[jboss-cvs] JBossAS SVN: r67589 - projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/ejb.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Wed Nov 28 22:33:51 EST 2007 

Author: anil.saldhana at jboss.com
Date: 2007-11-28 22:33:50 -0500 (Wed, 28 Nov 2007)
New Revision: 67589

Modified:
   projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java
Log:
use RunAs

Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java	2007-11-29 03:32:50 UTC (rev 67588)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java	2007-11-29 03:33:50 UTC (rev 67589)
@@ -31,6 +31,7 @@
 import org.jboss.logging.Logger;
 import org.jboss.security.AnybodyPrincipal;
 import org.jboss.security.AuthorizationManager;
+import org.jboss.security.RunAs;
 import org.jboss.security.RunAsIdentity;
 import org.jboss.security.SecurityRoleRef;
 import org.jboss.security.SimplePrincipal;
@@ -58,7 +59,7 @@
    private Principal ejbPrincipal = null;
    private Set<Principal> methodRoles = null; 
    private String methodInterface = null; 
-   private RunAsIdentity callerRunAsIdentity = null;
+   private RunAs callerRunAs = null;
    private String roleName = null; 
    private Boolean roleRefCheck = Boolean.FALSE;
    private Set<SecurityRoleRef> securityRoleReferences = null;
@@ -101,7 +102,7 @@
       this.roleName = (String)map.get(ResourceKeys.ROLENAME);
       this.roleRefCheck = (Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK); 
       
-      this.callerRunAsIdentity = ejbResource.getCallerRunAsIdentity();
+      this.callerRunAs = ejbResource.getCallerRunAsIdentity();
       this.ejbMethod = ejbResource.getEjbMethod();
       this.ejbName = ejbResource.getEjbName();
       this.ejbPrincipal = ejbResource.getPrincipal();
@@ -148,7 +149,7 @@
       if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false)
       {
          // The caller is using a the caller identity
-         if (callerRunAsIdentity == null)
+         if (callerRunAs == null)
          { 
             AuthorizationManager am = (AuthorizationManager)policyRegistration;
             
@@ -173,19 +174,24 @@
          // The caller is using a run-as identity
          else
          {
-            // Check that the run-as role is in the set of method roles
-            if (callerRunAsIdentity.doesUserHaveRole(methodRoles) == false)
+            if(callerRunAs instanceof RunAsIdentity)
             {
-               String method = this.ejbMethod.getName(); 
-               String msg = "Insufficient method permissions, principal=" + ejbPrincipal
-               + ", ejbName=" + this.ejbName
-               + ", method=" + method + ", interface=" + this.methodInterface
-               + ", requiredRoles=" + methodRoles + ", runAsRoles=" 
-               + callerRunAsIdentity.getRunAsRoles();
-               if(trace)
-                  log.trace("Exception:"+msg); 
-               allowed = false;
+               RunAsIdentity callerRunAsIdentity = (RunAsIdentity) callerRunAs;
+               // Check that the run-as role is in the set of method roles
+               if (callerRunAsIdentity.doesUserHaveRole(methodRoles) == false)
+               {
+                  String method = this.ejbMethod.getName(); 
+                  String msg = "Insufficient method permissions, principal=" + ejbPrincipal
+                  + ", ejbName=" + this.ejbName
+                  + ", method=" + method + ", interface=" + this.methodInterface
+                  + ", requiredRoles=" + methodRoles + ", runAsRoles=" 
+                  + callerRunAsIdentity.getRunAsRoles();
+                  if(trace)
+                     log.trace("Exception:"+msg); 
+                  allowed = false;
+               }   
             }
+            
          }
       } 
       return allowed ? AuthorizationContext.PERMIT : AuthorizationContext.DENY;
@@ -195,7 +201,7 @@
    {
       AuthorizationManager am = (AuthorizationManager)policyRegistration;
       //Check the caller of this beans run-as identity 
-      if (ejbPrincipal == null && callerRunAsIdentity == null)
+      if (ejbPrincipal == null && callerRunAs == null)
       {
          if(trace)
             log.trace("ejbPrincipal = null,callerRunAsIdentity = null => DENY" );
@@ -231,11 +237,16 @@
       set.add(new SimplePrincipal(roleName));
 
       boolean allowed = false;
-      if (callerRunAsIdentity == null)
+      if (callerRunAs == null)
          allowed = am.doesUserHaveRole(ejbPrincipal, set);
       else
-         allowed = this.callerRunAsIdentity.doesUserHaveRole(set);
-      
+      {
+         if(callerRunAs instanceof RunAsIdentity)
+         {
+            RunAsIdentity callerRunAsIdentity = (RunAsIdentity) callerRunAs;
+            allowed = callerRunAsIdentity.doesUserHaveRole(set);
+         }
+      }
       return allowed ? AuthorizationContext.PERMIT : AuthorizationContext.DENY;
    }
 }
\ No newline at end of file

More information about the jboss-cvs-commits mailing list