[jboss-cvs] jboss/src/main/org/jboss/ejb ...
Anil Saldhana
anil.saldhana at jboss.com
Tue Jul 25 13:17:39 EDT 2006
User: asaldhana
Date: 06/07/25 13:17:39
Modified: src/main/org/jboss/ejb Container.java EjbModule.java
EnterpriseContext.java
Log:
JBAS-3419: EJBContext.isCallerInRole goes through the Authorization Framework
Revision Changes Path
1.180 +27 -1 jboss/src/main/org/jboss/ejb/Container.java
(In the diff below, changes in quantity of whitespace are not shown.)
Index: Container.java
===================================================================
RCS file: /cvsroot/jboss/jboss/src/main/org/jboss/ejb/Container.java,v
retrieving revision 1.179
retrieving revision 1.180
diff -u -b -r1.179 -r1.180
--- Container.java 5 Jul 2006 18:26:58 -0000 1.179
+++ Container.java 25 Jul 2006 17:17:38 -0000 1.180
@@ -75,6 +75,7 @@
import org.jboss.naming.Util;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthenticationManager;
+import org.jboss.security.AuthorizationManager;
import org.jboss.security.RealmMapping;
import org.jboss.system.ServiceMBeanSupport;
import org.jboss.util.NestedError;
@@ -102,7 +103,7 @@
* @author <a href="bill at burkecentral.com">Bill Burke</a>
* @author <a href="mailto:d_jencks at users.sourceforge.net">David Jencks</a>
* @author <a href="mailto:christoph.jung at infor.de">Christoph G. Jung</a>
- * @version $Revision: 1.179 $
+ * @version $Revision: 1.180 $
*
* @jmx.mbean extends="org.jboss.system.ServiceMBean"
*/
@@ -174,6 +175,11 @@
/** This is the SecurityManager */
protected AuthenticationManager sm;
+ /**
+ * Authorization Manager
+ */
+ protected AuthorizationManager authorizationManager;
+
/** This is the realm mapping */
protected RealmMapping rm;
@@ -304,6 +310,26 @@
return sm;
}
+ /**
+ * Get the authorizationManager.
+ *
+ * @return the authorizationManager.
+ */
+ public AuthorizationManager getAuthorizationManager()
+ {
+ return authorizationManager;
+ }
+
+ /**
+ * Set the authorizationManager.
+ *
+ * @param authorizationManager The authorizationManager to set.
+ */
+ public void setAuthorizationManager(AuthorizationManager authorizationManager)
+ {
+ this.authorizationManager = authorizationManager;
+ }
+
public BeanLockManager getLockManager()
{
return lockManager;
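Review bot: The Javadoc on `getAuthorizationManager` and `setAuthorizationManager` only restates the method names, although this field now decides every `isCallerInRole` result for the container. Say who owns it and what null means, for example `Set by EjbModule when the container's security domain is configured and reset to null on destroy; null means no authorization manager is available and EJBContext.isCallerInRole will throw IllegalStateException.` The setter is public and unsynchronized, so the comment should also state that it is intended for deployment-time use only. The same applies to the bare `Authorization Manager` comment on the field in the previous hunk.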
1.75 +8 -5 jboss/src/main/org/jboss/ejb/EjbModule.java
(In the diff below, changes in quantity of whitespace are not shown.)
Index: EjbModule.java
===================================================================
RCS file: /cvsroot/jboss/jboss/src/main/org/jboss/ejb/EjbModule.java,v
retrieving revision 1.74
retrieving revision 1.75
diff -u -b -r1.74 -r1.75
--- EjbModule.java 19 Jul 2006 18:22:41 -0000 1.74
+++ EjbModule.java 25 Jul 2006 17:17:39 -0000 1.75
@@ -99,7 +99,7 @@
* @author <a href="mailto:Adrian.Brock at HappeningTimes.com">Adrian.Brock</a>
* @author <a href="mailto:Scott.Stark at jboss.org">Scott Stark</a>
* @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
- * @version $Revision: 1.74 $
+ * @version $Revision: 1.75 $
*
* @jmx:mbean extends="org.jboss.system.ServiceMBean"
*/
@@ -174,6 +174,10 @@
this.name = name;
this.tm = tm;
this.webServiceName = webServiceName;
+
+ this.authorizationManagerService = (AuthorizationManagerServiceMBean)
+ MBeanProxyExt.create(AuthorizationManagerServiceMBean.class,
+ AuthorizationManagerServiceMBean.OBJECT_NAME);
}
public Map getModuleDataMap()
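Review bot: The proxy for `AuthorizationManagerServiceMBean` is now created in the constructor with the two-argument `MBeanProxyExt.create`, so the `server` reference used by the removed `createService` code is no longer passed, and nothing explains the change. Presumably the two-argument overload locates the MBeanServer itself, and the move is there so the proxy exists before the containers are configured. A short comment would record that, e.g. `// created here rather than in createService(): container security setup needs the proxy earlier; the MBeanServer is located by MBeanProxyExt`. The constructor begins above the hunk.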
@@ -313,10 +317,6 @@
ServiceControllerMBean.OBJECT_NAME,
server);
- authorizationManagerService = (AuthorizationManagerServiceMBean)
- MBeanProxyExt.create(AuthorizationManagerServiceMBean.class,
- AuthorizationManagerServiceMBean.OBJECT_NAME,
- server);
log.debug("createService, begin");
//Ask the ejb deployer whether we are call by value
@@ -572,6 +572,7 @@
con.setSecurityManager(null);
con.setRealmMapping(null);
con.setSecurityProxy(null);
+ con.setAuthorizationManager(null);
con.proxyFactories.clear();
}
@@ -813,6 +814,8 @@
RealmMapping rM = (RealmMapping) securityMgr;
container.setSecurityManager(ejbS);
container.setRealmMapping(rM);
+ String usd = org.jboss.security.Util.unprefixSecurityDomain(confSecurityDomain);
+ container.setAuthorizationManager(this.authorizationManagerService.getAuthorizationManager(usd));
}
catch (NamingException e)
{
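Review bot: The value returned by `authorizationManagerService.getAuthorizationManager(usd)` is passed straight to `container.setAuthorizationManager(...)`. If it can be null for an unknown domain, the problem only shows up at the first `isCallerInRole` call, as an `IllegalStateException` whose text blames a missing security-domain. Failing during deployment is easier to diagnose: assign the result to a local and add `if (authzMgr == null) throw new IllegalStateException("No AuthorizationManager for security domain " + usd);` before the setter call. The only handler visible here is `catch (NamingException e)`, so whether a runtime failure from the MBean proxy is handled cannot be seen; the enclosing try starts and ends outside the hunk.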
1.88 +63 -88 jboss/src/main/org/jboss/ejb/EnterpriseContext.java
(In the diff below, changes in quantity of whitespace are not shown.)
Index: EnterpriseContext.java
===================================================================
RCS file: /cvsroot/jboss/jboss/src/main/org/jboss/ejb/EnterpriseContext.java,v
retrieving revision 1.87
retrieving revision 1.88
diff -u -b -r1.87 -r1.88
--- EnterpriseContext.java 5 Jul 2006 18:26:58 -0000 1.87
+++ EnterpriseContext.java 25 Jul 2006 17:17:39 -0000 1.88
@@ -22,11 +22,9 @@
package org.jboss.ejb;
import java.rmi.RemoteException;
-import java.security.CodeSource;
import java.security.Identity;
-import java.security.Policy;
import java.security.Principal;
-import java.security.ProtectionDomain;
+import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Properties;
@@ -37,8 +35,6 @@
import javax.ejb.EJBHome;
import javax.ejb.EJBLocalHome;
import javax.ejb.TimerService;
-import javax.security.auth.Subject;
-import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyContextException;
import javax.transaction.HeuristicMixedException;
import javax.transaction.HeuristicRollbackException;
@@ -57,13 +53,18 @@
import org.jboss.metadata.ApplicationMetaData;
import org.jboss.metadata.BeanMetaData;
import org.jboss.metadata.SecurityRoleRefMetaData;
+import org.jboss.security.AuthorizationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAsIdentity;
+import org.jboss.security.SecurityRoleRef;
import org.jboss.security.SimplePrincipal;
+import org.jboss.security.authorization.AuthorizationContext;
+import org.jboss.security.authorization.EJBResource;
+import org.jboss.security.authorization.ResourceKeys;
import org.jboss.tm.TransactionTimeoutConfiguration;
import org.jboss.tm.usertx.client.ServerVMClientUserTransaction;
-//$Id: EnterpriseContext.java,v 1.87 2006/07/05 18:26:58 asaldhana Exp $
+//$Id: EnterpriseContext.java,v 1.88 2006/07/25 17:17:39 asaldhana Exp $
/**
* The EnterpriseContext is used to associate EJB instances with
@@ -80,7 +81,7 @@
* @author <a href="mailto:osh at sparre.dk">Ole Husgaard</a>
* @author <a href="mailto:thomas.diesler at jboss.org">Thomas Diesler</a>
* @author <a href="mailto:anil.saldhana at jboss.org">Anil Saldhana</a>
- * @version $Revision: 1.87 $
+ * @version $Revision: 1.88 $
*/
public abstract class EnterpriseContext
implements AllowedOperationsFlags
@@ -501,56 +502,60 @@
*/
public boolean isCallerInRole(String roleName)
{
- //Check if JACC is installed
- if(con.isJaccEnabled())
- return this.isCallerInRoleCheckForJacc(roleName);
-
- // Check the caller of this beans run-as identity
- RunAsIdentity runAsIdentity = SecurityActions.peekRunAsIdentity(1);
- if (principal == null && runAsIdentity == null)
- return false;
-
- RealmMapping rm = con.getRealmMapping();
- if (rm == null)
+ //Obtain the Authorization Manager
+ AuthorizationManager authzManager = getContainer().getAuthorizationManager();
+ if( authzManager == null)
{
String msg = "isCallerInRole() called with no security context. "
+ "Check that a security-domain has been set for the application.";
throw new IllegalStateException(msg);
}
+ //Check the caller of this beans run-as identity
+ RunAsIdentity runAsIdentity = SecurityActions.peekRunAsIdentity(1);
+ if (principal == null && runAsIdentity == null)
+ return false;
- // Map the role name used by Bean Provider to the security role
- // link in the deployment descriptor. The EJB 1.1 spec requires
- // the security role refs in the descriptor but for backward
- // compability we're not enforcing this requirement.
- //
- // TODO (2.3): add a conditional check using jboss.xml <enforce-ejb-restrictions> element
- // which will throw an exception in case no matching
- // security ref is found.
+ //Generate the SecurityRoleRef set
Iterator it = getContainer().getBeanMetaData().getSecurityRoleReferences();
- boolean matchFound = false;
-
- while (it.hasNext())
+ Set securityRoleRefs = new HashSet();
+ while(it.hasNext())
{
SecurityRoleRefMetaData meta = (SecurityRoleRefMetaData) it.next();
- if (meta.getName().equals(roleName))
+ securityRoleRefs.add(new SecurityRoleRef(meta.getName(), meta.getLink(),meta.getDescription()));
+ }
+ final HashMap map = new HashMap();
+ map.put(ResourceKeys.EJB_NAME ,getContainer().getBeanMetaData().getEjbName());
+ map.put(ResourceKeys.EJB_PRINCIPAL, principal);
+ map.put(ResourceKeys.AUTHORIZATION_MANAGER,authzManager);
+ map.put(ResourceKeys.RUNASIDENTITY, SecurityActions.peekRunAsIdentity(1));
+ map.put(ResourceKeys.SECURITY_ROLE_REFERENCES, securityRoleRefs);
+ map.put(ResourceKeys.ROLENAME, roleName);
+ map.put(ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE);
+ try
{
- roleName = meta.getLink();
- matchFound = true;
- break;
+ map.put(ResourceKeys.CALLER_SUBJECT, SecurityActions.getContextSubject());
}
+ catch (PolicyContextException pe)
+ {
+ if(log.isTraceEnabled())
+ log.trace("PolicyContextException in getting caller subject:",pe);
}
-
- if (!matchFound)
- log.warn("no match found for security role " + roleName +
- " in the deployment descriptor for ejb " + getContainer().getBeanMetaData().getEjbName());
-
- HashSet set = new HashSet();
- set.add(new SimplePrincipal(roleName));
-
- if (runAsIdentity == null)
- return rm.doesUserHaveRole(principal, set);
+ EJBResource ejbResource = new EJBResource(map);
+ boolean isAuthorized = false;
+ try
+ {
+ int check = authzManager.authorize(ejbResource);
+ isAuthorized = (check == AuthorizationContext.PERMIT);
+ }
+ catch (Exception e)
+ {
+ isAuthorized = false;
+ if(log.isTraceEnabled())
+ log.trace("Error in authorization:",e);
else
- return runAsIdentity.doesUserHaveRole(set);
+ log.error("isCallerInRole check failed:"+e.getLocalizedMessage());
+ }
+ return isAuthorized;
}
public UserTransaction getUserTransaction()
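Review bot: Both catch blocks in the new `isCallerInRole` hide failures that affect the authorization decision. A `PolicyContextException` from `SecurityActions.getContextSubject()` is logged only at trace and the check continues without `ResourceKeys.CALLER_SUBJECT`. When `authorize` throws, the stack trace is lost unless trace is enabled, and with trace enabled nothing is logged above trace level. Returning false on error is the right fail-closed result, but operators need to tell a deny from a broken authorization module, so log the cause at a visible level in both places, e.g. `log.error("isCallerInRole check failed", e);`. The removed JACC path rethrew `PolicyContextException` as a `RuntimeException`; how the authorization module treats a missing subject is not visible here, so rethrowing, or returning false immediately, would keep that failure explicit. Separately, put the local already fetched into the map, `map.put(ResourceKeys.RUNASIDENTITY, runAsIdentity);`, so the value that passed the null check is the one given to the framework.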
@@ -568,36 +573,6 @@
return userTransaction;
}
-
- //Private Methods for the inner class - EJBContextImpl
- private boolean isCallerInRoleCheckForJacc(String roleName)
- {
- SimplePrincipal rolePrincipal = new SimplePrincipal(roleName);
- //This has to be the EJBRoleRefPermission
- String ejbName = con.getBeanMetaData().getEjbName();
- EJBRoleRefPermission ejbRoleRefPerm = new EJBRoleRefPermission(ejbName,roleName);
- //Get the caller
- Subject caller;
- try
- {
- caller = SecurityActions.getContextSubject();
- }
- catch (PolicyContextException e)
- {
- throw new RuntimeException(e);
- }
- Principal[] principals = null;
- if( caller != null )
- {
- // Get the caller principals
- Set principalsSet = caller.getPrincipals();
- principals = new Principal[principalsSet.size()];
- principalsSet.toArray(principals);
- }
- CodeSource ejbCS = con.getBeanClass().getProtectionDomain().getCodeSource();
- ProtectionDomain pd = new ProtectionDomain (ejbCS, null, null, principals);
- return Policy.getPolicy().implies(pd, ejbRoleRefPerm);
- }
}
// Inner classes -------------------------------------------------