
Example 16 with EJBComponent

Use of org.jboss.as.ejb3.component.EJBComponent in project wildfly by wildfly.

Class SecurityContextInterceptorFactory, method create:

@Override
protected Interceptor create(final Component component, final InterceptorFactoryContext context) {
    if (component instanceof EJBComponent == false) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    final EJBComponent ejbComponent = (EJBComponent) component;
    // Either reuse the component's own security manager (propagating the caller's
    // security context into the bean) or wrap it in a fresh SimpleSecurityManager that does not.
    final ServerSecurityManager securityManager;
    if (propagateSecurity) {
        securityManager = ejbComponent.getSecurityManager();
    } else {
        securityManager = new SimpleSecurityManager((SimpleSecurityManager) ejbComponent.getSecurityManager());
    }
    final EJBSecurityMetaData securityMetaData = ejbComponent.getSecurityMetaData();
    // Fall back to the default security domain when the deployment does not name one
    String securityDomain = securityMetaData.getSecurityDomain();
    if (securityDomain == null) {
        securityDomain = DEFAULT_DOMAIN;
    }
    if (ROOT_LOGGER.isTraceEnabled()) {
        ROOT_LOGGER.trace("Using security domain: " + securityDomain + " for EJB " + ejbComponent.getComponentName());
    }
    // Resolve the run-as role and, if a run-as principal is configured, the extra roles
    // that principal is mapped to in the deployment descriptor
    final String runAs = securityMetaData.getRunAs();
    // TODO - We should do something with DeclaredRoles although it never has much meaning in JBoss AS
    final String runAsPrincipal = securityMetaData.getRunAsPrincipal();
    final SecurityRolesMetaData securityRoles = securityMetaData.getSecurityRoles();
    Set<String> extraRoles = null;
    Map<String, Set<String>> principalVsRolesMap = null;
    if (securityRoles != null) {
        principalVsRolesMap = securityRoles.getPrincipalVersusRolesMap();
        if (runAsPrincipal != null) {
            extraRoles = securityRoles.getSecurityRoleNamesByPrincipal(runAsPrincipal);
        }
    }
    SecurityContextInterceptorHolder holder = new SecurityContextInterceptorHolder();
    holder.setSecurityManager(securityManager)
            .setSecurityDomain(securityDomain)
            .setRunAs(runAs)
            .setRunAsPrincipal(runAsPrincipal)
            .setPolicyContextID(this.policyContextID)
            .setExtraRoles(extraRoles)
            .setPrincipalVsRolesMap(principalVsRolesMap)
            // authentication is skipped only for beans that declare no security requirement
            .setSkipAuthentication(securityRequired == false);
    return new SecurityContextInterceptor(holder);
}
Also used: java.util.Set, org.jboss.metadata.javaee.spec.SecurityRolesMetaData, org.jboss.as.core.security.ServerSecurityManager, org.jboss.as.ejb3.component.EJBComponent, org.jboss.as.security.service.SimpleSecurityManager

Example 17 with EJBComponent

Use of org.jboss.as.ejb3.component.EJBComponent in project wildfly by wildfly.

Class EjbIIOPTransactionInterceptor, method processInvocation:

