Search in sources :

Example 1 with EJBMethodPermission

use of javax.security.jacc.EJBMethodPermission in project hibernate-orm by hibernate.

the class StandardJaccServiceImpl method doPermissionCheckInContext.

private void doPermissionCheckInContext(PermissionCheckEntityInformation entityInformation, PermissibleAction action) {
    final Policy policy = Policy.getPolicy();
    final Principal[] principals = getCallerPrincipals();
    final CodeSource codeSource = entityInformation.getEntity().getClass().getProtectionDomain().getCodeSource();
    final ProtectionDomain pd = new ProtectionDomain(codeSource, null, null, principals);
    // the action is known as 'method name' in JACC
    final EJBMethodPermission jaccPermission = new EJBMethodPermission(entityInformation.getEntityName(), action.getImpliedActions()[0], null, null);
    if (!policy.implies(pd, jaccPermission)) {
        throw new SecurityException(String.format("JACC denied permission to [%s.%s] for [%s]", entityInformation.getEntityName(), action.getImpliedActions()[0], join(principals)));
    }
}
Also used : Policy(java.security.Policy) ProtectionDomain(java.security.ProtectionDomain) CodeSource(java.security.CodeSource) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) Principal(java.security.Principal)

Example 2 with EJBMethodPermission

use of javax.security.jacc.EJBMethodPermission in project Payara by payara.

the class JaccEJBConstraintsTranslator method createEJBMethodPermissions.

/**
 * This method converts the dd in two phases. Phase 1: gets a map representing the methodPermission elements exactly as
 * they occured for the ejb in the dd. The map is keyed by method-permission element and each method-permission is
 * mapped to a list of method elements representing the method elements of the method permision element. Each method
 * element is converted to a corresponding EJBMethodPermission and added, based on its associated method-permission, to
 * the policy configuration object. phase 2: configures additional EJBMethodPermission policy statements for the purpose
 * of optimizing Permissions.implies matching by the policy provider. This phase also configures unchecked policy
 * statements for any uncovered methods. This method gets the list of method descriptors for the ejb from the
 * EjbDescriptor object. For each method descriptor, it will get a list of MethodPermission objects that signify the
 * method permissions for the Method and convert each to a corresponding EJBMethodPermission to be added to the policy
 * configuration object.
 *
 * @param ejbDescriptor the ejb descriptor for this EJB.
 * @param policyConfiguration, the policy configuration
 */
private static void createEJBMethodPermissions(EjbDescriptor ejbDescriptor, PolicyConfiguration policyConfiguration) throws PolicyContextException {
    String ejbName = ejbDescriptor.getName();
    Permissions uncheckedPermissions = null;
    Permissions excludedPermissions = null;
    Map<String, Permissions> perRolePermissions = null;
    // Phase 1
    Map<MethodPermission, List<MethodDescriptor>> methodPermissions = ejbDescriptor.getMethodPermissionsFromDD();
    if (methodPermissions != null) {
        for (Entry<MethodPermission, List<MethodDescriptor>> permissionEntry : methodPermissions.entrySet()) {
            MethodPermission methodPermission = permissionEntry.getKey();
            for (MethodDescriptor methodDescriptor : permissionEntry.getValue()) {
                String methodName = methodDescriptor.getName().equals("*") ? null : methodDescriptor.getName();
                String methodInterface = methodDescriptor.getEjbClassSymbol();
                String[] methodParams = methodDescriptor.getStyle() == 3 ? methodDescriptor.getParameterClassNames() : null;
                EJBMethodPermission ejbMethodPermission = new EJBMethodPermission(ejbName, methodName, methodInterface, methodParams);
                perRolePermissions = addToRolePermissions(perRolePermissions, methodPermission, ejbMethodPermission);
                uncheckedPermissions = addToUncheckedPermissions(uncheckedPermissions, methodPermission, ejbMethodPermission);
                excludedPermissions = addToExcludedPermissions(excludedPermissions, methodPermission, ejbMethodPermission);
            }
        }
    }
    for (MethodDescriptor methodDescriptor : ejbDescriptor.getMethodDescriptors()) {
        Method method = methodDescriptor.getMethod(ejbDescriptor);
        if (method == null) {
            continue;
        }
        String methodInterface = methodDescriptor.getEjbClassSymbol();
        if (methodInterface == null || methodInterface.equals("")) {
            _logger.log(SEVERE, "method_descriptor_not_defined", new Object[] { ejbName, methodDescriptor.getName(), methodDescriptor.getParameterClassNames() });
            continue;
        }
        EJBMethodPermission ejbMethodPermission = new EJBMethodPermission(ejbName, methodInterface, method);
        for (MethodPermission methodPermission : ejbDescriptor.getMethodPermissionsFor(methodDescriptor)) {
            perRolePermissions = addToRolePermissions(perRolePermissions, methodPermission, ejbMethodPermission);
            uncheckedPermissions = addToUncheckedPermissions(uncheckedPermissions, methodPermission, ejbMethodPermission);
            excludedPermissions = addToExcludedPermissions(excludedPermissions, methodPermission, ejbMethodPermission);
        }
    }
    if (uncheckedPermissions != null) {
        policyConfiguration.addToUncheckedPolicy(uncheckedPermissions);
    }
    if (excludedPermissions != null) {
        policyConfiguration.addToExcludedPolicy(excludedPermissions);
    }
    if (perRolePermissions != null) {
        for (Entry<String, Permissions> entry : perRolePermissions.entrySet()) {
            policyConfiguration.addToRole(entry.getKey(), entry.getValue());
        }
    }
}
Also used : Permissions(java.security.Permissions) ArrayList(java.util.ArrayList) List(java.util.List) Method(java.lang.reflect.Method) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) MethodDescriptor(com.sun.enterprise.deployment.MethodDescriptor) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) MethodPermission(com.sun.enterprise.deployment.MethodPermission)

