package mx4j.server.interceptor;

import java.security.AccessControlException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.util.ArrayList;

import javax.management.Attribute;
import javax.management.AttributeList;
import javax.management.AttributeNotFoundException;
import javax.management.InvalidAttributeValueException;
import javax.management.ListenerNotFoundException;
import javax.management.MBeanException;
import javax.management.MBeanInfo;
import javax.management.MBeanRegistrationException;
import javax.management.NotificationFilter;
import javax.management.NotificationListener;
import javax.management.ObjectName;
import javax.management.ReflectionException;
import javax.management.MBeanPermission;

import mx4j.server.MBeanMetaData;
import javax.management.MBeanTrustPermission;

/**
 * Interceptor that runs a JMX permission check in front of every operation and
 * then hands the call to the superclass implementation.
 * <p>
 * Every check in this class is conditional on {@link System#getSecurityManager()}
 * returning a non-null manager. When no SecurityManager is installed, all methods
 * delegate without any authorization check, so this interceptor enforces nothing
 * on its own in such a JVM (this includes recent JDK releases where the Security
 * Manager is disabled). Deployments that rely on it should verify that a
 * SecurityManager and a matching policy are actually in effect.
 */
public class SecurityMBeanServerInterceptor extends DefaultMBeanServerInterceptor implements SecurityMBeanServerInterceptorMBean
{
   /**
    * @return the fixed type name of this interceptor, {@code "security"}
    */
   public String getType()
   {
      return "security";
   }

   /**
    * @return always {@code true}; this implementation offers no way to switch itself off
    */
   public boolean isEnabled()
   {
      return true;
   }

   /**
    * Requires {@code MBeanPermission} with action {@code addNotificationListener}
    * on the target MBean, then delegates to the superclass.
    */
   public void addNotificationListener(MBeanMetaData metadata, NotificationListener listener, NotificationFilter filter, Object handback)
   {
      String mbeanClass = metadata.getMBeanInfo().getClassName();
      ObjectName mbeanName = metadata.getObjectName();
      checkPermission(mbeanClass, null, mbeanName, "addNotificationListener");
      super.addNotificationListener(metadata, listener, filter, handback);
   }

   /**
    * Requires {@code MBeanPermission} with action {@code removeNotificationListener}
    * on the target MBean, then delegates to the superclass.
    */
   public void removeNotificationListener(MBeanMetaData metadata, NotificationListener listener) throws ListenerNotFoundException
   {
      String mbeanClass = metadata.getMBeanInfo().getClassName();
      ObjectName mbeanName = metadata.getObjectName();
      checkPermission(mbeanClass, null, mbeanName, "removeNotificationListener");
      super.removeNotificationListener(metadata, listener);
   }

   /**
    * Same check as the two-argument overload, applied to the removal of one
    * specific listener/filter/handback registration.
    */
   public void removeNotificationListener(MBeanMetaData metadata, NotificationListener listener, NotificationFilter filter, Object handback) throws ListenerNotFoundException
   {
      String mbeanClass = metadata.getMBeanInfo().getClassName();
      ObjectName mbeanName = metadata.getObjectName();
      checkPermission(mbeanClass, null, mbeanName, "removeNotificationListener");
      super.removeNotificationListener(metadata, listener, filter, handback);
   }

   /**
    * Requires {@code MBeanPermission} with action {@code instantiate}. Unlike the
    * other operations, the class name checked is the {@code className} argument,
    * not the class name taken from the metadata's MBeanInfo.
    */
   public void instantiate(MBeanMetaData metadata, String className, String[] params, Object[] args) throws ReflectionException, MBeanException
   {
      ObjectName mbeanName = metadata.getObjectName();
      checkPermission(className, null, mbeanName, "instantiate");
      super.instantiate(metadata, className, params, args);
   }

