[jboss-cvs] JBossAS SVN: r71339 - projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Thu Mar 27 01:25:55 EDT 2008
Author: anil.saldhana at jboss.com
Date: 2008-03-27 01:25:54 -0400 (Thu, 27 Mar 2008)
New Revision: 71339
Modified:
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorv2.java
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/SecurityActions.java
projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/SecurityHelper.java
Log:
EJBTHREE-1236: get the security context establishment right in the authentication interceptor
Modified: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java 2008-03-27 05:15:05 UTC (rev 71338)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/Ejb3AuthenticationInterceptorv2.java 2008-03-27 05:25:54 UTC (rev 71339)
@@ -22,7 +22,6 @@
package org.jboss.ejb3.security;
import java.lang.reflect.Method;
-import java.security.Principal;
import javax.ejb.EJBAccessException;
import javax.security.auth.Subject;
@@ -34,8 +33,8 @@
import org.jboss.ejb3.EJBContainer;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.logging.Logger;
+import org.jboss.security.RunAs;
import org.jboss.security.SecurityContext;
-import org.jboss.security.SecurityIdentity;
import org.jboss.security.SecurityUtil;
import org.jboss.security.integration.JNDIBasedSecurityManagement;
import org.jboss.security.integration.ejb.EJBAuthenticationHelper;
@@ -44,7 +43,7 @@
/**
* Authentication Interceptor
- * @author <a href="mailto:bill at jboss.org">Bill Burke</a>
+ * @author <a href="mailto:bill at jboss.org">Bill Burke</a>
* @author Anil.Saldhana at redhat.com
* @since Aug 16, 2007
* @version $Revision$
@@ -74,12 +73,11 @@
shelper.containsTimeoutAnnotation(container, method) ||
shelper.isMDB(container))
return invocation.invokeNext();
-
- SecurityIdentity si = null;
- SecurityContext sc = SecurityActions.getSecurityContext();
+
+ SecurityContext prevSC = SecurityActions.getSecurityContext();
SecurityContext invSC = (SecurityContext) invocation.getMetaData("security","context");
- SecurityDomain domain = (SecurityDomain)container.resolveAnnotation(SecurityDomain.class);
+ SecurityDomain domain = container.getAnnotation(SecurityDomain.class);
boolean domainExists = domain != null && domain.value() != null
&& domain.value().length() > 0;
@@ -89,45 +87,46 @@
* of a security domain, as per the configuration on the container
*/
if(domainExists)
- {
- Principal p = null;
- Object cred = null;
+ {
+ String domainValue = canonicalizeSecurityDomain(domain.value());
- //There is no security context at all
- if(sc == null && invSC == null)
- {
- sc = SecurityActions.createSecurityContext(domain.value());
- SecurityActions.setSecurityContext(sc);
- }
+ /* Need to establish the security context. For local calls, we pick the outgoing runas
+ * of the existing sc. For remote calls, we create a new security context with the information
+ * from the invocation sc
+ */
+ SecurityContext sc = null;
+
+ sc = SecurityActions.createSecurityContext(domainValue);
if(shelper.isLocalCall(mi))
{
- if(sc == null)
- throw new IllegalStateException("Security Context null on Local call");
- si = sc.getUtil().getSecurityIdentity();
- }
- else
- {
- if(invSC == null && sc == null)
- throw new IllegalStateException("Security Context is not available");
+ if(prevSC == null)
+ throw new IllegalStateException("Local Call: Security Context is null");
- //If there was a SecurityContext over the invocation, that takes preference
- if(invSC != null)
+ /**
+ * If the local security context is the same as what we need,
+ * duplicate the sc, except the incoming and outgoing need to be dealt with
+ */
+ if(prevSC.getSecurityDomain().equals(domainValue))
+ {
+ populateSecurityContext(sc, prevSC);
+ }
+ else
{
- sc = invSC;
- p = sc.getUtil().getUserPrincipal();
- cred = sc.getUtil().getCredential();
- String unprefixed = SecurityUtil.unprefixSecurityDomain(domain.value());
- sc = SecurityActions.createSecurityContext(p,
- cred, null, unprefixed);
-
- //Set the security context
- SecurityActions.setSecurityContext(sc);
- sc.getUtil().setSecurityIdentity(invSC.getUtil().getSecurityIdentity());
- }
+ SecurityActions.setIncomingRunAs(sc, prevSC.getOutgoingRunAs());
+ }
}
+ else
+ {
+ //Remote Invocation
+ if(invSC == null)
+ throw new IllegalStateException("Remote Call: Invocation Security Context is null");
+
+ populateSecurityContext(sc, invSC);
+ }
- sc = SecurityActions.getSecurityContext();
+ SecurityActions.setSecurityContext(sc);
+
//TODO: Need to get the SecurityManagement instance
sc.setSecurityManagement(new JNDIBasedSecurityManagement());
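Review bot: In the remote branch, `populateSecurityContext(sc, invSC)` copies both the subject info and the run-as from the context carried in the invocation metadata, which for a remote call presumably originates from the client. The copied outgoing run-as becomes the incoming run-as of the new context, and `peekRunAs()` in the authorization interceptor appears to hand that value to the authorization helper. A client-asserted run-as should therefore not be accepted unless the transport is known to validate or strip it; copying only the subject, `SecurityActions.setSubjectInfo(sc, invSC.getSubjectInfo());`, would be the conservative choice. In the local branch, `prevSC.getSecurityDomain().equals(domainValue)` compares a possibly prefixed or null domain with the canonicalized one, so canonicalizing the left side as well would avoid a spurious mismatch that drops the caller's subject. The enclosing method starts and ends outside this hunk.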
@@ -160,15 +159,23 @@
}
}
try
- {
- if(sc != null)
- SecurityActions.pushCallerRunAsIdentity(sc.getOutgoingRunAs());
+ {
return invocation.invokeNext();
}
finally
- {
- if(shelper.isLocalCall(mi) && si != null)
- SecurityActions.getSecurityContext().getUtil().setSecurityIdentity(si);
+ {
+ SecurityActions.setSecurityContext(prevSC);
}
- }
+ }
+
+ private String canonicalizeSecurityDomain(String securityDomain)
+ {
+ return SecurityUtil.unprefixSecurityDomain(securityDomain);
+ }
+
+ private void populateSecurityContext(SecurityContext to, SecurityContext from)
+ {
+ SecurityActions.setSubjectInfo(to, from.getSubjectInfo());
+ SecurityActions.setIncomingRunAs(to, from.getOutgoingRunAs());
+ }
}
\ No newline at end of file
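Review bot: The `finally` that restores `prevSC` covers only `invocation.invokeNext()`, while `SecurityActions.setSecurityContext(sc)` runs earlier in the method. The authentication code between the two is outside this hunk, but if it throws (the file imports `EJBAccessException`), the newly built context would stay associated with the thread. On a pooled thread a later invocation could then observe the context of a failed call. Opening the `try` directly after `setSecurityContext(sc)` would make the restore cover the authentication step too. `populateSecurityContext` also deserves a comment such as `// the source's outgoing run-as becomes the target's incoming run-as`, since that swap is the purpose of the helper.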
Modified: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorv2.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorv2.java 2008-03-27 05:15:05 UTC (rev 71338)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/RoleBasedAuthorizationInterceptorv2.java 2008-03-27 05:25:54 UTC (rev 71339)
@@ -45,7 +45,7 @@
import org.jboss.remoting.InvokerLocator;
import org.jboss.security.AnybodyPrincipal;
import org.jboss.security.NobodyPrincipal;
-import org.jboss.security.RunAsIdentity;
+import org.jboss.security.RunAs;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRolesAssociation;
import org.jboss.security.SimplePrincipal;
@@ -173,7 +173,7 @@
String iface = (locator != null) ? "Remote" : "Local";
- RunAsIdentity callerRunAs = SecurityActions.peekRunAsIdentity();
+ RunAs callerRunAs = SecurityActions.peekRunAs();
EJBAuthorizationHelper helper = new EJBAuthorizationHelper(sc);
boolean isAuthorized = helper.authorize(ejbName,
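Review bot: `callerRunAs` is now read from the thread-associated context via `SecurityActions.peekRunAs()`, while the helper on the next line is built from the local `sc`. If the two ever differ, the run-as used for the authorization decision comes from a different context than the one being authorized. The assignment of `sc` is outside this hunk; if it is the thread context at this point, a comment such as `// sc is the thread-associated context established by the authentication interceptor` would record that. `peekRunAs()` also throws `IllegalStateException` when no context is associated, and the behaviour of the call it replaces is not visible here.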
Modified: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/SecurityActions.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/SecurityActions.java 2008-03-27 05:15:05 UTC (rev 71338)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/SecurityActions.java 2008-03-27 05:25:54 UTC (rev 71339)
@@ -36,6 +36,7 @@
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextFactory;
+import org.jboss.security.SubjectInfo;
import org.jboss.security.plugins.SecurityContextAssociation;
@@ -246,9 +247,9 @@
static Principal getCallerPrincipal()
{
- return (Principal)AccessController.doPrivileged(new PrivilegedAction(){
+ return (Principal)AccessController.doPrivileged(new PrivilegedAction<Principal>(){
- public Object run()
+ public Principal run()
{
return SecurityAssociation.getCallerPrincipal();
}});
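Review bot: The `(Principal)` cast on the `doPrivileged` result in `getCallerPrincipal()` is redundant now that the action is typed `PrivilegedAction<Principal>`. The other converted methods in this file drop their casts, so this line can read `return AccessController.doPrivileged(new PrivilegedAction<Principal>(){`. The helpers further down that return nothing could use `PrivilegedAction<Void>` rather than `PrivilegedAction<Object>` to make the ignored result explicit.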
@@ -256,9 +257,9 @@
static SecurityContext createSecurityContext(final String domainName) throws PrivilegedActionException
{
- return (SecurityContext)AccessController.doPrivileged(new PrivilegedExceptionAction(){
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<SecurityContext>(){
- public Object run() throws Exception
+ public SecurityContext run() throws Exception
{
return SecurityContextFactory.createSecurityContext(domainName);
}
@@ -268,9 +269,9 @@
static SecurityContext createSecurityContext(final Principal p, final Object cred,
final Subject s, final String domainName) throws PrivilegedActionException
{
- return (SecurityContext)AccessController.doPrivileged(new PrivilegedExceptionAction()
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<SecurityContext>()
{
- public Object run() throws Exception
+ public SecurityContext run() throws Exception
{
return SecurityContextFactory.createSecurityContext(p, cred,s,domainName);
}});
@@ -279,9 +280,9 @@
static SecurityContext getSecurityContext()
{
- return (SecurityContext)AccessController.doPrivileged(new PrivilegedAction(){
+ return AccessController.doPrivileged(new PrivilegedAction<SecurityContext>(){
- public Object run()
+ public SecurityContext run()
{
return SecurityContextAssociation.getSecurityContext();
}});
@@ -289,7 +290,7 @@
static void setSecurityContext(final SecurityContext sc)
{
- AccessController.doPrivileged(new PrivilegedAction(){
+ AccessController.doPrivileged(new PrivilegedAction<Object>(){
public Object run()
{
@@ -300,7 +301,7 @@
static void pushSubjectContext(final Principal p, final Object cred, final Subject s)
{
- AccessController.doPrivileged(new PrivilegedAction(){
+ AccessController.doPrivileged(new PrivilegedAction<Object>(){
public Object run()
{
@@ -313,9 +314,23 @@
);
}
+ static RunAs peekRunAs()
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<RunAs>()
+ {
+ public RunAs run()
+ {
+ SecurityContext sc = SecurityContextAssociation.getSecurityContext();
+ if(sc == null)
+ throw new IllegalStateException("Security Context is null");
+ return sc.getIncomingRunAs();
+ }
+ });
+
+ }
static void pushCallerRunAsIdentity(final RunAs ra)
{
- AccessController.doPrivileged(new PrivilegedAction(){
+ AccessController.doPrivileged(new PrivilegedAction<Object>(){
public Object run()
{
SecurityContext sc = SecurityContextAssociation.getSecurityContext();
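Review bot: `peekRunAs()` has no Javadoc, and its name suggests a stack peek while the body returns `sc.getIncomingRunAs()` of the thread-associated context. A comment such as `/** Returns the incoming RunAs of the current security context; throws IllegalStateException if none is associated with the thread. */` would make the contract clear to the authorization interceptor that calls it. The blank line before the method's closing brace can be removed.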
@@ -328,9 +343,9 @@
}
- public static void popCallerRunAsIdentity()
+ static void popCallerRunAsIdentity()
{
- AccessController.doPrivileged(new PrivilegedAction(){
+ AccessController.doPrivileged(new PrivilegedAction<Object>(){
public Object run()
{
SecurityContext sc = SecurityContextAssociation.getSecurityContext();
@@ -341,4 +356,40 @@
}
});
}
+
+ static void setIncomingRunAs(final SecurityContext sc, final RunAs incoming)
+ {
+ AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ sc.setIncomingRunAs(incoming);
+ return null;
+ }
+ });
+ }
+
+ static void setOutgoingRunAs(final SecurityContext sc, final RunAs outgoing)
+ {
+ AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ sc.setOutgoingRunAs(outgoing);
+ return null;
+ }
+ });
+ }
+
+ static void setSubjectInfo(final SecurityContext sc, final SubjectInfo info)
+ {
+ AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ sc.setSubjectInfo(info);
+ return null;
+ }
+ });
+ }
}
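Review bot: The three new setters dereference `sc` inside the privileged action without a check, so a null context surfaces as a bare `NullPointerException` from within `doPrivileged`. `peekRunAs()` in this file rejects that case explicitly, and the same guard placed before the `doPrivileged` call, `if(sc == null) throw new IllegalStateException("Security Context is null");`, would keep the helpers consistent. These methods change the identity on whatever context they are handed, under this class's privileges, so a short comment that they must remain package-private is worth adding. `setOutgoingRunAs` is not called in any hunk of this commit; confirm that it is needed.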
Modified: projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/SecurityHelper.java
===================================================================
--- projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/SecurityHelper.java 2008-03-27 05:15:05 UTC (rev 71338)
+++ projects/ejb3/trunk/core/src/main/java/org/jboss/ejb3/security/SecurityHelper.java 2008-03-27 05:25:54 UTC (rev 71339)
@@ -32,6 +32,8 @@
import org.jboss.ejb3.EJBContainer;
import org.jboss.ejb3.mdb.MessagingContainer;
import org.jboss.ejb3.remoting.IsLocalInterceptor;
+import org.jboss.remoting.InvokerLocator;
+import org.jboss.aspects.remoting.InvokeRemoteInterceptor;
//$Id$
@@ -50,7 +52,9 @@
*/
public boolean isLocalCall(MethodInvocation mi)
{
- return mi.getMetaData(IsLocalInterceptor.IS_LOCAL,IsLocalInterceptor.IS_LOCAL) != null;
+ InvokerLocator locator = (InvokerLocator) mi.getMetaData(InvokeRemoteInterceptor.REMOTING, InvokeRemoteInterceptor.INVOKER_LOCATOR);
+ return locator == null ||
+ mi.getMetaData(IsLocalInterceptor.IS_LOCAL,IsLocalInterceptor.IS_LOCAL) != null;
}
/**
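Review bot: `isLocalCall` now treats an invocation as local whenever the `INVOKER_LOCATOR` metadata is absent, so the local path, which relies on the context already on the thread, is chosen by the lack of a marker rather than by a positive one. If any remote transport or dispatcher reaches the interceptor without setting that metadata, its calls would be classified as local. The method's Javadoc should state the assumption, for example `Calls without remoting invoker-locator metadata are treated as local`. The `(InvokerLocator)` cast is not needed for a null test and could fail with a `ClassCastException`; comparing the `getMetaData` result with `null` directly is enough.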