[jboss-cvs] JBossAS SVN: r78111 - in trunk/server/src/main/org/jboss/ejb/plugins: security and 1 other directory.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Fri Sep 5 18:00:31 EDT 2008
Author: anil.saldhana at jboss.com
Date: 2008-09-05 18:00:30 -0400 (Fri, 05 Sep 2008)
New Revision: 78111
Modified:
trunk/server/src/main/org/jboss/ejb/plugins/RunAsSecurityInterceptor.java
trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java
trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java
trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java
Log:
JBAS-5932: refactor common code from invoke and invokeHome of the security interceptors for ejb2
Modified: trunk/server/src/main/org/jboss/ejb/plugins/RunAsSecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/RunAsSecurityInterceptor.java 2008-09-05 21:55:29 UTC (rev 78110)
+++ trunk/server/src/main/org/jboss/ejb/plugins/RunAsSecurityInterceptor.java 2008-09-05 22:00:30 UTC (rev 78111)
@@ -21,7 +21,9 @@
*/
package org.jboss.ejb.plugins;
-import org.jboss.ejb.Container;
+import java.util.Set;
+
+import org.jboss.ejb.Container;
import org.jboss.invocation.Invocation;
import org.jboss.metadata.ApplicationMetaData;
import org.jboss.metadata.AssemblyDescriptorMetaData;
@@ -29,11 +31,9 @@
import org.jboss.metadata.SecurityIdentityMetaData;
import org.jboss.security.AuthenticationManager;
import org.jboss.security.RunAs;
-import org.jboss.security.RunAsIdentity;
+import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityConstants;
-import java.util.Set;
-
/**
* An interceptor that enforces the run-as identity declared by a bean.
*
@@ -93,52 +93,31 @@
public Object invokeHome(Invocation mi) throws Exception
{
- String securityDomain = SecurityConstants.DEFAULT_APPLICATION_POLICY;
- if(securityManager != null)
- {
- securityDomain = securityManager.getSecurityDomain();
- }
-
- //Establish a security context if one is missing for Run-As push
- if(SecurityActions.getSecurityContext() == null)
- {
- SecurityActions.createAndSetSecurityContext(mi.getPrincipal(),
- mi.getCredential(), securityDomain);
- }
-
- /* If a run-as role was specified, push it so that any calls made
- by this bean will have the runAsRole available for declarative
- security checks.
- */
- SecurityActions.pushRunAsIdentity(runAsIdentity);
- SecurityActions.pushCallerRunAsIdentity(runAsIdentity);
-
- try
- {
- Object returnValue = getNext().invokeHome(mi);
- return returnValue;
- }
- finally
- {
- SecurityActions.popRunAsIdentity();
- SecurityActions.popCallerRunAsIdentity();
- }
+ boolean isInvokeMethod = false;
+ return this.process(mi, isInvokeMethod);
}
public Object invoke(Invocation mi) throws Exception
{
+ boolean isInvokeMethod = true;
+ return this.process(mi, isInvokeMethod);
+ }
+
+ public Object process(Invocation mi, boolean isInvokeMethod) throws Exception
+ {
String securityDomain = SecurityConstants.DEFAULT_APPLICATION_POLICY;
if(securityManager != null)
{
securityDomain = securityManager.getSecurityDomain();
- }
+ }
+ log.trace("Bean:"+ container.getServiceName() + " securityDomain="+securityDomain
+ + " isInvokeMethod="+ isInvokeMethod);
//Establish a security context if one is missing for Run-As push
if(SecurityActions.getSecurityContext() == null)
{
SecurityActions.createAndSetSecurityContext(mi.getPrincipal(),
mi.getCredential(), securityDomain);
}
-
/* If a run-as role was specified, push it so that any calls made
by this bean will have the runAsRole available for declarative
security checks.
