Search in sources :

Example 1 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.

the class JDKPolicyFileWrapper method logImpliesFailure.

private void logImpliesFailure(Permission permission, String contextId, ProtectionDomain domain) {
    if (!(permission instanceof WebResourcePermission) && !(permission instanceof MBeanPermission) && !(permission instanceof WebRoleRefPermission) && !(permission instanceof EJBRoleRefPermission)) {
        if (logger.isLoggable(FINE)) {
            Exception ex = new Exception();
            ex.fillInStackTrace();
            logger.log(FINE, "JACC Policy Provider, failed Permission Check at :", ex);
        }
        doPrivileged(new PrivilegedAction<Object>() {

            @Override
            public Object run() {
                logger.info("JACC Policy Provider: Failed Permission Check, context(" + contextId + ")- permission(" + permission + ")");
                if (logger.isLoggable(FINE)) {
                    logger.fine("Domain that failed(" + domain + ")");
                }
                return null;
            }
        });
    }
}
Also used : WebResourcePermission(javax.security.jacc.WebResourcePermission) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) MBeanPermission(javax.management.MBeanPermission) WebRoleRefPermission(javax.security.jacc.WebRoleRefPermission) URISyntaxException(java.net.URISyntaxException) MalformedURLException(java.net.MalformedURLException) ExpandException(sun.security.util.PropertyExpander.ExpandException) PolicyContextException(javax.security.jacc.PolicyContextException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)

Example 2 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.

the class JaccEJBConstraintsTranslator method writeOutPermissionsForNonRoleRefRoles.

private static void writeOutPermissionsForNonRoleRefRoles(Collection<Role> allRoles, Collection<Role> ejbScopedRoleNames, String ejbName, PolicyConfiguration policyConfiguration) throws PolicyContextException {
    for (Role role : allRoles) {
        if (_logger.isLoggable(FINE)) {
            _logger.fine("JACC: Converting role-ref: Looking at Role =  " + role.getName());
        }
        if (!ejbScopedRoleNames.contains(role)) {
            String roleName = role.getName();
            policyConfiguration.addToRole(roleName, new EJBRoleRefPermission(ejbName, roleName));
            if (_logger.isLoggable(FINE)) {
                _logger.fine("JACC: Converting role-ref: Role =  " + role.getName() + " is added as a permission with name(" + ejbName + ")" + " and actions (" + roleName + ")" + " mapped to role (" + roleName + ")");
            }
        }
    }
}
Also used : Role(org.glassfish.security.common.Role) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission)

Example 3 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.

the class JaccEJBConstraintsTranslator method writeOutPermissionsForRoleRefRoles.

private static void writeOutPermissionsForRoleRefRoles(Collection<RoleReference> roleReferences, List<Role> ejbScopedRoleNames, String ejbName, PolicyConfiguration policyConfiguration) throws PolicyContextException {
    for (RoleReference roleReference : roleReferences) {
        // The name of a role, local (scoped) to a single EJB
        String ejbScopedRoleName = roleReference.getRoleName();
        ejbScopedRoleNames.add(new Role(ejbScopedRoleName));
        // The name of the global role to which the local EJB scoped role links (is mapped)
        String globalRoleName = roleReference.getSecurityRoleLink().getName();
        // Write the role reference to the target policy configuration
        policyConfiguration.addToRole(globalRoleName, new EJBRoleRefPermission(ejbName, ejbScopedRoleName));
        if (_logger.isLoggable(FINE)) {
            _logger.fine("JACC: Converting role-ref -> " + roleReference.toString() + " to permission with name(" + ejbName + ")" + " and actions (" + ejbScopedRoleName + ")" + " mapped to role (" + globalRoleName + ")");
        }
    }
}
Also used : Role(org.glassfish.security.common.Role) RoleReference(com.sun.enterprise.deployment.RoleReference) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission)

Example 4 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project Payara by payara.

the class EJBSecurityManager method convertEJBRoleReferences.

