[jboss-cvs] JBossAS SVN: r62676 - in trunk/server/src/main/org/jboss/ejb/plugins: security and 1 other directory.
jboss-cvs-commits at lists.jboss.org
Tue May 1 00:20:57 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-05-01 00:20:56 -0400 (Tue, 01 May 2007)
New Revision: 62676
Added:
trunk/server/src/main/org/jboss/ejb/plugins/security/
trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java
trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java
Log:
JBAS-4317: move the security context establishment to a separate interceptor
Added: trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java (rev 0)
+++ trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java 2007-05-01 04:20:56 UTC (rev 62676)
@@ -0,0 +1,163 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb.plugins.security;
+
+import java.lang.reflect.Method;
+
+import javax.ejb.TimedObject;
+import javax.ejb.Timer;
+
+import org.jboss.ejb.Container;
+import org.jboss.ejb.plugins.AbstractInterceptor;
+import org.jboss.invocation.Invocation;
+import org.jboss.security.AuthenticationManager;
+import org.jboss.security.SecurityConstants;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityIdentity;
+
+//$Id$
+
+/**
+ * Interceptor that performs the initialization required for
+ * the security interceptor. This interceptor performs
+ * Security Context establishment and other initialization required
+ * @author Anil.Saldhana at redhat.com
+ * @since Apr 30, 2007
+ * @version $Revision$
+ */
+public class PreSecurityInterceptor extends AbstractInterceptor
+{
+ private String securityDomain = SecurityConstants.DEFAULT_APPLICATION_POLICY;
+
+ private String timedObjectMethod = null;
+
+ @Override
+ public void setContainer(Container container)
+ {
+ super.setContainer(container);
+ if (container != null)
+ {
+ AuthenticationManager am = container.getSecurityManager();
+ if(am != null)
+ {
+ securityDomain = am.getSecurityDomain();
+ }
+ }
+ try
+ {
+ timedObjectMethod = TimedObject.class.getMethod("ejbTimeout", new Class[]{Timer.class})
+ .getName();
+ }
+ catch (Exception e)
+ {
+ log.trace("Exception in creating TimedObject method:",e);
+ }
+ }
+
+ @Override
+ public Object invoke(Invocation mi) throws Exception
+ {
+ SecurityIdentity si = null;
+ Method m = mi.getMethod();
+ boolean isEjbTimeOutMethod = m!= null && m.getName().equals(timedObjectMethod);
+ //For local ejb invocations
+ if(mi.isLocal() && !isEjbTimeOutMethod)
+ {
+ //Cache the security context
+ SecurityContext sc = SecurityActions.getSecurityContext();
+ if(sc != null)
+ si = sc.getUtil().getSecurityIdentity();
+ }
+ else
+ {
+ establishSecurityContext(mi);
+ }
+
+ try
+ {
+ //Establish the run-as on the SC as the caller SC
+ SecurityActions.pushCallerRunAsIdentity(SecurityActions.getSecurityContext().getRunAs());
+ Object returnValue = getNext().invoke(mi);
+ return returnValue;
+ }
+ finally
+ {
+ SecurityActions.popCallerRunAsIdentity();
+ if(mi.isLocal() && si != null)
+ SecurityActions.getSecurityContext().getUtil().setSecurityIdentity(si);
+ }
+ }
+
+ @Override
+ public Object invokeHome(Invocation mi) throws Exception
+ {
+ SecurityIdentity si = null;
+ Method m = mi.getMethod();
+ boolean isEjbTimeOutMethod = m!= null && m.getName().equals(timedObjectMethod);
+ //For local ejb invocations
+ if(mi.isLocal() && !isEjbTimeOutMethod)
+ {
+ //Cache the security context
+ SecurityContext sc = SecurityActions.getSecurityContext();
+ if(sc != null)
+ si = sc.getUtil().getSecurityIdentity();
+ }
+ else
+ {
+ establishSecurityContext(mi);
+ }
+ try
+ {
+ //Establish the run-as on the SC as the caller SC
+ SecurityActions.pushCallerRunAsIdentity(SecurityActions.getSecurityContext().getRunAs());
+ Object returnValue = getNext().invokeHome(mi);
+ return returnValue;
+ }
+ finally
+ {
+ SecurityActions.popCallerRunAsIdentity();
+ if(mi.isLocal() && si != null)
+ SecurityActions.getSecurityContext().getUtil().setSecurityIdentity(si);
+ }
+ }
+
+ private void establishSecurityContext(Invocation mi)
+ {
+ //For Local EJB invocations, the security context needs
+ //to be obtained from the thread local. For remote ejb
+ //invocations, the SC is obtained in the invocation
+ SecurityContext sc = mi.getSecurityContext();
+ SecurityContext newSC = SecurityActions.createAndSetSecurityContext(securityDomain);
+
+ if(sc != null)
+ {
+ //Get the run-as, principal, cred etc from the invocation and set it on the context
+ SecurityActions.setSecurityIdentity(newSC,
+ sc.getUtil().getSecurityIdentity());
+ }
+ else
+ {
+ //Local EJB Invocation or some one created the Invocation object on the server side
+ mi.setSecurityContext(newSC);
+ }
+ }
+}
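Review bot: `SecurityActions.getSecurityContext().getRunAs()` at the top of the try block in invoke() dereferences the thread-local context without a null check, and the local-invocation branch just above only reads that context (establishSecurityContext is called on the else path only), so a local non-timer call arriving on a thread with no SecurityContext fails with a NullPointerException rather than a meaningful error; invokeHome repeats the same sequence. A guard before the push such as `SecurityContext current = SecurityActions.getSecurityContext(); if (current == null) throw new IllegalStateException("No security context available for invocation");` would make the failure explicit, or the local branch could fall through to establishSecurityContext when sc is null. Separately, on the non-local path establishSecurityContext installs a fresh thread-local context via createAndSetSecurityContext, but the finally block only restores the cached identity for local calls and never clears or restores the thread-local itself, so it appears to outlive the invocation on the carrying thread unless an outer interceptor or the invoker clears it; a comment stating who is responsible for that cleanup would help the next maintainer. invoke and invokeHome are identical apart from the getNext() call, so extracting the shared prologue and finally into a private helper would remove the duplication.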
Added: trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java (rev 0)
+++ trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java 2007-05-01 04:20:56 UTC (rev 62676)
@@ -0,0 +1,120 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb.plugins.security;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+import org.jboss.security.RunAs;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityIdentity;
+import org.jboss.security.plugins.SecurityContextAssociation;
+import org.jboss.security.plugins.SecurityContextFactory;
+
+//$Id$
+
+/**
+ * Privileged Blocks
+ * @author Anil.Saldhana at redhat.com
+ * @since Apr 30, 2007
+ * @version $Revision$
+ */
+class SecurityActions
+{
+ public static SecurityContext createAndSetSecurityContext(final String domain)
+ {
+ return (SecurityContext) AccessController.doPrivileged(new PrivilegedAction()
+ {
+ public Object run()
+ {
+ SecurityContext sc = SecurityContextFactory.createSecurityContext(domain);
+ setSecurityContext(sc);
+ return sc;
+ }}
+ );
+ }
+
+ public static SecurityContext getSecurityContext()
+ {
+ return (SecurityContext) AccessController.doPrivileged(new PrivilegedAction()
+ {
+ public Object run()
+ {
+ return SecurityContextAssociation.getSecurityContext();
+ }}
+ );
+ }
+
+ static void pushCallerRunAsIdentity(final RunAs ra)
+ {
+ AccessController.doPrivileged(new PrivilegedAction(){
+ public Object run()
+ {
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ if(sc == null)
+ throw new IllegalStateException("Security Context is null");
+ sc.getUtil().setCallerRunAs(ra);
+ return null;
+ }
+ });
+ }
+
+
+ public static void popCallerRunAsIdentity()
+ {
+ AccessController.doPrivileged(new PrivilegedAction(){
+ public Object run()
+ {
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ if(sc == null)
+ throw new IllegalStateException("Security Context is null");
+ sc.getUtil().setCallerRunAs(null);
+ return null;
+ }
+ });
+ }
+
+ public static void setSecurityContext(final SecurityContext sc)
+ {
+ AccessController.doPrivileged(new PrivilegedAction()
+ {
+ public Object run()
+ {
+ SecurityContextAssociation.setSecurityContext(sc);
+ return null;
+ }}
+ );
+ }
+
+ public static void setSecurityIdentity(final SecurityContext sc,
+ final SecurityIdentity si)
+ {
+ AccessController.doPrivileged(new PrivilegedAction()
+ {
+ public Object run()
+ {
+ sc.getUtil().setSecurityIdentity(si);
+ return null;
+ }}
+ );
+ }
+}
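Review bot: pushCallerRunAsIdentity overwrites the caller run-as without saving the previous value and popCallerRunAsIdentity unconditionally sets it to null, so the pair is not a stack: when a bean invoked through this interceptor locally calls another bean on the same thread (the local path reuses the thread's existing context), the inner pop appears to clear the outer invocation's caller run-as for the remainder of the outer call. Returning the prior value from push, `static RunAs pushCallerRunAsIdentity(final RunAs ra)`, and accepting it in `static void popCallerRunAsIdentity(final RunAs previous)` so that pop restores rather than nulls would make nesting safe, with the interceptor's finally block passing the saved value. The anonymous PrivilegedAction instances are raw types; `PrivilegedAction<SecurityContext>` and `PrivilegedAction<Void>` would drop the casts in createAndSetSecurityContext and getSecurityContext. pushCallerRunAsIdentity is package-private while every other method is public; one visibility for the whole helper class would be clearer, and each method would benefit from a one-line Javadoc stating that it runs inside a privileged block on behalf of the interceptor.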