RoleBasedAuthorizationInterceptor


1   /*
2     * JBoss, Home of Professional Open Source
3     * Copyright 2005, JBoss Inc., and individual contributors as indicated
4     * by the @authors tag. See the copyright.txt in the distribution for a
5     * full listing of individual contributors.
6     *
7     * This is free software; you can redistribute it and/or modify it
8     * under the terms of the GNU Lesser General Public License as
9     * published by the Free Software Foundation; either version 2.1 of
10    * the License, or (at your option) any later version.
11    *
12    * This software is distributed in the hope that it will be useful,
13    * but WITHOUT ANY WARRANTY; without even the implied warranty of
14    * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15    * Lesser General Public License for more details.
16    *
17    * You should have received a copy of the GNU Lesser General Public
18    * License along with this software; if not, write to the Free
19    * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20    * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21    */
22  package org.jboss.aspects.security;
23  
24  import org.jboss.aop.joinpoint.Invocation;
25  import org.jboss.logging.Logger;
26  import org.jboss.security.AnybodyPrincipal;
27  import org.jboss.security.AuthenticationManager;
28  import org.jboss.security.NobodyPrincipal;
29  import org.jboss.security.RealmMapping;
30  import org.jboss.security.RunAsIdentity;
31  import org.jboss.security.SimplePrincipal;
32  
33  import java.security.Principal  ;
34  import java.util.HashSet  ;
35  import java.util.Set  ;
36  
37  /**
38   * The RoleBasedAuthorizationInterceptor checks that the caller principal is
39   * authorized to call a method by verifing that it contains at least one
40   * of the required roled.
41   *
42   * @author <a HREF="bill@jboss.org">Bill Burke</a>
43   * @author <a HREF="on@ibis.odessa.ua">Oleg Nitz</a>
44   * @author <a HREF="mailto:Scott.Stark@jboss.org">Scott Stark</a>.
45   * @author <a HREF="mailto:dain@daingroup.com">Dain Sundstrom</a>.
46   * @version $Revision: 46061 $
47   */
48  public class RoleBasedAuthorizationInterceptor implements org.jboss.aop.advice.Interceptor
49  {
50     protected Logger log = Logger.getLogger(this.getClass());
51     protected AuthenticationManager securityManager;
52     protected RealmMapping realmMapping;
53  
54     public RoleBasedAuthorizationInterceptor(AuthenticationManager manager, RealmMapping realmMapping)
55     {
56        this.securityManager = manager;
57        this.realmMapping = realmMapping;
58     }
59  
60     public String   getName()
61     {
62        return "RoleBasedAuthorizationInterceptor";
63     }
64  
65     protected Set   getRoleSet(Invocation invocation)
66     {
67        Set   roles = (Set  ) invocation.getMetaData("security", "roles");
68        if (roles == null) roles = getAnnotationRoleSet(invocation);
69        return roles;
70  
71     }
72  
73     protected Set   getAnnotationRoleSet(Invocation invocation)
74     {
75        HashSet   set = new HashSet  ();
76        Exclude exclude = (Exclude) invocation.resolveAnnotation(Exclude.class);
77        if (exclude != null)
78        {
79           set.add(NobodyPrincipal.NOBODY_PRINCIPAL);
80           return set;
81        }
82        Unchecked unchecked = (Unchecked) invocation.resolveAnnotation(Unchecked.class);
83        if (unchecked != null)
84        {
85           set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
86           return set;
87        }
88        Permissions permissions = (Permissions) invocation.resolveAnnotation(Permissions.class);
89        if (permissions == null)
90        {
91           // Default behavior is unchecked
92           set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
93           return set;
94        }
95        for (int i = 0; i < permissions.value().length; i++)
96        {
97           set.add(new SimplePrincipal(permissions.value()[i]));
98        }
99        return set;
100    }
101    
102    /**
103     * Check if the principal is authorized to call the method by verifying that
104     * the it containes at least one of the required roles.
105     */
106    public Object   invoke(Invocation invocation) throws Throwable  
107    {
108       // If there is not a security manager then there is no authorization
109       // required
110       if (securityManager == null)
111       {
112          return invocation.invokeNext();
113       }
114 
115       if (realmMapping == null)
116       {
117          throw new SecurityException  ("Role mapping manager has not been set");
118       }
119 
120       Set   roles = getRoleSet(invocation);
121       if (roles == null)
122       {
123          /*
124            REVISIT: for better message
125          String message = "No method permissions assigned. to " +
126                "method=" + invocation.getMethod().getName() +
127                ", interface=" + invocation.getType();
128          */
129          String   message = "No method permissions assigned.";
130          log.error(message);
131          throw new SecurityException  (message);
132       }
133 
134       // Check if the caller is allowed to access the method
135       RunAsIdentity callerRunAsIdentity = SecurityActions.peekRunAsIdentity();
136       if (roles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false)
137       {
138          // The caller is using a the caller identity
139          if (callerRunAsIdentity == null)
140          {
141             Principal principal = SecurityActions.getPrincipal();
142             // Now actually check if the current caller has one of the required method roles
143             if (realmMapping.doesUserHaveRole(principal, roles) == false)
144             {
145                Set   userRoles = realmMapping.getUserRoles(principal);
146                String   msg = "Insufficient permissions, principal=" + principal
147                + ", requiredRoles=" + roles + ", principalRoles=" + userRoles;
148                log.error(msg);
149                throw new SecurityException  (msg);
150             }
151          }
152 
153          // The caller is using a run-as identity
154          else
155          {
156             // Check that the run-as role is in the set of method roles
157             if (callerRunAsIdentity.doesUserHaveRole(roles) == false)
158             {
159                String   msg = "Insufficient permissions, runAsPrincipal=" + callerRunAsIdentity.getName()
160                + ", requiredRoles=" + roles + ", runAsRoles=" + callerRunAsIdentity.getRunAsRoles();
161                log.error(msg);
162                throw new SecurityException  (msg);
163             }
164          }
165       }
166       return invocation.invokeNext();
167    }
168 
169 }
170
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags