[jboss-cvs] JBossAS SVN: r60859 - branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Fri Feb 23 16:15:59 EST 2007 

Author: anil.saldhana at jboss.com
Date: 2007-02-23 16:15:59 -0500 (Fri, 23 Feb 2007)
New Revision: 60859

Added:
   branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/ExtendedJaccAuthorizationInterceptor.java
Modified:
   branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/JaccAuthorizationInterceptor.java
   branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
Log:
JBAS-4149:extension of the jacc authorization interceptor to check deployment level role mappings

Added: branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/ExtendedJaccAuthorizationInterceptor.java
===================================================================
--- branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/ExtendedJaccAuthorizationInterceptor.java	                        (rev 0)
+++ branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/ExtendedJaccAuthorizationInterceptor.java	2007-02-23 21:15:59 UTC (rev 60859)
@@ -0,0 +1,108 @@
+/*
+  * JBoss, Home of Professional Open Source
+  * Copyright 2006, JBoss Inc., and individual contributors as indicated
+  * by the @authors tag. See the copyright.txt in the distribution for a
+  * full listing of individual contributors.
+  *
+  * This is free software; you can redistribute it and/or modify it
+  * under the terms of the GNU Lesser General Public License as
+  * published by the Free Software Foundation; either version 2.1 of
+  * the License, or (at your option) any later version.
+  *
+  * This software is distributed in the hope that it will be useful,
+  * but WITHOUT ANY WARRANTY; without even the implied warranty of
+  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  * Lesser General Public License for more details.
+  *
+  * You should have received a copy of the GNU Lesser General Public
+  * License along with this software; if not, write to the Free
+  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+  */
+package org.jboss.ejb.plugins;
+
+import java.lang.reflect.Method;
+import java.security.Principal;
+import java.util.ArrayList;
+import java.util.Map;
+import java.util.Set;
+
+import javax.security.jacc.EJBMethodPermission;
+
+import org.jboss.ejb.Container;
+import org.jboss.invocation.Invocation;
+import org.jboss.metadata.ApplicationMetaData;
+import org.jboss.metadata.AssemblyDescriptorMetaData;
+import org.jboss.metadata.BeanMetaData; 
+import org.jboss.security.SimplePrincipal;
+
+//$Id$
+
+/**
+ *  JBAS-4149: : Jacc Authorization Interceptor that checks for deployment level 
+ *  role mappings before using the roles provided in the jaas based
+ *  subject
+ *  @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
+ *  @since  Feb 23, 2007 
+ *  @version $Revision$
+ */
+public class ExtendedJaccAuthorizationInterceptor extends JaccAuthorizationInterceptor
+{  
+   //Deployment level principal to roles mapping
+   protected Map<String,Set<String>> deploymentRoleMap = null;
+    
+   public void setContainer(Container container)
+   { 
+      super.setContainer(container);
+      if(container != null)
+      {
+         BeanMetaData beanMetaData = container.getBeanMetaData();
+         ApplicationMetaData applicationMetaData = beanMetaData.getApplicationMetaData();
+         AssemblyDescriptorMetaData assemblyDescriptor = applicationMetaData.getAssemblyDescriptor();
+         
+         //Check for any deployment level mapping
+         deploymentRoleMap = assemblyDescriptor.getPrincipalVersusRolesMap();
+      }
+   }
+ 
+   protected void checkSecurityAssociation(Invocation mi) throws Exception
+   { 
+      Method m = mi.getMethod();
+      // Ignore internal container calls
+      if( m == null  )
+         return;
+      String iface = mi.getType().toInterfaceString();
+      EJBMethodPermission methodPerm = new EJBMethodPermission(ejbName, iface, m);
+
+      //Check if there is caller RAI
+      if(SecurityActions.peekRunAsIdentity(1) == null)
+      {
+         if(deploymentRoleMap != null && deploymentRoleMap.size() > 0)
+         {
+            Principal[] principals = null;
+            Principal principal = mi.getPrincipal();
+            if(principal != null)
+            {
+               Set<String> roles = deploymentRoleMap.get(principal.getName());
+               if(roles != null)
+               {
+                  ArrayList<Principal> al = new ArrayList<Principal>();
+                  for(String rolename: roles)
+                  {
+                     al.add(new SimplePrincipal(rolename));
+                  }
+                  principals = new Principal[al.size()];
+                  al.toArray(principals);
+                  if(log.isTraceEnabled())
+                     log.trace("Principal=" + principal.getName() + "::roles=" + principals);
+               }
+
+               checkPolicy(principals, methodPerm, SecurityActions.getContextSubject());
+               return;
+            }
+         }  
+      }
+      //For RAI as well as the non-availability of deployment level role mapping
+      super.checkSecurityAssociation(mi);
+   } 
+}

Modified: branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/JaccAuthorizationInterceptor.java
===================================================================
--- branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/JaccAuthorizationInterceptor.java	2007-02-23 21:13:44 UTC (rev 60858)
+++ branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/JaccAuthorizationInterceptor.java	2007-02-23 21:15:59 UTC (rev 60859)
@@ -42,9 +42,9 @@
  */
 public class JaccAuthorizationInterceptor extends AbstractInterceptor
 {
-   private Policy policy;
-   private String ejbName;
-   private CodeSource ejbCS; 
+   protected Policy policy;
+   protected String ejbName;
+   protected CodeSource ejbCS; 
 
    /** Called by the super class to set the container to which this interceptor
     belongs. We obtain the security manager and runAs identity to use here.
@@ -88,7 +88,7 @@
 
    /** Authorize the caller's access to the method invocation
     */
-   private void checkSecurityAssociation(Invocation mi)
+   protected void checkSecurityAssociation(Invocation mi)
       throws Exception
    {
       Method m = mi.getMethod();
@@ -108,6 +108,12 @@
          principals = new Principal[principalsSet.size()];
          principalsSet.toArray(principals);      
       }
+      checkPolicy(principals, methodPerm, caller);
+   }  
+   
+   protected void checkPolicy(Principal[] principals, 
+         EJBMethodPermission methodPerm, Subject caller)
+   {
       ProtectionDomain pd = new ProtectionDomain (ejbCS, null, null, principals);
       if( policy.implies(pd, methodPerm) == false )
       {
@@ -115,5 +121,5 @@
          SecurityException e = new SecurityException(msg);
          throw e;
       }
-   } 
+   }
 }

Modified: branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
===================================================================
--- branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java	2007-02-23 21:13:44 UTC (rev 60858)
+++ branches/Branch_4_2/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java	2007-02-23 21:15:59 UTC (rev 60859)
@@ -180,7 +180,7 @@
     2. Validate access to the method by checking the principal's roles against
     those required to access the method.
     */
-   private void checkSecurityAssociation(Invocation mi)
+   protected void checkSecurityAssociation(Invocation mi)
       throws Exception
    {
       Principal principal = mi.getPrincipal();

More information about the jboss-cvs-commits mailing list