[jboss-cvs] JBossAS SVN: r64736 - in trunk/ejb3: src/main/org/jboss/ejb3 and 11 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Tue Aug 21 11:49:48 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-08-21 11:49:48 -0400 (Tue, 21 Aug 2007)
New Revision: 64736
Added:
trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java
trunk/ejb3/src/main/org/jboss/ejb3/security/PerClassAspectFactoryAdaptor.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorv2.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java
trunk/ejb3/src/resources/test/security5/
trunk/ejb3/src/resources/test/security5/META-INF/
trunk/ejb3/src/resources/test/security5/META-INF/jboss.xml
trunk/ejb3/src/test/org/jboss/ejb3/test/security5/
trunk/ejb3/src/test/org/jboss/ejb3/test/security5/FirstBean.java
trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SecondBean.java
trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleSessionBean.java
trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleSessionInterface.java
trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleStatefulBean.java
trunk/ejb3/src/test/org/jboss/ejb3/test/security5/unit/
trunk/ejb3/src/test/org/jboss/ejb3/test/security5/unit/Security5TestCase.java
Modified:
trunk/ejb3/build-test.xml
trunk/ejb3/build.xml
trunk/ejb3/src/main/org/jboss/ejb3/EJBContextImpl.java
trunk/ejb3/src/main/org/jboss/ejb3/SecurityActions.java
trunk/ejb3/src/main/org/jboss/ejb3/metamodel/EjbJarDDObjectFactory.java
trunk/ejb3/src/main/org/jboss/ejb3/metamodel/EnterpriseBean.java
trunk/ejb3/src/main/org/jboss/ejb3/security/AuthenticationInterceptorFactory.java
trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java
trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorFactory.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java
trunk/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java
trunk/ejb3/src/main/org/jboss/ejb3/session/SessionContextImpl.java
trunk/ejb3/src/resources/test/log4j.xml
trunk/ejb3/src/resources/test/security/META-INF/ejb-jar.xml
trunk/ejb3/src/resources/test/securitydomain/roles.properties
trunk/ejb3/src/resources/test/securitydomain/users.properties
Log:
JBAS-4423:ejb3 security alignment
Modified: trunk/ejb3/build-test.xml
===================================================================
--- trunk/ejb3/build-test.xml 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/build-test.xml 2007-08-21 15:49:48 UTC (rev 64736)
@@ -1235,6 +1235,25 @@
</jar>
</target>
+ <target name="security5"
+ description="Builds all jar files."
+ depends="compile-classes">
+
+ <mkdir dir="${build.lib}"/>
+ <jar jarfile="${build.lib}/security5.jar">
+ <fileset dir="${build.classes}">
+ <include name="org/jboss/ejb3/test/security5/*.class"/>
+ </fileset>
+ <fileset dir="${resources}/test/security5">
+ <include name="META-INF/*.xml"/>
+ </fileset>
+ <fileset dir="${resources}/test/securitydomain">
+ <include name="users.properties"/>
+ <include name="roles.properties"/>
+ </fileset>
+ </jar>
+ </target>
+
<target name="securitydomain"
description="Builds all jar files."
depends="compile-classes">
@@ -3582,7 +3601,7 @@
ejbthree989, ejbthree1020, ejbthree1023,
jaxws,
aspectdomain, ejbcontext, schema, mail, scopedclassloader, dependency,
- securitydomain, enventry,
+ securitydomain, enventry, security5,
jms/managed, naming, bmt, jca/inflowmdb, pool, jms, security, reference21_30, factory, dd/web, txexceptions,
exception, dd/override, stateless, standalone-jar, dd/mdb, bank, dd, longlived, xmlcfg, hbm, pkg, regressionHHH275,
entityexception, asynchronous, consumer, clusteredentity, secondary, stateful, service, lob, cache, initial,
@@ -3665,7 +3684,10 @@
<sysproperty key="java.naming.provider.url" value="${test.jndi.url}"/>
+ <!--
<jvmarg line="${jvmargs}" />
+ <jvmarg line="-Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=/dt_socket,address=8787,server=y,suspend=y"/>
+ -->
<classpath>
<path refid="hibernate.hibernate.classpath"/>
@@ -4377,6 +4399,9 @@
<antcall target="test" inheritRefs="true">
<param name="test" value="securitydomain"/>
</antcall>
+ <antcall target="test" inheritRefs="true">
+ <param name="test" value="security5"/>
+ </antcall>
<antcall target="test" inheritRefs="true">
<param name="test" value="tck5sec"/>
</antcall>
Modified: trunk/ejb3/build.xml
===================================================================
--- trunk/ejb3/build.xml 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/build.xml 2007-08-21 15:49:48 UTC (rev 64736)
@@ -93,6 +93,7 @@
<path refid="junit.junit.classpath"/>
<path refid="jboss.remoting.classpath"/>
<path refid="apache.logging.classpath"/>
+ <path refid="jboss.jboss.jaspi.api.classpath"/>
<path refid="jboss.jboss.security.spi.classpath"/>
<path refid="jboss.jbosssx.classpath"/>
<path refid="jboss.security.int.classpath"/>
Modified: trunk/ejb3/src/main/org/jboss/ejb3/EJBContextImpl.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/EJBContextImpl.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/EJBContextImpl.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -26,6 +26,7 @@
import java.util.Collection;
import java.util.HashSet;
import java.util.Properties;
+import java.util.Set;
import javax.ejb.EJBContext;
import javax.ejb.EJBException;
@@ -39,20 +40,25 @@
import javax.transaction.TransactionManager;
import javax.transaction.UserTransaction;
+import org.jboss.annotation.security.SecurityDomain;
import org.jboss.aop.Advisor;
+import org.jboss.ejb3.metamodel.EnterpriseBean;
import org.jboss.ejb3.tx.TxUtil;
import org.jboss.ejb3.tx.UserTransactionImpl;
import org.jboss.logging.Logger;
-import org.jboss.metamodel.descriptor.SecurityRoleRef;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityContext;
import org.jboss.security.SimplePrincipal;
+import org.jboss.security.integration.ejb.EJBAuthorizationHelper;
+import org.jboss.security.plugins.SecurityContextAssociation;
/**
- * Comment
+ * EJB3 Enterprise Context Implementation
*
* @author <a href="mailto:bill at jboss.org">Bill Burke</a>
+ * @author Anil.Saldhana at redhat.com
* @version $Revision$
*/
public abstract class EJBContextImpl<T extends Container, B extends BeanContext<T>> implements EJBContext
@@ -116,7 +122,7 @@
throw new IllegalStateException("deprecated");
}
- public Principal getCallerPrincipal()
+ /*public Principal getCallerPrincipal()
{
Principal principal = null;
@@ -135,15 +141,73 @@
return principal;
}
+*/
+
+ public Principal getCallerPrincipal()
+ {
+ Principal principal = null;
+
+ RealmMapping rm = container.getSecurityManager(RealmMapping.class);
+
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ EJBAuthorizationHelper helper = new EJBAuthorizationHelper(sc);
+
+ principal = helper.getCallerPrincipal(rm);
+
+ if(principal == null)
+ {
+ //try the incoming principal
+ principal = sc.getUtil().getUserPrincipal();
+ if(rm != null)
+ principal = rm.getPrincipal(principal);
+ }
+
+ if(principal == null)
+ {
+ EJBContainer ec = (EJBContainer) container;
+ SecurityDomain domain =(SecurityDomain)ec.resolveAnnotation(SecurityDomain.class);
+ String unauth = domain.unauthenticatedPrincipal();
+ if(unauth != null && unauth.length() > 0)
+ if(domain.unauthenticatedPrincipal() != null)
+ principal = new SimplePrincipal(unauth);
+ }
+
+ // This method never returns null.
