[jboss-cvs] jboss/src/main/org/jboss/ejb ...

Anil Saldhana anil.saldhana at jboss.com
Tue Jul 25 13:17:39 EDT 2006


  User: asaldhana
  Date: 06/07/25 13:17:39

  Modified:    src/main/org/jboss/ejb    Container.java EjbModule.java
                        EnterpriseContext.java
  Log:
  JBAS-3419: EJBContext.isCallerInRole goes through the Authorization Framework
  
  Revision  Changes    Path
  1.180     +27 -1     jboss/src/main/org/jboss/ejb/Container.java
  
  (In the diff below, changes in quantity of whitespace are not shown.)
  
  Index: Container.java
  ===================================================================
  RCS file: /cvsroot/jboss/jboss/src/main/org/jboss/ejb/Container.java,v
  retrieving revision 1.179
  retrieving revision 1.180
  diff -u -b -r1.179 -r1.180
  --- Container.java	5 Jul 2006 18:26:58 -0000	1.179
  +++ Container.java	25 Jul 2006 17:17:38 -0000	1.180
  @@ -75,6 +75,7 @@
   import org.jboss.naming.Util;
   import org.jboss.security.AnybodyPrincipal;
   import org.jboss.security.AuthenticationManager;
  +import org.jboss.security.AuthorizationManager;
   import org.jboss.security.RealmMapping;
   import org.jboss.system.ServiceMBeanSupport;
   import org.jboss.util.NestedError;
  @@ -102,7 +103,7 @@
    * @author <a href="bill at burkecentral.com">Bill Burke</a>
    * @author <a href="mailto:d_jencks at users.sourceforge.net">David Jencks</a>
    * @author <a href="mailto:christoph.jung at infor.de">Christoph G. Jung</a>
  - * @version $Revision: 1.179 $
  + * @version $Revision: 1.180 $
    *
    * @jmx.mbean extends="org.jboss.system.ServiceMBean"
    */
  @@ -174,6 +175,11 @@
      /** This is the SecurityManager */
      protected AuthenticationManager sm;
   
  +   /**
  +    * Authorization Manager
  +    */
  +   protected AuthorizationManager authorizationManager;
  +
      /** This is the realm mapping */
      protected RealmMapping rm;
   
  @@ -304,6 +310,26 @@
         return sm;
      }
   
  +   /**
  +    * Get the authorizationManager.
  +    * 
  +    * @return the authorizationManager.
  +    */
  +   public AuthorizationManager getAuthorizationManager()
  +   {
  +      return authorizationManager;
  +   }
  +
  +   /**
  +    * Set the authorizationManager.
  +    * 
  +    * @param authorizationManager The authorizationManager to set.
  +    */
  +   public void setAuthorizationManager(AuthorizationManager authorizationManager)
  +   {
  +      this.authorizationManager = authorizationManager;
  +   }
  +
      public BeanLockManager getLockManager()
      {
         return lockManager;
  
  
  
  1.75      +8 -5      jboss/src/main/org/jboss/ejb/EjbModule.java
  
  (In the diff below, changes in quantity of whitespace are not shown.)
  
  Index: EjbModule.java
  ===================================================================
  RCS file: /cvsroot/jboss/jboss/src/main/org/jboss/ejb/EjbModule.java,v
  retrieving revision 1.74
  retrieving revision 1.75
  diff -u -b -r1.74 -r1.75
  --- EjbModule.java	19 Jul 2006 18:22:41 -0000	1.74
  +++ EjbModule.java	25 Jul 2006 17:17:39 -0000	1.75
  @@ -99,7 +99,7 @@
    * @author <a href="mailto:Adrian.Brock at HappeningTimes.com">Adrian.Brock</a>
    * @author <a href="mailto:Scott.Stark at jboss.org">Scott Stark</a>
    * @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
  - * @version $Revision: 1.74 $
  + * @version $Revision: 1.75 $
    *
    * @jmx:mbean extends="org.jboss.system.ServiceMBean"
    */
  @@ -174,6 +174,10 @@
         this.name = name;
         this.tm = tm;
         this.webServiceName = webServiceName;
  +
  +      this.authorizationManagerService = (AuthorizationManagerServiceMBean)
  +         MBeanProxyExt.create(AuthorizationManagerServiceMBean.class,
  +                              AuthorizationManagerServiceMBean.OBJECT_NAME);
      }
   
      public Map getModuleDataMap()
  @@ -313,10 +317,6 @@
                                 ServiceControllerMBean.OBJECT_NAME,
                                 server);
   
  -      authorizationManagerService = (AuthorizationManagerServiceMBean)
  -         MBeanProxyExt.create(AuthorizationManagerServiceMBean.class,
  -                              AuthorizationManagerServiceMBean.OBJECT_NAME,
  -                              server);
         log.debug("createService, begin");
   