@Override
public Object processInvocation(final InterceptorContext invocation) throws Exception {
    // Do we have a foreign transaction context (a transaction imported over IIOP)?
    Transaction tx = TxServerInterceptor.getCurrentTransaction();
    if (tx instanceof ForeignTransaction) {
        final EJBComponent component = (EJBComponent) invocation.getPrivateData(Component.class);
        // for timer invocations there is no view, so the MethodIntf is attached directly
        // to the context. Otherwise we retrieve it from the invoked view
        MethodIntf methodIntf = invocation.getPrivateData(MethodIntf.class);
        if (methodIntf == null) {
            final ComponentView componentView = invocation.getPrivateData(ComponentView.class);
            if (componentView != null) {
                methodIntf = componentView.getPrivateData(MethodIntf.class);
            } else {
                methodIntf = MethodIntf.BEAN;
            }
        }
        // Only NOT_SUPPORTED and REQUIRES_NEW are accepted here: both run the method outside
        // the foreign transaction instead of propagating it into the bean
        final TransactionAttributeType attr = component.getTransactionAttributeType(methodIntf, invocation.getMethod());
        if (attr != TransactionAttributeType.NOT_SUPPORTED && attr != TransactionAttributeType.REQUIRES_NEW) {
            throw EjbLogger.ROOT_LOGGER.transactionPropagationNotSupported();
        }
    }
    return invocation.proceed();
}
Also used: javax.transaction.Transaction, org.wildfly.iiop.openjdk.tm.ForeignTransaction, org.jboss.as.ee.component.ComponentView, org.jboss.as.ejb3.component.EJBComponent, org.jboss.as.ee.component.Component, org.jboss.as.ejb3.component.MethodIntf, javax.ejb.TransactionAttributeType

Example 18 with EJBComponent

Use of org.jboss.as.ejb3.component.EJBComponent in project wildfly by wildfly.

Class JaccInterceptor, method hasPermission:

private void hasPermission(EJBComponent ejbComponent, ComponentView componentView, Method method, SecurityIdentity securityIdentity) {
    // Build the JACC EJBMethodPermission for the invoked method on the invoked view type
    MethodInterfaceType methodIntfType = getMethodInterfaceType(componentView.getPrivateData(MethodIntf.class));
    EJBMethodPermission permission = createEjbMethodPermission(method, ejbComponent, methodIntfType);
    // The ProtectionDomain carries no permissions of its own; the caller's granted roles are passed
    // as its principals so the JACC policy can match them against role-to-permission mappings
    ProtectionDomain domain = new ProtectionDomain(componentView.getProxyClass().getProtectionDomain().getCodeSource(), null, null, getGrantedRoles(securityIdentity));
    // Policy.getPolicy() requires a SecurityPermission when a Java security manager is active
    Policy policy = WildFlySecurityManager.isChecking() ? doPrivileged((PrivilegedAction<Policy>) Policy::getPolicy) : Policy.getPolicy();
    if (!policy.implies(domain, permission)) {
        throw EjbLogger.ROOT_LOGGER.invocationOfMethodNotAllowed(method, ejbComponent.getComponentName());
    }
}
Also used: java.security.Policy, java.security.ProtectionDomain, java.security.PrivilegedAction, javax.security.jacc.EJBMethodPermission, org.jboss.metadata.ejb.spec.MethodInterfaceType, org.jboss.as.ejb3.component.MethodIntf

Example 19 with EJBComponent

Use of org.jboss.as.ejb3.component.EJBComponent in project wildfly by wildfly.

Class JaccInterceptor, method processInvocation:

@Override
public Object processInvocation(InterceptorContext context) throws Exception {
    Component component = context.getPrivateData(Component.class);
    final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
    Assert.checkNotNullParam("securityDomain", securityDomain);
    // The identity established for this invocation by the preceding security interceptors
    final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
    if (component instanceof EJBComponent == false) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    Method invokedMethod = context.getMethod();
    ComponentView componentView = context.getPrivateData(ComponentView.class);
    String viewClassOfInvokedMethod = componentView.getViewClass().getName();
    // shouldn't really happen if the interceptor was set up correctly. But let's be safe and
    // check that this interceptor instance is bound to exactly the view and method being invoked
    if (!viewClassName.equals(viewClassOfInvokedMethod) || !viewMethod.equals(invokedMethod)) {
        throw EjbLogger.ROOT_LOGGER.failProcessInvocation(getClass().getName(), invokedMethod, viewClassOfInvokedMethod, viewMethod, viewClassName);
    }
    EJBComponent ejbComponent = (EJBComponent) component;
    // Under a Java security manager the policy lookup inside hasPermission needs elevated privileges
    if (WildFlySecurityManager.isChecking()) {
        try {
            AccessController.doPrivileged((PrivilegedExceptionAction<Object>) () -> {
                hasPermission(ejbComponent, componentView, invokedMethod, currentIdentity);
                return null;
            });
        } catch (PrivilegedActionException e) {
            // unwrap so the caller sees the original authorization failure
            throw e.getException();
        }
    } else {
        hasPermission(ejbComponent, componentView, invokedMethod, currentIdentity);
    }
    // successful authorization, let the invocation proceed
    return context.proceed();
}
Also used: org.wildfly.security.auth.server.SecurityIdentity, org.jboss.as.ee.component.ComponentView, java.security.PrivilegedActionException, java.lang.reflect.Method, org.jboss.as.ejb3.component.EJBComponent, org.jboss.as.ee.component.Component, org.wildfly.security.auth.server.SecurityDomain

