[jboss-cvs] JBossAS SVN: r80007 - in projects/security/security-jboss-sx/trunk/jbosssx/src: main/java/org/jboss/security/authorization/resources and 1 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Thu Oct 23 15:58:19 EDT 2008
Author: anil.saldhana at jboss.com
Date: 2008-10-23 15:58:19 -0400 (Thu, 23 Oct 2008)
New Revision: 80007
Modified:
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/EJBResource.java
projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/ejb/EJBPolicyModuleDelegateUnitTestCase.java
Log:
SECURITY-294: enforce ejb1.1 isCallerInRole strict semantics
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java 2008-10-23 19:55:34 UTC (rev 80006)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java 2008-10-23 19:58:19 UTC (rev 80007)
@@ -69,6 +69,8 @@
private final Role ANYBODY_ROLE = new SimpleRole(AnybodyPrincipal.ANYBODY);
+ protected boolean ejbRestrictions = false;
+
public EJBPolicyModuleDelegate()
{
log = Logger.getLogger(getClass());
@@ -102,6 +104,7 @@
this.methodInterface = ejbResource.getEjbMethodInterface();
this.methodRoles = ejbResource.getEjbMethodRoles();
this.securityRoleReferences = ejbResource.getSecurityRoleReferences();
+ this.ejbRestrictions = ejbResource.isEnforceEJBRestrictions();
if(this.roleRefCheck == Boolean.TRUE)
return checkRoleRef(role);
@@ -210,10 +213,10 @@
// link in the deployment descriptor. The EJB 1.1 spec requires
// the security role refs in the descriptor but for backward
// compability we're not enforcing this requirement.
+ // To enforce, you need to use the jboss.xml setting
+ // <enforce-ejb-restrictions>
//
- // TODO (2.3): add a conditional check using jboss.xml <enforce-ejb-restrictions> element
- // which will throw an exception in case no matching
- // security ref is found.
+
boolean matchFound = false;
Iterator<SecurityRoleRef> it = this.securityRoleReferences.iterator();
while ( it.hasNext())
@@ -226,10 +229,21 @@
break;
}
}
-
- if (!matchFound)
- log.trace("no match found for security role " + roleName +
- " in the deployment descriptor for ejb " + this.ejbName);
+
+ if(!matchFound)
+ {
+ // A conditional check using jboss.xml <enforce-ejb-restrictions> element
+ // which will throw an exception in case no matching
+ // security ref is found.
+ if(this.ejbRestrictions)
+ throw new RuntimeException("No matching role found in the deployment descriptor"+
+ " for "+this.roleName);
+ else
+ {
+ log.trace("no match found for security role " + roleName +
+ " in the deployment descriptor for ejb " + this.ejbName);
+ }
+ }
Role deploymentrole = new SimpleRole(roleName);
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/EJBResource.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/EJBResource.java 2008-10-23 19:55:34 UTC (rev 80006)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/resources/EJBResource.java 2008-10-23 19:58:19 UTC (rev 80007)
@@ -44,6 +44,12 @@
private RoleGroup ejbMethodRoles = null;
/**
+ * EJB 1.1 mandates that the security role in the
+ * role ref checks has to be present in the descriptors
+ */
+ private boolean enforceEJBRestrictions = false;
+
+ /**
* Create a new EJBResource.
*
* @param map
@@ -131,8 +137,27 @@
public void setEjbMethodRoles(RoleGroup ejbMethodRoles)
{
this.ejbMethodRoles = ejbMethodRoles;
+ }
+
+ /**
+ * Specify the EJB1.1 role ref restriction that
+ * the rolename has to be present in the DD
+ * @return true if enforcement is needed
+ */
+ public boolean isEnforceEJBRestrictions()
+ {
+ return enforceEJBRestrictions;
}
+ /**
+ * @see #isEnforceEJBRestrictions()
+ * @param enforceEJBRestrictions
+ */
+ public void setEnforceEJBRestrictions(boolean enforceEJBRestrictions)
+ {
+ this.enforceEJBRestrictions = enforceEJBRestrictions;
+ }
+
public String toString()
{
StringBuffer buf = new StringBuffer();
@@ -145,6 +170,8 @@
.append(":securityRoleReferences=").append(this.securityRoleReferences)
.append(":callerSubject=").append(this.callerSubject)
.append(":callerRunAs=").append(this.callerRunAsIdentity)
+ .append(":callerRunAs=").append(this.callerRunAsIdentity)
+ .append(":ejbRestrictionEnforcement=").append(this.enforceEJBRestrictions)
.append("]");
return buf.toString();
}
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/ejb/EJBPolicyModuleDelegateUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/ejb/EJBPolicyModuleDelegateUnitTestCase.java 2008-10-23 19:55:34 UTC (rev 80006)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/ejb/EJBPolicyModuleDelegateUnitTestCase.java 2008-10-23 19:58:19 UTC (rev 80007)
