[jboss-cvs] JBossAS SVN: r64790 - trunk/ejb3/src/main/org/jboss/ejb3/security.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Wed Aug 22 18:32:04 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-08-22 18:32:04 -0400 (Wed, 22 Aug 2007)
New Revision: 64790
Modified:
trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java
Log:
JBAS4423: fix run-as and authentication interceptor
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java 2007-08-22 20:47:42 UTC (rev 64789)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java 2007-08-22 22:32:04 UTC (rev 64790)
@@ -67,7 +67,8 @@
public Object invoke(Invocation invocation) throws Throwable
{
SecurityIdentity si = null;
- SecurityContext sc = null;
+ SecurityContext sc = SecurityActions.getSecurityContext();
+ SecurityContext invSC = (SecurityContext) invocation.getMetaData("security","context");
SecurityDomain domain = (SecurityDomain)container.resolveAnnotation(SecurityDomain.class);
/**
@@ -76,29 +77,32 @@
*/
if(domain != null)
{
- SecurityContext existingSC = null;
Principal p = null;
Object cred = null;
if(isLocalCall((MethodInvocation) invocation))
{
- existingSC = SecurityActions.getSecurityContext();
- if(existingSC == null)
+ if(sc == null)
throw new IllegalStateException("Security Context null on Local call");
- si = existingSC.getUtil().getSecurityIdentity();
+ si = sc.getUtil().getSecurityIdentity();
}
else
{
- existingSC = (SecurityContext) invocation.getMetaData("security","context");
- if(existingSC == null)
- throw new IllegalStateException("Security Context has not been set");
-
- p = existingSC.getUtil().getUserPrincipal();
- cred = existingSC.getUtil().getCredential();
- sc = SecurityActions.createSecurityContext(p,
- cred, null, domain.value());
- //Set the security context
- SecurityActions.setSecurityContext(sc);
+ if(invSC == null && sc == null)
+ throw new IllegalStateException("Security Context is not available");
+
+ //If there was a SecurityContext over the invocation, that takes preference
+ if(invSC != null)
+ {
+ sc = invSC;
+ p = sc.getUtil().getUserPrincipal();
+ cred = sc.getUtil().getCredential();
+ sc = SecurityActions.createSecurityContext(p,
+ cred, null, domain.value());
+ //Set the security context
+ SecurityActions.setSecurityContext(sc);
+ sc.getUtil().setSecurityIdentity(invSC.getUtil().getSecurityIdentity());
+ }
}
sc = SecurityActions.getSecurityContext();
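Review bot: In the non-local branch, a call with `invSC == null` but a non-null thread context no longer fails; it falls through and continues with whatever `SecurityActions.getSecurityContext()` returns for the current thread. The old code rejected this case. If a pooled thread can still carry a context from an earlier invocation (the cleanup is outside this hunk, so this is unconfirmed), a remote call without its own context would run under that earlier identity. I would state the intended case above the check, e.g. `//No context on the invocation: only valid for an in-VM caller that already established the thread context`, and log at trace level when the fallback is taken. Separately, `sc.getUtil().setSecurityIdentity(invSC.getUtil().getSecurityIdentity())` copies the identity from the invocation-supplied context before the authentication step later in `invoke`, whose body starts and ends outside this hunk; confirm nothing in that identity is trusted until authentication has succeeded.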
@@ -132,10 +136,22 @@
helper.pushSubjectContext(subject);
}
else
- {
+ {
//Trusted caller. No need for authentication. Straight to authorization
}
}
+ else
+ {
+ //domain == null
+ /**
+ * Special Case when a bean with no security domain defined comes with a security
+ * context attached.
+ */
+ if(invSC != null)
+ {
+ SecurityActions.setSecurityContext(invSC);
+ }
+ }
try
{
if(sc != null)
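Review bot: The new `domain == null` branch installs the invocation-supplied context with `SecurityActions.setSecurityContext(invSC)` but leaves the local `sc` at the value read at the top of `invoke`, so the `if(sc != null)` guard that follows does not see the context that was just set. If the cleanup in the `finally` (outside this hunk) is keyed on `sc`, the caller-supplied context would stay associated with the pooled thread after the call returns. Because this bean has no security domain, that context is never authenticated here, so leaving it on the thread is worth avoiding. I would remember the previous context before the set and restore it in the `finally`, with a comment such as `//invSC is propagated unauthenticated; previous context is restored in finally`. The `try` block opens at the end of the hunk and continues outside it.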
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java 2007-08-22 20:47:42 UTC (rev 64789)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java 2007-08-22 22:32:04 UTC (rev 64790)
@@ -103,7 +103,7 @@
RealmMapping mapping = (RealmMapping) domain;
//interceptor = new RunAsSecurityInterceptor(manager, mapping, getRunAsIdentity(container));
- interceptor = new RunAsSecurityInterceptorv2(getRunAsIdentity(container));
+ interceptor = new RunAsSecurityInterceptorv2(container, getRunAsIdentity(container));
}
return interceptor;
}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java 2007-08-22 20:47:42 UTC (rev 64789)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorv2.java 2007-08-22 22:32:04 UTC (rev 64790)
@@ -21,18 +21,17 @@
*/
package org.jboss.ejb3.security;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.security.auth.Subject;
-
+import org.jboss.annotation.security.SecurityDomain;
import org.jboss.aop.advice.Interceptor;
import org.jboss.aop.joinpoint.Invocation;
import org.jboss.aop.joinpoint.MethodInvocation;
+import org.jboss.ejb3.EJBContainer;
import org.jboss.ejb3.SecurityActions;
import org.jboss.logging.Logger;
import org.jboss.security.RunAsIdentity;
-import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.plugins.SecurityContextAssociation;
+import org.jboss.security.plugins.SecurityContextFactory;
/**
* An interceptor that enforces the run-as identity declared by a bean.
@@ -45,10 +44,12 @@
{
private static final Logger log = Logger.getLogger(RunAsSecurityInterceptorv2.class);
private RunAsIdentity runAsIdentity;
+ private EJBContainer container;
- public RunAsSecurityInterceptorv2(RunAsIdentity id)
+ public RunAsSecurityInterceptorv2(EJBContainer container, RunAsIdentity id)
{
this.runAsIdentity = id;
+ this.container = container;
}
protected RunAsIdentity getRunAsIdentity(Invocation invocation)
@@ -57,7 +58,7 @@
return runAsIdentity;
}
- public Object invoke(Invocation invocation) throws Throwable
+ /*public Object invoke(Invocation invocation) throws Throwable
{
Subject previousSubject = null;
try
@@ -84,7 +85,42 @@
SecurityActions.popRunAs();
}
}
+*/
+
+ public Object invoke(Invocation invocation) throws Throwable
+ {
+ SecurityContext sc = SecurityActions.getSecurityContext();
+ /**
+ * If Existing SecurityContext is null, it means that we have not gone
+ * through AuthenticationInterceptor. This is probably because
+ * we are an MDB. So create a new SecurityContext
+ */
+ if(sc == null)
+ {
+ SecurityDomain domain = (SecurityDomain)container.resolveAnnotation(SecurityDomain.class);
+ if(domain != null)
+ {
+ sc = SecurityContextFactory.createSecurityContext(domain.value());
+ SecurityContextAssociation.setSecurityContext(sc);
+ }
+ }
+
+ if(sc != null)
+ {
+ sc.setOutgoingRunAs(runAsIdentity);
+ }
+ try
+ {
+ return invocation.invokeNext();
+ }
+ finally
+ {
+ if(sc != null)
+ SecurityActions.popRunAs();
+ }
+ }
+
public String getName()
{
return getClass().getName();
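Review bot: The new `invoke` overwrites the outgoing run-as with `sc.setOutgoingRunAs(runAsIdentity)` without saving what was there, and relies on `SecurityActions.popRunAs()` in the `finally` to undo it. Whether that pop restores the caller's previous run-as on the same context is not visible here, so for nested bean calls please confirm the caller's identity is intact after return. The context created for the MDB case is associated with the thread via `SecurityContextAssociation.setSecurityContext(sc)` and never removed, so it appears to outlive the invocation on a pooled thread; tracking a `created` flag and resetting the association in the `finally` would close that. That call also bypasses the `SecurityActions` wrapper used elsewhere in this commit, which may matter if `SecurityActions` is what runs these calls in a privileged block. When both `sc` and `domain` are null the declared run-as is silently not applied, and a `log.warn` on that path would make the misconfiguration visible.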