Author: alessio.soldano(a)jboss.com
Date: 2012-10-19 06:02:32 -0400 (Fri, 19 Oct 2012)
New Revision: 16927
Modified:
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/WSLogger.java
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/deployers/WSIntegrationProcessorJAXWS_EJB.java
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/metadata/model/EJBEndpoint.java
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/tomcat/AbstractSecurityMetaDataAccessorEJB.java
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/tomcat/WebMetaDataCreator.java
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/util/DotNames.java
Log:
[JBPAPP-8545][AS7-5784] Fixing 711 ASIL
Modified:
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/WSLogger.java
===================================================================
---
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/WSLogger.java 2012-10-19
09:36:49 UTC (rev 16926)
+++
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/WSLogger.java 2012-10-19
10:02:32 UTC (rev 16927)
@@ -253,4 +253,9 @@
@LogMessage(level = ERROR)
@Message(id = 15592, value = "Cannot unregister record processor with JMX
server")
void cannotUnregisterRecordProcessor();
-}
+
+ @LogMessage(level = WARN)
+ @Message(id = 15596, value = "Multiple EJB3 endpoints in the same deployment
with different declared security roles; be aware this might be a security risk if
you're not controlling allowed roles (@RolesAllowed) on each ws endpoint
method.")
+ void multipleEndpointsWithDifferentDeclaredSecurityRoles();
+
+}
\ No newline at end of file
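Review bot: The new warning gives an operator nothing to locate the offending deployment, because `multipleEndpointsWithDifferentDeclaredSecurityRoles()` takes no parameters and the message text names neither the deployment nor the endpoints whose roles disagree. A message parameter would make it actionable, e.g. `@Message(id = 15596, value = "Multiple EJB3 endpoints in deployment %s with different declared security roles; ...")` with `void multipleEndpointsWithDifferentDeclaredSecurityRoles(String deploymentName);`, with the call site in AbstractSecurityMetaDataAccessorEJB passing whatever name the Deployment exposes. A short Javadoc on the method saying when it fires (declared role sets differ between EJB3 endpoints of one deployment) would also help, since the condition lives in a different class.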
Modified:
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/deployers/WSIntegrationProcessorJAXWS_EJB.java
===================================================================
---
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/deployers/WSIntegrationProcessorJAXWS_EJB.java 2012-10-19
09:36:49 UTC (rev 16926)
+++
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/deployers/WSIntegrationProcessorJAXWS_EJB.java 2012-10-19
10:02:32 UTC (rev 16927)
@@ -25,6 +25,8 @@
import static org.jboss.as.webservices.util.ASHelper.getAnnotations;
import static org.jboss.as.webservices.util.ASHelper.getJaxwsDeployment;
import static org.jboss.as.webservices.util.ASHelper.getRequiredAttachment;
+import static org.jboss.as.webservices.util.DotNames.DECLARE_ROLES_ANNOTATION;
+import static org.jboss.as.webservices.util.DotNames.PERMIT_ALL_ANNOTATION;
import static org.jboss.as.webservices.util.DotNames.ROLES_ALLOWED_ANNOTATION;
import static org.jboss.as.webservices.util.DotNames.WEB_CONTEXT_ANNOTATION;
import static org.jboss.as.webservices.util.DotNames.WEB_SERVICE_ANNOTATION;
@@ -85,7 +87,7 @@
final String webServiceClassName = webServiceClassInfo.name().toString();
final List<ComponentDescription> componentDescriptions =
moduleDescription.getComponentsByClassName(webServiceClassName);
final List<SessionBeanComponentDescription> sessionBeans =
getSessionBeans(componentDescriptions);
- final Set<String> securityRoles = getSecurityRoles(unit,
webServiceClassInfo); // TODO: assembly processed for each endpoint!
+ final Set<String> securityRoles = getDeclaredSecurityRoles(unit,
webServiceClassInfo); // TODO: assembly processed for each endpoint!
final WebContextAnnotationWrapper webCtx =
getWebContextWrapper(webServiceClassInfo);
final String authMethod = webCtx.getAuthMethod();
final boolean isSecureWsdlAccess = webCtx.isSecureWsdlAccess();
@@ -118,7 +120,7 @@
return sessionBeans;
}
- private static Set<String> getSecurityRoles(final DeploymentUnit unit, final
ClassInfo webServiceClassInfo) {
+ private static Set<String> getDeclaredSecurityRoles(final DeploymentUnit unit,
final ClassInfo webServiceClassInfo) {
final Set<String> securityRoles = new HashSet<String>();
// process assembly-descriptor DD section
@@ -140,12 +142,36 @@
// process @RolesAllowed annotation
if (webServiceClassInfo.annotations().containsKey(ROLES_ALLOWED_ANNOTATION)) {
- final AnnotationInstance allowedRoles =
webServiceClassInfo.annotations().get(ROLES_ALLOWED_ANNOTATION).get(0);
- for (final String roleName : allowedRoles.value().asStringArray()) {
- securityRoles.add(roleName);
+ final List<AnnotationInstance> allowedRoles =
webServiceClassInfo.annotations().get(ROLES_ALLOWED_ANNOTATION);
+ for (final AnnotationInstance allowedRole : allowedRoles) {
+ if (allowedRole.target().equals(webServiceClassInfo)) {
+ for (final String roleName : allowedRole.value().asStringArray()) {
+ securityRoles.add(roleName);
+ }
+ }
}
}
+ // process @DeclareRoles annotation
+ if (webServiceClassInfo.annotations().containsKey(DECLARE_ROLES_ANNOTATION)) {
+ final List<AnnotationInstance> declareRoles =
webServiceClassInfo.annotations().get(DECLARE_ROLES_ANNOTATION);
+ for (final AnnotationInstance declareRole : declareRoles) {
+ if (declareRole.target().equals(webServiceClassInfo)) {
+ for (final String roleName : declareRole.value().asStringArray()) {
+ securityRoles.add(roleName);
+ }
+ }
+ }
+ }
+
+ // process @PermitAll annotation
+ if (webServiceClassInfo.annotations().containsKey(PERMIT_ALL_ANNOTATION)) {
+ final AnnotationInstance permitAll =
webServiceClassInfo.annotations().get(PERMIT_ALL_ANNOTATION).iterator().next();
+ if (permitAll.target().equals(webServiceClassInfo)) {
+ securityRoles.add("*");
+ }
+ }
+
return (securityRoles.size() > 0) ? Collections.unmodifiableSet(securityRoles)
: Collections.<String>emptySet();
}
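Review bot: The @PermitAll branch inspects only the first annotation instance (`.iterator().next()`) before testing `target().equals(webServiceClassInfo)`, whereas the @RolesAllowed and @DeclareRoles branches just above iterate over every instance and filter each on the class target. If `annotations().get(...)` also lists method-level instances, as those two loops appear to assume, a class-level @PermitAll that is preceded in the list by a method-level one is silently missed and the "*" role is never declared; scanning all instances as the sibling branches do removes that inconsistency, as shown below. The two identical @RolesAllowed/@DeclareRoles loops could share a small private helper (`addClassLevelRoles(webServiceClassInfo, annotationName, securityRoles)`), and a comment on `securityRoles.add("*")` stating what the "*" role name means to the consumer would help, since nothing in this method explains it.
```java
        // process @PermitAll annotation: only a class-level instance counts, so scan all
        // instances rather than assuming the first one is the class-level one
        if (webServiceClassInfo.annotations().containsKey(PERMIT_ALL_ANNOTATION)) {
            final List<AnnotationInstance> permitAlls = webServiceClassInfo.annotations().get(PERMIT_ALL_ANNOTATION);
            for (final AnnotationInstance permitAll : permitAlls) {
                if (permitAll.target().equals(webServiceClassInfo)) {
                    securityRoles.add("*");
                    break;
                }
            }
        }
        // … unchanged: return of the unmodifiable role set …
```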
Modified:
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/metadata/model/EJBEndpoint.java
===================================================================
---
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/metadata/model/EJBEndpoint.java 2012-10-19
09:36:49 UTC (rev 16926)
+++
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/metadata/model/EJBEndpoint.java 2012-10-19
10:02:32 UTC (rev 16927)
@@ -35,16 +35,16 @@
public static final String EJB_COMPONENT_VIEW_NAME =
EJBEndpoint.class.getPackage().getName() + "EjbComponentViewName";
private final SessionBeanComponentDescription ejbMD;
private final ServiceName viewName;
- private final Set<String> securityRoles;
+ private final Set<String> declaredSecurityRoles;
private final String authMethod;
private final boolean secureWsdlAccess;
private final String transportGuarantee;
- public EJBEndpoint(final SessionBeanComponentDescription ejbMD, final ServiceName
viewName, final Set<String> securityRoles, final String authMethod, final boolean
secureWsdlAccess, final String transportGuarantee) {
+ public EJBEndpoint(final SessionBeanComponentDescription ejbMD, final ServiceName
viewName, final Set<String> declaredSecurityRoles, final String authMethod, final
boolean secureWsdlAccess, final String transportGuarantee) {
super(ejbMD.getComponentName(), ejbMD.getComponentClassName());
this.ejbMD = ejbMD;
this.viewName = viewName;
- this.securityRoles = securityRoles;
+ this.declaredSecurityRoles = declaredSecurityRoles;
this.authMethod = authMethod;
this.secureWsdlAccess = secureWsdlAccess;
this.transportGuarantee = transportGuarantee;
@@ -66,8 +66,8 @@
return ejbMD.getSecurityDomain();
}
- public Set<String> getSecurityRoles() {
- return securityRoles;
+ public Set<String> getDeclaredSecurityRoles() {
+ return declaredSecurityRoles;
}
public String getAuthMethod() {
Modified:
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/tomcat/AbstractSecurityMetaDataAccessorEJB.java
===================================================================
---
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/tomcat/AbstractSecurityMetaDataAccessorEJB.java 2012-10-19
09:36:49 UTC (rev 16926)
+++
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/tomcat/AbstractSecurityMetaDataAccessorEJB.java 2012-10-19
10:02:32 UTC (rev 16927)
@@ -24,9 +24,11 @@
import static org.jboss.as.webservices.WSMessages.MESSAGES;
import java.util.List;
+import java.util.Set;
import org.jboss.as.ee.structure.Attachments;
import org.jboss.as.server.deployment.DeploymentUnit;
+import org.jboss.as.webservices.WSLogger;
import org.jboss.as.webservices.metadata.model.EJBEndpoint;
import org.jboss.metadata.ear.jboss.JBossAppMetaData;
import org.jboss.metadata.ear.spec.EarMetaData;
@@ -75,8 +77,16 @@
public SecurityRolesMetaData getSecurityRoles(final Deployment dep) {
final SecurityRolesMetaData securityRolesMD = new SecurityRolesMetaData();
+ Set<String> firstEndpointDeclaredSecurityRoles = null;
for (final EJBEndpoint ejbEndpoint : getEjbEndpoints(dep)) {
- for (final String roleName : ejbEndpoint.getSecurityRoles()) {
+ final Set<String> declaredSecurityRoles =
ejbEndpoint.getDeclaredSecurityRoles();
+ if (firstEndpointDeclaredSecurityRoles == null) {
+ firstEndpointDeclaredSecurityRoles = declaredSecurityRoles;
+ } else if (!firstEndpointDeclaredSecurityRoles.equals(declaredSecurityRoles))
{
+
WSLogger.ROOT_LOGGER.multipleEndpointsWithDifferentDeclaredSecurityRoles();
+ }
+ // union of declared security roles from all endpoints...
+ for (final String roleName : declaredSecurityRoles) {
final SecurityRoleMetaData securityRoleMD = new SecurityRoleMetaData();
securityRoleMD.setRoleName(roleName);
securityRolesMD.add(securityRoleMD);
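Review bot: The warning at `WSLogger.ROOT_LOGGER.multipleEndpointsWithDifferentDeclaredSecurityRoles()` is emitted once for every endpoint whose declared roles differ from the first endpoint's, so a deployment with several such endpoints logs the same context-free message repeatedly, and because the comparison is only against the first endpoint, two later endpoints that agree with each other but not with the first still warn twice. A local flag keeps it to one warning per deployment: `boolean warned = false;` before the loop, `} else if (!warned && !firstEndpointDeclaredSecurityRoles.equals(declaredSecurityRoles)) {`, and `warned = true;` after the log call. The `// union of declared security roles from all endpoints...` comment should also say why the union is a risk — presumably every endpoint ends up covered by the union of all endpoints' roles in the generated security metadata — so a maintainer does not remove the warning without understanding what it protects against. getSecurityRoles continues past the end of the hunk.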
Modified:
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/tomcat/WebMetaDataCreator.java
===================================================================
---
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/tomcat/WebMetaDataCreator.java 2012-10-19
09:36:49 UTC (rev 16926)
+++
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/tomcat/WebMetaDataCreator.java 2012-10-19
10:02:32 UTC (rev 16927)
@@ -302,7 +302,7 @@
if (hasAuthMethod) {
final SecurityMetaDataAccessorEJB ejbMDAccessor =
getEjbSecurityMetaDataAccessor(dep);
final SecurityRolesMetaData securityRolesMD =
ejbMDAccessor.getSecurityRoles(dep);
- final boolean hasSecurityRolesMD = securityRolesMD != null;
+ final boolean hasSecurityRolesMD = securityRolesMD != null &&
!securityRolesMD.isEmpty();
if (hasSecurityRolesMD) {
ROOT_LOGGER.creatingSecurityRoles();
Modified:
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/util/DotNames.java
===================================================================
---
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/util/DotNames.java 2012-10-19
09:36:49 UTC (rev 16926)
+++
container/jboss71/branches/jbossws-jboss711/server-integration/src/main/java/org/jboss/as/webservices/util/DotNames.java 2012-10-19
10:02:32 UTC (rev 16927)
@@ -22,6 +22,8 @@
package org.jboss.as.webservices.util;
+import javax.annotation.security.DeclareRoles;
+import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Singleton;
import javax.ejb.Stateless;
@@ -51,6 +53,8 @@
public static final DotName JAXWS_SERVICE_CLASS =
DotName.createSimple(Service.class.getName());
public static final DotName OBJECT_CLASS =
DotName.createSimple(Object.class.getName());
public static final DotName ROLES_ALLOWED_ANNOTATION =
DotName.createSimple(RolesAllowed.class.getName());
+ public static final DotName PERMIT_ALL_ANNOTATION =
DotName.createSimple(PermitAll.class.getName());
+ public static final DotName DECLARE_ROLES_ANNOTATION =
DotName.createSimple(DeclareRoles.class.getName());
public static final DotName SERVLET_CLASS =
DotName.createSimple(Servlet.class.getName());
public static final DotName SINGLETON_ANNOTATION =
DotName.createSimple(Singleton.class.getName());
public static final DotName STATELESS_ANNOTATION =
DotName.createSimple(Stateless.class.getName());