Example 1 with EJBMethodSecurityAttribute
use of org.jboss.as.ejb3.security.EJBMethodSecurityAttribute in project wildfly by wildfly.
the class EJBSecurityViewConfigurator method configure.
@Override
public void configure(DeploymentPhaseContext context, ComponentConfiguration componentConfiguration, ViewDescription viewDescription, ViewConfiguration viewConfiguration) throws DeploymentUnitProcessingException {
if (componentConfiguration.getComponentDescription() instanceof EJBComponentDescription == false) {
throw EjbLogger.ROOT_LOGGER.invalidEjbComponent(componentConfiguration.getComponentName(), componentConfiguration.getComponentClass());
}
final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
final EJBComponentDescription ejbComponentDescription = (EJBComponentDescription) componentConfiguration.getComponentDescription();
final boolean elytronSecurityDomain = ejbComponentDescription.getSecurityDomainServiceName() != null;
final String viewClassName = viewDescription.getViewClassName();
final EJBViewDescription ejbViewDescription = (EJBViewDescription) viewDescription;
final EJBViewMethodSecurityAttributesService.Builder viewMethodSecurityAttributesServiceBuilder;
final ServiceName viewMethodSecurityAttributesServiceName;
// note that we always install this service for SERVICE_ENDPOINT views, even if security is not enabled
if (MethodIntf.SERVICE_ENDPOINT == ejbViewDescription.getMethodIntf()) {
viewMethodSecurityAttributesServiceBuilder = new EJBViewMethodSecurityAttributesService.Builder();
viewMethodSecurityAttributesServiceName = EJBViewMethodSecurityAttributesService.getServiceName(ejbComponentDescription.getApplicationName(), ejbComponentDescription.getModuleName(), ejbComponentDescription.getEJBName(), viewClassName);
} else {
viewMethodSecurityAttributesServiceBuilder = null;
viewMethodSecurityAttributesServiceName = null;
}
if (!legacySecurityAvailable(deploymentUnit) && !elytronSecurityDomain) {
// the security subsystem is not present and Elytron is not being used for security, we don't apply any security settings
installAttributeServiceIfRequired(context, viewMethodSecurityAttributesServiceBuilder, viewMethodSecurityAttributesServiceName);
return;
}
final DeploymentReflectionIndex deploymentReflectionIndex = deploymentUnit.getAttachment(org.jboss.as.server.deployment.Attachments.REFLECTION_INDEX);
// The getSecurityDomain() will return a null value if neither an explicit security domain is configured
// for the bean nor there's any default security domain that's configured at EJB3 subsystem level.
// In such cases, we do *not* apply any security interceptors
String resolvedSecurityDomain = ejbComponentDescription.getResolvedSecurityDomain();
if (elytronSecurityDomain == false && (resolvedSecurityDomain == null || resolvedSecurityDomain.isEmpty())) {
if (ROOT_LOGGER.isDebugEnabled()) {
ROOT_LOGGER.debug("Security is *not* enabled on EJB: " + ejbComponentDescription.getEJBName() + ", since no explicit security domain is configured for the bean, nor is there any default security domain configured in the EJB3 subsystem");
}
installAttributeServiceIfRequired(context, viewMethodSecurityAttributesServiceBuilder, viewMethodSecurityAttributesServiceName);
return;
}
// setup the JACC contextID.
String contextID = deploymentUnit.getName();
if (deploymentUnit.getParent() != null) {
contextID = deploymentUnit.getParent().getName() + "!" + contextID;
}
// setup the method specific security interceptor(s)
boolean beanHasMethodLevelSecurityMetadata = false;
final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
final List<Method> methodsWithoutExplicitSecurityConfiguration = new ArrayList<Method>();
for (final Method viewMethod : viewMethods) {
// TODO: proxy factory exposes non-public methods, is this a bug in the no-interface view?
