

Use of `org.jboss.metadata.javaee.spec.SecurityRoleMetaData` in the WildFly project (wildfly/wildfly).

From the `configure` method of class `EjbJaccConfigurator` (only the method body is shown; the enclosing class header is not part of this excerpt):

/**
 * Builds the JACC permission set for one EJB component and attaches it to the deployment unit under
 * {@link EjbDeploymentAttachmentKeys#JACC_PERMISSIONS} so a later phase can publish it to the policy.
 * <p>
 * Two kinds of permissions are produced: an {@code EJBMethodPermission} mapping for every public method of
 * every view (deployment-descriptor metadata wins; annotation metadata is consulted only for methods the
 * descriptor did not cover), and one {@code EJBRoleRefPermission} per role name the bean may reference
 * (per JACC, the permission consulted for {@code isCallerInRole}), honouring {@code security-role-ref}
 * links from the descriptor. Stateful session beans additionally get {@code getEJBObject} on the Home
 * interface registered via {@code addPermit} rather than under a role.
 * <p>
 * The order of the role-collection and role-ref steps is significant: each step removes the roles it
 * handled from {@code securityRoles}, and the final loop grants an identity mapping for whatever is left.
 * Do not reorder them when editing.
 *
 * @param context       the current deployment phase; its deployment unit receives the {@code EjbJaccConfig}
 * @param description   expected to be an {@link EJBComponentDescription}; the cast below throws
 *                      {@code ClassCastException} for anything else
 * @param configuration the component configuration whose views are scanned for methods to protect
 * @throws DeploymentUnitProcessingException declared by the configurator contract; not raised directly here
 */
@Override
public void configure(final DeploymentPhaseContext context, final ComponentDescription description, final ComponentConfiguration configuration) throws DeploymentUnitProcessingException {
    final DeploymentUnit deploymentUnit = context.getDeploymentUnit();
    final DeploymentReflectionIndex reflectionIndex = deploymentUnit.getAttachment(Attachments.REFLECTION_INDEX);
    final EJBComponentDescription ejbComponentDescription = EJBComponentDescription.class.cast(description);
    final EjbJaccConfig ejbJaccConfig = new EjbJaccConfig();
    // the config is attached before it is populated; every addRole/addPermit below mutates this same instance.
    context.getDeploymentUnit().addToAttachmentList(EjbDeploymentAttachmentKeys.JACC_PERMISSIONS, ejbJaccConfig);
    // process the method permissions: one pass over every public method of every view proxy.
    // Non-public methods and the WriteReplaceInterface serialization hook are skipped — the former are
    // presumably not reachable through the view proxy and the latter is container plumbing, not a
    // business method (confirm before widening this filter).
    for (final ViewConfiguration viewConfiguration : configuration.getViews()) {
        final List<Method> viewMethods = viewConfiguration.getProxyFactory().getCachedMethods();
        for (final Method viewMethod : viewMethods) {
            if (!Modifier.isPublic(viewMethod.getModifiers()) || viewMethod.getDeclaringClass() == WriteReplaceInterface.class) {
                continue;
            }
            final EJBViewConfiguration ejbViewConfiguration = EJBViewConfiguration.class.cast(viewConfiguration);
            // try to create permissions using the descriptor metadata first: descriptor entries override
            // annotations, so annotation metadata is only consulted when no descriptor permission matched.
            ApplicableMethodInformation<EJBMethodSecurityAttribute> permissions = ejbComponentDescription.getDescriptorMethodPermissions();
            boolean createdPerms = this.createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
            // no permissions created using the descriptor metadata - try to use annotation metadata.
            if (!createdPerms) {
                permissions = ejbComponentDescription.getAnnotationMethodPermissions();
                createPermissions(ejbJaccConfig, ejbComponentDescription, ejbViewConfiguration, viewMethod, reflectionIndex, permissions);
            }
        }
    }
    // collect every role name this bean may reference so that a role-ref permission exists for each one:
