[jboss-cvs] JBossAS SVN: r57803 - branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security
jboss-cvs-commits at lists.jboss.org
Tue Oct 24 13:17:19 EDT 2006
Author: anil.saldhana at jboss.com
Date: 2006-10-24 13:17:18 -0400 (Tue, 24 Oct 2006)
New Revision: 57803
Modified:
branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java
branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java
branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccHelper.java
branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java
Log:
EJBTHREE-755:Unchecked Permissions EJBTHREE-759:roles from JBoss Security Manager
Modified: branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java
===================================================================
--- branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java 2006-10-24 17:12:40 UTC (rev 57802)
+++ branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java 2006-10-24 17:17:18 UTC (rev 57803)
@@ -29,6 +29,7 @@
import org.jboss.aop.joinpoint.MethodInvocation;
import org.jboss.aspects.remoting.InvokeRemoteInterceptor;
import org.jboss.remoting.InvokerLocator;
+import org.jboss.security.RealmMapping;
/**
@@ -44,6 +45,7 @@
private String ejbName;
private CodeSource ejbCS;
+ private RealmMapping realmMapping;
public JaccAuthorizationInterceptor(String ejbName, CodeSource cs)
{
@@ -55,6 +57,11 @@
{
return "JaccAuthorizationInterceptor";
}
+
+ public void setRealmMapping(RealmMapping ssm)
+ {
+ this.realmMapping = ssm;
+ }
public Object invoke(Invocation inv) throws Throwable
{
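Review bot: setRealmMapping has no documentation, and since the interceptor's behaviour in checkPermission now depends entirely on this collaborator, a reader needs to know where it comes from and what a null means. A Javadoc such as `/** Realm mapping of the bean's security domain, used to resolve the caller's roles; injected by JaccAuthorizationInterceptorFactory after construction. */` on the setter (or on the field in the previous hunk) would cover it. The parameter name `ssm` does not match the type or the field; `realmMapping` would read better.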
@@ -90,7 +97,7 @@
String iface = (locator != null) ? "Remote" : "Local";
EJBMethodPermission methodPerm = new EJBMethodPermission(ejbName, iface, m);
- JaccHelper.checkPermission(ejbCS, methodPerm);
+ JaccHelper.checkPermission(ejbCS, methodPerm,realmMapping);
/*// Get the caller
Subject caller = SecurityActions.getContextSubject();
Modified: branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java
===================================================================
--- branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java 2006-10-24 17:12:40 UTC (rev 57802)
+++ branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java 2006-10-24 17:17:18 UTC (rev 57803)
@@ -23,14 +23,24 @@
package org.jboss.ejb3.security;
import java.security.CodeSource;
+
+import javax.naming.InitialContext;
+import javax.naming.NamingException;
+
+import org.jboss.annotation.security.SecurityDomain;
import org.jboss.aop.Advisor;
import org.jboss.aop.InstanceAdvisor;
import org.jboss.aop.advice.AspectFactory;
import org.jboss.aop.joinpoint.Joinpoint;
+import org.jboss.ejb3.Container;
import org.jboss.ejb3.EJBContainer;
+import org.jboss.security.AuthenticationManager;
+import org.jboss.security.RealmMapping;
+import org.jboss.security.SubjectSecurityManager;
/**
* @author <a href="mailto:kabir.khan at jboss.org">Kabir Khan</a>
+ * @author Anil.Saldhana at jboss.org
* @version $Revision$
*/
public class JaccAuthorizationInterceptorFactory implements AspectFactory
@@ -51,8 +61,9 @@
CodeSource ejbCS = advisor.getClazz().getProtectionDomain().getCodeSource();
String ejbName = ((EJBContainer)advisor).getEjbName();
-
- return new JaccAuthorizationInterceptor(ejbName, ejbCS);
+ JaccAuthorizationInterceptor jai = new JaccAuthorizationInterceptor(ejbName, ejbCS);
+ jai.setRealmMapping(getSecurityManager(advisor));
+ return jai;
}
catch (Exception e)
{
@@ -79,6 +90,26 @@
{
return getClass().getName();
}
+
+ public RealmMapping getSecurityManager(Advisor advisor)
+ {
+ Object domain = null;
+ Container container = (Container)advisor;
+ try
+ {
+ InitialContext ctx = container.getInitialContext();
+ SecurityDomain securityAnnotation = (SecurityDomain) advisor.resolveAnnotation(SecurityDomain.class);
+ if (securityAnnotation != null)
+ {
+ domain = SecurityDomainManager.getSecurityManager(securityAnnotation.value(),ctx);
+ }
+ }
+ catch (NamingException e)
+ {
+ throw new RuntimeException(e);
+ }
+ return (RealmMapping) domain;
+ }
}
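Review bot: getSecurityManager returns null whenever the bean has no @SecurityDomain annotation (domain is only assigned inside the `if (securityAnnotation != null)` branch), and that null is handed to setRealmMapping in the preceding hunk and later dereferenced by JaccHelper.checkPermission in the JaccHelper hunk, so a bean without a security domain would fail its first secured call with a NullPointerException rather than a clear error. Failing at deployment time is easier to diagnose: `if (domain == null) throw new IllegalStateException("No @SecurityDomain found for " + advisor.getClazz());` before the return. The unchecked `(RealmMapping) domain` cast is likely to throw ClassCastException if the bound manager does not implement RealmMapping (I cannot see SecurityDomainManager here), so an `instanceof` check with a descriptive message would help too. The imports of AuthenticationManager and SubjectSecurityManager added in the first hunk of this file do not appear to be used in the visible hunks.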
Modified: branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccHelper.java
===================================================================
--- branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccHelper.java 2006-10-24 17:12:40 UTC (rev 57802)
+++ branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/JaccHelper.java 2006-10-24 17:17:18 UTC (rev 57803)
@@ -29,12 +29,15 @@
import java.security.Principal;
import java.security.ProtectionDomain;
import java.util.Set;
+
+import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.security.auth.Subject;
import javax.security.jacc.EJBMethodPermission;
+import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyConfigurationFactory;
import javax.security.jacc.PolicyContextException;
@@ -44,6 +47,7 @@
import org.jboss.deployment.DeploymentInfo;
import org.jboss.ejb3.EJBContainer;
import org.jboss.logging.Logger;
+import org.jboss.security.RealmMapping;
/**
* JACC Helper class that created permissions as well as done the checks
@@ -131,8 +135,7 @@
addPermissions(container, pc);
}
catch (Exception e)
- {
- e.printStackTrace();
+ {
throw new RuntimeException(e);
}
}
@@ -143,6 +146,8 @@
PermitAll beanUnchecked = (PermitAll) container.resolveAnnotation(PermitAll.class);
RolesAllowed beanPermissions = (RolesAllowed) container.resolveAnnotation(RolesAllowed.class);
+
+ DeclareRoles beanDeclareRolesPerms = (DeclareRoles)container.resolveAnnotation(DeclareRoles.class);
if (beanUnchecked != null && beanPermissions != null)
{
@@ -151,6 +156,24 @@
String ejbName = container.getEjbName();
+ //Add the security role references
+ if(beanDeclareRolesPerms != null)
+ {
+ String[] rolerefs = beanDeclareRolesPerms.value();
+ int len = rolerefs != null ? rolerefs.length : 0;
+ for(int i=0; i < len; i++)
+ {
+ try
+ {
+ pc.addToRole(rolerefs[i], new EJBRoleRefPermission(ejbName, rolerefs[i]));
+ }
+ catch (PolicyContextException e)
+ {
+ throw new RuntimeException(e);
+ }
+ }
+ }
+
//Am I iterating over the right thing here? Should I be using the stuff from
//Advisor.methodInterceptors instead?
Method[] methods = container.getBeanClass().getDeclaredMethods();
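Review bot: The try/catch is re-entered on every loop iteration and the index loop plus `len` guard can be folded into an enhanced for, which also makes it clear that each declared role name is linked to the security role of the same name (the role-ref and role arguments to addToRole are identical). A short comment stating that identity mapping is deliberate would help the next reader, since JACC role references normally map a coded name to a possibly different role. The enclosing method starts before this hunk.
```java
         //Add the security role references: each name in @DeclareRoles is
         //linked to the security role of the same name (identity mapping)
         if (beanDeclareRolesPerms != null && beanDeclareRolesPerms.value() != null)
         {
            try
            {
               for (String roleRef : beanDeclareRolesPerms.value())
               {
                  pc.addToRole(roleRef, new EJBRoleRefPermission(ejbName, roleRef));
               }
            }
            catch (PolicyContextException e)
            {
               throw new RuntimeException(e);
            }
         }
         // … unchanged: method iteration …
```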
@@ -173,7 +196,16 @@
if (annotationCount == 0 && beanPermissions == null && beanUnchecked == null)
{
- continue;
+ //continue;
+ //EJBTHREE-755:Add to unchecked if there are no annotations
+ try
+ {
+ pc.addToUncheckedPolicy(permission);
+ }
+ catch (PolicyContextException e)
+ {
+ throw new RuntimeException(e);
+ }
}
else if (annotationCount > 1)
{
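Review bot: The commented-out `//continue;` should be deleted rather than left behind, and the comment above the try should say what the behaviour is rather than only the ticket number, e.g. `//EJBTHREE-755: a method with no security annotation on itself or its bean is unchecked, i.e. granted to every caller`. Because the `continue` is gone, execution for such methods now falls through to whatever follows the if/else chain, which is outside this hunk; it is worth confirming that the code there does not register a second, conflicting permission for the same method. Given that this path widens access by default, a one-line test or log at deployment listing the methods added to the unchecked policy would make the outcome auditable.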
@@ -219,7 +251,7 @@
}
catch (PolicyContextException e)
{
- throw new RuntimeException(e); // TODO Auto-generated catch block
+ throw new RuntimeException(e);
}
}
}
@@ -257,7 +289,8 @@
container.addClassMetaData(jaccCtx);
}
- public static void checkPermission(CodeSource ejbCS, EJBMethodPermission methodPerm)
+ public static void checkPermission(CodeSource ejbCS, EJBMethodPermission methodPerm,
+ RealmMapping realmMapping)
throws EJBAccessException
{
try
@@ -267,13 +300,19 @@
Subject caller = SecurityActions.getContextSubject();
Principal[] principals = null;
- if (caller != null)
+ /*if (caller != null)
{
// Get the caller principals
Set principalsSet = caller.getPrincipals();
principals = new Principal[principalsSet.size()];
principalsSet.toArray(principals);
- }
+ }*/
+
+ //Get the current roles from the Authorization Manager
+ Principal callerP = SecurityActions.getCallerPrincipal();
+ Set principalSet = realmMapping.getUserRoles(callerP);
+ principals = new Principal[principalSet.size()];
+ principalSet.toArray(principals);
ProtectionDomain pd = new ProtectionDomain(ejbCS, null, null, principals);
if (policy.implies(pd, methodPerm) == false)
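Review bot: `realmMapping.getUserRoles(callerP)` is called with whatever getCallerPrincipal returns, and the result is dereferenced unconditionally on the next two lines, so an unauthenticated caller (null principal) or a realm mapping that returns null for an unknown user turns into a NullPointerException instead of the EJBAccessException this method declares; I cannot see the catch clause of the enclosing try, which continues past the hunk, so I am assuming it does not translate NPEs. Treating both cases as "no roles" lets the existing `policy.implies` check decide and keeps the method's contract. The old Subject-based block kept as a comment and the now-unused `Subject caller` local should be removed rather than left commented out.
```java
         //Resolve the caller's roles through the security domain; an absent
         //caller or a caller with no roles yields an empty principal array so
         //the policy check below decides instead of a NullPointerException
         Principal callerP = SecurityActions.getCallerPrincipal();
         Set principalSet = (realmMapping != null && callerP != null)
               ? realmMapping.getUserRoles(callerP) : null;
         Principal[] principals = (principalSet == null)
               ? new Principal[0]
               : (Principal[]) principalSet.toArray(new Principal[principalSet.size()]);
         ProtectionDomain pd = new ProtectionDomain(ejbCS, null, null, principals);
         // … unchanged: policy.implies check and access-denied handling …
```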
Modified: branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java
===================================================================
--- branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java 2006-10-24 17:12:40 UTC (rev 57802)
+++ branches/JEE5_TCK/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java 2006-10-24 17:17:18 UTC (rev 57803)
@@ -23,6 +23,7 @@
import java.lang.reflect.UndeclaredThrowableException;
import java.security.AccessController;
+import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
@@ -225,4 +226,14 @@
return RunAsIdentityActions.PRIVILEGED.pop();
}
}
+
+ static Principal getCallerPrincipal()
+ {
+ return (Principal)AccessController.doPrivileged(new PrivilegedAction(){
+
+ public Object run()
+ {
+ return SecurityAssociation.getCallerPrincipal();
+ }});
+ }
}
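Review bot: getCallerPrincipal has no Javadoc and uses a raw PrivilegedAction, which is what forces the `(Principal)` cast on the doPrivileged result; `new PrivilegedAction<Principal>() { public Principal run() { return SecurityAssociation.getCallerPrincipal(); } }` removes the cast (generics are available since the surrounding code already uses Java 5 annotations), unless the rest of this file deliberately keeps raw types for consistency, which I cannot see from the hunk. A Javadoc along the lines of `/** Returns the caller principal held by SecurityAssociation, read inside a privileged block so callers of this helper do not need the permission themselves; presumably null when no caller is associated - confirm. */` would document the contract. The SecurityAssociation class is not imported in the visible import hunk, so I assume it is already imported earlier in the file.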