+ if (principal == null)
+ throw new java.lang.IllegalStateException("No valid security context for the caller identity");
+ return principal;
+ }
+
+
@SuppressWarnings("deprecation")
public boolean isCallerInRole(Identity role)
{
throw new IllegalStateException("deprecated");
}
-
+
public boolean isCallerInRole(String roleName)
{
+ EJBContainer ejbc = (EJBContainer)container;
+ Set roleRefs = new HashSet();
+ EnterpriseBean eb = ejbc.getXml();
+ if(eb != null)
+ {
+ Collection srf = eb.getSecurityRoleRefs();
+ if(srf != null)
+ roleRefs.addAll(srf);
+ }
+ Principal principal = getCallerPrincipal();
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ EJBAuthorizationHelper helper = new EJBAuthorizationHelper(sc);
+ return helper.isCallerInRole(roleName,
+ ejbc.getEjbName(),
+ principal,
+ roleRefs);
+ }
+
+ /*public boolean isCallerInRole(String roleName)
+ {
// TODO revert to aspects.security.SecurityContext impl when JBoss AOP 1.1 is out.
Principal principal = getCallerPrincipal();
@@ -190,7 +254,7 @@
java.util.Set roles = getRm().getUserRoles(principal);
return doesUserHaveRole;
- }
+ }*/
public TimerService getTimerService() throws IllegalStateException
{
Modified: trunk/ejb3/src/main/org/jboss/ejb3/SecurityActions.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/SecurityActions.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/SecurityActions.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -28,6 +28,8 @@
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.plugins.SecurityContextAssociation;
/**
* A collection of privileged actions for this package
@@ -151,10 +153,50 @@
AccessController.doPrivileged(action);
}
+ public static void pushRunAs(final RunAsIdentity runAsIdentity)
+ {
+ AccessController.doPrivileged(new PrivilegedAction()
+ {
+ public Object run()
+ {
+ SecurityContext sc = getSecurityContext();
+ sc.setOutgoingRunAs(runAsIdentity);
+ return null;
+ }
+ });
+ }
+
+ public static SecurityContext getSecurityContext()
+ {
+ return (SecurityContext) AccessController.doPrivileged(new PrivilegedAction()
+ {
+
+ public Object run()
+ {
+ return SecurityContextAssociation.getSecurityContext();
+ }
+
+ });
+ }
+
public static RunAsIdentity popRunAsIdentity()
{
return (RunAsIdentity)AccessController.doPrivileged(PopRunAsIdentityAction.ACTION);
}
+
+ public static RunAsIdentity popRunAs()
+ {
+ return (RunAsIdentity)AccessController.doPrivileged(new PrivilegedAction()
+ {
+ public Object run()
+ {
+ SecurityContext sc = getSecurityContext();
+ RunAsIdentity ra = (RunAsIdentity) sc.getOutgoingRunAs();
+ sc.setOutgoingRunAs(null);
+ return ra;
+ }
+ });
+ }
interface TCLAction
{
Modified: trunk/ejb3/src/main/org/jboss/ejb3/metamodel/EjbJarDDObjectFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/metamodel/EjbJarDDObjectFactory.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/metamodel/EjbJarDDObjectFactory.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -36,8 +36,8 @@
import org.jboss.metamodel.descriptor.ResourceEnvRef;
import org.jboss.metamodel.descriptor.ResourceRef;
import org.jboss.metamodel.descriptor.RunAs;
-import org.jboss.metamodel.descriptor.SecurityRole;
-import org.jboss.metamodel.descriptor.SecurityRoleRef;
+import org.jboss.metamodel.descriptor.SecurityRole;
+import org.jboss.security.SecurityRoleRef;
import org.jboss.util.StringPropertyReplacer;
import org.jboss.util.xml.JBossEntityResolver;
import org.jboss.wsf.spi.serviceref.ServiceRefMetaData;
@@ -1311,12 +1311,12 @@
public void setValue(SecurityRoleRef parent, UnmarshallingContext navigator, String namespaceURI, String localName, String value)
{
if (localName.equals("role-name"))
- {
- parent.setRoleName(value);
+ {
+ parent.setName(value);
}
else if (localName.equals("role-link"))
{
- parent.setRoleLink(value);
+ parent.setLink(value);
}
}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/metamodel/EnterpriseBean.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/metamodel/EnterpriseBean.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/metamodel/EnterpriseBean.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -34,7 +34,7 @@
import org.jboss.metamodel.descriptor.MessageDestinationRef;
import org.jboss.metamodel.descriptor.ResourceEnvRef;
import org.jboss.metamodel.descriptor.ResourceRef;
-import org.jboss.metamodel.descriptor.SecurityRoleRef;
+import org.jboss.security.SecurityRoleRef;
/**
* Represents an EJB element of the ejb-jar.xml deployment descriptor for the
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/AuthenticationInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/AuthenticationInterceptorFactory.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/AuthenticationInterceptorFactory.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -22,48 +22,29 @@
package org.jboss.ejb3.security;
import org.jboss.aop.Advisor;
-import org.jboss.aop.InstanceAdvisor;
import org.jboss.aop.advice.AspectFactory;
-import org.jboss.aop.joinpoint.Joinpoint;
import org.jboss.ejb3.Container;
import org.jboss.logging.Logger;
import org.jboss.security.AuthenticationManager;
-public class AuthenticationInterceptorFactory implements AspectFactory
+/**
+ * Authentication Interceptor Factory
+ * @author bill.burke at jboss.org
+ * @author Anil.Saldhana at redhat.com
+ */
+public class AuthenticationInterceptorFactory extends PerClassAspectFactoryAdaptor
+implements AspectFactory
{
private static final Logger log = Logger.getLogger(AuthenticationInterceptorFactory.class);
- public Object createPerVM()
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
public Object createPerClass(Advisor advisor)
{
Container container = (Container)advisor;
AuthenticationManager manager = container.getSecurityManager(AuthenticationManager.class);
log.debug("Creating interceptor with authentication manager '" + manager + "'" + (manager != null ? " (security domain '" + manager.getSecurityDomain() + "')" : ""));
- return new Ejb3AuthenticationInterceptor(manager, container);
- }
-
- public Object createPerInstance(Advisor advisor, InstanceAdvisor instanceAdvisor)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public Object createPerJoinpoint(Advisor advisor, Joinpoint jp)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public Object createPerJoinpoint(Advisor advisor, InstanceAdvisor instanceAdvisor, Joinpoint jp)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public String getName()
