

1 /*
2 * JBoss, Home of Professional Open Source
3 * Copyright 2005, JBoss Inc., and individual contributors as indicated
4 * by the @authors tag. See the copyright.txt in the distribution for a
5 * full listing of individual contributors.
6 *
7 * This is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU Lesser General Public License as
9 * published by the Free Software Foundation; either version 2.1 of
10 * the License, or (at your option) any later version.
11 *
12 * This software is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this software; if not, write to the Free
19 * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20 * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21 */

22 package org.jboss.ejb.plugins;
23
24 import java.lang.reflect.Method JavaDoc;
25 import java.security.CodeSource JavaDoc;
26 import java.security.Policy JavaDoc;
27 import java.security.Principal JavaDoc;
28 import java.security.ProtectionDomain JavaDoc;
29 import java.util.Set JavaDoc;
30 import javax.security.auth.Subject JavaDoc;
31 import javax.security.jacc.EJBMethodPermission JavaDoc;
32
33 import org.jboss.ejb.Container;
34 import org.jboss.invocation.Invocation;
35 import org.jboss.metadata.BeanMetaData;
36
37 /** This interceptor is where the JACC ejb container authorization is performed.
38  *
39  * @author <a HREF="mailto:Scott.Stark@jboss.org">Scott Stark</a>
40  * @author <a HREF="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
41  * @version $Revision: 46072 $
42  */

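public class JaccAuthorizationInterceptor extends AbstractInterceptor
{
   /** Policy provider consulted for every authorization decision. */
   private Policy policy;
   /** EJB name, used as the name of each EJBMethodPermission that is checked. */
   private String ejbName;
   /** CodeSource of the bean class; anchors the per-call ProtectionDomain. */
   private CodeSource ejbCS;

   /**
    * Called by the super class to set the container to which this interceptor
    * belongs. Caches the bean's EJB name and the bean class CodeSource, flags
    * the container as JACC enabled and captures the installed Policy.
    *
    * NOTE(review): the Policy reference is read once here, so a provider
    * installed later through Policy.setPolicy() is not consulted until this
    * method runs again.
    *
    * @param container the owning container; when null only the Policy is refreshed
    */
   public void setContainer(Container container)
   {
      super.setContainer(container);
      if (container != null)
      {
         BeanMetaData beanMetaData = container.getBeanMetaData();
         ejbName = beanMetaData.getEjbName();
         ejbCS = container.getBeanClass().getProtectionDomain().getCodeSource();
         // Set the flag on the container that JACC is enabled
         container.setJaccEnabled(true);
      }
      policy = Policy.getPolicy();
   }

   // Container implementation --------------------------------------

   /** Delegates to the super class; this interceptor has no start-up work of its own. */
   public void start() throws Exception
   {
      super.start();
   }

   /**
    * Authorizes a home interface invocation, then passes it down the chain.
    *
    * @param mi the invocation to authorize
    * @return whatever the next interceptor returns
    * @throws SecurityException if the policy does not grant the method permission
    * @throws Exception anything thrown further down the interceptor chain
    */
   public Object invokeHome(Invocation mi) throws Exception
   {
      // Authorize the call before any downstream interceptor sees it
      checkSecurityAssociation(mi);
      return getNext().invokeHome(mi);
   }

   /**
    * Authorizes a bean invocation, then passes it down the chain.
    *
    * @param mi the invocation to authorize
    * @return whatever the next interceptor returns
    * @throws SecurityException if the policy does not grant the method permission
    * @throws Exception anything thrown further down the interceptor chain
    */
   public Object invoke(Invocation mi) throws Exception
   {
      // Authorize the call before any downstream interceptor sees it
      checkSecurityAssociation(mi);
      return getNext().invoke(mi);
   }

   /**
    * Authorize the caller's access to the method invocation by asking the
    * Policy whether a ProtectionDomain made of the bean CodeSource and the
    * caller's principals implies the EJBMethodPermission for the method.
    *
    * @param mi the invocation being authorized
    * @throws SecurityException if the permission is not implied
    */
   private void checkSecurityAssociation(Invocation mi)
      throws Exception
   {
      Method m = mi.getMethod();
      // Ignore internal container calls.
      // NOTE(review): this path is fail-open - an Invocation without a Method
      // skips the policy check entirely. Presumably only the container creates
      // such invocations; confirm no externally reachable path can.
      if (m == null)
         return;

      String iface = mi.getType().toInterfaceString();
      EJBMethodPermission methodPerm = new EJBMethodPermission(ejbName, iface, m);

      // Get the caller; a null Subject is evaluated with no principals at all
      Subject caller = SecurityActions.getContextSubject();
      Principal[] principals = null;
      if (caller != null)
      {
         Set principalsSet = caller.getPrincipals();
         // Keep the array toArray returns: it is a new, larger array if the set
         // grew after size() was read, and the one passed in would stay empty.
         principals = (Principal[]) principalsSet.toArray(new Principal[principalsSet.size()]);
      }

      ProtectionDomain pd = new ProtectionDomain(ejbCS, null, null, principals);
      if (!policy.implies(pd, methodPerm))
      {
         // Report the principals only. Subject.toString() also renders the
         // Subject's public and private credentials, and this message travels
         // with the exception to wherever it is logged or returned.
         throw new SecurityException("Denied: " + methodPerm + ", caller=" + describeCaller(principals));
      }
   }

   /**
    * Render the caller identity for a denial message without touching the
    * Subject's credential sets.
    *
    * @param principals the caller principals, or null when there is no caller Subject
    * @return "null" for a null array, otherwise the principals as "[p1, p2]"
    */
   private static String describeCaller(Principal[] principals)
   {
      if (principals == null)
         return "null";

      // StringBuffer rather than StringBuilder: the rest of the class uses no
      // Java 5 constructs, so this keeps the same language level.
      StringBuffer text = new StringBuffer("[");
      for (int i = 0; i < principals.length; i++)
      {
         if (i > 0)
            text.append(", ");
         text.append(String.valueOf(principals[i]));
      }
      return text.append(']').toString();
   }
}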