KickJava   Java API By Example, From Geeks To Geeks.

Java > Open Source Codes > org > jboss > aspects > security > RoleBasedAuthorizationInterceptor


1 /*
2   * JBoss, Home of Professional Open Source
3   * Copyright 2005, JBoss Inc., and individual contributors as indicated
4   * by the @authors tag. See the copyright.txt in the distribution for a
5   * full listing of individual contributors.
6   *
7   * This is free software; you can redistribute it and/or modify it
8   * under the terms of the GNU Lesser General Public License as
9   * published by the Free Software Foundation; either version 2.1 of
10   * the License, or (at your option) any later version.
11   *
12   * This software is distributed in the hope that it will be useful,
13   * but WITHOUT ANY WARRANTY; without even the implied warranty of
14   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15   * Lesser General Public License for more details.
16   *
17   * You should have received a copy of the GNU Lesser General Public
18   * License along with this software; if not, write to the Free
19   * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20   * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21   */

22 package org.jboss.aspects.security;
23
24 import org.jboss.aop.joinpoint.Invocation;
25 import org.jboss.logging.Logger;
26 import org.jboss.security.AnybodyPrincipal;
27 import org.jboss.security.AuthenticationManager;
28 import org.jboss.security.NobodyPrincipal;
29 import org.jboss.security.RealmMapping;
30 import org.jboss.security.RunAsIdentity;
31 import org.jboss.security.SimplePrincipal;
32
33 import java.security.Principal JavaDoc;
34 import java.util.HashSet JavaDoc;
35 import java.util.Set JavaDoc;
36
37 /**
38  * The RoleBasedAuthorizationInterceptor checks that the caller principal is
39  * authorized to call a method by verifing that it contains at least one
40  * of the required roled.
41  *
42  * @author <a HREF="bill@jboss.org">Bill Burke</a>
43  * @author <a HREF="on@ibis.odessa.ua">Oleg Nitz</a>
44  * @author <a HREF="mailto:Scott.Stark@jboss.org">Scott Stark</a>.
45  * @author <a HREF="mailto:dain@daingroup.com">Dain Sundstrom</a>.
46  * @version $Revision: 46061 $
47  */

48 public class RoleBasedAuthorizationInterceptor implements org.jboss.aop.advice.Interceptor
49 {
50    protected Logger log = Logger.getLogger(this.getClass());
51    protected AuthenticationManager securityManager;
52    protected RealmMapping realmMapping;
53
54    public RoleBasedAuthorizationInterceptor(AuthenticationManager manager, RealmMapping realmMapping)
55    {
56       this.securityManager = manager;
57       this.realmMapping = realmMapping;
58    }
59
60    public String JavaDoc getName()
61    {
62       return "RoleBasedAuthorizationInterceptor";
63    }
64
65    protected Set JavaDoc getRoleSet(Invocation invocation)
66    {
67       Set JavaDoc roles = (Set JavaDoc) invocation.getMetaData("security", "roles");
68       if (roles == null) roles = getAnnotationRoleSet(invocation);
69       return roles;
70
71    }
72
73    protected Set JavaDoc getAnnotationRoleSet(Invocation invocation)
74    {
75       HashSet JavaDoc set = new HashSet JavaDoc();
76       Exclude exclude = (Exclude) invocation.resolveAnnotation(Exclude.class);
77       if (exclude != null)
78       {
79          set.add(NobodyPrincipal.NOBODY_PRINCIPAL);
80          return set;
81       }
82       Unchecked unchecked = (Unchecked) invocation.resolveAnnotation(Unchecked.class);
83       if (unchecked != null)
84       {
85          set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
86          return set;
87       }
88       Permissions permissions = (Permissions) invocation.resolveAnnotation(Permissions.class);
89       if (permissions == null)
90       {
91          // Default behavior is unchecked
92
set.add(AnybodyPrincipal.ANYBODY_PRINCIPAL);
93          return set;
94       }
95       for (int i = 0; i < permissions.value().length; i++)
96       {
97          set.add(new SimplePrincipal(permissions.value()[i]));
98       }
99       return set;
100    }
101    
102    /**
103     * Check if the principal is authorized to call the method by verifying that
104     * the it containes at least one of the required roles.
105     */

106    public Object JavaDoc invoke(Invocation invocation) throws Throwable JavaDoc
107    {
108       // If there is not a security manager then there is no authorization
109
// required
110
if (securityManager == null)
111       {
112          return invocation.invokeNext();
113       }
114
115       if (realmMapping == null)
116       {
117          throw new SecurityException JavaDoc("Role mapping manager has not been set");
118       }
119
120       Set JavaDoc roles = getRoleSet(invocation);
121       if (roles == null)
122       {
123          /*
124            REVISIT: for better message
125          String message = "No method permissions assigned. to " +
126                "method=" + invocation.getMethod().getName() +
127                ", interface=" + invocation.getType();
128          */

129          String JavaDoc message = "No method permissions assigned.";
130          log.error(message);
131          throw new SecurityException JavaDoc(message);
132       }
133
134       // Check if the caller is allowed to access the method
135
RunAsIdentity callerRunAsIdentity = SecurityActions.peekRunAsIdentity();
136       if (roles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false)
137       {
138          // The caller is using a the caller identity
139
if (callerRunAsIdentity == null)
140          {
141             Principal principal = SecurityActions.getPrincipal();
142             // Now actually check if the current caller has one of the required method roles
143
if (realmMapping.doesUserHaveRole(principal, roles) == false)
144             {
145                Set JavaDoc userRoles = realmMapping.getUserRoles(principal);
146                String JavaDoc msg = "Insufficient permissions, principal=" + principal
147                + ", requiredRoles=" + roles + ", principalRoles=" + userRoles;
148                log.error(msg);
149                throw new SecurityException JavaDoc(msg);
150             }
151          }
152
153          // The caller is using a run-as identity
154
else
155          {
156             // Check that the run-as role is in the set of method roles
157
if (callerRunAsIdentity.doesUserHaveRole(roles) == false)
158             {
159                String JavaDoc msg = "Insufficient permissions, runAsPrincipal=" + callerRunAsIdentity.getName()
160                + ", requiredRoles=" + roles + ", runAsRoles=" + callerRunAsIdentity.getRunAsRoles();
161                log.error(msg);
162                throw new SecurityException JavaDoc(msg);
163             }
164          }
165       }
166       return invocation.invokeNext();
167    }
168
169 }
170
Popular Tags