if (!Modifier.isPublic(viewMethod.getModifiers())) {
continue;
}
if (viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
continue;
}
// setup the authorization interceptor
final ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions = ejbComponentDescription.getDescriptorMethodPermissions();
boolean methodHasSecurityMetadata = handlePermissions(contextID, componentConfiguration, viewConfiguration, deploymentReflectionIndex, viewClassName, ejbViewDescription, viewMethod, permissions, false, viewMethodSecurityAttributesServiceBuilder, ejbComponentDescription, elytronSecurityDomain, resolvedSecurityDomain);
if (!methodHasSecurityMetadata) {
// if it was not handled by the descriptor processor we look for annotation basic info
methodHasSecurityMetadata = handlePermissions(contextID, componentConfiguration, viewConfiguration, deploymentReflectionIndex, viewClassName, ejbViewDescription, viewMethod, ejbComponentDescription.getAnnotationMethodPermissions(), true, viewMethodSecurityAttributesServiceBuilder, ejbComponentDescription, elytronSecurityDomain, resolvedSecurityDomain);
}
// if any method has security metadata then the bean has method level security metadata
if (methodHasSecurityMetadata) {
beanHasMethodLevelSecurityMetadata = true;
} else {
// make a note that this method didn't have any explicit method permissions configured
methodsWithoutExplicitSecurityConfiguration.add(viewMethod);
}
}
final boolean securityRequired = beanHasMethodLevelSecurityMetadata || ejbComponentDescription.hasBeanLevelSecurityMetadata();
if (securityRequired) {
ejbComponentDescription.setSecurityRequired(securityRequired);
}
// setup the security context interceptor
if (elytronSecurityDomain) {
final HashMap<Integer, InterceptorFactory> elytronInterceptorFactories = ejbComponentDescription.getElytronInterceptorFactories(contextID, ejbComponentDescription.requiresJacc(), true);
elytronInterceptorFactories.forEach((priority, elytronInterceptorFactory) -> viewConfiguration.addViewInterceptor(elytronInterceptorFactory, priority));
} else if (securityRequired) {
throw ROOT_LOGGER.legacySecurityUnsupported(resolvedSecurityDomain);
}
// now add the authorization interceptor if the bean has *any* security metadata applicable
if (securityRequired) {
// check the missing-method-permissions-deny-access configuration and add the authorization interceptor
// to methods which don't have explicit method permissions.
// (@see http://anil-identity.blogspot.in/2010/02/tip-interpretation-of-missing-ejb.html for details)
final Boolean denyAccessToMethodsMissingPermissions = ((EJBComponentDescription) componentConfiguration.getComponentDescription()).isMissingMethodPermissionsDeniedAccess();
// default to "deny access"
if (denyAccessToMethodsMissingPermissions != Boolean.FALSE) {
for (final Method viewMethod : methodsWithoutExplicitSecurityConfiguration) {
if (viewMethodSecurityAttributesServiceBuilder != null) {
// build the EJBViewMethodSecurityAttributesService to expose these security attributes to other components like WS (@see https://issues.jboss.org/browse/WFLY-308)
viewMethodSecurityAttributesServiceBuilder.addMethodSecurityMetadata(viewMethod, EJBMethodSecurityAttribute.denyAll());
}
// "deny access" implies we need the authorization interceptor to be added so that it can nuke the invocation
if (elytronSecurityDomain) {
viewConfiguration.addViewInterceptor(viewMethod, new ImmediateInterceptorFactory(RolesAllowedInterceptor.DENY_ALL), InterceptorOrder.View.EJB_SECURITY_AUTHORIZATION_INTERCEPTOR);
} else {
throw ROOT_LOGGER.legacySecurityUnsupported(resolvedSecurityDomain);
}
}
}
}
installAttributeServiceIfRequired(context, viewMethodSecurityAttributesServiceBuilder, viewMethodSecurityAttributesServiceName);
}
Also used :
EJBViewDescription(org.jboss.as.ejb3.component.EJBViewDescription)
ArrayList(java.util.ArrayList)
Method(java.lang.reflect.Method)
EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription)
EJBViewMethodSecurityAttributesService(org.jboss.as.ejb3.security.service.EJBViewMethodSecurityAttributesService)
InterceptorFactory(org.jboss.invocation.InterceptorFactory)
ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory)
ServiceName(org.jboss.msc.service.ServiceName)
ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory)
DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit)
DeploymentReflectionIndex(org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex)
Example 2 with EJBMethodSecurityAttribute
use of org.jboss.as.ejb3.security.EJBMethodSecurityAttribute in project wildfly by wildfly.
the class MethodPermissionsMergingProcessor method handleMethodPermissions.
private void handleMethodPermissions(final EJBComponentDescription componentDescription, final MethodPermissionsMetaData methodPermissions) {
for (final MethodPermissionMetaData methodPermissionMetaData : methodPermissions) {
final MethodsMetaData methods = methodPermissionMetaData.getMethods();
for (final MethodMetaData method : methods) {
EJBMethodSecurityAttribute ejbMethodSecurityMetaData;
// Enterprise Beans 3.1 FR 17.3.2.2 The unchecked element is used instead of a role name in the method-permission element to indicate that all roles are permitted.
