[jboss-cvs] jboss/src/main/org/jboss/ejb/plugins ...

Anil Saldhana anil.saldhana at jboss.com
Thu Jul 27 16:17:31 EDT 2006 

  User: asaldhana
  Date: 06/07/27 16:17:31

  Modified:    src/main/org/jboss/ejb/plugins  SecurityInterceptor.java
  Log:
  JBAS-3374: Get the context caller subject as per the behavior with the split JaasAuthenticationInterceptor and JaccAuthorizationInterceptor
  
  Revision  Changes    Path
  1.59      +34 -9     jboss/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
  
  (In the diff below, changes in quantity of whitespace are not shown.)
  
  Index: SecurityInterceptor.java
  ===================================================================
  RCS file: /cvsroot/jboss/jboss/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java,v
  retrieving revision 1.58
  retrieving revision 1.59
  diff -u -b -r1.58 -r1.59
  --- SecurityInterceptor.java	26 Jul 2006 02:26:10 -0000	1.58
  +++ SecurityInterceptor.java	27 Jul 2006 20:17:31 -0000	1.59
  @@ -44,6 +44,7 @@
   import java.util.Set;
   import java.lang.reflect.Method;
   import javax.security.auth.Subject;
  +import javax.security.jacc.PolicyContextException;
   import javax.ejb.TimedObject;
   import javax.ejb.Timer;
   
  @@ -55,7 +56,7 @@
    * @author <a href="mailto:Scott.Stark at jboss.org">Scott Stark</a>.
    * @author <a href="mailto:Thomas.Diesler at jboss.org">Thomas Diesler</a>.
    * @author <a href="mailto:Anil.Saldhana at jboss.org">Anil Saldhana</a>
  - * @version $Revision: 1.58 $
  + * @version $Revision: 1.59 $
    */
   public class SecurityInterceptor extends AbstractInterceptor
   {
  @@ -264,7 +265,7 @@
        if( ejbMethod== null  )
           return; 
        // Get the caller
  -     Subject caller = SecurityActions.getContextSubject(); 
  +     Subject caller = getContextCallerSubject(); 
         
        final HashMap map =  new HashMap();
        map.put(ResourceKeys.EJB_NAME ,this.ejbName);
  @@ -274,7 +275,7 @@
        map.put(ResourceKeys.EJB_CODESOURCE, ejbCS);
        map.put(ResourceKeys.CALLER_SUBJECT, caller);
        map.put(ResourceKeys.AUTHORIZATION_MANAGER,authorizationManager); 
  -     map.put(ResourceKeys.RUNASIDENTITY, SecurityActions.peekRunAsIdentity());
  +     map.put(ResourceKeys.RUNASIDENTITY, callerRunAsIdentity);
        map.put(ResourceKeys.EJB_METHODROLES, container.getMethodPermissions(ejbMethod, mi.getType()));
        EJBResource ejbResource = new EJBResource(map); 
        boolean isAuthorized = false;
  @@ -295,4 +296,28 @@
        if(!isAuthorized)
           throw new SecurityException(msg); 
     } 
  +  
  +  /**
  +   * Context caller subject is used by the Jacc layer. Since the 
  +   * PolicyContext.getContext(Subject_Key) checks the RunAs threadlocal
  +   * stack in the Security Association at a depth of 1, there is a need to
  +   * push/pop the current runAsIdentity surrounding the getContextSubject
  +   * call on SecurityActions
  +   * 
  +   * @return
  +   * @throws PolicyContextException
  +   */
  +  private Subject getContextCallerSubject() throws PolicyContextException
  +  {
  +     /**
  +      * There is a need for current RunAsIdentity on the stack due to 
  +      * PolicyContext.getContext(Subject_Key) check at a depth of 1
  +      * (Get the same behavior as split JaasAuthenticationInterceptor
  +      * and JaccAuthorizationInterceptor)
  +      */
  +     SecurityActions.pushRunAsIdentity(runAsIdentity);
  +     Subject caller = SecurityActions.getContextSubject(); 
  +     SecurityActions.popRunAsIdentity();
  +     return caller;
  +  }
   }

More information about the jboss-cvs-commits mailing list