/**
 * This method converts ejb role references to jacc permission objects
 * and adds them to the policy configuration object
 * It gets the list of role references from the ejb descriptor. For each
 * such role reference, create a EJBRoleRefPermission and add it to the
 * PolicyConfiguration object.
 *
 * @param eDescriptor the ejb descriptor
 * @param pcid,       the policy context identifier
 */
private static void convertEJBRoleReferences(EjbDescriptor eDescriptor, String pcid) throws PolicyContextException {
    PolicyConfiguration pc = getPolicyFactory().getPolicyConfiguration(pcid, false);
    // of PolicyConfigurationFactory
    assert pc != null;
    // Get the set of roles declared
    Set<Role> roleset = eDescriptor.getEjbBundleDescriptor().getRoles();
    Role anyAuthUserRole = new Role("**");
    boolean rolesetContainsAnyAuthUserRole = roleset.contains(anyAuthUserRole);
    List<Role> role = new ArrayList<Role>();
    String eName = eDescriptor.getName();
    for (RoleReference roleRef : eDescriptor.getRoleReferences()) {
        String rolename = roleRef.getRoleName();
        EJBRoleRefPermission ejbrr = new EJBRoleRefPermission(eName, rolename);
        String rolelink = roleRef.getSecurityRoleLink().getName();
        role.add(new Role(rolename));
        pc.addToRole(rolelink, ejbrr);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("JACC: Converting role-ref -> " + roleRef.toString() + " to permission with name(" + ejbrr.getName() + ") and actions (" + ejbrr.getActions() + ")" + "mapped to role (" + rolelink + ")");
        }
    }
    if (_logger.isLoggable(Level.FINE)) {
        _logger.log(Level.FINE, "JACC: Converting role-ref: Going through the list of roles not present in RoleRef elements and creating EJBRoleRefPermissions ");
    }
    for (Role r : roleset) {
        if (_logger.isLoggable(Level.FINE)) {
            _logger.log(Level.FINE, "JACC: Converting role-ref: Looking at Role =  " + r.getName());
        }
        if (!role.contains(r)) {
            String action = r.getName();
            EJBRoleRefPermission ejbrr = new EJBRoleRefPermission(eName, action);
            pc.addToRole(action, ejbrr);
            if (_logger.isLoggable(Level.FINE)) {
                _logger.fine("JACC: Converting role-ref: Role =  " + r.getName() + " is added as a permission with name(" + ejbrr.getName() + ") and actions (" + ejbrr.getActions() + ")" + "mapped to role (" + action + ")");
            }
        }
    }
    /**
     * JACC MR8 add EJBRoleRefPermission for the any authenticated user role '**'
     */
    if ((!role.contains(anyAuthUserRole)) && !rolesetContainsAnyAuthUserRole) {
        String rolename = anyAuthUserRole.getName();
        EJBRoleRefPermission ejbrr = new EJBRoleRefPermission(eName, rolename);
        pc.addToRole(rolename, ejbrr);
        if (_logger.isLoggable(Level.FINE)) {
            _logger.fine("JACC: Converting role-ref: Adding any authenticated user role-ref " + " to permission with name(" + ejbrr.getName() + ") and actions (" + ejbrr.getActions() + ")" + "mapped to role (" + rolename + ")");
        }
    }
}
Also used : Role(org.glassfish.security.common.Role) RoleReference(com.sun.enterprise.deployment.RoleReference) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) ArrayList(java.util.ArrayList) PolicyConfiguration(javax.security.jacc.PolicyConfiguration)

Example 5 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project wildfly by wildfly.

the class EjbJaccConfigurator method configure.

