[jboss-cvs] jboss/src/main/org/jboss/ejb/plugins ...
Anil Saldhana
anil.saldhana at jboss.com
Tue Jul 25 13:21:33 EDT 2006
User: asaldhana
Date: 06/07/25 13:21:33
Modified: src/main/org/jboss/ejb/plugins SecurityInterceptor.java
Log:
JBAS-3374: SecurityInterceptor now uses the Authorization Framework to make access decisions
Revision Changes Path
1.57 +149 -123 jboss/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
(In the diff below, changes in quantity of whitespace are not shown.)
Index: SecurityInterceptor.java
===================================================================
RCS file: /cvsroot/jboss/jboss/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -b -r1.56 -r1.57
--- SecurityInterceptor.java 30 Oct 2005 00:04:08 -0000 1.56
+++ SecurityInterceptor.java 25 Jul 2006 17:21:33 -0000 1.57
@@ -23,18 +23,27 @@
import org.jboss.ejb.Container;
import org.jboss.invocation.Invocation;
-import org.jboss.invocation.InvocationType;
import org.jboss.metadata.ApplicationMetaData;
import org.jboss.metadata.AssemblyDescriptorMetaData;
import org.jboss.metadata.BeanMetaData;
import org.jboss.metadata.SecurityIdentityMetaData;
-import org.jboss.security.AnybodyPrincipal;
+import org.jboss.mx.util.MBeanProxyExt;
+import org.jboss.mx.util.MBeanServerLocator;
import org.jboss.security.AuthenticationManager;
+import org.jboss.security.AuthorizationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAsIdentity;
+import org.jboss.security.SecurityConstants;
+import org.jboss.security.Util;
+import org.jboss.security.authorization.AuthorizationContext;
+import org.jboss.security.authorization.EJBResource;
+import org.jboss.security.authorization.ResourceKeys;
+import org.jboss.security.plugins.AuthorizationManagerServiceMBean;
import org.jboss.system.Registry;
+import java.security.CodeSource;
import java.security.Principal;
+import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.lang.reflect.Method;
@@ -49,7 +58,8 @@
* @author <a href="on at ibis.odessa.ua">Oleg Nitz</a>
* @author <a href="mailto:Scott.Stark at jboss.org">Scott Stark</a>.
* @author <a href="mailto:Thomas.Diesler at jboss.org">Thomas Diesler</a>.
- * @version $Revision: 1.56 $
+ * @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
+ * @version $Revision: 1.57 $
*/
public class SecurityInterceptor extends AbstractInterceptor
{
@@ -82,6 +92,16 @@
protected AuthenticationObserver authenticationObserver;
/** The TimedObject.ejbTimeout callback */
protected Method ejbTimeout;
+ //Authorization Framework changes
+ protected String ejbName = null;
+ protected CodeSource ejbCS = null;
+ protected AuthorizationManagerServiceMBean authorizationManagerService = null;
+ /**
+ * Security Domain configured as part of the application
+ */
+ protected String appSecurityDomain = null;
+ //Fallback Security Domain
+ protected String defaultAuthorizationSecurityDomain = SecurityConstants.DEFAULT_EJB_APPLICATION_POLICY;
/** Called by the super class to set the container to which this interceptor
belongs. We obtain the security manager and runAs identity to use here.
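Review bot: `authorizationManagerService` is added here as a plain mutable field, and the last hunk assigns it lazily inside `getAuthorizationManager()` on the invocation path with no synchronization. If one interceptor instance serves concurrent invocations (likely for a container interceptor, but not shown in this diff), threads can race on creating the proxy and may see the reference published unsafely. Creating the proxy once during container setup, or declaring the field `volatile`, would close that. The new fields also carry only `//Authorization Framework changes` as a comment; a Javadoc line each for `ejbCS` and `defaultAuthorizationSecurityDomain`, saying what they hold and when they are set, would serve readers better than a change marker.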
@@ -118,6 +138,10 @@
catch (NoSuchMethodException ignore)
{
}
+ //Authorization Framework changes
+ appSecurityDomain = applicationMetaData.getSecurityDomain();
+ ejbName = beanMetaData.getEjbName();
+ ejbCS = container.getBeanClass().getProtectionDomain().getCodeSource();
}
}
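Review bot: The added `container.getBeanClass().getProtectionDomain().getCodeSource()` call runs outside any privileged block, and `Class.getProtectionDomain()` checks `RuntimePermission("getProtectionDomain")` when a security manager is installed. This class already routes its other security-sensitive calls through `SecurityActions`, so a privileged helper there would keep setup from failing if less-trusted code is on the stack. `getCodeSource()` can also return null, and that value then goes into the `EJB_CODESOURCE` entry built in the last hunk. A comment such as `// ejbCS may be null when the bean class has no code source` would record this for whoever writes the authorization modules. The enclosing method starts outside this hunk.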
@@ -237,60 +261,62 @@
SecurityActions.dupSubjectContext();
}
- // Get the method permissions
- InvocationType iface = mi.getType();
- Set methodRoles = container.getMethodPermissions(mi.getMethod(), iface);
- if (methodRoles == null)
- {
- String method = mi.getMethod().getName();
- String msg = "No method permissions assigned to method=" + method
- + ", interface=" + iface;
- SecurityException e = new SecurityException(msg);
- throw e;
- }
- else if (trace)
- {
- log.trace("method=" + mi.getMethod() + ", interface=" + iface
- + ", requiredRoles=" + methodRoles);
- }
+ Method ejbMethod = mi.getMethod();
+ // Ignore internal container calls
+ if( ejbMethod== null )
+ return;
+ // Get the caller
+ Subject caller = SecurityActions.getContextSubject();
- // Check if the caller is allowed to access the method
- if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false)
- {
- // The caller is using a the caller identity
- if (callerRunAsIdentity == null)
+ AuthorizationManager authzManager = this.getAuthorizationManager();
+ final HashMap map = new HashMap();
+ map.put(ResourceKeys.EJB_NAME ,this.ejbName);
+ map.put(ResourceKeys.EJB_METHOD,ejbMethod);
+ map.put(ResourceKeys.EJB_PRINCIPAL, mi.getPrincipal());
+ map.put(ResourceKeys.EJB_METHODINTERFACE, mi.getType().toInterfaceString());
+ map.put(ResourceKeys.EJB_CODESOURCE, ejbCS);
+ map.put(ResourceKeys.CALLER_SUBJECT, caller);
+ map.put(ResourceKeys.AUTHORIZATION_MANAGER,authzManager);
+ map.put(ResourceKeys.RUNASIDENTITY, SecurityActions.peekRunAsIdentity());
+ map.put(ResourceKeys.EJB_METHODROLES, container.getMethodPermissions(ejbMethod, mi.getType()));
+ EJBResource ejbResource = new EJBResource(map);
+ boolean isAuthorized = false;
+ try
{
- // Now actually check if the current caller has one of the required method roles
- if (realmMapping.doesUserHaveRole(principal, methodRoles) == false)
+ int check = authzManager.authorize(ejbResource);
+ isAuthorized = (check == AuthorizationContext.PERMIT);
+ }
+ catch (Exception e)
{
- Set userRoles = realmMapping.getUserRoles(principal);
- String method = mi.getMethod().getName();
- BeanMetaData beanMetaData = container.getBeanMetaData();
- String msg = "Insufficient method permissions, principal=" + principal
- + ", ejbName=" + beanMetaData.getEjbName()
- + ", method=" + method + ", interface=" + iface
- + ", requiredRoles=" + methodRoles + ", principalRoles=" + userRoles;
- SecurityException e = new SecurityException(msg);
- throw e;
+ isAuthorized = false;
+ if(trace)
+ log.trace("Error in authorization:",e);
+ else
+ log.error("Error in authorization:"+e.getLocalizedMessage());
}
+ String msg = "Denied: caller=" + caller;
+ if(!isAuthorized)
+ throw new SecurityException(msg);
}
- // The caller is using a run-as identity
- else
- {
- // Check that the run-as role is in the set of method roles
- if (callerRunAsIdentity.doesUserHaveRole(methodRoles) == false)
+ /**
+ * Get the Authorization Manager for the security domain
+ * @see SecurityConstants#DEFAULT_EJB_APPLICATION_POLICY
+ * @return authorization manager
+ * @throws Exception
+ */
+ private AuthorizationManager getAuthorizationManager() throws Exception
{
- String method = mi.getMethod().getName();
- BeanMetaData beanMetaData = container.getBeanMetaData();
- String msg = "Insufficient method permissions, principal=" + principal
- + ", ejbName=" + beanMetaData.getEjbName()
- + ", method=" + method + ", interface=" + iface
- + ", requiredRoles=" + methodRoles + ", runAsRoles=" + callerRunAsIdentity.getRunAsRoles();
- SecurityException e = new SecurityException(msg);
- throw e;
- }
- }
- }
+ String tempSecurityDomain = appSecurityDomain != null ? Util.unprefixSecurityDomain(appSecurityDomain) :
+ defaultAuthorizationSecurityDomain;
+ if(authorizationManagerService == null)
+ authorizationManagerService = (AuthorizationManagerServiceMBean)
+ MBeanProxyExt.create(AuthorizationManagerServiceMBean.class,
+ AuthorizationManagerServiceMBean.OBJECT_NAME,
+ MBeanServerLocator.locateJBoss());
+ AuthorizationManager am = authorizationManagerService.getAuthorizationManager(tempSecurityDomain);
+ if(log.isTraceEnabled())
+ log.trace(am.toString());
+ return am;
}
}
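Review bot: The denial message `"Denied: caller=" + caller` concatenates the whole `Subject`, whose `toString()` renders its principals and credential sets, so credential text can end up in a `SecurityException` that is logged and may travel back to the remote caller; it also drops the ejbName/method/interface detail the old messages carried. I would build the message only on denial and from non-secret fields, e.g. `throw new SecurityException("Denied: ejbName=" + ejbName + ", method=" + ejbMethod.getName() + ", principal=" + mi.getPrincipal());`. In the catch block, `log.error("Error in authorization:"+e.getLocalizedMessage())` discards the stack trace of a failed access decision unless trace is on; `log.error("Error in authorization:", e)` keeps it while still failing closed. The early `return` on a null `ejbMethod` skips authorization entirely and deserves a comment stating why that is safe; the enclosing method starts outside the hunk.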