   /**
    * Requires {@code MBeanPermission} with action {@code getMBeanInfo} before
    * returning the MBeanInfo produced by the superclass.
    */
   public MBeanInfo getMBeanInfo(MBeanMetaData metadata)
   {
      String mbeanClass = metadata.getMBeanInfo().getClassName();
      ObjectName mbeanName = metadata.getObjectName();
      checkPermission(mbeanClass, null, mbeanName, "getMBeanInfo");
      return super.getMBeanInfo(metadata);
   }

   /**
    * Requires {@code MBeanPermission} with action {@code invoke}, using the
    * operation name as the permission's member, then delegates the invocation.
    */
   public Object invoke(MBeanMetaData metadata, String method, String[] params, Object[] args) throws MBeanException, ReflectionException
   {
      String mbeanClass = metadata.getMBeanInfo().getClassName();
      ObjectName mbeanName = metadata.getObjectName();
      checkPermission(mbeanClass, method, mbeanName, "invoke");
      return super.invoke(metadata, method, params, args);
   }

   /**
    * Reads only those attributes the caller is permitted to read. Names that
    * fail the per-attribute {@code getAttribute} check are dropped from the
    * request before it reaches the superclass; no exception is raised for them.
    */
   public AttributeList getAttributes(MBeanMetaData metadata, String[] attributes)
   {
      // NOTE(review): the javax.management.MBeanServer documentation also describes a
      // getAttribute check with a null attribute name ahead of the per-attribute
      // filtering; no such check is made here - confirm whether that is intended.
      Object[] permitted = filterAttributes(metadata.getMBeanInfo().getClassName(), metadata.getObjectName(), attributes, true);
      String[] names = new String[permitted.length];
      // Every element originates from the String[] argument, so this copy is the
      // element-by-element narrowing from Object to String.
      System.arraycopy(permitted, 0, names, 0, names.length);
      return super.getAttributes(metadata, names);
   }

   /**
    * Writes only those attributes the caller is permitted to write. Attributes
    * that fail the per-attribute {@code setAttribute} check are dropped from the
    * list before it reaches the superclass; no exception is raised for them.
    */
   public AttributeList setAttributes(MBeanMetaData metadata, AttributeList attributes)
   {
      // NOTE(review): as with getAttributes, there is no up-front check with a null
      // attribute name - confirm against the MBeanServer security contract.
      Object[] permitted = filterAttributes(metadata.getMBeanInfo().getClassName(), metadata.getObjectName(), attributes.toArray(), false);
      AttributeList accepted = new AttributeList();
      int index = 0;
      while (index < permitted.length)
      {
         accepted.add(permitted[index]);
         ++index;
      }
      return super.setAttributes(metadata, accepted);
   }

   /**
    * Requires {@code MBeanPermission} with action {@code getAttribute} for the
    * named attribute, then delegates the read.
    */
   public Object getAttribute(MBeanMetaData metadata, String attribute) throws MBeanException, AttributeNotFoundException, ReflectionException
   {
      String mbeanClass = metadata.getMBeanInfo().getClassName();
      ObjectName mbeanName = metadata.getObjectName();
      checkPermission(mbeanClass, attribute, mbeanName, "getAttribute");
      return super.getAttribute(metadata, attribute);
   }

   /**
    * Requires {@code MBeanPermission} with action {@code setAttribute} for the
    * attribute's name, then delegates the write.
    */
   public void setAttribute(MBeanMetaData metadata, Attribute attribute) throws MBeanException, AttributeNotFoundException, InvalidAttributeValueException, ReflectionException
   {
      String mbeanClass = metadata.getMBeanInfo().getClassName();
      String attributeName = attribute.getName();
      ObjectName mbeanName = metadata.getObjectName();
      checkPermission(mbeanClass, attributeName, mbeanName, "setAttribute");
      super.setAttribute(metadata, attribute);
   }