@Override
public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
    final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
    final DeploymentReflectionIndex reflectionIndex = deploymentUnit.getAttachment(Attachments.REFLECTION_INDEX);
    final EJBComponentDescription ejbComponentDescription = EJBComponentDescription.class.cast(description);
    final EjbJaccConfig ejbJaccConfig = new EjbJaccConfig();
    context.getDeploymentUnit().addToAttachmentList(EjbDeploymentAttachmentKeys.JACC_PERMISSIONS, ejbJaccConfig);
    // process the method permissions.
    for (final ViewConfiguration viewConfiguration : configuration.getViews()) {
        final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
        for (final Method viewMethod : viewMethods) {
            if (!Modifier.isPublic(viewMethod.getModifiers()) || viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
                continue;
            }
            final EJBViewConfiguration ejbViewConfiguration = EJBViewConfiguration.class.cast(viewConfiguration);
            // try to create permissions using the descriptor metadata first.
            ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions = ejbComponentDescription.getDescriptorMethodPermissions();
            boolean createdPerms = this.createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
            // no permissions created using the descriptor metadata - try to use annotation metadata.
            if (!createdPerms) {
                permissions = ejbComponentDescription.getAnnotationMethodPermissions();
                createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
            }
        }
    }
    Set<String> securityRoles = new HashSet<String>();
    // get all roles from the deployments descriptor (assembly descriptor roles)
    SecurityRolesMetaData secRolesMetaData = ejbComponentDescription.getSecurityRoles();
    if (secRolesMetaData != null) {
        for (SecurityRoleMetaData secRoleMetaData : secRolesMetaData) {
            securityRoles.add(secRoleMetaData.getRoleName());
        }
    }
    // at this point any roles specified via RolesAllowed annotation have been mapped to EJBMethodPermissions, so
    // going through the permissions allows us to retrieve these roles.
    // TODO there might be a better way to retrieve just annotated roles without going through all processed permissions
    List<Map.Entry<String, Permission>> processedRoles = ejbJaccConfig.getRoles();
    for (Map.Entry<String, Permission> entry : processedRoles) {
        securityRoles.add(entry.getKey());
    }
    securityRoles.add(ANY_AUTHENTICATED_USER_ROLE);
    // process the security-role-ref from the deployment descriptor.
    Map<String, Collection<String>> securityRoleRefs = ejbComponentDescription.getSecurityRoleLinks();
    for (Map.Entry<String, Collection<String>> entry : securityRoleRefs.entrySet()) {
        String roleName = entry.getKey();
        for (String roleLink : entry.getValue()) {
            EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), roleName);
            ejbJaccConfig.addRole(roleLink, p);
        }
        securityRoles.remove(roleName);
    }
    // process remaining annotated declared roles that were not overridden in the descriptor.
    Set<String> declaredRoles = ejbComponentDescription.getDeclaredRoles();
    for (String role : declaredRoles) {
        if (!securityRoleRefs.containsKey(role)) {
            EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
            ejbJaccConfig.addRole(role, p);
        }
        securityRoles.remove(role);
    }
    // an EJBRoleRefPermission must be created for each declared role that does not appear in the security-role-ref.
    for (String role : securityRoles) {
        EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
        ejbJaccConfig.addRole(role, p);
    }
    // proxy by sending an invocation to the ejb container.
    if (ejbComponentDescription instanceof SessionBeanComponentDescription) {
        SessionBeanComponentDescription session = SessionBeanComponentDescription.class.cast(ejbComponentDescription);
        if (session.isStateful()) {
            EJBMethodPermission p = new EJBMethodPermission(ejbComponentDescription.getEJBName(), "getEJBObject", "Home", null);
            ejbJaccConfig.addPermit(p);
        }
    }
}
Also used : SecurityRoleMetaData(org.jboss.metadata.javaee.spec.SecurityRoleMetaData) EJBViewConfiguration(org.jboss.as.ejb3.component.EJBViewConfiguration) SecurityRolesMetaData(org.jboss.metadata.javaee.spec.SecurityRolesMetaData) WriteReplaceInterface(org.jboss.as.ee.component.serialization.WriteReplaceInterface) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription) ViewConfiguration(org.jboss.as.ee.component.ViewConfiguration) EJBViewConfiguration(org.jboss.as.ejb3.component.EJBViewConfiguration) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) Permission(java.security.Permission) HashSet(java.util.HashSet) Method(java.lang.reflect.Method) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) Collection(java.util.Collection) DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit) DeploymentReflectionIndex(org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex) Map(java.util.Map) SessionBeanComponentDescription(org.jboss.as.ejb3.component.session.SessionBeanComponentDescription)

Aggregations

EJBRoleRefPermission (javax.security.jacc.EJBRoleRefPermission)8 Role (org.glassfish.security.common.Role)3 RoleReference (com.sun.enterprise.deployment.RoleReference)2 Permission (java.security.Permission)2 EJBMethodPermission (javax.security.jacc.EJBMethodPermission)2 Method (java.lang.reflect.Method)1 MalformedURLException (java.net.MalformedURLException)1 URISyntaxException (java.net.URISyntaxException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 PermissionCollection (java.security.PermissionCollection)1 Policy (java.security.Policy)1 PrivilegedAction (java.security.PrivilegedAction)1 ProtectionDomain (java.security.ProtectionDomain)1 ArrayList (java.util.ArrayList)1 Collection (java.util.Collection)1 Enumeration (java.util.Enumeration)1 HashSet (java.util.HashSet)1 Map (java.util.Map)1 MBeanPermission (javax.management.MBeanPermission)1 PolicyConfiguration (javax.security.jacc.PolicyConfiguration)1