[jboss-cvs] JBossAS SVN: r67589 - projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/ejb.
Wed Nov 28 22:33:51 EST 2007
Author: anil.saldhana at jboss.com
Date: 2007-11-28 22:33:50 -0500 (Wed, 28 Nov 2007)
New Revision: 67589
Modified:
projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java
Log:
use the RunAs interface (rather than the RunAsIdentity class) for the caller's run-as state
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java 2007-11-29 03:32:50 UTC (rev 67588)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java 2007-11-29 03:33:50 UTC (rev 67589)
@@ -31,6 +31,7 @@
import org.jboss.logging.Logger;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.AuthorizationManager;
+import org.jboss.security.RunAs;
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityRoleRef;
import org.jboss.security.SimplePrincipal;
@@ -58,7 +59,7 @@
private Principal ejbPrincipal = null;
private Set<Principal> methodRoles = null;
private String methodInterface = null;
- private RunAsIdentity callerRunAsIdentity = null;
+ private RunAs callerRunAs = null;
private String roleName = null;
private Boolean roleRefCheck = Boolean.FALSE;
private Set<SecurityRoleRef> securityRoleReferences = null;
@@ -101,7 +102,7 @@
this.roleName = (String)map.get(ResourceKeys.ROLENAME);
this.roleRefCheck = (Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK);
- this.callerRunAsIdentity = ejbResource.getCallerRunAsIdentity();
+ this.callerRunAs = ejbResource.getCallerRunAsIdentity();
this.ejbMethod = ejbResource.getEjbMethod();
this.ejbName = ejbResource.getEjbName();
this.ejbPrincipal = ejbResource.getPrincipal();
@@ -148,7 +149,7 @@
if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false)
{
// The caller is using a the caller identity
- if (callerRunAsIdentity == null)
+ if (callerRunAs == null)
{
AuthorizationManager am = (AuthorizationManager)policyRegistration;
@@ -173,19 +174,24 @@
// The caller is using a run-as identity
else
{
- // Check that the run-as role is in the set of method roles
- if (callerRunAsIdentity.doesUserHaveRole(methodRoles) == false)
+ if(callerRunAs instanceof RunAsIdentity)
{
- String method = this.ejbMethod.getName();
- String msg = "Insufficient method permissions, principal=" + ejbPrincipal
- + ", ejbName=" + this.ejbName
- + ", method=" + method + ", interface=" + this.methodInterface
- + ", requiredRoles=" + methodRoles + ", runAsRoles="
- + callerRunAsIdentity.getRunAsRoles();
- if(trace)
- log.trace("Exception:"+msg);
- allowed = false;
+ RunAsIdentity callerRunAsIdentity = (RunAsIdentity) callerRunAs;
+ // Check that the run-as role is in the set of method roles
+ if (callerRunAsIdentity.doesUserHaveRole(methodRoles) == false)
+ {
+ String method = this.ejbMethod.getName();
+ String msg = "Insufficient method permissions, principal=" + ejbPrincipal
+ + ", ejbName=" + this.ejbName
+ + ", method=" + method + ", interface=" + this.methodInterface
+ + ", requiredRoles=" + methodRoles + ", runAsRoles="
+ + callerRunAsIdentity.getRunAsRoles();
+ if(trace)
+ log.trace("Exception:"+msg);
+ allowed = false;
+ }
}
+
}
}
return allowed ? AuthorizationContext.PERMIT : AuthorizationContext.DENY;
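Review bot: The new `instanceof RunAsIdentity` guard in the run-as branch has no `else`, so a caller whose `RunAs` is any other implementation skips the method-role check entirely and `allowed` keeps whatever it was initialised to above the hunk; the initialiser is not visible here, but the branch only ever sets `allowed = false`, which suggests it starts as `true` and this path is fail-open. The role-ref check later in this same file defaults `allowed` to `false`, so the two paths disagree on what an unrecognised run-as type means. I would add after the `instanceof` block `else { if(trace) log.trace("Unsupported RunAs type, denying: " + callerRunAs.getClass().getName()); allowed = false; }` so an unknown run-as representation is denied and traced like the other deny paths. The enclosing method starts before this hunk.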
@@ -195,7 +201,7 @@
{
AuthorizationManager am = (AuthorizationManager)policyRegistration;
//Check the caller of this beans run-as identity
- if (ejbPrincipal == null && callerRunAsIdentity == null)
+ if (ejbPrincipal == null && callerRunAs == null)
{
if(trace)
log.trace("ejbPrincipal = null,callerRunAsIdentity = null => DENY" );
@@ -231,11 +237,16 @@
set.add(new SimplePrincipal(roleName));
boolean allowed = false;
- if (callerRunAsIdentity == null)
+ if (callerRunAs == null)
allowed = am.doesUserHaveRole(ejbPrincipal, set);
else
- allowed = this.callerRunAsIdentity.doesUserHaveRole(set);
-
+ {
+ if(callerRunAs instanceof RunAsIdentity)
+ {
+ RunAsIdentity callerRunAsIdentity = (RunAsIdentity) callerRunAs;
+ allowed = callerRunAsIdentity.doesUserHaveRole(set);
+ }
+ }
return allowed ? AuthorizationContext.PERMIT : AuthorizationContext.DENY;
}
}
\ No newline at end of file
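Review bot: In the role-ref check, a non-null `callerRunAs` that is not a `RunAsIdentity` now falls through with `allowed` still `false`, which is the safe outcome but is the only DENY in this method that leaves no trace, unlike the `ejbPrincipal == null` case above. I would add an `else` to the inner `instanceof` with `if(trace) log.trace("Unsupported RunAs type, denying role ref check: " + callerRunAs.getClass().getName());` so operators can tell a denied role-ref apart from an unsupported run-as type. The same `instanceof RunAsIdentity` cast now appears twice in the file; a small private helper returning the `RunAsIdentity` or null would keep both call sites consistent. The enclosing method starts before this hunk.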