[jboss-cvs] JBossAS SVN: r80851 - in trunk/server/src/main/org/jboss/ejb: plugins and 1 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Wed Nov 12 12:04:24 EST 2008
Author: anil.saldhana at jboss.com
Date: 2008-11-12 12:04:24 -0500 (Wed, 12 Nov 2008)
New Revision: 80851
Modified:
trunk/server/src/main/org/jboss/ejb/EnterpriseContext.java
trunk/server/src/main/org/jboss/ejb/EntityContainer.java
trunk/server/src/main/org/jboss/ejb/SecurityActions.java
trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java
trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java
trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java
Log:
JBAS-5988: privileged blocks
Modified: trunk/server/src/main/org/jboss/ejb/EnterpriseContext.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/EnterpriseContext.java 2008-11-12 15:27:48 UTC (rev 80850)
+++ trunk/server/src/main/org/jboss/ejb/EnterpriseContext.java 2008-11-12 17:04:24 UTC (rev 80851)
@@ -23,7 +23,7 @@
import java.rmi.RemoteException;
import java.security.Identity;
-import java.security.Principal;
+import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Properties;
@@ -52,13 +52,13 @@
import org.jboss.logging.Logger;
import org.jboss.metadata.ApplicationMetaData;
-import org.jboss.metadata.BeanMetaData;
+import org.jboss.metadata.BeanMetaData;
import org.jboss.metadata.SecurityRoleRefMetaData;
-import org.jboss.security.RealmMapping;
-import org.jboss.security.SecurityContext;
+import org.jboss.security.RealmMapping;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SimplePrincipal;
import org.jboss.security.javaee.SecurityHelperFactory;
import org.jboss.security.javaee.SecurityRoleRef;
-import org.jboss.security.SimplePrincipal;
import org.jboss.tm.TransactionTimeoutConfiguration;
import org.jboss.tm.usertx.client.ServerVMClientUserTransaction;
@@ -539,7 +539,7 @@
try
{
- return SecurityHelperFactory.getEJBAuthorizationHelper(sc).isCallerInRole(roleName,
+ return SecurityActions.isCallerInRole(sc, roleName,
ejbName, principal, contextSubject,
container.getJaccContextID(), securityRoleRefs);
}
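Review bot: The call inside this `try` now goes through `SecurityActions.isCallerInRole`, which this commit declares `throws PrivilegedActionException`, so a checked exception raised by the authorization helper arrives here wrapped instead of as its original type. The matching `catch` lies outside the hunk, so it cannot be confirmed from here that it still reports the real cause. If it logs or rethrows, unwrap first, e.g. `catch (PrivilegedActionException e) { Exception cause = e.getException(); ... }`. Whatever the handler does, a failure in this path should end in an exception or a `false` result, never in a role check that passes by default.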
Modified: trunk/server/src/main/org/jboss/ejb/EntityContainer.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/EntityContainer.java 2008-11-12 15:27:48 UTC (rev 80850)
+++ trunk/server/src/main/org/jboss/ejb/EntityContainer.java 2008-11-12 17:04:24 UTC (rev 80851)
@@ -23,6 +23,8 @@
import java.lang.reflect.Method;
import java.rmi.RemoteException;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashMap;
@@ -546,9 +548,16 @@
EntityEnterpriseContext ctx = (EntityEnterpriseContext)mi.getEnterpriseContext();
getPersistenceManager().removeEntity(ctx);
- Object pk = ctx.getId();
- removeTimerService(pk);
-
+ final Object pk = ctx.getId();
+ AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ removeTimerService(pk);
+ return null;
+ }
+ });
+
// We signify "removed" with a null id
// There is no need to synchronize on the context since all the threads reaching here have
// gone through the InstanceInterceptor so the instance is locked and we only have one thread
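Review bot: The privileged block around `removeTimerService(pk)` has no comment saying why it is needed, and it is the only one in this commit written inline rather than in the package's `SecurityActions` class. Everything `removeTimerService` does now runs with the container's own permissions whatever the caller's are, so the reason should be recorded at the call, for example `// JBAS-5988: timer removal is container housekeeping; run it with container permissions, not the calling bean's` (the reason is inferred from the commit log, so adjust the wording to the actual permission involved). Moving the anonymous class into `SecurityActions` would also keep each package's `doPrivileged` use in one auditable place. The enclosing method starts and ends outside the hunk.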
Modified: trunk/server/src/main/org/jboss/ejb/SecurityActions.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/SecurityActions.java 2008-11-12 15:27:48 UTC (rev 80850)
+++ trunk/server/src/main/org/jboss/ejb/SecurityActions.java 2008-11-12 17:04:24 UTC (rev 80851)
@@ -30,6 +30,7 @@
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
+import java.util.Set;
import javax.management.MBeanServer;
import javax.management.ObjectName;
@@ -40,6 +41,9 @@
import org.jboss.mx.util.MBeanProxy;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
+import org.jboss.security.javaee.AbstractEJBAuthorizationHelper;
+import org.jboss.security.javaee.SecurityHelperFactory;
+import org.jboss.security.javaee.SecurityRoleRef;
/** A collection of privileged actions for this package
*
@@ -416,4 +420,21 @@
}
});
}
+
+ static boolean isCallerInRole(final SecurityContext sc, final String roleName,
+ final String ejbName, final Principal principal, final Subject contextSubject,
+ final String jaccContextID, final Set<SecurityRoleRef> securityRoleRefs)
+ throws PrivilegedActionException
+ {
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<Boolean>()
+ {
+ public Boolean run() throws Exception
+ {
+ AbstractEJBAuthorizationHelper helper = SecurityHelperFactory.getEJBAuthorizationHelper(sc);
+ return helper.isCallerInRole(roleName,
+ ejbName, principal, contextSubject,
+ jaccContextID, securityRoleRefs);
+ }
+ });
+ }
}
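Review bot: `isCallerInRole` has no Javadoc, and neither do the other wrappers this commit adds in plugins/SecurityActions.java and plugins/security/SecurityActions.java. Each one runs an operation on caller-supplied objects (`SecurityContext`, helper, `Subject`) with the container's permissions, so they are safe only while they stay package-private and are called from trusted container code. A short Javadoc on each method should state which call is made under privilege, that the arguments are not validated, and that the method must remain package-private. For this method it should also say that helper failures surface as `PrivilegedActionException`.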
Modified: trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java 2008-11-12 15:27:48 UTC (rev 80850)
+++ trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java 2008-11-12 17:04:24 UTC (rev 80851)
@@ -21,21 +21,27 @@
*/
package org.jboss.ejb.plugins;
+import java.lang.reflect.Method;
+import java.lang.reflect.UndeclaredThrowableException;
+import java.security.AccessController;
+import java.security.CodeSource;
+import java.security.Principal;
import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
-import java.security.Principal;
-import java.security.AccessController;
-import java.security.PrivilegedActionException;
-import java.lang.reflect.UndeclaredThrowableException;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;
-import org.jboss.security.RunAs;
-import org.jboss.security.SecurityContext;
+import org.jboss.security.ISecurityManagement;
+import org.jboss.security.RunAs;
+import org.jboss.security.SecurityContext;
+import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
-import org.jboss.security.SecurityContextAssociation;
+import org.jboss.security.identity.RoleGroup;
+import org.jboss.security.javaee.AbstractEJBAuthorizationHelper;
+import org.jboss.security.javaee.EJBAuthenticationHelper;
/** A collection of privileged actions for this package
@@ -414,6 +420,16 @@
}});
}
+ static RoleGroup getRolesFromSecurityContext(final SecurityContext sc)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<RoleGroup>(){
+ public RoleGroup run()
+ {
+ return sc.getUtil().getRoles();
+ }
+ });
+ }
+
static SecurityContext getSecurityContext()
{
return (SecurityContext)AccessController.doPrivileged(new PrivilegedAction(){
@@ -424,6 +440,27 @@
});
}
+ static ISecurityManagement getSecurityManagement(final SecurityContext sc)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<ISecurityManagement>(){
+ public ISecurityManagement run()
+ {
+ return sc.getSecurityManagement();
+ }
+ });
+ }
+
+ static void setSecurityManagement(final SecurityContext sc, final ISecurityManagement sm)
+ {
+ AccessController.doPrivileged(new PrivilegedAction<Object>(){
+ public Object run()
+ {
+ sc.setSecurityManagement(sm);
+ return null;
+ }
+ });
+ }
+
static Exception getContextException()
{
return (Exception)AccessController.doPrivileged(new PrivilegedAction()
@@ -497,6 +534,33 @@
});
}
+ static boolean isValid(final EJBAuthenticationHelper helper, final Subject subject, final String methodName)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<Boolean>()
+ {
+ public Boolean run()
+ {
+ return helper.isValid(subject, methodName);
+ }} );
+ }
+
+ static boolean authorize(final AbstractEJBAuthorizationHelper helper, final String ejbName,
+ final Method ejbMethod, final Principal principal, final String interfaceString,
+ final CodeSource ejbCS, final Subject caller, final RunAs callerRunAsIdentity,
+ final String jaccContextID, final RoleGroup roleGroupOfMethodRoles
+ )
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<Boolean>()
+ {
+ public Boolean run()
+ {
+ return helper.authorize(ejbName, ejbMethod, principal, interfaceString,
+ ejbCS, caller, callerRunAsIdentity, jaccContextID,
+ roleGroupOfMethodRoles);
+ }
+ } );
+ }
+
static String trace(final SecurityContext sc)
{
return AccessController.doPrivileged(new PrivilegedAction<String>()
Modified: trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2008-11-12 15:27:48 UTC (rev 80850)
+++ trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2008-11-12 17:04:24 UTC (rev 80851)
@@ -311,7 +311,7 @@
{
// Check the security info from the method invocation
Subject subject = new Subject();
- if (helper.isValid(subject, m.getName()) == false)
+ if (SecurityActions.isValid(helper, subject, m.getName()) == false)
{
// Notify authentication observer
if (authenticationObserver != null)
@@ -352,18 +352,18 @@
Set<Principal> methodRoles = container.getMethodPermissions(ejbMethod, mi.getType());
SecurityContext currentSC = SecurityActions.getSecurityContext();
- if (currentSC.getSecurityManagement() == null)
- currentSC.setSecurityManagement(securityManagement);
+ if (SecurityActions.getSecurityManagement(currentSC) == null)
+ SecurityActions.setSecurityManagement(currentSC, securityManagement);
AbstractEJBAuthorizationHelper authorizationHelper = SecurityHelperFactory.getEJBAuthorizationHelper(sc);
authorizationHelper.setPolicyRegistration(container.getPolicyRegistration());
- isAuthorized = authorizationHelper.authorize(ejbName, ejbMethod, mi.getPrincipal(), mi.getType()
- .toInterfaceString(), ejbCS, caller, callerRunAsIdentity, container.getJaccContextID(),
+ isAuthorized = SecurityActions.authorize(authorizationHelper, ejbName, ejbMethod, mi.getPrincipal(),
+ mi.getType().toInterfaceString(), ejbCS, caller, callerRunAsIdentity, container.getJaccContextID(),
new SimpleRoleGroup(methodRoles));
String msg = "Denied: caller with subject=" + caller + " and security context post-mapping roles="
- + currentSC.getUtil().getRoles() + ": ejbMethod=" + ejbMethod;
+ + SecurityActions.getRolesFromSecurityContext(currentSC) + ": ejbMethod=" + ejbMethod;
if (!isAuthorized)
throw new SecurityException(msg);
}
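Review bot: The denial message `msg` is built before the `if (!isAuthorized)` test, so after this change every successful invocation also pays for the `doPrivileged` call inside `SecurityActions.getRolesFromSecurityContext(currentSC)` and the string concatenation, only to discard the result. Build it in the failure branch instead: `if (!isAuthorized) throw new SecurityException("Denied: caller with subject=" + caller + ...);`. The message also carries the caller's subject and mapped roles; whether a `SecurityException` text can reach a remote client is not visible in this hunk, so it is worth confirming that this detail stays in server-side logs. The enclosing method starts and ends outside the hunk.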
Modified: trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java 2008-11-12 15:27:48 UTC (rev 80850)
+++ trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java 2008-11-12 17:04:24 UTC (rev 80851)
@@ -87,8 +87,7 @@
boolean isInvoke = false;
return this.process(mi, isInvoke);
}
-
- @SuppressWarnings("deprecation")
+
private Object process(Invocation mi, boolean isInvoke) throws Exception
{
//No Security in the absence of SecurityDomain
@@ -111,9 +110,9 @@
//Cache the security context
SecurityContext sc = SecurityActions.getSecurityContext();
if(sc != null)
- si = sc.getUtil().getSecurityIdentity();
+ si = SecurityActions.getSecurityIdentity(sc);
- sc.setSecurityManagement(container.getSecurityManagement());
+ SecurityActions.setSecurityManagement(sc, container.getSecurityManagement());
log.trace("SecurityIdentity="+SecurityActions.trace(si));
//Set the security context on the invocation
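Review bot: `SecurityActions.setSecurityManagement(sc, container.getSecurityManagement())` is called without the `sc != null` guard that protects the line above it, and the wrapper added in plugins/security/SecurityActions.java dereferences `sc` inside the privileged action, so a missing security context would end in a `NullPointerException`. The old code had the same gap, but since the line is being rewritten the guard could cover both calls: `if (sc != null) { si = SecurityActions.getSecurityIdentity(sc); SecurityActions.setSecurityManagement(sc, container.getSecurityManagement()); }`. Whether `getSecurityContext()` can return null at this point is not shown here, though the existing check suggests it can. `process` continues outside the hunk.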
@@ -140,7 +139,7 @@
{
SecurityActions.popCallerRunAsIdentity();
if(mi.isLocal() && si != null)
- SecurityActions.getSecurityContext().getUtil().setSecurityIdentity(si);
+ SecurityActions.setSecurityIdentity(SecurityActions.getSecurityContext(), si);
log.trace("Exit process():isInvoke="+isInvoke);
}
}
@@ -157,8 +156,7 @@
if(sc != null)
{
//Get the run-as, principal, cred etc from the invocation and set it on the context
- SecurityActions.setSecurityIdentity(newSC,
- sc.getUtil().getSecurityIdentity());
+ SecurityActions.setSecurityIdentity(newSC, SecurityActions.getSecurityIdentity(sc));
}
else
{
@@ -166,7 +164,7 @@
mi.setSecurityContext(newSC);
}
//Set the SecurityManagement on the context
- newSC.setSecurityManagement(container.getSecurityManagement());
+ SecurityActions.setSecurityManagement(newSC, container.getSecurityManagement());
log.trace("establishSecurityIdentity:SecCtx="+SecurityActions.trace(newSC));
}
}
Modified: trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java 2008-11-12 15:27:48 UTC (rev 80850)
+++ trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java 2008-11-12 17:04:24 UTC (rev 80851)
@@ -26,6 +26,7 @@
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
+import org.jboss.security.ISecurityManagement;
import org.jboss.security.RunAs;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityIdentity;
@@ -119,6 +120,29 @@
);
}
+ static SecurityIdentity getSecurityIdentity(final SecurityContext sc)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<SecurityIdentity>()
+ {
+ public SecurityIdentity run()
+ {
+ return sc.getUtil().getSecurityIdentity();
+ }
+ });
+ }
+
+ static void setSecurityManagement(final SecurityContext sc, final ISecurityManagement sm)
+ {
+ AccessController.doPrivileged(new PrivilegedAction<Object>()
+ {
+ public Object run()
+ {
+ sc.setSecurityManagement(sm);
+ return null;
+ }}
+ );
+ }
+
static String trace(final SecurityContext sc)
{
return AccessController.doPrivileged(new PrivilegedAction<String>()