[jboss-cvs] JBossAS SVN: r59051 - in trunk/server/src/main/org/jboss/ejb: . deployers
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Thu Dec 14 11:55:44 EST 2006
Author: anil.saldhana at jboss.com
Date: 2006-12-14 11:55:42 -0500 (Thu, 14 Dec 2006)
New Revision: 59051
Added:
trunk/server/src/main/org/jboss/ejb/EJBPermissionMapping.java
Modified:
trunk/server/src/main/org/jboss/ejb/EjbModule.java
trunk/server/src/main/org/jboss/ejb/EjbModuleMBean.java
trunk/server/src/main/org/jboss/ejb/deployers/EjbDeployer.java
Log:
JBAS-3932: security deployer with permission creation delegated to JaccPolicy service bean and dependence of component deployers on JaccPolicy service bean
Added: trunk/server/src/main/org/jboss/ejb/EJBPermissionMapping.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/EJBPermissionMapping.java 2006-12-14 16:53:07 UTC (rev 59050)
+++ trunk/server/src/main/org/jboss/ejb/EJBPermissionMapping.java 2006-12-14 16:55:42 UTC (rev 59051)
@@ -0,0 +1,113 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2005, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb;
+
+import java.util.Iterator;
+import java.util.Set;
+
+import javax.security.jacc.EJBMethodPermission;
+import javax.security.jacc.EJBRoleRefPermission;
+import javax.security.jacc.PolicyConfiguration;
+import javax.security.jacc.PolicyContextException;
+
+import org.jboss.metadata.BeanMetaData;
+import org.jboss.metadata.MethodMetaData;
+import org.jboss.metadata.SecurityRoleRefMetaData;
+import org.jboss.metadata.SessionMetaData;
+
+//$Id$
+
+/**
+ * Utility class to create the EJB Permissions from the metadata available
+ * @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
+ * @since Dec 12, 2006
+ * @version $Revision$
+ */
+public class EJBPermissionMapping
+{
+ public static void createPermissions(BeanMetaData bean, PolicyConfiguration pc)
+ throws PolicyContextException
+ {
+ // Process the method-permission MethodMetaData
+ Iterator iter = bean.getPermissionMethods();
+ while( iter.hasNext() )
+ {
+ MethodMetaData mmd = (MethodMetaData) iter.next();
+ String[] params = null;
+ if( mmd.isParamGiven() )
+ params = mmd.getMethodParams();
+ String methodName = mmd.getMethodName();
+ if( methodName != null && methodName.equals("*") )
+ methodName = null;
+ EJBMethodPermission p = new EJBMethodPermission(mmd.getEjbName(),
+ methodName, mmd.getInterfaceType(), params);
+ if( mmd.isUnchecked() )
+ {
+ pc.addToUncheckedPolicy(p);
+ }
+ else
+ {
+ Set roles = mmd.getRoles();
+ Iterator riter = roles.iterator();
+ while( riter.hasNext() )
+ {
+ String role = (String) riter.next();
+ pc.addToRole(role, p);
+ }
+ }
+ }
+ // Process the exclude-list MethodMetaData
+ iter = bean.getExcludedMethods();
+ while( iter.hasNext() )
+ {
+ MethodMetaData mmd = (MethodMetaData) iter.next();
+ String[] params = null;
+ if( mmd.isParamGiven() )
+ params = mmd.getMethodParams();
+ EJBMethodPermission p = new EJBMethodPermission(mmd.getEjbName(),
+ mmd.getMethodName(), mmd.getInterfaceType(), params);
+ pc.addToExcludedPolicy(p);
+ }
+ // Process the security-role-ref SecurityRoleRefMetaData
+ iter = bean.getSecurityRoleReferences();
+ while( iter.hasNext() )
+ {
+ SecurityRoleRefMetaData srrmd = (SecurityRoleRefMetaData) iter.next();
+ EJBRoleRefPermission p = new EJBRoleRefPermission(bean.getEjbName(), srrmd.getName());
+ pc.addToRole(srrmd.getLink(), p);
+ }
+ /* Special handling of stateful session bean getEJBObject due how the
+ stateful session handles acquire the proxy by sending an invocation to
+ the ejb container.
