Examples with EJBRoleRefPermission javax.security.jacc.EJBRoleRefPermission used on opensource projects

Example 1 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.

the class JDKPolicyFileWrapper method logImpliesFailure.

private void logImpliesFailure(Permission permission, String contextId, ProtectionDomain domain) {
    if (!(permission instanceof WebResourcePermission) && !(permission instanceof MBeanPermission) && !(permission instanceof WebRoleRefPermission) && !(permission instanceof EJBRoleRefPermission)) {
        if (logger.isLoggable(FINE)) {
            Exception ex = new Exception();
            ex.fillInStackTrace();
            logger.log(FINE, "JACC Policy Provider, failed Permission Check at :", ex);
        }
        doPrivileged(new PrivilegedAction<Object>() {

            @Override
            public Object run() {
                logger.info("JACC Policy Provider: Failed Permission Check, context(" + contextId + ")- permission(" + permission + ")");
                if (logger.isLoggable(FINE)) {
                    logger.fine("Domain that failed(" + domain + ")");
                }
                return null;
            }
        });
    }
}

Example 2 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.

the class JaccEJBConstraintsTranslator method writeOutPermissionsForNonRoleRefRoles.

private static void writeOutPermissionsForNonRoleRefRoles(Collection<Role> allRoles, Collection<Role> ejbScopedRoleNames, String ejbName, PolicyConfiguration policyConfiguration) throws PolicyContextException {
    for (Role role : allRoles) {
        if (_logger.isLoggable(FINE)) {
            _logger.fine("JACC: Converting role-ref: Looking at Role =  " + role.getName());
        }
        if (!ejbScopedRoleNames.contains(role)) {
            String roleName = role.getName();
            policyConfiguration.addToRole(roleName, new EJBRoleRefPermission(ejbName, roleName));
            if (_logger.isLoggable(FINE)) {
                _logger.fine("JACC: Converting role-ref: Role =  " + role.getName() + " is added as a permission with name(" + ejbName + ")" + " and actions (" + roleName + ")" + " mapped to role (" + roleName + ")");
            }
        }
    }
}

Example 3 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.

the class JaccEJBConstraintsTranslator method writeOutPermissionsForRoleRefRoles.

private static void writeOutPermissionsForRoleRefRoles(Collection<RoleReference> roleReferences, List<Role> ejbScopedRoleNames, String ejbName, PolicyConfiguration policyConfiguration) throws PolicyContextException {
    for (RoleReference roleReference : roleReferences) {
        // The name of a role, local (scoped) to a single EJB
        String ejbScopedRoleName = roleReference.getRoleName();
        ejbScopedRoleNames.add(new Role(ejbScopedRoleName));
        // The name of the global role to which the local EJB scoped role links (is mapped)
        String globalRoleName = roleReference.getSecurityRoleLink().getName();
        // Write the role reference to the target policy configuration
        policyConfiguration.addToRole(globalRoleName, new EJBRoleRefPermission(ejbName, ejbScopedRoleName));
        if (_logger.isLoggable(FINE)) {
            _logger.fine("JACC: Converting role-ref -> " + roleReference.toString() + " to permission with name(" + ejbName + ")" + " and actions (" + ejbScopedRoleName + ")" + " mapped to role (" + globalRoleName + ")");
        }
    }
}

Example 4 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.

the class EJBSecurityManager method convertEJBRoleReferences.

/**
 * This method converts ejb role references to jacc permission objects
 * and adds them to the policy configuration object
 * It gets the list of role references from the ejb descriptor. For each
 * such role reference, create a EJBRoleRefPermission and add it to the
 * PolicyConfiguration object.
 *
 * @param eDescriptor the ejb descriptor
 * @param pcid,       the policy context identifier
 */
private static void convertEJBRoleReferences(EjbDescriptor eDescriptor, String pcid) throws PolicyContextException {
    PolicyConfiguration pc = getPolicyFactory().getPolicyConfiguration(pcid, false);
    // of PolicyConfigurationFactory
    assert pc != null;
    // Get the set of roles declared
    Set<Role> roleset = eDescriptor.getEjbBundleDescriptor().getRoles();
    Role anyAuthUserRole = new Role("**");
    boolean rolesetContainsAnyAuthUserRole = roleset.contains(anyAuthUserRole);
    List<Role> role = new ArrayList<Role>();
    String eName = eDescriptor.getName();
    for (RoleReference roleRef : eDescriptor.getRoleReferences()) {
        String rolename = roleRef.getRoleName();
        EJBRoleRefPermission ejbrr = new EJBRoleRefPermission(eName, rolename);
        String rolelink = roleRef.getSecurityRoleLink().getName();
        role.add(new Role(rolename));
        pc.addToRole(rolelink, ejbrr);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("JACC: Converting role-ref -> " + roleRef.toString() + " to permission with name(" + ejbrr.getName() + ") and actions (" + ejbrr.getActions() + ")" + "mapped to role (" + rolelink + ")");
        }
    }
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "JACC: Converting role-ref: Going through the list of roles not present in RoleRef elements and creating EJBRoleRefPermissions ");
    }
    for (Role r : roleset) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "JACC: Converting role-ref: Looking at Role =  " + r.getName());
        }
        if (!role.contains(r)) {
            String action = r.getName();
            EJBRoleRefPermission ejbrr = new EJBRoleRefPermission(eName, action);
            pc.addToRole(action, ejbrr);
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("JACC: Converting role-ref: Role =  " + r.getName() + " is added as a permission with name(" + ejbrr.getName() + ") and actions (" + ejbrr.getActions() + ")" + "mapped to role (" + action + ")");
            }
        }
    }
    /**
     * JACC MR8 add EJBRoleRefPermission for the any authenticated user role '**'
     */
    if ((!role.contains(anyAuthUserRole)) && !rolesetContainsAnyAuthUserRole) {
        String rolename = anyAuthUserRole.getName();
        EJBRoleRefPermission ejbrr = new EJBRoleRefPermission(eName, rolename);
        pc.addToRole(rolename, ejbrr);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("JACC: Converting role-ref: Adding any authenticated user role-ref " + " to permission with name(" + ejbrr.getName() + ") and actions (" + ejbrr.getActions() + ")" + "mapped to role (" + rolename + ")");
        }
    }
}

