[jboss-cvs] JBossAS SVN: r79981 - in projects/security/security-jboss-sx/trunk: jbosssx/src/main/java/org/jboss/security and 3 other directories.
Thu Oct 23 11:55:18 EDT 2008
Author: anil.saldhana at jboss.com
Date: 2008-10-23 11:55:18 -0400 (Thu, 23 Oct 2008)
New Revision: 79981
Modified:
projects/security/security-jboss-sx/trunk/.classpath
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/SecurityRoleRef.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBJACCPolicyModuleDelegate.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java
projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLPolicyModuleDelegate.java
projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/ejb/EJBPolicyModuleDelegateUnitTestCase.java
projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java
Log:
SECURITY-50: ejb xacml roleref checks
Modified: projects/security/security-jboss-sx/trunk/.classpath
===================================================================
--- projects/security/security-jboss-sx/trunk/.classpath 2008-10-23 15:53:10 UTC (rev 79980)
+++ projects/security/security-jboss-sx/trunk/.classpath 2008-10-23 15:55:18 UTC (rev 79981)
@@ -40,5 +40,8 @@
<classpathentry kind="var" path="M2_REPO/org/jboss/jboss-reflect/2.0.0.Beta12/jboss-reflect-2.0.0.Beta12.jar"/>
<classpathentry kind="var" path="M2_REPO/org/jboss/man/jboss-managed/2.0.0.Beta12/jboss-managed-2.0.0.Beta12.jar"/>
<classpathentry kind="var" path="M2_REPO/sun-opends/OpenDS/1.0.0/OpenDS-1.0.0.jar"/>
+ <classpathentry kind="var" path="M2_REPO/javax/xml/bind/jaxb-api/2.1/jaxb-api-2.1.jar"/>
+ <classpathentry kind="var" path="M2_REPO/sun-jaxb/jaxb-impl/2.1.4/jaxb-impl-2.1.4.jar"/>
+ <classpathentry kind="var" path="M2_REPO/javax/activation/activation/1.1/activation-1.1.jar"/>
<classpathentry kind="output" path="target/eclipse-classes"/>
</classpath>
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/SecurityRoleRef.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/SecurityRoleRef.java 2008-10-23 15:53:10 UTC (rev 79980)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/SecurityRoleRef.java 2008-10-23 15:55:18 UTC (rev 79981)
@@ -30,5 +30,19 @@
* @version $Revision$
*/
public class SecurityRoleRef extends org.jboss.security.javaee.SecurityRoleRef
-{
+{
+ public SecurityRoleRef()
+ {
+ super();
+ }
+
+ public SecurityRoleRef(String name, String link, String description)
+ {
+ super(name, link, description);
+ }
+
+ public SecurityRoleRef(String name, String link)
+ {
+ super(name, link);
+ }
}
\ No newline at end of file
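Review bot: The three constructors at L41–L54 carry no Javadoc, and the class has the same simple name as its superclass `org.jboss.security.javaee.SecurityRoleRef`, so a reader of `Set<SecurityRoleRef>` in the delegates cannot tell from the type alone which class is meant. Add a class-level comment such as `/** Convenience subclass of {@link org.jboss.security.javaee.SecurityRoleRef}; every constructor simply delegates to the superclass. */` and a one-line Javadoc on each constructor naming its parameters. From the way the tests use it, `name` looks like the role name the bean code passes to isCallerInRole and `link` the declared security role it maps to; whether the superclass rejects a null `name` or `link` is not visible here, so document that as a precondition to confirm rather than as fact.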
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBJACCPolicyModuleDelegate.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBJACCPolicyModuleDelegate.java 2008-10-23 15:53:10 UTC (rev 79980)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBJACCPolicyModuleDelegate.java 2008-10-23 15:55:18 UTC (rev 79981)
@@ -91,6 +91,7 @@
this.ejbName = ejbResource.getEjbName();
this.methodInterface = ejbResource.getEjbMethodInterface();
+ //isCallerInRole checks
this.roleName = (String)map.get(ResourceKeys.ROLENAME);
this.roleRefCheck = (Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK);
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java 2008-10-23 15:53:10 UTC (rev 79980)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBPolicyModuleDelegate.java 2008-10-23 15:55:18 UTC (rev 79981)
@@ -57,15 +57,15 @@
*/
public class EJBPolicyModuleDelegate extends AuthorizationModuleDelegate
{
- private String ejbName = null;
- private Method ejbMethod = null;
- private Principal ejbPrincipal = null;
+ protected String ejbName = null;
+ protected Method ejbMethod = null;
+ protected Principal ejbPrincipal = null;
private RoleGroup methodRoles = null;
private String methodInterface = null;
- private RunAs callerRunAs = null;
- private String roleName = null;
+ protected RunAs callerRunAs = null;
+ protected String roleName = null;
private Boolean roleRefCheck = Boolean.FALSE;
- private Set<SecurityRoleRef> securityRoleReferences = null;
+ protected Set<SecurityRoleRef> securityRoleReferences = null;
private final Role ANYBODY_ROLE = new SimpleRole(AnybodyPrincipal.ANYBODY);
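Review bot: Widening `ejbName`, `ejbMethod`, `ejbPrincipal`, `callerRunAs`, `roleName` and `securityRoleReferences` from private to protected hands mutable authorization state to every subclass, while `methodRoles`, `methodInterface` and `roleRefCheck` stay private, which leaves the class with a mixed and undocumented extension contract. Keeping the fields private and exposing what `EJBXACMLPolicyModuleDelegate` needs through protected setters would be safer; at minimum add a comment above the block such as `// Per-request state; a subclass that calls checkRoleRef must populate roleName, securityRoleReferences and callerRunAs first.` These fields are per-call state stored on the delegate instance, so if a delegate is ever reused across concurrent `authorize` calls (not visible here) the protected fields make that sharing harder to spot. The class body continues past the hunk.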
@@ -195,7 +195,7 @@
return allowed ? AuthorizationContext.PERMIT : AuthorizationContext.DENY;
}
- private int checkRoleRef(RoleGroup principalRole)
+ protected int checkRoleRef(RoleGroup principalRole)
{
//AuthorizationManager am = (AuthorizationManager)policyRegistration;
//Check the caller of this beans run-as identity
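Review bot: `checkRoleRef` becomes part of the class's protected API at L95 without any Javadoc, and its body, which runs past the hunk, depends on fields a subclass must have set beforehand. Add a Javadoc such as `/** Role-ref (isCallerInRole) decision for the caller's roles; requires roleName, securityRoleReferences and callerRunAs to be populated. @param principalRole the caller's roles @return AuthorizationContext.PERMIT or DENY */` — adjust the precondition list to what the body actually reads. The retained commented-out line `//AuthorizationManager am = (AuthorizationManager)policyRegistration;` should be deleted rather than kept in a method subclasses now see.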
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLPolicyModuleDelegate.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLPolicyModuleDelegate.java 2008-10-23 15:53:10 UTC (rev 79980)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/main/java/org/jboss/security/authorization/modules/ejb/EJBXACMLPolicyModuleDelegate.java 2008-10-23 15:55:18 UTC (rev 79981)
@@ -21,8 +21,6 @@
*/
package org.jboss.security.authorization.modules.ejb;
-import java.lang.reflect.Method;
-import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
@@ -50,12 +48,9 @@
* @since Jul 6, 2006
* @version $Revision$
*/
-public class EJBXACMLPolicyModuleDelegate extends AuthorizationModuleDelegate
+public class EJBXACMLPolicyModuleDelegate extends EJBPolicyModuleDelegate
{
- private String ejbName = null;
- private Method ejbMethod = null;
- private Principal principal = null;
- private String policyContextID = null;
+ private String policyContextID;
public EJBXACMLPolicyModuleDelegate()
{
@@ -81,24 +76,30 @@
this.policyRegistration = (PolicyRegistration) map.get(ResourceKeys.POLICY_REGISTRATION);
if(this.policyRegistration == null)
throw new IllegalStateException("Policy Registration passed is null");
-
+
+ this.callerRunAs = ejbResource.getCallerRunAsIdentity();
this.ejbName = ejbResource.getEjbName();
this.ejbMethod = ejbResource.getEjbMethod();
- this.principal = ejbResource.getPrincipal();
+ this.ejbPrincipal = ejbResource.getPrincipal();
this.policyContextID = ejbResource.getPolicyContextID();
if(policyContextID == null)
- throw new IllegalStateException("Context ID is null");
+ throw new IllegalStateException("Context ID is null");
+ this.securityRoleReferences = ejbResource.getSecurityRoleReferences();
+
+ //isCallerInRole checks
+ this.roleName = (String)map.get(ResourceKeys.ROLENAME);
+
Boolean roleRefCheck = checkBooleanValue((Boolean)map.get(ResourceKeys.ROLEREF_PERM_CHECK));
if(roleRefCheck)
- throw new IllegalStateException("SECURITY-50:Role Ref checks not implemented");
+ return checkRoleRef(role); //Base class handles this
return process(role);
}
//Private Methods
/**
- * Process the web request
+ * Process the ejb request
* @param request
* @param sc
* @return
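Review bot: When `ROLEREF_PERM_CHECK` is set, L142 and L147 read `roleName` from the map and hand off to `checkRoleRef` without checking that `roleName` or the `securityRoleReferences` assigned at L139 are non-null, while `policyContextID` gets an explicit `IllegalStateException` a few lines earlier. Whether the base class's `checkRoleRef` tolerates a null role name or null reference set is not visible here; an authorization decision should fail closed with the same explicit error rather than rely on that, e.g. `if(roleRefCheck && this.roleName == null) throw new IllegalStateException("Role name is null for role ref check");`. The role-ref path also returns before any XACML evaluation, so the PDP registered under `policyContextID` is never consulted for isCallerInRole — that is the commit's design, but it deserves a sentence in the `authorize` Javadoc. The Javadoc at L151–L156 still lists `@param request` and `@param sc` although `process` is called with a single `role` argument at L148; fix the tags to match the signature. `authorize` begins outside the hunk.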
@@ -110,7 +111,7 @@
try
{
RequestContext requestCtx = util.createXACMLRequest(this.ejbName,
- this.ejbMethod.getName(),this.principal, callerRoles);
+ this.ejbMethod.getName(),this.ejbPrincipal, callerRoles);
PolicyDecisionPoint pdp = util.getPDP(policyRegistration, this.policyContextID);
if(pdp == null)
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/ejb/EJBPolicyModuleDelegateUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/ejb/EJBPolicyModuleDelegateUnitTestCase.java 2008-10-23 15:53:10 UTC (rev 79980)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/ejb/EJBPolicyModuleDelegateUnitTestCase.java 2008-10-23 15:55:18 UTC (rev 79981)
@@ -22,8 +22,10 @@
package org.jboss.test.authorization.ejb;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import javax.security.auth.Subject;
@@ -33,15 +35,16 @@
import org.jboss.security.SecurityConstants;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.authorization.AuthorizationContext;
+import org.jboss.security.authorization.ResourceKeys;
import org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate;
import org.jboss.security.authorization.resources.EJBResource;
import org.jboss.security.identity.Role;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRole;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
+import org.jboss.security.javaee.SecurityRoleRef;
+
-//$Id$
-
/**
* Unit Test for the EJB Policy Module Delegate
* @author Anil.Saldhana at redhat.com
@@ -131,6 +134,59 @@
assertEquals(AuthorizationContext.DENY, res);;
}
+ public void testIsCallerInRoleValid()
+ {
+ EJBPolicyModuleDelegate epmd = new EJBPolicyModuleDelegate();
+
+ //Create a context map
+ Map<String,Object> cmap = new HashMap<String,Object>();
+
+ cmap.put(ResourceKeys.ROLEREF_PERM_CHECK, true);
+ cmap.put(ResourceKeys.ROLENAME, "employee");
+
+ EJBResource resource = new EJBResource(cmap);
+ resource.setPrincipal(new SimplePrincipal("AuthenticatedPrincipal"));
+ resource.setEjbMethod(DummyClass.class.getDeclaredMethods()[0]);
+ resource.setEjbName(DummyClass.class.getCanonicalName());
+ resource.setEjbMethodRoles( getRoleGroup(new String[] {"gooduser"}) );
+
+ Set<SecurityRoleRef> roleRefSet = new HashSet<SecurityRoleRef>();
+ roleRefSet.add(new SecurityRoleRef("employee", "gooduser"));
+ resource.setSecurityRoleReferences(roleRefSet);
+
+ int result = epmd.authorize(resource,
+ new Subject(),
+ getRoleGroup(new String[]{"gooduser", "validuser" }));
+
+ assertEquals(AuthorizationContext.PERMIT, result);;
+ }
+
+ public void testIsCallerInRoleInvalid()
+ {
+ EJBPolicyModuleDelegate epmd = new EJBPolicyModuleDelegate();
+
+ //Create a context map
+ Map<String,Object> cmap = new HashMap<String,Object>();
+
+ cmap.put(ResourceKeys.ROLEREF_PERM_CHECK, true);
+ cmap.put(ResourceKeys.ROLENAME, "employee");
+
+ EJBResource resource = new EJBResource(cmap);
+ resource.setPrincipal(new SimplePrincipal("AuthenticatedPrincipal"));
+ resource.setEjbMethod(DummyClass.class.getDeclaredMethods()[0]);
+ resource.setEjbName(DummyClass.class.getCanonicalName());
+ resource.setEjbMethodRoles( getRoleGroup(new String[] {"gooduser"}) );
+
+ Set<SecurityRoleRef> roleRefSet = new HashSet<SecurityRoleRef>();
+ roleRefSet.add(new SecurityRoleRef("employee", "baduser")); //Bad user
+ resource.setSecurityRoleReferences(roleRefSet);
+
+ int result = epmd.authorize(resource,
+ new Subject(),
+ getRoleGroup(new String[]{"gooduser", "validuser" }));
+
+ assertEquals(AuthorizationContext.DENY, result);;
+ }
/**
* Create a RoleGroup given a set of roles
* @param roles
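Review bot: `testIsCallerInRoleValid` and `testIsCallerInRoleInvalid` (L198–L250) duplicate twenty lines of setup and differ only in the role link, so the intent of each test is buried; a small helper taking the link makes the two cases one-liners and is the place to add the case neither test covers — `ROLEREF_PERM_CHECK` set with no `ROLENAME`, or an empty role-ref set, which should DENY. The same duplication appears in `EJBXACMLUnitTestCase` at L290–L330. Both new assertions end in `;;` (L222, L249), and `DummyClass.class.getDeclaredMethods()[0]` picks an unspecified method if `DummyClass` (not visible here) declares more than one.
```java
private int authorizeWithRoleRef(String roleLink)
{
   EJBPolicyModuleDelegate epmd = new EJBPolicyModuleDelegate();
   Map<String,Object> cmap = new HashMap<String,Object>();
   cmap.put(ResourceKeys.ROLEREF_PERM_CHECK, true);
   cmap.put(ResourceKeys.ROLENAME, "employee");

   EJBResource resource = new EJBResource(cmap);
   // … unchanged: principal, ejb method, ejb name and method-role setup from the two tests …
   Set<SecurityRoleRef> roleRefSet = new HashSet<SecurityRoleRef>();
   roleRefSet.add(new SecurityRoleRef("employee", roleLink));
   resource.setSecurityRoleReferences(roleRefSet);

   return epmd.authorize(resource, new Subject(),
         getRoleGroup(new String[]{"gooduser", "validuser" }));
}

public void testIsCallerInRoleValid()
{
   assertEquals(AuthorizationContext.PERMIT, authorizeWithRoleRef("gooduser"));
}

public void testIsCallerInRoleInvalid()
{
   assertEquals(AuthorizationContext.DENY, authorizeWithRoleRef("baduser"));
}
```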
Modified: projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java
===================================================================
--- projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java 2008-10-23 15:53:10 UTC (rev 79980)
+++ projects/security/security-jboss-sx/trunk/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java 2008-10-23 15:55:18 UTC (rev 79981)
@@ -24,12 +24,14 @@
import java.io.InputStream;
import java.security.Principal;
import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Set;
import javax.security.auth.Subject;
import junit.framework.TestCase;
-import org.jboss.security.SecurityConstants;
+import org.jboss.security.SecurityConstants;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.PolicyRegistration;
@@ -41,6 +43,7 @@
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRole;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
+import org.jboss.security.javaee.SecurityRoleRef;
import org.jboss.security.plugins.JBossPolicyRegistration;
/**
@@ -56,9 +59,7 @@
protected void setUp() throws Exception
{
- super.setUp();
- //setSecurityContext();
- //setUpPolicyContext();
+ super.setUp();
setSecurityConfiguration();
}
@@ -90,6 +91,48 @@
assertEquals(AuthorizationContext.DENY, res);
}
+ public void testEJBContextIsCallerInRoleValid() throws Exception
+ {
+ EJBXACMLPolicyModuleDelegate pc = new EJBXACMLPolicyModuleDelegate();
+
+ PolicyRegistration policyRegistration = new JBossPolicyRegistration();
+ registerPolicy(policyRegistration);
+ EJBResource er = getEJBResource(policyRegistration);
+
+ er.setPolicyContextID(contextID);
+ er.setPrincipal(new SimplePrincipal("baduser"));
+ er.getMap().put(ResourceKeys.ROLEREF_PERM_CHECK, true);
+ er.getMap().put(ResourceKeys.ROLENAME, "employee");
+
+ Set<SecurityRoleRef> roleRefSet = new HashSet<SecurityRoleRef>();
+ roleRefSet.add(this.getSecurityRoleRef("employee", "ProjectUser"));
+ er.setSecurityRoleReferences(roleRefSet);
+
+ int res = pc.authorize(er, new Subject(), getRoleGroup());
+ assertEquals(AuthorizationContext.PERMIT, res);
+ }
+
+ public void testEJBContextIsCallerInRoleInvalid() throws Exception
+ {
+ EJBXACMLPolicyModuleDelegate pc = new EJBXACMLPolicyModuleDelegate();
+
+ PolicyRegistration policyRegistration = new JBossPolicyRegistration();
+ registerPolicy(policyRegistration);
+ EJBResource er = getEJBResource(policyRegistration);
+
+ er.setPolicyContextID(contextID);
+ er.setPrincipal(new SimplePrincipal("baduser"));
+ er.getMap().put(ResourceKeys.ROLEREF_PERM_CHECK, true);
+ er.getMap().put(ResourceKeys.ROLENAME, "employee");
+
+ Set<SecurityRoleRef> roleRefSet = new HashSet<SecurityRoleRef>();
+ roleRefSet.add(this.getSecurityRoleRef("employee", "baduser"));
+ er.setSecurityRoleReferences(roleRefSet);
+
+ int res = pc.authorize(er, new Subject(), getRoleGroup());
+ assertEquals(AuthorizationContext.DENY, res);
+ }
+
private EJBResource getEJBResource(PolicyRegistration policyRegistration)
{
HashMap<String,Object> map = new HashMap<String,Object>();
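Review bot: In `testEJBContextIsCallerInRoleValid` (L290–L309) the principal is named `"baduser"` yet the expected result is PERMIT, which reads as a contradiction until one realises the role-ref decision depends on the roles from `getRoleGroup()` (defined outside the hunk) and not on the principal name. A comment above L299 such as `// principal name is irrelevant to the role-ref decision; only the caller's roles matter` would make that intent explicit, or use a neutral principal name in the valid case. Neither test checks that the registered XACML policy is left out of the role-ref path, so a test that registers no policy and still gets PERMIT/DENY from the role refs would pin the behaviour the commit introduces.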
@@ -98,7 +141,7 @@
EJBResource er = new EJBResource(map);
er.setEjbName("StatelessSession");
er.setEjbMethod(StatelessSession.class.getMethods()[0]);
- er.setPrincipal(p);
+ er.setPrincipal(p);
return er;
}
@@ -124,6 +167,11 @@
SecurityConfiguration.addApplicationPolicy(new ApplicationPolicy("other"));
}
+ private SecurityRoleRef getSecurityRoleRef(String roleName, String roleLink)
+ {
+ return new SecurityRoleRef(roleName, roleLink);
+ }
+
public class StatelessSession
{
public void echo(){}