@@ -146,16 +125,19 @@
SecurityActions.pushRunAsIdentity(runAsIdentity);
SecurityActions.pushCallerRunAsIdentity(runAsIdentity);
+
+ log.trace("Security Context = " + SecurityActions.trace(SecurityActions.getSecurityContext()));
try
{
- Object returnValue = getNext().invoke(mi);
- return returnValue;
+ if(isInvokeMethod)
+ return getNext().invoke(mi);
+ else
+ return getNext().invokeHome(mi);
}
finally
{
SecurityActions.popRunAsIdentity();
SecurityActions.popCallerRunAsIdentity();
- }
+ }
}
-
-}
+}
\ No newline at end of file
Modified: trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java 2008-09-05 21:55:29 UTC (rev 78110)
+++ trunk/server/src/main/org/jboss/ejb/plugins/SecurityActions.java 2008-09-05 22:00:30 UTC (rev 78111)
@@ -496,4 +496,21 @@
}
});
}
+
+ static String trace(final SecurityContext sc)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<String>()
+ {
+ public String run()
+ {
+ StringBuilder sb = new StringBuilder();
+ sb.append(" Principal = " + sc.getUtil().getUserPrincipal());
+ sb.append(" Subject:"+sc.getUtil().getSubject());
+ sb.append(" Incoming run as:"+sc.getIncomingRunAs());
+ sb.append(" Outgoing run as:"+sc.getOutgoingRunAs());
+ return sb.toString();
+ }
+ }
+ );
+ }
}
Modified: trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2008-09-05 21:55:29 UTC (rev 78110)
+++ trunk/server/src/main/org/jboss/ejb/plugins/SecurityInterceptor.java 2008-09-05 22:00:30 UTC (rev 78111)
@@ -46,7 +46,7 @@
import org.jboss.security.RunAsIdentity;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityRolesAssociation;
-import org.jboss.security.SecurityUtil;
+import org.jboss.security.SecurityUtil;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.jboss.security.javaee.AbstractEJBAuthorizationHelper;
import org.jboss.security.javaee.EJBAuthenticationHelper;
@@ -195,64 +195,41 @@
public Object invokeHome(Invocation mi) throws Exception
{
- if(this.shouldBypassSecurity(mi))
- return getNext().invokeHome(mi);
-
- SecurityContext sc = SecurityActions.getSecurityContext();
- if( sc == null)
- throw new IllegalStateException("Security Context is null");
-
- RunAs callerRunAsIdentity = sc.getIncomingRunAs();
-
- // Authenticate the subject and apply any declarative security checks
- try
- {
- checkSecurityContext(mi, callerRunAsIdentity);
- }
- catch(Exception e)
- {
- log.error("Error in Security Interceptor",e);
- throw e;
- }
-
- /**
- * Special case: if <use-caller-identity> configured and
- * the caller is arriving with a run-as, we need to push that run-as
- */
- if(callerRunAsIdentity != null && this.isUseCallerIdentity)
- this.runAsIdentity = callerRunAsIdentity;
-
-
- /* If a run-as role was specified, push it so that any calls made
- by this bean will have the runAsRole available for declarative
- security checks.
- */
- SecurityActions.pushRunAsIdentity(runAsIdentity);
-
- try
- {
- Object returnValue = getNext().invokeHome(mi);
- return returnValue;
- }
- finally
- {
- SecurityActions.popRunAsIdentity();
- SecurityActions.popSubjectContext();
- }
+ boolean isInvoke = false;
+ return process(mi, isInvoke);
}
public Object invoke(Invocation mi) throws Exception
{
+ boolean isInvoke = true;
+ return process(mi, isInvoke);
+ }
+
+ /**
+ * Process the invocation
+ * @param mi
+ * @param isInvoke Are we from the invoke method? False = invokeHome method
+ * @return
+ * @throws Exception
+ */
+ private Object process(Invocation mi, boolean isInvoke) throws Exception
+ {
if(this.shouldBypassSecurity(mi))
- return getNext().invoke(mi);
+ {
+ log.trace("Bypass security for invoke or invokeHome");
+ if(isInvoke)
+ return getNext().invoke(mi);
+ else
+ return getNext().invokeHome(mi);
+ }
SecurityContext sc = SecurityActions.getSecurityContext();
if( sc == null)
throw new IllegalStateException("Security Context is null");
RunAs callerRunAsIdentity = sc.getIncomingRunAs();
-
+ log.trace("Caller RunAs="+callerRunAsIdentity + ": useCallerIdentity="+this.isUseCallerIdentity);
// Authenticate the subject and apply any declarative security checks
try
{
@@ -279,15 +256,17 @@
try
{
- Object returnValue = getNext().invoke(mi);
- return returnValue;
+ if(isInvoke)
+ return getNext().invoke(mi);
+ else
+ return getNext().invokeHome(mi);
}
finally
{