if (methodPermissionMetaData.isNotChecked()) {
ejbMethodSecurityMetaData = EJBMethodSecurityAttribute.permitAll();
} else {
ejbMethodSecurityMetaData = EJBMethodSecurityAttribute.rolesAllowed(methodPermissionMetaData.getRoles());
}
final String methodName = method.getMethodName();
final MethodIntf defaultMethodIntf = (componentDescription instanceof MessageDrivenComponentDescription) ? MethodIntf.MESSAGE_ENDPOINT : MethodIntf.BEAN;
final MethodIntf methodIntf = this.getMethodIntf(method.getMethodIntf(), defaultMethodIntf);
if (methodName.equals("*")) {
final EJBMethodSecurityAttribute existingRoles = componentDescription.getDescriptorMethodPermissions().getAttributeStyle1(methodIntf, null);
ejbMethodSecurityMetaData = mergeExistingRoles(ejbMethodSecurityMetaData, existingRoles);
componentDescription.getDescriptorMethodPermissions().setAttribute(methodIntf, null, ejbMethodSecurityMetaData);
} else {
final MethodParametersMetaData methodParams = method.getMethodParams();
// update the session bean description with the tx attribute info
if (methodParams == null) {
final EJBMethodSecurityAttribute existingRoles = componentDescription.getDescriptorMethodPermissions().getAttributeStyle2(methodIntf, methodName);
ejbMethodSecurityMetaData = mergeExistingRoles(ejbMethodSecurityMetaData, existingRoles);
componentDescription.getDescriptorMethodPermissions().setAttribute(methodIntf, ejbMethodSecurityMetaData, methodName);
} else {
final EJBMethodSecurityAttribute existingRoles = componentDescription.getDescriptorMethodPermissions().getAttributeStyle3(methodIntf, null, methodName, this.getMethodParams(methodParams));
ejbMethodSecurityMetaData = mergeExistingRoles(ejbMethodSecurityMetaData, existingRoles);
componentDescription.getDescriptorMethodPermissions().setAttribute(methodIntf, ejbMethodSecurityMetaData, null, methodName, this.getMethodParams(methodParams));
}
}
}
}
}
Also used :
MessageDrivenComponentDescription(org.jboss.as.ejb3.component.messagedriven.MessageDrivenComponentDescription)
EJBMethodSecurityAttribute(org.jboss.as.ejb3.security.EJBMethodSecurityAttribute)
MethodsMetaData(org.jboss.metadata.ejb.spec.MethodsMetaData)
MethodMetaData(org.jboss.metadata.ejb.spec.MethodMetaData)
MethodParametersMetaData(org.jboss.metadata.ejb.spec.MethodParametersMetaData)
MethodPermissionMetaData(org.jboss.metadata.ejb.spec.MethodPermissionMetaData)
MethodIntf(org.jboss.as.ejb3.component.MethodIntf)
Example 3 with EJBMethodSecurityAttribute
use of org.jboss.as.ejb3.security.EJBMethodSecurityAttribute in project wildfly by wildfly.
the class EjbJaccConfigurator method configure.
@Override
public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
final DeploymentReflectionIndex reflectionIndex = deploymentUnit.getAttachment(Attachments.REFLECTION_INDEX);
final EJBComponentDescription ejbComponentDescription = EJBComponentDescription.class.cast(description);
final EjbJaccConfig ejbJaccConfig = new EjbJaccConfig();
context.getDeploymentUnit().addToAttachmentList(EjbDeploymentAttachmentKeys.JACC_PERMISSIONS, ejbJaccConfig);
// process the method permissions.
for (final ViewConfiguration viewConfiguration : configuration.getViews()) {
final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
for (final Method viewMethod : viewMethods) {
if (!Modifier.isPublic(viewMethod.getModifiers()) || viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
continue;
}
final EJBViewConfiguration ejbViewConfiguration = EJBViewConfiguration.class.cast(viewConfiguration);
// try to create permissions using the descriptor metadata first.
ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions = ejbComponentDescription.getDescriptorMethodPermissions();
boolean createdPerms = this.createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
// no permissions created using the descriptor metadata - try to use annotation metadata.
if (!createdPerms) {
permissions = ejbComponentDescription.getAnnotationMethodPermissions();
createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
}
}
}
Set<String> securityRoles = new HashSet<String>();
// get all roles from the deployments descriptor (assembly descriptor roles)
SecurityRolesMetaData secRolesMetaData = ejbComponentDescription.getSecurityRoles();
if (secRolesMetaData != null) {
for (SecurityRoleMetaData secRoleMetaData : secRolesMetaData) {
securityRoles.add(secRoleMetaData.getRoleName());
}
}
// at this point any roles specified via RolesAllowed annotation have been mapped to EJBMethodPermissions, so
// going through the permissions allows us to retrieve these roles.
