
Example 1 with SecurityContextInterceptorFactory

use of org.jboss.as.ejb3.security.SecurityContextInterceptorFactory in project wildfly by wildfly.

the class EJBSecurityViewConfigurator method configure.

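/**
 * Wires the security interceptors for one EJB view at deployment time.
 *
 * <p>Security-relevant behaviour visible in this method:
 * <ul>
 *   <li>If the deployment has no {@code SECURITY_ENABLED} attachment and the bean's security domain is not
 *       "known", the method returns without installing anything.</li>
 *   <li>If the bean has no security domain (null or empty), the method also returns without installing any
 *       interceptor; only a debug-level message records this.</li>
 *   <li>Otherwise a security-context interceptor is always added, and, when the bean carries any security
 *       metadata, view methods that have no explicit permissions get a deny-all authorization interceptor
 *       unless missing-method-permissions-deny-access is explicitly {@code false}.</li>
 * </ul>
 *
 * @param context                the deployment phase context; supplies the deployment unit and service target
 * @param componentConfiguration the component being configured; must describe an EJB component
 * @param viewDescription        the view description; cast to {@code EJBViewDescription}
 * @param viewConfiguration      the view configuration that receives the interceptors
 * @throws DeploymentUnitProcessingException if the component description is not an {@code EJBComponentDescription}
 */
@Override
public void configure(DeploymentPhaseContext context, ComponentConfiguration componentConfiguration, ViewDescription viewDescription, ViewConfiguration viewConfiguration) throws DeploymentUnitProcessingException {
    if (!(componentConfiguration.getComponentDescription() instanceof EJBComponentDescription)) {
        throw EjbLogger.ROOT_LOGGER.invalidEjbComponent(componentConfiguration.getComponentName(), componentConfiguration.getComponentClass());
    }
    final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
    final EJBComponentDescription ejbComponentDescription = (EJBComponentDescription) componentConfiguration.getComponentDescription();
    final boolean isSecurityDomainKnown = ejbComponentDescription.isSecurityDomainKnown();
    if ((!deploymentUnit.hasAttachment(SecurityAttachments.SECURITY_ENABLED)) && (!isSecurityDomainKnown)) {
        // the security subsystem is not present and Elytron is not being used for security, we don't apply any security settings
        return;
    }
    final DeploymentReflectionIndex deploymentReflectionIndex = deploymentUnit.getAttachment(org.jboss.as.server.deployment.Attachments.REFLECTION_INDEX);
    // No security domain is set on the bean description (null or empty). In such cases, we do *not* apply any
    // security interceptors: the view is left without a security-context or authorization interceptor from
    // this configurator, and the only trace of that decision is the debug message below.
    if (ejbComponentDescription.getSecurityDomain() == null || ejbComponentDescription.getSecurityDomain().isEmpty()) {
        if (ROOT_LOGGER.isDebugEnabled()) {
            ROOT_LOGGER.debug("Security is *not* enabled on EJB: " + ejbComponentDescription.getEJBName() + ", since no explicit security domain is configured for the bean, nor is there any default security domain configured in the EJB3 subsystem");
        }
        return;
    }
    final String viewClassName = viewDescription.getViewClassName();
    final EJBViewDescription ejbViewDescription = (EJBViewDescription) viewDescription;
    // setup the JACC contextID: "<parent deployment name>!<deployment name>" for a sub-deployment,
    // otherwise just the deployment name.
    String contextID = deploymentUnit.getName();
    if (deploymentUnit.getParent() != null) {
        contextID = deploymentUnit.getParent().getName() + "!" + contextID;
    }
    final EJBViewMethodSecurityAttributesService.Builder viewMethodSecurityAttributesServiceBuilder;
    final ServiceName viewMethodSecurityAttributesServiceName;
    // A session bean that has both a service-endpoint (@WebService) view and a @LocalBean (no-interface) view
    // would otherwise get the attributes service built for both these views. So here we skip the @WebService
    // view and let the EJBViewMethodSecurityAttributesService be built when the no-interface view is processed.
    // A null builder below means "do not publish security attributes for this view"; interceptors are still added.
    if (ejbComponentDescription instanceof SessionBeanComponentDescription && MethodIntf.SERVICE_ENDPOINT == ejbViewDescription.getMethodIntf() && ((SessionBeanComponentDescription) ejbComponentDescription).hasNoInterfaceView()) {
        viewMethodSecurityAttributesServiceBuilder = null;
        viewMethodSecurityAttributesServiceName = null;
    } else {
        viewMethodSecurityAttributesServiceBuilder = new EJBViewMethodSecurityAttributesService.Builder();
        viewMethodSecurityAttributesServiceName = EJBViewMethodSecurityAttributesService.getServiceName(ejbComponentDescription.getApplicationName(), ejbComponentDescription.getModuleName(), ejbComponentDescription.getEJBName(), viewClassName);
    }
    // setup the method specific security interceptor(s)
    boolean beanHasMethodLevelSecurityMetadata = false;
    final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
    final List<Method> methodsWithoutExplicitSecurityConfiguration = new ArrayList<>();
    for (final Method viewMethod : viewMethods) {
        // TODO: proxy factory exposes non-public methods, is this a bug in the no-interface view?
        // Non-public methods are skipped here, so they receive no per-method authorization interceptor
        // (neither an explicit one nor the deny-all fallback further down).
        if (!Modifier.isPublic(viewMethod.getModifiers())) {
            continue;
        }
        if (viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
            continue;
        }
        // setup the authorization interceptor: deployment-descriptor permissions are consulted first
        final ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions = ejbComponentDescription.getDescriptorMethodPermissions();
        boolean methodHasSecurityMetadata = handlePermissions(contextID, componentConfiguration, viewConfiguration, deploymentReflectionIndex, viewClassName, ejbViewDescription, viewMethod, permissions, false, viewMethodSecurityAttributesServiceBuilder, ejbComponentDescription);
        if (!methodHasSecurityMetadata) {
            //if it was not handled by the descriptor processor we look for annotation basic info
            methodHasSecurityMetadata = handlePermissions(contextID, componentConfiguration, viewConfiguration, deploymentReflectionIndex, viewClassName, ejbViewDescription, viewMethod, ejbComponentDescription.getAnnotationMethodPermissions(), true, viewMethodSecurityAttributesServiceBuilder, ejbComponentDescription);
        }
        // if any method has security metadata then the bean has method level security metadata
        if (methodHasSecurityMetadata) {
            beanHasMethodLevelSecurityMetadata = true;
        } else {
            // make a note that this method didn't have any explicit method permissions configured
            methodsWithoutExplicitSecurityConfiguration.add(viewMethod);
        }
    }
    final boolean securityRequired = beanHasMethodLevelSecurityMetadata || ejbComponentDescription.hasBeanLevelSecurityMetadata();
    // setup the security context interceptor
    if (isSecurityDomainKnown) {
        final HashMap<Integer, InterceptorFactory> elytronInterceptorFactories = ejbComponentDescription.getElytronInterceptorFactories(contextID, ejbComponentDescription.isEnableJacc());
        elytronInterceptorFactories.forEach((priority, elytronInterceptorFactory) -> viewConfiguration.addViewInterceptor(elytronInterceptorFactory, priority));
    } else {
        viewConfiguration.addViewInterceptor(new SecurityContextInterceptorFactory(securityRequired, true, contextID), InterceptorOrder.View.SECURITY_CONTEXT);
    }
    // now add the authorization interceptor if the bean has *any* security metadata applicable.
    // When the bean has no security metadata at all, methods without explicit permissions get no deny-all
    // interceptor here.
    if (securityRequired) {
        // check the missing-method-permissions-deny-access configuration and add the authorization interceptor
        // to methods which don't have explicit method permissions.
        // (@see http://anil-identity.blogspot.in/2010/02/tip-interpretation-of-missing-ejb.html for details)
        final Boolean denyAccessToMethodsMissingPermissions = ejbComponentDescription.isMissingMethodPermissionsDeniedAccess();
        // default to "deny access": both null (not configured) and TRUE deny. The check compares by value,
        // not by reference, so an explicitly configured false is honoured even when the Boolean is not the
        // canonical Boolean.FALSE instance.
        if (!Boolean.FALSE.equals(denyAccessToMethodsMissingPermissions)) {
            for (final Method viewMethod : methodsWithoutExplicitSecurityConfiguration) {
                if (viewMethodSecurityAttributesServiceBuilder != null) {
                    // build the EJBViewMethodSecurityAttributesService to expose these security attributes to other components like WS (@see https://issues.jboss.org/browse/WFLY-308)
                    viewMethodSecurityAttributesServiceBuilder.addMethodSecurityMetadata(viewMethod, EJBMethodSecurityAttribute.denyAll());
                }
                // "deny access" implies we need the authorization interceptor to be added so that it can reject the invocation
                if (isSecurityDomainKnown) {
                    viewConfiguration.addViewInterceptor(viewMethod, new ImmediateInterceptorFactory(RolesAllowedInterceptor.DENY_ALL), InterceptorOrder.View.EJB_SECURITY_AUTHORIZATION_INTERCEPTOR);
                } else {
                    final Interceptor authorizationInterceptor = new AuthorizationInterceptor(EJBMethodSecurityAttribute.denyAll(), viewClassName, viewMethod, contextID);
                    viewConfiguration.addViewInterceptor(viewMethod, new ImmediateInterceptorFactory(authorizationInterceptor), InterceptorOrder.View.EJB_SECURITY_AUTHORIZATION_INTERCEPTOR);
                }
            }
        }
    }
    // publish the collected per-method security attributes as a service (skipped for the @WebService view case above)
    if (viewMethodSecurityAttributesServiceBuilder != null) {
        final EJBViewMethodSecurityAttributesService viewMethodSecurityAttributesService = viewMethodSecurityAttributesServiceBuilder.build();
        context.getServiceTarget().addService(viewMethodSecurityAttributesServiceName, viewMethodSecurityAttributesService).install();
    }
}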
Also used : EJBViewDescription(org.jboss.as.ejb3.component.EJBViewDescription) ArrayList(java.util.ArrayList) Method(java.lang.reflect.Method) EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription) EJBViewMethodSecurityAttributesService(org.jboss.as.ejb3.security.service.EJBViewMethodSecurityAttributesService) InterceptorFactory(org.jboss.invocation.InterceptorFactory) ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory) ServiceName(org.jboss.msc.service.ServiceName) ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory) DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit) DeploymentReflectionIndex(org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex) SessionBeanComponentDescription(org.jboss.as.ejb3.component.session.SessionBeanComponentDescription) Interceptor(org.jboss.invocation.Interceptor)

Example 2 with SecurityContextInterceptorFactory

use of org.jboss.as.ejb3.security.SecurityContextInterceptorFactory in project wildfly by wildfly.

the class SingletonComponentDescription method createConfiguration.

/**
 * Builds the {@link ComponentConfiguration} for this singleton bean and registers the configurators that
 * later attach its lifecycle interceptors.
 *
 * <p>Configurators are registered in this order: the security-context configurator (only when an explicit
 * security domain is configured), the startup-countdown configurator, then either the container-managed or
 * the bean-managed transaction configurator.
 *
 * @param classIndex        reflection index of the component class
 * @param moduleClassLoader class loader of the deployment module
 * @param moduleLoader      module loader of the deployment
 * @return the newly created component configuration
 */
@Override
public ComponentConfiguration createConfiguration(final ClassReflectionIndex classIndex, final ClassLoader moduleClassLoader, final ModuleLoader moduleLoader) {
    final ComponentConfiguration result = new ComponentConfiguration(this, classIndex, moduleClassLoader, moduleLoader);
    // the create-service factory is told whether the singleton is init-on-startup and what it depends on
    result.setComponentCreateServiceFactory(new SingletonComponentCreateServiceFactory(this.isInitOnStartup(), dependsOn));

    if (isExplicitSecurityDomainConfigured()) {
        // @PostConstruct of a secured singleton runs with a security context established first
        getConfigurators().add(new ComponentConfigurator() {

            @Override
            public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
                final DeploymentUnit unit = context.getDeploymentUnit();
                // JACC context id: "<parent>!<name>" for a sub-deployment, plain name otherwise
                final String contextID = unit.getParent() != null
                        ? unit.getParent().getName() + "!" + unit.getName()
                        : unit.getName();
                final EJBComponentDescription ejbDescription = (EJBComponentDescription) description;
                if (!isSecurityDomainKnown()) {
                    // NOTE(review): a View-scoped order constant is used on the post-construct chain here; confirm this is intended
                    configuration.addPostConstructInterceptor(new SecurityContextInterceptorFactory(isExplicitSecurityDomainConfigured(), false, contextID), InterceptorOrder.View.SECURITY_CONTEXT);
                    return;
                }
                final HashMap<Integer, InterceptorFactory> factoriesByPriority = getElytronInterceptorFactories(contextID, ejbDescription.isEnableJacc());
                factoriesByPriority.forEach((order, factory) -> configuration.addPostConstructInterceptor(factory, order));
            }
        });
    }

    getConfigurators().add(new ComponentConfigurator() {

        @Override
        public void configure(DeploymentPhaseContext context, ComponentDescription description, ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
            if (!isInitOnStartup()) {
                return;
            }
            final StartupCountdown countdown = context.getDeploymentUnit().getAttachment(Attachments.STARTUP_COUNTDOWN);
            final StartupCountDownInterceptor countdownInterceptor = new StartupCountDownInterceptor(countdown);
            configuration.addPostConstructInterceptor(new ImmediateInterceptorFactory(countdownInterceptor), InterceptorOrder.ComponentPostConstruct.STARTUP_COUNTDOWN_INTERCEPTOR);
        }
    });

    final boolean containerManagedTx = getTransactionManagementType().equals(TransactionManagementType.CONTAINER);
    if (!containerManagedTx) {
        // bean-managed transactions: the BMT interceptor goes on the lifecycle chains and the component chain
        getConfigurators().add(new ComponentConfigurator() {

            @Override
            public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
                configuration.addPostConstructInterceptor(EjbBMTInterceptor.FACTORY, InterceptorOrder.ComponentPostConstruct.TRANSACTION_INTERCEPTOR);
                configuration.addPreDestroyInterceptor(EjbBMTInterceptor.FACTORY, InterceptorOrder.ComponentPreDestroy.TRANSACTION_INTERCEPTOR);
                configuration.addComponentInterceptor(EjbBMTInterceptor.FACTORY, InterceptorOrder.Component.BMT_TRANSACTION_INTERCEPTOR, false);
            }
        });
    } else {
        // container-managed transactions: the lifecycle methods need a transaction interceptor as well
        getConfigurators().add(new ComponentConfigurator() {

            @Override
            public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
                final EEApplicationClasses eeClasses = context.getDeploymentUnit().getAttachment(Attachments.EE_APPLICATION_CLASSES_DESCRIPTION);
                final InterceptorClassDescription lifecycle = ComponentDescription.mergeInterceptorConfig(
                        configuration.getComponentClass(),
                        eeClasses.getClassByName(description.getComponentClassName()),
                        description,
                        MetadataCompleteMarker.isMetadataComplete(context.getDeploymentUnit()));
                // only the post-construct interceptor is conditional on a callback being declared
                if (lifecycle.getPostConstruct() != null) {
                    configuration.addPostConstructInterceptor(new LifecycleCMTTxInterceptor.Factory(lifecycle.getPostConstruct(), true), InterceptorOrder.ComponentPostConstruct.TRANSACTION_INTERCEPTOR);
                }
                configuration.addPreDestroyInterceptor(new LifecycleCMTTxInterceptor.Factory(lifecycle.getPreDestroy(), true), InterceptorOrder.ComponentPreDestroy.TRANSACTION_INTERCEPTOR);
                configuration.addTimeoutViewInterceptor(TimerCMTTxInterceptor.FACTORY, InterceptorOrder.View.CMT_TRANSACTION_INTERCEPTOR);
            }
        });
    }
    return result;
}
Also used : DeploymentUnitProcessingException(org.jboss.as.server.deployment.DeploymentUnitProcessingException) InterceptorClassDescription(org.jboss.as.ee.component.interceptors.InterceptorClassDescription) EEApplicationClasses(org.jboss.as.ee.component.EEApplicationClasses) ComponentTypeIdentityInterceptorFactory(org.jboss.as.ejb3.component.interceptors.ComponentTypeIdentityInterceptorFactory) ClassReflectionIndex(org.jboss.as.server.deployment.reflect.ClassReflectionIndex) InterceptorFactory(org.jboss.invocation.InterceptorFactory) ConcurrencyManagementType(javax.ejb.ConcurrencyManagementType) SessionBeanMetaData(org.jboss.metadata.ejb.spec.SessionBeanMetaData) DeploymentPhaseContext(org.jboss.as.server.deployment.DeploymentPhaseContext) LifecycleCMTTxInterceptor(org.jboss.as.ejb3.tx.LifecycleCMTTxInterceptor) HashMap(java.util.HashMap) WriteReplaceInterface(org.jboss.as.ee.component.serialization.WriteReplaceInterface) EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription) StatelessWriteReplaceInterceptor(org.jboss.as.ejb3.component.session.StatelessWriteReplaceInterceptor) ArrayList(java.util.ArrayList) DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit) InterceptorOrder(org.jboss.as.ee.component.interceptors.InterceptorOrder) ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory) DeploymentUnitProcessingException(org.jboss.as.server.deployment.DeploymentUnitProcessingException) DeploymentReflectionIndex(org.jboss.as.server.deployment.reflect.DeploymentReflectionIndex) Method(java.lang.reflect.Method) SessionBeanComponentDescription(org.jboss.as.ejb3.component.session.SessionBeanComponentDescription) EjbJarDescription(org.jboss.as.ejb3.deployment.EjbJarDescription) MethodIntf(org.jboss.as.ejb3.component.MethodIntf) ModuleLoader(org.jboss.modules.ModuleLoader) MetadataCompleteMarker(org.jboss.as.ee.metadata.MetadataCompleteMarker) ViewConfigurator(org.jboss.as.ee.component.ViewConfigurator) 
ContainerManagedConcurrencyInterceptorFactory(org.jboss.as.ejb3.concurrency.ContainerManagedConcurrencyInterceptorFactory) StartupCountdown(org.jboss.as.ee.component.deployers.StartupCountdown) StatelessRemoteViewInstanceFactory(org.jboss.as.ejb3.component.session.StatelessRemoteViewInstanceFactory) SecurityContextInterceptorFactory(org.jboss.as.ejb3.security.SecurityContextInterceptorFactory) TimerCMTTxInterceptor(org.jboss.as.ejb3.tx.TimerCMTTxInterceptor) EjbBMTInterceptor(org.jboss.as.ejb3.tx.EjbBMTInterceptor) Attachments(org.jboss.as.ee.component.Attachments) ComponentDescription(org.jboss.as.ee.component.ComponentDescription) List(java.util.List) ComponentConfiguration(org.jboss.as.ee.component.ComponentConfiguration) EJBViewDescription(org.jboss.as.ejb3.component.EJBViewDescription) ComponentConfigurator(org.jboss.as.ee.component.ComponentConfigurator) ViewConfiguration(org.jboss.as.ee.component.ViewConfiguration) EjbLogger(org.jboss.as.ejb3.logging.EjbLogger) ServiceName(org.jboss.msc.service.ServiceName) ViewDescription(org.jboss.as.ee.component.ViewDescription) Collections(java.util.Collections) TransactionManagementType(javax.ejb.TransactionManagementType) EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription) SessionBeanComponentDescription(org.jboss.as.ejb3.component.session.SessionBeanComponentDescription) ComponentDescription(org.jboss.as.ee.component.ComponentDescription) ComponentConfigurator(org.jboss.as.ee.component.ComponentConfigurator) HashMap(java.util.HashMap) ComponentTypeIdentityInterceptorFactory(org.jboss.as.ejb3.component.interceptors.ComponentTypeIdentityInterceptorFactory) InterceptorFactory(org.jboss.invocation.InterceptorFactory) ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory) ContainerManagedConcurrencyInterceptorFactory(org.jboss.as.ejb3.concurrency.ContainerManagedConcurrencyInterceptorFactory) 
StatelessRemoteViewInstanceFactory(org.jboss.as.ejb3.component.session.StatelessRemoteViewInstanceFactory) SecurityContextInterceptorFactory(org.jboss.as.ejb3.security.SecurityContextInterceptorFactory) DeploymentPhaseContext(org.jboss.as.server.deployment.DeploymentPhaseContext) EJBComponentDescription(org.jboss.as.ejb3.component.EJBComponentDescription) ComponentConfiguration(org.jboss.as.ee.component.ComponentConfiguration) InterceptorClassDescription(org.jboss.as.ee.component.interceptors.InterceptorClassDescription) EEApplicationClasses(org.jboss.as.ee.component.EEApplicationClasses) SecurityContextInterceptorFactory(org.jboss.as.ejb3.security.SecurityContextInterceptorFactory) ImmediateInterceptorFactory(org.jboss.invocation.ImmediateInterceptorFactory) DeploymentUnit(org.jboss.as.server.deployment.DeploymentUnit) StartupCountdown(org.jboss.as.ee.component.deployers.StartupCountdown)