+ */
+ if( bean instanceof SessionMetaData )
+ {
+ SessionMetaData smd = (SessionMetaData) bean;
+ if( smd.isStateful() )
+ {
+ EJBMethodPermission p = new EJBMethodPermission(bean.getEjbName(),
+ "getEJBObject", "Home", null);
+ pc.addToUncheckedPolicy(p);
+ }
+ }
+ }
+}
Modified: trunk/server/src/main/org/jboss/ejb/EjbModule.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/EjbModule.java 2006-12-14 16:53:07 UTC (rev 59050)
+++ trunk/server/src/main/org/jboss/ejb/EjbModule.java 2006-12-14 16:55:42 UTC (rev 59051)
@@ -31,8 +31,7 @@
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
-import java.util.ListIterator;
-import java.util.Set;
+import java.util.ListIterator;
import java.util.HashSet;
import javax.ejb.EJBLocalHome;
@@ -42,15 +41,14 @@
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.EJBMethodPermission;
-import javax.security.jacc.PolicyContextException;
-import javax.security.jacc.EJBRoleRefPermission;
+import javax.security.jacc.PolicyContextException;
import javax.transaction.TransactionManager;
-import org.jboss.deployers.spi.deployer.DeploymentUnit;
-import org.jboss.deployers.spi.structure.DeploymentContext;
+import org.jboss.deployers.spi.deployer.DeploymentUnit;
import org.jboss.deployment.DeploymentException;
import org.jboss.deployment.DeploymentInfo;
-import org.jboss.deployment.EARDeployerMBean;
+import org.jboss.deployment.EARDeployerMBean;
+import org.jboss.deployment.security.JaccPolicyMBean;
import org.jboss.logging.Logger;
import org.jboss.metadata.ApplicationMetaData;
import org.jboss.metadata.BeanMetaData;
@@ -59,9 +57,7 @@
import org.jboss.metadata.InvokerProxyBindingMetaData;
import org.jboss.metadata.MetaData;
import org.jboss.metadata.SessionMetaData;
-import org.jboss.metadata.XmlLoadable;
-import org.jboss.metadata.MethodMetaData;
-import org.jboss.metadata.SecurityRoleRefMetaData;
+import org.jboss.metadata.XmlLoadable;
import org.jboss.mx.loading.RepositoryClassLoader;
import org.jboss.ejb.plugins.SecurityProxyInterceptor;
import org.jboss.ejb.plugins.StatefulSessionInstancePool;
@@ -162,6 +158,9 @@
/** Whether we are call by value */
private boolean callByValue;
private ApplicationMetaData appMetaData;
+
+ /** Top level Jacc Policy per top-level deployment */
+ private JaccPolicyMBean jaccPolicy;
public EjbModule(final DeploymentUnit unit, ApplicationMetaData metaData)
{
@@ -325,6 +324,17 @@
return appMetaData.getUrl();
}
+ public JaccPolicyMBean getJaccPolicy()
+ {
+ return jaccPolicy;
+ }
+
+ public void setJaccPolicy(JaccPolicyMBean jaccPolicy)
+ {
+ this.jaccPolicy = jaccPolicy;
+ }
+
+
// Service implementation ----------------------------------------
protected void createService() throws Exception
@@ -364,10 +374,11 @@
Iterator beans = appMetaData.getEnterpriseBeans();
String contextID = appMetaData.getJaccContextID();
if( contextID == null )
- contextID = shortNameFromDeploymentName(deploymentUnit.getSimpleName());
+ contextID = deploymentUnit.getSimpleName();
appMetaData.setJaccContextID(contextID);
- PolicyConfigurationFactory pcFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
- PolicyConfiguration pc = pcFactory.getPolicyConfiguration(contextID, true);
+ /*PolicyConfigurationFactory pcFactory = PolicyConfigurationFactory.getPolicyConfigurationFactory();
+ PolicyConfiguration pc = pcFactory.getPolicyConfiguration(contextID, true);*/
+ PolicyConfiguration pc = null;
while (beans.hasNext())
{
