[jboss-cvs] JBossAS SVN: r79152 - in trunk: server/src/main/org/jboss/ejb/plugins and 4 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Mon Oct 6 09:18:46 EDT 2008
Author: mmoyses
Date: 2008-10-06 09:18:46 -0400 (Mon, 06 Oct 2008)
New Revision: 79152
Added:
trunk/testsuite/src/main/org/jboss/test/security/test/EJBNullSecurityDomainUnitTestCase.java
trunk/testsuite/src/resources/security/ejb-null-security-domain/
trunk/testsuite/src/resources/security/ejb-null-security-domain/ejb-jar.xml
trunk/testsuite/src/resources/security/ejb-null-security-domain/jboss.xml
Modified:
trunk/server/src/main/org/jboss/ejb/EjbModule.java
trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
trunk/testsuite/imports/sections/security.xml
Log:
JBAS-5960: Empty security domain in DD should be set to default
Modified: trunk/server/src/main/org/jboss/ejb/EjbModule.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/EjbModule.java 2008-10-06 13:09:19 UTC (rev 79151)
+++ trunk/server/src/main/org/jboss/ejb/EjbModule.java 2008-10-06 13:18:46 UTC (rev 79152)
@@ -20,7 +20,7 @@
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.ejb;
-
+
import java.lang.reflect.Method;
import java.net.URL;
import java.security.Policy;
@@ -61,6 +61,7 @@
import org.jboss.metadata.EntityMetaData;
import org.jboss.metadata.InvokerProxyBindingMetaData;
import org.jboss.metadata.MetaData;
+import org.jboss.metadata.MethodMetaData;
import org.jboss.metadata.SessionMetaData;
import org.jboss.metadata.XmlLoadable;
import org.jboss.mx.util.MBeanProxyExt;
@@ -102,29 +103,35 @@
* @version $Revision$
*/
@SuppressWarnings("deprecation")
-public class EjbModule
- extends ServiceMBeanSupport
- implements EjbModuleMBean
+public class EjbModule extends ServiceMBeanSupport implements EjbModuleMBean
{
public static final String BASE_EJB_MODULE_NAME = "jboss.j2ee:service=EjbModule";
public static final ObjectName EJB_MODULE_QUERY_NAME = ObjectNameFactory.create(BASE_EJB_MODULE_NAME + ",*");
public static String DEFAULT_STATELESS_CONFIGURATION = "Default Stateless SessionBean";
+
public static String DEFAULT_STATEFUL_CONFIGURATION = "Default Stateful SessionBean";
+
public static String DEFAULT_ENTITY_BMP_CONFIGURATION = "Default BMP EntityBean";
+
public static String DEFAULT_ENTITY_CMP_CONFIGURATION = "Default CMP EntityBean";
+
public static String DEFAULT_MESSAGEDRIVEN_CONFIGURATION = "Default MesageDriven Bean";
// Constants uses with container interceptor configurations
public static final int BMT = 1;
+
public static final int CMT = 2;
+
public static final int ANY = 3;
static final String BMT_VALUE = "Bean";
+
static final String CMT_VALUE = "Container";
+
static final String ANY_VALUE = "Both";
-
+
/** The security management */
private ISecurityManagement securityManagement;
@@ -137,8 +144,10 @@
/** HashMap<ejbName, Container> the containers for this deployment unit. */
HashMap containers = new HashMap();
+
/** The containers in their ApplicationMetaData ordering */
LinkedList containerOrdering = new LinkedList();
+
/** HashMap<ejbName, EJBLocalHome> of local homes */
HashMap localHomes = new HashMap();
@@ -152,22 +161,23 @@
private ServiceControllerMBean serviceController;
- private final Map moduleData =
- Collections.synchronizedMap(new HashMap());
+ private final Map moduleData = Collections.synchronizedMap(new HashMap());
private ObjectName webServiceName;
private TransactionManagerFactory tmFactory;
+
private EJBTimerService timerService;
/** Whether we are call by value */
private boolean callByValue;
+
private ApplicationMetaData appMetaData;
/**
* Policy Registration Bean (Holder of Authorization Policies)
*/
- private PolicyRegistration policyRegistration = null;
+ private PolicyRegistration policyRegistration = null;
public EjbModule(final VFSDeploymentUnit unit, ApplicationMetaData metaData)
{
@@ -192,14 +202,14 @@
break;
temp = temp.getParent();
}
- if (flag != null )
- callByValue = flag.booleanValue();
+ if (flag != null)
+ callByValue = flag.booleanValue();
//Set the unauthenticated identity on the metadata if absent
- if(metaData.getUnauthenticatedPrincipal() == null)
+ if (metaData.getUnauthenticatedPrincipal() == null)
{
String unauthenticatedPrincipal = unit.getAttachment("EJB.unauthenticatedIdentity", String.class);
- if(unauthenticatedPrincipal == null)
+ if (unauthenticatedPrincipal == null)
unauthenticatedPrincipal = unit.getAttachment("EAR.unauthenticatedIdentity", String.class);
metaData.getJBossMetaData().setUnauthenticatedPrincipal(unauthenticatedPrincipal);
}
@@ -207,12 +217,11 @@
if (unit.getAttachment(ApplicationMetaData.class) == null)
unit.addAttachment(ApplicationMetaData.class, metaData);
}
-
+
/**
* @deprecated DeploymentInfo is obsolete
*/
- public EjbModule(final DeploymentInfo di, TransactionManager tm,
- ObjectName webServiceName)
+ public EjbModule(final DeploymentInfo di, TransactionManager tm, ObjectName webServiceName)
{
this.name = "deprecated";
}
@@ -226,7 +235,7 @@
{
this.securityManagement = sm;
}
-
+
public void setPolicyRegistration(PolicyRegistration policyRegistration)
{
this.policyRegistration = policyRegistration;
@@ -246,6 +255,7 @@
{
return webServiceName;
}
+
public void setWebServiceName(ObjectName webServiceName)
{
this.webServiceName = webServiceName;
@@ -276,13 +286,11 @@
*
* @param con
*/
- private void addContainer(Container con)
- throws DeploymentException
+ private void addContainer(Container con) throws DeploymentException
{
String ejbName = con.getBeanMetaData().getEjbName();
if (containers.containsKey(ejbName))
- throw new DeploymentException("Duplicate ejb-name. Container for "
- + ejbName + " already exists.");
+ throw new DeploymentException("Duplicate ejb-name. Container for " + ejbName + " already exists.");
containers.put(ejbName, con);
containerOrdering.add(con);
con.setEjbModule(this);
@@ -323,7 +331,7 @@
{
return callByValue;
}
-
+
/**
* Get a container from this deployment unit that corresponds to a given name
*
@@ -378,15 +386,13 @@
{
return appMetaData.getUrl();
}
-
+
// Service implementation ----------------------------------------
protected void createService() throws Exception
{
- serviceController = (ServiceControllerMBean)
- MBeanProxyExt.create(ServiceControllerMBean.class,
- ServiceControllerMBean.OBJECT_NAME,
- server);
+ serviceController = (ServiceControllerMBean) MBeanProxyExt.create(ServiceControllerMBean.class,
+ ServiceControllerMBean.OBJECT_NAME, server);
log.debug("createService, begin");
@@ -395,8 +401,8 @@
{
Iterator beans = appMetaData.getEnterpriseBeans();
String contextID = appMetaData.getJaccContextID();
- if( contextID == null )
- contextID = deploymentUnit.getSimpleName();
+ if (contextID == null)
+ contextID = deploymentUnit.getSimpleName();
//appMetaData.gsetJaccContextID(contextID);
/*PolicyConfiguration pc = null; */
while (beans.hasNext())
@@ -406,15 +412,15 @@
Container con = createContainer(bean, deploymentUnit);
addContainer(con);
//@todo support overriding the context id via metadata is needed
- con.setJaccContextID(contextID);
- }
+ con.setJaccContextID(contextID);
+ }
//only one iteration should be necessary, but we won't sweat it.
//2 iterations are needed by cmp...jdbc/bridge/JDBCCMRFieldBridge which
//assumes persistence managers are all set up for every
//bean in the relationship!
ListIterator iter = containerOrdering.listIterator();
- while( iter.hasNext() )
+ while (iter.hasNext())
{
Container con = (Container) iter.next();
ObjectName jmxName = con.getJmxName();
@@ -425,7 +431,7 @@
//deploymentUnit.mbeans.add(jmxName);
BeanMetaData metaData = con.getBeanMetaData();
Collection<ObjectName> depends = new ArrayList<ObjectName>();
- for(String dependsName : metaData.getDepends())
+ for (String dependsName : metaData.getDepends())
{
depends.add(ObjectName.getInstance(dependsName));
}
@@ -460,17 +466,16 @@
}
//Register any available XACML Policies
- String securityDomain = SecurityUtil.unprefixSecurityDomain(appMetaData.getSecurityDomain());
- if(securityDomain == null)
+ String securityDomain = SecurityUtil.unprefixSecurityDomain(appMetaData.getSecurityDomain());
+ if (securityDomain == null)
securityDomain = SecurityConstants.DEFAULT_EJB_APPLICATION_POLICY; //Fallback
VirtualFile xacmlFile = deploymentUnit.getMetaDataFile("jboss-xacml-policy.xml");
- if(xacmlFile != null)
- {
- if(policyRegistration != null)
+ if (xacmlFile != null)
+ {
+ if (policyRegistration != null)
{
- policyRegistration.registerPolicy(contextID, PolicyRegistration.XACML,
- xacmlFile.toURL());
- }
+ policyRegistration.registerPolicy(contextID, PolicyRegistration.XACML, xacmlFile.toURL());
+ }
}
}
catch (Exception e)
@@ -493,17 +498,17 @@
{
// before EntityContainer returns from the startService, its PM should be usable
ListIterator iter = containerOrdering.listIterator();
- while( iter.hasNext() )
+ while (iter.hasNext())
{
Container con = (Container) iter.next();
- if(con.getBeanMetaData().isEntity())
+ if (con.getBeanMetaData().isEntity())
{
ClassLoader oldCl = SecurityActions.getContextClassLoader();
SecurityActions.setContextClassLoader(con.getClassLoader());
con.pushENC();
try
{
- ((EntityContainer)con).getPersistenceManager().start();
+ ((EntityContainer) con).getPersistenceManager().start();
}
finally
{
@@ -515,7 +520,7 @@
}
iter = containerOrdering.listIterator();
- while( iter.hasNext() )
+ while (iter.hasNext())
{
Container con = (Container) iter.next();
log.debug("startService, starting container: " + con.getBeanMetaData().getEjbName());
@@ -529,7 +534,7 @@
protected void stopService() throws Exception
{
ListIterator iter = containerOrdering.listIterator(containerOrdering.size());
- while( iter.hasPrevious() )
+ while (iter.hasPrevious())
{
Container con = (Container) iter.previous();
try
@@ -554,32 +559,30 @@
WebServiceMBean webServer = null;
if (webServiceName != null)
{
- webServer =
- (WebServiceMBean) MBeanProxyExt.create(WebServiceMBean.class,
- webServiceName);
+ webServer = (WebServiceMBean) MBeanProxyExt.create(WebServiceMBean.class, webServiceName);
}
ListIterator iter = containerOrdering.listIterator(containerOrdering.size());
// Unregister the permissions with the JACC layer
- String contextID = appMetaData.getJaccContextID();
+ String contextID = appMetaData.getJaccContextID();
//Unregister any xacml policies
- if(this.policyRegistration != null)
+ if (this.policyRegistration != null)
{
- policyRegistration.deRegisterPolicy(contextID, PolicyRegistration.XACML);
+ policyRegistration.deRegisterPolicy(contextID, PolicyRegistration.XACML);
}
-
- while ( iter.hasPrevious() )
+
+ while (iter.hasPrevious())
{
Container con = (Container) iter.previous();
ObjectName jmxName = con.getJmxName();
int conState = con.getState();
- boolean destroyContainer = true;
- log.debug("Looking to destroy container: " + jmxName
- + ", state: " + con.getStateString() + ", destroy: " + destroyContainer);
+ boolean destroyContainer = true;
+ log.debug("Looking to destroy container: " + jmxName + ", state: " + con.getStateString() + ", destroy: "
+ + destroyContainer);
// always unregister from Registry
int jmxHash = jmxName.hashCode();
Registry.unbind(new Integer(jmxHash));
-
+
// Unregister the web classloader
//Removing the wcl should probably be done in stop of the container,
// but I don't want to look for errors today.
@@ -600,42 +603,42 @@
}
// Only destroy containers that have been created or started
- if( destroyContainer )
+ if (destroyContainer)
{
try
{
- serviceController.destroy(jmxName);
- serviceController.remove(jmxName);
+ serviceController.destroy(jmxName);
+ serviceController.remove(jmxName);
log.info("Undeployed " + con.getBeanMetaData().getEjbName());
- if( server.isRegistered(jmxName) )
- server.unregisterMBean(jmxName);
+ if (server.isRegistered(jmxName))
+ server.unregisterMBean(jmxName);
}
catch (Throwable e)
{
log.error("unexpected exception destroying Container: " + jmxName, e);
} // end of try-catch
- }
+ }
// Destroy proxy factories
- if( destroyContainer )
+ if (destroyContainer)
{
- if(con.getBeanMetaData() != null && con.getBeanMetaData().getInvokerBindings() != null)
+ if (con.getBeanMetaData() != null && con.getBeanMetaData().getInvokerBindings() != null)
{
Iterator<String> invokerBindings = con.getBeanMetaData().getInvokerBindings();
- while(invokerBindings.hasNext())
+ while (invokerBindings.hasNext())
{
String invoker = (String) invokerBindings.next();
EJBProxyFactory ci = con.lookupProxyFactory(invoker);
- if(ci != null)
+ if (ci != null)
{
ci.setContainer(null);
ci.setInvokerBinding(null);
ci.setInvokerMetaData(null);
}
- }
+ }
}
}
-
+
// cleanup container
con.setBeanMetaData(null);
con.setWebClassLoader(null);
@@ -645,7 +648,7 @@
con.setTransactionManager(null);
con.setSecurityManager(null);
con.setRealmMapping(null);
- con.setSecurityProxy(null);
+ con.setSecurityProxy(null);
con.setSecurityManagement(null);
con.setPolicyRegistration(null);
con.proxyFactories.clear();
@@ -662,8 +665,7 @@
// Container Creation
// ******************
- private Container createContainer(BeanMetaData bean, VFSDeploymentUnit unit)
- throws Exception
+ private Container createContainer(BeanMetaData bean, VFSDeploymentUnit unit) throws Exception
{
Container container = null;
// Added message driven deployment
@@ -671,18 +673,20 @@
{
container = createMessageDrivenContainer(bean, unit);
}
- else if (bean.isSession()) // Is session?
+ else if (bean.isSession()) // Is session?
{
- if (((SessionMetaData) bean).isStateless()) // Is stateless?
+ if (((SessionMetaData) bean).isStateless()) // Is stateless?
{
container = createStatelessSessionContainer((SessionMetaData) bean, unit);
}
- else // Stateful
+ else
+ // Stateful
{
container = createStatefulSessionContainer((SessionMetaData) bean, unit);
}
}
- else // Entity
+ else
+ // Entity
{
container = createEntityContainer(bean, unit);
}
@@ -692,9 +696,7 @@
return container;
}
- private MessageDrivenContainer createMessageDrivenContainer(BeanMetaData bean,
- DeploymentUnit unit)
- throws Exception
+ private MessageDrivenContainer createMessageDrivenContainer(BeanMetaData bean, DeploymentUnit unit) throws Exception
{
// get the container configuration for this bean
// a default configuration is now always provided
@@ -711,9 +713,8 @@
return container;
}
- private StatelessSessionContainer createStatelessSessionContainer(SessionMetaData bean,
- DeploymentUnit unit)
- throws Exception
+ private StatelessSessionContainer createStatelessSessionContainer(SessionMetaData bean, DeploymentUnit unit)
+ throws Exception
{
// get the container configuration for this bean
// a default configuration is now always provided
@@ -722,7 +723,7 @@
StatelessSessionContainer container = new StatelessSessionContainer();
int transType = bean.isContainerManagedTx() ? CMT : BMT;
initializeContainer(container, conf, bean, transType, unit);
- if (bean.getHome() != null || bean.getServiceEndpoint()!=null)
+ if (bean.getHome() != null || bean.getServiceEndpoint() != null)
{
createProxyFactories(bean, container);
}
@@ -731,9 +732,8 @@
return container;
}
- private StatefulSessionContainer createStatefulSessionContainer(SessionMetaData bean,
- DeploymentUnit unit)
- throws Exception
+ private StatefulSessionContainer createStatefulSessionContainer(SessionMetaData bean, DeploymentUnit unit)
+ throws Exception
{
// get the container configuration for this bean
// a default configuration is now always provided
@@ -742,7 +742,7 @@
StatefulSessionContainer container = new StatefulSessionContainer();
int transType = bean.isContainerManagedTx() ? CMT : BMT;
initializeContainer(container, conf, bean, transType, unit);
- if (bean.getHome() != null || bean.getServiceEndpoint()!=null)
+ if (bean.getHome() != null || bean.getServiceEndpoint() != null)
{
createProxyFactories(bean, container);
}
@@ -754,16 +754,15 @@
ip.importXml(conf.getContainerPoolConf());
container.setInstancePool(ip);
// Set persistence manager
- container.setPersistenceManager((StatefulSessionPersistenceManager) cl.loadClass(conf.getPersistenceManager()).newInstance());
+ container.setPersistenceManager((StatefulSessionPersistenceManager) cl.loadClass(conf.getPersistenceManager())
+ .newInstance());
//Set the bean Lock Manager
container.setLockManager(createBeanLockManager(container, false, conf.getLockClass(), cl));
return container;
}
- private EntityContainer createEntityContainer(BeanMetaData bean,
- DeploymentUnit unit)
- throws Exception
+ private EntityContainer createEntityContainer(BeanMetaData bean, DeploymentUnit unit) throws Exception
{
// get the container configuration for this bean
// a default configuration is now always provided
@@ -795,8 +794,7 @@
else
{
// CMP takes a manager and a store
- org.jboss.ejb.plugins.CMPPersistenceManager persistenceManager =
- new org.jboss.ejb.plugins.CMPPersistenceManager();
+ org.jboss.ejb.plugins.CMPPersistenceManager persistenceManager = new org.jboss.ejb.plugins.CMPPersistenceManager();
//Load the store from configuration
Class pmClass = cl.loadClass(conf.getPersistenceManager());
@@ -816,12 +814,8 @@
/**
* Perform the common steps to initializing a container.
*/
- private void initializeContainer(Container container,
- ConfigurationMetaData conf,
- BeanMetaData bean,
- int transType,
- DeploymentUnit unit)
- throws NamingException, DeploymentException
+ private void initializeContainer(Container container, ConfigurationMetaData conf, BeanMetaData bean, int transType,
+ DeploymentUnit unit) throws NamingException, DeploymentException
{
// Create local classloader for this container
// For loading resources that must come from the local jar. Not for loading classes!
@@ -844,19 +838,15 @@
}
catch (Exception e)
{
- throw new DeploymentException(
- "Failed to create WebClassLoader of class "
- + webClassLoaderName + ": ", e);
+ throw new DeploymentException("Failed to create WebClassLoader of class " + webClassLoaderName + ": ", e);
}
if (webServiceName != null)
{
- WebServiceMBean webServer =
- (WebServiceMBean) MBeanProxyExt.create(WebServiceMBean.class,
- webServiceName);
- URL[] codebase = {webServer.addClassLoader(wcl)};
+ WebServiceMBean webServer = (WebServiceMBean) MBeanProxyExt.create(WebServiceMBean.class, webServiceName);
+ URL[] codebase =
+ {webServer.addClassLoader(wcl)};
-
wcl.setWebURLs(codebase);
} // end of if ()
@@ -874,6 +864,11 @@
// Set security domain manager
String securityDomain = bean.getApplicationMetaData().getSecurityDomain();
+ // JBAS-5960: Set default security domain if there is security metadata
+ if (securityDomain == null && hasSecurityMetaData(bean))
+ {
+ securityDomain = SecurityConstants.DEFAULT_EJB_APPLICATION_POLICY;
+ }
String confSecurityDomain = conf.getSecurityDomain();
// Default the config security to the application security manager
if (confSecurityDomain == null)
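Review bot: The new guard tests only `securityDomain == null`, while the log message for this revision speaks of an empty security domain in the deployment descriptor. If the metadata layer can return an empty or whitespace-only string for an empty element (not visible here), that value would skip the default and presumably be carried forward as the domain name. Consider `if ((securityDomain == null || securityDomain.trim().length() == 0) && hasSecurityMetaData(bean))`, and extend the comment to say that a bean without checked method-permissions is deliberately left without a domain. initializeContainer starts and ends outside this hunk.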
@@ -884,7 +879,7 @@
confSecurityDomain = null;
if (confSecurityDomain != null)
- { // Either the application has a security domain or the container has security setup
+ { // Either the application has a security domain or the container has security setup
try
{
String unprefixed = SecurityUtil.unprefixSecurityDomain(confSecurityDomain);
@@ -892,16 +887,16 @@
String domainCtx = SecurityConstants.JAAS_CONTEXT_ROOT + "/" + unprefixed + "/domainContext";
SecurityDomainContext sdc = (SecurityDomainContext) iniCtx.lookup(domainCtx);
Object securityMgr = sdc.getSecurityManager();
-
+
//Object securityMgr = iniCtx.lookup(confSecurityDomain);
AuthenticationManager ejbS = (AuthenticationManager) securityMgr;
RealmMapping rM = (RealmMapping) securityMgr;
container.setSecurityManager(ejbS);
- container.setRealmMapping(rM);
-
+ container.setRealmMapping(rM);
+
container.setSecurityManagement(securityManagement);
container.setPolicyRegistration(policyRegistration);
-
+
container.setDefaultSecurityDomain((String) unit.getAttachment("EJB.defaultSecurityDomain"));
container.setSecurityContextClassName((String) unit.getAttachment("EJB.securityContextClassName"));
}
@@ -916,8 +911,8 @@
}
else
{
- log.warn("EJB Deployment has no configured security domain. " +
- "Security will be bypassed. Please verify if this is intended. Bean=" + bean.getEjbName() + " Deployment="+unit.getName());
+ log.warn("EJB configured to bypass security. Please verify if this is intended. Bean=" + bean.getEjbName()
+ + " Deployment=" + unit.getName());
}
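Review bot: The reworded warning in the `else` branch no longer states the cause, and "configured to bypass security" reads as a deliberate setting even when the security domain was simply left out. This line is what an operator sees when a deployment runs with security bypassed, so keep the condition in the text, for example `log.warn("EJB has no security domain in effect; security will be bypassed. Please verify if this is intended. Bean=" + bean.getEjbName() + " Deployment=" + unit.getName());`. The `if` this branch belongs to begins outside the hunk, so the other paths into it cannot be confirmed from here.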
// Load the security proxy instance if one was configured
@@ -933,8 +928,7 @@
}
catch (Exception e)
{
- throw new DeploymentException("Failed to create SecurityProxy of type: " +
- securityProxyClassName, e);
+ throw new DeploymentException("Failed to create SecurityProxy of type: " + securityProxyClassName, e);
}
}
@@ -945,9 +939,7 @@
/**
* Return the name of the WebClassLoader class for this ejb.
*/
- private static String getWebClassLoader(ConfigurationMetaData conf,
- BeanMetaData bmd)
- throws DeploymentException
+ private static String getWebClassLoader(ConfigurationMetaData conf, BeanMetaData bmd) throws DeploymentException
{
String webClassLoader = null;
Iterator it = bmd.getInvokerBindings();
@@ -956,23 +948,19 @@
{
String invoker = (String) it.next();
ApplicationMetaData amd = bmd.getApplicationMetaData();
- InvokerProxyBindingMetaData imd =
- amd.getInvokerProxyBindingMetaDataByName(invoker);
+ InvokerProxyBindingMetaData imd = amd.getInvokerProxyBindingMetaDataByName(invoker);
if (imd == null)
{
- String msg = "Failed to find InvokerProxyBindingMetaData for: '"
- + invoker + "'. Check the invoker-proxy-binding-name to "
- + "invoker-proxy-binding/name mappings in jboss.xml";
+ String msg = "Failed to find InvokerProxyBindingMetaData for: '" + invoker
+ + "'. Check the invoker-proxy-binding-name to " + "invoker-proxy-binding/name mappings in jboss.xml";
throw new DeploymentException(msg);
}
Element proxyFactoryConfig = imd.getProxyFactoryConfig();
- String webCL = MetaData.getOptionalChildContent(proxyFactoryConfig,
- "web-class-loader");
+ String webCL = MetaData.getOptionalChildContent(proxyFactoryConfig, "web-class-loader");
if (webCL != null)
{
- log.debug("Invoker " + invoker
- + " specified WebClassLoader class" + webCL);
+ log.debug("Invoker " + invoker + " specified WebClassLoader class" + webCL);
webClassLoader = webCL;
count++;
}
@@ -980,13 +968,12 @@
if (count > 1)
{
log.warn(count + " invokers have WebClassLoader specifications.");
- log.warn("Using the last specification seen ("
- + webClassLoader + ").");
+ log.warn("Using the last specification seen (" + webClassLoader + ").");
}
else if (count == 0)
{
webClassLoader = conf.getWebClassLoader();
- if(webClassLoader == null)
+ if (webClassLoader == null)
webClassLoader = "org.jboss.web.WebClassLoader";
}
return webClassLoader;
@@ -1002,10 +989,7 @@
* @param element the container-interceptors element from the
* container-configuration.
*/
- private void addInterceptors(Container container,
- int transType,
- Element element)
- throws DeploymentException
+ private void addInterceptors(Container container, int transType, Element element) throws DeploymentException
{
// Get the interceptor stack(either jboss.xml or standardjboss.xml)
Iterator interceptorElements = MetaData.getChildrenByTagName(element, "interceptor");
@@ -1026,7 +1010,7 @@
if (transAttr == null || transAttr.length() == 0)
transAttr = ANY_VALUE;
if (transAttr.equalsIgnoreCase(ANY_VALUE) || transAttr.equalsIgnoreCase(transTypeString))
- { // The transaction type matches the container bean trans type
+ { // The transaction type matches the container bean trans type
String className = null;
try
@@ -1036,7 +1020,7 @@
Interceptor interceptor = (Interceptor) clazz.newInstance();
if (interceptor instanceof XmlLoadable)
{
- ((XmlLoadable)interceptor).importXml(ielement);
+ ((XmlLoadable) interceptor).importXml(ielement);
}
istack.add(interceptor);
}
@@ -1071,17 +1055,15 @@
container.addInterceptor(container.createContainerInterceptor());
}
-
-
/** Create any JACC permissions for the ejb methods that were not explicitly
* assigned method-permission or exclude-list mappings.
* @param con - the ejb container
* @param bean - the bean metadata
* @throws ClassNotFoundException
* @throws PolicyContextException
- */
- void createMissingPermissions(Container con, BeanMetaData bean)
- throws ClassNotFoundException, PolicyContextException
+ */
+ void createMissingPermissions(Container con, BeanMetaData bean) throws ClassNotFoundException,
+ PolicyContextException
{
String contextID = con.getJaccContextID();
PolicyConfigurationFactory pcFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
@@ -1090,29 +1072,29 @@
// If there is no security domain mark all methods as unchecked
boolean hasSecurityDomain = con.getSecurityManager() != null;
boolean exclude = hasSecurityDomain ? bean.isExcludeMissingMethods() : false;
-
- if( clazz != null )
+
+ if (clazz != null)
{
addMissingMethodPermissions(bean, exclude, clazz, InvocationType.HOME, pc);
}
clazz = con.getLocalHomeClass();
- if( clazz != null )
+ if (clazz != null)
{
addMissingMethodPermissions(bean, exclude, clazz, InvocationType.LOCALHOME, pc);
}
clazz = con.getLocalClass();
- if( clazz != null )
+ if (clazz != null)
{
addMissingMethodPermissions(bean, exclude, clazz, InvocationType.LOCAL, pc);
}
clazz = con.getRemoteClass();
- if( clazz != null )
+ if (clazz != null)
{
addMissingMethodPermissions(bean, exclude, clazz, InvocationType.REMOTE, pc);
}
-
- if(pc.inService() == false)
- pc.commit();
+
+ if (pc.inService() == false)
+ pc.commit();
// Allow the policy to incorporate the policy configs
Policy.getPolicy().refresh();
}
@@ -1121,37 +1103,36 @@
{
tmp.add(iface);
Class[] ifaces = iface.getInterfaces();
- for(int n = 0; n < ifaces.length; n ++)
+ for (int n = 0; n < ifaces.length; n++)
{
Class iface2 = ifaces[n];
tmp.add(iface2);
getInterfaces(iface2, tmp);
}
}
- private void addMissingMethodPermissions(BeanMetaData bean, boolean exclude,
- Class iface, InvocationType type, PolicyConfiguration pc)
- throws PolicyContextException
+
+ private void addMissingMethodPermissions(BeanMetaData bean, boolean exclude, Class iface, InvocationType type,
+ PolicyConfiguration pc) throws PolicyContextException
{
String ejbName = bean.getEjbName();
HashSet tmp = new HashSet();
getInterfaces(iface, tmp);
Class[] ifaces = new Class[tmp.size()];
tmp.toArray(ifaces);
- for(int n = 0; n < ifaces.length; n ++)
+ for (int n = 0; n < ifaces.length; n++)
{
- Class c = ifaces[n];
+ Class c = ifaces[n];
Method[] methods = c.getDeclaredMethods();
- for(int m = 0; m < methods.length; m ++)
+ for (int m = 0; m < methods.length; m++)
{
String methodName = methods[m].getName();
Class[] params = methods[m].getParameterTypes();
// See if there is a method-permission
- if( bean.hasMethodPermission(methodName, params, type) )
+ if (bean.hasMethodPermission(methodName, params, type))
continue;
// Create a permission for the missing method-permission
- EJBMethodPermission p = new EJBMethodPermission(ejbName,
- type.toInterfaceString(), methods[m]);
- if( exclude )
+ EJBMethodPermission p = new EJBMethodPermission(ejbName, type.toInterfaceString(), methods[m]);
+ if (exclude)
pc.addToExcludedPolicy(p);
else
pc.addToUncheckedPolicy(p);
@@ -1164,12 +1145,12 @@
String transaction = ANY_VALUE;
switch (transType)
{
- case BMT:
- transaction = BMT_VALUE;
- break;
- case CMT:
- transaction = CMT_VALUE;
- break;
+ case BMT :
+ transaction = BMT_VALUE;
+ break;
+ case CMT :
+ transaction = CMT_VALUE;
+ break;
}
return transaction;
}
@@ -1177,12 +1158,11 @@
/**
* Create all proxy factories for this ejb
*/
- private static void createProxyFactories(BeanMetaData conf, Container container)
- throws Exception
+ private static void createProxyFactories(BeanMetaData conf, Container container) throws Exception
{
ClassLoader cl = container.getClassLoader();
Iterator it = conf.getInvokerBindings();
- boolean foundOne=false;
+ boolean foundOne = false;
while (it.hasNext())
{
String invoker = (String) it.next();
@@ -1204,23 +1184,23 @@
((XmlLoadable) ci).importXml(imd.getProxyFactoryConfig());
}
container.addProxyFactory(invoker, ci);
- foundOne=true;
+ foundOne = true;
}
catch (Exception e)
{
- log.warn("The Container Invoker "+invoker+" (in jboss.xml or standardjboss.xml) could not be created because of "+e+
- " We will ignore this error, but you may miss a transport for this bean.");
+ log.warn("The Container Invoker " + invoker
+ + " (in jboss.xml or standardjboss.xml) could not be created because of " + e
+ + " We will ignore this error, but you may miss a transport for this bean.");
}
}
- if(!foundOne) {
+ if (!foundOne)
+ {
throw new DeploymentException("Missing or invalid Container Invokers (in jboss.xml or standardjboss.xml).");
- }
+ }
}
-
private static BeanLockManager createBeanLockManager(Container container, boolean reentrant, String beanLock,
- ClassLoader cl)
- throws Exception
+ ClassLoader cl) throws Exception
{
// The bean lock manager
BeanLockManager lockManager = new BeanLockManager(container);
@@ -1228,13 +1208,14 @@
Class lockClass = null;
try
{
- if(beanLock == null)
+ if (beanLock == null)
beanLock = "org.jboss.ejb.plugins.lock.QueuedPessimisticEJBLock";
lockClass = cl.loadClass(beanLock);
}
catch (Exception e)
{
- throw new DeploymentException("Missing or invalid lock class (in jboss.xml or standardjboss.xml): " + beanLock + " - " + e);
+ throw new DeploymentException("Missing or invalid lock class (in jboss.xml or standardjboss.xml): " + beanLock
+ + " - " + e);
}
lockManager.setLockCLass(lockClass);
@@ -1243,9 +1224,7 @@
return lockManager;
}
- private static InstancePool createInstancePool(ConfigurationMetaData conf,
- ClassLoader cl)
- throws Exception
+ private static InstancePool createInstancePool(ConfigurationMetaData conf, ClassLoader cl) throws Exception
{
// Set instance pool
InstancePool ip = null;
@@ -1265,9 +1244,7 @@
return ip;
}
- private static InstanceCache createInstanceCache(ConfigurationMetaData conf,
- ClassLoader cl)
- throws Exception
+ private static InstanceCache createInstanceCache(ConfigurationMetaData conf, ClassLoader cl) throws Exception
{
// Set instance cache
InstanceCache ic = null;
@@ -1280,12 +1257,29 @@
{
throw new DeploymentException("Missing or invalid Instance Cache (in jboss.xml or standardjboss.xml)", e);
}
-
+
if (ic instanceof XmlLoadable)
((XmlLoadable) ic).importXml(conf.getContainerCacheConf());
return ic;
- }
+ }
+
+ private boolean hasSecurityMetaData(BeanMetaData bean)
+ {
+ boolean hasSecMetaData = false;
+ Iterator<MethodMetaData> iter = bean.getPermissionMethods();
+ while (iter.hasNext())
+ {
+ MethodMetaData method = iter.next();
+ if (!method.isUnchecked())
+ {
+ hasSecMetaData = true;
+ break;
+ }
+ }
+
+ return hasSecMetaData;
+ }
}
/*
vim:ts=3:sw=3:et
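Review bot: `hasSecurityMetaData` decides whether a bean with no declared domain gets the default one, yet it looks only at `bean.getPermissionMethods()` and returns true only for an entry that is not unchecked. A descriptor whose only security declarations are of another kind (an exclude-list or a run-as identity, say) would presumably still return false and leave the bean without a security manager; `createMissingPermissions` in this file then adds the missing methods to the unchecked policy. Either widen the check to those declarations or document the limit with a Javadoc such as `Returns true when the bean declares at least one method-permission that is not unchecked; other security metadata is not considered.` The method reads no instance state and could be `private static`, like the neighbouring factory helpers.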
Modified: trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2008-10-06 13:09:19 UTC (rev 79151)
+++ trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2008-10-06 13:18:46 UTC (rev 79152)
@@ -71,12 +71,13 @@
public interface AuthenticationObserver
{
final String KEY = "SecurityInterceptor.AuthenticationObserver";
+
void authenticationFailed();
}
/** The authentication manager plugin
*/
- protected AuthenticationManager securityManager;
+ protected AuthenticationManager securityManager;
/** The authorization manager plugin
*/
@@ -87,38 +88,43 @@
// A map of SecurityRolesMetaData from jboss.xml
protected Map securityRoles;
-
+
//A map of principal versus roles from jboss-app.xml/jboss.xml
- protected Map<String,Set<String>> deploymentRoles;
+ protected Map<String, Set<String>> deploymentRoles;
// The observer to be notified when principal authentication fails.
// This is a hook for the CSIv2 code. The authenticationObserver may
// send out a ContextError message, as required by the CSIv2 protocol.
protected AuthenticationObserver authenticationObserver;
+
/** The TimedObject.ejbTimeout callback */
protected Method ejbTimeout;
+
//Authorization Framework changes
- protected String ejbName = null;
- protected CodeSource ejbCS = null;
+ protected String ejbName = null;
+
+ protected CodeSource ejbCS = null;
+
/**
* Security Domain configured as part of the application
*/
- protected String appSecurityDomain = null;
+ protected String appSecurityDomain = null;
+
//Fallback Security Domain
- protected String defaultAuthorizationSecurityDomain = DEFAULT_EJB_APPLICATION_POLICY;
-
+ protected String defaultAuthorizationSecurityDomain = DEFAULT_EJB_APPLICATION_POLICY;
+
/**
* Specify whether <use-caller-identity> is configured, mainly
* for the use case of caller identity coming with run-as
*/
protected boolean isUseCallerIdentity = false;
-
+
/**
* Represents the holder of the various security managers
* configured at the container level
*/
protected ISecurityManagement securityManagement = null;
-
+
/** Called by the super class to set the container to which this interceptor
belongs. We obtain the security manager and runAs identity to use here.
*/
@@ -132,22 +138,22 @@
AssemblyDescriptorMetaData assemblyDescriptor = applicationMetaData.getAssemblyDescriptor();
securityRoles = assemblyDescriptor.getSecurityRoles();
deploymentRoles = assemblyDescriptor.getPrincipalVersusRolesMap();
-
+
SecurityIdentityMetaData secMetaData = beanMetaData.getSecurityIdentityMetaData();
if (secMetaData != null && secMetaData.getUseCallerIdentity() == false)
{
String roleName = secMetaData.getRunAsRoleName();
String principalName = secMetaData.getRunAsPrincipalName();
-
+
//Special Case: if RunAsPrincipal is not configured, then we use unauthenticatedIdentity
- if(principalName == null)
+ if (principalName == null)
principalName = applicationMetaData.getUnauthenticatedPrincipal();
// the run-as principal might have extra roles mapped in the assembly-descriptor
Set extraRoleNames = assemblyDescriptor.getSecurityRoleNamesByPrincipal(principalName);
runAsIdentity = new RunAsIdentity(roleName, principalName, extraRoleNames);
}
-
+
if (secMetaData != null && secMetaData.getUseCallerIdentity())
this.isUseCallerIdentity = true;
@@ -158,17 +164,18 @@
try
{
// Get the timeout method
- ejbTimeout = TimedObject.class.getMethod("ejbTimeout", new Class[]{Timer.class});
+ ejbTimeout = TimedObject.class.getMethod("ejbTimeout", new Class[]
+ {Timer.class});
}
catch (NoSuchMethodException ignore)
{
}
- if(securityManager != null)
+ if (securityManager != null)
{
- appSecurityDomain = securityManager.getSecurityDomain();
- appSecurityDomain = SecurityUtil.unprefixSecurityDomain(appSecurityDomain);
- }
- ejbName = beanMetaData.getEjbName();
+ appSecurityDomain = securityManager.getSecurityDomain();
+ appSecurityDomain = SecurityUtil.unprefixSecurityDomain(appSecurityDomain);
+ }
+ ejbName = beanMetaData.getEjbName();
ejbCS = container.getBeanClass().getProtectionDomain().getCodeSource();
securityManagement = (ISecurityManagement) container.getSecurityManagement();
}
@@ -178,34 +185,32 @@
public void start() throws Exception
{
super.start();
- authenticationObserver =
- (AuthenticationObserver) Registry.lookup(AuthenticationObserver.KEY);
-
+ authenticationObserver = (AuthenticationObserver) Registry.lookup(AuthenticationObserver.KEY);
+
//Take care of hot deployed security domains
- if(container != null)
+ if (container != null)
{
securityManager = container.getSecurityManager();
- if(securityManager != null)
+ if (securityManager != null)
{
- appSecurityDomain = securityManager.getSecurityDomain();
- appSecurityDomain = SecurityUtil.unprefixSecurityDomain(appSecurityDomain);
- }
+ appSecurityDomain = securityManager.getSecurityDomain();
+ appSecurityDomain = SecurityUtil.unprefixSecurityDomain(appSecurityDomain);
+ }
}
}
public Object invokeHome(Invocation mi) throws Exception
- {
+ {
boolean isInvoke = false;
- return process(mi, isInvoke);
+ return process(mi, isInvoke);
}
-
public Object invoke(Invocation mi) throws Exception
- {
+ {
boolean isInvoke = true;
- return process(mi, isInvoke);
- }
-
+ return process(mi, isInvoke);
+ }
+
/**
* Process the invocation
* @param mi
@@ -215,175 +220,167 @@
*/
private Object process(Invocation mi, boolean isInvoke) throws Exception
{
- if(this.shouldBypassSecurity(mi))
+ if (this.shouldBypassSecurity(mi))
{
- log.trace("Bypass security for invoke or invokeHome");
- if(isInvoke)
+ if (log.isTraceEnabled())
+ log.trace("Bypass security for invoke or invokeHome");
+ if (isInvoke)
return getNext().invoke(mi);
else
return getNext().invokeHome(mi);
}
-
- SecurityContext sc = SecurityActions.getSecurityContext();
- if( sc == null)
- throw new IllegalStateException("Security Context is null");
-
- RunAs callerRunAsIdentity = sc.getIncomingRunAs();
- log.trace("Caller RunAs="+callerRunAsIdentity + ": useCallerIdentity="+this.isUseCallerIdentity);
+
+ SecurityContext sc = SecurityActions.getSecurityContext();
+ if (sc == null)
+ throw new IllegalStateException("Security Context is null");
+
+ RunAs callerRunAsIdentity = sc.getIncomingRunAs();
+ if (log.isTraceEnabled())
+ log.trace("Caller RunAs=" + callerRunAsIdentity + ": useCallerIdentity=" + this.isUseCallerIdentity);
// Authenticate the subject and apply any declarative security checks
try
{
- checkSecurityContext(mi, callerRunAsIdentity);
- }
- catch(Exception e)
+ checkSecurityContext(mi, callerRunAsIdentity);
+ }
+ catch (Exception e)
{
- log.error("Error in Security Interceptor",e);
+ log.error("Error in Security Interceptor", e);
throw e;
}
-
+
/**
* Special case: if <use-caller-identity> configured and
* the caller is arriving with a run-as, we need to push that run-as
*/
- if(callerRunAsIdentity != null && this.isUseCallerIdentity)
+ if (callerRunAsIdentity != null && this.isUseCallerIdentity)
this.runAsIdentity = callerRunAsIdentity;
-
+
/* If a run-as role was specified, push it so that any calls made
by this bean will have the runAsRole available for declarative
security checks.
*/
- SecurityActions.pushRunAsIdentity(runAsIdentity);
+ SecurityActions.pushRunAsIdentity(runAsIdentity);
try
{
- if(isInvoke)
+ if (isInvoke)
return getNext().invoke(mi);
else
return getNext().invokeHome(mi);
}
finally
- {
- SecurityActions.popRunAsIdentity();
- SecurityActions.popSubjectContext();
- }
+ {
+ SecurityActions.popRunAsIdentity();
+ SecurityActions.popSubjectContext();
+ }
}
-
+
/** The EJB 2.0 declarative security algorithm:
- 1. Authenticate the caller using the principal and credentials in the MethodInfocation
+ 1. Authenticate the caller using the principal and credentials in the MethodInvocation
2. Validate access to the method by checking the principal's roles against
those required to access the method.
*/
- private void checkSecurityContext(Invocation mi, RunAs callerRunAsIdentity)
- throws Exception
- {
- Principal principal = mi.getPrincipal();
- Object credential = mi.getCredential();
-
- boolean trace = log.isTraceEnabled();
-
- // If there is not a security manager then there is no authentication required
- Method m = mi.getMethod();
- boolean containerMethod = m == null || m.equals(ejbTimeout);
- if ( containerMethod == true || securityManager == null || container == null )
- {
- // Allow for the progatation of caller info to other beans
- SecurityActions.pushSubjectContext(principal, credential, null);
- return;
- }
-
- if (realmMapping == null)
- {
- throw new SecurityException("Role mapping manager has not been set");
- }
-
- SecurityContext sc = SecurityActions.getSecurityContext();
-
- EJBAuthenticationHelper helper = SecurityHelperFactory.getEJBAuthenticationHelper(sc);
- boolean isTrusted = helper.isTrusted();
-
- if (!isTrusted)
- {
- // Check the security info from the method invocation
- Subject subject = new Subject();
- if(helper.isValid(subject, m.getName()) == false)
- {
- // Notify authentication observer
- if (authenticationObserver != null)
- authenticationObserver.authenticationFailed();
- // Else throw a generic SecurityException
- String msg = "Authentication exception, principal=" + principal;
- throw new SecurityException(msg);
- }
- else
- {
- SecurityActions.pushSubjectContext(principal, credential, subject);
- if (trace)
- {
- log.trace("Authenticated principal=" + principal + " in security domain=" + sc.getSecurityDomain());
- }
- }
- }
- else
- {
- // Duplicate the current subject context on the stack since
- //SecurityActions.dupSubjectContext();
- SecurityActions.pushRunAsIdentity(callerRunAsIdentity);
- }
-
- Method ejbMethod = mi.getMethod();
- // Ignore internal container calls
- if( ejbMethod== null )
- return;
- // Get the caller
- Subject caller = SecurityActions.getContextSubject();
- if(caller == null)
- throw new IllegalStateException("Authenticated User. But caller subject is null");
-
- //Establish the deployment rolename-principalset custom mapping(if available)
- SecurityRolesAssociation.setSecurityRoles(this.deploymentRoles);
-
- boolean isAuthorized = false;
- Set<Principal> methodRoles = container.getMethodPermissions(ejbMethod, mi.getType());
-
- SecurityContext currentSC = SecurityActions.getSecurityContext();
- if(currentSC.getSecurityManagement() == null)
- currentSC.setSecurityManagement(securityManagement);
-
- AbstractEJBAuthorizationHelper authorizationHelper = SecurityHelperFactory.getEJBAuthorizationHelper(sc);
- authorizationHelper.setPolicyRegistration(container.getPolicyRegistration());
-
- isAuthorized = authorizationHelper.authorize(ejbName,
- ejbMethod,
- mi.getPrincipal(),
- mi.getType().toInterfaceString(),
- ejbCS,
- caller,
- callerRunAsIdentity,
- container.getJaccContextID(),
- new SimpleRoleGroup(methodRoles)) ;
-
- String msg = "Denied: caller with subject=" + caller
- + " and security context post-mapping roles=" +
- currentSC.getUtil().getRoles() +
- ": ejbMethod="+ejbMethod;
- if(!isAuthorized)
- throw new SecurityException(msg);
- }
-
- private boolean shouldBypassSecurity(Invocation mi) throws Exception
- {
- // If there is not a security manager then there is no authentication required
- Method m = mi.getMethod();
- boolean containerMethod = m == null || m.equals(ejbTimeout);
- if ( containerMethod == true || securityManager == null || container == null )
- {
- // Allow for the propagation of caller info to other beans
- SecurityActions.createAndSetSecurityContext(mi.getPrincipal(),
- mi.getCredential(), "BYPASSED-SECURITY");
- if(this.runAsIdentity != null)
- SecurityActions.pushRunAsIdentity(runAsIdentity);
- return true;
- }
- return false;
- }
+ private void checkSecurityContext(Invocation mi, RunAs callerRunAsIdentity) throws Exception
+ {
+ Principal principal = mi.getPrincipal();
+ Object credential = mi.getCredential();
+
+ boolean trace = log.isTraceEnabled();
+
+ // If there is not a security manager then there is no authentication required
+ Method m = mi.getMethod();
+ boolean containerMethod = m == null || m.equals(ejbTimeout);
+ if (containerMethod == true || securityManager == null || container == null)
+ {
+ // Allow for the propagation of caller info to other beans
+ SecurityActions.pushSubjectContext(principal, credential, null);
+ return;
+ }
+
+ if (realmMapping == null)
+ {
+ throw new SecurityException("Role mapping manager has not been set");
+ }
+
+ SecurityContext sc = SecurityActions.getSecurityContext();
+
+ EJBAuthenticationHelper helper = SecurityHelperFactory.getEJBAuthenticationHelper(sc);
+ boolean isTrusted = helper.isTrusted();
+
+ if (!isTrusted)
+ {
+ // Check the security info from the method invocation
+ Subject subject = new Subject();
+ if (helper.isValid(subject, m.getName()) == false)
+ {
+ // Notify authentication observer
+ if (authenticationObserver != null)
+ authenticationObserver.authenticationFailed();
+ // Else throw a generic SecurityException
+ String msg = "Authentication exception, principal=" + principal;
+ throw new SecurityException(msg);
+ }
+ else
+ {
+ SecurityActions.pushSubjectContext(principal, credential, subject);
+ if (trace)
+ {
+ log.trace("Authenticated principal=" + principal + " in security domain=" + sc.getSecurityDomain());
+ }
+ }
+ }
+ else
+ {
+ // Duplicate the current subject context on the stack since
+ //SecurityActions.dupSubjectContext();
+ SecurityActions.pushRunAsIdentity(callerRunAsIdentity);
+ }
+
+ Method ejbMethod = mi.getMethod();
+ // Ignore internal container calls
+ if (ejbMethod == null)
+ return;
+ // Get the caller
+ Subject caller = SecurityActions.getContextSubject();
+ if (caller == null)
+ throw new IllegalStateException("Authenticated User. But caller subject is null");
+
+ //Establish the deployment rolename-principalset custom mapping(if available)
+ SecurityRolesAssociation.setSecurityRoles(this.deploymentRoles);
+
+ boolean isAuthorized = false;
+ Set<Principal> methodRoles = container.getMethodPermissions(ejbMethod, mi.getType());
+
+ SecurityContext currentSC = SecurityActions.getSecurityContext();
+ if (currentSC.getSecurityManagement() == null)
+ currentSC.setSecurityManagement(securityManagement);
+
+ AbstractEJBAuthorizationHelper authorizationHelper = SecurityHelperFactory.getEJBAuthorizationHelper(sc);
+ authorizationHelper.setPolicyRegistration(container.getPolicyRegistration());
+
+ isAuthorized = authorizationHelper.authorize(ejbName, ejbMethod, mi.getPrincipal(), mi.getType()
+ .toInterfaceString(), ejbCS, caller, callerRunAsIdentity, container.getJaccContextID(),
+ new SimpleRoleGroup(methodRoles));
+
+ String msg = "Denied: caller with subject=" + caller + " and security context post-mapping roles="
+ + currentSC.getUtil().getRoles() + ": ejbMethod=" + ejbMethod;
+ if (!isAuthorized)
+ throw new SecurityException(msg);
+ }
+
+ private boolean shouldBypassSecurity(Invocation mi) throws Exception
+ {
+ // If there is not a security manager then there is no authentication required
+ Method m = mi.getMethod();
+ boolean containerMethod = m == null || m.equals(ejbTimeout);
+ if (containerMethod == true || securityManager == null || container == null)
+ {
+ // Allow for the propagation of caller info to other beans
+ SecurityActions.createAndSetSecurityContext(mi.getPrincipal(), mi.getCredential(), "BYPASSED-SECURITY");
+ if (this.runAsIdentity != null)
+ SecurityActions.pushRunAsIdentity(runAsIdentity);
+ return true;
+ }
+ return false;
+ }
}
\ No newline at end of file
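Review bot: In `process`, `this.runAsIdentity = callerRunAsIdentity;` stores a per-invocation value in an instance field. If one interceptor instance serves concurrent or successive invocations (not visible in this hunk), a caller's run-as identity can carry over to a later call that arrives without one. The same field is read in `shouldBypassSecurity`. Keeping the field as the configured value and pushing a local avoids this: `RunAs effectiveRunAs = (callerRunAsIdentity != null && this.isUseCallerIdentity) ? callerRunAsIdentity : runAsIdentity;` followed by `SecurityActions.pushRunAsIdentity(effectiveRunAs);`. The rest of the hunk is reformatting plus the `isTraceEnabled()` guards.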
Modified: trunk/testsuite/imports/sections/security.xml
===================================================================
--- trunk/testsuite/imports/sections/security.xml 2008-10-06 13:09:19 UTC (rev 79151)
+++ trunk/testsuite/imports/sections/security.xml 2008-10-06 13:18:46 UTC (rev 79152)
@@ -368,5 +368,17 @@
</fileset>
</jar>
+ <!-- ejb-null-security-domain.jar -->
+ <jar destfile="${build.lib}/ejb-null-security-domain.jar">
+ <metainf dir="${build.resources}/security/ejb-null-security-domain">
+ <include name="ejb-jar.xml" />
+ <include name="jboss.xml" />
+ </metainf>
+ <fileset dir="${build.classes}">
+ <include name="org/jboss/test/security/ejb/StatelessSessionBean.*"/>
+ <include name="org/jboss/test/security/interfaces/StatelessSession*"/>
+ </fileset>
+ </jar>
+
</target>
</project>
Added: trunk/testsuite/src/main/org/jboss/test/security/test/EJBNullSecurityDomainUnitTestCase.java
===================================================================
--- trunk/testsuite/src/main/org/jboss/test/security/test/EJBNullSecurityDomainUnitTestCase.java (rev 0)
+++ trunk/testsuite/src/main/org/jboss/test/security/test/EJBNullSecurityDomainUnitTestCase.java 2008-10-06 13:18:46 UTC (rev 79152)
@@ -0,0 +1,109 @@
+/*
+* JBoss, Home of Professional Open Source
+* Copyright 2005, JBoss Inc., and individual contributors as indicated
+* by the @authors tag. See the copyright.txt in the distribution for a
+* full listing of individual contributors.
+*
+* This is free software; you can redistribute it and/or modify it
+* under the terms of the GNU Lesser General Public License as
+* published by the Free Software Foundation; either version 2.1 of
+* the License, or (at your option) any later version.
+*
+* This software is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+* Lesser General Public License for more details.
+*
+* You should have received a copy of the GNU Lesser General Public
+* License along with this software; if not, write to the Free
+* Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+*/
+package org.jboss.test.security.test;
+
+import javax.rmi.PortableRemoteObject;
+import javax.security.auth.login.Configuration;
+
+import junit.extensions.TestSetup;
+import junit.framework.Test;
+import junit.framework.TestSuite;
+
+import org.jboss.security.auth.login.XMLLoginConfigImpl;
+import org.jboss.test.JBossTestCase;
+import org.jboss.test.JBossTestSetup;
+import org.jboss.test.security.interfaces.StatelessSession;
+import org.jboss.test.security.interfaces.StatelessSessionHome;
+
+/**
+ * Test for assignment of default security domain for an EJB with no security domain provided in jboss.xml.
+ *
+ * @author <a href="mmoyses at redhat.com">Marcus Moyses</a>
+ * @version $Revision: 1.0 $
+ */
+public class EJBNullSecurityDomainUnitTestCase extends JBossTestCase
+{
+
+ public EJBNullSecurityDomainUnitTestCase(String name)
+ {
+ super(name);
+ }
+
+ public void testEJBNullSecurityDomain() throws Exception
+ {
+ log.debug("+++ testEJBNullSecurityDomain");
+ Object obj = getInitialContext().lookup("null.StatelessSession");
+ obj = PortableRemoteObject.narrow(obj, StatelessSessionHome.class);
+ StatelessSessionHome home = (StatelessSessionHome) obj;
+ log.debug("Found null.StatelessSession Home");
+ StatelessSession bean = null;
+ try
+ {
+ bean = home.create();
+ }
+ catch (Exception e)
+ {
+ Throwable t = e.getCause();
+ if (t instanceof SecurityException)
+ {
+ log.debug("Invoking create() was correctly denied by a SecurityException:", e);
+ return;
+ }
+ else
+ {
+ log.debug("Invoking create() failed by an unexpected reason:", e);
+ fail("Unexpected exception");
+ }
+ }
+ fail("Invoking create() should fail");
+ }
+
+ /**
+ * Setup the test suite.
+ */
+ public static Test suite() throws Exception
+ {
+ TestSuite suite = new TestSuite();
+ suite.addTest(new TestSuite(EJBNullSecurityDomainUnitTestCase.class));
+
+ // Create an initializer for the test suite
+ TestSetup wrapper = new JBossTestSetup(suite)
+ {
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+ Configuration.setConfiguration(XMLLoginConfigImpl.getInstance());
+ redeploy("ejb-null-security-domain.jar");
+ flushAuthCache();
+ }
+
+ @Override
+ protected void tearDown() throws Exception
+ {
+ undeploy("ejb-null-security-domain.jar");
+ super.tearDown();
+ }
+ };
+ return wrapper;
+ }
+}
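Review bot: The `catch` block in `testEJBNullSecurityDomain` inspects only `e.getCause()`, so the test reports a failure if the container wraps the `SecurityException` more than one level deep. `fail("Unexpected exception")` also drops the detail needed to diagnose that. Walking the chain is more robust: `Throwable t = e; while (t != null && !(t instanceof SecurityException)) t = t.getCause();`, with `fail("Unexpected exception: " + e)` in the else branch. The test covers only the unauthenticated denial. If the default domain has a known test user, a second case that logs in and calls `create()` would show that the domain authenticates as well as rejects.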
Added: trunk/testsuite/src/resources/security/ejb-null-security-domain/ejb-jar.xml
===================================================================
--- trunk/testsuite/src/resources/security/ejb-null-security-domain/ejb-jar.xml (rev 0)
+++ trunk/testsuite/src/resources/security/ejb-null-security-domain/ejb-jar.xml 2008-10-06 13:18:46 UTC (rev 79152)
@@ -0,0 +1,74 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE ejb-jar PUBLIC
+ "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
+ "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
+
+<ejb-jar>
+ <display-name>SecurityTests</display-name>
+ <enterprise-beans>
+ <session>
+ <description>A secured trival echo session bean</description>
+ <ejb-name>StatelessSession</ejb-name>
+ <home>org.jboss.test.security.interfaces.StatelessSessionHome</home>
+ <remote>org.jboss.test.security.interfaces.StatelessSession</remote>
+ <local-home>org.jboss.test.security.interfaces.StatelessSessionLocalHome</local-home>
+ <local>org.jboss.test.security.interfaces.StatelessSessionLocal</local>
+ <ejb-class>org.jboss.test.security.ejb.StatelessSessionBean</ejb-class>
+ <session-type>Stateless</session-type>
+ <transaction-type>Container</transaction-type>
+ <security-role-ref>
+ <role-name>EchoCaller</role-name>
+ <role-link>Echo</role-link>
+ </security-role-ref>
+ </session>
+ </enterprise-beans>
+
+ <assembly-descriptor>
+ <security-role>
+ <description>The role required to invoke the echo method</description>
+ <role-name>Echo</role-name>
+ </security-role>
+
+ <!-- Methods anyone can access -->
+ <method-permission>
+ <unchecked/>
+ <method>
+ <ejb-name>StatelessSession</ejb-name>
+ <method-name>unchecked</method-name>
+ </method>
+ <method>
+ <ejb-name>StatelessSession</ejb-name>
+ <method-name>create</method-name>
+ </method>
+ <method>
+ <ejb-name>StatelessSession</ejb-name>
+ <method-name>remove</method-name>
+ </method>
+ </method-permission>
+
+ <!-- The methods the Echo role can access -->
+ <method-permission>
+ <role-name>Echo</role-name>
+ <method>
+ <ejb-name>StatelessSession</ejb-name>
+ <method-name>echo</method-name>
+ </method>
+ <method>
+ <ejb-name>StatelessSession</ejb-name>
+ <method-name>npeError</method-name>
+ </method>
+ </method-permission>
+
+ <!-- No one can access the excluded() method of the
+ StatelessSession and StatelessSession2 beans -->
+ <exclude-list>
+ <description>A method that no one can access in this deployment</description>
+ <method>
+ <ejb-name>StatelessSession</ejb-name>
+ <method-name>excluded</method-name>
+ </method>
+ </exclude-list>
+
+ </assembly-descriptor>
+
+</ejb-jar>
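Review bot: `create` is listed under `<unchecked/>`, yet the accompanying test expects `create()` to be rejected, and nothing in this descriptor explains why. Presumably the rejection comes from authentication against the default security domain rather than from method permissions. A comment above the unchecked block would record that, e.g. `<!-- create is unchecked: the SecurityException expected by the test must come from authentication in the default domain -->`. The exclude-list comment also mentions a StatelessSession2 bean that this descriptor does not define, and the session description has a typo (`trival`).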
Added: trunk/testsuite/src/resources/security/ejb-null-security-domain/jboss.xml
===================================================================
--- trunk/testsuite/src/resources/security/ejb-null-security-domain/jboss.xml (rev 0)
+++ trunk/testsuite/src/resources/security/ejb-null-security-domain/jboss.xml 2008-10-06 13:18:46 UTC (rev 79152)
@@ -0,0 +1,20 @@
+<?xml version="1.0"?>
+<!DOCTYPE jboss PUBLIC
+ "-//JBoss//DTD JBOSS 4.0//EN"
+ "http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">
+
+<!-- The jboss.xml descriptor for the ejb-null-security-domain.jar ejb unit.
+This descriptor redefines the JNDI names of the beans in the ejb-jar.xml
+descriptor so that there is no conflict with the security.jar deployment.
+-->
+<jboss>
+ <unauthenticated-principal>nobody</unauthenticated-principal>
+
+ <enterprise-beans>
+ <session>
+ <ejb-name>StatelessSession</ejb-name>
+ <jndi-name>null.StatelessSession</jndi-name>
+ </session>
+ </enterprise-beans>
+
+</jboss>
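Review bot: The header comment describes only the JNDI renaming and does not say that the missing `<security-domain>` element is the condition under test. A later edit could add one and silently neutralise the test. Suggest extending the comment with `No security-domain is declared on purpose: the deployer is expected to apply the default domain (JBAS-5960).`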