   /**
    * Applies the registration-phase checks and then delegates to the superclass.
    * <ul>
    * <li>{@code PRE_REGISTER}: {@code registerMBean} permission, plus the
    * {@code MBeanTrustPermission("register")} check on the MBean's class.</li>
    * <li>{@code POST_REGISTER_TRUE}: {@code registerMBean} permission again.</li>
    * <li>{@code PRE_DEREGISTER}: {@code unregisterMBean} permission.</li>
    * <li>any other phase: no check.</li>
    * </ul>
    */
   public void registration(MBeanMetaData metadata, int operation) throws MBeanRegistrationException
   {
      if (operation == PRE_REGISTER)
      {
         checkPermission(metadata.getMBeanInfo().getClassName(), null, metadata.getObjectName(), "registerMBean");
         checkTrustRegistration(metadata.getMBean().getClass());
      }
      else if (operation == POST_REGISTER_TRUE)
      {
         // The permission is evaluated a second time with whatever ObjectName the
         // metadata carries at this point.
         // NOTE(review): presumably because the name can change during
         // pre-registration - confirm against the caller.
         checkPermission(metadata.getMBeanInfo().getClassName(), null, metadata.getObjectName(), "registerMBean");
      }
      else if (operation == PRE_DEREGISTER)
      {
         checkPermission(metadata.getMBeanInfo().getClassName(), null, metadata.getObjectName(), "unregisterMBean");
      }
      super.registration(metadata, operation);
   }

   /**
    * Asks the installed SecurityManager, if any, to check an {@code MBeanPermission}
    * built from the given parts. With no SecurityManager this is a no-op.
    *
    * @throws SecurityException if the SecurityManager rejects the permission
    */
   private void checkPermission(String className, String methodName, ObjectName objectname, String action)
   {
      SecurityManager manager = System.getSecurityManager();
      if (manager == null) return;
      manager.checkPermission(new MBeanPermission(className, methodName, objectname, action));
   }

   /**
    * Verifies that the protection domain of the MBean's class implies
    * {@code MBeanTrustPermission("register")}. The decision is based on where the
    * class was loaded from, not on the caller's own permissions. With no
    * SecurityManager this is a no-op.
    *
    * @throws AccessControlException if the class's domain does not imply the permission
    */
   private void checkTrustRegistration(final Class cls)
   {
      if (System.getSecurityManager() == null) return;

      // Reading a class's ProtectionDomain is itself a guarded operation, so it is
      // done with this code's own privileges rather than the caller's.
      PrivilegedAction domainLookup = new PrivilegedAction()
      {
         public Object run()
         {
            return cls.getProtectionDomain();
         }
      };
      ProtectionDomain domain = (ProtectionDomain)AccessController.doPrivileged(domainLookup);

      MBeanTrustPermission permission = new MBeanTrustPermission("register");
      if (domain.implies(permission)) return;

      throw new AccessControlException("Access denied " + permission + ": MBean class " + cls.getName() + " is not trusted for registration");
   }

   /**
    * Returns the subset of {@code attributes} that passes the per-attribute
    * permission check, in the original order.
    *
    * @param attributes attribute names (String) when {@code isGet} is true,
    *                   {@link Attribute} instances otherwise
    * @param isGet      selects the {@code getAttribute} or {@code setAttribute} action
    * @return the input array itself when no SecurityManager is installed,
    *         otherwise a new array holding only the permitted entries
    */
   private Object[] filterAttributes(String className, ObjectName objectName, Object[] attributes, boolean isGet)
   {
      if (System.getSecurityManager() == null) return attributes;

      String action = isGet ? "getAttribute" : "setAttribute";
      ArrayList permitted = new ArrayList();

      for (int i = 0; i < attributes.length; ++i)
      {
         Object candidate = attributes[i];
         String name;
         if (isGet)
         {
            name = (String)candidate;
         }
         else
         {
            name = ((Attribute)candidate).getName();
         }

         try
         {
            checkPermission(className, name, objectName, action);
         }
         catch (SecurityException denied)
         {
            // Deliberate: a denied attribute is left out of the result instead of
            // failing the whole request. Nothing is logged here, so the denial
            // leaves no trace at this layer and the caller cannot tell a denied
            // attribute from one that was never requested.
            continue;
         }
         permitted.add(candidate);
      }

      return permitted.toArray();
   }
}