

1 /*
2   * JBoss, Home of Professional Open Source
3   * Copyright 2005, JBoss Inc., and individual contributors as indicated
4   * by the @authors tag. See the copyright.txt in the distribution for a
5   * full listing of individual contributors.
6   *
7   * This is free software; you can redistribute it and/or modify it
8   * under the terms of the GNU Lesser General Public License as
9   * published by the Free Software Foundation; either version 2.1 of
10   * the License, or (at your option) any later version.
11   *
12   * This software is distributed in the hope that it will be useful,
13   * but WITHOUT ANY WARRANTY; without even the implied warranty of
14   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15   * Lesser General Public License for more details.
16   *
17   * You should have received a copy of the GNU Lesser General Public
18   * License along with this software; if not, write to the Free
19   * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20   * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21   */

22 package org.jboss.ejb.plugins;
23
24 import java.lang.reflect.Method JavaDoc;
25 import java.security.CodeSource JavaDoc;
26 import java.util.HashMap JavaDoc;
27  
28 import javax.security.auth.Subject JavaDoc;
29
30 import org.jboss.ejb.Container;
31 import org.jboss.invocation.Invocation;
32 import org.jboss.metadata.BeanMetaData;
33 import org.jboss.mx.util.MBeanProxyExt;
34 import org.jboss.mx.util.MBeanServerLocator;
35 import org.jboss.security.AuthorizationManager;
36 import org.jboss.security.SecurityConstants;
37 import org.jboss.security.Util;
38 import org.jboss.security.authorization.AuthorizationContext;
39 import org.jboss.security.authorization.EJBResource;
40 import org.jboss.security.authorization.ResourceKeys;
41 import org.jboss.security.plugins.AuthorizationManagerServiceMBean;
42
43 //$Id: SecurityAuthorizationInterceptor.java 46508 2006-07-26 02:26:10Z asaldhana $
44

45 /**
46  * Authorization Interceptor that makes use of the Authorization
47  * Framework for access control decisions
48  * @author <a HREF="mailto:Anil.Saldhana@jboss.org">Anil Saldhana</a>
49  * @since Jul 6, 2006
50  * @version $Revision: 46508 $
51  */

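public class SecurityAuthorizationInterceptor extends AbstractInterceptor
{
   /** Whether trace logging was enabled on this interceptor's logger when it was constructed. */
   protected boolean trace = false;
   /** EJB name read from the container's bean metadata in {@link #setContainer(Container)}. */
   protected String ejbName = null;
   /** Code source of the bean class; handed to the authorization manager on every check. */
   protected CodeSource ejbCS = null;
   /** MBean proxy used to look up the authorization manager for a security domain. */
   protected AuthorizationManagerServiceMBean authorizationManagerService = null;
   /** Security domain from the application metadata; when null the fallback domain below is used. */
   protected String appSecurityDomain = null;
   /** Fallback security domain. */
   protected String defaultAuthorizationSecurityDomain = SecurityConstants.DEFAULT_EJB_APPLICATION_POLICY;

   /**
    * Caches the trace flag and creates a proxy to the authorization manager
    * service registered under {@link AuthorizationManagerServiceMBean#OBJECT_NAME}
    * on the MBean server returned by {@code MBeanServerLocator.locateJBoss()}.
    */
   public SecurityAuthorizationInterceptor()
   {
      trace = log.isTraceEnabled();
      authorizationManagerService = (AuthorizationManagerServiceMBean)
         MBeanProxyExt.create(AuthorizationManagerServiceMBean.class,
               AuthorizationManagerServiceMBean.OBJECT_NAME,
               MBeanServerLocator.locateJBoss());
   }

   /**
    * Stores the container and, when it is non-null, caches the values that
    * every authorization check needs: the application security domain, the
    * EJB name and the code source of the bean class.
    *
    * @param container the container this interceptor belongs to; may be null
    * @see AbstractInterceptor#setContainer(Container)
    */
   public void setContainer(Container container)
   {
      super.setContainer(container);
      if (container != null)
      {
         BeanMetaData beanMetaData = container.getBeanMetaData();
         appSecurityDomain = beanMetaData.getApplicationMetaData().getSecurityDomain();
         ejbName = beanMetaData.getEjbName();
         ejbCS = container.getBeanClass().getProtectionDomain().getCodeSource();
      }
   }

   /**
    * Authorizes a home-interface invocation and then passes it down the chain.
    *
    * @param mi the invocation to authorize and forward
    * @return whatever the next interceptor returns
    * @throws SecurityException if the caller is not permitted
    * @throws Exception anything raised by the authorization manager lookup or the next interceptor
    * @see AbstractInterceptor#invokeHome(Invocation)
    */
   public Object invokeHome(Invocation mi) throws Exception
   {
      // The check throws on denial, so a rejected call never reaches the next interceptor.
      checkAuthorization(mi);
      return getNext().invokeHome(mi);
   }

   /**
    * Authorizes a bean invocation and then passes it down the chain.
    *
    * @param mi the invocation to authorize and forward
    * @return whatever the next interceptor returns
    * @throws SecurityException if the caller is not permitted
    * @throws Exception anything raised by the authorization manager lookup or the next interceptor
    * @see AbstractInterceptor#invoke(Invocation)
    */
   public Object invoke(Invocation mi) throws Exception
   {
      // The check throws on denial, so a rejected call never reaches the next interceptor.
      checkAuthorization(mi);
      return getNext().invoke(mi);
   }

   /**
    * Authorize the caller's access to the method invocation.
    *
    * The decision fails closed: access is granted only when the authorization
    * manager returns {@link AuthorizationContext#PERMIT}. Any other result, and
    * any exception thrown while authorizing, ends in a SecurityException.
    *
    * @param mi the invocation being authorized
    * @throws SecurityException if the call is not permitted or authorization failed
    * @throws Exception if the authorization manager lookup itself fails
    *         (the lookup happens outside the try block and is not converted)
    */
   private void checkAuthorization(Invocation mi)
      throws Exception
   {
      Method ejbMethod = mi.getMethod();
      // Ignore internal container calls.
      // NOTE(review): every invocation without a method skips authorization here;
      // confirm that only container-internal calls can arrive with a null method.
      if (ejbMethod == null)
         return;

      // Get the caller
      Subject caller = SecurityActions.getContextSubject();

      AuthorizationManager authzManager = this.getAuthorizationManager();

      // Everything the authorization framework needs to decide on this call.
      final HashMap map = new HashMap();
      map.put(ResourceKeys.EJB_NAME, this.ejbName);
      map.put(ResourceKeys.EJB_METHOD, ejbMethod);
      map.put(ResourceKeys.EJB_PRINCIPAL, mi.getPrincipal());
      map.put(ResourceKeys.EJB_METHODINTERFACE, mi.getType().toInterfaceString());
      map.put(ResourceKeys.EJB_CODESOURCE, ejbCS);
      map.put(ResourceKeys.CALLER_SUBJECT, caller);
      map.put(ResourceKeys.AUTHORIZATION_MANAGER, authzManager);
      map.put(ResourceKeys.RUNASIDENTITY, SecurityActions.peekRunAsIdentity());
      map.put(ResourceKeys.EJB_METHODROLES, container.getMethodPermissions(ejbMethod, mi.getType()));
      EJBResource ejbResource = new EJBResource(map);

      boolean isAuthorized = false;
      try
      {
         int check = authzManager.authorize(ejbResource);
         isAuthorized = (check == AuthorizationContext.PERMIT);
      }
      catch (Exception e)
      {
         // A failure inside the authorization manager is treated as a denial.
         // The stack trace is only logged at trace level; at error level just
         // the localized message is recorded.
         isAuthorized = false;
         if (trace)
            log.trace("Error in authorization:", e);
         else
            log.error("Error in authorization:" + e.getLocalizedMessage());
      }

      if (!isAuthorized)
      {
         // Built only on the deny path so permitted calls do not pay for
         // Subject.toString(). That string lists the subject's principals and
         // credentials, so treat the message as sensitive wherever this
         // exception is logged or propagated.
         // NOTE(review): confirm whether it can reach a remote caller.
         throw new SecurityException("Denied: caller=" + caller);
      }
   }

   /**
    * Get the Authorization Manager for the security domain. The application's
    * own domain is used (with its prefix removed) when one is configured,
    * otherwise the fallback domain.
    *
    * @see SecurityConstants#DEFAULT_EJB_APPLICATION_POLICY
    * @return authorization manager as returned by the manager service
    * @throws Exception if the manager service lookup fails
    */
   private AuthorizationManager getAuthorizationManager() throws Exception
   {
      String tempSecurityDomain = appSecurityDomain != null
         ? Util.unprefixSecurityDomain(appSecurityDomain)
         : defaultAuthorizationSecurityDomain;
      AuthorizationManager am = authorizationManagerService.getAuthorizationManager(tempSecurityDomain);
      // String.valueOf keeps the trace statement from throwing if the service
      // returns null, so enabling trace logging cannot change the failure mode.
      if (trace)
         log.trace(String.valueOf(am));
      return am;
   }
}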