[jboss-cvs] JBossAS SVN: r72051 - in projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3: security and 1 other directory.
jboss-cvs-commits at lists.jboss.org
Fri Apr 11 16:07:43 EDT 2008
Author: anil.saldhana at jboss.com
Date: 2008-04-11 16:07:43 -0400 (Fri, 11 Apr 2008)
New Revision: 72051
Removed:
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccHelper.java
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RunAsSecurityInterceptor.java
Modified:
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/embedded/EJB3StandaloneDeployment.java
Log:
EJBTHREE-1262: remove the classes that refer to aspects/security and also remove the JaccHelper class
Modified: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/embedded/EJB3StandaloneDeployment.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/embedded/EJB3StandaloneDeployment.java 2008-04-11 19:56:27 UTC (rev 72050)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/embedded/EJB3StandaloneDeployment.java 2008-04-11 20:07:43 UTC (rev 72051)
@@ -30,8 +30,7 @@
import org.jboss.ejb3.MCDependencyPolicy;
import org.jboss.ejb3.MCKernelAbstraction;
import org.jboss.ejb3.javaee.JavaEEApplication;
-import org.jboss.ejb3.javaee.JavaEEComponent;
-import org.jboss.ejb3.security.JaccHelper;
+import org.jboss.ejb3.javaee.JavaEEComponent;
import org.jboss.kernel.Kernel;
/**
@@ -75,7 +74,8 @@
protected PolicyConfiguration createPolicyConfiguration() throws Exception
{
- return JaccHelper.initialiseJacc(getJaccContextId());
+ return null;
+ //return JaccHelper.initialiseJacc(getJaccContextId());
}
/*
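Review bot: `createPolicyConfiguration()` now returns null unconditionally, so any caller that dereferences the returned PolicyConfiguration (to commit it, link it, or add method permissions) will fail with a NullPointerException, and an embedded deployment otherwise runs with no JACC policy configured at all; the hunk does not show the callers, so which of the two happens is inferred. If null is the intended stand-in until the replacement security integration lands, make that part of the contract: add a Javadoc line such as `/** Returns null: JACC policy configuration is disabled pending EJBTHREE-1262; callers must guard for null. */` above the method so the absence of authorization setup is explicit rather than accidental. The commented-out call `//return JaccHelper.initialiseJacc(getJaccContextId());` should be dropped, since JaccHelper is deleted in this same commit and version history already preserves the old code; a `// TODO(EJBTHREE-1262): restore JACC initialisation` comment says the same thing without leaving dead code that references a class that no longer exists.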
Deleted: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java 2008-04-11 19:56:27 UTC (rev 72050)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/Ejb3AuthenticationInterceptor.java 2008-04-11 20:07:43 UTC (rev 72051)
@@ -1,150 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2006, Red Hat Middleware LLC, and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-package org.jboss.ejb3.security;
-
-import java.security.GeneralSecurityException;
-import java.security.Principal;
-import java.util.Map;
-import java.util.Set;
-
-import javax.ejb.EJBAccessException;
-import javax.security.auth.Subject;
-
-import org.jboss.aop.joinpoint.Invocation;
-import org.jboss.aspects.security.AuthenticationInterceptor;
-import org.jboss.ejb3.Container;
-import org.jboss.ejb3.EJBContainer;
-import org.jboss.ejb3.annotation.SecurityDomain;
-import org.jboss.logging.Logger;
-import org.jboss.security.AuthenticationManager;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.SecurityAssociation;
-import org.jboss.security.SecurityContext;
-import org.jboss.security.SecurityRolesAssociation;
-import org.jboss.security.SimplePrincipal;
-import org.jboss.security.plugins.SecurityContextAssociation;
-
-/**
- * Authentication Interceptor
- *
- * @author <a href="mailto:bill at jboss.org">Bill Burke</a>
- * @author Anil.Saldhana at jboss.org
- * @version $Revision$
- */
-public class Ejb3AuthenticationInterceptor extends AuthenticationInterceptor
-{
- private static final Logger log = Logger.getLogger(Ejb3AuthenticationInterceptor.class);
-
- private EJBContainer container;
- protected RealmMapping realmMapping;
-
- /**
- * AuthenticationInterceptor which bypasses the AuthenticationManager, so
- * an unauthenticated principal won't be authenticated against an AuthenticationManager.
- */
- private AuthenticationInterceptor unauthenticatedAuthenticationInterceptor;
-
- public Ejb3AuthenticationInterceptor(final AuthenticationManager manager, Container container)
- {
- super(manager);
- this.container = (EJBContainer)container;
- this.realmMapping = (RealmMapping)manager;
- // TODO: can be optimized to only instantiate when securityDomain has an unauthenticatedPrincipal
- this.unauthenticatedAuthenticationInterceptor = new AuthenticationInterceptor(null)
- {
- @Override
- protected void authenticate(Invocation invocation) throws Exception
- {
- super.authenticate(invocation);
-
- // if we have a manager mimic run as stuff, so we end up with a Subject for JACC
- if(manager != null)
- {
- Principal principal = (Principal)invocation.getMetaData("security", "principal");
- Subject subject = new Subject();
- String securityDomain = manager.getSecurityDomain();
- SecurityContext sc = SecurityActions.createSecurityContext(principal, null, subject, securityDomain);
- SecurityContextAssociation.setSecurityContext(sc);
- }
- }
- };
- }
-
- protected void handleGeneralSecurityException(GeneralSecurityException gse)
- {
- log.debug("Authentication failure", gse);
- throw new EJBAccessException("Authentication failure");
- }
-
- public Object invoke(org.jboss.aop.joinpoint.Invocation invocation) throws Throwable
- {
- SecurityDomain domain = (SecurityDomain)container.resolveAnnotation(SecurityDomain.class);
-
- if (domain != null && domain.unauthenticatedPrincipal() != null && domain.unauthenticatedPrincipal().length() != 0)
- {
- Principal principal = (Principal)invocation.getMetaData("security", "principal");
- if (principal == null)
- principal = SecurityAssociation.getPrincipal();
-
- if (principal == null)
- {
- // we don't have a principal, but we do have an unauthenticatedPrincipal we can use
- principal = new TrustedPrincipal(domain.unauthenticatedPrincipal());
-
- // this will be picked up by the AuthenticationInterceptor
- invocation.getMetaData().addMetaData("security", "principal", principal);
- }
-
- // Either we got it from an earlier pass or we just instantiated it
- if(principal != null && principal instanceof TrustedPrincipal)
- {
- // call an AuthenticationInterceptor which doesn't authenticate
- return unauthenticatedAuthenticationInterceptor.invoke(invocation);
- }
- }
- try
- {
- //Set a map of principal-roles that may be configured at deployment level
- if(container.getAssemblyDescriptor() != null)
- {
- Map<String, Set<String>> securityRoles = null;
- //SecurityRolesAssociation.setSecurityRoles(container.getAssemblyDescriptor().getPrincipalVersusRolesMap());
- SecurityRolesAssociation.setSecurityRoles(securityRoles);
- }
- return super.invoke(invocation);
- }
- finally
- {
- SecurityRolesAssociation.setSecurityRoles(null);
- }
- }
-
- class TrustedPrincipal extends SimplePrincipal
- {
- private static final long serialVersionUID = 1L;
-
- public TrustedPrincipal(String name)
- {
- super(name);
- }
- }
-}
Deleted: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java 2008-04-11 19:56:27 UTC (rev 72050)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccAuthorizationInterceptor.java 2008-04-11 20:07:43 UTC (rev 72051)
@@ -1,130 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2006, Red Hat Middleware LLC, and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-package org.jboss.ejb3.security;
-
-import java.lang.reflect.Method;
-import java.security.CodeSource;
-
-import javax.security.jacc.EJBMethodPermission;
-
-import org.jboss.aop.advice.Interceptor;
-import org.jboss.aop.joinpoint.Invocation;
-import org.jboss.aop.joinpoint.MethodInvocation;
-import org.jboss.logging.Logger;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.jacc.DelegatingPolicy;
-
-
-/**
- * This interceptor is where the JACC authorization is performed.
- *
- * @author <a href="mailto:Scott.Stark at jboss.org">Scott Stark</a>.
- * @version $Revision$
- */
-public class JaccAuthorizationInterceptor implements Interceptor
-{
- private static final Logger log = Logger.getLogger(JaccAuthorizationInterceptor.class);
-
- public static final String JACC = "JACC";
- public static final String CTX = "ctx";
-
- private String ejbName;
- private CodeSource ejbCS;
- private RealmMapping realmMapping;
-
- public JaccAuthorizationInterceptor(String ejbName, CodeSource cs)
- {
- this.ejbName = ejbName;
- this.ejbCS = cs;
- }
-
- public String getName()
- {
- return "JaccAuthorizationInterceptor";
- }
-
- public void setRealmMapping(RealmMapping ssm)
- {
- this.realmMapping = ssm;
- }
-
- public Object invoke(Invocation inv) throws Throwable
- {
- try
- {
- checkSecurityAssociation((MethodInvocation) inv);
- return inv.invokeNext();
- }
- catch (ClassCastException e)
- {
- throw new RuntimeException("Jacc authorization is only available for method invocations", e);
- }
- }
-
- /**
- * Authorize the caller's access to the method invocation
- */
- private void checkSecurityAssociation(MethodInvocation mi) throws Throwable
- {
- String contextID = (String) mi.getMetaData(JACC, CTX);
- SecurityActions.setContextID(contextID);
-
- if(log.isTraceEnabled())
- log.trace("permissions: " + DelegatingPolicy.getInstance().getPermissions(ejbCS));
-
- //EJBArgsPolicyContextHandler.setArgs(mi.getArguments());
-
- //Set custom JACC policy handlers - Following used in EJB 2, but just seems to be ignored
- //BeanMetaDataPolicyContextHandler.setMetaData(null);
-
- Method m = mi.getMethod();
-
- SecurityHelper shelper = new SecurityHelper();
-
- String iface = !shelper.isLocalCall(mi) ? "Remote" : "Local";
-
- EJBMethodPermission methodPerm = new EJBMethodPermission(ejbName, iface, m);
- if(realmMapping != null)
- {
- JaccHelper.checkPermission(ejbCS, methodPerm,realmMapping);
- }
- /*// Get the caller
- Subject caller = SecurityActions.getContextSubject();
-
- Principal[] principals = null;
- if( caller != null )
- {
- // Get the caller principals
- Set principalsSet = caller.getPrincipals();
- principals = new Principal[principalsSet.size()];
- principalsSet.toArray(principals);
- }
-
- ProtectionDomain pd = new ProtectionDomain (ejbCS, null, null, principals);
- if( policy.implies(pd, methodPerm) == false )
- {
- String msg = "Denied: "+methodPerm+", caller=" + caller;
- SecurityException e = new SecurityException(msg);
- throw e;
- }*/
- }
-}
Deleted: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java 2008-04-11 19:56:27 UTC (rev 72050)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccAuthorizationInterceptorFactory.java 2008-04-11 20:07:43 UTC (rev 72051)
@@ -1,59 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2006, Red Hat Middleware LLC, and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-
-package org.jboss.ejb3.security;
-
-import java.security.CodeSource;
-
-import org.jboss.aop.Advisor;
-import org.jboss.aop.advice.AspectFactory;
-import org.jboss.ejb3.EJBContainer;
-import org.jboss.security.RealmMapping;
-
-/**
- * JACC Authorization Interceptor factory
- * @author <a href="mailto:kabir.khan at jboss.org">Kabir Khan</a>
- * @author Anil.Saldhana at jboss.org
- * @version $Revision$
- */
-public class JaccAuthorizationInterceptorFactory extends PerClassAspectFactoryAdaptor
-implements AspectFactory
-{
- public Object createPerClass(Advisor advisor)
- {
- try
- {
- CodeSource ejbCS = advisor.getClazz().getProtectionDomain().getCodeSource();
-
- // Must be a separate line (EJBContainer cannot be dereferenced)
- EJBContainer container = EJBContainer.getEJBContainer(advisor);
- String ejbName = container.getEjbName();
- JaccAuthorizationInterceptor jai = new JaccAuthorizationInterceptor(ejbName, ejbCS);
- jai.setRealmMapping(container.getSecurityManager(RealmMapping.class));
- return jai;
- }
- catch (Exception e)
- {
- throw new RuntimeException(e);
- }
- }
-}
\ No newline at end of file
Deleted: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccHelper.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccHelper.java 2008-04-11 19:56:27 UTC (rev 72050)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/JaccHelper.java 2008-04-11 20:07:43 UTC (rev 72051)
@@ -1,365 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2006, Red Hat Middleware LLC, and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-
-package org.jboss.ejb3.security;
-
-import java.lang.reflect.Method;
-import java.security.CodeSource;
-import java.security.Policy;
-import java.security.Principal;
-import java.security.ProtectionDomain;
-import java.util.Set;
-
-import javax.annotation.security.DeclareRoles;
-import javax.annotation.security.DenyAll;
-import javax.annotation.security.PermitAll;
-import javax.annotation.security.RolesAllowed;
-import javax.ejb.EJBAccessException;
-import javax.security.auth.Subject;
-import javax.security.jacc.EJBMethodPermission;
-import javax.security.jacc.EJBRoleRefPermission;
-import javax.security.jacc.PolicyConfiguration;
-import javax.security.jacc.PolicyConfigurationFactory;
-import javax.security.jacc.PolicyContextException;
-
-import org.jboss.aop.metadata.SimpleClassMetaDataBinding;
-import org.jboss.aop.metadata.SimpleClassMetaDataLoader;
-import org.jboss.deployers.structure.spi.DeploymentUnit;
-import org.jboss.deployment.DeploymentInfo;
-import org.jboss.ejb3.EJBContainer;
-import org.jboss.ejb3.annotation.SecurityDomain;
-import org.jboss.logging.Logger;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.RunAsIdentity;
-
-/**
- * JACC Helper class that created permissions as well as done the checks
- * @author <a href="mailto:kabir.khan at jboss.org">Kabir Khan</a>
- * @author Anil.Saldhana at jboss.com
- * @author adrian at jboss.org
- * @version $Revision$
- */
-public class JaccHelper
-{
- static Logger log = Logger.getLogger(JaccHelper.class);
-
- /**
- * Creates a new policy configuration on (re)deployment. Context ID used is based on
- * name of app, so we make sure we clean out any existing policy with that id.
- */
- public static PolicyConfiguration initialiseJacc(String contextID) throws Exception
- {
- log.trace("Initialising JACC Context for deployment: " + contextID);
- PolicyConfigurationFactory pcFactory = Ejb3PolicyConfigurationFactory.getPolicyConfigurationFactory();
- boolean removeExistingContext = true;
- PolicyConfiguration pc = pcFactory.getPolicyConfiguration(contextID, removeExistingContext);
-
- /*Set keys = PolicyContext.getHandlerKeys();
- if (!keys.contains(EnterpriseBeanPolicyContextHandler.EJB_CONTEXT_KEY))
- {
- EnterpriseBeanPolicyContextHandler beanHandler = new EnterpriseBeanPolicyContextHandler();
- PolicyContext.registerHandler(EnterpriseBeanPolicyContextHandler.EJB_CONTEXT_KEY,
- beanHandler, false);
- }
- */
- //Do I need this?
- /*BeanMetaDataPolicyContextHandler metadataHandler = new BeanMetaDataPolicyContextHandler();
- PolicyContext.registerHandler(BeanMetaDataPolicyContextHandler.METADATA_CONTEXT_KEY,
- metadataHandler, false);*/
- /*
- if (!keys.contains(EJBArgsPolicyContextHandler.EJB_ARGS_KEY))
- {
- EJBArgsPolicyContextHandler argsHandler = new EJBArgsPolicyContextHandler();
- PolicyContext.registerHandler(EJBArgsPolicyContextHandler.EJB_ARGS_KEY,
- argsHandler, false);
- }
- */
- return pc;
- }
-
- public static void putJaccInService(PolicyConfiguration pc, DeploymentUnit di) throws Exception
- {
- //TODO: How do we link this with the parent PC?
- DeploymentUnit parentUnit = di.getParent();
- if(parentUnit != null)
- {
- String parentContextId = parentUnit.getSimpleName();
- PolicyConfigurationFactory pcFactory = Ejb3PolicyConfigurationFactory.getPolicyConfigurationFactory();
- PolicyConfiguration parentpc = pcFactory.getPolicyConfiguration(parentContextId, false);
- if(parentpc != null)
- {
- parentpc.linkConfiguration(pc);
- pc.commit();
- log.trace("JACC Policy Configuration for deployment unit has been linked with parent");
- return;
- }
- }
- pc.commit();
- log.trace("JACC Policy Configuration for deployment unit has been put into service");
- }
-
- public static void putJaccInService(PolicyConfiguration pc, DeploymentInfo di) throws Exception
- {
- di.context.put("javax.security.jacc.PolicyConfiguration", pc);
-
- // Link this to the parent PC
- DeploymentInfo current = di;
- while (current.parent != null)
- {
- current = current.parent;
- }
-
- PolicyConfiguration parentPC = (PolicyConfiguration)
- current.context.get("javax.security.jacc.PolicyConfiguration");
-
- if (parentPC != null && parentPC != pc)
- {
- parentPC.linkConfiguration(pc);
- }
-
- pc.commit();
- log.trace("JACC Policy Configuration for deployment has been put in service");
- }
-
- public static void unregisterJacc(String contextID) throws Exception
- {
- PolicyConfigurationFactory pcFactory = Ejb3PolicyConfigurationFactory.getPolicyConfigurationFactory();
- PolicyConfiguration pc = pcFactory.getPolicyConfiguration(contextID, true);
- pc.delete();
- }
-
-
- public static void configureContainer(String jaccContextId, EJBContainer container)
- {
- try
- {
- addJaccContextToContainer(jaccContextId, container);
- PolicyConfigurationFactory pcFactory = Ejb3PolicyConfigurationFactory.getPolicyConfigurationFactory();
- PolicyConfiguration pc = pcFactory.getPolicyConfiguration(jaccContextId, false);
-
- addPermissions(container, pc);
- }
- catch (Exception e)
- {
- throw new RuntimeException(e);
- }
- }
-
- private static void addPermissions(EJBContainer container, PolicyConfiguration pc)
- {
- SecurityDomain sd = (SecurityDomain) container.resolveAnnotation(SecurityDomain.class);
-
- PermitAll beanUnchecked = (PermitAll) container.resolveAnnotation(PermitAll.class);
- RolesAllowed beanPermissions = (RolesAllowed) container.resolveAnnotation(RolesAllowed.class);
-
- DeclareRoles beanDeclareRolesPerms = (DeclareRoles)container.resolveAnnotation(DeclareRoles.class);
-
- if (beanUnchecked != null && beanPermissions != null)
- {
- throw new RuntimeException("Cannot annotate a bean with both @Unchecked and @MethodPermissions");
- }
-
- String ejbName = container.getEjbName();
-
- //Add the security role references
- if(beanDeclareRolesPerms != null)
- {
- String[] rolerefs = beanDeclareRolesPerms.value();
- int len = rolerefs != null ? rolerefs.length : 0;
- for(int i=0; i < len; i++)
- {
- try
- {
- pc.addToRole(rolerefs[i], new EJBRoleRefPermission(ejbName, rolerefs[i]));
- }
- catch (PolicyContextException e)
- {
- throw new RuntimeException(e);
- }
- }
- }
-
- //Am I iterating over the right thing here? Should I be using the stuff from
- //Advisor.methodInterceptors instead?
- for(Method m : container.getBeanClass().getMethods())
- {
- EJBMethodPermission permission = new EJBMethodPermission(ejbName, null, m);
- log.trace("Creating permission: " + permission);
-
- PermitAll unchecked = (PermitAll) container.resolveAnnotation(m, PermitAll.class);
- RolesAllowed permissions = (RolesAllowed) container.resolveAnnotation(m, RolesAllowed.class);
- DenyAll exclude = (DenyAll) container.resolveAnnotation(m, DenyAll.class);
-
- int annotationCount = getAnnotationCount(unchecked, permissions, exclude);
-
- if (annotationCount == 0 && beanPermissions == null && beanUnchecked == null)
- {
- //continue;
- //EJBTHREE-755:Add to unchecked if there are no annotations
- try
- {
- pc.addToUncheckedPolicy(permission);
- }
- catch (PolicyContextException e)
- {
- throw new RuntimeException(e);
- }
- }
- else if (annotationCount > 1)
- {
- throw new RuntimeException("You can only use one of @PermitAll, @DenyAll or @RolesAllowed per method");
- }
-
- try
- {
- //Method level annotations override the bean level annotations
- if (unchecked != null)
- {
- pc.addToUncheckedPolicy(permission);
- log.trace("Adding permission to unchecked policy");
- continue;
- }
- if (permissions != null)
- {
- addToRole(pc, permission, permissions);
- continue;
- }
- if (exclude != null)
- {
- pc.addToExcludedPolicy(permission);
- log.trace("Adding permission to excluded policy");
- continue;
- }
-
- if (beanUnchecked != null)
- {
- pc.addToUncheckedPolicy(permission);
- log.trace("Adding permission to unchecked policy");
- continue;
- }
- if (beanPermissions != null)
- {
- addToRole(pc, permission, beanPermissions);
- continue;
- }
-
- //The default is unchecked
- pc.addToUncheckedPolicy(permission);
- log.trace("Adding permission to unchecked policy");
- }
- catch (PolicyContextException e)
- {
- throw new RuntimeException(e);
- }
- }
- }
-
- private static int getAnnotationCount(PermitAll u, RolesAllowed mp, DenyAll e)
- {
- int annotations = 0;
- if (u != null) annotations++;
- if (mp != null) annotations++;
- if (e != null) annotations++;
-
- return annotations;
- }
-
- private static void addToRole(PolicyConfiguration pc, EJBMethodPermission p, RolesAllowed mp) throws PolicyContextException
- {
- String[] roles = mp.value();
- for (int i = 0; i < roles.length; i++)
- {
- pc.addToRole(roles[i], p);
- log.trace("Adding permission to role: " + roles[i]);
- }
- }
-
- private static void addJaccContextToContainer(String jaccContextId, EJBContainer container)
- {
- SimpleClassMetaDataLoader loader = SimpleClassMetaDataLoader.singleton;
- String name = container.getBeanClassName();
- SimpleClassMetaDataBinding jaccCtx =
- new SimpleClassMetaDataBinding(loader, name, JaccAuthorizationInterceptor.JACC, container.getBeanClassName());
-
- jaccCtx.addDefaultMetaData(JaccAuthorizationInterceptor.JACC,
- JaccAuthorizationInterceptor.CTX, jaccContextId);
-
- container.getAdvisor().addClassMetaData(jaccCtx);
- }
-
- public static void checkPermission(CodeSource ejbCS, EJBMethodPermission methodPerm,
- RealmMapping realmMapping)
- throws EJBAccessException
- {
- try
- {
- Policy policy = Policy.getPolicy();
- // Get the caller
- Subject caller = SecurityActions.getContextSubject();
-
- RunAsIdentity rai = SecurityActions.peekRunAsIdentity();
-
- Principal[] principals = null;
- if(rai != null)
- {
- Set runAsRoles = rai.getRunAsRoles();
- principals = new Principal[runAsRoles.size()];
- runAsRoles.toArray(principals);
- }
- else
- {
- /*if (caller != null)
- {
- // Get the caller principals
- Set principalsSet = caller.getPrincipals();
- principals = new Principal[principalsSet.size()];
- principalsSet.toArray(principals);
- }*/
- //Get the current roles from the Authorization Manager
- Principal callerP = SecurityActions.getCallerPrincipal();
- Set<Principal> principalSet = realmMapping.getUserRoles(callerP);
- if(principalSet == null)
- {
- principals = new Principal[0];
- }
- else
- {
- principals = new Principal[principalSet.size()];
- principalSet.toArray(principals);
- }
- }
-
- ProtectionDomain pd = new ProtectionDomain(ejbCS, null, null, principals);
- if (policy.implies(pd, methodPerm) == false)
- {
- String msg = "Denied: " + methodPerm + ", caller=" + caller;
- //SecurityException e = new SecurityException(msg);
- EJBAccessException e = new EJBAccessException(msg);
- throw e;
- }
- }
- catch (PolicyContextException e)
- {
- throw new RuntimeException(e);
- }
- }
-}
Deleted: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java 2008-04-11 19:56:27 UTC (rev 72050)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptor.java 2008-04-11 20:07:43 UTC (rev 72051)
@@ -1,118 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2006, Red Hat Middleware LLC, and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-package org.jboss.ejb3.security;
-
-import java.lang.reflect.Method;
-import java.util.HashSet;
-import java.util.Set;
-import javax.annotation.security.DenyAll;
-import javax.annotation.security.PermitAll;
-import javax.annotation.security.RolesAllowed;
-import javax.ejb.EJBAccessException;
-import org.jboss.aop.joinpoint.Invocation;
-import org.jboss.aop.joinpoint.MethodInvocation;
-import org.jboss.ejb3.Container;
-import org.jboss.ejb3.EJBContainer;
-import org.jboss.logging.Logger;
-import org.jboss.security.AnybodyPrincipal;
-import org.jboss.security.AuthenticationManager;
-import org.jboss.security.NobodyPrincipal;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.SimplePrincipal;
-
-/**
- * The RoleBasedAuthorizationInterceptor checks that the caller principal is
- * authorized to call a method by verifing that it contains at least one
- * of the required roled.
- *
- * @author <a href="bill at jboss.org">Bill Burke</a>
- * @version $Revision$
- */
-public final class RoleBasedAuthorizationInterceptor extends org.jboss.aspects.security.RoleBasedAuthorizationInterceptor
-{
- private static final Logger log = Logger.getLogger(RoleBasedAuthorizationInterceptor.class);
-
- private EJBContainer container;
-
- public RoleBasedAuthorizationInterceptor(AuthenticationManager manager, RealmMapping realmMapping, Container container)
- {
- super(manager, realmMapping);
- this.container = (EJBContainer)container;
- }
-
- protected Set getRoleSet(Invocation invocation)
- {
- Method method = ((MethodInvocation)invocation).getActualMethod();
-
- Class[] classes = new Class[]{DenyAll.class, PermitAll.class, RolesAllowed.class};
-
- Object annotation = container.resolveAnnotation(method, classes);
-
- int classIndex = 0;
- while (annotation == null && classIndex < 3)
- {
- annotation = container.resolveAnnotation(classes[classIndex++]);
- }
-
- HashSet set = new HashSet();
- if (annotation != null)
- {
- if (annotation instanceof DenyAll)
- {
- set.add(NobodyPrincipal.NOBODY_PRINCIPAL);
- }
- else if (annotation instanceof PermitAll)
- {
- set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
- }
- else if (annotation instanceof RolesAllowed)
- {
- RolesAllowed permissions = (RolesAllowed) annotation;
- for (int i = 0; i < permissions.value().length; i++)
- {
- set.add(new SimplePrincipal(permissions.value()[i]));
- }
- }
- else
- set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
- }
- else
- set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
-
- return set;
- }
-
- public Object invoke(Invocation invocation) throws Throwable
- {
- try
- {
- return super.invoke(invocation);
- }
- catch (SecurityException throwable)
- {
- log.debug("Authorization failure", throwable);
- throw new EJBAccessException("Authorization failure");
- } finally {
- }
- }
-
-}
Deleted: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RunAsSecurityInterceptor.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RunAsSecurityInterceptor.java 2008-04-11 19:56:27 UTC (rev 72050)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RunAsSecurityInterceptor.java 2008-04-11 20:07:43 UTC (rev 72051)
@@ -1,86 +0,0 @@
-/*
- * JBoss, Home of Professional Open Source.
- * Copyright 2006, Red Hat Middleware LLC, and individual contributors
- * as indicated by the @author tags. See the copyright.txt file in the
- * distribution for a full listing of individual contributors.
- *
- * This is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Lesser General Public License as
- * published by the Free Software Foundation; either version 2.1 of
- * the License, or (at your option) any later version.
- *
- * This software is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- * Lesser General Public License for more details.
- *
- * You should have received a copy of the GNU Lesser General Public
- * License along with this software; if not, write to the Free
- * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
- * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
- */
-package org.jboss.ejb3.security;
-
-import org.jboss.aop.joinpoint.Invocation;
-import org.jboss.aop.joinpoint.MethodInvocation;
-import org.jboss.ejb3.SecurityActions;
-import org.jboss.logging.Logger;
-import org.jboss.security.AuthenticationManager;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.RunAsIdentity;
-import org.jboss.security.SecurityAssociation;
-
-import javax.security.auth.Subject;
-
-/**
- * An interceptor that enforces the run-as identity declared by a bean.
- *
- * @author <a href="mailto:bill at jboss.org">Bill Burke</a>.
- * @version $Revision$
- */
-public class RunAsSecurityInterceptor extends org.jboss.aspects.security.RunAsSecurityInterceptor
-{
- private static final Logger log = Logger.getLogger(RunAsSecurityInterceptor.class);
- private RunAsIdentity runAsIdentity;
-
- public RunAsSecurityInterceptor(AuthenticationManager manager, RealmMapping realmMapping, RunAsIdentity id)
- {
- super(manager, realmMapping);
- this.runAsIdentity = id;
- }
-
- protected RunAsIdentity getRunAsIdentity(Invocation invocation)
- {
- MethodInvocation mi = (MethodInvocation)invocation;
- return runAsIdentity;
- }
-
- public Object invoke(Invocation invocation) throws Throwable
- {
- Subject previousSubject = null;
- try
- {
- RunAsIdentity runAsIdentity = getRunAsIdentity(invocation);
- SecurityActions.pushRunAsIdentity(runAsIdentity);
-
- runAsIdentity = SecurityActions.peekRunAsIdentity(1);
- if (runAsIdentity != null)
- {
- previousSubject = SecurityActions.getActiveSubject();
- java.util.Set newPrincipals = runAsIdentity.getPrincipalsSet();
- Subject newSubject = new Subject(false, newPrincipals, new java.util.HashSet(), new java.util.HashSet());
- SecurityAssociation.setSubject(newSubject);
- }
-
- return invocation.invokeNext();
- }
- finally
- {
- if (previousSubject != null)
- SecurityAssociation.setSubject(previousSubject);
-
- SecurityActions.popRunAsIdentity();
- }
- }
-
-}