use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.
the class JDKPolicyFileWrapper method logImpliesFailure.
private void logImpliesFailure(Permission permission, String contextId, ProtectionDomain domain) {
if (!(permission instanceof WebResourcePermission) && !(permission instanceof MBeanPermission) && !(permission instanceof WebRoleRefPermission) && !(permission instanceof EJBRoleRefPermission)) {
if (logger.isLoggable(FINE)) {
Exception ex = new Exception();
ex.fillInStackTrace();
logger.log(FINE, "JACC Policy Provider, failed Permission Check at :", ex);
}
doPrivileged(new PrivilegedAction<Object>() {
@Override
public Object run() {
logger.info("JACC Policy Provider: Failed Permission Check, context(" + contextId + ")- permission(" + permission + ")");
if (logger.isLoggable(FINE)) {
logger.fine("Domain that failed(" + domain + ")");
}
return null;
}
});
}
}
use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.
the class JaccEJBConstraintsTranslator method writeOutPermissionsForNonRoleRefRoles.
private static void writeOutPermissionsForNonRoleRefRoles(Collection<Role> allRoles, Collection<Role> ejbScopedRoleNames, String ejbName, PolicyConfiguration policyConfiguration) throws PolicyContextException {
for (Role role : allRoles) {
if (_logger.isLoggable(FINE)) {
_logger.fine("JACC: Converting role-ref: Looking at Role = " + role.getName());
}
if (!ejbScopedRoleNames.contains(role)) {
String roleName = role.getName();
policyConfiguration.addToRole(roleName, new EJBRoleRefPermission(ejbName, roleName));
if (_logger.isLoggable(FINE)) {
_logger.fine("JACC: Converting role-ref: Role = " + role.getName() + " is added as a permission with name(" + ejbName + ")" + " and actions (" + roleName + ")" + " mapped to role (" + roleName + ")");
}
}
}
}
use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.
the class JaccEJBConstraintsTranslator method writeOutPermissionsForRoleRefRoles.
private static void writeOutPermissionsForRoleRefRoles(Collection<RoleReference> roleReferences, List<Role> ejbScopedRoleNames, String ejbName, PolicyConfiguration policyConfiguration) throws PolicyContextException {
for (RoleReference roleReference : roleReferences) {
// The name of a role, local (scoped) to a single EJB
String ejbScopedRoleName = roleReference.getRoleName();
ejbScopedRoleNames.add(new Role(ejbScopedRoleName));
// The name of the global role to which the local EJB scoped role links (is mapped)
String globalRoleName = roleReference.getSecurityRoleLink().getName();
// Write the role reference to the target policy configuration
policyConfiguration.addToRole(globalRoleName, new EJBRoleRefPermission(ejbName, ejbScopedRoleName));
if (_logger.isLoggable(FINE)) {
_logger.fine("JACC: Converting role-ref -> " + roleReference.toString() + " to permission with name(" + ejbName + ")" + " and actions (" + ejbScopedRoleName + ")" + " mapped to role (" + globalRoleName + ")");
}
}
}
use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.
the class EJBSecurityManager method convertEJBRoleReferences.
/**
* This method converts ejb role references to jacc permission objects
* and adds them to the policy configuration object
* It gets the list of role references from the ejb descriptor. For each
* such role reference, create a EJBRoleRefPermission and add it to the
* PolicyConfiguration object.
*
* @param eDescriptor the ejb descriptor
* @param pcid, the policy context identifier
*/
private static void convertEJBRoleReferences(EjbDescriptor eDescriptor, String pcid) throws PolicyContextException {
PolicyConfiguration pc = getPolicyFactory().getPolicyConfiguration(pcid, false);
// of PolicyConfigurationFactory
assert pc != null;
// Get the set of roles declared
Set<Role> roleset = eDescriptor.getEjbBundleDescriptor().getRoles();
Role anyAuthUserRole = new Role("**");
boolean rolesetContainsAnyAuthUserRole = roleset.contains(anyAuthUserRole);
List<Role> role = new ArrayList<Role>();
String eName = eDescriptor.getName();
for (RoleReference roleRef : eDescriptor.getRoleReferences()) {
String rolename = roleRef.getRoleName();
EJBRoleRefPermission ejbrr = new EJBRoleRefPermission(eName, rolename);
String rolelink = roleRef.getSecurityRoleLink().getName();
role.add(new Role(rolename));
pc.addToRole(rolelink, ejbrr);
if (_logger.isLoggable(Level.FINE)) {
_logger.fine("JACC: Converting role-ref -> " + roleRef.toString() + " to permission with name(" + ejbrr.getName() + ") and actions (" + ejbrr.getActions() + ")" + "mapped to role (" + rolelink + ")");
}
}
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "JACC: Converting role-ref: Going through the list of roles not present in RoleRef elements and creating EJBRoleRefPermissions ");
}
for (Role r : roleset) {
if (_logger.isLoggable(Level.FINE)) {
_logger.log(Level.FINE, "JACC: Converting role-ref: Looking at Role = " + r.getName());
}
if (!role.contains(r)) {
String action = r.getName();
EJBRoleRefPermission ejbrr = new EJBRoleRefPermission(eName, action);
pc.addToRole(action, ejbrr);
if (_logger.isLoggable(Level.FINE)) {
_logger.fine("JACC: Converting role-ref: Role = " + r.getName() + " is added as a permission with name(" + ejbrr.getName() + ") and actions (" + ejbrr.getActions() + ")" + "mapped to role (" + action + ")");
}
}
}
/**
* JACC MR8 add EJBRoleRefPermission for the any authenticated user role '**'
*/
if ((!role.contains(anyAuthUserRole)) && !rolesetContainsAnyAuthUserRole) {
String rolename = anyAuthUserRole.getName();
EJBRoleRefPermission ejbrr = new EJBRoleRefPermission(eName, rolename);
pc.addToRole(rolename, ejbrr);
if (_logger.isLoggable(Level.FINE)) {
_logger.fine("JACC: Converting role-ref: Adding any authenticated user role-ref " + " to permission with name(" + ejbrr.getName() + ") and actions (" + ejbrr.getActions() + ")" + "mapped to role (" + rolename + ")");
}
}
}
use of javax.security.jacc.EJBRoleRefPermission in project wildfly by wildfly.
