JaasAuthenticationInterceptor


1   /*
2   * JBoss, Home of Professional Open Source
3   * Copyright 2005, JBoss Inc., and individual contributors as indicated
4   * by the @authors tag. See the copyright.txt in the distribution for a
5   * full listing of individual contributors.
6   *
7   * This is free software; you can redistribute it and/or modify it
8   * under the terms of the GNU Lesser General Public License as
9   * published by the Free Software Foundation; either version 2.1 of
10  * the License, or (at your option) any later version.
11  *
12  * This software is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this software; if not, write to the Free
19  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21  */
22  package org.jboss.ejb.plugins;
23  
24  import java.security.Principal  ;
25  import java.util.Map  ;
26  import java.util.Set  ;
27  import java.lang.reflect.Method  ;
28  import javax.security.auth.Subject  ;
29  import javax.ejb.TimedObject  ;
30  import javax.ejb.Timer  ;
31  
32  import org.jboss.ejb.Container;
33  import org.jboss.invocation.Invocation;
34  import org.jboss.invocation.PayloadKey;
35  import org.jboss.metadata.ApplicationMetaData;
36  import org.jboss.metadata.AssemblyDescriptorMetaData;
37  import org.jboss.metadata.BeanMetaData;
38  import org.jboss.metadata.SecurityIdentityMetaData;
39  import org.jboss.security.AuthenticationManager;
40  import org.jboss.security.RunAsIdentity;
41  import org.jboss.security.SecurityRolesAssociation;
42  import org.jboss.security.SecurityAssociation;
43  
44  /** This interceptor is where the EJB 2.1 authentication is performed
45   * along with the run-as identity establishment. 
46   *
47   * @author <a HREF="mailto:Scott.Stark@jboss.org">Scott Stark</a>.
48   * @author <a HREF="mailto:Thomas.Diesler@jboss.org">Thomas Diesler</a>.
49   * @version $Revision: 37459 $
50   */
51  public class JaasAuthenticationInterceptor extends AbstractInterceptor
52  {
53     /** The security domain authentication service
54      */
55     protected AuthenticationManager securityManager;
56     
57     /** A static map of SecurityRolesMetaData from jboss.xml */
58     protected Map   securityRoles;
59     /** The run-as identity for the ejb from ejb-jar.xml */
60     protected RunAsIdentity runAsIdentity;
61     /** The TimedObject.ejbTimeout callback */
62     protected Method   ejbTimeout;
63  
64     /** Called by the super class to set the container to which this interceptor
65      belongs. We obtain the security manager and runAs identity to use here.
66      */
67     public void setContainer(Container container)
68     {
69        super.setContainer(container);
70        if (container != null)
71        {
72           BeanMetaData beanMetaData = container.getBeanMetaData();
73           ApplicationMetaData applicationMetaData = beanMetaData.getApplicationMetaData();
74           AssemblyDescriptorMetaData assemblyDescriptor = applicationMetaData.getAssemblyDescriptor();
75  
76           SecurityIdentityMetaData secMetaData = beanMetaData.getSecurityIdentityMetaData();
77           if (secMetaData != null && secMetaData.getUseCallerIdentity() == false)
78           {
79              String   roleName = secMetaData.getRunAsRoleName();
80              String   principalName = secMetaData.getRunAsPrincipalName();
81  
82              // the run-as principal might have extra roles mapped in the assembly-descriptor
83              Set   extraRoleNames = assemblyDescriptor.getSecurityRoleNamesByPrincipal(principalName);
84              runAsIdentity = new RunAsIdentity(roleName, principalName, extraRoleNames);
85           }
86  
87           securityManager = container.getSecurityManager();
88           try
89           {
90              // Get the timeout method
91              ejbTimeout = TimedObject  .class.getMethod("ejbTimeout", new Class  []{Timer  .class});
92           }
93           catch (NoSuchMethodException   ignore)
94           {
95           }
96        }
97     }
98  
99     // Container implementation --------------------------------------
100    public void start() throws Exception  
101    {
102       super.start();
103    }
104 
105    public Object   invokeHome(Invocation mi) throws Exception  
106    {
107       // Authenticate the subject and apply any declarative security checks
108       checkSecurityAssociation(mi);
109 
110       /* If a run-as role was specified, push it so that any calls made
111        by this bean will have the runAsRole available for declarative
112        security checks.
113       */
114       SecurityActions.pushRunAsIdentity(runAsIdentity);
115 
116       try
117       {
118          Object   returnValue = getNext().invokeHome(mi);
119          return returnValue;
120       }
121       finally
122       {
123          SecurityActions.popRunAsIdentity();
124          SecurityActions.popSubjectContext();
125       }
126    }
127 
128    public Object   invoke(Invocation mi) throws Exception  
129    {
130       // Authenticate the subject and apply any declarative security checks
131       checkSecurityAssociation(mi);
132 
133       // Save any existing caller run-as in the invocation for other interceptors
134       RunAsIdentity callerRunAsIdentity = SecurityActions.peekRunAsIdentity();
135       if( callerRunAsIdentity != null )
136          mi.setValue("RunAsIdentity", callerRunAsIdentity, PayloadKey.TRANSIENT);
137 
138       /* If a run-as role was specified, push it so that any calls made
139        by this bean will have the runAsRole available for declarative
140        security checks.
141       */
142       SecurityActions.pushRunAsIdentity(runAsIdentity);
143 
144       try
145       {
146          Object   returnValue = getNext().invoke(mi);
147          return returnValue;
148       }
149       finally
150       {
151          SecurityActions.popRunAsIdentity();
152          SecurityActions.popSubjectContext();
153       }
154    }
155 
156    /** Authenticate the caller using the principal and credentials in the
157     * Invocation
158     */
159    private void checkSecurityAssociation(Invocation mi)
160       throws Exception  
161    {
162       Principal   principal = mi.getPrincipal();
163       Object   credential = mi.getCredential();
164       boolean trace = log.isTraceEnabled();
165 
166       // If there is not a security manager then there is no authentication required
167       Method   m = mi.getMethod();
168       boolean containerMethod = m == null || m.equals(ejbTimeout);
169       if ( containerMethod == true || securityManager == null || container == null )
170       {
171          // Allow for the progatation of caller info to other beans
172          SecurityActions.pushSubjectContext(principal, credential, null);
173          return;
174       }
175 
176       // Authenticate the caller based on the method invocation credentials
177       RunAsIdentity callerRunAsIdentity = SecurityAssociation.peekRunAsIdentity();
178       if (callerRunAsIdentity == null)
179       {
180          /* This call associates the statically defined roles with the
181          SecurityRolesAssociation thread local for use by 3.2 style of
182          login modules which combined authentication and authorization.
183          */
184          SecurityRolesAssociation.setSecurityRoles(securityRoles);
185          Subject   subject = new Subject  ();
186          if (securityManager.isValid(principal, credential, subject) == false)
187          {
188             // Check for the security association exception
189             Exception   ex = SecurityActions.getContextException();
190             if( ex != null )
191                throw ex;
192             // Else throw a generic SecurityException
193             String   msg = "Authentication exception, principal=" + principal;
194             SecurityException   e = new SecurityException  (msg);
195             throw e;
196          }
197          else
198          {
199             SecurityActions.pushSubjectContext(principal, credential, subject);
200             if (trace)
201             {
202                log.trace("Authenticated  principal=" + principal);
203             }
204          }
205       }
206       else
207       {
208          // Duplicate the current subject context on the stack since
209          SecurityActions.dupSubjectContext();
210       }
211 
212    }
213 }
214
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags