Search in sources :

Example 6 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project tomee by apache.

the class JaccPermissionsBuilder method addDeclaredEjbPermissions.

private void addDeclaredEjbPermissions(final EjbJarInfo ejbJar, final EnterpriseBeanInfo beanInfo, final String defaultRole, PermissionCollection notAssigned, final PolicyContext policyContext) throws OpenEJBException {
    final PermissionCollection uncheckedPermissions = policyContext.getUncheckedPermissions();
    final PermissionCollection excludedPermissions = policyContext.getExcludedPermissions();
    final Map<String, PermissionCollection> rolePermissions = policyContext.getRolePermissions();
    final String ejbName = beanInfo.ejbName;
    /**
     * JACC v1.0 section 3.1.5.1
     */
    for (final MethodPermissionInfo methodPermission : ejbJar.methodPermissions) {
        final List<String> roleNames = methodPermission.roleNames;
        final boolean unchecked = methodPermission.unchecked;
        final boolean excluded = methodPermission.excluded;
        for (final MethodInfo method : methodPermission.methods) {
            if (!ejbName.equals(method.ejbName)) {
                continue;
            }
            // method name
            String methodName = method.methodName;
            if ("*".equals(methodName)) {
                // jacc uses null instead of *
                methodName = null;
            }
            // method interface
            final String methodIntf = method.methodIntf;
            // method parameters
            final String[] methodParams;
            if (method.methodParams != null) {
                final List<String> paramList = method.methodParams;
                methodParams = paramList.toArray(new String[paramList.size()]);
            } else {
                methodParams = null;
            }
            // create the permission object
            final EJBMethodPermission permission = new EJBMethodPermission(ejbName, methodName, methodIntf, methodParams);
            notAssigned = cullPermissions(notAssigned, permission);
            // if this is unchecked, mark it as unchecked; otherwise assign the roles
            if (unchecked) {
                uncheckedPermissions.add(permission);
            } else if (excluded) {
                /**
                 * JACC v1.0 section 3.1.5.2
                 */
                excludedPermissions.add(permission);
            } else {
                for (final String roleName : roleNames) {
                    PermissionCollection permissions = rolePermissions.get(roleName);
                    if (permissions == null) {
                        permissions = DelegatePermissionCollection.getPermissionCollection();
                        rolePermissions.put(roleName, permissions);
                    }
                    permissions.add(permission);
                }
            }
        }
    }
    /**
     * JACC v1.0 section 3.1.5.3
     */
    for (final SecurityRoleReferenceInfo securityRoleRef : beanInfo.securityRoleReferences) {
        if (securityRoleRef.roleLink == null) {
            throw new OpenEJBException("Missing role-link");
        }
        final String roleLink = securityRoleRef.roleLink;
        PermissionCollection roleLinks = rolePermissions.get(roleLink);
        if (roleLinks == null) {
            roleLinks = DelegatePermissionCollection.getPermissionCollection();
            rolePermissions.put(roleLink, roleLinks);
        }
        roleLinks.add(new EJBRoleRefPermission(ejbName, securityRoleRef.roleName));
    }
    /**
     * EJB v2.1 section 21.3.2
     *
     * It is possible that some methods are not assigned to any security
     * roles nor contained in the <code>exclude-list</code> element. In
     * this case, it is the responsibility of the Deployer to assign method
     * permissions for all of the unspecified methods, either by assigning
     * them to security roles, or by marking them as <code>unchecked</code>.
     */
    PermissionCollection permissions;
    if (defaultRole == null) {
        permissions = uncheckedPermissions;
    } else {
        permissions = rolePermissions.get(defaultRole);
        if (permissions == null) {
            permissions = DelegatePermissionCollection.getPermissionCollection();
            rolePermissions.put(defaultRole, permissions);
        }
    }
    final Enumeration e = notAssigned.elements();
    while (e.hasMoreElements()) {
        final Permission p = (Permission) e.nextElement();
        permissions.add(p);
    }
}
Also used : PermissionCollection(java.security.PermissionCollection) OpenEJBException(org.apache.openejb.OpenEJBException) Enumeration(java.util.Enumeration) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) Permission(java.security.Permission)

Example 7 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project wildfly by wildfly.

the class EjbJaccConfigurator method configure.

