++) {

  83. 			final String pname =

  84. 			    dp[i].getClass().getName() + "." + dp[i].getName();

  85. 			Permission sdp =

  86. 			    new SubjectDelegationPermission(pname);

  87. 			AccessController.checkPermission(sdp);

  88. 		    }

  89. 		    return null;

  90. 		}

  91. 	    };

  92. 	AccessController.doPrivileged(action, authenticatedACC);

  93. 

  94. 	return delegatedACC;

  95.     }

  96. }