Example 1 with SecurityContextInterceptorFactory
use of org.jboss.as.ejb3.security.SecurityContextInterceptorFactory in project wildfly by wildfly.
the class EJBSecurityViewConfigurator method configure.
@Override
public void configure(DeploymentPhaseContext context, ComponentConfiguration componentConfiguration, ViewDescription viewDescription, ViewConfiguration viewConfiguration) throws DeploymentUnitProcessingException {
if (componentConfiguration.getComponentDescription() instanceof EJBComponentDescription == false) {
throw EjbLogger.ROOT_LOGGER.invalidEjbComponent(componentConfiguration.getComponentName(), componentConfiguration.getComponentClass());
}
final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
final EJBComponentDescription ejbComponentDescription = (EJBComponentDescription) componentConfiguration.getComponentDescription();
final boolean isSecurityDomainKnown = ejbComponentDescription.isSecurityDomainKnown();
if ((!deploymentUnit.hasAttachment(SecurityAttachments.SECURITY_ENABLED)) && (!isSecurityDomainKnown)) {
// the security subsystem is not present and Elytron is not being used for security, we don't apply any security settings
return;
}
final DeploymentReflectionIndex deploymentReflectionIndex = deploymentUnit.getAttachment(org.jboss.as.server.deployment.Attachments.REFLECTION_INDEX);
// In such cases, we do *not* apply any security interceptors
if (ejbComponentDescription.getSecurityDomain() == null || ejbComponentDescription.getSecurityDomain().isEmpty()) {
if (ROOT_LOGGER.isDebugEnabled()) {
ROOT_LOGGER.debug("Security is *not* enabled on EJB: " + ejbComponentDescription.getEJBName() + ", since no explicit security domain is configured for the bean, nor is there any default security domain configured in the EJB3 subsystem");
}
return;
}
final String viewClassName = viewDescription.getViewClassName();
final EJBViewDescription ejbViewDescription = (EJBViewDescription) viewDescription;
// setup the JACC contextID.
String contextID = deploymentUnit.getName();
if (deploymentUnit.getParent() != null) {
contextID = deploymentUnit.getParent().getName() + "!" + contextID;
}
final EJBViewMethodSecurityAttributesService.Builder viewMethodSecurityAttributesServiceBuilder;
final ServiceName viewMethodSecurityAttributesServiceName;
// for both these views. So here we skip the @WebService view if the bean also has a @LocalBean (no-interface) view and let the EJBViewMethodSecurityAttributesService be built when the no-interface view is processed
if (ejbComponentDescription instanceof SessionBeanComponentDescription && MethodIntf.SERVICE_ENDPOINT == ejbViewDescription.getMethodIntf() && ((SessionBeanComponentDescription) ejbComponentDescription).hasNoInterfaceView()) {
viewMethodSecurityAttributesServiceBuilder = null;
viewMethodSecurityAttributesServiceName = null;
} else {
viewMethodSecurityAttributesServiceBuilder = new EJBViewMethodSecurityAttributesService.Builder();
viewMethodSecurityAttributesServiceName = EJBViewMethodSecurityAttributesService.getServiceName(ejbComponentDescription.getApplicationName(), ejbComponentDescription.getModuleName(), ejbComponentDescription.getEJBName(), viewClassName);
}
// setup the method specific security interceptor(s)
boolean beanHasMethodLevelSecurityMetadata = false;
final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
final List<Method> methodsWithoutExplicitSecurityConfiguration = new ArrayList<Method>();
for (final Method viewMethod : viewMethods) {
// TODO: proxy factory exposes non-public methods, is this a bug in the no-interface view?
