[jboss-cvs] JBossAS SVN: r61768 - in trunk/ejb3/src: main/org/jboss/ejb3/security and 2 other directories.
jboss-cvs-commits at lists.jboss.org
Tue Mar 27 20:57:01 EDT 2007
Author: bdecoste
Date: 2007-03-27 20:57:01 -0400 (Tue, 27 Mar 2007)
New Revision: 61768
Modified:
trunk/ejb3/src/main/org/jboss/ejb3/BaseSessionContext.java
trunk/ejb3/src/main/org/jboss/ejb3/SecurityActions.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptor.java
trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java
trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/StatefulBean.java
trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/StatefulTestBean.java
trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/unit/Tck5SecTestCase.java
Log:
fix and test for run-as-principal
Modified: trunk/ejb3/src/main/org/jboss/ejb3/BaseSessionContext.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/BaseSessionContext.java 2007-03-28 00:13:24 UTC (rev 61767)
+++ trunk/ejb3/src/main/org/jboss/ejb3/BaseSessionContext.java 2007-03-28 00:57:01 UTC (rev 61768)
@@ -180,13 +180,13 @@
{
Principal principal = null;
- RunAsIdentity runAsIdentity = SecurityActions.peekRunAsIdentity(0);
+ RunAsIdentity runAsIdentity = SecurityActions.peekRunAsIdentity(1);
log.info("--- getCallerPrincipal peek " + runAsIdentity);
// Don't use RunAsIdentity to establish the principal when the RunAsIdentity came
// from the current bean.
- if (runAsIdentity != null)
+/* if (runAsIdentity != null)
{
java.util.Set principals = runAsIdentity.getPrincipalsSet();
if (principals.size() > 0)
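Review bot: Commenting out the RunAsIdentity branch with a block comment that opens at `/* if (runAsIdentity != null)` here and closes in the next hunk (`if (principal == null)*/`) leaves dead code in getCallerPrincipal while the `SecurityActions.peekRunAsIdentity(1)` lookup and its `log.info("--- getCallerPrincipal peek " + runAsIdentity)` still execute on every call. If the run-as identity is no longer meant to influence the caller principal, delete the commented block and the lookup instead of keeping both; if the lookup must stay, the remaining log line should be `log.debug(...)` so principal names are not written at INFO on every getCallerPrincipal call. getCallerPrincipal starts and ends outside this hunk.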
@@ -200,7 +200,7 @@
}
}
log.info("--- getCallerPrincipal RunAsIdentity " + principal);
- if (principal == null)
+ if (principal == null)*/
principal = SecurityAssociation.getCallerPrincipal();
log.info("--- getCallerPrincipal SecurityAssociation " + principal);
@@ -231,7 +231,7 @@
// Check the caller of this beans run-as identity
// todo use priveleged stuff in ejb class
RunAsIdentity runAsIdentity = SecurityActions.peekRunAsIdentity(1);
-
+
if (principal == null && runAsIdentity == null)
return false;
@@ -261,16 +261,19 @@
// This is work in progress - currently, getRm().doesUserHaveRole(principal, set)
// and getRm().getUserRoles(principal) ignores the principal parameter and is not
// using the principal from the pushed RunAsIdentity
- boolean doesUserHaveRole;
- if (runAsIdentity == null)
- doesUserHaveRole = getRm().doesUserHaveRole(principal, set);
- else
+ boolean doesUserHaveRole = false;
+ if (runAsIdentity != null)
doesUserHaveRole = runAsIdentity.doesUserHaveRole(set);
+ log.info("--- isCallerInRole runAsIdentity " + runAsIdentity + " " + doesUserHaveRole);
+
+ if (!doesUserHaveRole)
+ doesUserHaveRole = getRm().doesUserHaveRole(principal, set);
+
java.util.Set roles = getRm().getUserRoles(principal);
- log.info("--- isCallerInRole roles " + roles);
+ log.info("--- isCallerInRole roles " + roles + " " + SecurityActions.getActiveSubject());
- log.info("--- isCallerInRole " + roleName + " " + principal + " " + doesUserHaveRole + " " + runAsIdentity);
+ log.info("--- isCallerInRole " + roleName + " " + principal + " " + doesUserHaveRole);
return doesUserHaveRole;
}
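Review bot: The new `log.info("--- isCallerInRole roles " + roles + " " + SecurityActions.getActiveSubject())` writes the active Subject to the log at INFO; `Subject.toString()` renders the principal and credential sets, so whatever credentials the login module placed on the subject can end up in the server log on every role check. Suggest logging only `roles` here, or at most `SecurityActions.getActiveSubject().getPrincipals()` at debug level. Separately, when `runAsIdentity != null` but `runAsIdentity.doesUserHaveRole(set)` is false, the new `if (!doesUserHaveRole)` falls through to `getRm().doesUserHaveRole(principal, set)`, so a caller arriving under a run-as identity is granted the union of the run-as roles and the realm roles of `principal`; if the run-as identity is meant to replace the caller's roles, that fallback should remain limited to the `runAsIdentity == null` case as it was before. isCallerInRole starts outside this hunk.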
Modified: trunk/ejb3/src/main/org/jboss/ejb3/SecurityActions.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/SecurityActions.java 2007-03-28 00:13:24 UTC (rev 61767)
+++ trunk/ejb3/src/main/org/jboss/ejb3/SecurityActions.java 2007-03-28 00:57:01 UTC (rev 61768)
@@ -23,7 +23,9 @@
import java.security.AccessController;
import java.security.PrivilegedAction;
+import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
+
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityAssociation;
@@ -67,6 +69,41 @@
return principal;
}
}
+
+ private static class GetSubjectAction implements PrivilegedAction
+ {
+ static PrivilegedAction ACTION = new GetSubjectAction();
+ public Object run()
+ {
+ Subject subject = SecurityAssociation.getSubject();
+ return subject;
+ }
+ }
+
+ private static class PopRunAsIdentityAction implements PrivilegedAction
+ {
+ static PrivilegedAction ACTION = new PopRunAsIdentityAction();
+ public Object run()
+ {
+ return SecurityAssociation.popRunAsIdentity();
+ }
+ }
+
+ private static class PushRunAsIdentityAction implements PrivilegedAction
+ {
+ RunAsIdentity runAsIdentity;
+
+ PushRunAsIdentityAction(RunAsIdentity runAsIdentity)
+ {
+ this.runAsIdentity = runAsIdentity;
+ }
+
+ public Object run()
+ {
+ SecurityAssociation.pushRunAsIdentity(runAsIdentity);
+ return null;
+ }
+ }
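Review bot: The shared singletons `static PrivilegedAction ACTION = new GetSubjectAction();` and `static PrivilegedAction ACTION = new PopRunAsIdentityAction();` are package-visible and not final, so any class in the package could swap the action that later runs under `AccessController.doPrivileged`; they should be `static final` (and `private static final` if only the outer class references them). Likewise `RunAsIdentity runAsIdentity;` in PushRunAsIdentityAction is only assigned in the constructor and can be `private final RunAsIdentity runAsIdentity;`. If the codebase already uses generics, `PrivilegedAction<Subject>` and `PrivilegedAction<RunAsIdentity>` would also remove the casts in the wrapper methods.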
static ClassLoader getContextClassLoader()
{
@@ -101,6 +138,23 @@
RunAsIdentity principal = (RunAsIdentity) AccessController.doPrivileged(action);
return principal;
}
+
+ public static Subject getActiveSubject()
+ {
+ Subject subject = (Subject) AccessController.doPrivileged(GetSubjectAction.ACTION);
+ return subject;
+ }
+
+ public static void pushRunAsIdentity(RunAsIdentity runAsIdentity)
+ {
+ PrivilegedAction action = new PushRunAsIdentityAction(runAsIdentity);
+ AccessController.doPrivileged(action);
+ }
+
+ public static RunAsIdentity popRunAsIdentity()
+ {
+ return (RunAsIdentity)AccessController.doPrivileged(PopRunAsIdentityAction.ACTION);
+ }
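Review bot: `pushRunAsIdentity`, `popRunAsIdentity` and `getActiveSubject` are `public static` and run their SecurityAssociation calls inside `AccessController.doPrivileged`, so any code that can reach SecurityActions can change the thread's run-as identity or read its Subject without holding the corresponding permission itself; the cross-package use from RunAsSecurityInterceptor appears to require public visibility, which makes this class a privilege boundary worth stating. Suggest a Javadoc on each, e.g. on pushRunAsIdentity: `Pushes the given run-as identity onto the current thread's SecurityAssociation stack under doPrivileged; callers must balance it with popRunAsIdentity() in a finally block, and this method must not be exposed to application code.` The existing peekRunAsIdentity wrapper just above would benefit from the same note.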
interface TCLAction
{
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptor.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptor.java 2007-03-28 00:13:24 UTC (rev 61767)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptor.java 2007-03-28 00:57:01 UTC (rev 61768)
@@ -21,12 +21,17 @@
*/
package org.jboss.ejb3.security;
-import org.jboss.aop.joinpoint.Invocation;
+import org.jboss.aop.joinpoint.Invocation;
+import org.jboss.aop.joinpoint.MethodInvocation;
+import org.jboss.ejb3.SecurityActions;
import org.jboss.logging.Logger;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RealmMapping;
import org.jboss.security.RunAsIdentity;
+import org.jboss.security.SecurityAssociation;
+import javax.security.auth.Subject;
+
/**
* An interceptor that enforces the run-as identity declared by a bean.
*
@@ -46,12 +51,39 @@
protected RunAsIdentity getRunAsIdentity(Invocation invocation)
{
+ MethodInvocation mi = (MethodInvocation)invocation;
+ log.info("--- getRunAsIdentity " + runAsIdentity + " " + mi.getActualMethod());
return runAsIdentity;
}
public Object invoke(Invocation invocation) throws Throwable
{
- return super.invoke(invocation);
+ Subject previousSubject = null;
+ try
+ {
+ RunAsIdentity runAsIdentity = getRunAsIdentity(invocation);
+ SecurityActions.pushRunAsIdentity(runAsIdentity);
+
+ runAsIdentity = SecurityActions.peekRunAsIdentity(1);
+ log.info("--- invoke " + runAsIdentity);
+ if (runAsIdentity != null)
+ {
+ previousSubject = SecurityActions.getActiveSubject();
+ java.util.Set newPrincipals = runAsIdentity.getPrincipalsSet();
+ log.info("--- invoke " + previousSubject + " " + newPrincipals);
+ Subject newSubject = new Subject(false, newPrincipals, new java.util.HashSet(), new java.util.HashSet());
+ SecurityAssociation.setSubject(newSubject);
+ }
+
+ return invocation.invokeNext();
+ }
+ finally
+ {
+ if (previousSubject != null)
+ SecurityAssociation.setSubject(previousSubject);
+
+ SecurityActions.popRunAsIdentity();
+ }
}
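Review bot: In `invoke`, the finally block restores the Subject only `if (previousSubject != null)`, so when no Subject was active before the call (`SecurityActions.getActiveSubject()` returned null) the run-as `newSubject` installed via `SecurityAssociation.setSubject(newSubject)` stays bound to the thread after the invocation returns, and on a pooled thread the next invocation starts with the run-as principals. Track whether the subject was replaced rather than testing the saved value: add `boolean subjectReplaced = false;` beside `previousSubject`, set `subjectReplaced = true;` right after `SecurityAssociation.setSubject(newSubject);`, and restore with `if (subjectReplaced) SecurityAssociation.setSubject(previousSubject);` (assuming setSubject accepts null to clear the association; otherwise use whatever SecurityAssociation call clears it). The `(MethodInvocation)invocation` cast in getRunAsIdentity exists only for the log line and will throw ClassCastException for any non-method invocation, and the `log.info` lines here print principal sets at INFO on every call.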
}
Modified: trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java
===================================================================
--- trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java 2007-03-28 00:13:24 UTC (rev 61767)
+++ trunk/ejb3/src/main/org/jboss/ejb3/security/RunAsSecurityInterceptorFactory.java 2007-03-28 00:57:01 UTC (rev 61768)
@@ -54,11 +54,14 @@
protected RunAsIdentity getRunAsIdentity(EJBContainer container)
{
RunAs runAs = (RunAs) container.resolveAnnotation(RunAs.class);
- if (runAs == null) return null;
+ if (runAs == null)
+ return null;
+
if (container.getXml() != null && container.getXml().getSecurityIdentity() != null)
{
if (container.getXml().getSecurityIdentity().isUseCallerIdentity()) return null;
}
+
RunAsPrincipal rap = (RunAsPrincipal) container.resolveAnnotation(RunAsPrincipal.class);
String runAsPrincipal = null;
if (rap != null)
Modified: trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/StatefulBean.java
===================================================================
--- trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/StatefulBean.java 2007-03-28 00:13:24 UTC (rev 61767)
+++ trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/StatefulBean.java 2007-03-28 00:57:01 UTC (rev 61768)
@@ -49,26 +49,29 @@
@RolesAllowed({"Manager"})
public boolean EjbSecRoleRef(String role)
{
+ boolean isCallerInRole = sessionContext.isCallerInRole(role);
log.info("isCallerInRole(" + role + ") = "
- + sessionContext.isCallerInRole(role));
- return sessionContext.isCallerInRole(role);
+ + isCallerInRole);
+ return isCallerInRole;
}
@RolesAllowed( { "Administrator", "Manager", "VP", "Employee" })
public boolean EjbOverloadedSecRoleRefs(String role1)
{
- log.info("isCallerInRole(" + role1 + ") = "
- + sessionContext.isCallerInRole(role1));
+ boolean isCallerInRole = sessionContext.isCallerInRole(role1);
+ log.info("isCallerInRole(" + role1 + ") = " + isCallerInRole);
return sessionContext.isCallerInRole(role1);
}
@RolesAllowed( { "Administrator", "Manager", "VP", "Employee" })
public boolean EjbOverloadedSecRoleRefs(String role1, String role2)
{
+ boolean isCallerInRole1 = sessionContext.isCallerInRole(role1);
+ boolean isCallerInRole2 = sessionContext.isCallerInRole(role2);
log.info("isCallerInRole(" + role1 + ")= "
- + sessionContext.isCallerInRole(role1) + "isCallerInRole(" + role2
- + ")= " + sessionContext.isCallerInRole(role2));
- return sessionContext.isCallerInRole(role1)
- && sessionContext.isCallerInRole(role2);
+ + isCallerInRole1 + "isCallerInRole(" + role2
+ + ")= " + isCallerInRole2);
+ return isCallerInRole1
+ && isCallerInRole2;
}
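Review bot: `EjbOverloadedSecRoleRefs(String role1)` now computes `isCallerInRole` for the log message but still returns `sessionContext.isCallerInRole(role1)` on the unchanged line, so the role check runs twice and the logged value can differ from the returned one, unlike the other two methods in this hunk; change it to `return isCallerInRole;`.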
}
Modified: trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/StatefulTestBean.java
===================================================================
--- trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/StatefulTestBean.java 2007-03-28 00:13:24 UTC (rev 61767)
+++ trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/StatefulTestBean.java 2007-03-28 00:57:01 UTC (rev 61768)
@@ -75,7 +75,7 @@
log.info("Starting Overloaded security role references test");
log.info("isCallerInRole(" + role1 + ")= "
- + sessionContext.isCallerInRole(role1) + "isCallerInRole(" + role2
+ + sessionContext.isCallerInRole(role1) + " isCallerInRole(" + role2
+ ")= " + sessionContext.isCallerInRole(role2));
try
Modified: trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/unit/Tck5SecTestCase.java
===================================================================
--- trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/unit/Tck5SecTestCase.java 2007-03-28 00:13:24 UTC (rev 61767)
+++ trunk/ejb3/src/test/org/jboss/ejb3/test/tck5sec/unit/Tck5SecTestCase.java 2007-03-28 00:57:01 UTC (rev 61768)
@@ -68,7 +68,7 @@
assertTrue(success);
}
- public void atest3() throws Exception
+ public void test3() throws Exception
{
AppCallbackHandler handler = new AppCallbackHandler("j2ee", "j2ee".toCharArray());
LoginContext lc = new LoginContext("spec-test", handler);