
SEC-1320: JaasAuthenticationProvider cannot find the JAAS realm defined inside a service archive. Added a flag to control refresh of the configuration on startup.

Luke Taylor пре 16 година
родитељ
комит
1e8ea55030

+ 60 - 46
core/src/main/java/org/springframework/security/authentication/jaas/JaasAuthenticationProvider.java

@@ -56,7 +56,7 @@ import org.springframework.util.Assert;
  * org.springframework.security.authentication.UsernamePasswordAuthenticationToken} requests contain the correct username and
  * password.</p>
  * <p>This implementation is backed by a <a
- * href="http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASRefGuide.html">JAAS</a> configuration. The
+ * href="http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html">JAAS</a> configuration. The
  * loginConfig property must be set to a given JAAS configuration file. This setter accepts a Spring {@link
  * org.springframework.core.io.Resource} instance. It should point to a JAAS configuration file containing an index
  * matching the {@link #setLoginContextName(java.lang.String) loginContextName} property.
@@ -83,9 +83,9 @@ import org.springframework.util.Assert;
  * </pre>
  * </p>
  *  <p>When using JAAS login modules as the authentication source, sometimes the
- * <a href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/login/LoginContext.html">LoginContext</a> will
+ * <a href="http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/LoginContext.html">LoginContext</a> will
  * require <i>CallbackHandler</i>s. The JaasAuthenticationProvider uses an internal
- * <a href="http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/callback/CallbackHandler.html">CallbackHandler
+ * <a href="http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/callback/CallbackHandler.html">CallbackHandler
  * </a> to wrap the {@link JaasAuthenticationCallbackHandler}s configured in the ApplicationContext.
  * When the LoginContext calls the internal CallbackHandler, control is passed to each
  * {@link JaasAuthenticationCallbackHandler} for each Callback passed.
@@ -140,6 +140,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
     private AuthorityGranter[] authorityGranters;
     private JaasAuthenticationCallbackHandler[] callbackHandlers;
     private ApplicationEventPublisher applicationEventPublisher;
+    private boolean refreshConfigurationOnStartup = true;
 
     //~ Methods ========================================================================================================
 
@@ -225,7 +226,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
     }
 
     /**
-     * Hook method for configuring Jaas
+     * Hook method for configuring Jaas. If {@code
      *
      * @param loginConfig URL to Jaas login configuration
      *
@@ -234,8 +235,10 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
     protected void configureJaas(Resource loginConfig) throws IOException {
         configureJaasUsingLoop();
 
-        // Overcome issue in SEC-760
-        Configuration.getConfiguration().refresh();
+        if (refreshConfigurationOnStartup) {
+            // Overcome issue in SEC-760
+            Configuration.getConfiguration().refresh();
+        }
     }
 
     /**
@@ -249,7 +252,7 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
         boolean alreadySet = false;
 
         int n = 1;
-        String prefix = "login.config.url.";
+        final String prefix = "login.config.url.";
         String existing = null;
 
         while ((existing = Security.getProperty(prefix + n)) != null) {
@@ -269,41 +272,6 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
         }
     }
 
-    /**
-     * Returns the AuthorityGrannter array that was passed to the {@link
-     * #setAuthorityGranters(AuthorityGranter[])} method, or null if it none were ever set.
-     *
-     * @return The AuthorityGranter array, or null
-     *
-     * @see #setAuthorityGranters(AuthorityGranter[])
-     */
-    public AuthorityGranter[] getAuthorityGranters() {
-        return authorityGranters;
-    }
-
-    /**
-     * Returns the current JaasAuthenticationCallbackHandler array, or null if none are set.
-     *
-     * @return the JAASAuthenticationCallbackHandlers.
-     *
-     * @see #setCallbackHandlers(JaasAuthenticationCallbackHandler[])
-     */
-    public JaasAuthenticationCallbackHandler[] getCallbackHandlers() {
-        return callbackHandlers;
-    }
-
-    public Resource getLoginConfig() {
-        return loginConfig;
-    }
-
-    public String getLoginContextName() {
-        return loginContextName;
-    }
-
-    public LoginExceptionResolver getLoginExceptionResolver() {
-        return loginExceptionResolver;
-    }
-
     /**
      * Handles the logout by getting the SecurityContext for the session that was destroyed. <b>MUST NOT use
      * SecurityContextHolder as we are logging out a session that is not related to the current user.</b>
@@ -367,6 +335,18 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
         }
     }
 
+    /**
+     * Returns the AuthorityGrannter array that was passed to the {@link
+     * #setAuthorityGranters(AuthorityGranter[])} method, or null if it none were ever set.
+     *
+     * @return The AuthorityGranter array, or null
+     *
+     * @see #setAuthorityGranters(AuthorityGranter[])
+     */
+    AuthorityGranter[] getAuthorityGranters() {
+        return authorityGranters;
+    }
+
     /**
      * Set the AuthorityGranters that should be consulted for role names to be granted to the Authentication.
      *
@@ -378,6 +358,17 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
         this.authorityGranters = authorityGranters;
     }
 
+    /**
+     * Returns the current JaasAuthenticationCallbackHandler array, or null if none are set.
+     *
+     * @return the JAASAuthenticationCallbackHandlers.
+     *
+     * @see #setCallbackHandlers(JaasAuthenticationCallbackHandler[])
+     */
+    JaasAuthenticationCallbackHandler[] getCallbackHandlers() {
+        return callbackHandlers;
+    }
+
     /**
      * Set the JAASAuthentcationCallbackHandler array to handle callback objects generated by the
      * LoginContext.login method.
@@ -388,19 +379,25 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
         this.callbackHandlers = callbackHandlers;
     }
 
+    public Resource getLoginConfig() {
+        return loginConfig;
+    }
+
     /**
      * Set the JAAS login configuration file.
      *
-     * @param loginConfig <a
-     *        href="http://www.springframework.org/docs/api/org/springframework/core/io/Resource.html">Spring
-     *        Resource</a>
+     * @param loginConfig
      *
-     * @see <a href="http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/JAASRefGuide.html">JAAS Reference</a>
+     * @see <a href="http://java.sun.com/j2se/1.5.0/docs/guide/security/jaas/JAASRefGuide.html">JAAS Reference</a>
      */
     public void setLoginConfig(Resource loginConfig) {
         this.loginConfig = loginConfig;
     }
 
+    String getLoginContextName() {
+        return loginContextName;
+    }
+
     /**
      * Set the loginContextName, this name is used as the index to the configuration specified in the
      * loginConfig property.
@@ -411,10 +408,27 @@ public class JaasAuthenticationProvider implements AuthenticationProvider, Appli
         this.loginContextName = loginContextName;
     }
 
+    LoginExceptionResolver getLoginExceptionResolver() {
+        return loginExceptionResolver;
+    }
+
     public void setLoginExceptionResolver(LoginExceptionResolver loginExceptionResolver) {
         this.loginExceptionResolver = loginExceptionResolver;
     }
 
+    /**
+     * If set, a call to {@code Configuration#refresh()} will be made by {@code #configureJaas(Resource) }
+     * method. Defaults to {@literal true}.
+     *
+     * @see <a href="https://jira.springsource.org/browse/SEC-1320">SEC-1230</a>
+     *
+     * @param refreshConfigurationOnStartup set to {@literal false} to disable reloading of the configuration.
+     * May be useful in some environments.
+     */
+    public void setRefreshConfigurationOnStartup(boolean refresh) {
+        this.refreshConfigurationOnStartup = refresh;
+    }
+
     public boolean supports(Class<? extends Object> aClass) {
         return UsernamePasswordAuthenticationToken.class.isAssignableFrom(aClass);
     }
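Review bot: The Javadoc on configureJaas is left mid-sentence at `* Hook method for configuring Jaas. If {@code` with nothing following, so the generated docs will show a dangling `{@code` tag; the method's signature and the rest of its Javadoc sit in the next hunk. I would complete it as `* Hook method for configuring Jaas. If {@code refreshConfigurationOnStartup} is {@literal true} (the default), the JAAS {@code Configuration} is refreshed after {@link #configureJaasUsingLoop()} has run.` The new setRefreshConfigurationOnStartup Javadoc has the same kind of defect: `@param refreshConfigurationOnStartup` does not match the parameter, which is named `refresh`, the `@see` link text reads SEC-1230 while the URL points at SEC-1320, and `{@code #configureJaas(Resource) }` should be `{@link #configureJaas(Resource)}`. Since disabling the refresh presumably lets an already-loaded Configuration stay in effect (the situation the SEC-760 comment works around), it would help callers if that setter's Javadoc named the failure mode: with refresh off, an entry added via loginConfig may not be visible until the Configuration is otherwise reloaded, and authentication would then fail against the stale configuration rather than the intended realm. The four getters moved in this commit also lose their `public` modifier, which is an API change the description does not mention; if it is intended it deserves a line there.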