use of org.jboss.as.ejb3.security.service.EJBViewMethodSecurityAttributesService in project wildfly by wildfly.
The class EJBSecurityViewConfigurator, method configure.
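@Override
public void configure(DeploymentPhaseContext context, ComponentConfiguration componentConfiguration, ViewDescription viewDescription, ViewConfiguration viewConfiguration) throws DeploymentUnitProcessingException {
    if (!(componentConfiguration.getComponentDescription() instanceof EJBComponentDescription)) {
        throw EjbLogger.ROOT_LOGGER.invalidEjbComponent(componentConfiguration.getComponentName(), componentConfiguration.getComponentClass());
    }
    final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
    final EJBComponentDescription ejbComponentDescription = (EJBComponentDescription) componentConfiguration.getComponentDescription();
    // An Elytron security domain is in play exactly when the bean resolved to a security domain service.
    final boolean elytronSecurityDomain = ejbComponentDescription.getSecurityDomainServiceName() != null;
    final String viewClassName = viewDescription.getViewClassName();
    final EJBViewDescription ejbViewDescription = (EJBViewDescription) viewDescription;

    // The per-method security attributes service exists only for SERVICE_ENDPOINT views, and for those it is
    // always installed, even when no security applies at all, because the WS integration consumes it (WFLY-308).
    final boolean serviceEndpointView = MethodIntf.SERVICE_ENDPOINT == ejbViewDescription.getMethodIntf();
    final EJBViewMethodSecurityAttributesService.Builder viewMethodSecurityAttributesServiceBuilder =
            serviceEndpointView ? new EJBViewMethodSecurityAttributesService.Builder() : null;
    final ServiceName viewMethodSecurityAttributesServiceName = serviceEndpointView
            ? EJBViewMethodSecurityAttributesService.getServiceName(ejbComponentDescription.getApplicationName(), ejbComponentDescription.getModuleName(), ejbComponentDescription.getEJBName(), viewClassName)
            : null;

    if (!legacySecurityAvailable(deploymentUnit) && !elytronSecurityDomain) {
        // Neither the legacy security subsystem nor Elytron is available: no security settings are applied.
        installAttributeServiceIfRequired(context, viewMethodSecurityAttributesServiceBuilder, viewMethodSecurityAttributesServiceName);
        return;
    }

    final DeploymentReflectionIndex deploymentReflectionIndex = deploymentUnit.getAttachment(org.jboss.as.server.deployment.Attachments.REFLECTION_INDEX);

    // getResolvedSecurityDomain() is null/empty when neither an explicit security domain is configured for the bean
    // nor a default one at EJB3 subsystem level. Without an Elytron domain either, no security interceptors are applied.
    final String resolvedSecurityDomain = ejbComponentDescription.getResolvedSecurityDomain();
    if (!elytronSecurityDomain && (resolvedSecurityDomain == null || resolvedSecurityDomain.isEmpty())) {
        if (ROOT_LOGGER.isDebugEnabled()) {
            ROOT_LOGGER.debug("Security is *not* enabled on EJB: " + ejbComponentDescription.getEJBName() + ", since no explicit security domain is configured for the bean, nor is there any default security domain configured in the EJB3 subsystem");
        }
        installAttributeServiceIfRequired(context, viewMethodSecurityAttributesServiceBuilder, viewMethodSecurityAttributesServiceName);
        return;
    }

    // JACC contextID for this deployment (sub-deployments are qualified by their parent's name).
    final String contextID = jaccContextId(deploymentUnit);

    // Method-level permissions: the deployment descriptor is consulted first; annotations are only consulted for
    // methods the descriptor did not cover. The descriptor permissions are the same for every method, so look them up once.
    final ApplicableMethodInformation<EJBMethodSecurityAttribute> descriptorPermissions = ejbComponentDescription.getDescriptorMethodPermissions();
    final List<Method> methodsWithoutExplicitSecurityConfiguration = new ArrayList<>();
    boolean beanHasMethodLevelSecurityMetadata = false;
    for (final Method viewMethod : viewConfiguration.getProxyFactory().getCachedMethods()) {
        // TODO: proxy factory exposes non-public methods, is this a bug in the no-interface view?
        if (!Modifier.isPublic(viewMethod.getModifiers())) {
            continue;
        }
        if (viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
            continue;
        }
        // Short-circuit keeps the original precedence: annotations are only examined when the descriptor did not match.
        final boolean methodHasSecurityMetadata =
                handlePermissions(contextID, componentConfiguration, viewConfiguration, deploymentReflectionIndex, viewClassName, ejbViewDescription, viewMethod, descriptorPermissions, false, viewMethodSecurityAttributesServiceBuilder, ejbComponentDescription, elytronSecurityDomain, resolvedSecurityDomain)
                || handlePermissions(contextID, componentConfiguration, viewConfiguration, deploymentReflectionIndex, viewClassName, ejbViewDescription, viewMethod, ejbComponentDescription.getAnnotationMethodPermissions(), true, viewMethodSecurityAttributesServiceBuilder, ejbComponentDescription, elytronSecurityDomain, resolvedSecurityDomain);
        if (methodHasSecurityMetadata) {
            beanHasMethodLevelSecurityMetadata = true;
        } else {
            // Remember methods with no explicit permission so they can be denied by default below.
            methodsWithoutExplicitSecurityConfiguration.add(viewMethod);
        }
    }

    final boolean securityRequired = beanHasMethodLevelSecurityMetadata || ejbComponentDescription.hasBeanLevelSecurityMetadata();
    if (securityRequired) {
        // Only ever raised here, never cleared.
        ejbComponentDescription.setSecurityRequired(true);
    }

    // Security context interceptors. Legacy (PicketBox) security domains are not supported any more: when security
    // is required and no Elytron domain backs it, deployment fails rather than running the bean unsecured.
    if (elytronSecurityDomain) {
        final HashMap<Integer, InterceptorFactory> elytronInterceptorFactories = ejbComponentDescription.getElytronInterceptorFactories(contextID, ejbComponentDescription.requiresJacc(), true);
        elytronInterceptorFactories.forEach((priority, factory) -> viewConfiguration.addViewInterceptor(factory, priority));
    } else if (securityRequired) {
        throw ROOT_LOGGER.legacySecurityUnsupported(resolvedSecurityDomain);
    }

    // Authorization for methods without explicit permissions, applied only when the bean has *any* security metadata.
    // From here on a non-Elytron domain has already failed deployment above, so the Elytron DENY_ALL interceptor applies.
    if (securityRequired) {
        // missing-method-permissions-deny-access: unset (null) and TRUE both mean "deny"; only an explicit FALSE
        // leaves methods without permissions open. The reference comparison is kept from the original code
        // (Boolean.valueOf yields canonical instances), so the default remains fail-closed.
        // (@see http://anil-identity.blogspot.in/2010/02/tip-interpretation-of-missing-ejb.html for details)
        final Boolean denyAccessToMethodsMissingPermissions = ejbComponentDescription.isMissingMethodPermissionsDeniedAccess();
        if (denyAccessToMethodsMissingPermissions != Boolean.FALSE) {
            denyAccessToUnprotectedMethods(viewConfiguration, methodsWithoutExplicitSecurityConfiguration, viewMethodSecurityAttributesServiceBuilder);
        }
    }
    installAttributeServiceIfRequired(context, viewMethodSecurityAttributesServiceBuilder, viewMethodSecurityAttributesServiceName);
}

/**
 * Builds the JACC context id for a deployment unit: the unit name, prefixed with "{parent}!" for sub-deployments.
 */
private static String jaccContextId(final DeploymentUnit deploymentUnit) {
    final String unitName = deploymentUnit.getName();
    final DeploymentUnit parent = deploymentUnit.getParent();
    return parent == null ? unitName : parent.getName() + "!" + unitName;
}

/**
 * Registers a DENY_ALL authorization interceptor on each of the given view methods and, when an attributes
 * builder is present (SERVICE_ENDPOINT views), records the deny-all attribute so other components such as WS
 * see the effective decision (WFLY-308).
 */
private static void denyAccessToUnprotectedMethods(final ViewConfiguration viewConfiguration, final List<Method> unprotectedMethods, final EJBViewMethodSecurityAttributesService.Builder attributesBuilder) {
    for (final Method viewMethod : unprotectedMethods) {
        if (attributesBuilder != null) {
            attributesBuilder.addMethodSecurityMetadata(viewMethod, EJBMethodSecurityAttribute.denyAll());
        }
        // "deny access" needs the authorization interceptor so that it can reject the invocation outright.
        viewConfiguration.addViewInterceptor(viewMethod, new ImmediateInterceptorFactory(RolesAllowedInterceptor.DENY_ALL), InterceptorOrder.View.EJB_SECURITY_AUTHORIZATION_INTERCEPTOR);
    }
}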
use of org.jboss.as.ejb3.security.service.EJBViewMethodSecurityAttributesService in project wildfly by wildfly.
The class EndpointService, method start.
@Override
public void start(final StartContext context) {
    WSLogger.ROOT_LOGGER.starting(name);
    final boolean ejbEndpoint = EndpointType.JAXWS_EJB3.equals(endpoint.getType());

    // ELYTRON_SECURITY_DOMAIN is only set when install() resolved an Elytron domain for this endpoint;
    // without it no security domain context is attached at all.
    final Object elytronFlag = endpoint.getProperty(ELYTRON_SECURITY_DOMAIN);
    if (elytronFlag != null && Boolean.parseBoolean(elytronFlag.toString())) {
        if (ejbEndpoint) {
            // EJB endpoints derive the domain from the EJB application security domain.
            endpoint.setSecurityDomainContext(new ElytronSecurityDomainContextImpl(this.ejbApplicationSecurityDomain.get().getSecurityDomain()));
        } else {
            // POJO endpoints use the Elytron security domain directly.
            endpoint.setSecurityDomainContext(new ElytronSecurityDomainContextImpl(this.elytronSecurityDomain.get()));
        }
    }

    if (ejbEndpoint) {
        // Expose the EJB view's per-method security attributes to the WS stack.
        final EJBViewMethodSecurityAttributesService attributes = this.ejbMethodSecurityAttributeService.get();
        endpoint.addAttachment(EJBMethodSecurityAttributeProvider.class, new EJBMethodSecurityAttributesAdaptor(attributes));
    }

    endpoint.getRecordProcessors().forEach(processor -> registerRecordProcessor(processor, endpoint));
    final EndpointMetricsFactory metricsFactory = SPIProvider.getInstance().getSPI(EndpointMetricsFactory.class);
    endpoint.setEndpointMetrics(metricsFactory.newEndpointMetrics());
    registerEndpoint(endpoint);
    endpoint.getLifecycleHandler().start(endpoint);
    ServiceContainerEndpointRegistry.register(aliasName, endpoint);
    endpointConsumer.accept(endpoint);
}
use of org.jboss.as.ejb3.security.service.EJBViewMethodSecurityAttributesService in project wildfly by wildfly.
The class EJBSecurityViewConfigurator, method installAttributeServiceIfRequired.
/**
 * Builds and installs the view's method security attributes service, if a builder was created for this view
 * (i.e. only SERVICE_ENDPOINT views get one); a null builder means there is nothing to install.
 */
private void installAttributeServiceIfRequired(DeploymentPhaseContext context, EJBViewMethodSecurityAttributesService.Builder viewMethodSecurityAttributesServiceBuilder, ServiceName viewMethodSecurityAttributesServiceName) {
    if (viewMethodSecurityAttributesServiceBuilder == null) {
        return;
    }
    final EJBViewMethodSecurityAttributesService attributesService = viewMethodSecurityAttributesServiceBuilder.build();
    context.getServiceTarget()
            .addService(viewMethodSecurityAttributesServiceName, attributesService)
            .install();
}
use of org.jboss.as.ejb3.security.service.EJBViewMethodSecurityAttributesService in project wildfly by wildfly.
The class EndpointService, method install.
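/**
 * Installs the MSC service for a JBossWS endpoint and wires its security dependencies.
 * <p>
 * The endpoint's security domain name is resolved and recorded on the endpoint; an Elytron domain adds a
 * dependency on the matching domain service (the EJB application security domain for EJB endpoints, the
 * Elytron security domain otherwise) and marks the endpoint with ELYTRON_SECURITY_DOMAIN. A legacy (PicketBox)
 * domain is unsupported and fails deployment rather than exposing the endpoint unsecured. Any other outcome
 * (presumably no domain configured) installs the endpoint without a security domain context.
 * EJB endpoints additionally depend on the EJB view's method security attributes service.
 *
 * @param serviceTarget target to install the endpoint service into
 * @param endpoint      the JBossWS endpoint being deployed
 * @param unit          the deployment unit owning the endpoint
 */
public static void install(final ServiceTarget serviceTarget, final Endpoint endpoint, final DeploymentUnit unit) {
    final ServiceName serviceName = getServiceName(unit, endpoint.getShortName());
    final String propContext = endpoint.getName().getKeyProperty(Endpoint.SEPID_PROPERTY_CONTEXT);
    final String propEndpoint = endpoint.getName().getKeyProperty(Endpoint.SEPID_PROPERTY_ENDPOINT);
    // Alias mirrors the endpoint ObjectName's key properties: ENDPOINT_SERVICE.<context=ctx>.<endpoint>
    final ServiceName alias = WSServices.ENDPOINT_SERVICE.append(Endpoint.SEPID_PROPERTY_CONTEXT + "=" + propContext).append(propEndpoint);
    final boolean ejbEndpoint = EndpointType.JAXWS_EJB3.equals(endpoint.getType());

    final ServiceBuilder<?> builder = serviceTarget.addService(serviceName);
    final Consumer<Endpoint> endpointConsumer = builder.provides(serviceName, alias);

    Supplier<ApplicationSecurityDomainService.ApplicationSecurityDomain> ejbApplicationSecurityDomain = null;
    Supplier<EJBViewMethodSecurityAttributesService> ejbMethodSecurityAttributeService = null;
    Supplier<SecurityDomain> elytronSecurityDomain = null;

    final String domainName = getDeploymentSecurityDomainName(endpoint, unit);
    endpoint.setProperty(SECURITY_DOMAIN_NAME, domainName);
    if (isElytronSecurityDomain(unit, endpoint, domainName)) {
        if (ejbEndpoint) {
            final ServiceName ejbSecurityDomainServiceName = EJB_APPLICATION_SECURITY_DOMAIN_RUNTIME_CAPABILITY.getCapabilityServiceName(domainName, ApplicationSecurityDomainService.ApplicationSecurityDomain.class);
            ejbApplicationSecurityDomain = builder.requires(ejbSecurityDomainServiceName);
        } else {
            final ServiceName securityDomainName = unit.getAttachment(Attachments.CAPABILITY_SERVICE_SUPPORT).getCapabilityServiceName(Capabilities.CAPABILITY_APPLICATION_SECURITY_DOMAIN, domainName).append(Constants.SECURITY_DOMAIN);
            elytronSecurityDomain = builder.requires(securityDomainName);
        }
        // Read back by EndpointService.start() to decide whether to attach an Elytron security domain context.
        endpoint.setProperty(ELYTRON_SECURITY_DOMAIN, true);
    } else if (isLegacySecurityDomain(unit, endpoint, domainName)) {
        // Fail closed: a legacy security domain cannot be honoured, so refuse to deploy the endpoint.
        throw ROOT_LOGGER.legacySecurityUnsupported();
    }

    final Supplier<AbstractServerConfig> serverConfigService = builder.requires(WSServices.CONFIG_SERVICE);
    if (ejbEndpoint) {
        // The EJB view configurator always installs this service for SERVICE_ENDPOINT views, so the dependency is safe.
        ejbMethodSecurityAttributeService = builder.requires(getEJBViewMethodSecurityAttributesServiceName(unit, endpoint));
    }
    builder.setInstance(new EndpointService(endpoint, serviceName, alias, endpointConsumer, serverConfigService, ejbApplicationSecurityDomain, ejbMethodSecurityAttributeService, elytronSecurityDomain));
    builder.install();

    // Make web deployments depend on the endpoint service so the endpoint servlet is not started
    // before the endpoint is actually available.
    unit.addToAttachmentList(Attachments.WEB_DEPENDENCIES, serviceName);
}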