- {
- return getClass().getName();
+ //return new Ejb3AuthenticationInterceptor(manager, container);
+
+ return new Ejb3AuthenticationInterceptorv2(container);
}
}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -23,8 +23,6 @@
import java.security.GeneralSecurityException;
import java.security.Principal;
-import java.util.HashSet;
-import java.util.Set;
import javax.ejb.EJBAccessException;
import javax.security.auth.Subject;
Added: trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java (rev 0)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,195 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.security;
+
+import java.security.Principal;
+
+import javax.ejb.EJBAccessException;
+import javax.security.auth.Subject;
+
+import org.jboss.annotation.security.SecurityDomain;
+import org.jboss.aop.advice.Interceptor;
+import org.jboss.aop.joinpoint.Invocation;
+import org.jboss.aop.joinpoint.MethodInvocation;
+import org.jboss.aspects.remoting.InvokeRemoteInterceptor;
+import org.jboss.ejb3.Container;
+import org.jboss.ejb3.EJBContainer;
+import org.jboss.logging.Logger;
+import org.jboss.remoting.InvokerLocator;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityIdentity;
+import org.jboss.security.SimplePrincipal;
+import org.jboss.security.integration.ejb.EJBAuthenticationHelper;
+
+//$Id$
+
+/**
+ * Authentication Interceptor
+ * @author <a href="mailto:bill at jboss.org">Bill Burke</a>
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 16, 2007
+ * @version $Revision$
+ */
+public class Ejb3AuthenticationInterceptorv2 implements Interceptor
+{
+ protected Logger log = Logger.getLogger(this.getClass());
+ private EJBContainer container;
+
+ public Ejb3AuthenticationInterceptorv2(Container container)
+ {
+ this.container = (EJBContainer) container;
+ }
+
+ public String getName()
+ {
+ return getClass().getName();
+ }
+
+ public Object invoke(Invocation invocation) throws Throwable
+ {
+ SecurityIdentity si = null;
+ SecurityContext sc = null;
+
+ SecurityDomain domain = (SecurityDomain)container.resolveAnnotation(SecurityDomain.class);
+ /**
+ * TODO: Decide if you want to allow zero security based on non-availability
+ * of a security domain, as per the configuration on the container
+ */
+ if(domain != null)
+ {
+ SecurityContext existingSC = null;
+ Principal p = null;
+ Object cred = null;
+
+ if(isLocalCall((MethodInvocation) invocation))
+ {
+ existingSC = SecurityActions.getSecurityContext();
+ if(existingSC == null)
+ throw new IllegalStateException("Security Context null on Local call");
+ si = existingSC.getUtil().getSecurityIdentity();
+ }
+ else
+ {
+ existingSC = (SecurityContext) invocation.getMetaData("security","context");
+ if(existingSC == null)
+ throw new IllegalStateException("Security Context has not been set");
+
+ p = existingSC.getUtil().getUserPrincipal();
+ cred = existingSC.getUtil().getCredential();
+ sc = SecurityActions.createSecurityContext(p,
+ cred, null, domain.value());
+ //Set the security context
+ SecurityActions.setSecurityContext(sc);
+ }
+
+ sc = SecurityActions.getSecurityContext();
+
+ // SecurityContext sc = prepareSecurityContext((MethodInvocation) invocation, domain.value());
+
+ //Check if there is a RunAs configured and can be trusted
+ EJBAuthenticationHelper helper = new EJBAuthenticationHelper(sc);
+ boolean trustedCaller = helper.isTrusted();
+ if(!trustedCaller)
+ {
+ if(helper.isTrustDenied())
+ throw new EJBAccessException("Untrusted Caller");
+ Subject subject = new Subject();
+ /**
+ * Special Case: Invocation has no principal set,
+ * but an unauthenticatedPrincipal has been configured in JBoss DD
+ */
+ String unauthenticatedPrincipal = domain.unauthenticatedPrincipal();
+ if(sc.getUtil().getUserPrincipal() == null && unauthenticatedPrincipal !=null &&
+ unauthenticatedPrincipal.length() > 0)
+ {
+ Principal uPrincipal = new SimplePrincipal(unauthenticatedPrincipal);
+ sc.getSubjectInfo().setAuthenticationPrincipal(uPrincipal);
+ subject.getPrincipals().add(uPrincipal);
+ }
+ else
+ {
+ //Authenticate the caller now
+ if(!helper.isValid(subject))
+ throw new EJBAccessException("Invalid User");
+ }
+ helper.pushSubjectContext(subject);
+ }
+ else
+ {
+ //Trusted caller. No need for authentication. Straight to authorization
+ }
+ }
+ try
+ {
+ SecurityActions.pushCallerRunAsIdentity(sc.getOutgoingRunAs());
+
+ return invocation.invokeNext();
+ }
+ finally
+ {
+ if(isLocalCall((MethodInvocation) invocation) && si != null)
+ SecurityActions.getSecurityContext().getUtil().setSecurityIdentity(si);
+ }
+ }
+
+ private SecurityContext prepareSecurityContext(MethodInvocation mi, String secDomain)
+ {
+ SecurityContext sc = null;
+ Principal p = null;
+ Object cred = null;
+
+ InvokerLocator locator = (InvokerLocator) mi.getMetaData(InvokeRemoteInterceptor.REMOTING,
+ InvokeRemoteInterceptor.INVOKER_LOCATOR);
+
+ if(locator == null)
+ {
+ //Local Call
+ SecurityContext currentSc = SecurityActions.getSecurityContext();
+ if(currentSc == null)
+ throw new IllegalStateException("Security Context null on Local call");
+ p = currentSc.getUtil().getUserPrincipal();
+ cred = currentSc.getUtil().getCredential();
+ }
+ else
+ {
+ //Remote Call
+ SecurityContext invsc = (SecurityContext) mi.getMetaData("security","context");
+ if(invsc == null)
+ throw new IllegalStateException("Security Context has not been set");
+
+ p = invsc.getUtil().getUserPrincipal();
+ cred = invsc.getUtil().getCredential();
+ }
+ sc = SecurityActions.createSecurityContext(p, cred, null, secDomain);
+
+ //Set the security context
+ SecurityActions.setSecurityContext(sc);
+ return sc;
+ }
+
+ private boolean isLocalCall(MethodInvocation mi)
+ {
+ InvokerLocator locator = (InvokerLocator) mi.getMetaData(InvokeRemoteInterceptor.REMOTING,
+ InvokeRemoteInterceptor.INVOKER_LOCATOR);
+ return locator == null;
+ }
+}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -25,33 +25,26 @@
import java.security.CodeSource;
import org.jboss.aop.Advisor;
-import org.jboss.aop.InstanceAdvisor;
import org.jboss.aop.advice.AspectFactory;
-import org.jboss.aop.joinpoint.Joinpoint;
import org.jboss.ejb3.Container;
import org.jboss.ejb3.EJBContainer;
import org.jboss.security.RealmMapping;
/**
+ * JACC Authorization Interceptor factory
* @author <a href="mailto:kabir.khan at jboss.org">Kabir Khan</a>