Example 20 with EJBComponent

Use of org.jboss.as.ejb3.component.EJBComponent in project wildfly by wildfly.

Class RunAsPrincipalInterceptor, method processInvocation:

public Object processInvocation(final InterceptorContext context) throws Exception {
    final Component component = context.getPrivateData(Component.class);
    if (component instanceof EJBComponent == false) {
        throw EjbLogger.ROOT_LOGGER.unexpectedComponent(component, EJBComponent.class);
    }
    final EJBComponent ejbComponent = (EJBComponent) component;
    // Set the incomingRunAsIdentity before switching users
    final SecurityDomain securityDomain = context.getPrivateData(SecurityDomain.class);
    Assert.checkNotNullParam("securityDomain", securityDomain);
    final SecurityIdentity currentIdentity = securityDomain.getCurrentSecurityIdentity();
    final SecurityIdentity oldIncomingRunAsIdentity = ejbComponent.getIncomingRunAsIdentity();
    SecurityIdentity newIdentity;
    try {
        // Run as the anonymous identity or as the named principal. Each switch is first
        // attempted with Elytron's authorization check (RunAsPrincipalPermission); if the
        // caller lacks it, the switch is retried with authorize=false so the run-as configured
        // in the deployment takes effect regardless of the caller's own permissions.
        if (runAsPrincipal.equals(ANONYMOUS_PRINCIPAL)) {
            try {
                newIdentity = currentIdentity.createRunAsAnonymous();
            } catch (AuthorizationFailureException ex) {
                newIdentity = currentIdentity.createRunAsAnonymous(false);
            }
        } else {
            // A run-as principal unknown to the security domain's realm becomes an ad hoc identity
            if (!runAsPrincipalExists(securityDomain, runAsPrincipal)) {
                newIdentity = securityDomain.createAdHocIdentity(runAsPrincipal);
            } else {
                try {
                    newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal);
                } catch (AuthorizationFailureException ex) {
                    newIdentity = currentIdentity.createRunAsIdentity(runAsPrincipal, false);
                }
            }
        }
        // Remember the caller's identity so the bean can still see who invoked it, then
        // execute the rest of the chain as the run-as identity
        ejbComponent.setIncomingRunAsIdentity(currentIdentity);
        return newIdentity.runAs(context);
    } catch (PrivilegedActionException e) {
        // unwrap the exception thrown by the invocation chain
        Throwable cause = e.getCause();
        if (cause != null) {
            if (cause instanceof Exception) {
                throw (Exception) cause;
            } else {
                throw new RuntimeException(e);
            }
        } else {
            throw e;
        }
    } finally {
        ejbComponent.setIncomingRunAsIdentity(oldIncomingRunAsIdentity);
    }
}
Also used: org.wildfly.security.auth.server.SecurityIdentity, org.wildfly.security.authz.AuthorizationFailureException, java.security.PrivilegedActionException, org.jboss.as.ejb3.component.EJBComponent, org.jboss.as.ee.component.Component, org.wildfly.security.auth.server.RealmUnavailableException, org.wildfly.security.auth.server.SecurityDomain