if (!Modifier.isPublic(viewMethod.getModifiers())) {
continue;
}
if (viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
continue;
}
// setup the authorization interceptor
final ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions = ejbComponentDescription.getDescriptorMethodPermissions();
boolean methodHasSecurityMetadata = handlePermissions(contextID, componentConfiguration, viewConfiguration, deploymentReflectionIndex, viewClassName, ejbViewDescription, viewMethod, permissions, false, viewMethodSecurityAttributesServiceBuilder, ejbComponentDescription);
if (!methodHasSecurityMetadata) {
//if it was not handled by the descriptor processor we look for annotation basic info
methodHasSecurityMetadata = handlePermissions(contextID, componentConfiguration, viewConfiguration, deploymentReflectionIndex, viewClassName, ejbViewDescription, viewMethod, ejbComponentDescription.getAnnotationMethodPermissions(), true, viewMethodSecurityAttributesServiceBuilder, ejbComponentDescription);
}
// if any method has security metadata then the bean has method level security metadata
if (methodHasSecurityMetadata) {
beanHasMethodLevelSecurityMetadata = true;
} else {
// make a note that this method didn't have any explicit method permissions configured
methodsWithoutExplicitSecurityConfiguration.add(viewMethod);
}
}
final boolean securityRequired = beanHasMethodLevelSecurityMetadata || ejbComponentDescription.hasBeanLevelSecurityMetadata();
// setup the security context interceptor
if (isSecurityDomainKnown) {
final HashMap<Integer, InterceptorFactory> elytronInterceptorFactories = ejbComponentDescription.getElytronInterceptorFactories(contextID, ejbComponentDescription.isEnableJacc());
elytronInterceptorFactories.forEach((priority, elytronInterceptorFactory) -> viewConfiguration.addViewInterceptor(elytronInterceptorFactory, priority));
} else {
viewConfiguration.addViewInterceptor(new SecurityContextInterceptorFactory(securityRequired, true, contextID), InterceptorOrder.View.SECURITY_CONTEXT);
}
// now add the authorization interceptor if the bean has *any* security metadata applicable
if (securityRequired) {
// check the missing-method-permissions-deny-access configuration and add the authorization interceptor
// to methods which don't have explicit method permissions.
// (@see http://anil-identity.blogspot.in/2010/02/tip-interpretation-of-missing-ejb.html for details)
final Boolean denyAccessToMethodsMissingPermissions = ((EJBComponentDescription) componentConfiguration.getComponentDescription()).isMissingMethodPermissionsDeniedAccess();
// default to "deny access"
if (denyAccessToMethodsMissingPermissions != Boolean.FALSE) {
for (final Method viewMethod : methodsWithoutExplicitSecurityConfiguration) {
if (viewMethodSecurityAttributesServiceBuilder != null) {
// build the EJBViewMethodSecurityAttributesService to expose these security attributes to other components like WS (@see https://issues.jboss.org/browse/WFLY-308)
viewMethodSecurityAttributesServiceBuilder.addMethodSecurityMetadata(viewMethod, EJBMethodSecurityAttribute.denyAll());
}
// "deny access" implies we need the authorization interceptor to be added so that it can nuke the invocation
if (isSecurityDomainKnown) {
viewConfiguration.addViewInterceptor(viewMethod, new ImmediateInterceptorFactory(RolesAllowedInterceptor.DENY_ALL), InterceptorOrder.View.EJB_SECURITY_AUTHORIZATION_INTERCEPTOR);
} else {
final Interceptor authorizationInterceptor = new AuthorizationInterceptor(EJBMethodSecurityAttribute.denyAll(), viewClassName, viewMethod, contextID);
viewConfiguration.addViewInterceptor(viewMethod, new ImmediateInterceptorFactory(authorizationInterceptor), InterceptorOrder.View.EJB_SECURITY_AUTHORIZATION_INTERCEPTOR);
}
}
}
}
if (viewMethodSecurityAttributesServiceBuilder != null) {
final EJBViewMethodSecurityAttributesService viewMethodSecurityAttributesService = viewMethodSecurityAttributesServiceBuilder.build();
context.getServiceTarget().addService(viewMethodSecurityAttributesServiceName, viewMethodSecurityAttributesService).install();
}
}
Also used :
EJBViewDescription(org.jboss.as.ejb3.component.EJBViewDescription)
ArrayList(java.util.ArrayList)
Method(java.lang.reflect.Method)
EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription)
EJBViewMethodSecurityAttributesService(org.jboss.as.ejb3.security.service.EJBViewMethodSecurityAttributesService)
InterceptorFactory(org.jboss.invocation.InterceptorFactory)
ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory)
ServiceName(org.jboss.msc.service.ServiceName)
ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory)
DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit)
DeploymentReflectionIndex(org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex)
SessionBeanComponentDescription(org.jboss.as.ejb3.component.session.SessionBeanComponentDescription)
Interceptor(org.jboss.invocation.Interceptor)
Example 2 with SecurityContextInterceptorFactory
use of org.jboss.as.ejb3.security.SecurityContextInterceptorFactory in project wildfly by wildfly.
