[jboss-cvs] JBossAS SVN: r65665 - in branches/Branch_4_2/ejb3/src: main/org/jboss/ejb3/security and 4 other directories.
Thu Sep 27 19:11:41 EDT 2007
Author: bdecoste
Date: 2007-09-27 19:11:40 -0400 (Thu, 27 Sep 2007)
New Revision: 65665
Added:
branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTester.java
Modified:
branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/mdb/MessagingContainer.java
branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java
branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java
branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/service/ServiceContainer.java
branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/stateless/StatelessContainer.java
branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/BaseTimerTesterBean.java
branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTesterBean.java
branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/unit/RemoteUnitTestCase.java
Log:
[EJBTHREE-1027] [JBAS-4572] fix and updated tests for secured timeouts and for calling getCallerPrincipal from within a timeout
Modified: branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/mdb/MessagingContainer.java
===================================================================
--- branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/mdb/MessagingContainer.java 2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/mdb/MessagingContainer.java 2007-09-27 23:11:40 UTC (rev 65665)
@@ -22,6 +22,7 @@
package org.jboss.ejb3.mdb;
import org.jboss.annotation.ejb.ResourceAdapter;
+import org.jboss.annotation.security.SecurityDomain;
import org.jboss.aop.AspectManager;
import org.jboss.aop.MethodInfo;
import org.jboss.aop.advice.Interceptor;
@@ -35,6 +36,8 @@
import org.jboss.jms.jndi.JMSProviderAdapter;
import org.jboss.logging.Logger;
import org.jboss.metadata.ActivationConfigPropertyMetaData;
+import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SimplePrincipal;
import javax.ejb.*;
import javax.ejb.Timer;
@@ -47,6 +50,7 @@
import javax.naming.NamingException;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
+import java.security.Principal;
import java.util.*;
/**
@@ -265,7 +269,21 @@
public void callTimeout(Timer timer) throws Exception
{
Method timeout = callbackHandler.getTimeoutCallback();
- if (timeout == null) throw new EJBException("No method has been annotated with @Timeout");
+ if (timeout == null)
+ throw new EJBException("No method has been annotated with @Timeout");
+
+ // pop CallerPrincipal for timeout, set to unauthenticated identity if available
+ Principal oldPrincipal = SecurityAssociation.getCallerPrincipal();
+ SecurityDomain securityDomain = (SecurityDomain)resolveAnnotation(SecurityDomain.class);
+ if (securityDomain != null && securityDomain.unauthenticatedPrincipal().length() > 0)
+ {
+ SecurityAssociation.setPrincipal(new SimplePrincipal(securityDomain.unauthenticatedPrincipal()));
+ }
+ else
+ {
+ SecurityAssociation.setPrincipal(null);
+ }
+
Object[] args = {timer};
try
{
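Review bot: The swap at the `SecurityAssociation.setPrincipal(...)` lines replaces only the principal; any credential bound to the thread by the previous caller is left in place, so the timeout runs with the unauthenticated identity paired with a stale credential — if that pairing can reach an authentication step (the MDB and service timeout paths add no bypass flag, unlike StatelessContainer), the credential should be saved, cleared and restored alongside the principal. The same block is pasted verbatim into ServiceContainer.callTimeout and StatelessContainer.callTimeout in this commit; a protected helper on the shared base (presumably EJBContainer), e.g. `Principal pushTimeoutPrincipal()` and `void popTimeoutPrincipal(Principal saved)`, would keep the three copies in step. The comment reads `pop CallerPrincipal` but the code sets a new principal and restores the old one later; `// replace the thread's caller principal for the duration of the timeout; restored in finally` describes it more accurately. The restoring `finally` is in the following hunk.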
@@ -276,6 +294,10 @@
if (throwable instanceof Exception) throw (Exception) throwable;
throw new RuntimeException(throwable);
}
+ finally
+ {
+ SecurityAssociation.setPrincipal(oldPrincipal);
+ }
}
Modified: branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java
===================================================================
--- branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java 2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java 2007-09-27 23:11:40 UTC (rev 65665)
@@ -103,7 +103,11 @@
{
SecurityRolesAssociation.setSecurityRoles(container.getAssemblyDescriptor().getPrincipalVersusRolesMap());
}
- return super.invoke(invocation);
+ Object ignoreFlag = invocation.getMetaData(RoleBasedAuthorizationInterceptor.AUTHORIZATION, RoleBasedAuthorizationInterceptor.IGNORE_AUTHORIZATION);
+ if (ignoreFlag != null)
+ return invocation.invokeNext();
+ else
+ return super.invoke(invocation);
}
finally
{
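Review bot: The bypass at the `ignoreFlag` lines skips authentication for any non-null value stored under the AUTHORIZATION/IGNORE_AUTHORIZATION metadata key, and RoleBasedAuthorizationInterceptor repeats the same check for authorization. Nothing in the check establishes that the flag was placed there by the container rather than arriving with the invocation, and whether inbound metadata can carry that key is not visible in this diff, so it is worth tightening: compare the entry by identity against a container-private sentinel object instead of testing for non-null, or restrict the bypass to invocations the container itself constructs for timeouts. The key is named IGNORE_AUTHORIZATION while this interceptor uses it to skip authentication; a comment such as `// container-originated timeout invocation: no caller identity, skip authentication` would at least make the intent explicit. The enclosing invoke() begins and ends outside this hunk.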
Modified: branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java
===================================================================
--- branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java 2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java 2007-09-27 23:11:40 UTC (rev 65665)
@@ -51,6 +51,9 @@
{
private static final Logger log = Logger.getLogger(RoleBasedAuthorizationInterceptor.class);
+ public static final String AUTHORIZATION = "AUTHORIZATION";
+ public static final String IGNORE_AUTHORIZATION = "IGNORE_AUTHORIZATION";
+
private EJBContainer container;
public RoleBasedAuthorizationInterceptor(AuthenticationManager manager, RealmMapping realmMapping, Container container)
@@ -105,7 +108,11 @@
{
try
{
- return super.invoke(invocation);
+ Object ignoreFlag = invocation.getMetaData(RoleBasedAuthorizationInterceptor.AUTHORIZATION, RoleBasedAuthorizationInterceptor.IGNORE_AUTHORIZATION);
+ if (ignoreFlag != null)
+ return invocation.invokeNext();
+ else
+ return super.invoke(invocation);
}
catch (SecurityException throwable)
{
Modified: branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/service/ServiceContainer.java
===================================================================
--- branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/service/ServiceContainer.java 2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/service/ServiceContainer.java 2007-09-27 23:11:40 UTC (rev 65665)
@@ -23,6 +23,7 @@
import org.jboss.annotation.ejb.Management;
import org.jboss.annotation.ejb.Service;
+import org.jboss.annotation.security.SecurityDomain;
import org.jboss.aop.AspectManager;
import org.jboss.aop.MethodInfo;
import org.jboss.aop.advice.Interceptor;
@@ -45,6 +46,8 @@
import org.jboss.ejb3.timerservice.TimerServiceFactory;
import org.jboss.injection.Injector;
import org.jboss.logging.Logger;
+import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SimplePrincipal;
import javax.ejb.EJBException;
import javax.ejb.Handle;
@@ -62,6 +65,7 @@
import javax.management.ObjectName;
import javax.management.ReflectionException;
import java.lang.reflect.Method;
+import java.security.Principal;
import java.util.Hashtable;
/**
@@ -93,7 +97,21 @@
public void callTimeout(Timer timer) throws Exception
{
Method timeout = callbackHandler.getTimeoutCallback();
- if (timeout == null) throw new EJBException("No method has been annotated with @Timeout");
+ if (timeout == null)
+ throw new EJBException("No method has been annotated with @Timeout");
+
+ // pop CallerPrincipal for timeout, set to unauthenticated identity if available
+ Principal oldPrincipal = SecurityAssociation.getCallerPrincipal();
+ SecurityDomain securityDomain = (SecurityDomain)resolveAnnotation(SecurityDomain.class);
+ if (securityDomain != null && securityDomain.unauthenticatedPrincipal().length() > 0)
+ {
+ SecurityAssociation.setPrincipal(new SimplePrincipal(securityDomain.unauthenticatedPrincipal()));
+ }
+ else
+ {
+ SecurityAssociation.setPrincipal(null);
+ }
+
Object[] args = {timer};
AllowedOperationsAssociation.pushInMethodFlag(AllowedOperationsFlags.IN_EJB_TIMEOUT);
try
@@ -109,6 +127,8 @@
finally
{
AllowedOperationsAssociation.popInMethodFlag();
+
+ SecurityAssociation.setPrincipal(oldPrincipal);
}
}
Modified: branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/stateless/StatelessContainer.java
===================================================================
--- branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/stateless/StatelessContainer.java 2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/stateless/StatelessContainer.java 2007-09-27 23:11:40 UTC (rev 65665)
@@ -32,14 +32,18 @@
import javax.ejb.TimerService;
import javax.naming.NamingException;
+import java.security.Principal;
+
import org.jboss.annotation.ejb.LocalBinding;
import org.jboss.annotation.ejb.RemoteBinding;
import org.jboss.annotation.ejb.RemoteBindings;
+import org.jboss.annotation.security.SecurityDomain;
import org.jboss.aop.AspectManager;
import org.jboss.aop.MethodInfo;
import org.jboss.aop.joinpoint.Invocation;
import org.jboss.aop.joinpoint.InvocationResponse;
import org.jboss.aop.joinpoint.MethodInvocation;
+import org.jboss.aop.util.PayloadKey;
import org.jboss.aspects.asynch.FutureHolder;
import org.jboss.ejb.AllowedOperationsAssociation;
import org.jboss.ejb.AllowedOperationsFlags;
@@ -51,8 +55,12 @@
import org.jboss.ejb3.ProxyUtils;
import org.jboss.ejb3.SessionContainer;
import org.jboss.ejb3.interceptor.InterceptorInfoRepository;
+import org.jboss.ejb3.remoting.IsLocalInterceptor;
import org.jboss.ejb3.timerservice.TimedObjectInvoker;
import org.jboss.ejb3.timerservice.TimerServiceFactory;
+import org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor;
+import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SimplePrincipal;
import org.jboss.logging.Logger;
import org.jboss.proxy.ejb.handle.HomeHandleImpl;
import org.jboss.proxy.ejb.handle.StatelessHandleImpl;
@@ -136,7 +144,21 @@
public void callTimeout(Timer timer) throws Exception
{
Method timeout = callbackHandler.getTimeoutCallback();
- if (timeout == null) throw new EJBException("No method has been annotated with @Timeout");
+ if (timeout == null)
+ throw new EJBException("No method has been annotated with @Timeout");
+
+ // pop CallerPrincipal for timeout, set to unauthenticated identity if available
+ Principal oldPrincipal = SecurityAssociation.getCallerPrincipal();
+ SecurityDomain securityDomain = (SecurityDomain)resolveAnnotation(SecurityDomain.class);
+ if (securityDomain != null && securityDomain.unauthenticatedPrincipal().length() > 0)
+ {
+ SecurityAssociation.setPrincipal(new SimplePrincipal(securityDomain.unauthenticatedPrincipal()));
+ }
+ else
+ {
+ SecurityAssociation.setPrincipal(null);
+ }
+
Object[] args = {timer};
ClassLoader oldLoader = Thread.currentThread().getContextClassLoader();
try
@@ -148,6 +170,8 @@
EJBContainerInvocation nextInvocation = new EJBContainerInvocation(info);
nextInvocation.setAdvisor(this);
nextInvocation.setArguments(args);
+ // disable authentication for timers
+ nextInvocation.getMetaData().addMetaData(RoleBasedAuthorizationInterceptor.AUTHORIZATION, RoleBasedAuthorizationInterceptor.IGNORE_AUTHORIZATION, true, PayloadKey.AS_IS);
nextInvocation.invokeNext();
}
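Review bot: The added `addMetaData(...)` line stores the bypass flag with `PayloadKey.AS_IS`, which marks the entry for inclusion in marshalled payloads, while this invocation is created and consumed in-process; `PayloadKey.TRANSIENT` would document that the flag is never meant to leave the container. The comment above it says `disable authentication for timers` but the key is named IGNORE_AUTHORIZATION, and the interceptors consult it for both; `// container-originated timeout: skip authentication and authorization (see Ejb3AuthenticationInterceptor, RoleBasedAuthorizationInterceptor)` would match what actually happens. `org.jboss.ejb3.remoting.IsLocalInterceptor` is imported in an earlier hunk but does not appear in any visible change, so it may be an unused import. The enclosing try block starts in the preceding hunk and ends in the next.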
catch (Throwable throwable)
@@ -163,6 +187,8 @@
finally
{
Thread.currentThread().setContextClassLoader(oldLoader);
+
+ SecurityAssociation.setPrincipal(oldPrincipal);
}
}
Modified: branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/BaseTimerTesterBean.java
===================================================================
--- branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/BaseTimerTesterBean.java 2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/BaseTimerTesterBean.java 2007-09-27 23:11:40 UTC (rev 65665)
@@ -60,7 +60,7 @@
}
- private void reset()
+ protected void reset()
{
timerCalled = false;
timer = null;
Added: branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTester.java
===================================================================
--- branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTester.java (rev 0)
+++ branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTester.java 2007-09-27 23:11:40 UTC (rev 65665)
@@ -0,0 +1,32 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.test.timer;
+
+import java.util.Date;
+
+/**
+ * @author <a href="mailto:bdecoste at jboss.com">William DeCoste</a>
+ */
+public interface SecuredTimerTester extends TimerTester
+{
+ boolean getCallerPrincipalCalled();
+}
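Review bot: `import java.util.Date;` is unused — the interface declares only `getCallerPrincipalCalled()` — and should be dropped. A one-line Javadoc on the method, e.g. `/** Whether a timeout callback was able to read ctx.getCallerPrincipal() without an exception. */`, would explain what the flag reports, since the name alone does not say which outcome it records.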
Modified: branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTesterBean.java
===================================================================
--- branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTesterBean.java 2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTesterBean.java 2007-09-27 23:11:40 UTC (rev 65665)
@@ -37,20 +37,39 @@
*
*/
@Stateless
- at Remote(TimerTester.class)
+ at Remote(SecuredTimerTester.class)
@SecurityDomain("other")
-public class SecuredTimerTesterBean extends BaseTimerTesterBean
+public class SecuredTimerTesterBean extends BaseTimerTesterBean implements SecuredTimerTester
{
private static final Logger log = Logger.getLogger(SecuredTimerTesterBean.class);
+ protected static boolean getCallerPrincipalCalled = false;
+
@Timeout
@PermitAll
public void timeoutHandler(Timer timer)
{
- // We should never get here, because we don't have a principal (unauthenticatedIdentity is not set)
log.info("EJB TIMEOUT!!!!");
- log.info("caller principal = " + ctx.getCallerPrincipal());
timerCalled = true;
+
+ // This should fail, because we don't have a principal (unauthenticatedIdentity is not set)
+ try
+ {
+ log.info("caller principal = " + ctx.getCallerPrincipal());
+ getCallerPrincipalCalled = true;
+ }
+ catch (Exception e){}
+
//timer.cancel();
}
+
+ public boolean getCallerPrincipalCalled()
+ {
+ return getCallerPrincipalCalled;
+ }
+
+ protected void reset()
+ {
+ getCallerPrincipalCalled = false;
+ }
}
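Review bot: The `reset()` override at the end of the class never calls `super.reset()`, so the base class's `timerCalled = false; timer = null;` (visible in the BaseTimerTesterBean hunk, which widened reset() to protected for this override) no longer runs for this bean, and a `timerCalled` left over from an earlier timer could satisfy a later `isTimerCalled()` assertion. Start the override with `super.reset();`. The empty `catch (Exception e){}` is deliberate here, since the test expects getCallerPrincipal to fail, but `log.info("getCallerPrincipal failed as expected", e);` would distinguish the expected exception from an unrelated failure. `getCallerPrincipalCalled` is used as both a static field name and a method name, which reads oddly; renaming the field (e.g. `callerPrincipalAvailable`) would help.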
Modified: branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/unit/RemoteUnitTestCase.java
===================================================================
--- branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/unit/RemoteUnitTestCase.java 2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/unit/RemoteUnitTestCase.java 2007-09-27 23:11:40 UTC (rev 65665)
@@ -26,6 +26,7 @@
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
+import org.jboss.ejb3.test.timer.SecuredTimerTester;
import org.jboss.ejb3.test.timer.TimerTester;
import org.jboss.ejb3.test.timer.LifecycleRemote;
import org.jboss.security.SecurityAssociation;
@@ -86,31 +87,35 @@
SecurityAssociation.setPrincipal(new SimplePrincipal("somebody"));
SecurityAssociation.setCredential("password".toCharArray());
- TimerTester test = (TimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
+ SecuredTimerTester test = (SecuredTimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
test.startTimer(5000);
test.accessTimer();
Thread.sleep(6000);
- assertFalse("EJBTHREE-1027: timer should not have been called", test.isTimerCalled());
- test.startTimerViaEJBContext(5000);
+ assertTrue("EJBTHREE-1027: timer should be called", test.isTimerCalled());
+ assertFalse("EJBTHREE-1027: timer getCallerPrincipal should have failed", test.getCallerPrincipalCalled());
+ test.startTimerViaEJBContext(3000);
test.accessTimer();
Thread.sleep(6000);
- assertFalse("EJBTHREE-1027: timer should not have been called", test.isTimerCalled());
+ assertTrue("EJBTHREE-1027: timer should be called", test.isTimerCalled());
+ assertFalse("EJBTHREE-1027: timer getCallerPrincipal should have failed", test.getCallerPrincipalCalled());
}
// EJBTHREE-1027
public void testSecurityWithPersistence() throws Exception
{
- TimerTester test = (TimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
+ SecuredTimerTester test = (SecuredTimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
long when = System.currentTimeMillis() + 5000;
test.setTimer(new Date(when));
redeploy("timer-test.jar");
- test = (TimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
+ test = (SecuredTimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
long wait = 1000 + (when - System.currentTimeMillis());
if(wait > 0)
Thread.sleep(wait);
- assertFalse("EJBTHREE-1027: timer should not have been called", test.isTimerCalled());
+
+ assertTrue("EJBTHREE-1027: timer should be called", test.isTimerCalled());
+ assertFalse("EJBTHREE-1027: timer getCallerPrincipal should have failed", test.getCallerPrincipalCalled());
}
public void testService() throws Exception