* @author Anil.Saldhana at jboss.org
* @version $Revision$
*/
-public class JaccAuthorizationInterceptorFactory implements AspectFactory
-{
- public Object createPerVM()
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
+public class JaccAuthorizationInterceptorFactory extends PerClassAspectFactoryAdaptor
+implements AspectFactory
+{
public Object createPerClass(Advisor advisor)
{
try
{
String contextID = (String) advisor.getDefaultMetaData().getMetaData("JACC", "ctx");
-
- //TODO: Get codesource
-
+
CodeSource ejbCS = advisor.getClazz().getProtectionDomain().getCodeSource();
String ejbName = ((EJBContainer)advisor).getEjbName();
@@ -63,27 +56,7 @@
{
throw new RuntimeException(e);
}
- }
-
- public Object createPerInstance(Advisor advisor, InstanceAdvisor instanceAdvisor)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public Object createPerJoinpoint(Advisor advisor, Joinpoint jp)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public Object createPerJoinpoint(Advisor advisor, InstanceAdvisor instanceAdvisor, Joinpoint jp)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public String getName()
- {
- return getClass().getName();
- }
+ }
protected RealmMapping getSecurityManager(Advisor advisor)
{
Added: trunk/ejb3/src/main/org/jboss/ejb3/security/PerClassAspectFactoryAdaptor.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/PerClassAspectFactoryAdaptor.java (rev 0)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/PerClassAspectFactoryAdaptor.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,70 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.security;
+
+import org.jboss.aop.Advisor;
+import org.jboss.aop.InstanceAdvisor;
+import org.jboss.aop.advice.AspectFactory;
+import org.jboss.aop.joinpoint.Joinpoint;
+
+//$Id$
+
+/**
+ * Adaptor class that throws Runtime Exception
+ * for all Non_PerClass create requests
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 14, 2007
+ * @version $Revision$
+ */
+public abstract class PerClassAspectFactoryAdaptor implements AspectFactory
+{
+ private RuntimeException rte = new RuntimeException("Only PER_CLASS supported in " +
+ "this interceptor factory");
+
+ public abstract Object createPerClass(Advisor advisor);
+
+ public Object createPerInstance(Advisor advisor, InstanceAdvisor instanceAdvisor)
+ {
+ throw rte;
+ }
+
+ public Object createPerJoinpoint(Advisor advisor, Joinpoint jp)
+ {
+ throw rte;
+ }
+
+ public Object createPerJoinpoint(Advisor advisor,
+ InstanceAdvisor instanceAdvisor, Joinpoint jp)
+ {
+ throw rte;
+ }
+
+ public Object createPerVM()
+ {
+ throw rte;
+ }
+
+ public String getName()
+ {
+ return getClass().getName();
+ }
+}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorFactory.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorFactory.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -21,22 +21,28 @@
*/
package org.jboss.ejb3.security;
+import java.security.CodeSource;
+
import javax.naming.InitialContext;
import javax.naming.NamingException;
+
import org.jboss.aop.Advisor;
-import org.jboss.aop.InstanceAdvisor;
import org.jboss.aop.advice.AspectFactory;
-import org.jboss.aop.joinpoint.Joinpoint;
+import org.jboss.ejb3.Container;
+import org.jboss.ejb3.EJBContainer;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RealmMapping;
-import org.jboss.ejb3.Container;
-public class RoleBasedAuthorizationInterceptorFactory implements AspectFactory
-{
- public Object createPerVM()
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
+/**
+ * Role Based AuthorizationInterceptor factory
+ * @author <a href="mailto:bill at jboss.org">Bill Burke</a>
+ * @author Anil.Saldhana at jboss.org
+ * @version $Revision$
+ *
+ */
+public class RoleBasedAuthorizationInterceptorFactory extends PerClassAspectFactoryAdaptor
+implements AspectFactory
+{
public Object createPerClass(Advisor advisor)
{
@@ -55,28 +61,10 @@
AuthenticationManager manager = (AuthenticationManager) domain;
RealmMapping mapping = (RealmMapping) domain;
if (manager == null) throw new RuntimeException("Unable to find Security Domain");
- return new RoleBasedAuthorizationInterceptor(manager, mapping, container);
- }
-
- public Object createPerInstance(Advisor advisor, InstanceAdvisor instanceAdvisor)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public Object createPerJoinpoint(Advisor advisor, Joinpoint jp)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public Object createPerJoinpoint(Advisor advisor, InstanceAdvisor instanceAdvisor, Joinpoint jp)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public String getName()
- {
- return getClass().getName();
+ //return new RoleBasedAuthorizationInterceptor(manager, mapping, container);
+ CodeSource ejbCS = advisor.getClazz().getProtectionDomain().getCodeSource();
+ String ejbName = ((EJBContainer)advisor).getEjbName();
+ return new RoleBasedAuthorizationInterceptorv2(container, ejbCS, ejbName);
}
-
}
Added: trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorv2.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorv2.java (rev 0)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorv2.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,179 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.security;
+
+import java.lang.reflect.Method;
+import java.security.CodeSource;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.annotation.security.DenyAll;
+import javax.annotation.security.PermitAll;
+import javax.annotation.security.RolesAllowed;
+import javax.ejb.EJBAccessException;
+
+import org.jboss.annotation.security.SecurityDomain;
+import org.jboss.aop.advice.Interceptor;
+import org.jboss.aop.joinpoint.Invocation;
+import org.jboss.aop.joinpoint.MethodInvocation;
+import org.jboss.aspects.remoting.InvokeRemoteInterceptor;
+import org.jboss.ejb3.Container;
+import org.jboss.ejb3.EJBContainer;
+import org.jboss.logging.Logger;
+import org.jboss.remoting.InvokerLocator;
+import org.jboss.security.AnybodyPrincipal;
+import org.jboss.security.NobodyPrincipal;
+import org.jboss.security.RunAsIdentity;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SimplePrincipal;
+import org.jboss.security.integration.ejb.EJBAuthorizationHelper;
+
+/**
+ * The RoleBasedAuthorizationInterceptor checks that the caller principal is
+ * authorized to call a method by verifing that it contains at least one
+ * of the required roled.
