[JBoss JIRA] Created: (EJBTHREE-926) isCallerInRole() implementation should use EJBRoleRefPermissions when jacc is enabled
by Roland Räz (JIRA)
isCallerInRole() implementation should use EJBRoleRefPermissions when jacc is enabled
---------------------------------------------------------------------------------------
Key: EJBTHREE-926
URL: http://jira.jboss.com/jira/browse/EJBTHREE-926
Project: EJB 3.0
Issue Type: Bug
Components: Security
Affects Versions: EJB 3.0 RC9 - Patch 1
Reporter: Roland Räz
There are two issues regarding the isCallerInRole() jacc compliance:
1. isCallerInRole should use jacc when jacc is enabled
2. EJBRoleRefPermissions should be created
Here some hints to simplify resolving these issues. Please consider also not calling always Policy.getPolicy() to improve the performance when the security manager is enabled. In ejb 2.x the jaccEnabled flag is set by the JaccAuthorizationInterceptor, this is probably also a good idea for the ejb 3.0 implementation.
When fixing this issue, consider also fixing http://jira.jboss.com/jira/browse/EJBTHREE-704 (Missing privileged action to get Principal), it's an oneliner and in the same java class.
org.jboss.ejb3 .BaseSessionContext:
...
private Policy policy;
private boolean jaccEnabled;
public boolean isCallerInRole(String roleName)
{
if (jaccEnabled) {
return isCallerInRoleCheckForJacc(roleName);
}
...
// This code bases on code from org.jboss.ejb.EnterpriseContext
private boolean isCallerInRoleCheckForJacc(String roleName)
{
//This has to be the EJBRoleRefPermission
String ejbName = container.getEjbName();
EJBRoleRefPermission ejbRoleRefPerm = new EJBRoleRefPermission(ejbName,roleName);
//Get the caller
Subject caller;
try
{
caller = JPSecurityActions.getContextSubject();
}
catch (PolicyContextException e)
{
throw new RuntimeException(e);
}
Principal[] principals = null;
if( caller != null )
{
// Get the caller principals
Set principalsSet = caller.getPrincipals();
principals = new Principal[principalsSet.size()];
principalsSet.toArray(principals);
}
CodeSource ejbCS = container.getBeanClass().getProtectionDomain().getCodeSource();
ProtectionDomain pd = new ProtectionDomain (ejbCS, null, null, principals);
// getting the policy is checked by the security manager -> cache it lazy
if (policy == null) {
policy = Policy.getPolicy();
}
return policy.implies(pd, ejbRoleRefPerm);
}
public Principal getCallerPrincipal()
{
// @EJBTHREE-704:
//Principal principal = SecurityAssociation.getCallerPrincipal();
Principal principal = SecurityActions.getCallerPrincipal();
if (getRm() != null)
{
principal = getRm().getPrincipal(principal);
}
// This method never returns null.
if (principal == null)
throw new java.lang.IllegalStateException("No valid security context for the caller identity");
return principal;
}
org.jboss.ejb3.security.JaccHelper
// when the security manager is enabled, caching the policy is a good idea to improve the performace
static Policy policy = Policy.getPolicy();
public static void putJaccInService(PolicyConfiguration pc, DeploymentInfo di) throws Exception
{
...
// update the policy
policy = Policy.getPolicy();
}
...
private static void addPermissions(EJBContainer container, PolicyConfiguration pc) {
...
// TODO isn't there a meta data api which should do step 1, 2 and 3?
// key=role name used in the ejb, value = role link (role name in the security system)
Map<String,String> roleRefs = new HashMap<String,String>();
// 1. get declared roles fom the DeclareRoles annotation
DeclareRoles declareRolesAnnotation = (DeclareRoles) container.getBeanClass().getAnnotation(DeclareRoles.class);
if (declareRolesAnnotation != null) {
for (String role : declareRolesAnnotation.value()) {
roleRefs.put(role, role);
}
}
// 2. probably there are security-role's in the deployment descriptor (assembly-descriptor)
AssemblyDescriptor assemblyDescriptor = container.getAssemblyDescriptor();
if (assemblyDescriptor != null) {
List<SecurityRole> securityRoles = assemblyDescriptor.getSecurityRoles();
if (securityRoles != null) {
for (SecurityRole securityRole : securityRoles) {
roleRefs.put(securityRole.getRoleName(),securityRole.getRoleName());
}
}
}
// 3. probably there are security-role-ref in the deplyment descriptor for this bean, add them
// !!! security-role-ref currently not supported by an api, should be fixed in http://jira.jboss.com/jira/browse/EJBTHREE-808
// 4. add the EJBRoleRefPermission to the jacc provider
try {
for( Entry<String, String> roleRefEntry: roleRefs.entrySet() ){
EJBRoleRefPermission p = new EJBRoleRefPermission(ejbName, roleRefEntry.getKey());
pc.addToRole(roleRefEntry.getValue(), p);
}
} catch (PolicyContextException e) {
throw new RuntimeException(e);
}
}
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
19 years, 3 months
[JBoss JIRA] Created: (JBPORTAL-1278) CMS create content item fails on save
by Ian White (JIRA)
CMS create content item fails on save
-------------------------------------
Key: JBPORTAL-1278
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1278
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Portal CMS
Affects Versions: 2.6.Alpha2
Environment: AS 4.0.5.GA, XP
Reporter: Ian White
Assigned To: Roy Russo
In the CMS admin portlet, click to create a new file.