the class SingletonComponentDescription method createConfiguration.
@Override
public ComponentConfiguration createConfiguration(final ClassReflectionIndex classIndex, final ClassLoader moduleClassLoader, final ModuleLoader moduleLoader) {
ComponentConfiguration singletonComponentConfiguration = new ComponentConfiguration(this, classIndex, moduleClassLoader, moduleLoader);
// setup the component create service
singletonComponentConfiguration.setComponentCreateServiceFactory(new SingletonComponentCreateServiceFactory(this.isInitOnStartup(), dependsOn));
if (isExplicitSecurityDomainConfigured()) {
getConfigurators().add(new ComponentConfigurator() {
@Override
public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
String contextID = deploymentUnit.getName();
if (deploymentUnit.getParent() != null) {
contextID = deploymentUnit.getParent().getName() + "!" + contextID;
}
EJBComponentDescription ejbComponentDescription = (EJBComponentDescription) description;
if (isSecurityDomainKnown()) {
final HashMap<Integer, InterceptorFactory> elytronInterceptorFactories = getElytronInterceptorFactories(contextID, ejbComponentDescription.isEnableJacc());
elytronInterceptorFactories.forEach((priority, elytronInterceptorFactory) -> configuration.addPostConstructInterceptor(elytronInterceptorFactory, priority));
} else {
configuration.addPostConstructInterceptor(new SecurityContextInterceptorFactory(isExplicitSecurityDomainConfigured(), false, contextID), InterceptorOrder.View.SECURITY_CONTEXT);
}
}
});
}
getConfigurators().add(new ComponentConfigurator() {
@Override
public void configure(DeploymentPhaseContext context, ComponentDescription description, ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
if (isInitOnStartup()) {
final StartupCountdown startupCountdown = context.getDeploymentUnit().getAttachment(Attachments.STARTUP_COUNTDOWN);
configuration.addPostConstructInterceptor(new ImmediateInterceptorFactory(new StartupCountDownInterceptor(startupCountdown)), InterceptorOrder.ComponentPostConstruct.STARTUP_COUNTDOWN_INTERCEPTOR);
}
}
});
if (getTransactionManagementType().equals(TransactionManagementType.CONTAINER)) {
//we need to add the transaction interceptor to the lifecycle methods
getConfigurators().add(new ComponentConfigurator() {
@Override
public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
final EEApplicationClasses applicationClasses = context.getDeploymentUnit().getAttachment(Attachments.EE_APPLICATION_CLASSES_DESCRIPTION);
InterceptorClassDescription interceptorConfig = ComponentDescription.mergeInterceptorConfig(configuration.getComponentClass(), applicationClasses.getClassByName(description.getComponentClassName()), description, MetadataCompleteMarker.isMetadataComplete(context.getDeploymentUnit()));
if (interceptorConfig.getPostConstruct() != null) {
configuration.addPostConstructInterceptor(new LifecycleCMTTxInterceptor.Factory(interceptorConfig.getPostConstruct(), true), InterceptorOrder.ComponentPostConstruct.TRANSACTION_INTERCEPTOR);
}
configuration.addPreDestroyInterceptor(new LifecycleCMTTxInterceptor.Factory(interceptorConfig.getPreDestroy(), true), InterceptorOrder.ComponentPreDestroy.TRANSACTION_INTERCEPTOR);
configuration.addTimeoutViewInterceptor(TimerCMTTxInterceptor.FACTORY, InterceptorOrder.View.CMT_TRANSACTION_INTERCEPTOR);