Example 5 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project wildfly by wildfly.

the class EjbJaccConfigurator method configure.

@Override
public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
    final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
    final DeploymentReflectionIndex reflectionIndex = deploymentUnit.getAttachment(Attachments.REFLECTION_INDEX);
    final EJBComponentDescription ejbComponentDescription = EJBComponentDescription.class.cast(description);
    final EjbJaccConfig ejbJaccConfig = new EjbJaccConfig();
    context.getDeploymentUnit().addToAttachmentList(EjbDeploymentAttachmentKeys.JACC_PERMISSIONS, ejbJaccConfig);
    // process the method permissions.
    for (final ViewConfiguration viewConfiguration : configuration.getViews()) {
        final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
        for (final Method viewMethod : viewMethods) {
            if (!Modifier.isPublic(viewMethod.getModifiers()) || viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
                continue;
            }
            final EJBViewConfiguration ejbViewConfiguration = EJBViewConfiguration.class.cast(viewConfiguration);
            // try to create permissions using the descriptor metadata first.
            ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions = ejbComponentDescription.getDescriptorMethodPermissions();
            boolean createdPerms = this.createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
            // no permissions created using the descriptor metadata - try to use annotation metadata.
            if (!createdPerms) {
                permissions = ejbComponentDescription.getAnnotationMethodPermissions();
                createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
            }
        }
    }
    Set<String> securityRoles = new HashSet<String>();
    // get all roles from the deployments descriptor (assembly descriptor roles)
    SecurityRolesMetaData secRolesMetaData = ejbComponentDescription.getSecurityRoles();
    if (secRolesMetaData != null) {
        for (SecurityRoleMetaData secRoleMetaData : secRolesMetaData) {
            securityRoles.add(secRoleMetaData.getRoleName());
        }
    }
    // at this point any roles specified via RolesAllowed annotation have been mapped to EJBMethodPermissions, so
    // going through the permissions allows us to retrieve these roles.
    // TODO there might be a better way to retrieve just annotated roles without going through all processed permissions
    List<Map.Entry<String, Permission>> processedRoles = ejbJaccConfig.getRoles();
    for (Map.Entry<String, Permission> entry : processedRoles) {
        securityRoles.add(entry.getKey());
    }
    securityRoles.add(ANY_AUTHENTICATED_USER_ROLE);
    // process the security-role-ref from the deployment descriptor.
    Map<String, Collection<String>> securityRoleRefs = ejbComponentDescription.getSecurityRoleLinks();
    for (Map.Entry<String, Collection<String>> entry : securityRoleRefs.entrySet()) {
        String roleName = entry.getKey();
        for (String roleLink : entry.getValue()) {
            EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), roleName);
            ejbJaccConfig.addRole(roleLink, p);
        }
        securityRoles.remove(roleName);
    }
    // process remaining annotated declared roles that were not overridden in the descriptor.
    Set<String> declaredRoles = ejbComponentDescription.getDeclaredRoles();
    for (String role : declaredRoles) {
        if (!securityRoleRefs.containsKey(role)) {
            EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
            ejbJaccConfig.addRole(role, p);
        }
        securityRoles.remove(role);
    }
    // an EJBRoleRefPermission must be created for each declared role that does not appear in the security-role-ref.
    for (String role : securityRoles) {
        EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
        ejbJaccConfig.addRole(role, p);
    }
    // proxy by sending an invocation to the ejb container.
    if (ejbComponentDescription instanceof SessionBeanComponentDescription) {
        SessionBeanComponentDescription session = SessionBeanComponentDescription.class.cast(ejbComponentDescription);
        if (session.isStateful()) {
            EJBMethodPermission p = new EJBMethodPermission(ejbComponentDescription.getEJBName(), "getEJBObject", "Home", null);
            ejbJaccConfig.addPermit(p);
        }
    }
}