+ *
+ * @author <a href="bill at jboss.org">Bill Burke</a>
+ * @author Anil.Saldhana at redhat.com
+ * @version $Revision: 62539 $
+ */
+public final class RoleBasedAuthorizationInterceptorv2 implements Interceptor
+{
+ private static final Logger log = Logger.getLogger(RoleBasedAuthorizationInterceptorv2.class);
+
+ private EJBContainer container;
+
+ private CodeSource ejbCS;
+
+ private String ejbName;
+
+ public RoleBasedAuthorizationInterceptorv2(Container container,
+ CodeSource ejbCS, String ejbName)
+ {
+ this.container = (EJBContainer)container;
+ this.ejbCS = ejbCS;
+ this.ejbName = ejbName;
+ }
+
+ protected Set getRoleSet(Invocation invocation)
+ {
+ Method method = ((MethodInvocation)invocation).getActualMethod();
+
+ Class[] classes = new Class[]{DenyAll.class, PermitAll.class, RolesAllowed.class};
+
+ Object annotation = container.resolveAnnotation(method, classes);
+
+ int classIndex = 0;
+ while (annotation == null && classIndex < 3)
+ {
+ annotation = container.resolveAnnotation(classes[classIndex++]);
+ }
+
+ HashSet set = new HashSet();
+ if (annotation != null)
+ {
+ if (annotation instanceof DenyAll)
+ {
+ set.add(NobodyPrincipal.NOBODY_PRINCIPAL);
+ }
+ else if (annotation instanceof PermitAll)
+ {
+ set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
+ }
+ else if (annotation instanceof RolesAllowed)
+ {
+ RolesAllowed permissions = (RolesAllowed) annotation;
+ for (int i = 0; i < permissions.value().length; i++)
+ {
+ set.add(new SimplePrincipal(permissions.value()[i]));
+ }
+ }
+ else
+ set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
+ }
+ else
+ set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
+
+ return set;
+ }
+
+ public Object invoke(Invocation invocation) throws Throwable
+ {
+ MethodInvocation mi = (MethodInvocation)invocation;
+ try
+ {
+ SecurityDomain domain = (SecurityDomain)container.resolveAnnotation(SecurityDomain.class);
+
+ if(domain != null)
+ {
+ SecurityContext sc = SecurityActions.getSecurityContext();
+ if(sc == null)
+ throw new IllegalStateException("Security Context has not been set");
+ Set methodRoles = getRoleSet(invocation);
+ if (methodRoles == null)
+ {
+ /*
+ REVISIT: for better message
+ String message = "No method permissions assigned. to " +
+ "method=" + invocation.getMethod().getName() +
+ ", interface=" + invocation.getType();
+ */
+ String message = "No method permissions assigned.";
+ log.error(message);
+ throw new SecurityException(message);
+ }
+
+ InvokerLocator locator = (InvokerLocator) invocation.getMetaData(InvokeRemoteInterceptor.REMOTING,
+ InvokeRemoteInterceptor.INVOKER_LOCATOR);
+
+ String iface = (locator != null) ? "Remote" : "Local";
+
+
+ RunAsIdentity callerRunAs = SecurityActions.peekRunAsIdentity();
+
+ EJBAuthorizationHelper helper = new EJBAuthorizationHelper(sc);
+ boolean isAuthorized = helper.authorize(ejbName,
+ mi.getMethod(),
+ sc.getUtil().getUserPrincipal(),
+ iface,
+ ejbCS,
+ sc.getUtil().getSubject(),
+ callerRunAs,
+ methodRoles);
+ if(!isAuthorized)
+ throw new EJBAccessException("Caller unauthorized");
+ }
+ return invocation.invokeNext();
+ }
+ catch (SecurityException throwable)
+ {
+ log.debug("Authorization failure", throwable);
+ throw new EJBAccessException("Authorization failure");
+ } finally {
+ }
+ }
+
+ public String getName()
+ {
+ return getClass().getName();
+ }
+}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -30,10 +30,8 @@
import org.jboss.annotation.security.RunAsPrincipal;
import org.jboss.annotation.security.SecurityDomain;
import org.jboss.aop.Advisor;
-import org.jboss.aop.InstanceAdvisor;
import org.jboss.aop.advice.AspectFactory;
import org.jboss.aop.advice.Interceptor;
-import org.jboss.aop.joinpoint.Joinpoint;
import org.jboss.ejb3.EJBContainer;
import org.jboss.ejb3.metamodel.AssemblyDescriptor;
import org.jboss.ejb3.tx.NullInterceptor;
@@ -42,16 +40,17 @@
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAsIdentity;
-public class RunAsSecurityInterceptorFactory implements AspectFactory
+/**
+ * RunAs interceptor factory
+ * @author <a href="mailto:bill at jboss.org">Bill Burke</a>
+ * @author Anil.Saldhana at jboss.org
+ * @version $Revision$
+ */
+public class RunAsSecurityInterceptorFactory extends PerClassAspectFactoryAdaptor
+implements AspectFactory
{
private static final Logger log = Logger.getLogger(RunAsSecurityInterceptorFactory.class);
-
- public Object createPerVM()
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
-
+
protected RunAsIdentity getRunAsIdentity(EJBContainer container)
{
RunAs runAs = (RunAs) container.resolveAnnotation(RunAs.class);
@@ -102,29 +101,11 @@
{
AuthenticationManager manager = (AuthenticationManager) domain;
RealmMapping mapping = (RealmMapping) domain;
- interceptor = new RunAsSecurityInterceptor(manager, mapping, getRunAsIdentity(container));
+ //interceptor = new RunAsSecurityInterceptor(manager, mapping, getRunAsIdentity(container));
+
+ interceptor = new RunAsSecurityInterceptorv2(getRunAsIdentity(container));
}
return interceptor;
- }
-
- public Object createPerInstance(Advisor advisor, InstanceAdvisor instanceAdvisor)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public Object createPerJoinpoint(Advisor advisor, Joinpoint jp)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public Object createPerJoinpoint(Advisor advisor, InstanceAdvisor instanceAdvisor, Joinpoint jp)
- {
- throw new RuntimeException("PER_VM not supported for this interceptor factory, only PER_CLASS");
- }
-
- public String getName()
- {
- return getClass().getName();
- }
+ }
}
Added: trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java (rev 0)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,92 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.security;
+
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+import org.jboss.aop.advice.Interceptor;
+import org.jboss.aop.joinpoint.Invocation;
+import org.jboss.aop.joinpoint.MethodInvocation;
+import org.jboss.ejb3.SecurityActions;
+import org.jboss.logging.Logger;
+import org.jboss.security.RunAsIdentity;
+import org.jboss.security.SecurityAssociation;
+
+/**
+ * An interceptor that enforces the run-as identity declared by a bean.
