[jboss-cvs] JBossAS SVN: r58850 - trunk/ejb3/src/main/org/jboss/ejb3/security
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Tue Dec 5 14:56:57 EST 2006
Author: anil.saldhana at jboss.com
Date: 2006-12-05 14:56:55 -0500 (Tue, 05 Dec 2006)
New Revision: 58850
Added:
trunk/ejb3/src/main/org/jboss/ejb3/security/SecurityDomainManager.java
Modified:
trunk/ejb3/src/main/org/jboss/ejb3/security/AuthenticationInterceptorFactory.java
trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java
trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java
trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java
trunk/ejb3/src/main/org/jboss/ejb3/security/JaccHelper.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorFactory.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptor.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java
trunk/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java
Log:
merge from JEE_TCK branch
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/AuthenticationInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/AuthenticationInterceptorFactory.java 2006-12-05 19:54:06 UTC (rev 58849)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/AuthenticationInterceptorFactory.java 2006-12-05 19:56:55 UTC (rev 58850)
@@ -48,7 +48,7 @@
SecurityDomain securityAnnotation = (SecurityDomain) advisor.resolveAnnotation(SecurityDomain.class);
if (securityAnnotation != null)
{
- domain = ctx.lookup("java:/jaas/" + securityAnnotation.value());
+ domain = SecurityDomainManager.getSecurityManager(securityAnnotation.value(),ctx);
}
}
catch (NamingException e)
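Review bot: Replacing `ctx.lookup("java:/jaas/" + securityAnnotation.value())` with `SecurityDomainManager.getSecurityManager(securityAnnotation.value(),ctx)` changes what a misnamed @SecurityDomain does, and SecurityDomainManager itself is only listed as copied at the end of this commit, so whether an unbound name still raises NamingException or now yields null cannot be confirmed from the diff. If it can return null, the retained `catch (NamingException e)` no longer covers that case and `domain` stays null exactly as it does for a bean with no annotation, leaving the code after the hunk unable to tell a misconfigured domain from an unsecured bean. The same call is introduced in RoleBasedAuthorizationInterceptorFactory and in RunAsSecurityInterceptorFactory.createPerClass, so a Javadoc on the helper stating its null/throw contract, plus a guard such as `if (domain == null) throw new RuntimeException("Security domain not found: " + securityAnnotation.value());` inside the `if`, would make the failure explicit in all three factories. The enclosing method starts and ends outside the hunk.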
@@ -77,6 +77,6 @@
public String getName()
{
return getClass().getName();
- }
+ }
}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java 2006-12-05 19:54:06 UTC (rev 58849)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java 2006-12-05 19:56:55 UTC (rev 58850)
@@ -22,12 +22,8 @@
package org.jboss.ejb3.security;
import java.security.GeneralSecurityException;
-import java.security.Principal;
-import java.util.Set;
-import java.util.HashSet;
+import java.security.Principal;
-import javax.security.auth.Subject;
-
import javax.ejb.EJBAccessException;
import org.jboss.ejb3.Container;
@@ -40,15 +36,16 @@
import org.jboss.aspects.security.AuthenticationInterceptor;
import org.jboss.aspects.security.SecurityContext;
import org.jboss.security.AuthenticationManager;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.RunAsIdentity;
+import org.jboss.security.RealmMapping;
import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SimplePrincipal;
/**
- * Comment
+ * Authentication Interceptor
*
* @author <a href="mailto:bill at jboss.org">Bill Burke</a>
+ * @author Anil.Saldhana at jboss.org
* @version $Revision$
*/
public class Ejb3AuthenticationInterceptor extends AuthenticationInterceptor
@@ -98,7 +95,15 @@
}
}
}
-
- return super.invoke(invocation);
- }
+ try
+ {
+ //Set a map of principal-roles that may be configured at deployment level
+ SecurityRolesAssociation.setSecurityRoles(container.getAssemblyDescriptor().getPrincipalVersusRolesMap());
+ return super.invoke(invocation);
+ }
+ finally
+ {
+ SecurityRolesAssociation.setSecurityRoles(null);
+ }
+ }
}
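Review bot: The `finally` block resets SecurityRolesAssociation to null instead of restoring what was set before the call, so if this association is thread-bound state (its use here suggests so, but the class is not shown) a bean-to-bean call on the same thread would clear the outer bean's principal/role map when the inner invocation returns. Capturing the previous value first, `Map previous = SecurityRolesAssociation.getSecurityRoles();`, and restoring it in `finally` with `SecurityRolesAssociation.setSecurityRoles(previous);` keeps nesting correct (this needs a `java.util.Map` import, which this commit removed along with the other `java.util` imports). `container.getAssemblyDescriptor()` is also dereferenced unconditionally; if a deployment without a jboss.xml yields null there, the call would throw before `super.invoke` runs — confirm against the container. The invoke method begins outside the hunk.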
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java 2006-12-05 19:54:06 UTC (rev 58849)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java 2006-12-05 19:56:55 UTC (rev 58850)
@@ -29,6 +29,7 @@
import org.jboss.aop.joinpoint.MethodInvocation;
import org.jboss.aspects.remoting.InvokeRemoteInterceptor;
import org.jboss.remoting.InvokerLocator;
+import org.jboss.security.RealmMapping;
/**
@@ -44,6 +45,7 @@
private String ejbName;
private CodeSource ejbCS;
+ private RealmMapping realmMapping;
public JaccAuthorizationInterceptor(String ejbName, CodeSource cs)
{
@@ -55,6 +57,11 @@
{
return "JaccAuthorizationInterceptor";
}
+
+ public void setRealmMapping(RealmMapping ssm)
+ {
+ this.realmMapping = ssm;
+ }
public Object invoke(Invocation inv) throws Throwable
{
@@ -90,7 +97,7 @@
String iface = (locator != null) ? "Remote" : "Local";
EJBMethodPermission methodPerm = new EJBMethodPermission(ejbName, iface, m);
- JaccHelper.checkPermission(ejbCS, methodPerm);
+ JaccHelper.checkPermission(ejbCS, methodPerm,realmMapping);
/*// Get the caller
Subject caller = SecurityActions.getContextSubject();
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java 2006-12-05 19:54:06 UTC (rev 58849)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java 2006-12-05 19:56:55 UTC (rev 58850)
@@ -23,14 +23,24 @@
package org.jboss.ejb3.security;
import java.security.CodeSource;
+
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+import org.jboss.annotation.security.SecurityDomain;
import org.jboss.aop.Advisor;
import org.jboss.aop.InstanceAdvisor;
import org.jboss.aop.advice.AspectFactory;
import org.jboss.aop.joinpoint.Joinpoint;
+import org.jboss.ejb3.Container;
import org.jboss.ejb3.EJBContainer;
+import org.jboss.security.AuthenticationManager;
+import org.jboss.security.RealmMapping;
+import org.jboss.security.SubjectSecurityManager;
/**
* @author <a href="mailto:kabir.khan at jboss.org">Kabir Khan</a>
+ * @author Anil.Saldhana at jboss.org
* @version $Revision$
*/
public class JaccAuthorizationInterceptorFactory implements AspectFactory
@@ -51,8 +61,9 @@
CodeSource ejbCS = advisor.getClazz().getProtectionDomain().getCodeSource();
String ejbName = ((EJBContainer)advisor).getEjbName();
-
- return new JaccAuthorizationInterceptor(ejbName, ejbCS);
+ JaccAuthorizationInterceptor jai = new JaccAuthorizationInterceptor(ejbName, ejbCS);
+ jai.setRealmMapping(getSecurityManager(advisor));
+ return jai;
}
catch (Exception e)
{
@@ -79,6 +90,26 @@
{
return getClass().getName();
}
+
+ public RealmMapping getSecurityManager(Advisor advisor)
+ {
+ Object domain = null;
+ Container container = (Container)advisor;
+ try
+ {
+ InitialContext ctx = container.getInitialContext();
+ SecurityDomain securityAnnotation = (SecurityDomain) advisor.resolveAnnotation(SecurityDomain.class);
+ if (securityAnnotation != null)
+ {
+ domain = SecurityDomainManager.getSecurityManager(securityAnnotation.value(),ctx);
+ }
+ }
+ catch (NamingException e)
+ {
+ throw new RuntimeException(e);
+ }
+ return (RealmMapping) domain;
+ }
}
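Review bot: `getSecurityManager` returns null silently whenever the bean carries no @SecurityDomain, and `createPerClass` passes that result straight into `setRealmMapping`, so a null realm mapping becomes a normal state of JaccAuthorizationInterceptor that JaccHelper.checkPermission then has to cope with; a Javadoc stating `@return the domain's RealmMapping, or null when the bean declares no @SecurityDomain` would make that contract visible to both callers. The unchecked cast `(RealmMapping) domain` throws a bare ClassCastException for a security manager that does not implement RealmMapping, which is worth wrapping with a message naming the domain. The method reads no instance state and is only used by this factory, so `private static` is the narrower accessibility; the `container` local is used only to obtain `ctx` and could be inlined.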
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/JaccHelper.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/JaccHelper.java 2006-12-05 19:54:06 UTC (rev 58849)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/JaccHelper.java 2006-12-05 19:56:55 UTC (rev 58850)
@@ -28,12 +28,18 @@
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
+import java.util.ArrayList;
+import java.util.Iterator;
import java.util.Set;
+
+import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
+import javax.ejb.EJBAccessException;
import javax.security.auth.Subject;
import javax.security.jacc.EJBMethodPermission;
+import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContextException;
@@ -44,9 +50,13 @@
import org.jboss.ejb3.EJBContainer;
import org.jboss.logging.Logger;
import org.jboss.deployers.spi.deployer.DeploymentUnit;
+import org.jboss.security.RealmMapping;
+import org.jboss.security.RunAsIdentity;
/**
+ * JACC Helper class that created permissions as well as done the checks
* @author <a href="mailto:kabir.khan at jboss.org">Kabir Khan</a>
+ * @author Anil.Saldhana at jboss.com
* @version $Revision$
*/
public class JaccHelper
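Review bot: The new class Javadoc, "JACC Helper class that created permissions as well as done the checks", is ungrammatical and does not say who calls it; `JACC helper that builds the EJB method and role-ref permissions for a container at deployment and performs the permission checks at invocation time.` describes both halves of the class as they appear in this diff.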
@@ -89,8 +99,10 @@
public static void putJaccInService(PolicyConfiguration pc, DeploymentUnit di) throws Exception
{
-
+ //TODO: How do we link this with the parent PC?
+ pc.commit();
}
+
public static void putJaccInService(PolicyConfiguration pc, DeploymentInfo di) throws Exception
{
di.context.put("javax.security.jacc.PolicyConfiguration", pc);
@@ -133,25 +145,19 @@
addPermissions(container, pc);
}
catch (Exception e)
- {
- e.printStackTrace();
+ {
throw new RuntimeException(e);
}
}
private static void addPermissions(EJBContainer container, PolicyConfiguration pc)
{
- SecurityDomain sd = (SecurityDomain) container.resolveAnnotation(SecurityDomain.class);
+ SecurityDomain sd = (SecurityDomain) container.resolveAnnotation(SecurityDomain.class);
- if (sd == null)
- {
- log.debug(container.getEjbName() + " has no @SecurityDomain - skipping JACC configuration");
- return;
- }
- log.debug(container.getEjbName() + " has @SecurityDomain - peforming JACC configuration");
-
PermitAll beanUnchecked = (PermitAll) container.resolveAnnotation(PermitAll.class);
RolesAllowed beanPermissions = (RolesAllowed) container.resolveAnnotation(RolesAllowed.class);
+
+ DeclareRoles beanDeclareRolesPerms = (DeclareRoles)container.resolveAnnotation(DeclareRoles.class);
if (beanUnchecked != null && beanPermissions != null)
{
@@ -160,6 +166,24 @@
String ejbName = container.getEjbName();
+ //Add the security role references
+ if(beanDeclareRolesPerms != null)
+ {
+ String[] rolerefs = beanDeclareRolesPerms.value();
+ int len = rolerefs != null ? rolerefs.length : 0;
+ for(int i=0; i < len; i++)
+ {
+ try
+ {
+ pc.addToRole(rolerefs[i], new EJBRoleRefPermission(ejbName, rolerefs[i]));
+ }
+ catch (PolicyContextException e)
+ {
+ throw new RuntimeException(e);
+ }
+ }
+ }
+
//Am I iterating over the right thing here? Should I be using the stuff from
//Advisor.methodInterceptors instead?
Method[] methods = container.getBeanClass().getDeclaredMethods();
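Review bot: Each name from @DeclareRoles is added as an EJBRoleRefPermission under a role of the same name, i.e. the role reference is assumed to link to an identically named security role; if ejb-jar.xml `security-role-ref`/`role-link` mappings are honoured elsewhere this is fine, but if not, a reference whose link points to a differently named role is granted to the wrong role — confirm where descriptor role links are handled. The `catch (PolicyContextException e)` rethrows without context; `throw new RuntimeException("Failed to add role ref '" + rolerefs[i] + "' for " + ejbName, e);` tells the deployer which bean and role failed, and the same applies to the identical catch blocks in the unchecked-policy branch later in this method. The enclosing addPermissions method starts outside the hunk.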
@@ -182,7 +206,16 @@
if (annotationCount == 0 && beanPermissions == null && beanUnchecked == null)
{
- continue;
+ //continue;
+ //EJBTHREE-755:Add to unchecked if there are no annotations
+ try
+ {
+ pc.addToUncheckedPolicy(permission);
+ }
+ catch (PolicyContextException e)
+ {
+ throw new RuntimeException(e);
+ }
}
else if (annotationCount > 1)
{
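Review bot: The `//continue;` left above the new try block is dead code and should be deleted now that the EJBTHREE-755 comment explains the branch. Because the early return for beans without @SecurityDomain was removed from addPermissions in this same commit, this unchecked default now applies to every bean whose method has no security annotation and whose class has no @RolesAllowed/@PermitAll, which is worth stating once near the top of addPermissions, e.g. `// Beans without @SecurityDomain are configured too; methods with no security annotation are added to the unchecked policy (EJBTHREE-755)`. The enclosing loop and method start outside the hunk.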
@@ -228,7 +261,7 @@
}
catch (PolicyContextException e)
{
- throw new RuntimeException(e); // TODO Auto-generated catch block
+ throw new RuntimeException(e);
}
}
}
@@ -266,28 +299,47 @@
container.addClassMetaData(jaccCtx);
}
- public static void checkPermission(CodeSource ejbCS, EJBMethodPermission methodPerm) throws SecurityException
+ public static void checkPermission(CodeSource ejbCS, EJBMethodPermission methodPerm,
+ RealmMapping realmMapping)
+ throws EJBAccessException
{
try
{
Policy policy = Policy.getPolicy();
// Get the caller
Subject caller = SecurityActions.getContextSubject();
+
+ RunAsIdentity rai = SecurityActions.peekRunAsIdentity();
Principal[] principals = null;
- if (caller != null)
+ if(rai != null)
{
- // Get the caller principals
- Set principalsSet = caller.getPrincipals();
- principals = new Principal[principalsSet.size()];
- principalsSet.toArray(principals);
+ Set runAsRoles = rai.getRunAsRoles();
+ principals = new Principal[runAsRoles.size()];
+ runAsRoles.toArray(principals);
}
-
+ else
+ {
+ /*if (caller != null)
+ {
+ // Get the caller principals
+ Set principalsSet = caller.getPrincipals();
+ principals = new Principal[principalsSet.size()];
+ principalsSet.toArray(principals);
+ }*/
+ //Get the current roles from the Authorization Manager
+ Principal callerP = SecurityActions.getCallerPrincipal();
+ Set principalSet = realmMapping.getUserRoles(callerP);
+ principals = new Principal[principalSet.size()];
+ principalSet.toArray(principals);
+ }
+
ProtectionDomain pd = new ProtectionDomain(ejbCS, null, null, principals);
if (policy.implies(pd, methodPerm) == false)
{
String msg = "Denied: " + methodPerm + ", caller=" + caller;
- SecurityException e = new SecurityException(msg);
+ //SecurityException e = new SecurityException(msg);
+ EJBAccessException e = new EJBAccessException(msg);
throw e;
}
}
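Review bot: In the non-run-as branch `realmMapping.getUserRoles(callerP)` is dereferenced without a null check, yet JaccAuthorizationInterceptorFactory.getSecurityManager returns null for a bean with no @SecurityDomain and addPermissions no longer skips such beans, so their first checked call would fail with a NullPointerException instead of an EJBAccessException; `getUserRoles` may likewise return null for an unmapped caller (its contract is not shown), which would hit `principalSet.size()`. Building the array defensively leaves the decision to the policy: `Set principalSet = (realmMapping != null) ? realmMapping.getUserRoles(callerP) : null;` followed by `principals = (principalSet != null) ? (Principal[]) principalSet.toArray(new Principal[principalSet.size()]) : new Principal[0];`. The `caller` subject is now used only in the denial message, which propagates to the caller inside the EJBAccessException; logging the subject and putting only the permission in the message avoids echoing principal details back. The catch that closes this try lies outside the hunk.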
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorFactory.java 2006-12-05 19:54:06 UTC (rev 58849)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorFactory.java 2006-12-05 19:56:55 UTC (rev 58850)
@@ -46,7 +46,7 @@
{
InitialContext ctx = container.getInitialContext();
org.jboss.annotation.security.SecurityDomain securityAnnotation = (org.jboss.annotation.security.SecurityDomain) advisor.resolveAnnotation(org.jboss.annotation.security.SecurityDomain.class);
- domain = ctx.lookup("java:/jaas/" + securityAnnotation.value());
+ domain = SecurityDomainManager.getSecurityManager(securityAnnotation.value(), ctx);
}
catch (NamingException e)
{
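Review bot: `securityAnnotation.value()` is still called without a null check, so a bean reaching this factory without a @SecurityDomain fails with a NullPointerException inside the try, which the `catch (NamingException e)` below does not cover; AuthenticationInterceptorFactory and RunAsSecurityInterceptorFactory.createPerClass both guard the same call with `if (securityAnnotation != null)` in this commit. Guarding here the same way, `if (securityAnnotation != null) domain = SecurityDomainManager.getSecurityManager(securityAnnotation.value(), ctx);`, makes the three factories consistent. The enclosing method starts and ends outside the hunk.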
@@ -76,6 +76,7 @@
public String getName()
{
return getClass().getName();
- }
+ }
+
}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptor.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptor.java 2006-12-05 19:54:06 UTC (rev 58849)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptor.java 2006-12-05 19:56:55 UTC (rev 58850)
@@ -20,21 +20,12 @@
* 02110-1301 USA, or see the FSF site: http://www.fsf.org.
*/
package org.jboss.ejb3.security;
-
-import java.util.Set;
-import java.util.HashSet;
-import java.util.Iterator;
-
-import java.security.Principal;
-
-import javax.annotation.security.RunAs;
-import org.jboss.aop.joinpoint.Invocation;
+
+import org.jboss.aop.joinpoint.Invocation;
import org.jboss.logging.Logger;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RealmMapping;
-import org.jboss.security.RunAsIdentity;
-import org.jboss.security.SecurityAssociation;
-import org.jboss.security.SimplePrincipal;
+import org.jboss.security.RunAsIdentity;
/**
* An interceptor that enforces the run-as identity declared by a bean.
@@ -50,7 +41,7 @@
public RunAsSecurityInterceptor(AuthenticationManager manager, RealmMapping realmMapping, RunAsIdentity id)
{
super(manager, realmMapping);
- this.runAsIdentity = id;
+ this.runAsIdentity = id;
}
protected RunAsIdentity getRunAsIdentity(Invocation invocation)
@@ -59,8 +50,8 @@
}
public Object invoke(Invocation invocation) throws Throwable
- {
- return super.invoke(invocation);
+ {
+ return super.invoke(invocation);
}
}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java 2006-12-05 19:54:06 UTC (rev 58849)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java 2006-12-05 19:56:55 UTC (rev 58850)
@@ -21,30 +21,26 @@
*/
package org.jboss.ejb3.security;
+import java.util.HashSet;
+
+import javax.annotation.security.RunAs;
import javax.naming.InitialContext;
import javax.naming.NamingException;
-import javax.annotation.security.RunAs;
+import org.jboss.annotation.security.RunAsPrincipal;
import org.jboss.aop.Advisor;
import org.jboss.aop.InstanceAdvisor;
import org.jboss.aop.advice.AspectFactory;
+import org.jboss.aop.advice.Interceptor;
import org.jboss.aop.joinpoint.Joinpoint;
-import org.jboss.aop.joinpoint.Invocation;
+import org.jboss.ejb3.EJBContainer;
+import org.jboss.ejb3.metamodel.AssemblyDescriptor;
+import org.jboss.ejb3.tx.NullInterceptor;
import org.jboss.logging.Logger;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAsIdentity;
-import org.jboss.security.SecurityAssociation;
-import org.jboss.ejb3.Container;
-import org.jboss.ejb3.EJBContainer;
-import org.jboss.ejb3.tx.NullInterceptor;
-import org.jboss.annotation.security.RunAsPrincipal;
-import java.security.Principal;
-import java.util.Set;
-import java.util.Iterator;
-import java.util.HashSet;
-
public class RunAsSecurityInterceptorFactory implements AspectFactory
{
private static final Logger log = Logger.getLogger(RunAsSecurityInterceptorFactory.class);
@@ -65,9 +61,17 @@
}
RunAsPrincipal rap = (RunAsPrincipal) container.resolveAnnotation(RunAsPrincipal.class);
String runAsPrincipal = null;
- if (rap != null) runAsPrincipal = rap.value();
+ if (rap != null)
+ runAsPrincipal = rap.value();
+ else
+ {
+ //Check if jboss.xml has it
+ runAsPrincipal = container.getXml().getSecurityIdentity().getRunAsPrincipal();
+ }
- HashSet extraRoles = new HashSet(); // todo get extra mapped roles.
+ HashSet extraRoles = new HashSet();
+ AssemblyDescriptor ad = container.getAssemblyDescriptor();
+ extraRoles.addAll(ad.getSecurityRolesGivenPrincipal(runAsPrincipal));
return new RunAsIdentity(runAs.value(), runAsPrincipal, extraRoles);
}
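Review bot: The new `else` branch chains `container.getXml().getSecurityIdentity().getRunAsPrincipal()`, so a bean with @RunAs but no jboss.xml, or one whose descriptor has no security-identity element, throws a NullPointerException at deployment if either getter returns null (their contracts are not shown here). Guarding the chain, `if (container.getXml() != null && container.getXml().getSecurityIdentity() != null)`, leaves `runAsPrincipal` null in that case as the previous code did. `extraRoles.addAll(ad.getSecurityRolesGivenPrincipal(runAsPrincipal))` has the same exposure if the assembly descriptor can be null or that lookup returns null for a principal that is not mapped. The enclosing getRunAsIdentity method starts outside the hunk.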
@@ -75,27 +79,37 @@
public Object createPerClass(Advisor advisor)
{
- Object domain = null;
EJBContainer container = (EJBContainer)advisor;
RunAsIdentity runAsIdentity = getRunAsIdentity(container);
- if (runAsIdentity == null)
+ /*if (runAsIdentity == null)
{
return new NullInterceptor();
- }
+ }*/
+
+ Object domain = null;
try
{
InitialContext ctx = container.getInitialContext();
- org.jboss.annotation.security.SecurityDomain securityAnnotation = (org.jboss.annotation.security.SecurityDomain) advisor.resolveAnnotation(org.jboss.annotation.security.SecurityDomain.class);
- domain = ctx.lookup("java:/jaas/" + securityAnnotation.value());
+ org.jboss.annotation.security.SecurityDomain anSecurityDomain = (org.jboss.annotation.security.SecurityDomain) advisor.resolveAnnotation(org.jboss.annotation.security.SecurityDomain.class);
+ if (anSecurityDomain != null)
+ {
+ String domainName = anSecurityDomain.value();
+ domain = SecurityDomainManager.getSecurityManager(domainName, ctx);
+ }
}
catch (NamingException e)
{
throw new RuntimeException(e);
}
- AuthenticationManager manager = (AuthenticationManager) domain;
- RealmMapping mapping = (RealmMapping) domain;
- if (manager == null) throw new RuntimeException("Unable to find Security Domain");
- return new RunAsSecurityInterceptor(manager, mapping, getRunAsIdentity(container));
+
+ Interceptor interceptor = new NullInterceptor();
+ if (domain != null)
+ {
+ AuthenticationManager manager = (AuthenticationManager) domain;
+ RealmMapping mapping = (RealmMapping) domain;
+ interceptor = new RunAsSecurityInterceptor(manager, mapping, getRunAsIdentity(container));
+ }
+ return interceptor;
}
public Object createPerInstance(Advisor advisor, InstanceAdvisor instanceAdvisor)
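Review bot: The old `if (manager == null) throw new RuntimeException("Unable to find Security Domain")` is gone and a null `domain` now silently yields a `NullInterceptor`, which is right for a bean with no @SecurityDomain but also swallows the case where the annotation is present and `SecurityDomainManager.getSecurityManager` returns null (its body is not in this diff, so whether it can is unconfirmed); run-as enforcement would then be skipped with no error at deployment. The `runAsIdentity` local computed at the top is no longer used because its null check is commented out, and `getRunAsIdentity(container)` is evaluated a second time when building the interceptor; the commented-out block should be deleted and the local reused. With that check gone, a bean with @SecurityDomain but no @RunAs now receives a RunAsSecurityInterceptor whose identity is null, and whether that interceptor tolerates null is outside this diff. Hoisting the annotation out of the try makes the missing-domain case explicit again:

```java
// … unchanged: cast to EJBContainer and runAsIdentity lookup …
org.jboss.annotation.security.SecurityDomain anSecurityDomain =
   (org.jboss.annotation.security.SecurityDomain) advisor.resolveAnnotation(org.jboss.annotation.security.SecurityDomain.class);
Object domain = null;
if (anSecurityDomain != null)
{
   try
   {
      domain = SecurityDomainManager.getSecurityManager(anSecurityDomain.value(), container.getInitialContext());
   }
   catch (NamingException e)
   {
      throw new RuntimeException("Unable to find Security Domain " + anSecurityDomain.value(), e);
   }
   if (domain == null)
   {
      throw new RuntimeException("Unable to find Security Domain " + anSecurityDomain.value());
   }
}
Interceptor interceptor = new NullInterceptor();
if (domain != null)
{
   interceptor = new RunAsSecurityInterceptor((AuthenticationManager) domain, (RealmMapping) domain, runAsIdentity);
}
return interceptor;
```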
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java 2006-12-05 19:54:06 UTC (rev 58849)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java 2006-12-05 19:56:55 UTC (rev 58850)
@@ -23,12 +23,16 @@
import java.lang.reflect.UndeclaredThrowableException;
import java.security.AccessController;
+import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
+
+import org.jboss.security.RunAsIdentity;
+import org.jboss.security.SecurityAssociation;
/**
@@ -41,6 +45,7 @@
* @author Scott.Stark at jboss.org
* @author <a href="mailto:alex at jboss.org">Alexey Loubyansky</a>
* @author <a href="mailto:kabir.khan at jboss.org">Kabir Khan</a>
+ * @author Anil.Saldhana at jboss.org
* @version $Revison: 1.1$
*/
class SecurityActions
@@ -108,7 +113,77 @@
Subject getContextSubject()
throws PolicyContextException;
}
+
+ interface RunAsIdentityActions
+ {
+ RunAsIdentityActions PRIVILEGED = new RunAsIdentityActions()
+ {
+ private final PrivilegedAction peekAction = new PrivilegedAction()
+ {
+ public Object run()
+ {
+ return SecurityAssociation.peekRunAsIdentity();
+ }
+ };
+ private final PrivilegedAction popAction = new PrivilegedAction()
+ {
+ public Object run()
+ {
+ return SecurityAssociation.popRunAsIdentity();
+ }
+ };
+
+ public RunAsIdentity peek()
+ {
+ return (RunAsIdentity)AccessController.doPrivileged(peekAction);
+ }
+
+ public void push(final RunAsIdentity id)
+ {
+ AccessController.doPrivileged(
+ new PrivilegedAction()
+ {
+ public Object run()
+ {
+ SecurityAssociation.pushRunAsIdentity(id);
+ return null;
+ }
+ }
+ );
+ }
+
+ public RunAsIdentity pop()
+ {
+ return (RunAsIdentity)AccessController.doPrivileged(popAction);
+ }
+ };
+
+ RunAsIdentityActions NON_PRIVILEGED = new RunAsIdentityActions()
+ {
+ public RunAsIdentity peek()
+ {
+ return SecurityAssociation.peekRunAsIdentity();
+ }
+
+ public void push(RunAsIdentity id)
+ {
+ SecurityAssociation.pushRunAsIdentity(id);
+ }
+
+ public RunAsIdentity pop()
+ {
+ return SecurityAssociation.popRunAsIdentity();
+ }
+ };
+
+ RunAsIdentity peek();
+
+ void push(RunAsIdentity id);
+
+ RunAsIdentity pop();
+ }
+
static Subject getContextSubject()
throws PolicyContextException
{
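Review bot: The new `RunAsIdentityActions` interface carries no Javadoc, while the reason for its PRIVILEGED/NON_PRIVILEGED pair only becomes clear from the static wrappers further down that choose by `System.getSecurityManager()`; a one-line comment on the interface, `/** Privileged and non-privileged access to the SecurityAssociation run-as identity stack; the static peek/push/popRunAsIdentity wrappers pick the variant by System.getSecurityManager(). */`, tells the next reader why two implementations exist. Unlike `peek` and `pop`, `push` allocates a fresh PrivilegedAction on every call because it must capture `id`; that is fine but worth a short comment so nobody "fixes" it into a shared field. The actions are raw `PrivilegedAction` types; the existing `getContextSubject` code in this file appears to use raw actions too, so this is consistent, though `PrivilegedAction<RunAsIdentity>` would drop the casts.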
@@ -128,4 +203,50 @@
String previousID = (String) AccessController.doPrivileged(action);
return previousID;
}
+
+ static RunAsIdentity peekRunAsIdentity()
+ {
+ if(System.getSecurityManager() == null)
+ {
+ return RunAsIdentityActions.NON_PRIVILEGED.peek();
+ }
+ else
+ {
+ return RunAsIdentityActions.PRIVILEGED.peek();
+ }
+ }
+
+ static void pushRunAsIdentity(RunAsIdentity principal)
+ {
+ if(System.getSecurityManager() == null)
+ {
+ RunAsIdentityActions.NON_PRIVILEGED.push(principal);
+ }
+ else
+ {
+ RunAsIdentityActions.PRIVILEGED.push(principal);
+ }
+ }
+
+ static RunAsIdentity popRunAsIdentity()
+ {
+ if(System.getSecurityManager() == null)
+ {
+ return RunAsIdentityActions.NON_PRIVILEGED.pop();
+ }
+ else
+ {
+ return RunAsIdentityActions.PRIVILEGED.pop();
+ }
+ }
+
+ static Principal getCallerPrincipal()
+ {
+ return (Principal)AccessController.doPrivileged(new PrivilegedAction(){
+
+ public Object run()
+ {
+ return SecurityAssociation.getCallerPrincipal();
+ }});
+ }
}
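Review bot: `getCallerPrincipal` always routes through `AccessController.doPrivileged`, while the three run-as wrappers just above branch on `System.getSecurityManager()` and call SecurityAssociation directly when none is installed; either both approaches are acceptable (doPrivileged is harmless without a security manager, which makes the branch redundant) or the branch matters, but the file should pick one. It also builds a new anonymous `PrivilegedAction` per call where the peek/pop actions are cached as fields; a `private static final PrivilegedAction` for it matches the existing style. None of the four new static methods has a Javadoc; `/** Returns the current caller principal from SecurityAssociation, read under doPrivileged. */` and equivalents for peek/push/pop would document the thread-bound state they touch.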
Copied: trunk/ejb3/src/main/org/jboss/ejb3/security/SecurityDomainManager.java (from rev 58846, branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/SecurityDomainManager.java)