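package org.objectweb.easybeans.security.permissions;

import java.net.URL;
import java.security.CodeSource;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.List;

import javax.security.jacc.EJBMethodPermission;
import javax.security.jacc.EJBRoleRefPermission;
import javax.security.jacc.PolicyContext;
import javax.security.jacc.PolicyContextException;

import org.objectweb.easybeans.api.EZBPermissionManager;
import org.objectweb.easybeans.api.EasyBeansInvocationContext;
import org.objectweb.easybeans.api.PermissionManagerException;
import org.objectweb.easybeans.api.bean.info.IBeanInfo;
import org.objectweb.easybeans.api.bean.info.IEJBJarInfo;
import org.objectweb.easybeans.api.bean.info.IMethodSecurityInfo;
import org.objectweb.easybeans.api.bean.info.ISecurityInfo;
import org.objectweb.easybeans.log.JLog;
import org.objectweb.easybeans.log.JLogFactory;
import org.objectweb.easybeans.security.propagation.context.SecurityCurrent;

/**
 * JACC-based permission manager for one EJB-JAR.
 * <p>
 * At deployment time it translates the bean security metadata (method
 * permissions, exclude list, declared role references) into the JACC
 * {@code PolicyConfiguration} obtained from {@link AbsPermissionManager}.
 * At runtime it answers access checks by asking the installed JACC
 * {@code Policy} whether a {@link ProtectionDomain} built from the caller's
 * roles implies the requested permission; a permission that was never added
 * to the policy is therefore denied (fail closed).
 * <p>
 * The JACC context id, the policy configuration and the policy itself are
 * provided by {@link AbsPermissionManager} (not visible here).
 */
public class PermissionManager extends AbsPermissionManager implements EZBPermissionManager {

    /** Logger. */
    private final JLog logger = JLogFactory.getLog(PermissionManager.class);

    /**
     * Code source of this module (the context id URL, no signer certificates).
     * It is the code-location part of every ProtectionDomain handed to the policy.
     */
    private final CodeSource codeSource;

    /** Metadata of the EJB-JAR whose permissions are managed. */
    private final IEJBJarInfo ejbJarInfo;

    /**
     * Builds the permission manager of an EJB-JAR.
     * @param contextIdURL URL used as JACC context id (by the superclass) and as
     *        the location of the module's {@link CodeSource}
     * @param ejbJarInfo metadata of the EJB-JAR (beans and their security info)
     * @throws PermissionManagerException if the superclass cannot set up the
     *         policy configuration for this context id
     */
    public PermissionManager(final URL contextIdURL, final IEJBJarInfo ejbJarInfo) throws PermissionManagerException {
        super(contextIdURL);
        this.ejbJarInfo = ejbJarInfo;
        // No certificates: the domain is identified by its location only.
        this.codeSource = new CodeSource(contextIdURL, (Certificate[]) null);
    }

    /**
     * Translates the security metadata of every bean of the EJB-JAR into the
     * policy configuration: method permissions, exclude list and role references.
     * Beans are processed in the order returned by {@code getBeanInfos()}; a
     * null bean list is treated as "nothing to translate".
     * @throws PermissionManagerException if any permission cannot be added to
     *         the policy configuration
     */
    public void translateMetadata() throws PermissionManagerException {
        List<IBeanInfo> beansInfo = ejbJarInfo.getBeanInfos();
        if (beansInfo == null) {
            return;
        }
        for (IBeanInfo beanInfo : beansInfo) {
            ISecurityInfo securityInfo = beanInfo.getSecurityInfo();
            translateEjbMethodPermission(securityInfo);
            translateEjbExcludeList(securityInfo);
            translateEjbSecurityRoleRef(beanInfo, securityInfo);
        }
    }

    /**
     * Adds the method permissions of a bean to the policy configuration:
     * unchecked methods go to the unchecked policy, every other method is
     * granted to each of its declared roles. Excluded methods are handled by
     * {@link #translateEjbExcludeList(ISecurityInfo)}.
     * @param securityInfo security metadata of one bean
     * @throws PermissionManagerException if the policy configuration rejects a permission
     */
    protected void translateEjbMethodPermission(final ISecurityInfo securityInfo) throws PermissionManagerException {
        List<IMethodSecurityInfo> methodSecurityInfos = securityInfo.getMethodSecurityInfos();
        if (methodSecurityInfos == null) {
            return;
        }
        for (IMethodSecurityInfo methodSecurityInfo : methodSecurityInfos) {
            if (methodSecurityInfo.isUnchecked()) {
                addUnchecked(methodSecurityInfo);
            } else {
                addToRoles(methodSecurityInfo);
            }
        }
    }

    /**
     * Adds one method permission to the unchecked policy (callable by anyone).
     * @param methodSecurityInfo the method and its permission
     * @throws PermissionManagerException wrapping the {@link PolicyContextException}
     */
    private void addUnchecked(final IMethodSecurityInfo methodSecurityInfo) throws PermissionManagerException {
        try {
            logger.debug("Adding unchecked permission {0}", methodSecurityInfo.getPermission());
            getPolicyConfiguration().addToUncheckedPolicy(methodSecurityInfo.getPermission());
        } catch (PolicyContextException e) {
            throw new PermissionManagerException("Cannot add unchecked policy for method '" + methodSecurityInfo
                    + "'.", e);
        }
    }

    /**
     * Grants one method permission to each role listed for the method.
     * The role list is iterated as returned by {@code getRoles()}; a null
     * list fails with a NullPointerException, as it always did.
     * @param methodSecurityInfo the method, its permission and its roles
     * @throws PermissionManagerException wrapping the {@link PolicyContextException}
     */
    private void addToRoles(final IMethodSecurityInfo methodSecurityInfo) throws PermissionManagerException {
        for (String roleName : methodSecurityInfo.getRoles()) {
            try {
                logger.debug("Adding permission {0} to role {1}", methodSecurityInfo.getPermission(), roleName);
                getPolicyConfiguration().addToRole(roleName, methodSecurityInfo.getPermission());
            } catch (PolicyContextException e) {
                throw new PermissionManagerException("Cannot add rolebase policy for method '" + methodSecurityInfo
                        + "' and for role '" + roleName + "'.", e);
            }
        }
    }

    /**
     * Adds every excluded method of a bean to the excluded policy, so that the
     * method can be called by nobody regardless of roles.
     * @param securityInfo security metadata of one bean
     * @throws PermissionManagerException if the policy configuration rejects a permission
     */
    protected void translateEjbExcludeList(final ISecurityInfo securityInfo) throws PermissionManagerException {
        List<IMethodSecurityInfo> methodSecurityInfos = securityInfo.getMethodSecurityInfos();
        if (methodSecurityInfos == null) {
            return;
        }
        for (IMethodSecurityInfo methodSecurityInfo : methodSecurityInfos) {
            if (!methodSecurityInfo.isExcluded()) {
                continue;
            }
            try {
                logger.debug("Adding excluded permission {0}", methodSecurityInfo.getPermission());
                getPolicyConfiguration().addToExcludedPolicy(methodSecurityInfo.getPermission());
            } catch (PolicyContextException e) {
                throw new PermissionManagerException("Cannot add excluded policy for method '" + methodSecurityInfo
                        + "'.", e);
            }
        }
    }

    /**
     * Adds, for each role declared by a bean, an {@link EJBRoleRefPermission}
     * granted to that same role; this is what later makes
     * {@link #isCallerInRole(String, String, boolean)} answer true for it.
     * @param beanInfo the bean (its name is part of the permission)
     * @param securityInfo security metadata of the bean
     * @throws PermissionManagerException if the policy configuration rejects a permission
     */
    public void translateEjbSecurityRoleRef(final IBeanInfo beanInfo, final ISecurityInfo securityInfo)
            throws PermissionManagerException {
        List<String> declaredRoles = securityInfo.getDeclaredRoles();
        if (declaredRoles == null) {
            return;
        }
        for (String role : declaredRoles) {
            try {
                getPolicyConfiguration().addToRole(role, new EJBRoleRefPermission(beanInfo.getName(), role));
            } catch (PolicyContextException e) {
                throw new PermissionManagerException("Cannot add to role '" + role + "' an EJBRoleRefPermission.", e);
            }
        }
    }

    /**
     * Checks whether the current caller may invoke the method of the given
     * invocation context.
     * @param invocationContext the invocation being authorized (bean and method)
     * @param runAsBean passed through to {@code getCallerRoles}: selects the
     *        bean's run-as roles instead of the caller's own ones
     *        (per the parameter's name; confirm in {@code SecurityCurrent})
     * @return true only if the installed JACC policy implies the method
     *         permission for the caller's ProtectionDomain
     */
    public boolean checkSecurity(final EasyBeansInvocationContext invocationContext, final boolean runAsBean) {
        // The JACC policy resolves permissions per module; the context id must
        // be current on this thread before the policy is consulted.
        PolicyContext.setContextID(getContextId());

        ProtectionDomain protectionDomain = callerProtectionDomain(runAsBean);
        boolean accessOK = getPolicy().implies(protectionDomain, invocationContextToMethodPermission(invocationContext));
        if (logger.isDebugEnabled()) {
            logger.debug("Policy.implies result = {0} ", Boolean.valueOf(accessOK));
        }
        return accessOK;
    }

    /**
     * Builds the ProtectionDomain representing the current caller: this
     * module's code source plus the caller's roles as principals.
     * @param runAs passed through to {@code getCallerRoles}
     * @return a ProtectionDomain with no permissions and no class loader of its own
     */
    private ProtectionDomain callerProtectionDomain(final boolean runAs) {
        Principal[] principals = SecurityCurrent.getCurrent().getSecurityContext().getCallerRoles(runAs);
        return new ProtectionDomain(codeSource, null, null, principals);
    }

    /**
     * Builds the {@link EJBMethodPermission} matching an invocation: the bean
     * name of the invocation's factory and the invoked method, with an empty
     * method-interface name.
     * @param invocationContext the invocation
     * @return the permission to test against the policy
     */
    private static EJBMethodPermission invocationContextToMethodPermission(final EasyBeansInvocationContext invocationContext) {
        String ejbName = invocationContext.getFactory().getBeanInfo().getName();
        return new EJBMethodPermission(ejbName, "", invocationContext.getMethod());
    }

    /**
     * Checks whether the current caller holds the given role for the given bean.
     * @param ejbName name of the bean
     * @param roleName role reference to test
     * @param inRunAs passed through to {@code getCallerRoles}
     *        (selects the run-as role set per its name; confirm in {@code SecurityCurrent})
     * @return true only if the installed JACC policy implies the
     *         {@link EJBRoleRefPermission} for the caller's ProtectionDomain
     */
    public boolean isCallerInRole(final String ejbName, final String roleName, final boolean inRunAs) {
        PolicyContext.setContextID(getContextId());
        logger.debug("roleName = {0}", roleName);

        ProtectionDomain protectionDomain = callerProtectionDomain(inRunAs);
        EJBRoleRefPermission ejbRoleRefPermission = new EJBRoleRefPermission(ejbName, roleName);
        return getPolicy().implies(protectionDomain, ejbRoleRefPermission);
    }

}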