Use of org.jboss.as.ejb3.security.SecurityContextInterceptorFactory in project wildfly by wildfly.
The class EJBSecurityViewConfigurator, method configure.
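/**
 * Adds the security interceptors for a single view of an EJB component.
 * <p>
 * The decisions made here, in order:
 * <ol>
 * <li>No security settings at all are applied when the security subsystem is not attached to the
 *     deployment unit and no Elytron security domain is known for the bean.</li>
 * <li>No security interceptors are applied when the bean has no security domain (neither an explicit
 *     one nor a subsystem default).</li>
 * <li>The JACC context id is {@code <parent>!<deployment>} for a sub-deployment, otherwise the
 *     deployment name.</li>
 * <li>Each public view method is matched against the descriptor permissions first and the annotation
 *     permissions second (see {@code handlePermissions}); methods matched by neither are remembered.</li>
 * <li>The security context interceptor is added for the whole view: the Elytron interceptor
 *     factories when the domain is known, otherwise a {@link SecurityContextInterceptorFactory}.</li>
 * <li>When any method- or bean-level security metadata exists, the methods without explicit
 *     permissions get a deny-all authorization interceptor unless
 *     {@code missing-method-permissions-deny-access} is explicitly {@code false}; an unset
 *     ({@code null}) value defaults to deny.</li>
 * <li>The {@code EJBViewMethodSecurityAttributesService} for the view is installed when one was built.</li>
 * </ol>
 *
 * @param context the deployment phase context; supplies the deployment unit and the service target
 * @param componentConfiguration the component being configured; its description must be an
 *        {@link EJBComponentDescription}
 * @param viewDescription the view description, cast to {@link EJBViewDescription}
 * @param viewConfiguration the view configuration that receives the interceptors
 * @throws DeploymentUnitProcessingException declared by the configurator contract; the
 *         invalid-component check throws the exception built by
 *         {@code EjbLogger.ROOT_LOGGER.invalidEjbComponent}
 */
@Override
public void configure(DeploymentPhaseContext context, ComponentConfiguration componentConfiguration, ViewDescription viewDescription, ViewConfiguration viewConfiguration) throws DeploymentUnitProcessingException {
    if (!(componentConfiguration.getComponentDescription() instanceof EJBComponentDescription)) {
        throw EjbLogger.ROOT_LOGGER.invalidEjbComponent(componentConfiguration.getComponentName(), componentConfiguration.getComponentClass());
    }
    final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
    final EJBComponentDescription ejbComponentDescription = (EJBComponentDescription) componentConfiguration.getComponentDescription();
    final boolean isSecurityDomainKnown = ejbComponentDescription.isSecurityDomainKnown();
    if (!deploymentUnit.hasAttachment(SecurityAttachments.SECURITY_ENABLED) && !isSecurityDomainKnown) {
        // the security subsystem is not present and Elytron is not being used for security:
        // no security settings are applied to this view at all
        return;
    }
    final DeploymentReflectionIndex deploymentReflectionIndex = deploymentUnit.getAttachment(org.jboss.as.server.deployment.Attachments.REFLECTION_INDEX);
    final String securityDomain = ejbComponentDescription.getSecurityDomain();
    if (securityDomain == null || securityDomain.isEmpty()) {
        // no security domain (neither explicit on the bean nor a subsystem default):
        // no security interceptors are applied
        if (ROOT_LOGGER.isDebugEnabled()) {
            ROOT_LOGGER.debug("Security is *not* enabled on EJB: " + ejbComponentDescription.getEJBName() + ", since no explicit security domain is configured for the bean, nor is there any default security domain configured in the EJB3 subsystem");
        }
        return;
    }
    final String viewClassName = viewDescription.getViewClassName();
    final EJBViewDescription ejbViewDescription = (EJBViewDescription) viewDescription;

    // JACC contextID: "<parent>!<deployment>" for a sub-deployment, else the deployment name
    String contextID = deploymentUnit.getName();
    if (deploymentUnit.getParent() != null) {
        contextID = deploymentUnit.getParent().getName() + "!" + contextID;
    }

    // The EJBViewMethodSecurityAttributesService is built once per bean: the @WebService
    // (SERVICE_ENDPOINT) view of a session bean that also has a no-interface view is skipped here
    // and the service is built when the no-interface view is processed.
    final EJBViewMethodSecurityAttributesService.Builder viewMethodSecurityAttributesServiceBuilder;
    final ServiceName viewMethodSecurityAttributesServiceName;
    final boolean deferToNoInterfaceView = ejbComponentDescription instanceof SessionBeanComponentDescription
            && MethodIntf.SERVICE_ENDPOINT == ejbViewDescription.getMethodIntf()
            && ((SessionBeanComponentDescription) ejbComponentDescription).hasNoInterfaceView();
    if (deferToNoInterfaceView) {
        viewMethodSecurityAttributesServiceBuilder = null;
        viewMethodSecurityAttributesServiceName = null;
    } else {
        viewMethodSecurityAttributesServiceBuilder = new EJBViewMethodSecurityAttributesService.Builder();
        viewMethodSecurityAttributesServiceName = EJBViewMethodSecurityAttributesService.getServiceName(ejbComponentDescription.getApplicationName(), ejbComponentDescription.getModuleName(), ejbComponentDescription.getEJBName(), viewClassName);
    }

    // method-specific security interceptor(s): descriptor permissions win, annotations are the fallback
    final ApplicableMethodInformation<EJBMethodSecurityAttribute> descriptorPermissions = ejbComponentDescription.getDescriptorMethodPermissions();
    final ApplicableMethodInformation<EJBMethodSecurityAttribute> annotationPermissions = ejbComponentDescription.getAnnotationMethodPermissions();
    boolean beanHasMethodLevelSecurityMetadata = false;
    final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
    final List<Method> methodsWithoutExplicitSecurityConfiguration = new ArrayList<>();
    for (final Method viewMethod : viewMethods) {
        // TODO: proxy factory exposes non-public methods, is this a bug in the no-interface view?
        if (!Modifier.isPublic(viewMethod.getModifiers())) {
            continue;
        }
        if (viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
            continue;
        }
        // authorization interceptor from the deployment descriptor
        boolean methodHasSecurityMetadata = handlePermissions(contextID, componentConfiguration, viewConfiguration, deploymentReflectionIndex, viewClassName, ejbViewDescription, viewMethod, descriptorPermissions, false, viewMethodSecurityAttributesServiceBuilder, ejbComponentDescription);
        if (!methodHasSecurityMetadata) {
            // not covered by the descriptor: fall back to the annotation-based permissions
            methodHasSecurityMetadata = handlePermissions(contextID, componentConfiguration, viewConfiguration, deploymentReflectionIndex, viewClassName, ejbViewDescription, viewMethod, annotationPermissions, true, viewMethodSecurityAttributesServiceBuilder, ejbComponentDescription);
        }
        if (methodHasSecurityMetadata) {
            // any method with security metadata means the bean has method-level security metadata
            beanHasMethodLevelSecurityMetadata = true;
        } else {
            // remember that this method has no explicit method permissions
            methodsWithoutExplicitSecurityConfiguration.add(viewMethod);
        }
    }
    final boolean securityRequired = beanHasMethodLevelSecurityMetadata || ejbComponentDescription.hasBeanLevelSecurityMetadata();

    // security context interceptor for the whole view
    if (isSecurityDomainKnown) {
        final HashMap<Integer, InterceptorFactory> elytronInterceptorFactories = ejbComponentDescription.getElytronInterceptorFactories(contextID, ejbComponentDescription.isEnableJacc());
        elytronInterceptorFactories.forEach((priority, elytronInterceptorFactory) -> viewConfiguration.addViewInterceptor(elytronInterceptorFactory, priority));
    } else {
        viewConfiguration.addViewInterceptor(new SecurityContextInterceptorFactory(securityRequired, true, contextID), InterceptorOrder.View.SECURITY_CONTEXT);
    }

    // authorization interceptor for the methods without explicit permissions, if the bean has *any* security metadata
    if (securityRequired) {
        // missing-method-permissions-deny-access: only an explicit false leaves the unlisted methods
        // without an authorization interceptor; null (not configured) and true both deny.
        // Boolean.FALSE.equals() rather than a reference comparison, so a non-canonical Boolean
        // instance holding false is still treated as false.
        // (@see http://anil-identity.blogspot.in/2010/02/tip-interpretation-of-missing-ejb.html for details)
        final Boolean denyAccessToMethodsMissingPermissions = ejbComponentDescription.isMissingMethodPermissionsDeniedAccess();
        if (!Boolean.FALSE.equals(denyAccessToMethodsMissingPermissions)) {
            for (final Method viewMethod : methodsWithoutExplicitSecurityConfiguration) {
                if (viewMethodSecurityAttributesServiceBuilder != null) {
                    // expose the deny-all attribute to other components like WS (@see https://issues.jboss.org/browse/WFLY-308)
                    viewMethodSecurityAttributesServiceBuilder.addMethodSecurityMetadata(viewMethod, EJBMethodSecurityAttribute.denyAll());
                }
                // "deny access" needs an authorization interceptor on the method to reject the invocation
                if (isSecurityDomainKnown) {
                    viewConfiguration.addViewInterceptor(viewMethod, new ImmediateInterceptorFactory(RolesAllowedInterceptor.DENY_ALL), InterceptorOrder.View.EJB_SECURITY_AUTHORIZATION_INTERCEPTOR);
                } else {
                    final Interceptor authorizationInterceptor = new AuthorizationInterceptor(EJBMethodSecurityAttribute.denyAll(), viewClassName, viewMethod, contextID);
                    viewConfiguration.addViewInterceptor(viewMethod, new ImmediateInterceptorFactory(authorizationInterceptor), InterceptorOrder.View.EJB_SECURITY_AUTHORIZATION_INTERCEPTOR);
                }
            }
        }
    }

    if (viewMethodSecurityAttributesServiceBuilder != null) {
        final EJBViewMethodSecurityAttributesService viewMethodSecurityAttributesService = viewMethodSecurityAttributesServiceBuilder.build();
        context.getServiceTarget().addService(viewMethodSecurityAttributesServiceName, viewMethodSecurityAttributesService).install();
    }
}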
Use of org.jboss.as.ejb3.security.SecurityContextInterceptorFactory in project wildfly by wildfly.
The class SingletonComponentDescription, method createConfiguration.
/**
 * Creates the {@link ComponentConfiguration} for this singleton bean and registers the configurators
 * that attach its lifecycle interceptors.
 * <p>
 * Registered configurators, in order:
 * <ul>
 * <li>only when an explicit security domain is configured: a post-construct security context
 *     interceptor (the Elytron factories when the security domain is known, otherwise a
 *     {@link SecurityContextInterceptorFactory} keyed by the JACC context id);</li>
 * <li>a startup-countdown post-construct interceptor, active only for init-on-startup beans;</li>
 * <li>the transaction interceptors: lifecycle CMT interceptors plus the timer CMT interceptor for
 *     container-managed transactions, otherwise the BMT interceptor on post-construct, pre-destroy
 *     and the component interceptor chain.</li>
 * </ul>
 *
 * @param classIndex reflection index of the component class
 * @param moduleClassLoader class loader of the deployment module
 * @param moduleLoader module loader of the deployment
 * @return the new component configuration with its create-service factory and configurators set
 */
@Override
public ComponentConfiguration createConfiguration(final ClassReflectionIndex classIndex, final ClassLoader moduleClassLoader, final ModuleLoader moduleLoader) {
    final ComponentConfiguration componentConfiguration = new ComponentConfiguration(this, classIndex, moduleClassLoader, moduleLoader);
    // the create service carries the init-on-startup flag and the singleton's dependsOn list
    componentConfiguration.setComponentCreateServiceFactory(new SingletonComponentCreateServiceFactory(this.isInitOnStartup(), dependsOn));

    if (isExplicitSecurityDomainConfigured()) {
        getConfigurators().add((context, description, configuration) -> {
            final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
            final DeploymentUnit parent = deploymentUnit.getParent();
            // JACC contextID: "<parent>!<deployment>" for a sub-deployment, else the deployment name
            final String contextID = parent == null
                    ? deploymentUnit.getName()
                    : parent.getName() + "!" + deploymentUnit.getName();
            final EJBComponentDescription ejbComponentDescription = (EJBComponentDescription) description;
            if (isSecurityDomainKnown()) {
                final HashMap<Integer, InterceptorFactory> elytronInterceptorFactories = getElytronInterceptorFactories(contextID, ejbComponentDescription.isEnableJacc());
                elytronInterceptorFactories.forEach((priority, factory) -> configuration.addPostConstructInterceptor(factory, priority));
            } else {
                configuration.addPostConstructInterceptor(new SecurityContextInterceptorFactory(isExplicitSecurityDomainConfigured(), false, contextID), InterceptorOrder.View.SECURITY_CONTEXT);
            }
        });
    }

    getConfigurators().add((context, description, configuration) -> {
        if (!isInitOnStartup()) {
            return;
        }
        final StartupCountdown countdown = context.getDeploymentUnit().getAttachment(Attachments.STARTUP_COUNTDOWN);
        configuration.addPostConstructInterceptor(new ImmediateInterceptorFactory(new StartupCountDownInterceptor(countdown)), InterceptorOrder.ComponentPostConstruct.STARTUP_COUNTDOWN_INTERCEPTOR);
    });

    final boolean containerManagedTx = getTransactionManagementType().equals(TransactionManagementType.CONTAINER);
    if (containerManagedTx) {
        // the transaction interceptor wraps the lifecycle methods as well
        getConfigurators().add((context, description, configuration) -> {
            final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
            final EEApplicationClasses applicationClasses = deploymentUnit.getAttachment(Attachments.EE_APPLICATION_CLASSES_DESCRIPTION);
            final InterceptorClassDescription interceptorConfig = ComponentDescription.mergeInterceptorConfig(configuration.getComponentClass(), applicationClasses.getClassByName(description.getComponentClassName()), description, MetadataCompleteMarker.isMetadataComplete(deploymentUnit));
            final Method postConstruct = interceptorConfig.getPostConstruct();
            if (postConstruct != null) {
                configuration.addPostConstructInterceptor(new LifecycleCMTTxInterceptor.Factory(postConstruct, true), InterceptorOrder.ComponentPostConstruct.TRANSACTION_INTERCEPTOR);
            }
            configuration.addPreDestroyInterceptor(new LifecycleCMTTxInterceptor.Factory(interceptorConfig.getPreDestroy(), true), InterceptorOrder.ComponentPreDestroy.TRANSACTION_INTERCEPTOR);
            configuration.addTimeoutViewInterceptor(TimerCMTTxInterceptor.FACTORY, InterceptorOrder.View.CMT_TRANSACTION_INTERCEPTOR);
        });
    } else {
        // bean-managed transactions: the BMT interceptor on post-construct, pre-destroy and the component chain
        getConfigurators().add((context, description, configuration) -> {
            configuration.addPostConstructInterceptor(EjbBMTInterceptor.FACTORY, InterceptorOrder.ComponentPostConstruct.TRANSACTION_INTERCEPTOR);
            configuration.addPreDestroyInterceptor(EjbBMTInterceptor.FACTORY, InterceptorOrder.ComponentPreDestroy.TRANSACTION_INTERCEPTOR);
            configuration.addComponentInterceptor(EjbBMTInterceptor.FACTORY, InterceptorOrder.Component.BMT_TRANSACTION_INTERCEPTOR, false);
        });
    }
    return componentConfiguration;
}