SEC-1700: Allow for case where JAAS config is not a simple file, but may be a jar resource, for example.

Luke Taylor 2011-04-20 14:35:09 +01:00
parent 1b2fdf8b02
commit 5a9aa6d1aa
1 changed files with 23 additions and 18 deletions


@ -15,16 +15,6 @@
package org.springframework.security.authentication.jaas; package org.springframework.security.authentication.jaas;
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.security.Security;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.logging.Log; import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory; import org.apache.commons.logging.LogFactory;
import org.springframework.core.io.Resource; import org.springframework.core.io.Resource;
@ -35,6 +25,15 @@ import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.GrantedAuthority;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.security.Security;
/** /**
* An {@link AuthenticationProvider} implementation that retrieves user details from a JAAS login configuration. * An {@link AuthenticationProvider} implementation that retrieves user details from a JAAS login configuration.
@ -192,14 +191,20 @@ public class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvid
} }
private String convertLoginConfigToUrl() throws IOException { private String convertLoginConfigToUrl() throws IOException {
String loginConfigPath = loginConfig.getFile().getAbsolutePath(); String loginConfigPath;
loginConfigPath = loginConfigPath.replace(File.separatorChar, '/');
try {
loginConfigPath = loginConfig.getFile().getAbsolutePath().replace(File.separatorChar, '/');
if (!loginConfigPath.startsWith("/")) { if (!loginConfigPath.startsWith("/")) {
loginConfigPath = "/" + loginConfigPath; loginConfigPath = "/" + loginConfigPath;
} }
return new URL("file", "", loginConfigPath).toString(); return new URL("file", "", loginConfigPath).toString();
} catch (IOException e) {
// SEC-1700: May be inside a jar
return loginConfig.getURL().toString();
}
} }
/** /**
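Review bot: The new `catch (IOException e)` in convertLoginConfigToUrl wraps the whole path-building sequence, so a `MalformedURLException` from `new URL("file", "", loginConfigPath)` is swallowed too and silently replaced by `loginConfig.getURL()`, and the original exception is never logged. This URL presumably selects the JAAS login configuration that gets loaded, so the fallback should cover only the `getFile()` failure it was written for. It should also log which location was chosen; the class imports commons-logging, but the logger field is outside the hunk. The Javadoc should state that the fallback passes through whatever scheme the Resource reports, so deployments that expect a local or classpath config know to check the resolved URL.
```java
private String convertLoginConfigToUrl() throws IOException {
    File configFile;

    try {
        configFile = loginConfig.getFile();
    } catch (IOException e) {
        // SEC-1700: not a plain file (may be inside a jar); log e and the URL chosen here
        return loginConfig.getURL().toString();
    }

    String loginConfigPath = configFile.getAbsolutePath().replace(File.separatorChar, '/');
    // … unchanged: leading-slash fix and file: URL construction, now outside the try …
```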
@ -233,7 +238,7 @@ public class JaasAuthenticationProvider extends AbstractJaasAuthenticationProvid
* If set, a call to {@code Configuration#refresh()} will be made by {@code #configureJaas(Resource) } * If set, a call to {@code Configuration#refresh()} will be made by {@code #configureJaas(Resource) }
* method. Defaults to {@code true}. * method. Defaults to {@code true}.
* *
* @see <a href="https://jira.springsource.org/browse/SEC-1320">SEC-1230</a> * @see <a href="https://jira.springsource.org/browse/SEC-1320">SEC-1320</a>
* *
* @param refresh set to {@code false} to disable reloading of the configuration. * @param refresh set to {@code false} to disable reloading of the configuration.
* May be useful in some environments. * May be useful in some environments.