         //Ask the ejb deployer whether we are call by value
  @@ -572,6 +572,7 @@
            con.setSecurityManager(null);
            con.setRealmMapping(null);
            con.setSecurityProxy(null);
  +         con.setAuthorizationManager(null);
            con.proxyFactories.clear();
         }
   
  @@ -813,6 +814,8 @@
               RealmMapping rM = (RealmMapping) securityMgr;
               container.setSecurityManager(ejbS);
               container.setRealmMapping(rM);
  +            String usd = org.jboss.security.Util.unprefixSecurityDomain(confSecurityDomain);
  +            container.setAuthorizationManager(this.authorizationManagerService.getAuthorizationManager(usd));
            }
            catch (NamingException e)
            {
  
  
  
  1.88      +63 -88    jboss/src/main/org/jboss/ejb/EnterpriseContext.java
  
  (In the diff below, changes in quantity of whitespace are not shown.)
  
  Index: EnterpriseContext.java
  ===================================================================
  RCS file: /cvsroot/jboss/jboss/src/main/org/jboss/ejb/EnterpriseContext.java,v
  retrieving revision 1.87
  retrieving revision 1.88
  diff -u -b -r1.87 -r1.88
  --- EnterpriseContext.java	5 Jul 2006 18:26:58 -0000	1.87
  +++ EnterpriseContext.java	25 Jul 2006 17:17:39 -0000	1.88
  @@ -22,11 +22,9 @@
   package org.jboss.ejb;
   
   import java.rmi.RemoteException;
  -import java.security.CodeSource;
   import java.security.Identity;
  -import java.security.Policy;
   import java.security.Principal;
  -import java.security.ProtectionDomain;
  +import java.util.HashMap;
   import java.util.HashSet;
   import java.util.Iterator;
   import java.util.Properties;
  @@ -37,8 +35,6 @@
   import javax.ejb.EJBHome;
   import javax.ejb.EJBLocalHome;
   import javax.ejb.TimerService;
  -import javax.security.auth.Subject;
  -import javax.security.jacc.EJBRoleRefPermission;
   import javax.security.jacc.PolicyContextException;
   import javax.transaction.HeuristicMixedException;
   import javax.transaction.HeuristicRollbackException;
  @@ -57,13 +53,18 @@
   import org.jboss.metadata.ApplicationMetaData;
   import org.jboss.metadata.BeanMetaData;
   import org.jboss.metadata.SecurityRoleRefMetaData;
  +import org.jboss.security.AuthorizationManager;
   import org.jboss.security.RealmMapping;
   import org.jboss.security.RunAsIdentity;
  +import org.jboss.security.SecurityRoleRef;
   import org.jboss.security.SimplePrincipal;
  +import org.jboss.security.authorization.AuthorizationContext;
  +import org.jboss.security.authorization.EJBResource;
  +import org.jboss.security.authorization.ResourceKeys; 
   import org.jboss.tm.TransactionTimeoutConfiguration;
   import org.jboss.tm.usertx.client.ServerVMClientUserTransaction;
   
  -//$Id: EnterpriseContext.java,v 1.87 2006/07/05 18:26:58 asaldhana Exp $
  +//$Id: EnterpriseContext.java,v 1.88 2006/07/25 17:17:39 asaldhana Exp $
   
   /**
    * The EnterpriseContext is used to associate EJB instances with
  @@ -80,7 +81,7 @@
    * @author <a href="mailto:osh at sparre.dk">Ole Husgaard</a>
    * @author <a href="mailto:thomas.diesler at jboss.org">Thomas Diesler</a>
    * @author <a href="mailto:anil.saldhana at jboss.org">Anil Saldhana</a>
  - * @version $Revision: 1.87 $
  + * @version $Revision: 1.88 $
    */
   public abstract class EnterpriseContext
   implements AllowedOperationsFlags
  @@ -501,56 +502,60 @@
          */
         public boolean isCallerInRole(String roleName)
         {
  -         //Check if JACC is installed 
  -         if(con.isJaccEnabled()) 
  -            return this.isCallerInRoleCheckForJacc(roleName); 
  -         
  -         // Check the caller of this beans run-as identity
  -         RunAsIdentity runAsIdentity = SecurityActions.peekRunAsIdentity(1);
  -         if (principal == null && runAsIdentity == null)
  -            return false;
  -
  -         RealmMapping rm = con.getRealmMapping();
  -         if (rm == null)
  +         //Obtain the Authorization Manager 
  +         AuthorizationManager authzManager = getContainer().getAuthorizationManager();
  +         if( authzManager == null)
            {
               String msg = "isCallerInRole() called with no security context. "
               + "Check that a security-domain has been set for the application.";
               throw new IllegalStateException(msg);
            }
  +         //Check the caller of this beans run-as identity
  +         RunAsIdentity runAsIdentity = SecurityActions.peekRunAsIdentity(1);
  +         if (principal == null && runAsIdentity == null)
  +            return false;
   
