[jboss-cvs] JBossAS SVN: r64790 - trunk/ejb3/src/main/org/jboss/ejb3/security.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Wed Aug 22 18:32:04 EDT 2007


Author: anil.saldhana at jboss.com
Date: 2007-08-22 18:32:04 -0400 (Wed, 22 Aug 2007)
New Revision: 64790

Modified:
   trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java
   trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java
   trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java
Log:
JBAS4423: fix run-as and authentication interceptor

Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java	2007-08-22 20:47:42 UTC (rev 64789)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java	2007-08-22 22:32:04 UTC (rev 64790)
@@ -67,7 +67,8 @@
    public Object invoke(Invocation invocation) throws Throwable
    { 
       SecurityIdentity si = null;
-      SecurityContext sc = null;
+      SecurityContext sc = SecurityActions.getSecurityContext();
+      SecurityContext invSC = (SecurityContext) invocation.getMetaData("security","context"); 
       
       SecurityDomain domain = (SecurityDomain)container.resolveAnnotation(SecurityDomain.class);
       /**
@@ -76,29 +77,32 @@
        */
       if(domain != null)
       { 
-         SecurityContext existingSC = null;
          Principal p = null;
          Object cred = null;
          
          if(isLocalCall((MethodInvocation) invocation))
          {
-            existingSC = SecurityActions.getSecurityContext();
-            if(existingSC == null)
+            if(sc == null)
                throw new IllegalStateException("Security Context null on Local call");
-            si = existingSC.getUtil().getSecurityIdentity();
+            si = sc.getUtil().getSecurityIdentity();
          }
          else
          {
-            existingSC = (SecurityContext) invocation.getMetaData("security","context"); 
-            if(existingSC == null)
-               throw new IllegalStateException("Security Context has not been set");
- 
-            p = existingSC.getUtil().getUserPrincipal();
-            cred = existingSC.getUtil().getCredential();
-            sc = SecurityActions.createSecurityContext(p, 
-                  cred, null, domain.value()); 
-            //Set the security context
-            SecurityActions.setSecurityContext(sc);
+            if(invSC == null && sc == null)
+               throw new IllegalStateException("Security Context is not available");
+            
+            //If there was a SecurityContext over the invocation, that takes preference
+            if(invSC != null)
+            {
+               sc = invSC;
+               p = sc.getUtil().getUserPrincipal();
+               cred = sc.getUtil().getCredential();
+               sc = SecurityActions.createSecurityContext(p, 
+                     cred, null, domain.value()); 
+               //Set the security context
+               SecurityActions.setSecurityContext(sc);
+               sc.getUtil().setSecurityIdentity(invSC.getUtil().getSecurityIdentity());
+            }
          }
          
          sc = SecurityActions.getSecurityContext();
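Review bot: In the non-local branch, a call that arrives with no context in the invocation metadata (`invSC == null`) is now accepted whenever the thread already has a SecurityContext, where the old code threw `IllegalStateException("Security Context has not been set")`. If the calling thread is pooled and an earlier invocation's context was not cleared, the call would proceed under that leftover identity. Whether that can happen depends on cleanup code outside this hunk, so it is worth confirming and adding a comment that names the callers expected to reach this path. Separately, `sc = invSC;` is overwritten two statements later by `createSecurityContext`, so reading the principal and credential directly from `invSC` would be clearer. `invoke` starts and ends outside the hunk.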
@@ -132,10 +136,22 @@
             helper.pushSubjectContext(subject);
          }
          else
-         {
+         {  
             //Trusted caller. No need for authentication. Straight to authorization
          } 
       }
+      else
+      {
+         //domain == null
+         /**
+          * Special Case when a bean with no security domain defined comes with a security
+          * context attached.
+          */
+         if(invSC != null)
+         {
+            SecurityActions.setSecurityContext(invSC);
+         }
+      }
       try
       { 
          if(sc != null)
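Review bot: The new `else` branch installs `invSC` on the thread with `SecurityActions.setSecurityContext(invSC)` but leaves the local `sc` holding the value read at the top of `invoke`, so the `if(sc != null)` test in the `try` that follows still sees the old value, possibly null. If the cleanup later in the method keys on `sc`, the context set here may stay associated with the thread after the call returns; that code is outside the hunk, so please confirm. This path also adopts a context taken from invocation metadata for a bean with no security domain, with no authentication step visible here, so a comment stating why that context can be trusted would help, for example `// invSC is only attached by an already-authenticated in-VM caller` if that is the actual assumption. The explanatory block inside the method body should use `/* ... */` rather than the Javadoc form `/** ... */`.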

Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java	2007-08-22 20:47:42 UTC (rev 64789)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java	2007-08-22 22:32:04 UTC (rev 64790)
@@ -103,7 +103,7 @@
          RealmMapping mapping = (RealmMapping) domain;
          //interceptor = new RunAsSecurityInterceptor(manager, mapping, getRunAsIdentity(container));
          
-         interceptor = new RunAsSecurityInterceptorv2(getRunAsIdentity(container));
+         interceptor = new RunAsSecurityInterceptorv2(container, getRunAsIdentity(container));
       }
       return interceptor;
    }  

Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java	2007-08-22 20:47:42 UTC (rev 64789)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java	2007-08-22 22:32:04 UTC (rev 64790)
@@ -21,18 +21,17 @@
  */
 package org.jboss.ejb3.security;
  
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.security.auth.Subject;
-
+import org.jboss.annotation.security.SecurityDomain;
 import org.jboss.aop.advice.Interceptor;
 import org.jboss.aop.joinpoint.Invocation;
 import org.jboss.aop.joinpoint.MethodInvocation;
+import org.jboss.ejb3.EJBContainer;
 import org.jboss.ejb3.SecurityActions;
 import org.jboss.logging.Logger;
 import org.jboss.security.RunAsIdentity;
-import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.plugins.SecurityContextAssociation;
+import org.jboss.security.plugins.SecurityContextFactory;
 
 /**
  * An interceptor that enforces the run-as identity declared by a bean.
@@ -45,10 +44,12 @@
 {
    private static final Logger log = Logger.getLogger(RunAsSecurityInterceptorv2.class);
    private RunAsIdentity runAsIdentity;
+   private EJBContainer container;
 
-   public RunAsSecurityInterceptorv2(RunAsIdentity id)
+   public RunAsSecurityInterceptorv2(EJBContainer container, RunAsIdentity id)
    {
       this.runAsIdentity = id; 
+      this.container = container;
    }
 
    protected RunAsIdentity getRunAsIdentity(Invocation invocation)
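Review bot: The new `container` field is dereferenced in `invoke` whenever no SecurityContext is present, yet the constructor stores it without a check, so a null argument surfaces later as a `NullPointerException` in the middle of an invocation. A guard in the constructor such as `if (container == null) throw new IllegalArgumentException("container is null");` fails at wiring time instead. Both fields are assigned only here and could be declared `final`.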
@@ -57,7 +58,7 @@
       return runAsIdentity;
    }
 
-   public Object invoke(Invocation invocation) throws Throwable
+   /*public Object invoke(Invocation invocation) throws Throwable
    { 
       Subject previousSubject = null;
       try
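Review bot: The previous `invoke` is disabled by opening a block comment on its signature, with the closing `*/` in the next hunk, rather than being deleted. The imports removed by this same commit (`Subject`, `HashSet`, `Set`, `SecurityAssociation`) appear to have served that body, so it could not be restored by simply uncommenting it. Deleting the old method keeps the security interceptor readable, and the revision history already preserves it.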
@@ -84,7 +85,42 @@
          SecurityActions.popRunAs();
       }
    }
+*/
+   
+   public Object invoke(Invocation invocation) throws Throwable
+   { 
+      SecurityContext sc = SecurityActions.getSecurityContext();
+      /**
+       * If Existing SecurityContext is null, it means that we have not gone
+       * through AuthenticationInterceptor. This is probably because
+       * we are an MDB. So create a new SecurityContext
+       */
+      if(sc == null)
+      {
+         SecurityDomain domain = (SecurityDomain)container.resolveAnnotation(SecurityDomain.class);
+         if(domain != null)
+         {
+            sc = SecurityContextFactory.createSecurityContext(domain.value());
+            SecurityContextAssociation.setSecurityContext(sc);
+         }  
+      }
+      
+      if(sc != null)
+      {
+         sc.setOutgoingRunAs(runAsIdentity);
+      } 
+      try
+      {
+         return invocation.invokeNext(); 
+      }
+      finally
+      {
+         if(sc != null)
+           SecurityActions.popRunAs();
+      }
+   }
 
+   
    public String getName()
    { 
       return getClass().getName();
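Review bot: The `finally` block calls `SecurityActions.popRunAs()` although the new body never pushes; it sets the identity with `sc.setOutgoingRunAs(runAsIdentity)` and does not record the previous value. Unless `popRunAs()` is known to undo exactly that call, a nested run-as invocation can leave the caller's outgoing run-as altered or pop an entry this interceptor did not add; saving the previous value before the `try` and restoring it in the `finally` would make the pair symmetric. The context created for the MDB case is bound with `SecurityContextAssociation.setSecurityContext(sc)` and never cleared here, so on a pooled thread it may outlive the message; it also bypasses the `SecurityActions` wrapper that `Ejb3AuthenticationInterceptorv2` uses for the same operation. Finally, when both `sc` and `domain` are null the declared run-as identity is dropped silently, and a `log.warn(...)` on that path would make the misconfiguration visible.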



