SecurityRolesInterceptor


1   /*
2   * JBoss, Home of Professional Open Source
3   * Copyright 2005, JBoss Inc., and individual contributors as indicated
4   * by the @authors tag. See the copyright.txt in the distribution for a
5   * full listing of individual contributors.
6   *
7   * This is free software; you can redistribute it and/or modify it
8   * under the terms of the GNU Lesser General Public License as
9   * published by the Free Software Foundation; either version 2.1 of
10  * the License, or (at your option) any later version.
11  *
12  * This software is distributed in the hope that it will be useful,
13  * but WITHOUT ANY WARRANTY; without even the implied warranty of
14  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15  * Lesser General Public License for more details.
16  *
17  * You should have received a copy of the GNU Lesser General Public
18  * License along with this software; if not, write to the Free
19  * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
20  * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
21  */
22  package org.jboss.ejb.plugins;
23  
24  import java.security.Principal  ;
25  import java.util.Map  ;
26  import java.util.Set  ;
27  import javax.ejb.EJBException  ;
28  
29  import org.jboss.ejb.Container;
30  import org.jboss.invocation.Invocation;
31  import org.jboss.invocation.InvocationType;
32  import org.jboss.metadata.ApplicationMetaData;
33  import org.jboss.metadata.AssemblyDescriptorMetaData;
34  import org.jboss.metadata.BeanMetaData;
35  import org.jboss.security.AnybodyPrincipal;
36  import org.jboss.security.RealmMapping;
37  import org.jboss.security.RunAsIdentity;
38  import org.jboss.security.SecurityAssociation;
39  
40  /** The declarative roles based authorization interceptor which uses the
41   * RealmMapping interface of the associated security domain.
42   *
43   * @author <a HREF="mailto:Scott.Stark@jboss.org">Scott Stark</a>.
44   * @author <a HREF="mailto:Thomas.Diesler@jboss.org">Thomas Diesler</a>.
45   * @version $Revision: 37459 $
46   */
47  public class SecurityRolesInterceptor extends AbstractInterceptor
48  {
49     /** The security domain authorization service */
50     protected RealmMapping realmMapping;
51  
52     /** A static map of SecurityRolesMetaData from jboss.xml */
53     protected Map   securityRoles;
54  
55     /** Called by the super class to set the container to which this interceptor
56      belongs. We obtain the authorization service here.
57      */
58     public void setContainer(Container container)
59     {
60        super.setContainer(container);
61        if (container != null)
62        {
63           BeanMetaData beanMetaData = container.getBeanMetaData();
64           ApplicationMetaData applicationMetaData = beanMetaData.getApplicationMetaData();
65           AssemblyDescriptorMetaData assemblyDescriptor = applicationMetaData.getAssemblyDescriptor();
66           securityRoles = assemblyDescriptor.getSecurityRoles();
67  
68           realmMapping = container.getRealmMapping();
69        }
70     }
71  
72     // Container implementation --------------------------------------
73     public void start() throws Exception  
74     {
75        super.start();
76     }
77  
78     public Object   invokeHome(Invocation mi) throws Exception  
79     {
80        // Apply any declarative security checks
81        checkSecurityAssociation(mi);
82        Object   returnValue = getNext().invokeHome(mi);
83        return returnValue;
84     }
85  
86     public Object   invoke(Invocation mi) throws Exception  
87     {
88        // Authenticate the subject and apply any declarative security checks
89        checkSecurityAssociation(mi);
90        Object   returnValue = getNext().invoke(mi);
91        return returnValue;
92     }
93  
94     /** Validate access to the method by checking the principal's roles against
95      those required to access the method.
96      @param mi the method invocation context
97      */
98     private void checkSecurityAssociation(Invocation mi)
99        throws Exception  
100    {
101       Principal   principal = mi.getPrincipal();
102       boolean trace = log.isTraceEnabled();
103 
104       if (realmMapping == null)
105       {
106          throw new EJBException  ("checkSecurityAssociation",
107             new SecurityException  ("Role mapping manager has not been set"));
108       }
109 
110       // Get the method permissions
111       InvocationType iface = mi.getType();
112       Set   methodRoles = container.getMethodPermissions(mi.getMethod(), iface);
113       if (methodRoles == null)
114       {
115          String   method = mi.getMethod().getName();
116          String   msg = "No method permissions assigned to method=" + method
117             + ", interface=" + iface;
118          log.error(msg);
119          SecurityException   e = new SecurityException  (msg);
120          throw new EJBException  ("checkSecurityAssociation", e);
121       }
122       else if (trace)
123       {
124          log.trace("method=" + mi.getMethod() + ", interface=" + iface
125             + ", requiredRoles=" + methodRoles);
126       }
127 
128       // Check if the caller is allowed to access the method
129       RunAsIdentity callerRunAsIdentity = SecurityAssociation.peekRunAsIdentity();
130       if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false)
131       {
132          // The caller is using a the caller identity
133          if (callerRunAsIdentity == null)
134          {
135             // Now actually check if the current caller has one of the required method roles
136             if (realmMapping.doesUserHaveRole(principal, methodRoles) == false)
137             {
138                Set   userRoles = realmMapping.getUserRoles(principal);
139                String   method = mi.getMethod().getName();
140                String   msg = "Insufficient method permissions, principal=" + principal
141                   + ", method=" + method + ", interface=" + iface
142                   + ", requiredRoles=" + methodRoles + ", principalRoles=" + userRoles;
143                log.error(msg);
144                SecurityException   e = new SecurityException  (msg);
145                throw new EJBException  ("checkSecurityAssociation", e);
146             }
147          }
148 
149          // The caller is using a run-as identity
150          else
151          {
152             // Check that the run-as role is in the set of method roles
153             if (callerRunAsIdentity.doesUserHaveRole(methodRoles) == false)
154             {
155                String   method = mi.getMethod().getName();
156                String   msg = "Insufficient method permissions, runAsPrincipal=" + callerRunAsIdentity.getName()
157                   + ", method=" + method + ", interface=" + iface
158                   + ", requiredRoles=" + methodRoles + ", runAsRoles=" + callerRunAsIdentity.getRunAsRoles();
159                log.error(msg);
160                SecurityException   e = new SecurityException  (msg);
161                throw new EJBException  ("checkSecurityAssociation", e);
162             }
163          }
164       }
165    }
166 }
167
A to Z: JavaDoc & Examples Daily Java News & Articles Open Source Projects Open Source Codes Free Computer Books Remove Frame
Popular Tags