[jboss-cvs] Picketbox SVN: r103 - in trunk: picketbox/src/main/java/org/picketbox/sandbox and 11 other directories.
Thu Aug 12 11:51:42 EDT 2010
Author: anil.saldhana at jboss.com
Date: 2010-08-12 11:51:40 -0400 (Thu, 12 Aug 2010)
New Revision: 103
Added:
trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/exceptions/
trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/exceptions/MissingArgumentsException.java
trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/exceptions/WrongEEResourceException.java
Modified:
trunk/picketbox/src/main/java/org/picketbox/core/authorization/resources/POJOResource.java
trunk/picketbox/src/main/java/org/picketbox/sandbox/PBSandbox.java
trunk/picketbox/src/test/java/org/picketbox/test/api/AuthorizationUnitTestCase.java
trunk/picketbox/src/test/java/org/picketbox/test/api/InstanceBasedAuthorizationUnitTestCase.java
trunk/security-jboss-sx/acl/src/test/java/org/jboss/test/security/acl/TestResource.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/resources/EJBResource.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/resources/JavaEEResource.java
trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/javaee/EJBAuthorizationHelper.java
trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/AuthorizationContextUnitTestCase.java
trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/JBossAuthZMgrSafetyUnitTestCase.java
trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/StandaloneJBossAMgrUnitTestCase.java
trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/acl/ACLTestResource.java
trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/acl/JBossAuthorizationManagerACLUnitTestCase.java
trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java
trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/security/helpers/EJBAuthorizationHelperUnitTestCase.java
trunk/security-spi/authorization/src/main/java/org/jboss/security/authorization/Resource.java
trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/AbstractEJBAuthorizationHelper.java
trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/AbstractJavaEEHelper.java
Log:
SECURITY-517: SECURITY-515:
Modified: trunk/picketbox/src/main/java/org/picketbox/core/authorization/resources/POJOResource.java
===================================================================
--- trunk/picketbox/src/main/java/org/picketbox/core/authorization/resources/POJOResource.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/picketbox/src/main/java/org/picketbox/core/authorization/resources/POJOResource.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -21,6 +21,7 @@
*/
package org.picketbox.core.authorization.resources;
+import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
@@ -56,6 +57,11 @@
public Map<String, Object> getMap()
{
- return map;
+ return Collections.unmodifiableMap( map );
+ }
+
+ public void add(String key, Object value)
+ {
+ map.put(key, value);
}
}
\ No newline at end of file
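Review bot: `getMap()` at L47 now hands out `Collections.unmodifiableMap(map)`, which is a live read-only view rather than a copy, so any caller that previously did `getMap().put(...)` (the pattern the test hunks in this commit replace) now fails at runtime with `UnsupportedOperationException`, and writes made through `add` remain visible through views already handed out. Neither method carries a Javadoc saying so; I would add `/** Returns a read-only live view of the context map; use {@link #add(String, Object)} to mutate it. */` above `getMap()` and `/** Puts a key/value into the context map; the only supported mutation path. */` above `add`. The same applies to the `getMap()`/`add` hunk in JavaEEResource, whose `@param key` and `@param value` tags are also empty. The `map` field itself is declared outside this hunk.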
Modified: trunk/picketbox/src/main/java/org/picketbox/sandbox/PBSandbox.java
===================================================================
--- trunk/picketbox/src/main/java/org/picketbox/sandbox/PBSandbox.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/picketbox/src/main/java/org/picketbox/sandbox/PBSandbox.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -153,15 +153,22 @@
{
return new Resource()
{
- public ResourceType getLayer()
- {
- return ResourceType.POJO;
- }
+ HashMap<String,Object> contextMap = new HashMap<String,Object>();
+
+ public ResourceType getLayer()
+ {
+ return ResourceType.POJO;
+ }
- public Map<String, Object> getMap()
- {
- return new HashMap<String,Object>();
- }
+ public Map<String, Object> getMap()
+ {
+ return contextMap;
+ }
+
+ public void add(String key, Object value)
+ {
+ contextMap.put(key, value);
+ }
};
}
}
\ No newline at end of file
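Review bot: The anonymous Resource's `getMap()` at L80 returns the backing `contextMap` itself, so callers can still mutate the context directly and bypass the new `add` method, unlike POJOResource and JavaEEResource in this same commit, which now return an unmodifiable view. If the sandbox is meant to mirror the production resources, `return Collections.unmodifiableMap(contextMap);` would align it (whether `java.util.Collections` is imported in this file is not visible here). The field could also be declared as `Map<String,Object>` rather than `HashMap<String,Object>`. The anonymous test resources in AuthorizationUnitTestCase, AuthorizationContextUnitTestCase and JBossAuthZMgrSafetyUnitTestCase follow the same mutable-return pattern. The enclosing method starts before this hunk.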
Modified: trunk/picketbox/src/test/java/org/picketbox/test/api/AuthorizationUnitTestCase.java
===================================================================
--- trunk/picketbox/src/test/java/org/picketbox/test/api/AuthorizationUnitTestCase.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/picketbox/src/test/java/org/picketbox/test/api/AuthorizationUnitTestCase.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -124,15 +124,22 @@
{
return new Resource()
{
- public ResourceType getLayer()
- {
- return ResourceType.POJO;
- }
+ HashMap<String,Object> contextMap = new HashMap<String, Object>();
- public Map<String, Object> getMap()
- {
- return new HashMap<String,Object>();
- }
+ public ResourceType getLayer()
+ {
+ return ResourceType.POJO;
+ }
+
+ public Map<String, Object> getMap()
+ {
+ return contextMap;
+ }
+
+ public void add(String key, Object value)
+ {
+ contextMap.put(key, value);
+ }
};
}
}
\ No newline at end of file
Modified: trunk/picketbox/src/test/java/org/picketbox/test/api/InstanceBasedAuthorizationUnitTestCase.java
===================================================================
--- trunk/picketbox/src/test/java/org/picketbox/test/api/InstanceBasedAuthorizationUnitTestCase.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/picketbox/src/test/java/org/picketbox/test/api/InstanceBasedAuthorizationUnitTestCase.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -374,5 +374,10 @@
{
return this.resourceURI.toString();
}
+
+ public void add(String key, Object value)
+ {
+ this.contextMap.put(key, value);
+ }
}
}
Modified: trunk/security-jboss-sx/acl/src/test/java/org/jboss/test/security/acl/TestResource.java
===================================================================
--- trunk/security-jboss-sx/acl/src/test/java/org/jboss/test/security/acl/TestResource.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/acl/src/test/java/org/jboss/test/security/acl/TestResource.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -151,4 +151,9 @@
{
return this.name;
}
+
+ public void add(String key, Object value)
+ {
+ this.contextMap.put(key, value);
+ }
}
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/resources/EJBResource.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/resources/EJBResource.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/resources/EJBResource.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -41,7 +41,7 @@
private Method ejbMethod = null;
private String ejbName = null;
private String ejbMethodInterface = null;
- private RoleGroup ejbMethodRoles = null;
+ private RoleGroup ejbMethodRoles = null;
public static final String EJB_VERSION_1_1 = "1.1";
public static final String EJB_VERSION_2_0 = "2.0";
@@ -180,7 +180,7 @@
public void setEjbVersion(String version)
{
this.version = version;
- }
+ }
public String toString()
{
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/resources/JavaEEResource.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/resources/JavaEEResource.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/authorization/resources/JavaEEResource.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -23,6 +23,7 @@
import java.security.CodeSource;
import java.security.Principal;
+import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
@@ -60,11 +61,21 @@
public abstract ResourceType getLayer();
/**
+ * Add a key value to the context map
+ * @param key
+ * @param value
+ */
+ public void add( String key, Object value )
+ {
+ map.put(key, value);
+ }
+
+ /**
* @see Resource#getMap()
*/
public Map<String, Object> getMap()
{
- return map;
+ return Collections.unmodifiableMap( map );
}
/**
Modified: trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/javaee/EJBAuthorizationHelper.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/javaee/EJBAuthorizationHelper.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/jbosssx/src/main/java/org/jboss/security/plugins/javaee/EJBAuthorizationHelper.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -36,12 +36,15 @@
import org.jboss.security.audit.AuditLevel;
import org.jboss.security.authorization.AuthorizationContext;
import org.jboss.security.authorization.PolicyRegistration;
+import org.jboss.security.authorization.Resource;
import org.jboss.security.authorization.ResourceKeys;
import org.jboss.security.authorization.resources.EJBResource;
import org.jboss.security.callbacks.SecurityContextCallbackHandler;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.javaee.AbstractEJBAuthorizationHelper;
import org.jboss.security.javaee.SecurityRoleRef;
+import org.jboss.security.javaee.exceptions.MissingArgumentsException;
+import org.jboss.security.javaee.exceptions.WrongEEResourceException;
/**
@@ -54,6 +57,8 @@
{
protected static Logger log = Logger.getLogger(EJBAuthorizationHelper.class);
+ protected String POLICY_REGISTRATION_JNDI = "java:/policyRegistration";
+
@Override
public boolean authorize(
String ejbName,
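Review bot: `POLICY_REGISTRATION_JNDI` at L228 is named like a constant but is a mutable, non-static, protected instance field, so any subclass (or holder of a reference) can repoint the JNDI name that `getPolicyRegistrationFromJNDI()` looks up at runtime. Unless per-instance overriding is intended, `protected static final String POLICY_REGISTRATION_JNDI = "java:/policyRegistration";` matches the naming and removes that surface. If it is meant to be configurable, a short comment saying so and an explicit setter would make the intent clear.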
@@ -141,7 +146,59 @@
return this.isCallerInRole(roleName, ejbName, ejbPrincipal,
callerSubject, contextID, securityRoleRefs, false);
}
+
+ public boolean isCallerInRole( Resource resource, String roleName ) throws WrongEEResourceException,MissingArgumentsException
+ {
+ boolean isAuthorized = false;
+ EJBResource ejbResource = (EJBResource) resource;
+ if(roleName == null)
+ throw new IllegalArgumentException("roleName is null");
+ if( ejbResource.getEjbName() == null)
+ throw new IllegalArgumentException("ejbName is null");
+ if( ejbResource.getPolicyContextID() == null)
+ throw new IllegalArgumentException("ContextID is null");
+
+ AuthorizationManager am = securityContext.getAuthorizationManager();
+
+ Subject callerSubject = ejbResource.getCallerSubject();
+
+ if(am == null)
+ throw new IllegalStateException("AuthorizationManager is null");
+
+ try
+ {
+ if(this.policyRegistration == null)
+ this.policyRegistration = getPolicyRegistrationFromJNDI();
+ }
+ catch(Exception e)
+ {
+ log.error("Error getting Policy Registration",e);
+ }
+
+ ejbResource.add( ResourceKeys.POLICY_REGISTRATION, this.policyRegistration );
+
+ ejbResource.add( ResourceKeys.ROLENAME, roleName );
+ ejbResource.add( ResourceKeys.ROLEREF_PERM_CHECK, Boolean.TRUE);
+
+ SecurityContextCallbackHandler sch = new SecurityContextCallbackHandler(this.securityContext);
+ RoleGroup callerRoles = am.getSubjectRoles( callerSubject, sch);
+
+ try
+ {
+ int check = am.authorize(ejbResource, callerSubject, callerRoles);
+ isAuthorized = (check == AuthorizationContext.PERMIT);
+ }
+ catch (Exception e)
+ {
+ isAuthorized = false;
+ if(log.isTraceEnabled())
+ log.trace(roleName + "::isCallerInRole check failed:"+e.getLocalizedMessage(), e);
+ authorizationAudit(AuditLevel.ERROR,ejbResource,e);
+ }
+ return isAuthorized;
+ }
+
@Override
public boolean isCallerInRole(String roleName, String ejbName, Principal ejbPrincipal, Subject callerSubject,
String contextID, Set<SecurityRoleRef> securityRoleRefs, boolean enforceEJBRestrictions)
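Review bot: `isCallerInRole(Resource, String)` declares `throws WrongEEResourceException` but casts `resource` to `EJBResource` at L241 without an `instanceof` check, so a non-EJB resource surfaces as a `ClassCastException` rather than the documented exception; the `authorize(Resource)` override later in this file does guard the cast. I would insert before the cast: `if (resource instanceof EJBResource == false) throw new WrongEEResourceException("resource is not of type EJBResource");`. Likewise the three null checks at L242-L247 throw `IllegalArgumentException` although the abstract declaration in AbstractEJBAuthorizationHelper documents `MissingArgumentsException` for roleName, ejbName and contextID; throwing `MissingArgumentsException` keeps existing `IllegalArgumentException` catchers working since it subclasses that type. Note also that, unlike `authorize(Resource)`, this method records no SUCCESS/FAILURE audit event, only the ERROR case in the catch at L284.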
@@ -171,6 +228,8 @@
log.error("Error getting Policy Registration",e);
}
+
+
map.put(ResourceKeys.POLICY_REGISTRATION, this.policyRegistration);
map.put(ResourceKeys.ROLENAME, roleName);
@@ -228,10 +287,74 @@
else
throw new IllegalArgumentException("Invalid ejbVersion:" + ejbVersion);
}
+
+ @Override
+ public boolean authorize( Resource resource )
+ throws WrongEEResourceException, MissingArgumentsException
+ {
+ if( resource instanceof EJBResource == false )
+ throw new WrongEEResourceException( "resource is not of type EJBResource" );
+ EJBResource ejbResource = (EJBResource) resource;
+ validateEJBResource( ejbResource );
+
+ AuthorizationManager am = securityContext.getAuthorizationManager();
+ if(am == null)
+ throw new IllegalStateException("Authorization Manager is null");
+
+ try
+ {
+ if(this.policyRegistration == null)
+ this.policyRegistration = getPolicyRegistrationFromJNDI();
+ }
+ catch(Exception e)
+ {
+ log.error("Error getting Policy Registration",e);
+ }
+ Subject callerSubject = ejbResource.getCallerSubject();
+
+ ejbResource.add( ResourceKeys.POLICY_REGISTRATION, this.policyRegistration );
+ SecurityContextCallbackHandler sch = new SecurityContextCallbackHandler( this.securityContext );
+ RoleGroup callerRoles = am.getSubjectRoles( callerSubject, sch );
+
+ boolean isAuthorized = false;
+ try
+ {
+ int check = am.authorize(ejbResource, callerSubject, callerRoles);
+ isAuthorized = (check == AuthorizationContext.PERMIT);
+ authorizationAudit((isAuthorized ? AuditLevel.SUCCESS : AuditLevel.FAILURE)
+ ,ejbResource, null);
+ }
+ catch (Exception e)
+ {
+ isAuthorized = false;
+ if(log.isTraceEnabled())
+ log.trace("Error in authorization:",e);
+ authorizationAudit(AuditLevel.ERROR,ejbResource,e);
+ }
+
+ return isAuthorized;
+ }
-
+ /**
+ * Validate that the EJBResource has all the parameters to make a decision
+ * @param ejbResource
+ */
+ private void validateEJBResource( EJBResource ejbResource ) throws MissingArgumentsException
+ {
+ if( ejbResource.getEjbName() == null )
+ throw new MissingArgumentsException( "ejbName is null" );
+ if( ejbResource.getEjbMethod() == null )
+ throw new MissingArgumentsException( "ejbMethod is null" );
+ if( ejbResource.getCodeSource() == null )
+ throw new MissingArgumentsException("EJB CodeSource is null");
+ if( ejbResource.getPolicyContextID() == null )
+ throw new MissingArgumentsException("ContextID is null");
+ if( ejbResource.getCallerSubject() == null && ejbResource.getCallerRunAsIdentity() == null )
+ throw new MissingArgumentsException("Either callerSubject or callerRunAs should be non-null");
+ }
+
private PolicyRegistration getPolicyRegistrationFromJNDI() throws Exception
{
- return (PolicyRegistration) (new InitialContext()).lookup("java:/policyRegistration");
+ return (PolicyRegistration) (new InitialContext()).lookup(POLICY_REGISTRATION_JNDI);
}
}
\ No newline at end of file
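Review bot: `validateEJBResource` (L365) accepts a resource whose `callerSubject` is null as long as `callerRunAsIdentity` is set, yet `authorize(Resource)` then passes that possibly-null `callerSubject` straight to `am.getSubjectRoles(callerSubject, sch)` at L330 and to `am.authorize` at L335 without consulting the run-as identity at all; whether the AuthorizationManager tolerates a null Subject is not visible here, so either the run-as path should be handled or the check should require `callerSubject`. Separately, a failed JNDI lookup at L317-L325 is only logged and a null `POLICY_REGISTRATION` is then stored into the resource at L328, so the decision proceeds without a policy registration — this mirrors the legacy path in the earlier hunk, but deserves a comment stating that it is intentional. The Javadoc for `validateEJBResource` should also carry `@throws MissingArgumentsException if ejbName, ejbMethod, codeSource, policyContextID, or both caller identities are null`.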
Modified: trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/AuthorizationContextUnitTestCase.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/AuthorizationContextUnitTestCase.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/AuthorizationContextUnitTestCase.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -184,6 +184,8 @@
{
result = aContext.authorize(new Resource()
{
+ HashMap<String,Object> contextMap = new HashMap<String,Object>();
+
public ResourceType getLayer()
{
return ResourceType.WEB;
@@ -192,8 +194,13 @@
@SuppressWarnings("unchecked")
public Map getMap()
{
- return new HashMap();
+ return contextMap;
}
+
+ public void add(String key, Object value)
+ {
+ contextMap.put(key, value);
+ }
});
}
catch(AuthorizationException e)
Modified: trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/JBossAuthZMgrSafetyUnitTestCase.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/JBossAuthZMgrSafetyUnitTestCase.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/JBossAuthZMgrSafetyUnitTestCase.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -96,6 +96,8 @@
private class TestResource implements Resource
{
+ HashMap<String,Object> contextMap = new HashMap<String,Object>();
+
public ResourceType getLayer()
{
return ResourceType.WEB;
@@ -103,7 +105,12 @@
public Map<String, Object> getMap()
{
- return new HashMap<String,Object>();
+ return contextMap;
+ }
+
+ public void add(String key, Object value)
+ {
+ contextMap.put(key, value);
}
}
}
\ No newline at end of file
Modified: trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/StandaloneJBossAMgrUnitTestCase.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/StandaloneJBossAMgrUnitTestCase.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/StandaloneJBossAMgrUnitTestCase.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -65,6 +65,8 @@
final HashMap<String, Object> cmap = new HashMap<String,Object>();
Resource testResource = new Resource()
{
+ HashMap<String,Object> contextMap = new HashMap<String,Object>();
+
public ResourceType getLayer()
{
return ResourceType.WEB;
@@ -74,6 +76,11 @@
{
return Collections.unmodifiableMap(cmap);
}
+
+ public void add(String key, Object value)
+ {
+ contextMap.put(key, value);
+ }
};
assertEquals(AuthorizationContext.PERMIT, jam.authorize(testResource, subject, getRoleGroup()));
}
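Review bot: The new `add` at L448 writes into the freshly added `contextMap` field, but `getMap()` at L445 still returns `Collections.unmodifiableMap(cmap)`, so anything stored via `add` is never visible to the authorization manager; the two maps are unrelated. Since `cmap` is declared `final` at L435 it is accessible from the anonymous class, so `add` should be `cmap.put(key, value);` and the `contextMap` field dropped. The enclosing test method starts before this hunk.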
Modified: trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/acl/ACLTestResource.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/acl/ACLTestResource.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/acl/ACLTestResource.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -40,7 +40,7 @@
private final int id;
- private final Map<String, Object> context = new HashMap<String, Object>();
+ private final Map<String, Object> contextMap = new HashMap<String, Object>();
/**
* <p>
@@ -69,7 +69,7 @@
*/
public Map<String, Object> getMap()
{
- return this.context;
+ return this.contextMap;
}
/**
@@ -83,4 +83,9 @@
{
return this.id;
}
+
+ public void add(String key, Object value)
+ {
+ this.contextMap.put(key, value);
+ }
}
Modified: trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/acl/JBossAuthorizationManagerACLUnitTestCase.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/acl/JBossAuthorizationManagerACLUnitTestCase.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/acl/JBossAuthorizationManagerACLUnitTestCase.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -109,8 +109,8 @@
Collection<Resource> childResources = new ArrayList<Resource>();
// resource 1 has resource 2 as child.
childResources.add(resource2);
- resource1.getMap().put(ResourceKeys.CHILD_RESOURCES, childResources);
- resource2.getMap().put(ResourceKeys.PARENT_RESOURCE, resource1);
+ resource1.add( ResourceKeys.CHILD_RESOURCES, childResources );
+ resource2.add( ResourceKeys.PARENT_RESOURCE, resource1 );
// using the authorization manager, check the entitlements assigned to some of the identities.
JBossAuthorizationManager jam = new JBossAuthorizationManager("test-acl");
Modified: trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/authorization/xacml/EJBXACMLUnitTestCase.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -101,8 +101,8 @@
er.setPolicyContextID(contextID);
er.setPrincipal(new SimplePrincipal("baduser"));
- er.getMap().put(ResourceKeys.ROLEREF_PERM_CHECK, true);
- er.getMap().put(ResourceKeys.ROLENAME, "employee");
+ er.add(ResourceKeys.ROLEREF_PERM_CHECK, true);
+ er.add(ResourceKeys.ROLENAME, "employee");
Set<SecurityRoleRef> roleRefSet = new HashSet<SecurityRoleRef>();
roleRefSet.add(this.getSecurityRoleRef("employee", "ProjectUser"));
@@ -122,8 +122,8 @@
er.setPolicyContextID(contextID);
er.setPrincipal(new SimplePrincipal("baduser"));
- er.getMap().put(ResourceKeys.ROLEREF_PERM_CHECK, true);
- er.getMap().put(ResourceKeys.ROLENAME, "employee");
+ er.add(ResourceKeys.ROLEREF_PERM_CHECK, true);
+ er.add(ResourceKeys.ROLENAME, "employee");
Set<SecurityRoleRef> roleRefSet = new HashSet<SecurityRoleRef>();
roleRefSet.add(this.getSecurityRoleRef("employee", "baduser"));
Modified: trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/security/helpers/EJBAuthorizationHelperUnitTestCase.java
===================================================================
--- trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/security/helpers/EJBAuthorizationHelperUnitTestCase.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-jboss-sx/jbosssx/src/test/java/org/jboss/test/security/helpers/EJBAuthorizationHelperUnitTestCase.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -21,7 +21,9 @@
*/
package org.jboss.test.security.helpers;
+import java.security.CodeSource;
import java.security.Principal;
+import java.util.HashMap;
import javax.security.auth.Subject;
@@ -29,8 +31,10 @@
import org.jboss.security.SecurityContext;
import org.jboss.security.SimplePrincipal;
+import org.jboss.security.authorization.resources.EJBResource;
import org.jboss.security.config.ApplicationPolicy;
import org.jboss.security.identity.RoleGroup;
+import org.jboss.security.javaee.exceptions.MissingArgumentsException;
import org.jboss.security.plugins.JBossPolicyRegistration;
import org.jboss.security.plugins.JBossSecurityContext;
import org.jboss.security.plugins.javaee.EJBAuthorizationHelper;
@@ -84,6 +88,42 @@
assertTrue("Authz", result);
}
+ public void testValidAuthorizationWithEJBResource() throws Exception
+ {
+ Principal ejbPrincipal = new SimplePrincipal("AuthenticatedPrincipal");
+ Subject callerSubject = new Subject();
+ callerSubject.getPrincipals().add(ejbPrincipal);
+
+ RoleGroup roleGroup = SecurityTestUtil.getRoleGroup(new String[]{"roleA", "roleC"});
+
+ //Add good roles to the context
+ sc.getUtil().setRoles(roleGroup);
+
+ EJBResource ejbResource = new EJBResource( new HashMap<String, Object>());
+ ejbResource.setEjbName( "TestEJB" );
+ ejbResource.setEjbMethod( DummyClass.class.getMethod("someMethod", new Class[0]) );
+ ejbResource.setPrincipal(ejbPrincipal);
+ ejbResource.setEjbMethodInterface( "void someMethod" );
+ ejbResource.setCodeSource(this.getClass().getProtectionDomain().getCodeSource() );
+ ejbResource.setCallerSubject(callerSubject);
+ ejbResource.setCallerRunAsIdentity( null );
+ ejbResource.setPolicyContextID( "ejb.jar" );
+ ejbResource.setEjbMethodRoles(methodRoleGroup);
+ boolean result = eah.authorize( ejbResource );
+
+ /*boolean result = eah.authorize("TestEJB",
+ DummyClass.class.getMethod("someMethod", new Class[0]),
+ ejbPrincipal,
+ "void someMethod",
+ this.getClass().getProtectionDomain().getCodeSource(),
+ callerSubject,
+ null,
+ "ejb.jar",
+ methodRoleGroup);*/
+
+ assertTrue("Authz", result);
+ }
+
public void testInvalidAuthorization() throws Exception
{
Principal ejbPrincipal = new SimplePrincipal("AuthenticatedPrincipal");
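Review bot: The new test leaves the previous `eah.authorize(...)` invocation commented out at L566-L574; commented-out code should be deleted rather than kept, as the legacy overload presumably remains covered by the existing test ending at L542. The same commented-out blocks appear in `testInvalidAuthorizationWithEJBResource` and `testRequiredParametersWithEJBResource` in the later hunks of this file. A short Javadoc such as `/** Authorization succeeds for a subject holding a role granted on the method. */` would also help, since the method has none.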
@@ -108,6 +148,47 @@
assertFalse("InvalidAuthz", result);
}
+ /**
+ * Test that authorization fails when the subject has wrong role
+ * @throws Exception
+ */
+ public void testInvalidAuthorizationWithEJBResource() throws Exception
+ {
+ Principal ejbPrincipal = new SimplePrincipal("AuthenticatedPrincipal");
+ Subject callerSubject = new Subject();
+ callerSubject.getPrincipals().add(ejbPrincipal);
+
+ RoleGroup roleGroup = SecurityTestUtil.getRoleGroup(new String[]{"villain"});
+
+ //Add good roles to the context
+ sc.getUtil().setRoles(roleGroup);
+
+ EJBResource ejbResource = new EJBResource( new HashMap<String, Object>());
+ ejbResource.setEjbName( "TestEJB" );
+ ejbResource.setEjbMethod( DummyClass.class.getMethod("someMethod", new Class[0]) );
+ ejbResource.setPrincipal(ejbPrincipal);
+ ejbResource.setEjbMethodInterface( "void someMethod" );
+ ejbResource.setCodeSource(this.getClass().getProtectionDomain().getCodeSource() );
+ ejbResource.setCallerSubject(callerSubject);
+ ejbResource.setCallerRunAsIdentity( null );
+ ejbResource.setPolicyContextID( "ejb.jar" );
+ ejbResource.setEjbMethodRoles(methodRoleGroup);
+
+ boolean result = eah.authorize( ejbResource );
+
+ /*boolean result = eah.authorize("TestEJB",
+ DummyClass.class.getMethod("someMethod", new Class[0]),
+ ejbPrincipal,
+ "void someMethod",
+ this.getClass().getProtectionDomain().getCodeSource(),
+ callerSubject,
+ null,
+ "ejb.jar",
+ methodRoleGroup);*/
+
+ assertFalse("InvalidAuthz", result);
+ }
+
public void testRequiredParameters() throws Exception
{
Principal ejbPrincipal = new SimplePrincipal("AuthenticatedPrincipal");
@@ -138,6 +219,51 @@
}
}
+ public void testRequiredParametersWithEJBResource() throws Exception
+ {
+ Principal ejbPrincipal = new SimplePrincipal("AuthenticatedPrincipal");
+ Subject callerSubject = new Subject();
+ callerSubject.getPrincipals().add(ejbPrincipal);
+
+ RoleGroup roleGroup = SecurityTestUtil.getRoleGroup(new String[]{"villain"});
+
+ CodeSource cs = this.getClass().getProtectionDomain().getCodeSource();
+ //Add good roles to the context
+ sc.getUtil().setRoles(roleGroup);
+
+ EJBResource ejbResource = new EJBResource( new HashMap<String, Object>() );
+ ejbResource.setEjbName( "TestEJB" );
+ ejbResource.setEjbMethod( DummyClass.class.getMethod("someMethod", new Class[0]) );
+ ejbResource.setPrincipal( ejbPrincipal );
+ ejbResource.setEjbMethodInterface( "void someMethod" );
+ ejbResource.setCodeSource( cs );
+ ejbResource.setPolicyContextID( "ejb.jar" );
+ ejbResource.setEjbMethodRoles( methodRoleGroup );
+
+ //The following two conditions should throw an IllegalArgumentException
+ ejbResource.setCallerRunAsIdentity( null );
+ ejbResource.setCallerSubject( null );
+
+ try
+ {
+ eah.authorize( ejbResource );
+ /*eah.authorize("TestEJB",
+ DummyClass.class.getMethod("someMethod", new Class[0]),
+ ejbPrincipal,
+ "void someMethod",
+ this.getClass().getProtectionDomain().getCodeSource(),
+ null,
+ null,
+ "ejb.jar",
+ methodRoleGroup);*/
+ fail("Either subject or caller runas needs to be passed");
+ }
+ catch( MissingArgumentsException iae)
+ {
+ //pass
+ }
+ }
+
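Review bot: The comment at L653 says the two null settings `should throw an IllegalArgumentException`, while the catch at L671 is for `MissingArgumentsException` and the variable is named `iae`; the comment and name should follow the exception actually expected, e.g. `//Both caller identities null: authorize must throw MissingArgumentsException` and `catch (MissingArgumentsException expected)`. Asserting on the message (`"Either callerSubject or callerRunAs should be non-null"` is what `validateEJBResource` throws) would pin that the failure comes from the intended check rather than an earlier one.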
/**
* Dummy Class just to get a Method instance
* by calling DummyClass.class.getMethod()
Modified: trunk/security-spi/authorization/src/main/java/org/jboss/security/authorization/Resource.java
===================================================================
--- trunk/security-spi/authorization/src/main/java/org/jboss/security/authorization/Resource.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-spi/authorization/src/main/java/org/jboss/security/authorization/Resource.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -38,4 +38,11 @@
//Return the contextual map
public Map<String,Object> getMap();
-}
+
+ /**
+ * Add key value to context map
+ * @param key
+ * @param value
+ */
+ public void add( String key, Object value );
+}
\ No newline at end of file
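Review bot: Adding `add(String, Object)` to the public `Resource` SPI interface is a source- and binary-incompatible change for every existing implementor outside this tree, which the commit message does not mention; a line in the Javadoc noting when it was introduced would help consumers. The `@param key` and `@param value` tags are empty, and the contract should say how `add` relates to `getMap()` now that production resources return read-only views: e.g. `Add a key/value pair to the context map. Implementations may return a read-only view from {@link #getMap()}, so this is the supported way to mutate the context.` with `@param key the context key` and `@param value the value to associate with the key`.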
Modified: trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/AbstractEJBAuthorizationHelper.java
===================================================================
--- trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/AbstractEJBAuthorizationHelper.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/AbstractEJBAuthorizationHelper.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -29,7 +29,10 @@
import javax.security.auth.Subject;
import org.jboss.security.RunAs;
+import org.jboss.security.authorization.Resource;
import org.jboss.security.identity.RoleGroup;
+import org.jboss.security.javaee.exceptions.MissingArgumentsException;
+import org.jboss.security.javaee.exceptions.WrongEEResourceException;
/**
* EJB Authorization Helper
@@ -53,6 +56,14 @@
* @param ejbVersion
*/
public abstract void setEJBVersion(String ejbVersion);
+
+ /**
+ * Authorize the EJB
+ * @param resource
+ * @return
+ * @throws {@code WrongEEResourceException} if the resource is not EJB resource
+ */
+ public abstract boolean authorize( Resource resource ) throws WrongEEResourceException;
/**
* Authorize the EJB Invocation
@@ -67,7 +78,9 @@
* @param methodRoles
* @return true - subject is authorized
* @throws IllegalStateException Authorization Manager from SecurityContext is null
- * @throws IllegalArgumentException ejbName, ejbMethod, ejbCS, contextID is null
+ * @throws IllegalArgumentException ejbName, ejbMethod, ejbCS or contextID is null
+ * @deprecated
+ * @see #authorize(Resource)
*/
public abstract boolean authorize(String ejbName,
Method ejbMethod,
@@ -88,8 +101,26 @@
* @param contextID
* @param securityRoleRefs
* @return true - caller is in the role
+ * @throws WrongEEResourceException when resource is not EJB Resource
+ * @throws MissingArgumentsException roleName, ejbName or contextID is null
+ */
+ public abstract boolean isCallerInRole( Resource resource, String roleName )
+ throws WrongEEResourceException, MissingArgumentsException;
+
+
+ /**
+ * Check if the caller is in any of the roles
+ * @param roleName
+ * @param ejbName
+ * @param ejbPrincipal
+ * @param callerSubject
+ * @param contextID
+ * @param securityRoleRefs
+ * @return true - caller is in the role
* @throws IllegalStateException Authorization Manager from SecurityContext is null
* @throws IllegalArgumentException roleName, ejbName, contextID is null
+ * @deprecated
+ * @see #isCallerInRole(Resource, String)
*/
public abstract boolean isCallerInRole(String roleName,
String ejbName,
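Review bot: The Javadoc immediately preceding the new `isCallerInRole(Resource, String)` at L742 is the legacy method's block, which starts before this hunk and, judging by the `@param contextID` and `@param securityRoleRefs` lines at L736-L737, documents parameters the new signature does not have, while `@param resource` and `@param roleName` are absent. The block should be rewritten for the new method, e.g. `Check if the caller represented by the resource is in the given role`, `@param resource the EJB resource carrying the caller subject and context`, `@param roleName the role to test`. The block added at L746-L754 for the legacy overload is fine as is.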
@@ -112,6 +143,8 @@
* @return true - caller is in the role
* @throws IllegalStateException Authorization Manager from SecurityContext is null
* @throws IllegalArgumentException roleName, ejbName, contextID is null
+ * @deprecated
+ * @see #isCallerInRole(Resource, String)
*/
public abstract boolean isCallerInRole(String roleName,
String ejbName,
Modified: trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/AbstractJavaEEHelper.java
===================================================================
--- trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/AbstractJavaEEHelper.java 2010-07-13 20:42:27 UTC (rev 102)
+++ trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/AbstractJavaEEHelper.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -95,11 +95,11 @@
//Authorization Exception stacktrace is huge. Scale it down
//as the original stack trace can be seen in server.log (if needed)
String exceptionMessage = e != null ? e.getLocalizedMessage() : "";
- Map<String,Object> cmap = new HashMap<String,Object>();
- cmap.putAll(resource.getMap());
- cmap.put("Resource:", resource.toString());
- cmap.put("Exception:", exceptionMessage);
- audit(level,cmap,null);
+ Map<String,Object> auditContextMap = new HashMap<String,Object>();
+ auditContextMap.putAll(resource.getMap());
+ auditContextMap.put("Resource:", resource.toString());
+ auditContextMap.put("Exception:", exceptionMessage);
+ audit(level,auditContextMap,null);
}
protected void audit(String level,
Added: trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/exceptions/MissingArgumentsException.java
===================================================================
--- trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/exceptions/MissingArgumentsException.java (rev 0)
+++ trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/exceptions/MissingArgumentsException.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -0,0 +1,52 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.javaee.exceptions;
+
+/**
+ * An exception indicating there are missing arguments
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 12, 2010
+ */
+public class MissingArgumentsException extends IllegalArgumentException
+{
+ private static final long serialVersionUID = 1L;
+
+ public MissingArgumentsException()
+ {
+ super();
+ }
+
+ public MissingArgumentsException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+
+ public MissingArgumentsException(String s)
+ {
+ super(s);
+ }
+
+ public MissingArgumentsException(Throwable cause)
+ {
+ super(cause);
+ }
+}
\ No newline at end of file
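Review bot: `MissingArgumentsException` extends `IllegalArgumentException` (unchecked) while its sibling `WrongEEResourceException` in the next file extends `GeneralSecurityException` (checked), so listing it in `throws` clauses across this commit is informational only and the compiler will not make callers handle it; if that asymmetry is deliberate, the class Javadoc should say so, e.g. `Unchecked; signals a caller programming error rather than a recoverable security condition.` The license header says Copyright 2008 while `@since` is Aug 12, 2010; for a newly added file the copyright year presumably should match.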
Added: trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/exceptions/WrongEEResourceException.java
===================================================================
--- trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/exceptions/WrongEEResourceException.java (rev 0)
+++ trunk/security-spi/spi/src/main/java/org/jboss/security/javaee/exceptions/WrongEEResourceException.java 2010-08-12 15:51:40 UTC (rev 103)
@@ -0,0 +1,54 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.jboss.security.javaee.exceptions;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * A security exception to indicate the wrong type of EE resource
+ * @author Anil.Saldhana at redhat.com
+ * @since Aug 11, 2010
+ */
+public class WrongEEResourceException extends GeneralSecurityException
+{
+ private static final long serialVersionUID = 1L;
+
+ public WrongEEResourceException()
+ {
+ super();
+ }
+
+ public WrongEEResourceException(String message, Throwable cause)
+ {
+ super(message, cause);
+ }
+
+ public WrongEEResourceException(String msg)
+ {
+ super(msg);
+ }
+
+ public WrongEEResourceException(Throwable cause)
+ {
+ super(cause);
+ }
+}
\ No newline at end of file