BeanMetaData bean = (BeanMetaData) beans.next();
@@ -377,18 +388,26 @@
//@todo support overriding the context id via metadata is needed
con.setJaccContextID(contextID);
// Register the permissions with the JACC layer
- createPermissions(bean, pc);
- deploymentUnit.addAttachment(PolicyConfiguration.class, pc);
+ /**createPermissions(bean, pc);*/
+ if(jaccPolicy != null)
+ pc = jaccPolicy.createPermissions(bean, contextID, pc);
+ //deploymentUnit.addAttachment(PolicyConfiguration.class, pc);
// Link this to the parent PC
- DeploymentContext current = deploymentUnit.getDeploymentContext();
+ /*DeploymentContext current = deploymentUnit.getDeploymentContext();
while (current.getParent() != null)
current = current.getParent();
PolicyConfiguration parentPC =
current.getTransientAttachments().getAttachment(PolicyConfiguration.class);
if (parentPC != null && parentPC != pc)
- parentPC.linkConfiguration(pc);
+ parentPC.linkConfiguration(pc); */
}
- pc.commit();
+
+ if(pc != null && jaccPolicy != null)
+ {
+ jaccPolicy.link(pc);
+ pc.commit();
+ }
+
//only one iteration should be necessary, but we won't sweat it.
//2 iterations are needed by cmp...jdbc/bridge/JDBCCMRFieldBridge which
@@ -1020,72 +1039,7 @@
container.addInterceptor(container.createContainerInterceptor());
}
- private void createPermissions(BeanMetaData bean, PolicyConfiguration pc)
- throws PolicyContextException
- {
- // Process the method-permission MethodMetaData
- Iterator iter = bean.getPermissionMethods();
- while( iter.hasNext() )
- {
- MethodMetaData mmd = (MethodMetaData) iter.next();
- String[] params = null;
- if( mmd.isParamGiven() )
- params = mmd.getMethodParams();
- String methodName = mmd.getMethodName();
- if( methodName != null && methodName.equals("*") )
- methodName = null;
- EJBMethodPermission p = new EJBMethodPermission(mmd.getEjbName(),
- methodName, mmd.getInterfaceType(), params);
- if( mmd.isUnchecked() )
- {
- pc.addToUncheckedPolicy(p);
- }
- else
- {
- Set roles = mmd.getRoles();
- Iterator riter = roles.iterator();
- while( riter.hasNext() )
- {
- String role = (String) riter.next();
- pc.addToRole(role, p);
- }
- }
- }
- // Process the exclude-list MethodMetaData
- iter = bean.getExcludedMethods();
- while( iter.hasNext() )
- {
- MethodMetaData mmd = (MethodMetaData) iter.next();
- String[] params = null;
- if( mmd.isParamGiven() )
- params = mmd.getMethodParams();
- EJBMethodPermission p = new EJBMethodPermission(mmd.getEjbName(),
- mmd.getMethodName(), mmd.getInterfaceType(), params);
- pc.addToExcludedPolicy(p);
- }
- // Process the security-role-ref SecurityRoleRefMetaData
- iter = bean.getSecurityRoleReferences();
- while( iter.hasNext() )
- {
- SecurityRoleRefMetaData srrmd = (SecurityRoleRefMetaData) iter.next();
- EJBRoleRefPermission p = new EJBRoleRefPermission(bean.getEjbName(), srrmd.getName());
- pc.addToRole(srrmd.getLink(), p);
- }
- /* Special handling of stateful session bean getEJBObject due how the
- stateful session handles acquire the proxy by sending an invocation to
- the ejb container.
- */
- if( bean instanceof SessionMetaData )
- {
- SessionMetaData smd = (SessionMetaData) bean;
- if( smd.isStateful() )
- {
- EJBMethodPermission p = new EJBMethodPermission(bean.getEjbName(),
- "getEJBObject", "Home", null);
- pc.addToUncheckedPolicy(p);
- }
- }
- }
+
/** Create any JACC permissions for the ejb methods that were not explicitly
* assigned method-permission or exclude-list mappings.