// TODO there might be a better way to retrieve just annotated roles without going through all processed permissions
List<Map.Entry<String, Permission>> processedRoles = ejbJaccConfig.getRoles();
for (Map.Entry<String, Permission> entry : processedRoles) {
securityRoles.add(entry.getKey());
}
securityRoles.add(ANY_AUTHENTICATED_USER_ROLE);
// process the security-role-ref from the deployment descriptor.
Map<String, Collection<String>> securityRoleRefs = ejbComponentDescription.getSecurityRoleLinks();
for (Map.Entry<String, Collection<String>> entry : securityRoleRefs.entrySet()) {
String roleName = entry.getKey();
for (String roleLink : entry.getValue()) {
EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), roleName);
ejbJaccConfig.addRole(roleLink, p);
}
securityRoles.remove(roleName);
}
// process remaining annotated declared roles that were not overridden in the descriptor.
Set<String> declaredRoles = ejbComponentDescription.getDeclaredRoles();
for (String role : declaredRoles) {
if (!securityRoleRefs.containsKey(role)) {
EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
ejbJaccConfig.addRole(role, p);
}
securityRoles.remove(role);
}
// an EJBRoleRefPermission must be created for each declared role that does not appear in the security-role-ref.
for (String role : securityRoles) {
EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
ejbJaccConfig.addRole(role, p);
}
// proxy by sending an invocation to the ejb container.
if (ejbComponentDescription instanceof SessionBeanComponentDescription) {
SessionBeanComponentDescription session = SessionBeanComponentDescription.class.cast(ejbComponentDescription);
if (session.isStateful()) {
EJBMethodPermission p = new EJBMethodPermission(ejbComponentDescription.getEJBName(), "getEJBObject", "Home", null);
ejbJaccConfig.addPermit(p);
}
}
}
Also used :
SecurityRoleMetaData(org.jboss.metadata.javaee.spec.SecurityRoleMetaData)
EJBViewConfiguration(org.jboss.as.ejb3.component.EJBViewConfiguration)
SecurityRolesMetaData(org.jboss.metadata.javaee.spec.SecurityRolesMetaData)
WriteReplaceInterface(org.jboss.as.ee.component.serialization.WriteReplaceInterface)
EJBMethodPermission(javax.security.jacc.EJBMethodPermission)
EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription)
ViewConfiguration(org.jboss.as.ee.component.ViewConfiguration)
EJBViewConfiguration(org.jboss.as.ejb3.component.EJBViewConfiguration)
EJBMethodPermission(javax.security.jacc.EJBMethodPermission)
EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission)
Permission(java.security.Permission)
HashSet(java.util.HashSet)
Method(java.lang.reflect.Method)
EJBRoleRefPermission(javax.security.jacc.EJBRoleRefPermission)
Collection(java.util.Collection)
DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit)
DeploymentReflectionIndex(org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex)
Map(java.util.Map)
SessionBeanComponentDescription(org.jboss.as.ejb3.component.session.SessionBeanComponentDescription)
Aggregations
Method (java.lang.reflect.Method)2
EJBComponentDescription (org.jboss.as.ejb3.component.EJBComponentDescription)2
DeploymentUnit (org.jboss.as.server.deployment.DeploymentUnit)2
DeploymentReflectionIndex (org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex)2
Permission (java.security.Permission)1
ArrayList (java.util.ArrayList)1
Collection (java.util.Collection)1
HashSet (java.util.HashSet)1
Map (java.util.Map)1
EJBMethodPermission (javax.security.jacc.EJBMethodPermission)1
EJBRoleRefPermission (javax.security.jacc.EJBRoleRefPermission)1
ViewConfiguration (org.jboss.as.ee.component.ViewConfiguration)1
WriteReplaceInterface (org.jboss.as.ee.component.serialization.WriteReplaceInterface)1
EJBViewConfiguration (org.jboss.as.ejb3.component.EJBViewConfiguration)1
EJBViewDescription (org.jboss.as.ejb3.component.EJBViewDescription)1
MethodIntf (org.jboss.as.ejb3.component.MethodIntf)1
MessageDrivenComponentDescription (org.jboss.as.ejb3.component.messagedriven.MessageDrivenComponentDescription)1
SessionBeanComponentDescription (org.jboss.as.ejb3.component.session.SessionBeanComponentDescription)1
EJBMethodSecurityAttribute (org.jboss.as.ejb3.security.EJBMethodSecurityAttribute)1
EJBViewMethodSecurityAttributesService (org.jboss.as.ejb3.security.service.EJBViewMethodSecurityAttributesService)1