@Override
public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
    final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
    final DeploymentReflectionIndex reflectionIndex = deploymentUnit.getAttachment(Attachments.REFLECTION_INDEX);
    final EJBComponentDescription ejbComponentDescription = EJBComponentDescription.class.cast(description);
    final EjbJaccConfig ejbJaccConfig = new EjbJaccConfig();
    context.getDeploymentUnit().addToAttachmentList(EjbDeploymentAttachmentKeys.JACC_PERMISSIONS, ejbJaccConfig);
    // process the method permissions.
    for (final ViewConfiguration viewConfiguration : configuration.getViews()) {
        final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
        for (final Method viewMethod : viewMethods) {
            if (!Modifier.isPublic(viewMethod.getModifiers()) || viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
                continue;
            }
            final EJBViewConfiguration ejbViewConfiguration = EJBViewConfiguration.class.cast(viewConfiguration);
            // try to create permissions using the descriptor metadata first.
            ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions = ejbComponentDescription.getDescriptorMethodPermissions();
            boolean createdPerms = this.createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
            // no permissions created using the descriptor metadata - try to use annotation metadata.
            if (!createdPerms) {
                permissions = ejbComponentDescription.getAnnotationMethodPermissions();
                createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
            }
        }
    }
    Set<String> securityRoles = new HashSet<String>();
    // get all roles from the deployments descriptor (assembly descriptor roles)
    SecurityRolesMetaData secRolesMetaData = ejbComponentDescription.getSecurityRoles();
    if (secRolesMetaData != null) {
        for (SecurityRoleMetaData secRoleMetaData : secRolesMetaData) {
            securityRoles.add(secRoleMetaData.getRoleName());
        }
    }
    // at this point any roles specified via RolesAllowed annotation have been mapped to EJBMethodPermissions, so
    // going through the permissions allows us to retrieve these roles.
    // TODO there might be a better way to retrieve just annotated roles without going through all processed permissions
    List<Map.Entry<String, Permission>> processedRoles = ejbJaccConfig.getRoles();
    for (Map.Entry<String, Permission> entry : processedRoles) {
        securityRoles.add(entry.getKey());
    }
    securityRoles.add(ANY_AUTHENTICATED_USER_ROLE);
    // process the security-role-ref from the deployment descriptor.
    Map<String, Collection<String>> securityRoleRefs = ejbComponentDescription.getSecurityRoleLinks();
    for (Map.Entry<String, Collection<String>> entry : securityRoleRefs.entrySet()) {
        String roleName = entry.getKey();
        for (String roleLink : entry.getValue()) {
            EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), roleName);
            ejbJaccConfig.addRole(roleLink, p);
        }
        securityRoles.remove(roleName);
    }
    // process remaining annotated declared roles that were not overridden in the descriptor.
    Set<String> declaredRoles = ejbComponentDescription.getDeclaredRoles();
    for (String role : declaredRoles) {
        if (!securityRoleRefs.containsKey(role)) {
            EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
            ejbJaccConfig.addRole(role, p);
        }
        securityRoles.remove(role);
    }
    // an EJBRoleRefPermission must be created for each declared role that does not appear in the security-role-ref.
    for (String role : securityRoles) {
        EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
        ejbJaccConfig.addRole(role, p);
    }
    // proxy by sending an invocation to the ejb container.
    if (ejbComponentDescription instanceof SessionBeanComponentDescription) {
        SessionBeanComponentDescription session = SessionBeanComponentDescription.class.cast(ejbComponentDescription);
        if (session.isStateful()) {
            EJBMethodPermission p = new EJBMethodPermission(ejbComponentDescription.getEJBName(), "getEJBObject", "Home", null);
            ejbJaccConfig.addPermit(p);
        }
    }
}
Also used : SecurityRoleMetaData(org.jboss.metadata.javaee.spec.SecurityRoleMetaData) EJBViewConfiguration(org.jboss.as.ejb3.component.EJBViewConfiguration) SecurityRolesMetaData(org.jboss.metadata.javaee.spec.SecurityRolesMetaData) WriteReplaceInterface(org.jboss.as.ee.component.serialization.WriteReplaceInterface) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription) ViewConfiguration(org.jboss.as.ee.component.ViewConfiguration) EJBViewConfiguration(org.jboss.as.ejb3.component.EJBViewConfiguration) EJBMethodPermission(javax.security.jacc.EJBMethodPermission) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) Permission(java.security.Permission) HashSet(java.util.HashSet) Method(java.lang.reflect.Method) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission) Collection(java.util.Collection) DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit) DeploymentReflectionIndex(org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex) Map(java.util.Map) SessionBeanComponentDescription(org.jboss.as.ejb3.component.session.SessionBeanComponentDescription)

Example 8 with EJBRoleRefPermission

use of javax.security.jacc.EJBRoleRefPermission in project wildfly by wildfly.

the class EJBComponent method isCallerInRole.

public boolean isCallerInRole(final String roleName) throws IllegalStateException {
    if (isSecurityDomainKnown()) {
        if (enableJacc) {
            Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy) : Policy.getPolicy();
            ProtectionDomain domain = new ProtectionDomain(null, null, null, JaccInterceptor.getGrantedRoles(getCallerSecurityIdentity()));
            return policy.implies(domain, new EJBRoleRefPermission(getComponentName(), roleName));
        } else {
            return checkCallerSecurityIdentityRole(roleName);
        }
    }
    // No security, no role membership.
    return false;
}
Also used : Policy(java.security.Policy) ProtectionDomain(java.security.ProtectionDomain) PrivilegedAction(java.security.PrivilegedAction) EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission)

Aggregations

EJBRoleRefPermission (javax.security.jacc.EJBRoleRefPermission)8 Role (org.glassfish.security.common.Role)3 RoleReference (com.sun.enterprise.deployment.RoleReference)2 Permission (java.security.Permission)2 EJBMethodPermission (javax.security.jacc.EJBMethodPermission)2 Method (java.lang.reflect.Method)1 MalformedURLException (java.net.MalformedURLException)1 URISyntaxException (java.net.URISyntaxException)1 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)1 PermissionCollection (java.security.PermissionCollection)1 Policy (java.security.Policy)1 PrivilegedAction (java.security.PrivilegedAction)1 ProtectionDomain (java.security.ProtectionDomain)1 ArrayList (java.util.ArrayList)1 Collection (java.util.Collection)1 Enumeration (java.util.Enumeration)1 HashSet (java.util.HashSet)1 Map (java.util.Map)1 MBeanPermission (javax.management.MBeanPermission)1 PolicyConfiguration (javax.security.jacc.PolicyConfiguration)1