@@ -1293,28 +1247,7 @@
((XmlLoadable) ic).importXml(conf.getContainerCacheConf());
return ic;
- }
-
- /**
- * A utility method that takes a deployment unit name and strips it down to the base jar
- * name without the .jar suffix.
- * @param name - the DeploymentUnit name.
- */
- public static String shortNameFromDeploymentName(String name)
- {
- String shortName = name.trim();
- String[] parts = name.split("/|\\.|\\!");
- if( parts.length > 1 )
- {
- // If it ends in .war, use the previous part
- if( parts[parts.length-1].equals("jar") )
- shortName = parts[parts.length-2];
- // else use the last part
- else
- shortName = parts[parts.length-1];
- }
- return shortName;
- }
+ }
}
/*
vim:ts=3:sw=3:et
Modified: trunk/server/src/main/org/jboss/ejb/EjbModuleMBean.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/EjbModuleMBean.java 2006-12-14 16:53:07 UTC (rev 59050)
+++ trunk/server/src/main/org/jboss/ejb/EjbModuleMBean.java 2006-12-14 16:55:42 UTC (rev 59051)
@@ -23,6 +23,7 @@
import javax.management.ObjectName;
+import org.jboss.deployment.security.JaccPolicyMBean;
import org.jboss.tm.TransactionManagerFactory;
/**
@@ -39,6 +40,8 @@
java.util.Collection getContainers() ;
void setTransactionManagerFactory(TransactionManagerFactory tmFactory);
+ void setJaccPolicy(JaccPolicyMBean jp);
+ JaccPolicyMBean getJaccPolicy();
public ObjectName getWebServiceName();
public void setWebServiceName(ObjectName webServiceName);
}
Modified: trunk/server/src/main/org/jboss/ejb/deployers/EjbDeployer.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/deployers/EjbDeployer.java 2006-12-14 16:53:07 UTC (rev 59050)
+++ trunk/server/src/main/org/jboss/ejb/deployers/EjbDeployer.java 2006-12-14 16:55:42 UTC (rev 59051)
@@ -29,7 +29,8 @@
import org.jboss.deployers.plugins.deployers.helpers.AbstractSimpleRealDeployer;
import org.jboss.deployers.spi.DeploymentException;
-import org.jboss.deployers.spi.deployer.DeploymentUnit;
+import org.jboss.deployers.spi.deployer.DeploymentUnit;
+import org.jboss.deployment.security.JaccPolicyUtil;
import org.jboss.ejb.EjbModule;
import org.jboss.metadata.ApplicationMetaData;
import org.jboss.mx.util.ObjectNameConverter;
@@ -55,7 +56,7 @@
/** The CachedConnectionManager service used by the CachedConnectionInterceptor */
private String ccmServiceName;
/** The ejb timer service */
- private String timerServiceName;
+ private String timerServiceName;
public EjbDeployer()
{
@@ -109,6 +110,12 @@
{
// TODO: use BeanVerifier to validate the metadata in the DDs
if (deployment.getEjbVersion() > 2) return; // let EJB3 deployer handle this
+
+ /**
+ * Ignore the jacc policy service bean
+ */
+ if(unit.getName().startsWith("jboss:") && unit.getName().contains("id="))
+ return;
ServiceMetaData ejbModule = new ServiceMetaData();
ejbModule.setCode(EjbModule.class.getName());
@@ -169,6 +176,12 @@
wsDepends.setDependency(getWebServiceName());
ws.setValue(wsDepends);
attrs.add(ws);
+
+ //Add a dependence on the jacc policy only if we are not the top-level deployment
+ if(!JaccPolicyUtil.isTopLevelDeployment(unit))
+ {
+ attrs.add(JaccPolicyUtil.getServiceAttributeMetaData(unit));
+ }
ejbModule.setAttributes(attrs);
List<ServiceDependencyMetaData> dependencies = new ArrayList<ServiceDependencyMetaData>();
More information about the jboss-cvs-commits
mailing list