dblevins/SpnegoSecurityService.java

## service-jar.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--

    Licensed to the Apache Software Foundation (ASF) under one or more
    contributor license agreements.  See the NOTICE file distributed with
    this work for additional information regarding copyright ownership.
    The ASF licenses this file to You under the Apache License, Version 2.0
    (the "License"); you may not use this file except in compliance with
    the License.  You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

    Unless required by applicable law or agreed to in writing, software
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-->
<ServiceJar>

  <!--

  This file should exist with the two classes in a jar

  For example:

    spnego-service.jar!/META-INF/spnego/service-jar.xml

  Drop this jar into openejb.war/lib/

  then in $tomcat.home/conf/openejb.xml you can declare the security service

  <SecurityService provider="spnego#SpnegoSecurityService">
     # any properties you put here will be dependency injected into
     # the SpnegoSecurityService instance if there is a matching setter

  </SecurityService>
  -->

  <ServiceProvider
          id="SpnegoSecurityService"
          service="SecurityService"
          types="SecurityService"
          class-name="org.superbiz.SpnegoSecurityService"/>

</ServiceJar>

## SpnegoSecurityService.java
import org.apache.openejb.BeanContext;
import org.apache.openejb.core.security.AbstractSecurityService;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import java.security.Principal;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.Set;
import java.util.UUID;

public class SpnegoSecurityService extends AbstractSecurityService {
    static protected final ThreadLocal<LinkedList<Subject>> runAsStack = new ThreadLocal<LinkedList<Subject>>() {
        protected LinkedList<Subject> initialValue() {
            return new LinkedList<Subject>();
        }
    };

    public UUID login(String realmName, String username, String password) throws LoginException {
        throw new LoginException("username password authentication is not supported");
    }

    private Subject createSubject(Principal principal) {
        HashSet<Principal> principals = new HashSet<Principal>();
        principals.add(principal);

        Subject subject = new Subject(true, principals, new HashSet(), new HashSet());
        return subject;
    }

    public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
        LinkedHashSet<String> roles = new LinkedHashSet<String>(logicalRoles.size());
        for (String logicalRole : logicalRoles) {
            for (Principal principal : principals) {
                String name = principal.getName();
                if (logicalRole.equals(name)) {
                    roles.add(logicalRole);
                }
            }
        }
        return roles;
    }

    public Object enterWebApp(Principal principal, String runAs) {
        Identity newIdentity = null;
        if (principal != null) {
            Subject newSubject = createSubject(principal);
            newIdentity = new Identity(newSubject, null);
        }

        Identity oldIdentity = clientIdentity.get();
        WebAppState webAppState = new WebAppState(oldIdentity, runAs != null);
        clientIdentity.set(newIdentity);

        if (runAs != null) {
            Subject runAsSubject = createRunAsSubject(runAs);
            runAsStack.get().addFirst(runAsSubject);
        }

        return webAppState;
    }

    public void exitWebApp(Object state) {
        if (state instanceof WebAppState) {
            WebAppState webAppState = (WebAppState) state;
            clientIdentity.set(webAppState.oldIdentity);
            if (webAppState.hadRunAs) {
                runAsStack.get().removeFirst();
            }
        }
    }

    protected Subject getRunAsSubject(BeanContext callingBeanContext) {
        Subject runAsSubject = super.getRunAsSubject(callingBeanContext);
        if (runAsSubject != null) return runAsSubject;

        LinkedList<Subject> stack = runAsStack.get();
        if (stack.isEmpty()) {
            return null;
        }
        return stack.getFirst();
    }


    protected Subject createRunAsSubject(String role) {
        if (role == null) return null;

        RunAsRole runAsRole = new RunAsRole(role);

        HashSet<Principal> principals = new HashSet<Principal>();
        principals.add(runAsRole);

        return new Subject(true, principals, new HashSet(), new HashSet());
    }

    protected static class RunAsRole implements Principal {
        private final String name;

        public RunAsRole(String name) {
            if (name == null) throw new NullPointerException("name is null");
            this.name = name;
        }

        public String getName() {
            return name;
        }

        public String toString() {
            return "[RunAsRole: " + name + "]";
        }

        public boolean equals(Object o) {
            if (this == o) return true;
            if (o == null || getClass() != o.getClass()) return false;

