[jboss-cvs] JBossAS SVN: r65665 - in branches/Branch_4_2/ejb3/src: main/org/jboss/ejb3/security and 4 other directories.

Thu Sep 27 19:11:41 EDT 2007


Author: bdecoste
Date: 2007-09-27 19:11:40 -0400 (Thu, 27 Sep 2007)
New Revision: 65665

Added:
   branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTester.java
Modified:
   branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/mdb/MessagingContainer.java
   branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java
   branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java
   branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/service/ServiceContainer.java
   branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/stateless/StatelessContainer.java
   branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/BaseTimerTesterBean.java
   branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTesterBean.java
   branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/unit/RemoteUnitTestCase.java
Log:
[EJBTHREE-1027] [JBAS-4572] fix, with updated tests, for secured timeouts and for getCallerPrincipal called from within a timeout

Modified: branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/mdb/MessagingContainer.java
===================================================================
--- branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/mdb/MessagingContainer.java	2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/mdb/MessagingContainer.java	2007-09-27 23:11:40 UTC (rev 65665)
@@ -22,6 +22,7 @@
 package org.jboss.ejb3.mdb;
 
 import org.jboss.annotation.ejb.ResourceAdapter;
+import org.jboss.annotation.security.SecurityDomain;
 import org.jboss.aop.AspectManager;
 import org.jboss.aop.MethodInfo;
 import org.jboss.aop.advice.Interceptor;
@@ -35,6 +36,8 @@
 import org.jboss.jms.jndi.JMSProviderAdapter;
 import org.jboss.logging.Logger;
 import org.jboss.metadata.ActivationConfigPropertyMetaData;
+import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SimplePrincipal;
 
 import javax.ejb.*;
 import javax.ejb.Timer;
@@ -47,6 +50,7 @@
 import javax.naming.NamingException;
 import java.lang.reflect.Field;
 import java.lang.reflect.Method;
+import java.security.Principal;
 import java.util.*;
 
 /**
@@ -265,7 +269,21 @@
    public void callTimeout(Timer timer) throws Exception
    {
       Method timeout = callbackHandler.getTimeoutCallback();
-      if (timeout == null) throw new EJBException("No method has been annotated with @Timeout");
+      if (timeout == null)
+         throw new EJBException("No method has been annotated with @Timeout");
+      
+      // pop CallerPrincipal for timeout, set to unauthenticated identity if available
+      Principal oldPrincipal = SecurityAssociation.getCallerPrincipal();
+      SecurityDomain securityDomain = (SecurityDomain)resolveAnnotation(SecurityDomain.class);
+      if (securityDomain != null && securityDomain.unauthenticatedPrincipal().length() > 0)
+      {
+         SecurityAssociation.setPrincipal(new SimplePrincipal(securityDomain.unauthenticatedPrincipal()));
+      }
+      else
+      {
+         SecurityAssociation.setPrincipal(null);
+      }
+      
       Object[] args = {timer};
       try
       {
@@ -276,6 +294,10 @@
          if (throwable instanceof Exception) throw (Exception) throwable;
          throw new RuntimeException(throwable);
       }
+      finally
+      {
+         SecurityAssociation.setPrincipal(oldPrincipal);
+      }
    }
 
 

Modified: branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java
===================================================================
--- branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java	2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java	2007-09-27 23:11:40 UTC (rev 65665)
@@ -103,7 +103,11 @@
          {
             SecurityRolesAssociation.setSecurityRoles(container.getAssemblyDescriptor().getPrincipalVersusRolesMap());
          }
-         return super.invoke(invocation);
+         Object ignoreFlag = invocation.getMetaData(RoleBasedAuthorizationInterceptor.AUTHORIZATION, RoleBasedAuthorizationInterceptor.IGNORE_AUTHORIZATION);
+         if (ignoreFlag != null)
+            return invocation.invokeNext();
+         else
+            return super.invoke(invocation);
       }
       finally
       { 
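Review bot: `if (ignoreFlag != null)` switches authentication off based on a key in the invocation's metadata, and nothing in this hunk establishes that the metadata was placed there by the container rather than arriving with a remote invocation's payload; if AOP invocation metadata stored under PayloadKey.AS_IS is transported from the client, a remote caller could present this key and skip authentication. The bypass should be gated on a server-side fact instead — for instance that the invocation is a locally created timer callback — or the marker kept under a key that is never unmarshalled from the wire, and the test made explicit: `boolean skipAuth = Boolean.TRUE.equals(invocation.getMetaData(RoleBasedAuthorizationInterceptor.AUTHORIZATION, RoleBasedAuthorizationInterceptor.IGNORE_AUTHORIZATION));`. The same check is repeated in RoleBasedAuthorizationInterceptor.invoke in this commit and needs the same treatment. The enclosing invoke method starts before and ends after this hunk.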

Modified: branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java
===================================================================
--- branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java	2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java	2007-09-27 23:11:40 UTC (rev 65665)
@@ -51,6 +51,9 @@
 {
    private static final Logger log = Logger.getLogger(RoleBasedAuthorizationInterceptor.class);
    
+   public static final String AUTHORIZATION = "AUTHORIZATION";
+   public static final String IGNORE_AUTHORIZATION = "IGNORE_AUTHORIZATION";
+   
    private EJBContainer container;
    
    public RoleBasedAuthorizationInterceptor(AuthenticationManager manager, RealmMapping realmMapping, Container container)
@@ -105,7 +108,11 @@
    {
       try
       {
-         return super.invoke(invocation);
+         Object ignoreFlag = invocation.getMetaData(RoleBasedAuthorizationInterceptor.AUTHORIZATION, RoleBasedAuthorizationInterceptor.IGNORE_AUTHORIZATION);
+         if (ignoreFlag != null)
+            return invocation.invokeNext();
+         else
+            return super.invoke(invocation);
       }
       catch (SecurityException throwable)
       {
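Review bot: The lookup `invocation.getMetaData(RoleBasedAuthorizationInterceptor.AUTHORIZATION, RoleBasedAuthorizationInterceptor.IGNORE_AUTHORIZATION)` is now duplicated verbatim here and in Ejb3AuthenticationInterceptor; a single `public static boolean isAuthorizationIgnored(Invocation invocation)` on this class, next to the two constants, would keep both interceptors in step if the key or its meaning changes. Inside this class the `RoleBasedAuthorizationInterceptor.` qualifier is redundant. The two constants added in the previous hunk also deserve a Javadoc line stating who sets them and why, e.g. `/** Invocation metadata group and key that the containers attach to timer callbacks so the security interceptors pass them through. */`. invoke's body continues outside this hunk.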

Modified: branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/service/ServiceContainer.java
===================================================================
--- branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/service/ServiceContainer.java	2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/service/ServiceContainer.java	2007-09-27 23:11:40 UTC (rev 65665)
@@ -23,6 +23,7 @@
 
 import org.jboss.annotation.ejb.Management;
 import org.jboss.annotation.ejb.Service;
+import org.jboss.annotation.security.SecurityDomain;
 import org.jboss.aop.AspectManager;
 import org.jboss.aop.MethodInfo;
 import org.jboss.aop.advice.Interceptor;
@@ -45,6 +46,8 @@
 import org.jboss.ejb3.timerservice.TimerServiceFactory;
 import org.jboss.injection.Injector;
 import org.jboss.logging.Logger;
+import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SimplePrincipal;
 
 import javax.ejb.EJBException;
 import javax.ejb.Handle;
@@ -62,6 +65,7 @@
 import javax.management.ObjectName;
 import javax.management.ReflectionException;
 import java.lang.reflect.Method;
+import java.security.Principal;
 import java.util.Hashtable;
 
 /**
@@ -93,7 +97,21 @@
    public void callTimeout(Timer timer) throws Exception
    {
       Method timeout = callbackHandler.getTimeoutCallback();
-      if (timeout == null) throw new EJBException("No method has been annotated with @Timeout");
+      if (timeout == null)
+         throw new EJBException("No method has been annotated with @Timeout");
+      
+      // pop CallerPrincipal for timeout, set to unauthenticated identity if available
+      Principal oldPrincipal = SecurityAssociation.getCallerPrincipal();
+      SecurityDomain securityDomain = (SecurityDomain)resolveAnnotation(SecurityDomain.class);
+      if (securityDomain != null && securityDomain.unauthenticatedPrincipal().length() > 0)
+      {
+         SecurityAssociation.setPrincipal(new SimplePrincipal(securityDomain.unauthenticatedPrincipal()));
+      }
+      else
+      {
+         SecurityAssociation.setPrincipal(null);
+      }
+      
       Object[] args = {timer};
       AllowedOperationsAssociation.pushInMethodFlag(AllowedOperationsFlags.IN_EJB_TIMEOUT);
       try
@@ -109,6 +127,8 @@
       finally
       {
          AllowedOperationsAssociation.popInMethodFlag();
+         
+         SecurityAssociation.setPrincipal(oldPrincipal);
       }
    }
 

Modified: branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/stateless/StatelessContainer.java
===================================================================
--- branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/stateless/StatelessContainer.java	2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/main/org/jboss/ejb3/stateless/StatelessContainer.java	2007-09-27 23:11:40 UTC (rev 65665)
@@ -32,14 +32,18 @@
 import javax.ejb.TimerService;
 import javax.naming.NamingException;
 
+import java.security.Principal;
+
 import org.jboss.annotation.ejb.LocalBinding;
 import org.jboss.annotation.ejb.RemoteBinding;
 import org.jboss.annotation.ejb.RemoteBindings;
+import org.jboss.annotation.security.SecurityDomain;
 import org.jboss.aop.AspectManager;
 import org.jboss.aop.MethodInfo;
 import org.jboss.aop.joinpoint.Invocation;
 import org.jboss.aop.joinpoint.InvocationResponse;
 import org.jboss.aop.joinpoint.MethodInvocation;
+import org.jboss.aop.util.PayloadKey;
 import org.jboss.aspects.asynch.FutureHolder;
 import org.jboss.ejb.AllowedOperationsAssociation;
 import org.jboss.ejb.AllowedOperationsFlags;
@@ -51,8 +55,12 @@
 import org.jboss.ejb3.ProxyUtils;
 import org.jboss.ejb3.SessionContainer;
 import org.jboss.ejb3.interceptor.InterceptorInfoRepository;
+import org.jboss.ejb3.remoting.IsLocalInterceptor;
 import org.jboss.ejb3.timerservice.TimedObjectInvoker;
 import org.jboss.ejb3.timerservice.TimerServiceFactory;
+import org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor;
+import org.jboss.security.SecurityAssociation;
+import org.jboss.security.SimplePrincipal;
 import org.jboss.logging.Logger;
 import org.jboss.proxy.ejb.handle.HomeHandleImpl;
 import org.jboss.proxy.ejb.handle.StatelessHandleImpl;
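Review bot: `import org.jboss.ejb3.remoting.IsLocalInterceptor;` is added but none of this file's hunks reference it; if the rest of the file does not either, it should be dropped. A local-origin check of that kind would in fact be a sound way to guard the IGNORE_AUTHORIZATION pass-through added below, but nothing here wires it in. In the previous hunk `import java.security.Principal;` is placed between the javax.* and org.* groups rather than with the other java.* imports.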
@@ -136,7 +144,21 @@
    public void callTimeout(Timer timer) throws Exception
    {
       Method timeout = callbackHandler.getTimeoutCallback();
-      if (timeout == null) throw new EJBException("No method has been annotated with @Timeout");
+      if (timeout == null)
+         throw new EJBException("No method has been annotated with @Timeout");
+   
+      // pop CallerPrincipal for timeout, set to unauthenticated identity if available
+      Principal oldPrincipal = SecurityAssociation.getCallerPrincipal();
+      SecurityDomain securityDomain = (SecurityDomain)resolveAnnotation(SecurityDomain.class);
+      if (securityDomain != null && securityDomain.unauthenticatedPrincipal().length() > 0)
+      {
+         SecurityAssociation.setPrincipal(new SimplePrincipal(securityDomain.unauthenticatedPrincipal()));
+      }
+      else
+      {
+         SecurityAssociation.setPrincipal(null);
+      }
+      
       Object[] args = {timer};
       ClassLoader oldLoader = Thread.currentThread().getContextClassLoader();
       try
@@ -148,6 +170,8 @@
             EJBContainerInvocation nextInvocation = new EJBContainerInvocation(info);
             nextInvocation.setAdvisor(this);
             nextInvocation.setArguments(args);
+            // disable authentication for timers
+            nextInvocation.getMetaData().addMetaData(RoleBasedAuthorizationInterceptor.AUTHORIZATION, RoleBasedAuthorizationInterceptor.IGNORE_AUTHORIZATION, true, PayloadKey.AS_IS);
             nextInvocation.invokeNext();
          }
          catch (Throwable throwable)
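Review bot: The comment `// disable authentication for timers` understates what the flag does: the same key is read by RoleBasedAuthorizationInterceptor in this commit, so role checks on the @Timeout method are skipped as well; `// timer callbacks carry no caller identity: the authentication and role-based authorization interceptors both pass them through` would stop the next reader from assuming @RolesAllowed still applies. The value `true` is stored but the interceptors only test for a non-null entry, so `false` would disable security just the same; either test `Boolean.TRUE.equals(...)` in the interceptors or say here that presence alone is the signal. The enclosing try block starts before this hunk.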
@@ -163,6 +187,8 @@
       finally
       {
          Thread.currentThread().setContextClassLoader(oldLoader);
+         
+         SecurityAssociation.setPrincipal(oldPrincipal);
       }
    }
 

Modified: branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/BaseTimerTesterBean.java
===================================================================
--- branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/BaseTimerTesterBean.java	2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/BaseTimerTesterBean.java	2007-09-27 23:11:40 UTC (rev 65665)
@@ -60,7 +60,7 @@
       
    }
    
-   private void reset()
+   protected void reset()
    {
       timerCalled = false;
       timer = null;

Added: branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTester.java
===================================================================
--- branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTester.java	                        (rev 0)
+++ branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTester.java	2007-09-27 23:11:40 UTC (rev 65665)
@@ -0,0 +1,32 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2006, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.ejb3.test.timer;
+
+import java.util.Date;
+
+/**
+ * @author <a href="mailto:bdecoste at jboss.com">William DeCoste</a>
+ */
+public interface SecuredTimerTester extends TimerTester
+{
+   boolean getCallerPrincipalCalled();
+}
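Review bot: `import java.util.Date;` is unused in this interface — `getCallerPrincipalCalled()` is its only member and everything else is inherited from TimerTester — and should be removed. A one-line Javadoc on the method would help the test reader: `/** True if the last timeout callback could call ctx.getCallerPrincipal() without an exception. */`.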

Modified: branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTesterBean.java
===================================================================
--- branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTesterBean.java	2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/SecuredTimerTesterBean.java	2007-09-27 23:11:40 UTC (rev 65665)
@@ -37,20 +37,39 @@
  *
  */
 @Stateless
- at Remote(TimerTester.class)
+ at Remote(SecuredTimerTester.class)
 @SecurityDomain("other")
-public class SecuredTimerTesterBean extends BaseTimerTesterBean
+public class SecuredTimerTesterBean extends BaseTimerTesterBean implements SecuredTimerTester
 {
    private static final Logger log = Logger.getLogger(SecuredTimerTesterBean.class);
    
+   protected static boolean getCallerPrincipalCalled = false;
+   
    @Timeout
    @PermitAll
    public void timeoutHandler(Timer timer)
    {
-      // We should never get here, because we don't have a principal (unauthenticatedIdentity is not set)
       log.info("EJB TIMEOUT!!!!");
-      log.info("caller principal = " + ctx.getCallerPrincipal());
       timerCalled = true;
+
+      // This should fail, because we don't have a principal (unauthenticatedIdentity is not set)
+      try
+      {
+         log.info("caller principal = " + ctx.getCallerPrincipal());
+         getCallerPrincipalCalled = true;
+      }
+      catch (Exception e){}
+    
       //timer.cancel();
    }
+   
+   public boolean getCallerPrincipalCalled()
+   {
+      return getCallerPrincipalCalled;
+   }
+   
+   protected void reset()
+   {
+      getCallerPrincipalCalled = false;
+   }
 }
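Review bot: `protected void reset()` replaces the base implementation instead of extending it, so `timerCalled` and `timer` in BaseTimerTesterBean are no longer cleared for this bean; the override should begin with `super.reset();`. As written, the second `assertTrue(... test.isTimerCalled())` in RemoteUnitTestCase.testSecurity can be satisfied by the first timer's firing alone, if startTimerViaEJBContext relies on reset() to clear the flag. `catch (Exception e){}` also hides which exception getCallerPrincipal threw; catching the narrower type the container actually raises (IllegalStateException, if that is what it is) and logging it at debug level keeps a genuine failure visible. The static `getCallerPrincipalCalled` is shared across pooled instances, which appears intended since the test reads it through a different instance than the one that ran the timeout.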

Modified: branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/unit/RemoteUnitTestCase.java
===================================================================
--- branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/unit/RemoteUnitTestCase.java	2007-09-27 22:16:29 UTC (rev 65664)
+++ branches/Branch_4_2/ejb3/src/test/org/jboss/ejb3/test/timer/unit/RemoteUnitTestCase.java	2007-09-27 23:11:40 UTC (rev 65665)
@@ -26,6 +26,7 @@
 import javax.management.MBeanServerConnection;
 import javax.management.ObjectName;
 
+import org.jboss.ejb3.test.timer.SecuredTimerTester;
 import org.jboss.ejb3.test.timer.TimerTester;
 import org.jboss.ejb3.test.timer.LifecycleRemote;
 import org.jboss.security.SecurityAssociation;
@@ -86,31 +87,35 @@
       SecurityAssociation.setPrincipal(new SimplePrincipal("somebody"));
       SecurityAssociation.setCredential("password".toCharArray());
       
-      TimerTester test = (TimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
+      SecuredTimerTester test = (SecuredTimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
       test.startTimer(5000);
       test.accessTimer();
       Thread.sleep(6000);
-      assertFalse("EJBTHREE-1027: timer should not have been called", test.isTimerCalled());
-      test.startTimerViaEJBContext(5000);
+      assertTrue("EJBTHREE-1027: timer should be called", test.isTimerCalled());
+      assertFalse("EJBTHREE-1027: timer getCallerPrincipal should have failed", test.getCallerPrincipalCalled());
+      test.startTimerViaEJBContext(3000);
       test.accessTimer();
       Thread.sleep(6000);
-      assertFalse("EJBTHREE-1027: timer should not have been called", test.isTimerCalled());
+      assertTrue("EJBTHREE-1027: timer should be called", test.isTimerCalled());
+      assertFalse("EJBTHREE-1027: timer getCallerPrincipal should have failed", test.getCallerPrincipalCalled());
    }
    
    // EJBTHREE-1027
    public void testSecurityWithPersistence() throws Exception
    {
-      TimerTester test = (TimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
+      SecuredTimerTester test = (SecuredTimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
       long when = System.currentTimeMillis() + 5000;
       test.setTimer(new Date(when));
       
       redeploy("timer-test.jar");
       
-      test = (TimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
+      test = (SecuredTimerTester) getInitialContext().lookup("SecuredTimerTesterBean/remote");
       long wait = 1000 + (when - System.currentTimeMillis());
       if(wait > 0)
          Thread.sleep(wait);
-      assertFalse("EJBTHREE-1027: timer should not have been called", test.isTimerCalled());
+      
+      assertTrue("EJBTHREE-1027: timer should be called", test.isTimerCalled());
+      assertFalse("EJBTHREE-1027: timer getCallerPrincipal should have failed", test.getCallerPrincipalCalled());
    }
    
    public void testService() throws Exception