+ *
+ * @author <a href="mailto:bill at jboss.org">Bill Burke</a>.
+ * @author Anil.Saldhana at redhat.com
+ * @version $Revision: 61914 $
+ */
+public class RunAsSecurityInterceptorv2 implements Interceptor
+{
+ private static final Logger log = Logger.getLogger(RunAsSecurityInterceptorv2.class);
+ private RunAsIdentity runAsIdentity;
+
+ public RunAsSecurityInterceptorv2(RunAsIdentity id)
+ {
+ this.runAsIdentity = id;
+ }
+
+ protected RunAsIdentity getRunAsIdentity(Invocation invocation)
+ {
+ MethodInvocation mi = (MethodInvocation)invocation;
+ return runAsIdentity;
+ }
+
+ public Object invoke(Invocation invocation) throws Throwable
+ {
+ Subject previousSubject = null;
+ try
+ {
+ RunAsIdentity runAsIdentity = getRunAsIdentity(invocation);
+ SecurityActions.pushRunAs(runAsIdentity);
+
+ runAsIdentity = SecurityActions.peekRunAsIdentity(1);
+ if (runAsIdentity != null)
+ {
+ previousSubject = SecurityActions.getActiveSubject();
+ Set newPrincipals = runAsIdentity.getPrincipalsSet();
+ Subject newSubject = new Subject(false, newPrincipals, new HashSet(), new HashSet());
+ SecurityAssociation.setSubject(newSubject);
+ }
+
+ return invocation.invokeNext();
+ }
+ finally
+ {
+ if (previousSubject != null)
+ SecurityAssociation.setSubject(previousSubject);
+
+ SecurityActions.popRunAs();
+ }
+ }
+
+ public String getName()
+ {
+ return getClass().getName();
+ }
+}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/SecurityActions.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -31,8 +31,12 @@
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
+import org.jboss.security.RunAs;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.plugins.SecurityContextAssociation;
+import org.jboss.security.plugins.SecurityContextFactory;
/**
@@ -249,4 +253,91 @@
return SecurityAssociation.getCallerPrincipal();
}});
}
+
+ static SecurityContext createSecurityContext(final String domainName)
+ {
+ return (SecurityContext)AccessController.doPrivileged(new PrivilegedAction(){
+
+ public Object run()
+ {
+ return SecurityContextFactory.createSecurityContext(domainName);
+ }});
+ }
+
+ static SecurityContext createSecurityContext(final Principal p, final Object cred,
+ final Subject s, final String domainName)
+ {
+ return (SecurityContext)AccessController.doPrivileged(new PrivilegedAction(){
+
+ public Object run()
+ {
+ return SecurityContextFactory.createSecurityContext(p, cred,s,domainName);
+ }});
+ }
+
+
+ static SecurityContext getSecurityContext()
+ {
+ return (SecurityContext)AccessController.doPrivileged(new PrivilegedAction(){
+
+ public Object run()
+ {
+ return SecurityContextAssociation.getSecurityContext();
+ }});
+ }
+
+ static void setSecurityContext(final SecurityContext sc)
+ {
+ AccessController.doPrivileged(new PrivilegedAction(){
+
+ public Object run()
+ {
+ SecurityContextAssociation.setSecurityContext(sc);
+ return null;
+ }});
+ }
+
+ static void pushSubjectContext(final Principal p, final Object cred, final Subject s)
+ {
+ AccessController.doPrivileged(new PrivilegedAction(){
+
+ public Object run()
+ {
+ SecurityContext sc = getSecurityContext();
+ if(sc == null)
+ throw new IllegalStateException("Security Context is null");
+ sc.getUtil().createSubjectInfo(p, cred, s);
+ return null;
+ }}
+ );
+ }
+
+ static void pushCallerRunAsIdentity(final RunAs ra)
+ {
+ AccessController.doPrivileged(new PrivilegedAction(){
+ public Object run()
+ {
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ if(sc == null)
+ throw new IllegalStateException("Security Context is null");
+ sc.setIncomingRunAs(ra);
+ return null;
+ }
+ });
+ }
+
+
+ public static void popCallerRunAsIdentity()
+ {
+ AccessController.doPrivileged(new PrivilegedAction(){
+ public Object run()
+ {
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ if(sc == null)
+ throw new IllegalStateException("Security Context is null");
+ sc.setIncomingRunAs(null);
+ return null;
+ }
+ });
+ }
}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/session/SessionContextImpl.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/session/SessionContextImpl.java 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/main/org/jboss/ejb3/session/SessionContextImpl.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -68,7 +68,6 @@
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimplePrincipal;
-import org.jboss.metamodel.descriptor.SecurityRoleRef;
/**
* Comment
Modified: trunk/ejb3/src/resources/test/log4j.xml
===================================================================
--- trunk/ejb3/src/resources/test/log4j.xml 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/resources/test/log4j.xml 2007-08-21 15:49:48 UTC (rev 64736)
@@ -140,6 +140,10 @@
</category>
-->
+ <category name="org.jboss.security">
+ <priority value="TRACE" class="org.jboss.logging.XLevel"/>
+ </category>
+
<category name="org.jboss.tm">
<priority value="TRACE" class="org.jboss.logging.XLevel"/>
</category>
Modified: trunk/ejb3/src/resources/test/security/META-INF/ejb-jar.xml
===================================================================
--- trunk/ejb3/src/resources/test/security/META-INF/ejb-jar.xml 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/resources/test/security/META-INF/ejb-jar.xml 2007-08-21 15:49:48 UTC (rev 64736)
@@ -1,14 +1,17 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
-<ejb-jar
- xmlns="http://java.sun.com/xml/ns/javaee"
+xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd"
- version="3.0">
+ version="3.0"
+
<display-name>SecurityTests</display-name>
<enterprise-beans>
<session>
<ejb-name>CallerBean</ejb-name>
+ <ejb-class>org.jboss.ejb3.test.security.CallerBean</ejb-class>
+ <session-type>Stateless</session-type>
+ <transaction-type>Container</transaction-type>
