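package org.jboss.test.jmx.interceptors;

import java.security.Principal;
import java.lang.reflect.Method;
import java.util.HashSet;
import java.util.Map;
import javax.naming.InitialContext;
import javax.security.auth.Subject;

import org.jboss.mx.interceptor.AbstractInterceptor;
import org.jboss.mx.server.Invocation;
import org.jboss.mx.server.MBeanInvoker;
import org.jboss.logging.Logger;
import org.jboss.security.RealmMapping;
import org.jboss.security.SubjectSecurityManager;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.SecurityAssociation;
import org.jboss.invocation.MarshalledInvocation;

/**
 * JMX interceptor that authenticates and authorizes the "invoke" operation of
 * the MBean it is attached to (expected to be a JNDI invoker: the first
 * operation argument is an {@link org.jboss.invocation.Invocation} carrying
 * the caller's principal, credential and the target {@link Method}).
 *
 * <p>Policy, in order:
 * <ol>
 *   <li>Operations other than "invoke" pass straight through, unchecked.</li>
 *   <li>The caller is authenticated against the configured security domain
 *       via {@link SubjectSecurityManager#isValid}.</li>
 *   <li>The authenticated subject is pushed onto the
 *       {@link SecurityAssociation} for the duration of the call and popped
 *       in a finally block.</li>
 *   <li>The target method is mapped to exactly one role: "JNDIReader" for
 *       {@code lookup}, {@code list} and {@code listBindings}; "JNDIWriter"
 *       for every other method. The check is fail-closed: anything that is
 *       not recognised as a read (including other read-like JNDI methods such
 *       as {@code lookupLink}) requires the writer role.</li>
 * </ol>
 *
 * <p>Every failure is surfaced as a {@link SecurityException}; a missing or
 * malformed invocation argument is rejected rather than allowed through.
 */
public final class JNDISecurity
   extends AbstractInterceptor
{
   private static Logger log = Logger.getLogger(JNDISecurity.class);
   /** Role required for lookup/list/listBindings. */
   private static final Principal READER_ROLE = new SimplePrincipal("JNDIReader");
   /** Role required for every other method, including bind/rebind/unbind. */
   private static final Principal WRITER_ROLE = new SimplePrincipal("JNDIWriter");

   private String securityDomain;
   private SubjectSecurityManager authMgr;
   private RealmMapping roleMgr;
   /**
    * Lazily loaded from the invoker's "MethodMap" attribute; needed so a
    * MarshalledInvocation can resolve its method hash back to a Method.
    * Volatile so a map published by one thread is visible to the others;
    * a concurrent double initialisation is harmless (same attribute value).
    */
   private volatile Map methodMap;

   /**
    * @return the JNDI name of the security domain this interceptor uses
    */
   public String getSecurityDomain()
   {
      return securityDomain;
   }

   /**
    * Sets the security domain and resolves it to both a
    * {@link SubjectSecurityManager} (authentication) and a
    * {@link RealmMapping} (authorization) through JNDI.
    *
    * @param securityDomain JNDI name under which the domain's security
    *        manager is bound
    * @throws Exception if the JNDI lookup fails or the bound object does not
    *         implement both interfaces
    */
   public void setSecurityDomain(String securityDomain) throws Exception
   {
      log.info("setSecurityDomain: " + securityDomain);
      this.securityDomain = securityDomain;
      InitialContext ctx = new InitialContext();
      try
      {
         this.authMgr = (SubjectSecurityManager) ctx.lookup(securityDomain);
         this.roleMgr = (RealmMapping) ctx.lookup(securityDomain);
      }
      finally
      {
         // Release the naming context; the looked-up managers stay valid.
         ctx.close();
      }
   }

   /**
    * Authenticates and authorizes an "invoke" operation before delegating to
    * the next interceptor; other operations are delegated unchecked.
    *
    * @param invocation the JMX invocation
    * @return whatever the next interceptor returns
    * @throws SecurityException if no security managers are configured, the
    *         invocation argument is missing or of the wrong type, the target
    *         method cannot be resolved, authentication fails, or the caller
    *         lacks the required role
    * @throws Throwable anything thrown by the downstream interceptors
    */
   public Object invoke(Invocation invocation) throws Throwable
   {
      String opName = invocation.getName();
      log.info("invoke, opName=" + opName);

      // Only the "invoke" operation carries a JNDI request; everything else
      // (attribute access, other operations) is not subject to this policy.
      if (opName == null || opName.equals("invoke") == false)
         return invocation.nextInterceptor().invoke(invocation);

      if (authMgr == null || roleMgr == null)
      {
         String msg = "No security mgr configured, check securityDomain: " + securityDomain;
         throw new SecurityException(msg);
      }

      // Fail closed on a malformed request instead of surfacing an NPE/CCE.
      Object[] args = invocation.getArgs();
      if (args == null || args.length == 0
         || (args[0] instanceof org.jboss.invocation.Invocation) == false)
      {
         throw new SecurityException("Missing or invalid Invocation argument for invoke");
      }
      org.jboss.invocation.Invocation invokeInfo =
         (org.jboss.invocation.Invocation) args[0];

      Principal principal = invokeInfo.getPrincipal();
      Object credential = invokeInfo.getCredential();
      Subject subject = new Subject();
      if (authMgr.isValid(principal, credential, subject) == false)
      {
         String msg = "Failed to authenticate principal: " + principal;
         throw new SecurityException(msg);
      }
      // Establish the caller identity for downstream code; always popped below.
      SecurityAssociation.pushSubjectContext(subject, principal, credential);

      try
      {
         if (methodMap == null)
            initMethodMap(invocation);
         if (invokeInfo instanceof MarshalledInvocation)
         {
            // A marshalled invocation only carries a method hash; give it the
            // map so getMethod() can resolve it.
            MarshalledInvocation mi = (MarshalledInvocation) invokeInfo;
            mi.setMethodMap(methodMap);
         }
         Method method = invokeInfo.getMethod();
         if (method == null)
         {
            // Unresolvable target: deny rather than guess a role.
            throw new SecurityException("Unable to resolve target method for invoke, principal: "
               + principal);
         }

         HashSet methodRoles = new HashSet();
         if (isReadMethod(method))
            methodRoles.add(READER_ROLE);
         else
            methodRoles.add(WRITER_ROLE);

         if (roleMgr.doesUserHaveRole(principal, methodRoles) == false)
         {
            // Report the subject's principals only: Subject.toString() may
            // render private credentials, which must not end up in an
            // exception message or log.
            String msg = "Failed to authorize subject: " + subject.getPrincipals()
               + " principal: " + principal
               + " for access roles:" + methodRoles;
            throw new SecurityException(msg);
         }

         return invocation.nextInterceptor().invoke(invocation);
      }
      finally
      {
         SecurityAssociation.popSubjectContext();
      }
   }

   /**
    * Classifies a JNDI method by name. Only lookup, list and listBindings are
    * reads; every other method is treated as a write (conservative default).
    *
    * @param method the resolved target method, never null
    * @return true if the method only requires the reader role
    */
   private boolean isReadMethod(Method method)
   {
      String name = method.getName();
      return name.equals("lookup")
         || name.equals("list")
         || name.equals("listBindings");
   }

   /**
    * Loads the method-hash-to-Method map from the invoker's "MethodMap"
    * attribute.
    *
    * @param invocation the current invocation, used to reach the invoker
    * @throws Throwable if the attribute cannot be read
    */
   private void initMethodMap(Invocation invocation) throws Throwable
   {
      MBeanInvoker invoker = invocation.getInvoker();
      methodMap = (Map) invoker.getAttribute("MethodMap");
   }
}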