            RunAsRole runAsRole = (RunAsRole) o;

            return name.equals(runAsRole.name);
        }

        public int hashCode() {
            return name.hashCode();
        }
    }

    private static class WebAppState {
        private final Identity oldIdentity;
        private final boolean hadRunAs;


        public WebAppState(Identity oldIdentity, boolean hadRunAs) {
            this.oldIdentity = oldIdentity;
            this.hadRunAs = hadRunAs;
        }
    }
}

## SpnegoSecurityServiceFilter.java
import org.apache.openejb.loader.SystemInstance;
import org.apache.openejb.spi.SecurityService;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import java.io.IOException;

/**
 * @version $Rev$ $Date$
 */
public class SpnegoSecurityServiceFilter implements Filter {

    private final SpnegoSecurityService securityService;

    public SpnegoSecurityServiceFilter() {
        securityService = getSecurityService();
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) servletRequest;

        if (securityService != null && request.getUserPrincipal() != null) {
            Object oldState = securityService.enterWebApp(request.getUserPrincipal(), null);
            try {
                filterChain.doFilter(servletRequest, servletResponse);
            } finally {
                securityService.exitWebApp(oldState);
            }
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
    }

    @Override
    public void destroy() {
    }

    private SpnegoSecurityService getSecurityService() {
        SecurityService securityService = SystemInstance.get().getComponent(SecurityService.class);
        if (securityService instanceof SpnegoSecurityService) {
            return (SpnegoSecurityService) securityService;
        }
        return null;
    }
}
	<?xml version="1.0" encoding="UTF-8"?>
	<!--

	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->
	<ServiceJar>

	<!--

	This file should exist with the two classes in a jar

	For example:

	spnego-service.jar!/META-INF/spnego/service-jar.xml

	Drop this jar into openejb.war/lib/

	then in $tomcat.home/conf/openejb.xml you can declare the security service

	<SecurityService provider="spnego#SpnegoSecurityService">
	# any properties you put here will be dependency injected into
	# the SpnegoSecurityService instance if there is a matching setter

	</SecurityService>
	-->

	<ServiceProvider
	id="SpnegoSecurityService"
	service="SecurityService"
	types="SecurityService"
	class-name="org.superbiz.SpnegoSecurityService"/>

	</ServiceJar>
	import org.apache.openejb.BeanContext;
	import org.apache.openejb.core.security.AbstractSecurityService;

	import javax.security.auth.Subject;
	import javax.security.auth.login.LoginException;
	import java.security.Principal;
	import java.util.HashSet;
	import java.util.LinkedHashSet;
	import java.util.LinkedList;
	import java.util.Set;
	import java.util.UUID;

	public class SpnegoSecurityService extends AbstractSecurityService {
	static protected final ThreadLocal<LinkedList<Subject>> runAsStack = new ThreadLocal<LinkedList<Subject>>() {
	protected LinkedList<Subject> initialValue() {
	return new LinkedList<Subject>();
	}
	};

	public UUID login(String realmName, String username, String password) throws LoginException {
	throw new LoginException("username password authentication is not supported");
	}

	private Subject createSubject(Principal principal) {
	HashSet<Principal> principals = new HashSet<Principal>();
	principals.add(principal);

	Subject subject = new Subject(true, principals, new HashSet(), new HashSet());
	return subject;
	}

	public Set<String> getLogicalRoles(Principal[] principals, Set<String> logicalRoles) {
	LinkedHashSet<String> roles = new LinkedHashSet<String>(logicalRoles.size());
	for (String logicalRole : logicalRoles) {
	for (Principal principal : principals) {
	String name = principal.getName();
	if (logicalRole.equals(name)) {
	roles.add(logicalRole);
	}
	}
	}
	return roles;
	}

	public Object enterWebApp(Principal principal, String runAs) {
	Identity newIdentity = null;
	if (principal != null) {
	Subject newSubject = createSubject(principal);
	newIdentity = new Identity(newSubject, null);
	}

