Examples with EJBMethodPermission - javax.security.jacc.EJBMethodPermission

Example 6 with EJBMethodPermission

use of javax.security.jacc.EJBMethodPermission in project tomee by apache.

the class JaccPermissionsBuilder method addPossibleEjbMethodPermissions.

/**
 * Generate all the possible permissions for a bean's interface.
 *
 * Method permissions are defined in the deployment descriptor as a binary
 * relation from the set of security roles to the set of methods of the
 * home, component, and/or web service endpoint interfaces of session and
 * entity beans, including all their superinterfaces (including the methods
 * of the <code>EJBHome</code> and <code>EJBObject</code> interfaces and/or
 * <code>EJBLocalHome</code> and <code>EJBLocalObject</code> interfaces).
 *
 * @param permissions     the permission set to be extended
 * @param ejbName         the name of the EJB
 * @param methodInterface the EJB method interface
 * @param clazz           clazz
 * @throws OpenEJBException in case a class could not be found
 */
public void addPossibleEjbMethodPermissions(final PermissionCollection permissions, final String ejbName, final String methodInterface, final Class clazz) throws OpenEJBException {
    if (clazz == null) {
        return;
    }
    for (final Method method : clazz.getMethods()) {
        final String methodIface = "LocalBean".equals(methodInterface) || "LocalBeanHome".equals(methodInterface) ? null : methodInterface;
        permissions.add(new EJBMethodPermission(ejbName, methodIface, method));
    }
}

Also used : Method(java.lang.reflect.Method) EJBMethodPermission(javax.security.jacc.EJBMethodPermission)

Example 7 with EJBMethodPermission

use of javax.security.jacc.EJBMethodPermission in project tomee by apache.

the class AbstractSecurityService method isCallerAuthorized.

@Override
public boolean isCallerAuthorized(final Method method, final InterfaceType type) {
    final ThreadContext threadContext = ThreadContext.getThreadContext();
    final BeanContext beanContext = threadContext.getBeanContext();
    try {
        final String ejbName = beanContext.getEjbName();
        String name = type == null ? null : type.getSpecName();
        if ("LocalBean".equals(name) || "LocalBeanHome".equals(name)) {
            name = null;
        }
        final Identity currentIdentity = clientIdentity.get();
        final SecurityContext securityContext;
        if (currentIdentity == null) {
            securityContext = threadContext.get(SecurityContext.class);
        } else {
            securityContext = new SecurityContext(currentIdentity.getSubject());
        }
        securityContext.acc.checkPermission(new EJBMethodPermission(ejbName, name, method));
    } catch (final AccessControlException e) {
        return false;
    }
    return true;
}

Also used : BeanContext(org.apache.openejb.BeanContext) ThreadContext(org.apache.openejb.core.ThreadContext) AccessControlException(java.security.AccessControlException) EJBMethodPermission(javax.security.jacc.EJBMethodPermission)

Example 8 with EJBMethodPermission

use of javax.security.jacc.EJBMethodPermission in project wildfly by wildfly.

the class EjbJaccConfigurator method createPermissions.

protected boolean createPermissions(final EjbJaccConfig ejbJaccConfig, final EJBComponentDescription description, final EJBViewConfiguration ejbViewConfiguration, final Method viewMethod, final DeploymentReflectionIndex index, final ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions) {
    EJBMethodSecurityAttribute ejbMethodSecurityMetaData = permissions.getViewAttribute(ejbViewConfiguration.getMethodIntf(), viewMethod);
    // if this is null we try with the corresponding bean method.
    if (ejbMethodSecurityMetaData == null) {
        ejbMethodSecurityMetaData = permissions.getViewAttribute(MethodIntf.BEAN, viewMethod);
    }
    final Method classMethod = ClassReflectionIndexUtil.findMethod(index, ejbViewConfiguration.getComponentConfiguration().getComponentClass(), viewMethod);
    if (ejbMethodSecurityMetaData == null && classMethod != null) {
        // if this is null we try with the corresponding bean method.
        ejbMethodSecurityMetaData = permissions.getAttribute(ejbViewConfiguration.getMethodIntf(), classMethod);
        if (ejbMethodSecurityMetaData == null) {
            ejbMethodSecurityMetaData = permissions.getAttribute(MethodIntf.BEAN, classMethod);
        }
    }
    // check if any security metadata was defined for the method.
    if (ejbMethodSecurityMetaData != null) {
        final MethodInterfaceType interfaceType = this.getMethodInterfaceType(ejbViewConfiguration.getMethodIntf());
        final EJBMethodPermission permission = new EJBMethodPermission(description.getEJBName(), interfaceType.name(), viewMethod);
        if (ejbMethodSecurityMetaData.isPermitAll()) {
            ejbJaccConfig.addPermit(permission);
        }
        if (ejbMethodSecurityMetaData.isDenyAll()) {
            ejbJaccConfig.addDeny(permission);
        }
        for (String role : ejbMethodSecurityMetaData.getRolesAllowed()) {
            ejbJaccConfig.addRole(role, permission);
        }
        return true;
    }
    return false;
}

