[jboss-cvs] JBossAS SVN: r63184 - in trunk/security: src/main/org/jboss/security and 2 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Tue May 22 15:58:11 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-05-22 15:58:10 -0400 (Tue, 22 May 2007)
New Revision: 63184
Added:
trunk/security/src/main/org/jboss/security/integration/
trunk/security/src/main/org/jboss/security/integration/ejb/
trunk/security/src/main/org/jboss/security/integration/ejb/EJBAuthorizationHelper.java
trunk/security/src/main/org/jboss/security/integration/ejb/SecurityActions.java
Modified:
trunk/security/build.xml
Log:
add ejb authorization helper class
Modified: trunk/security/build.xml
===================================================================
--- trunk/security/build.xml 2007-05-22 13:52:00 UTC (rev 63183)
+++ trunk/security/build.xml 2007-05-22 19:58:10 UTC (rev 63184)
@@ -262,6 +262,7 @@
<patternset id="jbosssx-includes">
<include name="org/jboss/crypto/**"/>
<include name="org/jboss/security/auth/**"/>
+ <include name="org/jboss/security/integration/**"/>
<include name="org/jboss/security/jce/**"/>
<include name="org/jboss/security/jndi/**"/>
<include name="org/jboss/security/plugins/**"/>
Added: trunk/security/src/main/org/jboss/security/integration/ejb/EJBAuthorizationHelper.java
===================================================================
--- trunk/security/src/main/org/jboss/security/integration/ejb/EJBAuthorizationHelper.java (rev 0)
+++ trunk/security/src/main/org/jboss/security/integration/ejb/EJBAuthorizationHelper.java 2007-05-22 19:58:10 UTC (rev 63184)
@@ -0,0 +1,195 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.integration.ejb;
+
+import java.lang.reflect.Method;
+import java.security.CodeSource;
+import java.security.Principal;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import javax.security.auth.Subject;
+
+import org.jboss.logging.Logger;
+import org.jboss.security.AuthorizationManager;
+import org.jboss.security.RealmMapping;
+import org.jboss.security.RunAs;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.audit.AuditEvent;
+import org.jboss.security.audit.AuditLevel;
+import org.jboss.security.authorization.AuthorizationContext;
+import org.jboss.security.authorization.ResourceKeys;
+import org.jboss.security.authorization.resources.EJBResource;
+
+//$Id$
+
+/**
+ * Helper class for EJB Authorization
+ * @author Anil.Saldhana at redhat.com
+ * @since May 18, 2007
+ * @version $Revision$
+ */
+public class EJBAuthorizationHelper
+{
+ private SecurityContext securityContext = null;
+ private static Logger log = Logger.getLogger(EJBAuthorizationHelper.class);
+
+ public EJBAuthorizationHelper(SecurityContext sc)
+ {
+ if(sc == null)
+ sc = SecurityActions.getSecurityContext();
+ if(sc == null)
+ throw new IllegalArgumentException("Security Context is null");
+ this.securityContext = sc;
+ }
+
+ /**
+ * Authorize an EJB Invocation
+ * @param ejbName Name of the EJB
+ * @param ejbMethod EJB Method
+ * @param ejbPrincipal Calling Principal
+ * @param invocationInterfaceString Invocation String("remote", "local")
+ * @param ejbCS EJB CodeSource
+ * @param callerSubject Authenticated Caller Subject
+ * @param callerRunAs Configured RunAs for the caller
+ * @param methodRoles a set of Principal objects authorized for the method
+ * @return true - if caller is authorized
+ */
+ public boolean authorize(String ejbName,
+ Method ejbMethod,
+ Principal ejbPrincipal,
+ String invocationInterfaceString,
+ CodeSource ejbCS,
+ Subject callerSubject,
+ RunAs callerRunAs,
+ Set<Principal> methodRoles )
+ {
+ AuthorizationManager am = securityContext.getAuthorizationManager();
+
+ HashMap<String,Object> map = new HashMap<String,Object>();
+ map.put(ResourceKeys.EJB_NAME , ejbName);
+ map.put(ResourceKeys.EJB_METHOD,ejbMethod);
+ map.put(ResourceKeys.EJB_PRINCIPAL, ejbPrincipal);
+ map.put(ResourceKeys.EJB_METHODINTERFACE, invocationInterfaceString);
+ map.put(ResourceKeys.EJB_CODESOURCE, ejbCS);
+ map.put(ResourceKeys.CALLER_SUBJECT, callerSubject);
+ map.put(ResourceKeys.AUTHORIZATION_MANAGER, am);
+ map.put(ResourceKeys.RUNASIDENTITY, callerRunAs);
+ map.put(ResourceKeys.EJB_METHODROLES, methodRoles);
+
+ EJBResource ejbResource = new EJBResource(map);
+ boolean isAuthorized = false;
+ try
+ {
+ int check = am.authorize(ejbResource);
+ isAuthorized = (check == AuthorizationContext.PERMIT);
+ authorizationAudit((isAuthorized ? AuditLevel.SUCCESS : AuditLevel.FAILURE)
+ ,ejbResource, null);
+ }
+ catch (Exception e)
+ {
+ isAuthorized = false;
+ if(log.isTraceEnabled())
+ log.trace("Error in authorization:",e);
+ authorizationAudit(AuditLevel.ERROR,ejbResource,e);
+ }
+
+ return isAuthorized;
+ }
+
+ public Principal getCallerPrincipal(RealmMapping rm)
+ {
+ /* Get the run-as user or authenticated user. The run-as user is
+ returned before any authenticated user.