@@ -71,7 +71,7 @@
assertEquals(AuthorizationContext.PERMIT,epmd.authorize(resource,
new Subject(),
- getRoleGroup(new String[]{"gooduser", "validuser" })) );;
+ getRoleGroup(new String[]{"gooduser", "validuser" })) );
}
/**
@@ -92,7 +92,7 @@
int res = epmd.authorize(resource, new Subject(), getRoleGroup(new String[]{"baduser"}));
- assertEquals(AuthorizationContext.DENY, res);;
+ assertEquals(AuthorizationContext.DENY, res);
}
/**
@@ -112,7 +112,7 @@
resource.setEjbMethodRoles( getRoleGroup(new String[] {AnybodyPrincipal.ANYBODY}) );
int res = epmd.authorize(resource, new Subject(), getRoleGroup(new String[]{"baduser"}));
- assertEquals(AuthorizationContext.PERMIT, res);;
+ assertEquals(AuthorizationContext.PERMIT, res);
}
/**
@@ -131,9 +131,12 @@
resource.setEjbName(DummyClass.class.getCanonicalName());
int res = epmd.authorize(resource, new Subject(), getRoleGroup(new String[]{"baduser"}));
- assertEquals(AuthorizationContext.DENY, res);;
+ assertEquals(AuthorizationContext.DENY, res);
}
+ /**
+ * Test EJBContext.isCallerInRole (Success Case)
+ */
public void testIsCallerInRoleValid()
{
EJBPolicyModuleDelegate epmd = new EJBPolicyModuleDelegate();
@@ -158,9 +161,12 @@
new Subject(),
getRoleGroup(new String[]{"gooduser", "validuser" }));
- assertEquals(AuthorizationContext.PERMIT, result);;
+ assertEquals(AuthorizationContext.PERMIT, result);
}
+ /**
+ * Test EJBContext.isCallerInRole (Failure Case)
+ */
public void testIsCallerInRoleInvalid()
{
EJBPolicyModuleDelegate epmd = new EJBPolicyModuleDelegate();
@@ -185,9 +191,80 @@
new Subject(),
getRoleGroup(new String[]{"gooduser", "validuser" }));
- assertEquals(AuthorizationContext.DENY, result);;
+ assertEquals(AuthorizationContext.DENY, result);
}
+
/**
+ * Test EJB 1.1 EJBContext.isCallerInRole case
+ */
+ public void testIsCallerInRoleValidEJB11()
+ {
+ EJBPolicyModuleDelegate epmd = new EJBPolicyModuleDelegate();
+
+ //Create a context map
+ Map<String,Object> cmap = new HashMap<String,Object>();
+
+ cmap.put(ResourceKeys.ROLEREF_PERM_CHECK, true);
+ cmap.put(ResourceKeys.ROLENAME, "employee");
+
+ EJBResource resource = new EJBResource(cmap);
+ resource.setPrincipal(new SimplePrincipal("AuthenticatedPrincipal"));
+ resource.setEjbMethod(DummyClass.class.getDeclaredMethods()[0]);
+ resource.setEjbName(DummyClass.class.getCanonicalName());
+ resource.setEjbMethodRoles( getRoleGroup(new String[] {"gooduser"}) );
+ resource.setEnforceEJBRestrictions(true); //Enforce EJB 1.1
+
+ Set<SecurityRoleRef> roleRefSet = new HashSet<SecurityRoleRef>();
+ roleRefSet.add(new SecurityRoleRef("employee", "gooduser"));
+ resource.setSecurityRoleReferences(roleRefSet);
+
+ int result = epmd.authorize(resource,
+ new Subject(),
+ getRoleGroup(new String[]{"gooduser", "validuser" }));
+ assertEquals(AuthorizationContext.PERMIT, result);
+ }
+
+ /**
+ * Test EJB 1.1 EJBContext.isCallerInRole case
+ */
+ public void testIsCallerInRoleInvalidEJB11()
+ {
+ EJBPolicyModuleDelegate epmd = new EJBPolicyModuleDelegate();
+
+ //Create a context map
+ Map<String,Object> cmap = new HashMap<String,Object>();
+
+ cmap.put(ResourceKeys.ROLEREF_PERM_CHECK, true);
+ cmap.put(ResourceKeys.ROLENAME, "impostor");
+
+ EJBResource resource = new EJBResource(cmap);
+ resource.setPrincipal(new SimplePrincipal("AuthenticatedPrincipal"));
+ resource.setEjbMethod(DummyClass.class.getDeclaredMethods()[0]);
+ resource.setEjbName(DummyClass.class.getCanonicalName());
+ resource.setEjbMethodRoles( getRoleGroup(new String[] {"gooduser"}) );
+ resource.setEnforceEJBRestrictions(true); //Enforce EJB 1.1
+
+ Set<SecurityRoleRef> roleRefSet = new HashSet<SecurityRoleRef>();
+ roleRefSet.add(new SecurityRoleRef("employee", "baduser")); //Bad user
+ resource.setSecurityRoleReferences(roleRefSet);
+
+ try
+ {
+ epmd.authorize(resource,
+ new Subject(),
+ getRoleGroup(new String[]{"gooduser", "validuser" }));
+ fail("Should have thrown a RuntimeException due to ejb 1.1 restrictions");
+ }
+ catch(RuntimeException e)
+ { //pass
+ }
+ catch(Exception e)
+ {
+ fail("Test failed to obtain a run time exception, "+ e.getLocalizedMessage());
+ }
+ }
+
+ /**
* Create a RoleGroup given a set of roles
* @param roles
* @return
More information about the jboss-cvs-commits
mailing list