[jboss-cvs] JBossAS SVN: r57796 - projects/security/trunk/src/main/org/jboss/security/authorization/modules/ejb
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Tue Oct 24 12:44:15 EDT 2006
Author: anil.saldhana at jboss.com
Date: 2006-10-24 12:44:14 -0400 (Tue, 24 Oct 2006)
New Revision: 57796
Modified:
projects/security/trunk/src/main/org/jboss/security/authorization/modules/ejb/EJBJACCPolicyModuleDelegate.java
Log:
use the security context roles plus slight refactor
Modified: projects/security/trunk/src/main/org/jboss/security/authorization/modules/ejb/EJBJACCPolicyModuleDelegate.java
===================================================================
--- projects/security/trunk/src/main/org/jboss/security/authorization/modules/ejb/EJBJACCPolicyModuleDelegate.java 2006-10-24 16:43:19 UTC (rev 57795)
+++ projects/security/trunk/src/main/org/jboss/security/authorization/modules/ejb/EJBJACCPolicyModuleDelegate.java 2006-10-24 16:44:14 UTC (rev 57796)
@@ -23,9 +23,13 @@
import java.lang.reflect.Method;
import java.security.CodeSource;
+import java.security.Permission;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
+import java.security.acl.Group;
+import java.util.Enumeration;
+import java.util.HashSet;
import java.util.Map;
import java.util.Set;
@@ -34,6 +38,9 @@
import javax.security.jacc.EJBRoleRefPermission;
import org.jboss.logging.Logger;
+import org.jboss.security.AuthorizationManager;
+import org.jboss.security.SecurityConstants;
+import org.jboss.security.SimpleGroup;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.PolicyRegistration;
import org.jboss.security.authorization.Resource;
@@ -57,8 +64,9 @@
private Subject callerSubject = null;
private String methodInterface = null;
private CodeSource ejbCS = null;
- private String roleName = null;
+ private String roleName = null;
private Boolean roleRefCheck = Boolean.FALSE;
+ private Group securityContextRoles = null;
public EJBJACCPolicyModuleDelegate()
{
@@ -88,6 +96,14 @@
this.ejbName = (String)map.get(ResourceKeys.EJB_NAME);
this.methodInterface = (String)map.get(ResourceKeys.EJB_METHODINTERFACE);
this.roleName = (String)map.get(ResourceKeys.ROLENAME);
+ //Get the Security Context Roles
+ AuthorizationManager am = (AuthorizationManager)map.get(ResourceKeys.AUTHORIZATION_MANAGER);
+ if(am != null)
+ {
+ Principal ejbPrincipal = (Principal)map.get(ResourceKeys.EJB_PRINCIPAL);
+ Set<Principal> roleset = am.getUserRoles(ejbPrincipal);
+ this.securityContextRoles = getGroupFromRoleSet(roleset);
+ }
this.roleRefCheck = (Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK);
if(this.roleRefCheck == Boolean.TRUE)
return checkRoleRef();
@@ -114,17 +130,7 @@
{
EJBMethodPermission methodPerm =
new EJBMethodPermission(ejbName, methodInterface, ejbMethod);
- Principal[] principals = null;
- if( callerSubject != null )
- {
- // Get the caller principals
- Set principalsSet = callerSubject.getPrincipals();
- principals = new Principal[principalsSet.size()];
- principalsSet.toArray(principals);
- }
- ProtectionDomain pd = new ProtectionDomain (ejbCS, null, null, principals);
- Policy policy = Policy.getPolicy();
- boolean policyDecision = policy.implies(pd, methodPerm);
+ boolean policyDecision = checkWithPolicy(methodPerm);
if( policyDecision == false )
{
String msg = "Denied: "+methodPerm+", caller=" + callerSubject;
@@ -135,22 +141,61 @@
}
private int checkRoleRef()
- {
- boolean allowed = false;
-
+ {
//This has to be the EJBRoleRefPermission
EJBRoleRefPermission ejbRoleRefPerm = new EJBRoleRefPermission(ejbName,roleName);
- Principal[] principals = null;
- if( this.callerSubject != null )
- {
- // Get the caller principals
- Set principalsSet = callerSubject.getPrincipals();
- principals = new Principal[principalsSet.size()];
- principalsSet.toArray(principals);
+ boolean policyDecision = checkWithPolicy(ejbRoleRefPerm);
+ if( policyDecision == false )
+ {
+ String msg = "Denied: "+ejbRoleRefPerm+", caller=" + callerSubject;
+ if(trace)
+ log.trace("EJB Jacc Delegate:"+msg);
}
- ProtectionDomain pd = new ProtectionDomain (ejbCS, null, null, principals);
- allowed = Policy.getPolicy().implies(pd, ejbRoleRefPerm);
-
- return allowed ? AuthorizationContext.PERMIT : AuthorizationContext.DENY;
+ return policyDecision ? AuthorizationContext.PERMIT : AuthorizationContext.DENY;
}
+
+ private Principal[] getPrincipalSet()
+ {
+ Principal[] principals = null;
+ /*if( callerSubject != null )
+ {
+ // Get the caller principals
+ Set principalsSet = callerSubject.getPrincipals();
+ principals = new Principal[principalsSet.size()];
+ principalsSet.toArray(principals);
+ }*/
+ /**
+ * Previously, we relied on the principals in the Subject that contained
+ * the roles. Now we just rely on the roles from the Security Context
+ */
+ if(trace)
+ log.trace("Roles used for checking from the context:" + securityContextRoles);
+ if(securityContextRoles != null )
+ {
+ Set principalsSet = new HashSet();
+ Enumeration en = securityContextRoles.members();
+ while(en.hasMoreElements())
+ principalsSet.add((Principal)en.nextElement());
+ principals = new Principal[principalsSet.size()];
+ principalsSet.toArray(principals);
+ }
+ return principals;
+ }
+
+ private boolean checkWithPolicy(Permission ejbPerm)
+ {
+ Principal[] principals = getPrincipalSet();
+ ProtectionDomain pd = new ProtectionDomain (ejbCS, null, null, principals);
+ return Policy.getPolicy().implies(pd, ejbPerm);
+ }
+
+ private Group getGroupFromRoleSet(Set<Principal> roleset)
+ {
+ Group gp = new SimpleGroup(SecurityConstants.ROLES_IDENTIFIER);
+ for(Principal p: roleset)
+ {
+ gp.addMember(p);
+ }
+ return gp;
+ }
}
More information about the jboss-cvs-commits
mailing list