[jboss-cvs] JBossAS SVN: r63186 - in trunk/server/src/main/org/jboss/ejb: plugins and 1 other directory.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Tue May 22 15:59:01 EDT 2007
Author: anil.saldhana at jboss.com
Date: 2007-05-22 15:59:01 -0400 (Tue, 22 May 2007)
New Revision: 63186
Modified:
trunk/server/src/main/org/jboss/ejb/EnterpriseContext.java
trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
Log:
use the ejb authorization helper from security integration
Modified: trunk/server/src/main/org/jboss/ejb/EnterpriseContext.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/EnterpriseContext.java 2007-05-22 19:58:40 UTC (rev 63185)
+++ trunk/server/src/main/org/jboss/ejb/EnterpriseContext.java 2007-05-22 19:59:01 UTC (rev 63186)
@@ -23,8 +23,7 @@
import java.rmi.RemoteException;
import java.security.Identity;
-import java.security.Principal;
-import java.util.HashMap;
+import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Properties;
@@ -54,18 +53,12 @@
import org.jboss.logging.Logger;
import org.jboss.metadata.ApplicationMetaData;
import org.jboss.metadata.BeanMetaData;
-import org.jboss.metadata.SecurityRoleRefMetaData;
-import org.jboss.security.AuthorizationManager;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.RunAs;
+import org.jboss.metadata.SecurityRoleRefMetaData;
+import org.jboss.security.RealmMapping;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRoleRef;
-import org.jboss.security.SimplePrincipal;
-import org.jboss.security.audit.AuditEvent;
-import org.jboss.security.audit.AuditLevel;
-import org.jboss.security.authorization.AuthorizationContext;
-import org.jboss.security.authorization.resources.EJBResource;
-import org.jboss.security.authorization.ResourceKeys;
+import org.jboss.security.SimplePrincipal;
+import org.jboss.security.integration.ejb.EJBAuthorizationHelper;
import org.jboss.tm.TransactionTimeoutConfiguration;
import org.jboss.tm.usertx.client.ServerVMClientUserTransaction;
@@ -373,19 +366,10 @@
Principal getCallerPrincipalInternal()
{
if( beanPrincipal == null )
- {
- /* Get the run-as user or authenticated user. The run-as user is
- returned before any authenticated user.
- */
- Principal caller = SecurityActions.getCallerPrincipal(securityContext);
-
- //Principal caller = SecurityActions.getCallerPrincipal();
- RealmMapping rm = con.getRealmMapping();
- /* Apply any domain caller mapping. This should really only be
- done for non-run-as callers.
- */
- if (rm != null)
- caller = rm.getPrincipal(caller);
+ {
+ RealmMapping rm = con.getRealmMapping();
+ EJBAuthorizationHelper helper = new EJBAuthorizationHelper(securityContext);
+ Principal caller = helper.getCallerPrincipal(rm);
if( caller == null )
{
/* Try the incoming request principal. This is needed if a client
@@ -519,25 +503,7 @@
* or the current run-as principal.
*/
public boolean isCallerInRole(String roleName)
- {
- //Obtain the Authorization Manager
- AuthorizationManager authzManager = getContainer().getAuthorizationManager();
- if( authzManager == null)
- {
- String msg = "isCallerInRole() called with no security context. "
- + "Check that a security-domain has been set for the application.";
- throw new IllegalStateException(msg);
- }
- //Check the caller of this beans run-as identity
- RunAs runAsIdentity = null;
- if(securityContext != null )
- {
- runAsIdentity = securityContext.getUtil().getCallerRunAs();
- }
- //RunAsIdentity runAsIdentity = SecurityActions.peekRunAsIdentity(1);
- if (principal == null && runAsIdentity == null)
- return false;
-
+ {
//Generate the SecurityRoleRef set
Iterator it = getContainer().getBeanMetaData().getSecurityRoleReferences();
Set securityRoleRefs = new HashSet();
@@ -546,51 +512,23 @@
SecurityRoleRefMetaData meta = (SecurityRoleRefMetaData) it.next();
securityRoleRefs.add(new SecurityRoleRef(meta.getName(), meta.getLink(),meta.getDescription()));
}
- final HashMap map = new HashMap();
//Get the context subject
Subject contextSubject = null;
try
{
contextSubject = SecurityActions.getContextSubject();
if(contextSubject == null)
- log.error("Subject is null for isCallerInRole Check with role="+roleName);
- map.put(ResourceKeys.CALLER_SUBJECT, SecurityActions.getContextSubject());
+ log.error("Subject is null for isCallerInRole Check with role="+roleName);
}
catch (PolicyContextException pe)
{
if(log.isTraceEnabled())
log.trace("PolicyContextException in getting caller subject:",pe);
}
-
- boolean isAuthorized = false;
- if(contextSubject != null)
- {
