
Example 16 with MethodPermission

use of com.sun.enterprise.deployment.MethodPermission in project Payara by payara.

the class EJBSecurityManager method convertEJBMethodPermissions.

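/**
 * Converts the method-permission information of one EJB into JACC policy
 * statements on the policy configuration identified by {@code pcid}.
 * <p>
 * Phase 1 walks the {@code <method-permission>} elements exactly as they
 * appear in the deployment descriptor ({@code getMethodPermissionsFromDD()}):
 * each {@code <method>} element becomes an {@link EJBMethodPermission} and is
 * sorted, according to its {@link MethodPermission}, into the role-based,
 * unchecked or excluded permission set.
 * <p>
 * Phase 2 walks every method descriptor of the bean
 * ({@code getMethodDescriptors()}) and adds a permission for each
 * {@link MethodPermission} the descriptor reports for that method
 * ({@code getMethodPermissionsFor(md)}). Per the original design notes this
 * both speeds up {@code Permissions.implies} matching in the policy provider
 * and gives any method not covered by a method-permission element an
 * unchecked policy statement, i.e. such a method is callable without a role
 * check rather than being denied.
 * <p>
 * Finally the collected sets are committed to the policy configuration via
 * {@code addToUncheckedPolicy}, {@code addToExcludedPolicy} and
 * {@code addToRole}.
 *
 * @param eDescriptor the ejb descriptor for this EJB.
 * @param pcid the policy context identifier.
 * @throws PolicyContextException propagated from the policy configuration API.
 * @throws IllegalStateException if no policy configuration exists for {@code pcid}.
 */
private static void convertEJBMethodPermissions(EjbDescriptor eDescriptor, String pcid) throws PolicyContextException {
    PolicyConfiguration pc = getPolicyFactory().getPolicyConfiguration(pcid, false);
    // Explicit check instead of `assert`: assertions are normally disabled at
    // runtime, and a missing configuration must fail here rather than as an
    // NPE after the permission sets have already been computed.
    if (pc == null) {
        throw new IllegalStateException("No PolicyConfiguration for policy context id: " + pcid);
    }
    String eName = eDescriptor.getName();
    Permissions uncheckedPermissions = null;
    Permissions excludedPermissions = null;
    HashMap rolePermissionsTable = null;
    EJBMethodPermission ejbmp;

    // phase 1: the <method-permission> elements exactly as written in the DD
    Map<?, ?> mpMap = eDescriptor.getMethodPermissionsFromDD();
    if (mpMap != null) {
        for (Map.Entry<?, ?> entry : mpMap.entrySet()) {
            MethodPermission mp = (MethodPermission) entry.getKey();
            // The DD map holds ArrayLists of descriptors; any Iterable is accepted here.
            for (Object element : (Iterable<?>) entry.getValue()) {
                MethodDescriptor md = (MethodDescriptor) element;
                String mthdName = md.getName();
                String mthdIntf = md.getEjbClassSymbol();
                // NOTE(review): style 3 appears to be the descriptor form that
                // carries a parameter list; the other styles pass no parameters
                // here — confirm against MethodDescriptor.
                String[] mthdParams = md.getStyle() == 3 ? md.getParameterClassNames() : null;
                // A "*" method name in the DD stands for all methods; JACC expresses that as a null name.
                ejbmp = new EJBMethodPermission(eName, mthdName.equals("*") ? null : mthdName, mthdIntf, mthdParams);
                rolePermissionsTable = addToRolePermissionsTable(rolePermissionsTable, mp, ejbmp);
                uncheckedPermissions = addToUncheckedPermissions(uncheckedPermissions, mp, ejbmp);
                excludedPermissions = addToExcludedPermissions(excludedPermissions, mp, ejbmp);
            }
        }
    }

    // phase 2: one permission per bean method and per MethodPermission the
    // descriptor reports for it, so that Permissions.implies matching is fast
    // and uncovered methods end up with an unchecked statement.
    for (Object element : eDescriptor.getMethodDescriptors()) {
        MethodDescriptor md = (MethodDescriptor) element;
        Method mthd = md.getMethod(eDescriptor);
        String mthdIntf = md.getEjbClassSymbol();
        if (mthd == null) {
            // Descriptor does not resolve to a reflective Method on this bean; nothing to express.
            continue;
        }
        if (mthdIntf == null || mthdIntf.equals("")) {
            // Without an interface symbol no EJBMethodPermission can be built; the
            // method is logged and receives no policy statement from this phase.
            _logger.log(Level.SEVERE, "method_descriptor_not_defined", new Object[] { eName, md.getName(), md.getParameterClassNames() });
            continue;
        }
        ejbmp = new EJBMethodPermission(eName, mthdIntf, mthd);
        for (Object permission : eDescriptor.getMethodPermissionsFor(md)) {
            MethodPermission mp = (MethodPermission) permission;
            rolePermissionsTable = addToRolePermissionsTable(rolePermissionsTable, mp, ejbmp);
            uncheckedPermissions = addToUncheckedPermissions(uncheckedPermissions, mp, ejbmp);
            excludedPermissions = addToExcludedPermissions(excludedPermissions, mp, ejbmp);
        }
    }

    // commit the three collections to the policy configuration
    if (uncheckedPermissions != null) {
        pc.addToUncheckedPolicy(uncheckedPermissions);
    }
    if (excludedPermissions != null) {
        pc.addToExcludedPolicy(excludedPermissions);
    }
    if (rolePermissionsTable != null) {
        for (Object element : rolePermissionsTable.entrySet()) {
            Map.Entry entry = (Map.Entry) element;
            pc.addToRole((String) entry.getKey(), (Permissions) entry.getValue());
        }
    }
}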

Example 17 with MethodPermission

use of com.sun.enterprise.deployment.MethodPermission in project Payara by payara.

the class RolesAllowedHandler method processEjbMethodSecurity.

/**
 * Registers every role named by a {@code @RolesAllowed} annotation on the
 * bean's bundle and grants each of those roles permission on the given method.
 *
 * @param authAnnotation the {@code @RolesAllowed} annotation instance; it is
 *                       cast unconditionally, so any other annotation type fails
 * @param md the method the roles are granted on
 * @param ejbDesc the bean descriptor that receives the roles and the permissioned method
 */
@Override
protected void processEjbMethodSecurity(Annotation authAnnotation, MethodDescriptor md, EjbDescriptor ejbDesc) {
    String[] roleNames = ((RolesAllowed) authAnnotation).value();
    for (int i = 0; i < roleNames.length; i++) {
        Role role = new Role(roleNames[i]);
        // Per the original note, addRole tolerates a role that is already declared.
        ejbDesc.getEjbBundleDescriptor().addRole(role);
        ejbDesc.addPermissionedMethod(new MethodPermission(role), md);
    }
}

Example 18 with MethodPermission

use of com.sun.enterprise.deployment.MethodPermission in project Payara by payara.

the class MethodPermissionMethodExists method check.

/**
 * Verifies that every method named in a {@code <method-permission>} element of
 * the deployment descriptor is a method of the bean's remote and/or home
 * interface. Only session and entity beans are inspected; each method
 * descriptor is handed to {@code checkMethodStyles}, which records any failure
 * in {@code result}.
 *
 * @param descriptor the Enterprise Java Bean deployment descriptor
 * @return <code>Result</code> the results for this assertion
 */
public Result check(EjbDescriptor descriptor) {
    result = getInitializedResult();
    compName = getVerifierContext().getComponentNameConstructor();
    boolean applicableBean = descriptor instanceof EjbSessionDescriptor || descriptor instanceof EjbEntityDescriptor;
    if (applicableBean) {
        Map<MethodPermission, Collection<MethodDescriptor>> permissionedMethods = descriptor.getMethodPermissionsFromDD();
        if (permissionedMethods != null) {
            for (Map.Entry<MethodPermission, Collection<MethodDescriptor>> entry : permissionedMethods.entrySet()) {
                for (MethodDescriptor methodDescriptor : entry.getValue()) {
                    checkMethodStyles(methodDescriptor, descriptor);
                }
            }
        }
    }
    // checkMethodStyles may have marked the result FAILED; anything else is reported as passed.
    if (result.getStatus() != Result.FAILED) {
        addGoodDetails(result, compName);
        result.passed(smh.getLocalString(getClass().getName() + ".passed", "Valid method permission method(s) found."));
    }
    return result;
}

Example 19 with MethodPermission

use of com.sun.enterprise.deployment.MethodPermission in project Payara by payara.

the class MethodPermissionSecurityRoleExists method check.

/**
 * Verifies that every security role referenced by a role-based
 * method-permission is declared among the bean bundle's roles.
 * A referenced role that is not declared marks the result FAILED; a
 * permission that is not role based adds a not-applicable detail; a bean with
 * no method-permission entries is reported as not applicable as a whole.
 *
 * @param descriptor the Enterprise Java Bean deployment descriptor
 * @return <code>Result</code> the results for this assertion
 */
public Result check(EjbDescriptor descriptor) {
    Result result = getInitializedResult();
    ComponentNameConstructor compName = getVerifierContext().getComponentNameConstructor();
    Map permissionedMethods = descriptor.getPermissionedMethodsByPermission();
    if (permissionedMethods.isEmpty()) {
        result.addNaDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
        result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable", "There are no <method-permission> elements within this bean [ {0} ]", new Object[] { descriptor.getName() }));
        return result;
    }
    boolean anyUndeclaredRole = false;
    for (Object key : permissionedMethods.keySet()) {
        MethodPermission permission = (MethodPermission) key;
        if (!permission.isRoleBased()) {
            addNaDetails(result, compName);
            result.notApplicable(smh.getLocalString(getClass().getName() + ".notApplicable1", "There are no role based method-permissions within this bean [ {0} ]", new Object[] { descriptor.getName() }));
            continue;
        }
        boolean declared = descriptor.getEjbBundleDescriptor().getRoles().contains(permission.getRole());
        if (declared) {
            result.addGoodDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.addGoodDetails(smh.getLocalString(getClass().getName() + ".passed", "Valid: Method permissions role [ {0} ] is defined as one of the roles defined in bean [ {1} ]", new Object[] { permission.getRole().getName(), descriptor.getName() }));
        } else {
            anyUndeclaredRole = true;
            result.addErrorDetails(smh.getLocalString("tests.componentNameConstructor", "For [ {0} ]", new Object[] { compName.toString() }));
            result.addErrorDetails(smh.getLocalString(getClass().getName() + ".failed", "Error: Method permissions role [ {0} ] must be one of the roles defined in bean [ {1} ]", new Object[] { permission.getRole().getName(), descriptor.getName() }));
        }
    }
    // A single undeclared role fails the whole check; otherwise keep a
    // NOT_APPLICABLE status set inside the loop and mark everything else PASSED.
    if (anyUndeclaredRole) {
        result.setStatus(Result.FAILED);
    } else if (result.getStatus() != Result.NOT_APPLICABLE) {
        result.setStatus(Result.PASSED);
    }
    return result;
}
