[jboss-cvs] JBossAS SVN: r60859 - branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Fri Feb 23 16:15:59 EST 2007
Author: anil.saldhana at jboss.com
Date: 2007-02-23 16:15:59 -0500 (Fri, 23 Feb 2007)
New Revision: 60859
Added:
branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/ExtendedJaccAuthorizationInterceptor.java
Modified:
branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/JaccAuthorizationInterceptor.java
branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
Log:
JBAS-4149:extension of the jacc authorization interceptor to check deployment level role mappings
Added: branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/ExtendedJaccAuthorizationInterceptor.java
===================================================================
--- branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/ExtendedJaccAuthorizationInterceptor.java (rev 0)
+++ branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/ExtendedJaccAuthorizationInterceptor.java 2007-02-23 21:15:59 UTC (rev 60859)
@@ -0,0 +1,108 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2006, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb.plugins;
+
+import java.lang.reflect.Method;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Map;
+import java.util.Set;
+
+import javax.security.jacc.EJBMethodPermission;
+
+import org.jboss.ejb.Container;
+import org.jboss.invocation.Invocation;
+import org.jboss.metadata.ApplicationMetaData;
+import org.jboss.metadata.AssemblyDescriptorMetaData;
+import org.jboss.metadata.BeanMetaData;
+import org.jboss.security.SimplePrincipal;
+
+//$Id$
+
+/**
+ * JBAS-4149: : Jacc Authorization Interceptor that checks for deployment level
+ * role mappings before using the roles provided in the jaas based
+ * subject
+ * @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
+ * @since Feb 23, 2007
+ * @version $Revision$
+ */
+public class ExtendedJaccAuthorizationInterceptor extends JaccAuthorizationInterceptor
+{
+ //Deployment level principal to roles mapping
+ protected Map<String,Set<String>> deploymentRoleMap = null;
+
+ public void setContainer(Container container)
+ {
+ super.setContainer(container);
+ if(container != null)
+ {
+ BeanMetaData beanMetaData = container.getBeanMetaData();
+ ApplicationMetaData applicationMetaData = beanMetaData.getApplicationMetaData();
+ AssemblyDescriptorMetaData assemblyDescriptor = applicationMetaData.getAssemblyDescriptor();
+
+ //Check for any deployment level mapping
+ deploymentRoleMap = assemblyDescriptor.getPrincipalVersusRolesMap();
+ }
+ }
+
+ protected void checkSecurityAssociation(Invocation mi) throws Exception
+ {
+ Method m = mi.getMethod();
+ // Ignore internal container calls
+ if( m == null )
+ return;
+ String iface = mi.getType().toInterfaceString();
+ EJBMethodPermission methodPerm = new EJBMethodPermission(ejbName, iface, m);
+
+ //Check if there is caller RAI
+ if(SecurityActions.peekRunAsIdentity(1) == null)
+ {
+ if(deploymentRoleMap != null && deploymentRoleMap.size() > 0)
+ {
+ Principal[] principals = null;
+ Principal principal = mi.getPrincipal();
+ if(principal != null)
+ {
+ Set<String> roles = deploymentRoleMap.get(principal.getName());
+ if(roles != null)
+ {
+ ArrayList<Principal> al = new ArrayList<Principal>();
+ for(String rolename: roles)
+ {
+ al.add(new SimplePrincipal(rolename));
+ }
+ principals = new Principal[al.size()];
+ al.toArray(principals);
+ if(log.isTraceEnabled())
+ log.trace("Principal=" + principal.getName() + "::roles=" + principals);
+ }
+
+ checkPolicy(principals, methodPerm, SecurityActions.getContextSubject());
+ return;
+ }
+ }
+ }
+ //For RAI as well as the non-availability of deployment level role mapping
+ super.checkSecurityAssociation(mi);
+ }
+}
Modified: branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/JaccAuthorizationInterceptor.java
===================================================================
--- branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/JaccAuthorizationInterceptor.java 2007-02-23 21:13:44 UTC (rev 60858)
+++ branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/JaccAuthorizationInterceptor.java 2007-02-23 21:15:59 UTC (rev 60859)
@@ -42,9 +42,9 @@
*/
public class JaccAuthorizationInterceptor extends AbstractInterceptor
{
- private Policy policy;
- private String ejbName;
- private CodeSource ejbCS;
+ protected Policy policy;
+ protected String ejbName;
+ protected CodeSource ejbCS;
/** Called by the super class to set the container to which this interceptor
belongs. We obtain the security manager and runAs identity to use here.
@@ -88,7 +88,7 @@
/** Authorize the caller's access to the method invocation
*/
- private void checkSecurityAssociation(Invocation mi)
+ protected void checkSecurityAssociation(Invocation mi)
throws Exception
{
Method m = mi.getMethod();
@@ -108,6 +108,12 @@
principals = new Principal[principalsSet.size()];
principalsSet.toArray(principals);
}
+ checkPolicy(principals, methodPerm, caller);
+ }
+
+ protected void checkPolicy(Principal[] principals,
+ EJBMethodPermission methodPerm, Subject caller)
+ {
ProtectionDomain pd = new ProtectionDomain (ejbCS, null, null, principals);
if( policy.implies(pd, methodPerm) == false )
{
@@ -115,5 +121,5 @@
SecurityException e = new SecurityException(msg);
throw e;
}
- }
+ }
}
Modified: branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
===================================================================
--- branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2007-02-23 21:13:44 UTC (rev 60858)
+++ branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2007-02-23 21:15:59 UTC (rev 60859)
@@ -180,7 +180,7 @@
2. Validate access to the method by checking the principal's roles against
those required to access the method.
*/
- private void checkSecurityAssociation(Invocation mi)
+ protected void checkSecurityAssociation(Invocation mi)
throws Exception
{
Principal principal = mi.getPrincipal();
More information about the jboss-cvs-commits
mailing list