+ */
+ Principal caller = SecurityActions.getCallerPrincipal(securityContext);
+
+ /* Apply any domain caller mapping. This should really only be
+ done for non-run-as callers.
+ */
+ if (rm != null)
+ caller = rm.getPrincipal(caller);
+ return caller;
+ }
+
+ public boolean isCallerInRole(String roleName,String ejbName, Principal ejbPrincipal,Set securityRoleRefs )
+ {
+ boolean isAuthorized = false;
+ AuthorizationManager am = securityContext.getAuthorizationManager();
+
+ HashMap<String,Object> map = new HashMap<String,Object>();
+ map.put(ResourceKeys.EJB_NAME ,ejbName);
+ map.put(ResourceKeys.EJB_PRINCIPAL, ejbPrincipal);
+ map.put(ResourceKeys.AUTHORIZATION_MANAGER,am);
+ map.put(ResourceKeys.RUNASIDENTITY, securityContext.getUtil().getCallerRunAs());
+ map.put(ResourceKeys.SECURITY_ROLE_REFERENCES, securityRoleRefs);
+ map.put(ResourceKeys.ROLENAME, roleName);
+ map.put(ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE);
+
+ EJBResource ejbResource = new EJBResource(map);
+ try
+ {
+ int check = am.authorize(ejbResource);
+ isAuthorized = (check == AuthorizationContext.PERMIT);
+ }
+ catch (Exception e)
+ {
+ isAuthorized = false;
+ if(log.isTraceEnabled())
+ log.trace(roleName + "::isCallerInRole check failed:"+e.getLocalizedMessage());
+ authorizationAudit(AuditLevel.ERROR,ejbResource,e);
+ }
+ return isAuthorized;
+ }
+
+
+ //******************************************************
+ // Audit Methods
+ //******************************************************
+ public void audit(String level,
+ Map<String,Object> contextMap, Exception e)
+ {
+ contextMap.put("Source", getClass().getName());
+ AuditEvent ae = new AuditEvent(level,contextMap,e);
+ securityContext.getAuditManager().audit(ae);
+ }
+
+ public void authorizationAudit(String level, EJBResource resource, Exception e)
+ {
+ //Authorization Exception stacktrace is huge. Scale it down
+ //as the original stack trace can be seen in server.log (if needed)
+ String exceptionMessage = e != null ? e.getLocalizedMessage() : "";
+ Map<String,Object> cmap = new HashMap<String,Object>();
+ cmap.putAll(resource.getMap());
+ cmap.put("Exception:", exceptionMessage);
+ audit(level,cmap,null);
+ }
+
+ public Map<String,Object> getContextMap(Principal principal, String methodName)
+ {
+ Map<String,Object> cmap = new HashMap<String,Object>();
+ cmap.put("principal", principal);
+ cmap.put("method", methodName);
+ return cmap;
+ }
+}
Added: trunk/security/src/main/org/jboss/security/integration/ejb/SecurityActions.java
===================================================================
--- trunk/security/src/main/org/jboss/security/integration/ejb/SecurityActions.java (rev 0)
+++ trunk/security/src/main/org/jboss/security/integration/ejb/SecurityActions.java 2007-05-22 19:58:10 UTC (rev 63184)
@@ -0,0 +1,75 @@
+/*
+ * JBoss, Home of Professional Open Source
+ * Copyright 2007, JBoss Inc., and individual contributors as indicated
+ * by the @authors tag. See the copyright.txt in the distribution for a
+ * full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.integration.ejb;
+
+import java.security.AccessController;
+import java.security.Principal;
+import java.security.PrivilegedAction;
+
+import org.jboss.security.SecurityContext;
+import org.jboss.security.plugins.SecurityContextAssociation;
+
+//$Id$
+
+/**
+ * Privileged Blocks
+ * @author Anil.Saldhana at redhat.com
+ * @since May 19, 2007
+ * @version $Revision$
+ */
+public class SecurityActions
+{
+
+ public static Principal getCallerPrincipal(final SecurityContext securityContext)
+ {
+ return (Principal)AccessController.doPrivileged(new PrivilegedAction()
+ {
+
+ public Object run()
+ {
+ Principal caller = null;
+
+ if(securityContext != null)
+ {
+ caller = securityContext.getUtil().getCallerRunAs();
+ //If there is no caller run as, use the call principal
+ if(caller == null)
+ caller = securityContext.getUtil().getUserPrincipal();
+ }
+ return caller;
+ }
+ });
+ }
+
+ public static SecurityContext getSecurityContext()
+ {
+ return (SecurityContext)AccessController.doPrivileged(new PrivilegedAction()
+ {
+
+ public Object run()
+ {
+ return SecurityContextAssociation.getSecurityContext();
+ }
+ });
+ }
+
+}
More information about the jboss-cvs-commits
mailing list