  -         // Map the role name used by Bean Provider to the security role
  -         // link in the deployment descriptor. The EJB 1.1 spec requires
  -         // the security role refs in the descriptor but for backward
  -         // compability we're not enforcing this requirement.
  -         //
  -         // TODO (2.3): add a conditional check using jboss.xml <enforce-ejb-restrictions> element
  -         //             which will throw an exception in case no matching
  -         //             security ref is found.
  +         //Generate the SecurityRoleRef set
            Iterator it = getContainer().getBeanMetaData().getSecurityRoleReferences();
  -         boolean matchFound = false;
  -
  -         while (it.hasNext())
  +         Set securityRoleRefs = new HashSet();
  +         while(it.hasNext())
            {
               SecurityRoleRefMetaData meta = (SecurityRoleRefMetaData) it.next();
  -            if (meta.getName().equals(roleName))
  +            securityRoleRefs.add(new SecurityRoleRef(meta.getName(), meta.getLink(),meta.getDescription()));
  +         } 
  +         final HashMap map =  new HashMap();
  +         map.put(ResourceKeys.EJB_NAME ,getContainer().getBeanMetaData().getEjbName()); 
  +         map.put(ResourceKeys.EJB_PRINCIPAL, principal); 
  +         map.put(ResourceKeys.AUTHORIZATION_MANAGER,authzManager); 
  +         map.put(ResourceKeys.RUNASIDENTITY, SecurityActions.peekRunAsIdentity(1));
  +         map.put(ResourceKeys.SECURITY_ROLE_REFERENCES, securityRoleRefs);
  +         map.put(ResourceKeys.ROLENAME, roleName);
  +         map.put(ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE);
  +         try
               {
  -               roleName = meta.getLink();
  -               matchFound = true;
  -               break;
  +            map.put(ResourceKeys.CALLER_SUBJECT, SecurityActions.getContextSubject());
               }
  +         catch (PolicyContextException pe)
  +         {
  +           if(log.isTraceEnabled())
  +              log.trace("PolicyContextException in getting caller subject:",pe);
            }
  -
  -         if (!matchFound)
  -            log.warn("no match found for security role " + roleName +
  -            " in the deployment descriptor for ejb " + getContainer().getBeanMetaData().getEjbName());
  -
  -         HashSet set = new HashSet();
  -         set.add(new SimplePrincipal(roleName));
  -
  -         if (runAsIdentity == null)
  -            return rm.doesUserHaveRole(principal, set);
  +         EJBResource ejbResource = new EJBResource(map);
  +         boolean isAuthorized = false;
  +         try
  +         {
  +            int check = authzManager.authorize(ejbResource);
  +            isAuthorized = (check == AuthorizationContext.PERMIT);
  +         } 
  +         catch (Exception e)
  +         {
  +            isAuthorized = false;
  +            if(log.isTraceEnabled())
  +               log.trace("Error in authorization:",e);
            else
  -            return runAsIdentity.doesUserHaveRole(set);
  +               log.error("isCallerInRole check failed:"+e.getLocalizedMessage());
  +         }
  +         return isAuthorized;
         }
   
         public UserTransaction getUserTransaction()
  @@ -568,36 +573,6 @@
   
            return userTransaction;
         }
  -      
  -      //Private Methods for the inner class - EJBContextImpl 
  -      private boolean isCallerInRoleCheckForJacc(String roleName) 
  -      { 
  -         SimplePrincipal rolePrincipal = new SimplePrincipal(roleName); 
  -         //This has to be the EJBRoleRefPermission 
  -         String ejbName = con.getBeanMetaData().getEjbName(); 
  -         EJBRoleRefPermission ejbRoleRefPerm = new EJBRoleRefPermission(ejbName,roleName); 
  -         //Get the caller 
  -         Subject caller; 
  -         try 
  -         { 
  -            caller = SecurityActions.getContextSubject(); 
  -         } 
  -         catch (PolicyContextException e) 
  -         { 
  -            throw new RuntimeException(e); 
  -         } 
  -         Principal[] principals = null; 
  -         if( caller != null ) 
  -         { 
  -            // Get the caller principals 
  -            Set principalsSet = caller.getPrincipals(); 
  -            principals = new Principal[principalsSet.size()]; 
  -            principalsSet.toArray(principals);       
  -         } 
  -         CodeSource ejbCS = con.getBeanClass().getProtectionDomain().getCodeSource(); 
  -         ProtectionDomain pd = new ProtectionDomain (ejbCS, null, null, principals); 
  -         return Policy.getPolicy().implies(pd, ejbRoleRefPerm);   
  -      } 
      }
   
      // Inner classes -------------------------------------------------
  
  
  



More information about the jboss-cvs-commits mailing list