the class EjbJaccConfigurator method configure.
@Override
public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
final DeploymentReflectionIndex reflectionIndex = deploymentUnit.getAttachment(Attachments.REFLECTION_INDEX);
final EJBComponentDescription ejbComponentDescription = EJBComponentDescription.class.cast(description);
final EjbJaccConfig ejbJaccConfig = new EjbJaccConfig();
context.getDeploymentUnit().addToAttachmentList(EjbDeploymentAttachmentKeys.JACC_PERMISSIONS, ejbJaccConfig);
// process the method permissions.
for (final ViewConfiguration viewConfiguration : configuration.getViews()) {
final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
for (final Method viewMethod : viewMethods) {
if (!Modifier.isPublic(viewMethod.getModifiers()) || viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
continue;
}
final EJBViewConfiguration ejbViewConfiguration = EJBViewConfiguration.class.cast(viewConfiguration);
// try to create permissions using the descriptor metadata first.
ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions = ejbComponentDescription.getDescriptorMethodPermissions();
boolean createdPerms = this.createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
// no permissions created using the descriptor metadata - try to use annotation metadata.
if (!createdPerms) {
permissions = ejbComponentDescription.getAnnotationMethodPermissions();
createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
}
}
}
Set<String> securityRoles = new HashSet<String>();
// get all roles from the deployments descriptor (assembly descriptor roles)
SecurityRolesMetaData secRolesMetaData = ejbComponentDescription.getSecurityRoles();
if (secRolesMetaData != null) {
for (SecurityRoleMetaData secRoleMetaData : secRolesMetaData) {
securityRoles.add(secRoleMetaData.getRoleName());
}
}
// at this point any roles specified via RolesAllowed annotation have been mapped to EJBMethodPermissions, so
// going through the permissions allows us to retrieve these roles.
// TODO there might be a better way to retrieve just annotated roles without going through all processed permissions
List<Map.Entry<String, Permission>> processedRoles = ejbJaccConfig.getRoles();
for (Map.Entry<String, Permission> entry : processedRoles) {
securityRoles.add(entry.getKey());
}
securityRoles.add(ANY_AUTHENTICATED_USER_ROLE);
// process the security-role-ref from the deployment descriptor.
Map<String, Collection<String>> securityRoleRefs = ejbComponentDescription.getSecurityRoleLinks();
for (Map.Entry<String, Collection<String>> entry : securityRoleRefs.entrySet()) {
String roleName = entry.getKey();
for (String roleLink : entry.getValue()) {
EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), roleName);
ejbJaccConfig.addRole(roleLink, p);
}
securityRoles.remove(roleName);
}
// process remaining annotated declared roles that were not overridden in the descriptor.
Set<String> declaredRoles = ejbComponentDescription.getDeclaredRoles();
for (String role : declaredRoles) {
if (!securityRoleRefs.containsKey(role)) {
EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
ejbJaccConfig.addRole(role, p);
}
securityRoles.remove(role);
}
// an EJBRoleRefPermission must be created for each declared role that does not appear in the security-role-ref.
for (String role : securityRoles) {
EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
ejbJaccConfig.addRole(role, p);
}
// proxy by sending an invocation to the ejb container.
if (ejbComponentDescription instanceof SessionBeanComponentDescription) {
SessionBeanComponentDescription session = SessionBeanComponentDescription.class.cast(ejbComponentDescription);
if (session.isStateful()) {
EJBMethodPermission p = new EJBMethodPermission(ejbComponentDescription.getEJBName(), "getEJBObject", "Home", null);
ejbJaccConfig.addPermit(p);
}
}
}
Aggregations