SecurityActions.popRunAsIdentity();
SecurityActions.popSubjectContext();
- }
- }
+ }
+ }
/** The EJB 2.0 declarative security algorithm:
1. Authenticate the caller using the principal and credentials in the MethodInfocation
@@ -340,7 +319,7 @@
SecurityActions.pushSubjectContext(principal, credential, subject);
if (trace)
{
- log.trace("Authenticated principal=" + principal);
+ log.trace("Authenticated principal=" + principal + " in security domain=" + sc.getSecurityDomain());
}
}
}
@@ -407,4 +386,4 @@
}
return false;
}
-}
+}
\ No newline at end of file
Modified: trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java 2008-09-05 21:55:29 UTC (rev 78110)
+++ trunk/server/src/main/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java 2008-09-05 22:00:30 UTC (rev 78111)
@@ -33,7 +33,6 @@
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityIdentity;
-//$Id$
/**
* Interceptor that performs the initialization required for
@@ -78,83 +77,71 @@
@Override
public Object invoke(Invocation mi) throws Exception
{
+ boolean isInvoke = true;
+ return this.process(mi, isInvoke);
+ }
+
+ @Override
+ public Object invokeHome(Invocation mi) throws Exception
+ {
+ boolean isInvoke = false;
+ return this.process(mi, isInvoke);
+ }
+
+ @SuppressWarnings("deprecation")
+ private Object process(Invocation mi, boolean isInvoke) throws Exception
+ {
//No Security in the absence of SecurityDomain
if(securityDomain == null)
- return getNext().invoke(mi);
+ {
+ if(isInvoke)
+ return getNext().invoke(mi);
+ else
+ return getNext().invokeHome(mi);
+ }
-
+ log.trace("process:isInvoke="+isInvoke + " bean="+ container.getServiceName());
SecurityIdentity si = null;
Method m = mi.getMethod();
boolean isEjbTimeOutMethod = m!= null && m.getName().equals(timedObjectMethod);
//For local ejb invocations
if(mi.isLocal() && !isEjbTimeOutMethod)
{
+ log.trace("True mi.isLocal() && !isEjbTimeOutMethod");
//Cache the security context
SecurityContext sc = SecurityActions.getSecurityContext();
if(sc != null)
si = sc.getUtil().getSecurityIdentity();
+ log.trace("SecurityIdentity="+SecurityActions.trace(si));
//Set the security context on the invocation
mi.setSecurityContext(sc);
}
else
{
+ log.trace("False mi.isLocal() && !isEjbTimeOutMethod");
establishSecurityContext(mi);
}
try
{
//Establish the run-as on the SC as the caller SC
- SecurityActions.pushCallerRunAsIdentity(SecurityActions.getSecurityContext().getOutgoingRunAs());
- Object returnValue = getNext().invoke(mi);
- return returnValue;
+ SecurityContext currentSC = SecurityActions.getSecurityContext();
+ SecurityActions.pushCallerRunAsIdentity(currentSC.getOutgoingRunAs());
+ log.trace("Going to the SecurityInterceptor with SC="+SecurityActions.trace(currentSC));
+ if(isInvoke)
+ return getNext().invoke(mi);
+ else
+ return getNext().invokeHome(mi);
}
finally
{
SecurityActions.popCallerRunAsIdentity();
if(mi.isLocal() && si != null)
SecurityActions.getSecurityContext().getUtil().setSecurityIdentity(si);
- }
+ log.trace("Exit process():isInvoke="+isInvoke);
+ }
}
-
- @Override
- public Object invokeHome(Invocation mi) throws Exception
- {
- //No Security in the absence of SecurityDomain
- if(securityDomain == null)
- return getNext().invokeHome(mi);
-
- SecurityIdentity si = null;
- Method m = mi.getMethod();
- boolean isEjbTimeOutMethod = m!= null && m.getName().equals(timedObjectMethod);
- //For local ejb invocations
- if(mi.isLocal() && !isEjbTimeOutMethod)
- {
- //Cache the security context
- SecurityContext sc = SecurityActions.getSecurityContext();
- if(sc != null)
- si = sc.getUtil().getSecurityIdentity();
- //Set the security context on the invocation
- mi.setSecurityContext(sc);
- }
- else
- {
- establishSecurityContext(mi);
- }
- try
- {
- //Establish the run-as on the SC as the caller SC
- SecurityActions.pushCallerRunAsIdentity(SecurityActions.getSecurityContext().getOutgoingRunAs());
- Object returnValue = getNext().invokeHome(mi);
- return returnValue;
- }
- finally
- {
- SecurityActions.popCallerRunAsIdentity();
- if(mi.isLocal() && si != null)
- SecurityActions.getSecurityContext().getUtil().setSecurityIdentity(si);
- }
- }
private void establishSecurityContext(Invocation mi) throws Exception
{
@@ -166,7 +153,7 @@
container.getSecurityContextClassName());