}
});
} else {
// add the bmt interceptor
getConfigurators().add(new ComponentConfigurator() {
@Override
public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
configuration.addPostConstructInterceptor(EjbBMTInterceptor.FACTORY, InterceptorOrder.ComponentPostConstruct.TRANSACTION_INTERCEPTOR);
configuration.addPreDestroyInterceptor(EjbBMTInterceptor.FACTORY, InterceptorOrder.ComponentPreDestroy.TRANSACTION_INTERCEPTOR);
// add the bmt interceptor factory
configuration.addComponentInterceptor(EjbBMTInterceptor.FACTORY, InterceptorOrder.Component.BMT_TRANSACTION_INTERCEPTOR, false);
}
});
}
return singletonComponentConfiguration;
}
Also used :
DeploymentUnitProcessingException(org.jboss.as.server.deployment.DeploymentUnitProcessingException)
InterceptorClassDescription(org.jboss.as.ee.component.interceptors.InterceptorClassDescription)
EEApplicationClasses(org.jboss.as.ee.component.EEApplicationClasses)
ComponentTypeIdentityInterceptorFactory(org.jboss.as.ejb3.component.interceptors.ComponentTypeIdentityInterceptorFactory)
ClassReflectionIndex(org.jboss.as.server.deployment.reflect.ClassReflectionIndex)
InterceptorFactory(org.jboss.invocation.InterceptorFactory)
ConcurrencyManagementType(javax.ejb.ConcurrencyManagementType)
SessionBeanMetaData(org.jboss.metadata.ejb.spec.SessionBeanMetaData)
DeploymentPhaseContext(org.jboss.as.server.deployment.DeploymentPhaseContext)
LifecycleCMTTxInterceptor(org.jboss.as.ejb3.tx.LifecycleCMTTxInterceptor)
HashMap(java.util.HashMap)
WriteReplaceInterface(org.jboss.as.ee.component.serialization.WriteReplaceInterface)
EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription)
StatelessWriteReplaceInterceptor(org.jboss.as.ejb3.component.session.StatelessWriteReplaceInterceptor)
ArrayList(java.util.ArrayList)
DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit)
InterceptorOrder(org.jboss.as.ee.component.interceptors.InterceptorOrder)
ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory)
DeploymentUnitProcessingException(org.jboss.as.server.deployment.DeploymentUnitProcessingException)
DeploymentReflectionIndex(org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex)
Method(java.lang.reflect.Method)
SessionBeanComponentDescription(org.jboss.as.ejb3.component.session.SessionBeanComponentDescription)
EjbJarDescription(org.jboss.as.ejb3.deployment.EjbJarDescription)
MethodIntf(org.jboss.as.ejb3.component.MethodIntf)
ModuleLoader(org.jboss.modules.ModuleLoader)
MetadataCompleteMarker(org.jboss.as.ee.metadata.MetadataCompleteMarker)
ViewConfigurator(org.jboss.as.ee.component.ViewConfigurator)
ContainerManagedConcurrencyInterceptorFactory(org.jboss.as.ejb3.concurrency.ContainerManagedConcurrencyInterceptorFactory)
StartupCountdown(org.jboss.as.ee.component.deployers.StartupCountdown)
StatelessRemoteViewInstanceFactory(org.jboss.as.ejb3.component.session.StatelessRemoteViewInstanceFactory)
SecurityContextInterceptorFactory(org.jboss.as.ejb3.security.SecurityContextInterceptorFactory)
TimerCMTTxInterceptor(org.jboss.as.ejb3.tx.TimerCMTTxInterceptor)
EjbBMTInterceptor(org.jboss.as.ejb3.tx.EjbBMTInterceptor)
Attachments(org.jboss.as.ee.component.Attachments)
ComponentDescription(org.jboss.as.ee.component.ComponentDescription)
List(java.util.List)
ComponentConfiguration(org.jboss.as.ee.component.ComponentConfiguration)