Example 3 with EJBMethodPermission

use of javax.security.jacc.EJBMethodPermission in project hibernate-orm by hibernate.

the class StandardJaccServiceImpl method addPermission.

@Override
public void addPermission(GrantedPermission permissionDeclaration) {
    if (policyConfiguration == null) {
        policyConfiguration = locatePolicyConfiguration(contextId);
    }
    for (String grantedAction : permissionDeclaration.getPermissibleAction().getImpliedActions()) {
        final EJBMethodPermission permission = new EJBMethodPermission(permissionDeclaration.getEntityName(), grantedAction, // interfaces
        null, // arguments
        null);
        log.debugf("Adding permission [%s] to role [%s]", grantedAction, permissionDeclaration.getRole());
        try {
            policyConfiguration.addToRole(permissionDeclaration.getRole(), permission);
        } catch (PolicyContextException pce) {
            throw new HibernateException("policy context exception occurred", pce);
        }
    }
}
Also used : HibernateException(org.hibernate.HibernateException) PolicyContextException(javax.security.jacc.PolicyContextException) EJBMethodPermission(javax.security.jacc.EJBMethodPermission)

Example 4 with EJBMethodPermission

use of javax.security.jacc.EJBMethodPermission in project Payara by payara.

the class EJBSecurityManager method convertEJBMethodPermissions.