if(sc != null)
- {
+ {
//Get the run-as, principal, cred etc from the invocation and set it on the context
SecurityActions.setSecurityIdentity(newSC,
sc.getUtil().getSecurityIdentity());
@@ -178,5 +165,6 @@
}
//Set the SecurityManagement on the context
newSC.setSecurityManagement(container.getSecurityManagement());
+ log.trace("establishSecurityIdentity:SecCtx="+SecurityActions.trace(newSC));
}
}
Modified: trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java
===================================================================
--- trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java 2008-09-05 21:55:29 UTC (rev 78110)
+++ trunk/server/src/main/org/jboss/ejb/plugins/security/SecurityActions.java 2008-09-05 22:00:30 UTC (rev 78111)
@@ -31,9 +31,7 @@
import org.jboss.security.SecurityIdentity;
import org.jboss.security.SecurityContextFactory;
import org.jboss.security.SecurityContextAssociation;
-
-//$Id$
-
+
/**
* Privileged Blocks
* @author Anil.Saldhana at redhat.com
@@ -42,12 +40,12 @@
*/
class SecurityActions
{
- public static SecurityContext createAndSetSecurityContext(final String domain,
+ static SecurityContext createAndSetSecurityContext(final String domain,
final String fqnClassName) throws PrivilegedActionException
{
- return (SecurityContext) AccessController.doPrivileged(new PrivilegedExceptionAction()
+ return AccessController.doPrivileged(new PrivilegedExceptionAction<SecurityContext>()
{
- public Object run() throws Exception
+ public SecurityContext run() throws Exception
{
SecurityContext sc = SecurityContextFactory.createSecurityContext(domain, fqnClassName);
setSecurityContext(sc);
@@ -56,11 +54,11 @@
);
}
- public static SecurityContext getSecurityContext()
+ static SecurityContext getSecurityContext()
{
- return (SecurityContext) AccessController.doPrivileged(new PrivilegedAction()
+ return AccessController.doPrivileged(new PrivilegedAction<SecurityContext>()
{
- public Object run()
+ public SecurityContext run()
{
return SecurityContextAssociation.getSecurityContext();
}}
@@ -69,7 +67,7 @@
static void pushCallerRunAsIdentity(final RunAs ra)
{
- AccessController.doPrivileged(new PrivilegedAction(){
+ AccessController.doPrivileged(new PrivilegedAction<Object>(){
public Object run()
{
SecurityContext sc = SecurityContextAssociation.getSecurityContext();
@@ -82,9 +80,9 @@
}
- public static void popCallerRunAsIdentity()
+ static void popCallerRunAsIdentity()
{
- AccessController.doPrivileged(new PrivilegedAction(){
+ AccessController.doPrivileged(new PrivilegedAction<Object>(){
public Object run()
{
SecurityContext sc = SecurityContextAssociation.getSecurityContext();
@@ -96,9 +94,9 @@
});
}
- public static void setSecurityContext(final SecurityContext sc)
+ static void setSecurityContext(final SecurityContext sc)
{
- AccessController.doPrivileged(new PrivilegedAction()
+ AccessController.doPrivileged(new PrivilegedAction<Object>()
{
public Object run()
{
@@ -108,10 +106,10 @@
);
}
- public static void setSecurityIdentity(final SecurityContext sc,
+ static void setSecurityIdentity(final SecurityContext sc,
final SecurityIdentity si)
{
- AccessController.doPrivileged(new PrivilegedAction()
+ AccessController.doPrivileged(new PrivilegedAction<Object>()
{
public Object run()
{
@@ -120,4 +118,38 @@
}}
);
}
+
+ static String trace(final SecurityContext sc)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<String>()
+ {
+ public String run()
+ {
+ StringBuilder sb = new StringBuilder();
+ sb.append(" Principal = " + sc.getUtil().getUserPrincipal());
+ sb.append(" Subject:"+sc.getUtil().getSubject());
+ sb.append(" Incoming run as:"+sc.getIncomingRunAs());
+ sb.append(" Outgoing run as:"+sc.getOutgoingRunAs());
+ return sb.toString();
+ }
+ }
+ );
+ }
+
+ static String trace(final SecurityIdentity si)
+ {
+ return AccessController.doPrivileged(new PrivilegedAction<String>()
+ {
+ public String run()
+ {
+ StringBuilder sb = new StringBuilder();
+ sb.append(" Principal = " + si.getPrincipal());
+ sb.append(" Subject:"+si.getSubject());
+ sb.append(" Incoming run as:"+si.getIncomingRunAs());
+ sb.append(" Outgoing run as:"+si.getOutgoingRunAs());
+ return sb.toString();
+ }
+ }
+ );
+ }
}
More information about the jboss-cvs-commits
mailing list