Use the WYSIWYG editor ...
Try to save the new file by clicking "create".
You get the error: Cannot mark the content as "Live"
javax.servlet.ServletException
org.jboss.portal.server.servlet.PortalServlet.service(Unknown Source)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
root cause
java.lang.IllegalStateException
org.apache.catalina.connector.ResponseFacade.sendError(ResponseFacade.java:418)
org.jboss.portal.core.controller.classic.AbstractResponseHandler.sendStatusCode(Unknown Source)
org.jboss.portal.core.controller.portlet.PortletResponseHandler.handleResponse(Unknown Source)
org.jboss.portal.core.controller.classic.ClassicController.handleResponse(Unknown Source)
...
01:17:22,540 ERROR [STDERR] Caused by: org.jboss.portal.cms.CMSException: Cannot mark the content as "Live"
01:17:22,540 ERROR [STDERR] at org.jboss.portal.cms.impl.jcr.util.VersionUtil.createContentVersion(VersionUtil.java:91)
01:17:22,540 ERROR [STDERR] at org.jboss.portal.cms.impl.jcr.util.VersionUtil.createVersion(VersionUtil.java:63)
01:17:22,540 ERROR [STDERR] at org.jboss.portal.cms.impl.jcr.command.ContentCreateNewVersionCommand.execute(ContentCreateNewVersionCommand.java:117)
01:17:22,540 ERROR [STDERR] ... 246 more
01:17:22,540 ERROR [org_jboss_portal_core_cms_ui_admin_CMSAdminPortlet] The portlet threw an exception
java.lang.RuntimeException: org.jboss.portal.cms.CMSException: Cannot mark the content as "Live"
at org.jboss.portal.cms.impl.jcr.command.ContentCreateNewVersionCommand.execute(ContentCreateNewVersionCommand.java:127)
at org.jboss.portal.cms.impl.jcr.JCRCompositeCommand.execute(JCRCompositeCommand.java:49)
at org.jboss.portal.cms.impl.jcr.JCRCMS$1.invoke(JCRCMS.java:115)
at org.jboss.portal.common.invocation.Invocation.invokeNext(Unknown Source)
at org.jboss.portal.cms.impl.interceptors.ApprovalWorkflowInterceptor.invoke(ApprovalWorkflowInterceptor.java:87)
at org.jboss.portal.cms.CMSInterceptor.invoke(CMSInterceptor.java:36)
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
19 years, 3 months
[JBoss JIRA] Created: (JBPORTAL-1327) a wrong comment
by Luca Stancapiano (JIRA)
a wrong comment
---------------
Key: JBPORTAL-1327
URL: http://jira.jboss.com/jira/browse/JBPORTAL-1327
Project: JBoss Portal
Issue Type: Bug
Security Level: Public (Everyone can see)
Affects Versions: 2.6.Beta1
Environment: any
Reporter: Luca Stancapiano
Fix For: 2.6.Beta1
hi......there is a little bug about comment into /src/resources/portal-forums-war/WEB-INF/subSilver/jsp/profile_view_body.jsp into the row 10 :
<!---> <a href="${n:out("U_VIEW_CATEGORY")}" class="nav">${n:out("CATEGORY_NAME")}</a>
-> <a href="${n:out("U_VIEW_FORUM")}" class="nav">${n:out("FORUM_NAME")}</a>-->
the first comment should to be so:
<!-- -> <a href="${n:out("U_VIEW_CATEGORY")}" class="nav">${n:out("CATEGORY_NAME")}</a>
-> <a href="${n:out("U_VIEW_FORUM")}" class="nav">${n:out("FORUM_NAME")}</a>-->
otherwise we see a uuuuugly sign as this : "-> -->"
I send you the patch...bye
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
19 years, 3 months
[JBoss JIRA] Created: (JBMICROCONT-161) jars in subdirs are not being deployed
by Scott M Stark (JIRA)
jars in subdirs are not being deployed
--------------------------------------
Key: JBMICROCONT-161
URL: http://jira.jboss.com/jira/browse/JBMICROCONT-161
Project: JBoss MicroContainer
Issue Type: Bug
Components: Deployment
Affects Versions: JBossMC_2_0_0 Beta3
Reporter: Scott M Stark
Assigned To: Scott M Stark
An ear like the following:
[starksm@succubus testsuite]$ jar -tf output/lib/jbosstest-web.ear
META-INF/
META-INF/MANIFEST.MF
META-INF/jboss-app.xml
jbosstest-web-ejbs.jar
jbosstest-web.war
lib/
lib/util.jar
root-web.war
wars/
wars/notjbosstest-web.war
websubdir/
websubdir/relative.jar
cts.jar
scripts/
scripts/security-config-service.xml
scripts/security-config.xml
META-INF/application.xml
produces a structural parse that recognizes websubdir/relative.jar as a jar, but when this is translated into DeploymentContexts its not being picked up. It could be that the jbossas EARStructure should override this to be an immediate child ContextInfo of the ear, but first need to see why its not being picked up.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
19 years, 3 months