/**
 * This method converts the dd in two phases.
 * Phase 1:
 * gets a map representing the methodPermission elements exactly as they
 * occured for the ejb in the dd. The map is keyed by method-permission
 * element and each method-permission is mapped to a list of method
 * elements representing the method elements of the method permision
 * element. Each method element is converted to a corresponding
 * EJBMethodPermission and added, based on its associated method-permission,
 * to the policy configuration object.
 * phase 2:
 * configures additional EJBMethodPermission policy statements
 * for the purpose of optimizing Permissions.implies matching by the
 * policy provider. This phase also configures unchecked policy
 * statements for any uncovered methods. This method gets the list
 * of method descriptors for the ejb from the EjbDescriptor object.
 * For each method descriptor, it will get a list of MethodPermission
 * objects that signify the method permissions for the Method and
 * convert each to a corresponding EJBMethodPermission to be added
 * to the policy configuration object.
 *
 * @param eDescriptor the ejb descriptor for this EJB.
 * @param pcid,       the policy context identifier.
 */
private static void convertEJBMethodPermissions(EjbDescriptor eDescriptor, String pcid) throws PolicyContextException {
    PolicyConfiguration pc = getPolicyFactory().getPolicyConfiguration(pcid, false);
    // of PolicyConfigurationFactory
    assert pc != null;
    String eName = eDescriptor.getName();
    Permissions uncheckedPermissions = null;
    Permissions excludedPermissions = null;
    HashMap rolePermissionsTable = null;
    EJBMethodPermission ejbmp = null;
    // phase 1
    Map mpMap = eDescriptor.getMethodPermissionsFromDD();
    if (mpMap != null) {
        Iterator mpIt = mpMap.entrySet().iterator();
        while (mpIt.hasNext()) {
            Map.Entry entry = (Map.Entry) mpIt.next();
            MethodPermission mp = (MethodPermission) entry.getKey();
            Iterator mdIt = ((ArrayList) entry.getValue()).iterator();
            while (mdIt.hasNext()) {
                MethodDescriptor md = (MethodDescriptor) mdIt.next();
                String mthdName = md.getName();
                String mthdIntf = md.getEjbClassSymbol();
                String[] mthdParams = md.getStyle() == 3 ? md.getParameterClassNames() : null;
                ejbmp = new EJBMethodPermission(eName, mthdName.equals("*") ? null : mthdName, mthdIntf, mthdParams);
                rolePermissionsTable = addToRolePermissionsTable(rolePermissionsTable, mp, ejbmp);
                uncheckedPermissions = addToUncheckedPermissions(uncheckedPermissions, mp, ejbmp);
                excludedPermissions = addToExcludedPermissions(excludedPermissions, mp, ejbmp);
            }
        }
    }
    // phase 2 - configures additional perms:
    // . to optimize performance of Permissions.implies
    // . to cause any uncovered methods to be unchecked
    Iterator mdIt = eDescriptor.getMethodDescriptors().iterator();
    while (mdIt.hasNext()) {
        MethodDescriptor md = (MethodDescriptor) mdIt.next();
        Method mthd = md.getMethod(eDescriptor);
        String mthdIntf = md.getEjbClassSymbol();
        if (mthd == null) {
            continue;
        }
        if (mthdIntf == null || mthdIntf.equals("")) {
            _logger.log(Level.SEVERE, "method_descriptor_not_defined", new Object[] { eName, md.getName(), md.getParameterClassNames() });
            continue;
        }
        ejbmp = new EJBMethodPermission(eName, mthdIntf, mthd);
        Iterator mpIt = eDescriptor.getMethodPermissionsFor(md).iterator();
        while (mpIt.hasNext()) {
            MethodPermission mp = (MethodPermission) mpIt.next();
            rolePermissionsTable = addToRolePermissionsTable(rolePermissionsTable, mp, ejbmp);
            uncheckedPermissions = addToUncheckedPermissions(uncheckedPermissions, mp, ejbmp);
            excludedPermissions = addToExcludedPermissions(excludedPermissions, mp, ejbmp);
        }
    }
    if (uncheckedPermissions != null) {
        pc.addToUncheckedPolicy(uncheckedPermissions);
    }
    if (excludedPermissions != null) {
        pc.addToExcludedPolicy(excludedPermissions);
    }
    if (rolePermissionsTable != null) {
        Iterator roleIt = rolePermissionsTable.entrySet().iterator();
        while (roleIt.hasNext()) {
            Map.Entry entry = (Map.Entry) roleIt.next();
            pc.addToRole((String) entry.getKey(), (Permissions) entry.getValue());
        }
    }
}
Also used : HashMap(java.util.HashMap) WeakHashMap(java.util.WeakHashMap) ArrayList(java.util.ArrayList) Method(java.lang.reflect.Method) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) MethodDescriptor(com.sun.enterprise.deployment.MethodDescriptor) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) MethodPermission(com.sun.enterprise.deployment.MethodPermission) Permissions(java.security.Permissions) Iterator(java.util.Iterator) PolicyConfiguration(javax.security.jacc.PolicyConfiguration) Map(java.util.Map) HashMap(java.util.HashMap) WeakHashMap(java.util.WeakHashMap)

Example 5 with EJBMethodPermission

use of javax.security.jacc.EJBMethodPermission in project tomee by apache.

the class JaccPermissionsBuilder method addDeclaredEjbPermissions.