<security-role-ref>
<role-name>EchoCaller</role-name>
<role-link>Echo</role-link>
@@ -16,6 +19,9 @@
</session>
<session>
<ejb-name>CallerBean2</ejb-name>
+ <ejb-class>org.jboss.ejb3.test.security.CallerBean2</ejb-class>
+ <session-type>Stateless</session-type>
+ <transaction-type>Container</transaction-type>
<security-role-ref>
<role-name>EchoCaller</role-name>
<role-link>Echo</role-link>
@@ -23,10 +29,18 @@
</session>
<session>
<ejb-name>CallerFacadeTargetSFSB</ejb-name>
+ <ejb-class>org.jboss.ejb3.test.security.CallerFacadeBean</ejb-class>
+ <session-type>Stateless</session-type>
+ <transaction-type>Container</transaction-type>
<security-role-ref>
<role-name>EchoCaller</role-name>
<role-link>Echo</role-link>
</security-role-ref>
</session>
- </enterprise-beans>
+ </enterprise-beans>
+ <assembly-descriptor>
+ <security-role>
+ <role-name>Echo</role-name>
+ </security-role>
+ </assembly-descriptor>
</ejb-jar>
Added: trunk/ejb3/src/resources/test/security5/META-INF/jboss.xml
===================================================================
--- trunk/ejb3/src/resources/test/security5/META-INF/jboss.xml (rev 0)
+++ trunk/ejb3/src/resources/test/security5/META-INF/jboss.xml 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,3 @@
+<jboss>
+ <security-domain>other</security-domain>
+</jboss>
Modified: trunk/ejb3/src/resources/test/securitydomain/roles.properties
===================================================================
--- trunk/ejb3/src/resources/test/securitydomain/roles.properties 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/resources/test/securitydomain/roles.properties 2007-08-21 15:49:48 UTC (rev 64736)
@@ -1 +1,2 @@
-somebody=allowed
\ No newline at end of file
+somebody=allowed
+scott=Echo
Modified: trunk/ejb3/src/resources/test/securitydomain/users.properties
===================================================================
--- trunk/ejb3/src/resources/test/securitydomain/users.properties 2007-08-21 15:31:21 UTC (rev 64735)
+++ trunk/ejb3/src/resources/test/securitydomain/users.properties 2007-08-21 15:49:48 UTC (rev 64736)
@@ -1 +1,2 @@
somebody=password
+scott=echoman
Added: trunk/ejb3/src/test/org/jboss/ejb3/test/security5/FirstBean.java
===================================================================
--- trunk/ejb3/src/test/org/jboss/ejb3/test/security5/FirstBean.java (rev 0)
+++ trunk/ejb3/src/test/org/jboss/ejb3/test/security5/FirstBean.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.test.security5;
+
+import javax.annotation.security.RolesAllowed;
+import javax.annotation.security.RunAs;
+import javax.ejb.Local;
+import javax.ejb.Stateless;
+import javax.naming.InitialContext;
+
+
+//$Id$
+
+/**
+ * First Level Bean that defines runAs on some methods
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 20, 2007
+ * @version $Revision$
+ */
+
+ at Stateless
+ at Local(SimpleSessionInterface.class)
+ at RunAs("InternalRole")
+public class FirstBean extends SimpleSessionBean
+{
+ private InitialContext context = null;
+
+ @RolesAllowed({"InternalRole"})
+ public String echo(String arg)
+ {
+ SimpleSessionInterface ssi = null;
+ try
+ {
+ context = new InitialContext();
+ String jndiName = "SecondBean/local";
+ ssi = (SimpleSessionInterface)context.lookup(jndiName);
+ }
+ catch(Exception e)
+ {
+ throw new RuntimeException(e);
+ }
+ String str = ssi.echo(arg);
+ System.out.println("RESPONSE FROM SECOND BEAN="+str);
+ if(str.equals(arg) == false)
+ throw new IllegalStateException("Second Bean returned:"+str);
+ return arg;
+ }
+}
Added: trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SecondBean.java
===================================================================
--- trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SecondBean.java (rev 0)
+++ trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SecondBean.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,48 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.test.security5;
+
+import javax.annotation.security.RolesAllowed;
+import javax.ejb.Local;
+import javax.ejb.Stateless;
+import javax.naming.InitialContext;
+
+//$Id$
+
+/**
+ * Second Bean that is invoked by the First Bean
+ * via run-as
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 20, 2007
+ * @version $Revision$
+ */
+ at Local(SimpleSessionInterface.class)
+ at RolesAllowed({"InternalRole"})
+ at Stateless
+public class SecondBean extends SimpleSessionBean
+{
+ @RolesAllowed({"InternalRole"})
+ public String echo(String arg)
+ {
+ return arg;
+ }
+}
Added: trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleSessionBean.java
===================================================================
--- trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleSessionBean.java (rev 0)
+++ trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleSessionBean.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,78 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.test.security5;
+
+import java.security.Principal;
+
+import javax.annotation.Resource;
+import javax.annotation.security.RolesAllowed;
+import javax.annotation.security.RunAs;
+import javax.ejb.Remote;
+import javax.ejb.SessionContext;
+import javax.ejb.Stateless;
+import javax.naming.InitialContext;
+
+//$Id$
+
+/**
+ * EJB3 Session Bean
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 16, 2007
+ * @version $Revision$
+ */
+ at Stateless(name="SimpleStatelessBean")
+ at Remote
+ at RunAs("InternalRole")
+public class SimpleSessionBean implements SimpleSessionInterface
+{
+ @Resource SessionContext sessionContext;
+
+ @RolesAllowed({"Echo"})
+ public String echo(String arg)
+ {
+ SimpleSessionInterface ssi = null;
+ try
+ {
+ InitialContext context = new InitialContext();