EJBViewDescription(org.jboss.as.ejb3.component.EJBViewDescription)
ComponentConfigurator(org.jboss.as.ee.component.ComponentConfigurator)
ViewConfiguration(org.jboss.as.ee.component.ViewConfiguration)
EjbLogger(org.jboss.as.ejb3.logging.EjbLogger)
ServiceName(org.jboss.msc.service.ServiceName)
ViewDescription(org.jboss.as.ee.component.ViewDescription)
Collections(java.util.Collections)
TransactionManagementType(javax.ejb.TransactionManagementType)
EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription)
SessionBeanComponentDescription(org.jboss.as.ejb3.component.session.SessionBeanComponentDescription)
ComponentDescription(org.jboss.as.ee.component.ComponentDescription)
ComponentConfigurator(org.jboss.as.ee.component.ComponentConfigurator)
HashMap(java.util.HashMap)
ComponentTypeIdentityInterceptorFactory(org.jboss.as.ejb3.component.interceptors.ComponentTypeIdentityInterceptorFactory)
InterceptorFactory(org.jboss.invocation.InterceptorFactory)
ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory)
ContainerManagedConcurrencyInterceptorFactory(org.jboss.as.ejb3.concurrency.ContainerManagedConcurrencyInterceptorFactory)
StatelessRemoteViewInstanceFactory(org.jboss.as.ejb3.component.session.StatelessRemoteViewInstanceFactory)
SecurityContextInterceptorFactory(org.jboss.as.ejb3.security.SecurityContextInterceptorFactory)
DeploymentPhaseContext(org.jboss.as.server.deployment.DeploymentPhaseContext)
EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription)
ComponentConfiguration(org.jboss.as.ee.component.ComponentConfiguration)
InterceptorClassDescription(org.jboss.as.ee.component.interceptors.InterceptorClassDescription)
EEApplicationClasses(org.jboss.as.ee.component.EEApplicationClasses)
SecurityContextInterceptorFactory(org.jboss.as.ejb3.security.SecurityContextInterceptorFactory)
ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory)
DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit)
StartupCountdown(org.jboss.as.ee.component.deployers.StartupCountdown)
Aggregations
Method (java.lang.reflect.Method)2
ArrayList (java.util.ArrayList)2
EJBComponentDescription (org.jboss.as.ejb3.component.EJBComponentDescription)2
EJBViewDescription (org.jboss.as.ejb3.component.EJBViewDescription)2
SessionBeanComponentDescription (org.jboss.as.ejb3.component.session.SessionBeanComponentDescription)2
DeploymentUnit (org.jboss.as.server.deployment.DeploymentUnit)2
DeploymentReflectionIndex (org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex)2
ImmediateInterceptorFactory (org.jboss.invocation.ImmediateInterceptorFactory)2
Collections (java.util.Collections)1
HashMap (java.util.HashMap)1
List (java.util.List)1
ConcurrencyManagementType (javax.ejb.ConcurrencyManagementType)1
TransactionManagementType (javax.ejb.TransactionManagementType)1
Attachments (org.jboss.as.ee.component.Attachments)1
ComponentConfiguration (org.jboss.as.ee.component.ComponentConfiguration)1
ComponentConfigurator (org.jboss.as.ee.component.ComponentConfigurator)1
ComponentDescription (org.jboss.as.ee.component.ComponentDescription)1
EEApplicationClasses (org.jboss.as.ee.component.EEApplicationClasses)1
ViewConfiguration (org.jboss.as.ee.component.ViewConfiguration)1
ViewConfigurator (org.jboss.as.ee.component.ViewConfigurator)1