- map.put(ResourceKeys.EJB_NAME ,getContainer().getBeanMetaData().getEjbName());
- map.put(ResourceKeys.EJB_PRINCIPAL, principal);
- map.put(ResourceKeys.AUTHORIZATION_MANAGER,authzManager);
- map.put(ResourceKeys.RUNASIDENTITY, runAsIdentity);
- map.put(ResourceKeys.SECURITY_ROLE_REFERENCES, securityRoleRefs);
- map.put(ResourceKeys.ROLENAME, roleName);
- map.put(ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE);
-
- EJBResource ejbResource = new EJBResource(map);
- try
- {
- int check = authzManager.authorize(ejbResource);
- isAuthorized = (check == AuthorizationContext.PERMIT);
- }
- catch (Exception e)
- {
- isAuthorized = false;
- if(log.isTraceEnabled())
- log.trace(roleName + "::isCallerInRole check failed:"+e.getLocalizedMessage());
- if(securityContext != null )
- {
- securityContext.getAuditManager().audit(new AuditEvent(AuditLevel.FAILURE, map, e));
- }
- }
- }
- return isAuthorized;
+
+ EJBAuthorizationHelper helper = new EJBAuthorizationHelper(securityContext);
+ String ejbName = getContainer().getBeanMetaData().getEjbName();
+ return helper.isCallerInRole(roleName, ejbName, principal, securityRoleRefs);
}
public UserTransaction getUserTransaction()
Modified: trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2007-05-22 19:58:40 UTC (rev 63185)
+++ trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2007-05-22 19:59:01 UTC (rev 63186)
@@ -38,11 +38,8 @@
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SecurityUtil;
import org.jboss.security.audit.AuditEvent;
-import org.jboss.security.audit.AuditLevel;
-import org.jboss.security.audit.AuditManager;
-import org.jboss.security.authorization.AuthorizationContext;
-import org.jboss.security.authorization.resources.EJBResource;
-import org.jboss.security.authorization.ResourceKeys;
+import org.jboss.security.audit.AuditLevel;
+import org.jboss.security.integration.ejb.EJBAuthorizationHelper;
import org.jboss.system.Registry;
import java.security.CodeSource;
@@ -351,37 +348,25 @@
return;
// Get the caller
Subject caller = SecurityActions.getContextSubject();
+ if(caller == null)
+ throw new IllegalStateException("Authenticated User. But caller subject is null");
//Establish the deployment rolename-principalset custom mapping(if available)
SecurityRolesAssociation.setSecurityRoles(this.deploymentRoles);
-
- final HashMap<String,Object> map = new HashMap<String,Object>();
- map.put(ResourceKeys.EJB_NAME ,this.ejbName);
- map.put(ResourceKeys.EJB_METHOD,ejbMethod);
- map.put(ResourceKeys.EJB_PRINCIPAL, mi.getPrincipal());
- map.put(ResourceKeys.EJB_METHODINTERFACE, mi.getType().toInterfaceString());
- map.put(ResourceKeys.EJB_CODESOURCE, ejbCS);
- map.put(ResourceKeys.CALLER_SUBJECT, caller);
- map.put(ResourceKeys.AUTHORIZATION_MANAGER,authorizationManager);
- map.put(ResourceKeys.RUNASIDENTITY, callerRunAsIdentity);
- map.put(ResourceKeys.EJB_METHODROLES, container.getMethodPermissions(ejbMethod, mi.getType()));
- EJBResource ejbResource = new EJBResource(map);
- boolean isAuthorized = false;
- try
- {
- int check = authorizationManager.authorize(ejbResource);
- isAuthorized = (check == AuthorizationContext.PERMIT);
- authorizationAudit((isAuthorized ? AuditLevel.SUCCESS : AuditLevel.FAILURE)
- ,ejbResource, null);
- }
- catch (Exception e)
- {
- isAuthorized = false;
- if(trace)
- log.trace("Error in authorization:",e);
- authorizationAudit(AuditLevel.ERROR,ejbResource,e);
- }
+ boolean isAuthorized = false;
+ Set<Principal> methodRoles = container.getMethodPermissions(ejbMethod, mi.getType());
+
+ EJBAuthorizationHelper eah = new EJBAuthorizationHelper(SecurityActions.getSecurityContext());
+ isAuthorized = eah.authorize(ejbName,
+ ejbMethod,
+ mi.getPrincipal(),
+ mi.getType().toInterfaceString(),
+ ejbCS,
+ caller,
+ callerRunAsIdentity,
+ methodRoles) ;
+
String msg = "Denied: caller=" + caller;
if(!isAuthorized)
throw new SecurityException(msg);
@@ -416,17 +401,6 @@
{
sc.getAuditManager().audit(ae);
}
- }
-
- private void authorizationAudit(String level, EJBResource resource, Exception e)
- {
- //Authorization Exception stacktrace is huge. Scale it down
- //as the original stack trace can be seen in server.log (if needed)
- String exceptionMessage = e != null ? e.getLocalizedMessage() : "";
- Map<String,Object> cmap = new HashMap<String,Object>();
- cmap.putAll(resource.getMap());
- cmap.put("Exception:", exceptionMessage);
- audit(level,cmap,null);
}
private Map<String,Object> getContextMap(Principal principal, String methodName)
More information about the jboss-cvs-commits
mailing list