private void addDeclaredEjbPermissions(final EjbJarInfo ejbJar, final EnterpriseBeanInfo beanInfo, final String defaultRole, PermissionCollection notAssigned, final PolicyContext policyContext) throws OpenEJBException {
    final PermissionCollection uncheckedPermissions = policyContext.getUncheckedPermissions();
    final PermissionCollection excludedPermissions = policyContext.getExcludedPermissions();
    final Map<String, PermissionCollection> rolePermissions = policyContext.getRolePermissions();
    final String ejbName = beanInfo.ejbName;
    /**
     * JACC v1.0 section 3.1.5.1
     */
    for (final MethodPermissionInfo methodPermission : ejbJar.methodPermissions) {
        final List<String> roleNames = methodPermission.roleNames;
        final boolean unchecked = methodPermission.unchecked;
        final boolean excluded = methodPermission.excluded;
        for (final MethodInfo method : methodPermission.methods) {
            if (!ejbName.equals(method.ejbName)) {
                continue;
            }
            // method name
            String methodName = method.methodName;
            if ("*".equals(methodName)) {
                // jacc uses null instead of *
                methodName = null;
            }
            // method interface
            final String methodIntf = method.methodIntf;
            // method parameters
            final String[] methodParams;
            if (method.methodParams != null) {
                final List<String> paramList = method.methodParams;
                methodParams = paramList.toArray(new String[paramList.size()]);
            } else {
                methodParams = null;
            }
            // create the permission object
            final EJBMethodPermission permission = new EJBMethodPermission(ejbName, methodName, methodIntf, methodParams);
            notAssigned = cullPermissions(notAssigned, permission);
            // if this is unchecked, mark it as unchecked; otherwise assign the roles
            if (unchecked) {
                uncheckedPermissions.add(permission);
            } else if (excluded) {
                /**
                 * JACC v1.0 section 3.1.5.2
                 */
                excludedPermissions.add(permission);
            } else {
                for (final String roleName : roleNames) {
                    PermissionCollection permissions = rolePermissions.get(roleName);
                    if (permissions == null) {
                        permissions = DelegatePermissionCollection.getPermissionCollection();
                        rolePermissions.put(roleName, permissions);
                    }
                    permissions.add(permission);
                }
            }
        }
    }
    /**
     * JACC v1.0 section 3.1.5.3
     */
    for (final SecurityRoleReferenceInfo securityRoleRef : beanInfo.securityRoleReferences) {
        if (securityRoleRef.roleLink == null) {
            throw new OpenEJBException("Missing role-link");
        }
        final String roleLink = securityRoleRef.roleLink;
        PermissionCollection roleLinks = rolePermissions.get(roleLink);
        if (roleLinks == null) {
            roleLinks = DelegatePermissionCollection.getPermissionCollection();
            rolePermissions.put(roleLink, roleLinks);
        }
        roleLinks.add(new EJBRoleRefPermission(ejbName, securityRoleRef.roleName));
    }
    /**
     * EJB v2.1 section 21.3.2
     *
     * It is possible that some methods are not assigned to any security
     * roles nor contained in the <code>exclude-list</code> element. In
     * this case, it is the responsibility of the Deployer to assign method
     * permissions for all of the unspecified methods, either by assigning
     * them to security roles, or by marking them as <code>unchecked</code>.
     */
    PermissionCollection permissions;
    if (defaultRole == null) {
        permissions = uncheckedPermissions;
    } else {
        permissions = rolePermissions.get(defaultRole);
        if (permissions == null) {
            permissions = DelegatePermissionCollection.getPermissionCollection();
            rolePermissions.put(defaultRole, permissions);
        }
    }
    final Enumeration e = notAssigned.elements();
    while (e.hasMoreElements()) {
        final Permission p = (Permission) e.nextElement();
        permissions.add(p);
    }
}
Also used : PermissionCollection(java.security.PermissionCollection) OpenEJBException(org.apache.openejb.OpenEJBException) Enumeration(java.util.Enumeration) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) Permission(java.security.Permission)

Aggregations

EJBMethodPermission (javax.security.jacc.EJBMethodPermission)10 Method (java.lang.reflect.Method)5 MethodDescriptor (com.sun.enterprise.deployment.MethodDescriptor)2 MethodPermission (com.sun.enterprise.deployment.MethodPermission)2 Permission (java.security.Permission)2 Permissions (java.security.Permissions)2 Policy (java.security.Policy)2 ProtectionDomain (java.security.ProtectionDomain)2 ArrayList (java.util.ArrayList)2 Map (java.util.Map)2 EJBRoleRefPermission (javax.security.jacc.EJBRoleRefPermission)2 MethodInterfaceType (org.jboss.metadata.ejb.spec.MethodInterfaceType)2 AccessControlException (java.security.AccessControlException)1 CodeSource (java.security.CodeSource)1 PermissionCollection (java.security.PermissionCollection)1 Principal (java.security.Principal)1 PrivilegedAction (java.security.PrivilegedAction)1 Collection (java.util.Collection)1 Enumeration (java.util.Enumeration)1 HashMap (java.util.HashMap)1