Also used : Method(java.lang.reflect.Method) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) MethodInterfaceType(org.jboss.metadata.ejb.spec.MethodInterfaceType)

Example 9 with EJBMethodPermission

use of javax.security.jacc.EJBMethodPermission in project wildfly by wildfly.

the class EjbJaccConfigurator method configure.

@Override
public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
    final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
    final DeploymentReflectionIndex reflectionIndex = deploymentUnit.getAttachment(Attachments.REFLECTION_INDEX);
    final EJBComponentDescription ejbComponentDescription = EJBComponentDescription.class.cast(description);
    final EjbJaccConfig ejbJaccConfig = new EjbJaccConfig();
    context.getDeploymentUnit().addToAttachmentList(EjbDeploymentAttachmentKeys.JACC_PERMISSIONS, ejbJaccConfig);
    // process the method permissions.
    for (final ViewConfiguration viewConfiguration : configuration.getViews()) {
        final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
        for (final Method viewMethod : viewMethods) {
            if (!Modifier.isPublic(viewMethod.getModifiers()) || viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
                continue;
            }
            final EJBViewConfiguration ejbViewConfiguration = EJBViewConfiguration.class.cast(viewConfiguration);
            // try to create permissions using the descriptor metadata first.
            ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions = ejbComponentDescription.getDescriptorMethodPermissions();
            boolean createdPerms = this.createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
            // no permissions created using the descriptor metadata - try to use annotation metadata.
            if (!createdPerms) {
                permissions = ejbComponentDescription.getAnnotationMethodPermissions();
                createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
            }
        }
    }
    Set<String> securityRoles = new HashSet<String>();
    // get all roles from the deployments descriptor (assembly descriptor roles)
    SecurityRolesMetaData secRolesMetaData = ejbComponentDescription.getSecurityRoles();
    if (secRolesMetaData != null) {
        for (SecurityRoleMetaData secRoleMetaData : secRolesMetaData) {
            securityRoles.add(secRoleMetaData.getRoleName());
        }
    }
    // at this point any roles specified via RolesAllowed annotation have been mapped to EJBMethodPermissions, so
    // going through the permissions allows us to retrieve these roles.
    // TODO there might be a better way to retrieve just annotated roles without going through all processed permissions
    List<Map.Entry<String, Permission>> processedRoles = ejbJaccConfig.getRoles();
    for (Map.Entry<String, Permission> entry : processedRoles) {
        securityRoles.add(entry.getKey());
    }
    securityRoles.add(ANY_AUTHENTICATED_USER_ROLE);
    // process the security-role-ref from the deployment descriptor.
    Map<String, Collection<String>> securityRoleRefs = ejbComponentDescription.getSecurityRoleLinks();
    for (Map.Entry<String, Collection<String>> entry : securityRoleRefs.entrySet()) {
        String roleName = entry.getKey();
        for (String roleLink : entry.getValue()) {
            EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), roleName);
            ejbJaccConfig.addRole(roleLink, p);
        }
        securityRoles.remove(roleName);
    }
    // process remaining annotated declared roles that were not overridden in the descriptor.
    Set<String> declaredRoles = ejbComponentDescription.getDeclaredRoles();
    for (String role : declaredRoles) {
        if (!securityRoleRefs.containsKey(role)) {
            EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
            ejbJaccConfig.addRole(role, p);
        }
        securityRoles.remove(role);
    }
    // an EJBRoleRefPermission must be created for each declared role that does not appear in the security-role-ref.
    for (String role : securityRoles) {
        EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
        ejbJaccConfig.addRole(role, p);
    }
    // proxy by sending an invocation to the ejb container.
    if (ejbComponentDescription instanceof SessionBeanComponentDescription) {
        SessionBeanComponentDescription session = SessionBeanComponentDescription.class.cast(ejbComponentDescription);
        if (session.isStateful()) {
            EJBMethodPermission p = new EJBMethodPermission(ejbComponentDescription.getEJBName(), "getEJBObject", "Home", null);
            ejbJaccConfig.addPermit(p);
        }
    }
}