	Identity oldIdentity = clientIdentity.get();
	WebAppState webAppState = new WebAppState(oldIdentity, runAs != null);
	clientIdentity.set(newIdentity);

	if (runAs != null) {
	Subject runAsSubject = createRunAsSubject(runAs);
	runAsStack.get().addFirst(runAsSubject);
	}

	return webAppState;
	}

	public void exitWebApp(Object state) {
	if (state instanceof WebAppState) {
	WebAppState webAppState = (WebAppState) state;
	clientIdentity.set(webAppState.oldIdentity);
	if (webAppState.hadRunAs) {
	runAsStack.get().removeFirst();
	}
	}
	}

	protected Subject getRunAsSubject(BeanContext callingBeanContext) {
	Subject runAsSubject = super.getRunAsSubject(callingBeanContext);
	if (runAsSubject != null) return runAsSubject;

	LinkedList<Subject> stack = runAsStack.get();
	if (stack.isEmpty()) {
	return null;
	}
	return stack.getFirst();
	}


	protected Subject createRunAsSubject(String role) {
	if (role == null) return null;

	RunAsRole runAsRole = new RunAsRole(role);

	HashSet<Principal> principals = new HashSet<Principal>();
	principals.add(runAsRole);

	return new Subject(true, principals, new HashSet(), new HashSet());
	}

	protected static class RunAsRole implements Principal {
	private final String name;

	public RunAsRole(String name) {
	if (name == null) throw new NullPointerException("name is null");
	this.name = name;
	}

	public String getName() {
	return name;
	}

	public String toString() {
	return "[RunAsRole: " + name + "]";
	}

	public boolean equals(Object o) {
	if (this == o) return true;
	if (o == null \|\| getClass() != o.getClass()) return false;

	RunAsRole runAsRole = (RunAsRole) o;

	return name.equals(runAsRole.name);
	}

	public int hashCode() {
	return name.hashCode();
	}
	}

	private static class WebAppState {
	private final Identity oldIdentity;
	private final boolean hadRunAs;


	public WebAppState(Identity oldIdentity, boolean hadRunAs) {
	this.oldIdentity = oldIdentity;
	this.hadRunAs = hadRunAs;
	}
	}
	}
	import org.apache.openejb.loader.SystemInstance;
	import org.apache.openejb.spi.SecurityService;

	import javax.servlet.Filter;
	import javax.servlet.FilterChain;
	import javax.servlet.FilterConfig;
	import javax.servlet.ServletException;
	import javax.servlet.ServletRequest;
	import javax.servlet.ServletResponse;
	import javax.servlet.http.HttpServletRequest;
	import java.io.IOException;

	/**
	* @version $Rev$ $Date$
	*/
	public class SpnegoSecurityServiceFilter implements Filter {

	private final SpnegoSecurityService securityService;

	public SpnegoSecurityServiceFilter() {
	securityService = getSecurityService();
	}

	@Override
	public void init(FilterConfig filterConfig) throws ServletException {
	}

	@Override
	public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
	final HttpServletRequest request = (HttpServletRequest) servletRequest;

	if (securityService != null && request.getUserPrincipal() != null) {
	Object oldState = securityService.enterWebApp(request.getUserPrincipal(), null);
	try {
	filterChain.doFilter(servletRequest, servletResponse);
	} finally {
	securityService.exitWebApp(oldState);
	}
	} else {
	filterChain.doFilter(servletRequest, servletResponse);
	}
	}

	@Override
	public void destroy() {
	}

	private SpnegoSecurityService getSecurityService() {
	SecurityService securityService = SystemInstance.get().getComponent(SecurityService.class);
	if (securityService instanceof SpnegoSecurityService) {
	return (SpnegoSecurityService) securityService;
	}
	return null;
	}
	}