Example 1 with ServerSecurityManager
use of org.jboss.as.core.security.ServerSecurityManager in project wildfly by wildfly.
the class AuthorizationInterceptor method processInvocation.
@Override
public Object processInvocation(InterceptorContext context) throws Exception {
final Component component = context.getPrivateData(Component.class);
if (component instanceof EJBComponent == false) {
throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
}
final Method invokedMethod = context.getMethod();
final ComponentView componentView = context.getPrivateData(ComponentView.class);
final String viewClassOfInvokedMethod = componentView.getViewClass().getName();
// shouldn't really happen if the interceptor was setup correctly. But let's be safe and do a check
if (!this.viewClassName.equals(viewClassOfInvokedMethod) || !this.viewMethod.equals(invokedMethod)) {
throw EjbLogger.ROOT_LOGGER.failProcessInvocation(this.getClass().getName(), invokedMethod, viewClassOfInvokedMethod, viewMethod, viewClassName);
}
final EJBComponent ejbComponent = (EJBComponent) component;
final ServerSecurityManager securityManager = ejbComponent.getSecurityManager();
final MethodInterfaceType methodIntfType = this.getMethodInterfaceType(componentView.getPrivateData(MethodIntf.class));
// set the JACC contextID before calling the security manager.
final String previousContextID = setContextID(this.contextID);
try {
if (WildFlySecurityManager.isChecking()) {
try {
AccessController.doPrivileged(new PrivilegedExceptionAction<Object>() {
@Override
public ProtectionDomain run() {
if (!securityManager.authorize(ejbComponent.getComponentName(), componentView.getProxyClass().getProtectionDomain().getCodeSource(), methodIntfType.name(), AuthorizationInterceptor.this.viewMethod, AuthorizationInterceptor.this.getMethodRolesAsPrincipals(), AuthorizationInterceptor.this.contextID)) {
throw EjbLogger.ROOT_LOGGER.invocationOfMethodNotAllowed(invokedMethod, ejbComponent.getComponentName());
}
return null;
}
});
} catch (PrivilegedActionException e) {
throw e.getException();
}
} else {
if (!securityManager.authorize(ejbComponent.getComponentName(), componentView.getProxyClass().getProtectionDomain().getCodeSource(), methodIntfType.name(), this.viewMethod, this.getMethodRolesAsPrincipals(), this.contextID)) {
throw EjbLogger.ROOT_LOGGER.invocationOfMethodNotAllowed(invokedMethod, ejbComponent.getComponentName());
}
}
// successful authorization, let the invocation proceed
return context.proceed();
} finally {
// reset the previous JACC contextID.
setContextID(previousContextID);
}
}
Also used :
ProtectionDomain(java.security.ProtectionDomain)
PrivilegedActionException(java.security.PrivilegedActionException)
Method(java.lang.reflect.Method)
EJBComponent(org.jboss.as.ejb3.component.EJBComponent)
MethodIntf(org.jboss.as.ejb3.component.MethodIntf)
ComponentView(org.jboss.as.ee.component.ComponentView)
ServerSecurityManager(org.jboss.as.core.security.ServerSecurityManager)
EJBComponent(org.jboss.as.ejb3.component.EJBComponent)
Component(org.jboss.as.ee.component.Component)
MethodInterfaceType(org.jboss.metadata.ejb.spec.MethodInterfaceType)
Example 2 with ServerSecurityManager
use of org.jboss.as.core.security.ServerSecurityManager in project wildfly by wildfly.
the class SecurityContextInterceptorFactory method create.
@Override
protected Interceptor create(final Component component, final InterceptorFactoryContext context) {
if (component instanceof EJBComponent == false) {
throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
}
final EJBComponent ejbComponent = (EJBComponent) component;
final ServerSecurityManager securityManager;
if (propagateSecurity) {
securityManager = ejbComponent.getSecurityManager();
} else {
securityManager = new SimpleSecurityManager((SimpleSecurityManager) ejbComponent.getSecurityManager());
}
final EJBSecurityMetaData securityMetaData = ejbComponent.getSecurityMetaData();
String securityDomain = securityMetaData.getSecurityDomain();
if (securityDomain == null) {
securityDomain = DEFAULT_DOMAIN;
}
if (ROOT_LOGGER.isTraceEnabled()) {
ROOT_LOGGER.trace("Using security domain: " + securityDomain + " for EJB " + ejbComponent.getComponentName());
}
final String runAs = securityMetaData.getRunAs();
// TODO - We should do something with DeclaredRoles although it never has much meaning in JBoss AS
final String runAsPrincipal = securityMetaData.getRunAsPrincipal();
final SecurityRolesMetaData securityRoles = securityMetaData.getSecurityRoles();
Set<String> extraRoles = null;
Map<String, Set<String>> principalVsRolesMap = null;
if (securityRoles != null) {
principalVsRolesMap = securityRoles.getPrincipalVersusRolesMap();
if (runAsPrincipal != null)
extraRoles = securityRoles.getSecurityRoleNamesByPrincipal(runAsPrincipal);
}
SecurityContextInterceptorHolder holder = new SecurityContextInterceptorHolder();
holder.setSecurityManager(securityManager).setSecurityDomain(securityDomain).setRunAs(runAs).setRunAsPrincipal(runAsPrincipal).setPolicyContextID(this.policyContextID).setExtraRoles(extraRoles).setPrincipalVsRolesMap(principalVsRolesMap).setSkipAuthentication(securityRequired == false);
return new SecurityContextInterceptor(holder);
}
Also used :
Set(java.util.Set)
SecurityRolesMetaData(org.jboss.metadata.javaee.spec.SecurityRolesMetaData)
ServerSecurityManager(org.jboss.as.core.security.ServerSecurityManager)
EJBComponent(org.jboss.as.ejb3.component.EJBComponent)
SimpleSecurityManager(org.jboss.as.security.service.SimpleSecurityManager)
Aggregations
ServerSecurityManager (org.jboss.as.core.security.ServerSecurityManager)2
EJBComponent (org.jboss.as.ejb3.component.EJBComponent)2
Method (java.lang.reflect.Method)1
PrivilegedActionException (java.security.PrivilegedActionException)1
ProtectionDomain (java.security.ProtectionDomain)1
Set (java.util.Set)1
Component (org.jboss.as.ee.component.Component)1
ComponentView (org.jboss.as.ee.component.ComponentView)1
MethodIntf (org.jboss.as.ejb3.component.MethodIntf)1
SimpleSecurityManager (org.jboss.as.security.service.SimpleSecurityManager)1
MethodInterfaceType (org.jboss.metadata.ejb.spec.MethodInterfaceType)1
SecurityRolesMetaData (org.jboss.metadata.javaee.spec.SecurityRolesMetaData)1