    //  1. the assembly-descriptor <security-role> names,
    //  2. the roles already bound to method permissions above (this is how @RolesAllowed roles get in), and
    //  3. ANY_AUTHENTICATED_USER_ROLE (presumably the EE 7 "**" pseudo-role; its value is not visible here).
    Set<String> securityRoles = new HashSet<String>();
    // get all roles from the deployments descriptor (assembly descriptor roles)
    SecurityRolesMetaData secRolesMetaData = ejbComponentDescription.getSecurityRoles();
    if (secRolesMetaData != null) {
        for (SecurityRoleMetaData secRoleMetaData : secRolesMetaData) {
            securityRoles.add(secRoleMetaData.getRoleName());
        }
    }
    // at this point any roles specified via RolesAllowed annotation have been mapped to EJBMethodPermissions, so
    // going through the permissions allows us to retrieve these roles. The snapshot is taken now, before the
    // role-ref loops below add further entries to the config.
    // TODO there might be a better way to retrieve just annotated roles without going through all processed permissions
    List<Map.Entry<String, Permission>> processedRoles = ejbJaccConfig.getRoles();
    for (Map.Entry<String, Permission> entry : processedRoles) {
        securityRoles.add(entry.getKey());
    }
    securityRoles.add(ANY_AUTHENTICATED_USER_ROLE);
    // process the security-role-ref from the deployment descriptor: the referenced role name is granted under
    // every role it is linked to, and the referenced name is then dropped from the set so that the catch-all
    // loop below does not also grant it to itself (which would bypass the link).
    // NOTE(review): unlike secRolesMetaData above, the map returned here is not null-checked — confirm that
    // getSecurityRoleLinks() never returns null.
    Map<String, Collection<String>> securityRoleRefs = ejbComponentDescription.getSecurityRoleLinks();
    for (Map.Entry<String, Collection<String>> entry : securityRoleRefs.entrySet()) {
        String roleName = entry.getKey();
        for (String roleLink : entry.getValue()) {
            EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), roleName);
            ejbJaccConfig.addRole(roleLink, p);
        }
        securityRoles.remove(roleName);
    }
    // process remaining annotated declared roles (presumably @DeclareRoles) that were not overridden in the
    // descriptor: each gets an identity mapping (role -> role-ref of the same name). Roles that *were*
    // overridden are still removed from the set, so they are never granted an identity mapping below.
    Set<String> declaredRoles = ejbComponentDescription.getDeclaredRoles();
    for (String role : declaredRoles) {
        if (!securityRoleRefs.containsKey(role)) {
            EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
            ejbJaccConfig.addRole(role, p);
        }
        securityRoles.remove(role);
    }
    // an EJBRoleRefPermission must be created for each declared role that does not appear in the security-role-ref:
    // everything still in the set (descriptor roles, @RolesAllowed roles, the any-authenticated role) gets an
    // identity mapping.
    for (String role : securityRoles) {
        EJBRoleRefPermission p = new EJBRoleRefPermission(ejbComponentDescription.getEJBName(), role);
        ejbJaccConfig.addRole(role, p);
    }
    // NOTE(review): the original comment here appears truncated in this excerpt ("... proxy by sending an
    // invocation to the ejb container."). What the code does: for stateful session beans only, getEJBObject on
    // the "Home" interface is registered via addPermit rather than addRole — presumably a grant that requires
    // no caller role, so that handle/proxy resolution works for any caller. With a null methodParams the
    // EJBMethodPermission is expected to match any parameter signature (JACC semantics — confirm). Worth
    // confirming this deliberate exception stays limited to exactly this method and interface name.
    if (ejbComponentDescription instanceof SessionBeanComponentDescription) {
        SessionBeanComponentDescription session = SessionBeanComponentDescription.class.cast(ejbComponentDescription);
        if (session.isStateful()) {
            EJBMethodPermission p = new EJBMethodPermission(ejbComponentDescription.getEJBName(), "getEJBObject", "Home", null);
            ejbJaccConfig.addPermit(p);
        }
    }
}