Also used : SecurityRoleMetaData(org.jboss.metadata.javaee.spec.SecurityRoleMetaData) EJBViewConfiguration(org.jboss.as.ejb3.component.EJBViewConfiguration) SecurityRolesMetaData(org.jboss.metadata.javaee.spec.SecurityRolesMetaData) WriteReplaceInterface(org.jboss.as.ee.component.serialization.WriteReplaceInterface) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription) ViewConfiguration(org.jboss.as.ee.component.ViewConfiguration) EJBViewConfiguration(org.jboss.as.ejb3.component.EJBViewConfiguration) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) Permission(java.security.Permission) HashSet(java.util.HashSet) Method(java.lang.reflect.Method) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) Collection(java.util.Collection) DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit) DeploymentReflectionIndex(org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex) Map(java.util.Map) SessionBeanComponentDescription(org.jboss.as.ejb3.component.session.SessionBeanComponentDescription)

Example 10 with EJBMethodPermission

use of javax.security.jacc.EJBMethodPermission in project wildfly by wildfly.

the class JaccInterceptor method hasPermission.

private void hasPermission(EJBComponent ejbComponent, ComponentView componentView, Method method, SecurityIdentity securityIdentity) {
    MethodInterfaceType methodIntfType = getMethodInterfaceType(componentView.getPrivateData(MethodIntf.class));
    EJBMethodPermission permission = createEjbMethodPermission(method, ejbComponent, methodIntfType);
    ProtectionDomain domain = new ProtectionDomain(componentView.getProxyClass().getProtectionDomain().getCodeSource(), null, null, getGrantedRoles(securityIdentity));
    Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy) : Policy.getPolicy();
    if (!policy.implies(domain, permission)) {
        throw EjbLogger.ROOT_LOGGER.invocationOfMethodNotAllowed(method, ejbComponent.getComponentName());
    }
}

Also used : Policy(java.security.Policy) ProtectionDomain(java.security.ProtectionDomain) PrivilegedAction(java.security.PrivilegedAction) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) MethodInterfaceType(org.jboss.metadata.ejb.spec.MethodInterfaceType) MethodIntf(org.jboss.as.ejb3.component.MethodIntf)

Aggregations

EJBMethodPermission (javax.security.jacc.EJBMethodPermission)10 Method (java.lang.reflect.Method)5 MethodDescriptor (com.sun.enterprise.deployment.MethodDescriptor)2 MethodPermission (com.sun.enterprise.deployment.MethodPermission)2 Permission (java.security.Permission)2 Permissions (java.security.Permissions)2 Policy (java.security.Policy)2 ProtectionDomain (java.security.ProtectionDomain)2 ArrayList (java.util.ArrayList)2 Map (java.util.Map)2 EJBRoleRefPermission (javax.security.jacc.EJBRoleRefPermission)2 MethodInterfaceType (org.jboss.metadata.ejb.spec.MethodInterfaceType)2 AccessControlException (java.security.AccessControlException)1 CodeSource (java.security.CodeSource)1 PermissionCollection (java.security.PermissionCollection)1 Principal (java.security.Principal)1 PrivilegedAction (java.security.PrivilegedAction)1 Collection (java.util.Collection)1 Enumeration (java.util.Enumeration)1 HashMap (java.util.HashMap)1