+ String jndiName = "FirstBean/local";
+ ssi = (SimpleSessionInterface)context.lookup(jndiName);
+ }
+ catch(Exception e)
+ {
+ throw new RuntimeException(e);
+ }
+ String str = ssi.echo(arg);
+ if(str.equals(arg) == false)
+ throw new IllegalStateException("First Bean returned:"+str);
+ return arg;
+ }
+
+ public Principal echoCallerPrincipal()
+ {
+ return sessionContext.getCallerPrincipal();
+ }
+
+ public boolean isCallerInRole(String roleName)
+ {
+ return sessionContext.isCallerInRole(roleName);
+ }
+}
Added: trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleSessionInterface.java
===================================================================
--- trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleSessionInterface.java (rev 0)
+++ trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleSessionInterface.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,39 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.test.security5;
+
+import java.security.Principal;
+
+//$Id$
+
+/**
+ * Interface for session bean
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 16, 2007
+ * @version $Revision$
+ */
+public interface SimpleSessionInterface
+{
+ public String echo(String arg);
+ public Principal echoCallerPrincipal();
+ public boolean isCallerInRole(String roleName);
+}
Added: trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleStatefulBean.java
===================================================================
--- trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleStatefulBean.java (rev 0)
+++ trunk/ejb3/src/test/org/jboss/ejb3/test/security5/SimpleStatefulBean.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,77 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.test.security5;
+
+import java.security.Principal;
+
+import javax.annotation.Resource;
+import javax.annotation.security.RolesAllowed;
+import javax.annotation.security.RunAs;
+import javax.ejb.Remote;
+import javax.ejb.SessionContext;
+import javax.ejb.Stateful;
+import javax.naming.InitialContext;
+
+//$Id$
+
+/**
+ * EJB3 Session Bean
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 16, 2007
+ * @version $Revision$
+ */
+ at Stateful(name="SimpleStatefulBean")
+ at Remote
+ at RunAs("InternalRole")
+public class SimpleStatefulBean implements SimpleSessionInterface
+{
+ @Resource SessionContext sessionContext;
+
+ @RolesAllowed({"Echo"})
+ public String echo(String arg)
+ {
+ try
+ {
+ InitialContext context = new InitialContext();
+ String jndiName = "FirstBean/local";
+ SimpleSessionInterface ssi = (SimpleSessionInterface)context.lookup(jndiName);
+ String str = ssi.echo(arg);
+ if(str.equals(arg) == false)
+ throw new IllegalStateException("First Bean returned:"+str);
+ }
+ catch(Exception e)
+ {
+ throw new RuntimeException(e);
+ }
+ return arg;
+ }
+
+ public Principal echoCallerPrincipal()
+ {
+ return sessionContext.getCallerPrincipal();
+ }
+
+ public boolean isCallerInRole(String roleName)
+ {
+ return sessionContext.isCallerInRole(roleName);
+ }
+}
Added: trunk/ejb3/src/test/org/jboss/ejb3/test/security5/unit/Security5TestCase.java
===================================================================
--- trunk/ejb3/src/test/org/jboss/ejb3/test/security5/unit/Security5TestCase.java (rev 0)
+++ trunk/ejb3/src/test/org/jboss/ejb3/test/security5/unit/Security5TestCase.java 2007-08-21 15:49:48 UTC (rev 64736)
@@ -0,0 +1,110 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.test.security5.unit;
+
+import javax.ejb.EJBAccessException;
+import javax.naming.InitialContext;
+
+import junit.framework.Test;
+
+import org.jboss.ejb3.test.security5.SimpleSessionInterface;
+import org.jboss.security.auth.callback.AppCallbackHandler;
+import org.jboss.security.client.SecurityClient;
+import org.jboss.security.client.SecurityClientFactory;
+import org.jboss.test.JBossTestCase;
+
+//$Id$
+
+/**
+ * Test case for JBoss Security
+ *
+ * No JBoss Specific annotations are used.
+ * Customization to be done via jboss.xml
+ *
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 16, 2007
+ * @version $Revision$
+ */
+public class Security5TestCase extends JBossTestCase
+{
+ private InitialContext context = null;
+ private SecurityClient client = null;
+
+ @Override
+ protected void setUp() throws Exception
+ {
+ super.setUp();
+ client = SecurityClientFactory.getSecurityClient();
+ context = new InitialContext();
+ }
+
+ public Security5TestCase(String name)
+ {
+ super(name);
+ }
+
+ public void testStateless() throws Exception
+ {
+ String jndiName = "SimpleStatelessBean/remote";
+ checkSessionBean((SimpleSessionInterface)context.lookup(jndiName));
+ }
+
+ public void testStateful() throws Exception
+ {
+ String jndiName = "SimpleStatefulBean/remote";
+ checkSessionBean((SimpleSessionInterface)context.lookup(jndiName));
+ }
+
+ private void checkSessionBean(SimpleSessionInterface ssi) throws Exception
+ {
+ client.logout();
+ AppCallbackHandler acbh = new AppCallbackHandler("scott","echoman".toCharArray());
+ client.setJAAS("simple", acbh);
+ client.login();
+ assertEquals("echo==hi", "hi", ssi.echo("hi"));
+ assertEquals("CallerPrincipal==scott", "scott", ssi.echoCallerPrincipal().getName());
+ assertEquals("CallerRole==Echo", true, ssi.isCallerInRole("Echo"));
+ client.logout();
+ try
+ {
+ ssi.echo("hi again");
+ fail("Should not have reached here");
+ }
+ catch(Exception e)
+ {
+ if(e instanceof EJBAccessException == false)
+ fail("Wrong exception:"+e.getLocalizedMessage());
+ }
+ }
+
+ public static Test suite() throws Exception
+ {
+ try
+ {
+ return getDeploySetup(Security5TestCase.class, "security5.jar");
+ }
+ catch (Exception e)
+ {
+ throw e;
+ }
+ }
+}
More information about the jboss-cvs-commits
mailing list